Tuesday, October 09, 2007

Malware as a Service

Update 10.30.2007: Another gem from Scott Berinato. This story covers a website called "loads.cc" (NSFW), which sounds like what you'd get if you crossed Amazon Elastic Compute Cloud (EC2) with the malware industry. Spooky business models from the criminal world.

Most of the time we webappsec people are worlds apart from the traditional A/V and malware industry involved in reverse engineering rootkits, creating signatures, taking down botnets, tracking fraud, etc. We read the headline snippets, sure, but don't really have the time to keep up with what's happening at ground level. So when Scott Berinato of CIO.com passed along his latest and VERY in-depth three-part article documenting the evolution of the malware industry through infiltrating fraud rings, I was definitely interested. The text is illuminating: it talks about groups such as the Russian Business Network, ShadowCrew, HangUp Team, 76service and others, and how they're turning the industry into "Malware as a Service" (MaaS). Web 2.0 models are for everyone, I guess. I even saw that Hoff got into the action, saying something about how he was thirsty. :)

I pulled out some quotes I thought were particularly thought provoking.

“Jackson found a full-fledged e-commerce operation. It was slick and accessible, with comprehensive product offerings and a strong customer focus. Jackson, no one really, had ever seen anything like it. So business-like. So fully conceived. So professional.”

“Gozi represents the shift taking place in Internet crime, from software-based attacks to a service-based economy.”

“Electronic crime has evolved, from an episodic problem, like bank robberies carried out by small gangs, to a chronic one, like drug trafficking run by syndicates.”

“When Jackson logged in, the genius of 76service became immediately clear. 76service customers weren’t paying for already-stolen credentials. Instead, 76service sold subscriptions or “projects” to Gozi-infected machines.”

“Some of those account holders managed to make several cash transfers up to $49,000. “They’re playing with limits on fraud,” says Jackson. That is, they know the banks won’t flag 5 transfers under 50 grand, but will flag one $250,000 transfer.”

“There are two key tenets underscoring that success: Distributed pain with concentrated gain, and distributed risk.”

“The Internet criminals’ model perfectly mirrors the drug cartel model, which relies on a stratified market that spreads the risk out to pushers, distributors, mules, manufacturers, and all the money flows up, to the cartel.”

“Business is good. Internet criminals operate with de facto immunity. The pool of vulnerable computers to exploit remains massive. The target financial institutions still treat their crime as acceptable loss. Law enforcement is otherwise occupied. And technical defenses are mere market conditions to adapt to.”

7 comments:

Christofer Hoff said...

I'm always thirsty.

The last 2 articles I've been quoted in make me look like a bigger tool than I am.

Sigh.

/Hoff

Jeremiah Grossman said...

thirsty == beer

beer == acting like a tool.

makes sense to me! :)

Derek Slater said...

Hoff - I don't think you look like a tool. I think it's kinda dark out there these days - not just on the webapp front - and your quotes help get the point across.

Plus anybody who likes mojitos is clearly pretty smart.

Derek Slater
CSO

davi said...

organized = business-like

just add crime

Anonymous said...

A little off topic, but I thought everybody here might enjoy today's xkcd comic: http://xkcd.com/327/

Bad Mal said...

Thought you might enjoy a 76service follow up related to US based hosting

http://rbnexploit.blogspot.com/2007/10/rbn-76service-gozi-hangup-team-and-us.html

Mike said...

Believe me, all of the anti-malware companies are doing what they can to prevent and plan for these DIY kits that are all over the place. The hackers have learned that they have a sustainable market among themselves, and their continuous evolution has a lot of people across many sectors very concerned.