December 18, 2007

Cracking open the cybercrime economy

By Tom Espiner, ZDNet (UK)
Published on ZDNet News: Dec 14, 2007

"Over the years, the criminal elements, the ones who are making money, making millions out of all this online crime, are just getting stronger and stronger. I don't think we are really winning this war."

As director of antivirus research for F-Secure, you might expect Mikko Hypponen to overplay the seriousness of the situation. But according to the Finnish company, during 2007 the number of samples of malicious code on its database doubled, having taken 20 years to reach the size it was at the beginning of this year.

There seems to be some serious evidence then for the idea of an evolution from hacking and virus writing for fun to creating malicious code for profit. Security experts are increasingly pointing to the existence of a "black" or "shadow" cybereconomy, where malware services are sold online using the same kinds of development methods and guarantees given by legitimate software vendors.

It is difficult to establish exactly how organized this malware economy is but, according to David Marcus, security research manager at McAfee Avert Labs, it's relatively straightforward to buy not only the modules to build malware, but also the support services that go with it.


"From Trojan creation sites out of Germany and the Eastern bloc, you can purchase kits and support for malware in yearly contracts," said Marcus. "They present themselves as a cottage industry which sells tools or creation kits. It's hard to tell if it's a conspiracy or a bunch of autonomous individuals who are good at covering their tracks."

As well as kits and support, legions of compromised computers, or botnets, can be hired for nefarious purposes–usually for spam runs, or to perpetrate denial-of-service attacks. One of the most successful botnets of 2007 has been "Storm," so-called due to the hook-line used to trick victims into opening e-mails containing the Trojan horse. In January, the first malware was sent out with the tagline "230 dead as storm batters Europe."

The Storm botnet, estimated now to contain millions of compromised computers, has advanced defenses. The servers that control the botnet use so-called fast-flux Domain Name System (DNS) techniques to constantly change their location and names, making them difficult to locate and shut down. And security researchers who have attempted to find the command and control servers have suffered denial-of-service attacks launched by the controllers of the botnet.
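A defender-side heuristic for the fast-flux DNS behaviour described above, added here as an example; it is not code from the article or from F-Secure, McAfee or Trend Micro, and the lookup records, the /16-prefix proxy for "unrelated networks" and the thresholds are constructed assumptions. It generalizes the article's one case to any domain in a resolver log: a name whose answers rotate with short TTLs across many addresses in unrelated networks is flagged.

```python
"""Heuristic fast-flux detector over a log of DNS A-record lookups.

Added example for the article's description of fast-flux DNS; it is not code
from the article, F-Secure, McAfee or Trend Micro. The lookup records and the
thresholds are constructed assumptions. Fast-flux names rotate the addresses
behind a hostname with very short TTLs, so repeated lookups of one name return
many unrelated addresses spread across unrelated networks, which is what the
features below measure.
"""
from collections import defaultdict
from dataclasses import dataclass
import ipaddress


@dataclass(frozen=True)
class Resolution:
    domain: str
    ts: int                 # seconds since epoch when the lookup was made
    ttl: int                # TTL returned with the answer section
    answers: tuple          # A records returned by this lookup


# Constructed sample (RFC 5737 documentation ranges): a stable host and a
# flux-like host that hands out a fresh set of addresses on almost every lookup.
SAMPLE = [
    Resolution("static.example-cdn.test", 0, 3600, ("203.0.113.10", "203.0.113.11")),
    Resolution("static.example-cdn.test", 3600, 3600, ("203.0.113.10", "203.0.113.11")),
    Resolution("static.example-cdn.test", 7200, 3600, ("203.0.113.11", "203.0.113.12")),
    Resolution("storm-lure.test", 0, 60, ("198.51.100.5", "192.0.2.77", "203.0.113.200")),
    Resolution("storm-lure.test", 60, 60, ("198.51.100.9", "192.0.2.14", "203.0.113.31")),
    Resolution("storm-lure.test", 120, 30, ("192.0.2.7", "198.51.100.44", "203.0.113.99")),
    Resolution("storm-lure.test", 150, 30, ("198.51.100.5", "192.0.2.120", "203.0.113.8")),
    Resolution("storm-lure.test", 180, 60, ("203.0.113.66", "192.0.2.3", "198.51.100.201")),
]


def flux_features(records):
    """Per-domain features: lookups, unique IPs, unique /16 prefixes, mean TTL, churn."""
    by_domain = defaultdict(list)
    for r in records:
        by_domain[r.domain].append(r)
    feats = {}
    for domain, rs in by_domain.items():
        rs.sort(key=lambda r: r.ts)
        ips = set()
        for r in rs:
            ips.update(r.answers)
        # /16 prefixes stand in for "unrelated networks"; with routing data one
        # would count distinct ASNs instead (assumption for this example).
        nets = {ipaddress.ip_network(f"{ip}/16", strict=False) for ip in ips}
        mean_ttl = sum(r.ttl for r in rs) / len(rs)
        # churn: share of consecutive lookups whose answer set changed at all
        changed = sum(1 for a, b in zip(rs, rs[1:]) if set(a.answers) != set(b.answers))
        churn = changed / (len(rs) - 1) if len(rs) > 1 else 0.0
        feats[domain] = {
            "lookups": len(rs),
            "unique_ips": len(ips),
            "unique_nets": len(nets),
            "mean_ttl": mean_ttl,
            "churn": churn,
        }
    return feats


def is_fast_flux(f, max_ttl=300, min_ips=5, min_nets=3, min_churn=0.5):
    """All four conditions must hold; thresholds are assumptions to tune per environment."""
    return (
        f["mean_ttl"] <= max_ttl
        and f["unique_ips"] >= min_ips
        and f["unique_nets"] >= min_nets
        and f["churn"] >= min_churn
    )


def classify(records):
    """Map each domain in the log to True (flux-like) or False (stable)."""
    return {d: is_fast_flux(f) for d, f in flux_features(records).items()}


if __name__ == "__main__":
    for domain, f in flux_features(SAMPLE).items():
        verdict = "FAST-FLUX" if is_fast_flux(f) else "stable"
        print(f"{domain:28} {verdict:10} ips={f['unique_ips']:3} nets={f['unique_nets']} "
              f"ttl={f['mean_ttl']:.0f}s churn={f['churn']:.2f}")
```

Legitimate CDNs and load balancers also use short TTLs, so the TTL test alone is a poor signal; the combination with address spread across unrelated networks is what separates the two in this heuristic.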

"Storm has been exceptionally successful," said McAfee's Marcus. "It's used for spam runs, and researchers attempting to locate Storm command and control servers have come under attack. The hardest part is finding the key to those channels. They're not always easy to detect and find. Some of the communications are encrypted, while some are difficult to detect from a network point of view. I hate to use the word evolution, but they're certainly learning from their successes and failures. If it weren't for Storm, bots would be in significant recession. Some days we're seeing 1,000 different variants a day."

Weathering the Storm
Joe Telafici, director of operations at McAfee's Avert Labs, said Storm is continuing to evolve. "We've seen periodic activity from Storm indicating that it is still actively being maintained. They have actually ripped out core pieces of functionality to modify the obfuscation mechanisms that weren't working any more. Most people keep changing the wrapper until it gets by (security software)–these guys changed the functionality."

In the past year, the development of illegal malware has reached the point where it is almost as sophisticated as the traditional software-development and sales channel, according to Telafici.

"We've seen platform development, middleware, solutions sellers and hosting–all types of software and companies, with the same level of breakdown," said Telafici.

One indication of the maturity of the black economy, according to Telafici, was the recent case of a hacker who wrote a packer (software used to bypass antivirus protection) and who "threw in the towel recently as it wasn't profitable enough–there's too much competition. They opened the source code and walked away."

Security vendors seem to be powerless to take any action against the groups in control of botnet networks, especially those who use fast-flux techniques to move the location of command and control servers.

"With botnets, we are unlikely to make a dent unless we find the guy who controls the command and control server," said Telafici.

While law-enforcement agencies have a headstart in tracking cybercriminals, due to their experience of dealing with economic crimes such as fraud, many of the crimes are seemingly small, not warranting police attention.

"The majority of cybercriminals are small players for small dollars and short bursts of traffic," said Telafici. "On the flip side, you see the amount of effort and money spent protecting spam relays (as in Storm). If (security researchers) aren't careful they get DDoS-ed"–that is, hit by a distributed denial-of-service attack–"by a chunk of the spam network. That the guys are protecting their turf indicates that in aggregate the amount of money that is changing hands is significant."

Game theory, a branch of applied mathematics that models how adversaries maximize their gains through adapting to each other's strategies, features heavily in security assessments of the black economy. As one player becomes stronger, the other increases its efforts to gain the upper hand.

"I view it as we're locked in a Darwinian power struggle," said Telafici. "As we up the ante, the black economy adjusts to that, and it in turn ups the ante."

Anatomy of the 2007 black economy
Raimund Genes, chief technology officer of anti-malware for security company Trend Micro, said that malicious software via the affiliate model–in which someone pays others to infect users with spyware and Trojans–has become more prevalent in 2007.

The affiliate model was pioneered by the iframedollars.biz site in 2005, which paid Webmasters 6 cents per infected site. Since then, this has been extended to a "vast number of adware affiliates," said Genes. For example, one adware supplier pays 30 cents for each install in the U.S., 20 cents in Canada, 10 cents in the U.K., and 1 or 2 cents elsewhere.


Hackers also piggyback malicious software on legitimate software. According to Trend Micro, versions of coolwebsearch co-install a mail zombie and a keystroke logger, while some peer-to-peer and file-sharing applications come with bundled adware and spyware.

While standard commercial software vendors sell software as a service, malicious-software vendors sell malware as a service, which is advertised and distributed like standard software. Communicating via Internet relay chat (IRC) and forums, hackers advertise Iframe exploits, pop-unders, click fraud, posting and spam. "If you don't have it, you can rent it here," boasts one post, which also offers online video tutorials. Prices for services vary by as much as 100 percent to 200 percent across sites, while prices for non-Russian sites are often higher: "If you want the discount rate, buy via Russian sites," said Genes.

In March the price quoted on malware sites for the Gozi Trojan, which steals data and sends it to hackers in an encrypted form, was between $1,000 and $2,000 for the basic version. Buyers could purchase add-on services at varying prices starting at $20.

In the 2007 black economy, everything can be outsourced, according to Trend Micro. A scammer can buy hosts for a phishing site, buy spam services to lure victims, buy drops to send the money to, and pay a cashier to cash out the accounts. "You wonder why anyone still bothers burgling houses when this is so much easier," said Genes.

Antidetection vendors sell services to malicious-software and botnet vendors, who sell stolen credit card data to middlemen. Those middlemen then sell that information to fraudsters who deal in stolen credit card data and pay a premium for verifiably active accounts. "The money seems to be in the middlemen," said Genes.

One example of this is the Gozi Trojan. According to reports, the malware was available this summer as a service from iFrameBiz and stat482.com, who bought the Trojan from the HangUp team, a group of Russian hackers. The Trojan server was managed by 76service.com, and hosted by the Russian Business Network, which security vendors allege offered "bullet-proof" hosting for phishing sites and other illicit operations.

According to Trend Micro, there are many independent malicious-software developers selling their wares online. Private releases can be tailored to individual clients, while vendors offer support services, often bundling antidetection. For example, the private edition of Hav-rat version 1.2, a Trojan written by hacker Havalito, is advertised as being completely undetectable by antivirus companies. If it does get detected then it will be replaced with a new copy that again is supposedly undetectable.

Hackers can buy denial-of-service attacks for $100 per day, while spammers can buy CDs with harvested e-mail addresses. Spammers can also send mail via spam brokers, handled via online forums such as specialham.com and spamforum.biz. In this environment, $1 buys 1,000 to 5,000 credits, while $1,000 buys 10,000 compromised PCs. Credit is deducted when the spam is accepted by the target mail server. The brokers handle spam distribution via open proxies, relays and compromised PCs, while the sending is usually done from the client's PC using broker-provided software and control information.


"This is a completely standard commercial business," said Genes. "The spammers even have their own trade associations."

Ready-made tools for creating phishing e-mails, such as fake requests for bank details, are fairly easy to buy, with many independent vendors selling them. Bulletproof hosting is also easily available, while phishers engage spam services to lure users to their sites.

Carders, who mainly deal in stolen credit card details, openly publish prices, or engage in private negotiations to decide the price, with some sources giving bulk discounts for larger purchases. The rate for credit card details is approximately $1 for all the details down to the Card Verification Value (CVV); $10 for details with CVV linked to a Social Security number; and $50 for a full bank account.

Scammers use a variety of ways to launder cash. Compromised bank accounts can be used to launder funds, or struggling companies can be bribed to turn the money into ready cash. Scammers can find businesses with a debt of $10,000, and agree to pay them $20,000 if they agree to cash out 50 percent of the funds. Dedicated cashiers, also known as "money mules," can also take up to 50 percent of the funds to move the money via transfer services.

Money can also be laundered by buying and selling merchandise on the wider black market. Shipper rings can ship PCs to scammers via intermediaries, which can then be resold.

Cost to legitimate business
As the malicious-software economy grows in sophistication, so do the losses sustained by legitimate businesses. According to the 2007 Computer Security Institute computer crime and security survey, these losses have seen a sharp increase this year.

Robert Richardson, director of the CSI, said the average annual loss among U.S. businesses due to cybercrime has shot up to $350,424, from $168,000 in 2006. "Not since the 2004 report have average losses been this high," said Richardson.

This year's survey results are based on the responses of 494 computer security practitioners in U.S. corporations, government agencies, financial institutions, medical institutions, and universities.

Almost one-fifth of those respondents who suffered one or more kinds of security incidents said they had suffered a targeted attack aimed exclusively at their organization, or organizations within a small subset. Khalid Kark, a principal security analyst at Forrester, said targeted attacks against companies and institutions are becoming more common.

"As banks and companies have increased security levels, the hacker community is casting a much wider net," said Khalid. "Instead of hacking into something right away, now it's low and slow. They're determining attack avenues, taking their sweet time to find holes, and then using stealth (to steal data)."

Financial services companies are being attacked more and more, said the analyst, while the attacks are increasing in number and complexity.

But while the black cybereconomy is maturing, at the moment its main practitioners seem to be individuals or small groups acting within a loose web of affiliations that can be quickly established and broken to evade detection.

F-Secure's Hypponen blames a lack of international co-operation and political and social problems for the current situation. "In many cases these are people with skills but without opportunities," said Hypponen. "What if you are born with IT skills in rural China, or in the middle of Siberia? There is no legal way of making use of the skills they have."

While law enforcement co-operation with government and the IT community is paramount in addressing the problem in the short term, longer-term solutions must be found. One way to address the issue of the growth of the "black cybereconomy" in the long term is to harness the IT talent in developing countries that otherwise might be co-opted into illegal activity, say security experts.

"We have to make it more attractive to be in the white economy than in the black–when that happens we will turn a corner. We're starting to see that happen as companies look to less expensive economies as places to put people. In Eastern Europe and Asia there are highly skilled people where there are less opportunities–this is where the black economy is fueled now," said McAfee's Telafici.

Tom Espiner of ZDNet UK reported from London.


Is the boom in kiddie porn a Net effect or is ‘victimless’ behavior unduly punished?

December 17th, 2007

Posted by Richard Koman

The Internet was once termed a "cult machine," and that may appear to be the case with child pornography. It was almost snuffed out in the domain of mail order and adult book shops, but with the Internet it is a huge, sprawling blight on society, seemingly ever-growing. According to the Washington Post:

The National Center for Missing and Exploited Children's CyberTipline received about 4,500 reports of children being victimized in its first year, 1998. This year the center, which works closely with law enforcement officials, has collected nearly 100,000 reports, more than 75 percent for online child pornography.

Child Porn site from TV News

And it’s not just sheer numbers but also the extremity, the severity of the imagery.

“You can’t wrap your brain around what we’re talking about here,” said Bonnie S. Greenberg, a prosecutor in the U.S. attorney’s office in Maryland. “We’re not talking about a 16-year-old who looks like she could be 19. We’re seeing prepubescent children who are being raped, babies, toddlers being tied up.”

It's not just that the Internet has fed an appetite for child pornography; it's also that the images have become a larger and larger focus for law enforcement. And some are questioning whether consuming images without any further action — or even without proof that viewing kiddie porn leads people to child abuse — should be a crime at all.

“Sending people to prison for five or 10 or 15 years for looking at pictures is killing an ant with a sledgehammer,” said Peter Greenspun, who defended Charles Rust-Tierney, the former ACLU head sentenced to seven years in prison for downloading hundreds of images. “These people are being put on sex-offender registries, they are being ostracized from the community, for looking at pictures.”

Just what is the connection? The Postal Inspection Service found only a third of people convicted of kiddie porn charges had also committed child abuse. But a much smaller study of inmates in North Carolina found 85% overlap between the two groups.

"There are a large group of individuals whose lives and families are absolutely being devastated because they looked at these images," said Fred Berlin, a psychiatrist who runs the National Institute for the Study, Prevention and Treatment of Sexual Trauma, affiliated with Johns Hopkins University. "They had absolutely no idea how severe the consequences would be and had no interest in doing anything other than viewing images." (emphasis added)

I am really split on this: I think kiddie porn is NOT victimless, because children clearly have been victimized and the thought of people stroking to images of kids, knowing they’ve been victimized and not caring, is upsetting. On the other hand, the involvement of the person being prosecuted is really indirect and the consequences are so harsh. Isn’t this a case of people being punished for “thinking bad thoughts”? With law enforcement focused on child porn, there might be an allure-of-forbidden-fruit going on, too. Finally, I’m not sure that the prosecutions are drying up the market; perhaps resources are better spent nailing the people who actually are harming the kids, rather than the demand-side?

There’s a net addiction aspect here, too. There’s no way that guy would have collected 1.5 million images in the offline world: the Net makes it possible to just keep going and going. But the mental health world ignores the syndrome and addictive behavior goes untreated, kids continue to be victimized and relatively harmless offenders are harshly punished.


December 13, 2007

Reporting Spam E-mail

We here at WorldStart often tell you about new e-mail scams that are going around on the Internet, but we've never really told you what you can do to report all the spam you receive in your Inbox. Lately, I've been asked that question a lot, so I figured it was about time we addressed it. I do apologize for taking so long to do so. Reporting spam e-mail is very easy to do and if everyone does their part, who knows, maybe the bad side of e-mail will finally disappear for good. Let's check it out, shall we?!

First of all, I want to make sure everyone is clear on what I'm referring to when I say spam e-mail. Spam can come in a variety of ways, including messages from business marketers trying to sell their products, forwards, bogus money offers and just any messages you may get from people you don't know. I'm sure you all have gotten your fair share of those, because no matter what you do, it seems impossible to protect your e-mail address from getting into the wrong hands. And I don't know about you, but junk e-mails really get on my nerves and they waste my time!

So, the next time you see a spam e-mail in your Inbox that you think is deceptive, do us all a favor and forward it to the Federal Trade Commission (FTC) at this address: spam@uce.gov. You can do that just by hitting the Forward button in your e-mail and typing that address on the To: line. The FTC then uses the e-mails they get at that address to pursue law enforcement actions against the people who send them. They have even put together a new law against spammers, called the CAN-SPAM law, which is designed to hold spammers responsible for their actions. It's nice to know there is something we all can do to help combat the dreadful problem of spam. Do your part today and let's all start to make a difference!


December 5, 2007

Police Blotter: Verizon forced to turn over text messages

By Declan McCullagh, News.com
Published on ZDNet News: Dec 5, 2007 6:30:00 AM
Police Blotter is a weekly News.com report on the intersection of technology and the law.

What: U.S. Department of Justice seeks archived SMS text messages from Verizon Wireless without obtaining a warrant first.

When: District judge rules on October 30; magistrate judge completes review of archived text messages on Friday.

Outcome: Prosecutors receive the complete contents of defendant's text messages.

What happened, according to court documents:
It may not be that well known outside of police and telecommunications circles, but odds are excellent that your mobile phone provider saves copies of your SMS text messages. In a case that Police Blotter wrote about last year, federal police obtained logs of archived text messages from two unnamed wireless providers.

In addition, a judge in the Kobe Bryant sex case ordered the phone provider to turn over archived messages. Text messages were also part of the trial involving the attempted murder of rapper 50 Cent.

(By the way, here is one way to send almost-anonymous text messages.)

The most recent case dealing with SMS text messages does not involve a celebrity, though. It involves Susan Jackson, who pleaded guilty to wire fraud involving unauthorized transfers from her employer's bank account to her own NASA Federal Credit Union account.

To buttress her request for a minimum sentence, Jackson submitted letters that she said were from friends, employers, and relatives, but the U.S. Secret Service asserts the documents were altered or doctored. If that is true, it could amount to an additional charge of obstruction of justice.

One person allegedly said that Jackson urged him, "using text messaging and e-mail," to go along with the alterations.

The U.S. Department of Justice asked for a subpoena ordering Verizon Wireless to turn over the contents of text messages for phone number (301) 325-XXXX. The request was made under 18 USC 2703(b)(1)(b)(i) and (ii), which do not require probable cause and a search warrant. Instead, all prosecutors must do is claim–and this is much easier–that the records are "relevant and material" to an investigation. (The Justice Department says this is fine because the text messages were "opened communications," meaning that they were already read by the recipient and should therefore be easier to obtain.)

Jackson's lawyer opposed the request, saying that a proper search warrant was required. On October 30, U.S. District Judge Richard Roberts sided with the prosecution and said that only a subpoena was needed.

Verizon complied. It turned over three sets of documents: information about the account holder linked to that phone number, a list of the complete contents of the text messages sent or received by cellular telephone number (301) 325-XXXX between June 6 and October 31, 2007, and a log of whom Jackson sent messages to from her Verizon e-mail address. Note that Verizon did not keep copies of the actual contents of her e-mail messages.

Because Jackson alleged that the text messages might involve sensitive attorney-client communications, the court appointed a magistrate judge to review them. Magistrate Judge Alan Kay concluded that the text messages did not involve attorney-client privilege and recommended they be turned over to prosecutors "in their entirety."

Excerpts from Justice Department's brief:
Unfortunately, the defendant's Internet services provider, Verizon Internet Services, Inc., has advised the government that it does not store the content of its subscribers' e-mail communications…

It does maintain, however, a "transactional log" for its accounts, including the defendant's account…Since the information will not contain the content of any communications, it is not believed that the defendant has any basis to contest production.

Excerpts from magistrate judge's report:
Verizon produced a package with the contents of text messages that were sent or received by cellular telephone number (301) 325-(XXXX) between June 6 and October 31, 2007. While a few of the messages make reference to Jackson's court case or meetings with her attorney, none of them appear to contain any communications between Jackson and her attorney. For example, on June 6, 2007, at 3:11 p.m. the cellular phone number in question received a text message from cellular phone number (240) 687-(XXXX) that asked "When is ur crt. date?" and approximately one minute later cellular phone number (301) 325-(XXXX) responded "29th." Approximately four minutes later, the person sending messages from (240) 687-(XXXX) then asked, "Did u get all the letters u needed? And what is ur atty. saying?" to which the person sending messages from (301) 325-(XXXX) responded "I meet w/her on Friday." The undersigned did not locate any other text messages that appear to relate to Jackson's court case or that might constitute a communication between Jackson and her attorney…

Verizon made no representations that the package produced reflected all text messages sent or received by (301) 325-(XXXX). The government's subpoena requested text message information from June 21, 2007 until the date of Judge Roberts' Order on October 30, 2007. The messages actually produced cover the following dates (all in 2007): June 6, June 12-14, June 17, June 19, July 3-4, and October 23-31. Whether any messages were sent or received on other days during this time period, and if so why Verizon did not produce them, is unclear.

Verizon produced transaction logs for Jackson's e-mail address…The e-mail transaction log indicates the date and time that each e-mail was sent and the e-mail address of the recipient. The pages of the transaction log that Verizon provided contain records of e-mails sent by Jackson between June 11, and July 9, 2007. The log shows 33 e-mails between Jackson and her attorney, Dani Jahn of the Federal Public Defender's Office, between June 13 and July 9, 2007. Verizon did not produce the contents of any of these e-mails….


December 1, 2007

Judge slams FBI fishing expedition at Amazon

November 28th, 2007

Posted by Richard Koman

How would you feel if you bought a book through Amazon and then found out your book purchasing records had been turned over to the FBI? Would it make you think twice about shopping at Amazon in the future? Amazon thinks so, and it turns out, so does a federal judge (order, PDF).

The FBI is going after one Robert B. DeAngelo, a former Madison, WI, official who has been indicted on tax evasion and mail and wire fraud charges, Cnet’s Declan McCullagh reports. It seems DeAngelo ran a healthy little used book and CD business out of city offices. He kept his costs low by using city computers and city warehouses.

So to get the goods on DeAngelo, the FBI wants to talk to some of his customers. Not that they suspect the customers were involved or were victimized by the scheme, but to get information to nail DeAngelo. So they issued (or rather the grand jury issued) a subpoena to Amazon for information on every one of DeAngelo's customers. Eventually the subpoena was changed to 120 customers, 30 for each year under investigation.

Amazon felt the request infringed on their customers' First Amendment privacy rights and moved to quash the subpoena. Specifically Amazon argued you have a First Amendment right to keep your book-buying history private. The government argued there is no such privacy right.

Judge Stephen Crocker held that there is a “cognizable First Amendment right” in such privacy, which can be balanced with the government’s need for information by having Amazon contact DeAngelo’s customers and ask for volunteers to talk to the FBI.

Declan reports that after this order, made in June but only now unsealed, Daniel Graber, the assistant U.S. Attorney in Madison, gave up and rescinded his request for the customer records.

So what exactly is the First Amendment concern?

The subpoena is troubling because it permits the government to peek into the reading habits of specific individuals without their prior knowledge or permission. True, neither the government nor the grand jury is directly interested in the actual titles or content of the books that people bought … But it is an unsettling and un-American scenario to envision federal agents nosing through the reading lists of law-abiding citizens while hunting for evidence against somebody else. In this era of public apprehension about the scope of the USAPATRIOT Act, the FBI’s (now-retired) “Carnivore” Internet search program, and more recent highly-publicized admissions about political litmus tests at the Department of Justice, rational book buyers would have a non-speculative basis to fear that federal prosecutors and law enforcement agents have a secondary political agenda that could come into play when an opportunity presented itself. Undoubtedly a measurable percentage of people who draw such conclusions would abandon online book purchases in order to avoid the possibility of ending up on some sort of perceived “enemies list.”

Judge Crocker shows a clear understanding of the way of the blogosphere, too.

Taken a step further, if word were to spread over the Net–and it would–that the FBI and the IRS had demanded and received Amazon’s list of customers and their personal purchases, the chilling effect on expressive e-commerce would frost keyboards across America. Fiery rhetoric quickly would follow and the nuances of the subpoena (as actually written and served) would be lost as the cyberdebate roiled itself to a furious boil. One might ask whether this court should concern itself with blogger outrage disproportionate to the government’s actual demand of Amazon. The logical answer is yes, it should: well-founded or not, rumors of an Orwellian federal criminal investigation into the reading habits of Amazon’s customers could frighten countless potential customers into canceling planned online book purchases, now and perhaps forever.

Because the government showed, during an ex parte hearing, that it has a legitimate need for the information, the judge declined to quash the subpoena. Holding that "at this juncture (and perhaps at every juncture), the government is not entitled to unfettered access to the identities of even a small sample of this group of book buyers without each book buyer's permission," the judge ordered a "filtering mechanism" by which DeAngelo's customers can volunteer to speak with the feds.

This packet will allow any used book buyer who chooses to cooperate with the investigation to contact the government and arrange an interview. Anyone who wishes not to participate in this exercise, by virtue of his or her silence, will be left alone, and the government will never learn that person's identity or the titles of materials he/she purchased from D'Angelo through Amazon.

I have to say, this is a great decision that balances privacy rights and law enforcement concerns. What I can't understand is why the US Attorney didn't go forward with this plan, if I'm reading the withdrawal of the subpoena correctly. I have no doubt some civic-minded citizens would have come forward with critical information. It makes you wonder, actually, if denied a fishing expedition, the government suddenly lost interest.
