http://www.eweek.com/
article2/0,1895,1947561,00.asp
By Ryan Naraine
April 10, 2006
Ken Dunham, you could say, spends his life peeking at the
bowels of
the Internet.
As director of the Rapid Response Team at VeriSign-owned
iDefense, of
Dulles, Va., Dunham and his team of malware hunters
infiltrate black
hat hacker forums, chat rooms and newsgroups, posing as
online
criminals to gather intelligence on the dramatic rise in
rootkits,
Trojans and botnets.
Based on all the evidence gathered over the last two years,
Dunham is
convinced that groups of well-organized mobsters have taken
control of
a global billion-dollar crime network powered by skillful
hackers and
money mules targeting known software security weaknesses.
"There's a well-developed criminal underground market
that's connected
to the mafia in Russia and Web gangs and loosely affiliated
mob groups
around the world. They're all involved in this explosion of
phishing
and online crime activity," Dunham said in an
interview with eWEEK.
Just two years after the Secret Service claimed a major
success with
"Operation Firewall," an undercover
investigation that led to the
arrest of 28 suspects accused of identity theft, computer
fraud,
credit card fraud and money laundering, security researchers
say the
mobsters are back, with a level of sophistication and
brazenness that
is "frightening and surreal."
"They never really went away," Dunham said.
"They scurried away for a
few months and tightened their security controls. It became
harder to
get on their lists and into their chat rooms."
Not these days. A law enforcement official familiar with
several
ongoing investigations showed eWEEK screenshots of active
Web sites
hawking credit card numbers, Social Security numbers, PayPal
and eBay
credentials, and bank login data by the bulk.
"They're very public about all this, especially on
the Russian sites.
It's almost comical how open and barefaced they are,"
said the
official, who requested anonymity because of the sensitive
nature of
the ongoing probe.
Black hat hackers have set up e-commerce sites offering
private
exploits capable of evading anti-virus scanners. An e-mail
advertisement intercepted by researchers contained an offer
to infect
computers for use in botnets at $25 per 10,000 hijacked PCs.
Skilled hackers in Eastern Europe, Asia and Latin America
are selling
zero-day exploits on Internet forums where moderators even
test the
validity of the code against anti-virus software.
"I saw one case where an undetectable Trojan was
offered for sale and
the buyers were debating whether it was worth the price.
They were
doing competitive testing to ensure it actually worked as
advertised,"
said Jim Melnick, a member of Dunham's team.
"We even have proof of actual job listings on
Russian-language sites
offering lucrative pay for coders who can create exploits
and launch
denial-of-service attacks. We've seen evidence of skilled
hackers
stealing corporate data on behalf of competitors. This
isn't just
about credit card and bank information. It has all the
elements on
traditional mafia-type crime," Melnick said.
Roger Thompson, a computer security pioneer who created the
first
Australian anti-virus company in the late 1980s, is
convinced the
secretive Russian mafia is masterminding the use of
sophisticated
rootkits in botnet-seeding Trojans.
"They are paying to recruit bright young hackers and
using teenage
kids around the world to move money around. They're into
everything:
spyware installations, denial-of-service shakedowns, you
name it. It's
the traditional mafia finding it easy to make money on the
Internet,"
said Thompson, who now runs Exploit Prevention Labs, in
Atlanta.
Yury Mashevsky, a virus analyst at Kaspersky Lab, said there
is even
evidence of turf wars in the criminal underworld.
"They use malicious
programs that destroy the software developed by rival groups
and
include threats directed at each other, anti-virus vendors,
police and
law enforcement agencies in their creations,"
Mashevsky said, in
Woburn, Mass.
He has also seen fierce online confrontation in the battle
to control
the resources of infected computers. In November 2005,
Mashevsky
discovered an attempt to hijack a botnet. "[The]
network of infected
computers changed hands three times in one day. Criminals
have
realized that it is much simpler to obtain already-infected
resources
than to maintain their own botnets, or to spend money on
buying parts
of botnets which are already in use," he said.
On message boards and newsgroups where malicious code is put
up for
sale, Mashevsky said flame wars and attacks against each
other to
steal virtual property amounts to normal everyday activity.
Dunham, who frequently briefs upper levels of federal
cyber-security
authorities on emerging threats, said there have been cases
in Russia
where mafia-style physical torture has been used to recruit
hackers.
"If you become a known hacker and you start to cut
into their profits,
they'll come to your house, take you away and beat you to a
pulp until
you back off or join them. There have been documented cases
of this,"
Dunham said.
One key aspect of Web mob activity that flies under the
radar is use
of "money mules," or individuals who help to
launder and transfer
money from hijacked online bank accounts.
On career Web sites such as Monster.com, a job listing for a
"private
financial receiver," "shipping manager,"
or "country representative"
invariable is an active attempt to recruit people around the
world to
withdraw funds and deliver it to crime bosses, according to
a detailed
research report by iDefense on the so-called money mules.
Money is transferred into the mule's account, withdrawn as
cash and
then wired to an offshore account.
"We've only scratched the surface of what's going on
in the
underworld. It's like the iceberg that took down the
Titanic. No one
knew how big and dangerous it was," Dunham said.
He cited the recent discovery of MetaFisher, also known as
SpyAgent, a
Trojan connected to a Web-based command and control
interface that
highlighted just how advanced the attackers have become.
"In just a few weeks, MetaFisher spread to thousands
of computers. We
found conclusively that these attacks were going on
undetected for
more than a year. Can you imagine the amount of data that
has already
been stolen? It's unimaginable," Dunham said.
Eric Sites, vice president of R&D Sunbelt Software, in
Clearwater,
Fla., showed eWEEK screenshots of the Web interface that
showed
specific targeted phishing attacks against European banks
and keeps
detailed statistics on actual bot infections around the
world.
The interface also can be used to add exploits, keep track
of
anti-virus signature definitions and keep track of callback
from
injected machines.
"This isn't the work of the guy in the basement. This
is organized and
simplified to make it super easy to control all those bot
drones,"
Sites said.
_________________________________
LayerOne 2006 : Pasadena Hilton : Pasadena, CA
Infomation Security and Technology Conference
http://layerone.info
|