Like eBay For Malware: Computer Crime Is Slicker Than You Think
If the public's image of the online criminal -- the brilliant but maladjusted teen breaking into systems just to prove he can -- were ever true, those days are long gone.
Not long after people first figured out how to break into computer systems, they started creating tools to make it easier for themselves; not long after that, those tools made their way into the hands of people who could use them without really understanding how they worked.
Today, few malware developers use their own code. They write it for the same reason commercial software developers do: to sell it for a healthy profit. If you've ever bought anything online, buying from them may be disconcertingly familiar.
If you want to break into a computer or steal credit card numbers, you can buy the necessary software online, just like almost anything else. More than that, you can find user-friendly, point-and-click attack applications that have been pre-tested and reviewed by experts, and read through customer feedback before making your purchase. You might even be able to buy technical support or get a money-back guarantee. Some developers offer their malware through a software-as-a-service model. If you prefer an even more hands-off approach, you can simply buy pre-screened credit card numbers and identity information itself, or sign a services agreement with someone who will do the dirty work for you.
As in many other industries, money has given rise to professionalism. Online crime and malware development have become a full-blown and extremely profitable commercial enterprise that in many ways mirrors the legitimate software market.
"We're in a world where these guys might as well just incorporate," says David Parry, Trend Micro's Global Director of Security Education. "There's certainly more money in the cybercrime market than the antivirus market. The internet security industry is a drop in the bucket; we're talking about hundreds of billions of dollars."
"The general dynamics within this market are just like any other business model," says Thomas Holt of the University of North Carolina at Charlotte's Department of Criminal Justice. "You have to offer a good price, you have to be readily able to communicate with your customers, you have to give them reliable products, because nobody's going to buy something if it doesn't quite work like you say it can."
According to Shane Coursen, Senior Technical Consultant at Kaspersky Labs, malware development is easily profitable enough to attract professional talent. "The financial model is absolutely huge. The amount of money that a developer could make at least matches what they can make at a software company. You could even set it up as a legitimate business, reporting earnings and everything."
Go To Market
Holt leads a team of researchers that tracks the online marketplaces where malware developers, brokers, and criminal "service providers" sell their wares. Starting with nothing more than Google searches, they have identified a network of approximately 30 publicly accessible sites of surprising sophistication, with features that rival eBay and Amazon.
The particular marketplaces Holt's team tracks are generally incorporated into hacker community forum sites hosted in Russia, Eastern Europe, and other regions where criminal prosecution and extradition are difficult or impossible. Prospective sellers post detailed descriptions of their products and services. Those selling malware will often include screenshots, claims about resistance to antivirus or other countermeasures, and penetration capabilities. Those selling stolen account data will often specify the nationality of the account, the bank, the type of account (Visa v. Mastercard, gold v. platinum), and the total value of each account. In many cases, they will also have complex pricing models, including purchase minimums and volume discounts.
At the same time, the seller sends a sample of their product to a forum moderator -- a copy of the malware code or a sample of the stolen data -- who will then review and test it. If the moderator finds that the product does not work as advertised or that the data is invalid, they will block the seller from posting; otherwise, they will post a detailed review alongside the seller's product description. Moderators may also block products or services they consider too risky. VPN services, for example, have been widely turned away by various site moderators after law enforcement tracked down a particularly well-known online gang through their VPN connections.
A Buyers' Market
Prospective buyers are then free to ask detailed questions about the product, and actual buyers will post their own feedback and reviews. "Thank you for a FreeJoiner, is the best program in its class I have ever seen," wrote a satisfied customer on one of these sites. "Purchased a freejoiner 2 and left very happy," wrote another.
Over time, moderators use their own reviews and customer feedback to track each seller's reputation, and maintain rankings ranging from "Verified Seller" (good) to "Ripper" (bad). Sites will often develop "blacklists" and "whitelists" to block out or provide quicker access to specific sellers, and a number of "ripper databases" are distributed throughout these communities.
These "open forum" sites represent only one subset of the cybercrime market; other models may look very different, but can be just as sophisticated. Some malware developers, for example, maintain what amounts to their own channel programs.
"There are programmers who are working for brokers, and the brokers are selling the malware to other criminals, who are then reselling the malware to other criminals," says Trend Micro's Parry. "When they capture a bunch of systems, they resell those systems to another criminal, and another criminal. The actual hacker types don't want to get their hands dirty with something that would actually send them to prison."
Other groups build affiliate networks that tap into legitimate and semi-legitimate businesses. In a presentation at the Defcon hacking conference this year, Peter Gutmann of the University of Auckland's Department of Computer Science described networks in which businesses would pay affiliates up to 30 cents for each machine they infect with spyware or adware. Some of these companies claim to terminate unethical affiliates and include user licensing agreements in their software, while the software itself is hidden and often includes keystroke loggers and measures to render it difficult or impossible to delete.
Customer Service
Just like their go-to-market strategies, the array of services offered by malware developers and other online criminals has grown in sophistication alongside their legitimate counterparts. Extensive customer service, technical support, and update subscriptions have all become standard practice.
"They have to provide good customer support to compete," notes Holt. "If you buy 50 dumps [credit card or bank account records] from somebody, and 25 of them are invalid, the 'good' sellers are the ones who are going to say, 'You know what, here's 25 dumps in return.' The malware writers will say, 'You know what, if you're having a problem, just contact me. I'm always around. I'll be happy to help you with whatever I can.'"
Some of these vendors focus entirely on services. They may offer technical support or customization contracts on existing malware packages, for example. Others offer to conduct attacks or spam campaigns on your behalf. One group advertises an hour-long denial of service attack for $20, and 24 hours for $100, noting that their botnet is distributed across multiple time zones and can therefore launch and maintain attacks at any time, day or night.
"One group in particular says, kind of like Domino's Pizza, 'if the first hour of our denial of service attack doesn't work, you get your money back'," notes Holt. "That's pretty common."
Other operations mirror legitimate software-as-a-service providers. These "malware-as-a-service" providers rent out access to botnets or Web-based attack tools. Gutmann noted one example in which a Russian group rented out its malicious Website. A prospective buyer could get 100 visitors for free, but then had to pay $4 per 1,000 visitors up to 5,000, $3.80 per 1,000 up to 10,000, and $3.50 per 1,000 if they bought 10,000 or more.
"Software rental is just another way to get money out of this market," says Oliver Friedrichs, Symantec's Director of Security Response. "It's common to see authors who write keyloggers and botnetworks, and then rent them out to people ultimately who may launch a phishing campaign or a spam campaign."
Quality Product
Given the competition for the enormous sums of money in the cybercrime market, it is not surprising that the quality of the products and services available to the would-be cybercriminal is increasing along with the sophistication of the markets and vendors. The most recent versions of many malware applications are extremely user-friendly, with point-and-click graphical interfaces and a wide range of functionality. They tout their ability to evade detection and defeat antivirus software and other countermeasures. Most importantly, they require little or no expertise to use.
"Code has had to become much, much more sophisticated and very professional in quality in order to turn a profit," says Friedrichs. "We've certainly seen spyware, for example, that leverages very advanced rootkit capabilities in order to hide and stay resident on a system once it's installed itself."
The availability of cracked versions of older software and low-cost applications created in developing countries forces malware writers to polish their product if they want to compete. Nevertheless, quality software can command a healthy premium. "Nuclear Grabber goes for $3,000 because this is a fantastic product that has multiple functionalities in multiple environments," Holt says of one popular attack tool. "So, if you want to do phishing, you can use it for phishing. If you want a keylogger, you can use it for keylogging. It's up to you."
According to Gutmann, some vendors have hired professional linguists to craft spam messages that bypass filters while remaining meaningful to the recipient, while phishers use psychology graduate students to develop scams that will lure victims into giving up their personal data. "They have better experts than we do!" he said in his Defcon presentation.
Malware applications are even beginning to incorporate their own security measures, both to outmaneuver competitors and avoid detection. A trojan, for example, might update a computer's antivirus signatures to block subsequent infection attempts by competing malware, while server attack tools might install patches or fix misconfigurations to protect a Web host delivering malicious code to unsuspecting visitors. "It's ironic, but the bad guys need security too," notes Parry. "They hack each other, and they want to keep us from getting access to their backend mechanics."
The bottom line is that the good guys are facing more, and better-equipped, opponents.
"Anything that you want to find, you can buy at these markets," Holt concludes. "It's so deep that you don't have to have a technical background to really get into identity theft and credit card fraud and hard core kinds of computer crime."
Damon Poeter contributed to this article.