FEATURE: Modern Day Malware & Organised Crime

Quarter past nine on a Monday morning. I’m staring at the thick oak beam of long polished table wondering what the hell I’m doing at briefing about internet security. My last journalistic foray into this turgid corner of the tech world had me stuck talking anti-virus software with one of the chief marketing officers at a leading company. I recall a solid 40 minutes of the internet neighbourhood watch warnings as the canapes passed just out of reach behind his back. The hungrier I got the more it sapped my soul. My last conscious thought was “never again”. Never again; until today.

I’m not sure if it was the lure of the Soho House, the charm of the invitation or, more likely, the promise of breakfast but somehow, between them, they short-circuited that old memory in my brain; they silenced its voice. Down went that corner of my neural net; a localised blackout and now here I am in my trainers and jeans, most others with a collar at least. Quarter past nine on a Monday morning. Fifteen minutes before I’m usually at work.

Ed Gibson begins the day more upset than I am that his cooked breakfast hasn’t arrived but that’s probably where the similarity ends. Edward P Gibson is Microsoft’s chief security advisor and a former operative with the FBI. He takes comfortable control of the room of assembled journalists with the warmth and ease of his Midwest drawl. I wonder if that manner served him well at the FBI. I wonder if he’s enjoying his retirement, but by the end of the morning I’ll have changed my mind about how much rest he’s getting in his new profession.

“The UK has become a haven for e-crime,” Mr Gibson begins as he reminds us of the decision made by the former Home Secretary to remove credit card fraud from the police agenda. It’s a matter for our banks and card companies now. We report it. They repay it. Part of me can’t help but think of it as a victimless crime but then I know that isn’t true. What crime really is?

“Still, what’s all this got to do with malware,” I’m thinking as Mr Gibson talks of e-mails traveling through two countries in the blink of an eye before they pass between my desktop and yours. That’s more about phishing schemes? Someone sends you a false message from a bank that they happen to have got lucky is the one you save with and if you’re stupid enough to fill in your details, then your money gets taken. You probably deserve it. But malware? Viruses? That’s about programmers having their bit of fun with Windows isn’t it; it’s a twenty something, single, white male in his basement, pop-tart in hand wreaking a petty revenge on the world? Isn’t it? Isn’t it? Apparently not.

Up steps Mr X. Mr X is a security expert but of a very different kind. Mr X is a hacker – an accolade that Edward P Gibson is loathed to lay on him, such distaste that he has for those of Mr X’s former profession. But behind the black silk suit, the white open necked shirt and printed business cards Mr X has just handed out; behind his slow, smooth facade of a professional gambler who got out while the going was good gleams the eyes of a man with a lot of respect for the internet’s darkest community and a pride in the work he used to do.

He takes us through the world of modern day malware with the briefest of introductions. Only now do I appreciate how hard it was for him to begin, because largely there is no beginning. Malware has become a community, an ecosystem and such it goes round not from top to bottom but cycling from one place to another; to people, computers, services, criminals, salesmen, middlemen men, e-markets, racketeers, gangsters and the writers of the code themselves and all without our knowledge. They pedal our stolen data and wring it dry.

Malware has become the generic term for all viruses, worms, trojans, adware, spyware and anything else that makes our systems execute programs that we hadn’t intended them to run and it is not just made for fun anymore. It’s not made to prove a point. It’s written, targeted distributed and deployed with the sole purpose of stealing and extorting money.

The authorities know it’s happening and they know where it’s happening. There are forums out there, well-known forums where skills are sought and trades exchanged. You’ll find people to write code for you, sellers of the raw materials like blank credit cards and skimming devices, data for sale and a host of merchant services. There are people selling trojans or other “loads” – a term used to describe infections – at the cost of $200 for a 1,000. You can purchase IDs, passports, driving licences or just plain data that could be as cheap as $2 per MB of text taken from keystroke logging programs. Exactly how many words is 1 MB of text data? How much information can you gather from that?

All of this is known but the community is a very tight, closed group and to get a look in you need an introduction. Someone has to vouch for you and even then some will only deal with you if you can speak Russian, the language of the major players of the malware world. These forums are the hacker’s Linkedin.

“Does everyone know what bulletproof hosting is?” Edward Gibson interjects as his colleague begins to get carried away with terminology from the behind the glow of disappointingly ordinary Dell XPS laptop. I raise my hand for an explanation.

“Bulletproof hosting is the cornerstone of the business,” says Mr X getting me up to speed. Hackers need safe havens to run their programs, servers where no one can shut them down or trace them, places where they can operate safe from the authorities. This is either done with a network of remote controlled computers called botnets, including the groups of zombie PCs working P2P that people talk of. These become like decentralised servers where files flow untraceably, impossible to track and if a malware attack ever finally is sourced, it’ll just end up with Interpol and their SWAT team bursting into the house of some unsuspecting pensioner in Leeds, a thousand infra red dots trained on his cardigan; slippers on and tea cup shaking in his hands. It’s bulletproof because it’s perfect, unstoppable and all it costs the hacker is around 47 cents per node.

The other more sinister method is to find countries that have got no problem with hosting your illegal activities or certainly no problem compared to the sums of money you’re paying them for the privilege.

Bulletproof hosting rakes in millions each month for the top players in the field. They guarantee you server space and protection for you to run your malware. They even offer 24/7 telephone support should there be a problem.

Once you’ve acquired your webspace, you may wish to purchase a load which you could get standard or tailor made. Common popular choices are trojans. The price of a load depends on what you order and where you wish it to be deployed. Security is tighter in UK, Denmark and the US where load crews charge a premium. They’re paid per infection, so the loads must be more sophisticated and deployed in greater numbers for reasonable rates of success.

Just in case any of those in these “drops services” are short of ideas, there are legitimate market places such as the Swiss based WabiSabiLabi where you’ll find software exploits up for sale. It’s an eBay for weaknesses, loopholes and backdoors into everything from Windows Vista to the networks and databases of private companies.

One of the most recent developments in loads is the genius “exploitation packs”. As in nature, a good virus is not the one that kills you. It’s the one that keeps you alive so you can continue to be of use. If malware causes your computer to crash, bluescreen and die then it can’t gather anymore data nor use your PC as a part of a botnet. Exploitation packs deploy 1KB or 2KB downloaders that profile your machine; evaluate exactly where you are, what you use it for, what your hardware’s capable of and then deploy a specific set of programs to to run quietly in the background skimming your details and data while you go about your business and nearly all of them install what are known as “rootkits” which make the entire package completely undetectable to whatever anti-virus or security you may have.

The makers and vendors of these packs might only sell a few licence each month to keep their product more exclusive and effective and they’ll even add DRM as well such that the domain to which the malware will divert all the data and traffic will be hardcoded into the programs requiring second and third payments for any subsequent attacks.

Cloud labs monitor your malware to see how it’s performing and can send you an SMS when you have a problem and need to redesign. Malware can be created on the fly, tailored to get by every individual system it meets. You may have all your Microsoft updates and patches but they’ll even find a way in if your third party software isn’t up to date. Mr X shows us one such exploit in all computers where Adobe Acrobat Reader is of version 8 or less regardless of what other kind of protection the system has.

But most impressive for me is one of the pieces of big brand malware known as Limbo. It’s so subtle that all it does is inject the odd extra field in banking forms. Where you’re usually asked for three digits of your security number, it may just ask you for a fourth until it slowly builds up the picture of your whole profile. Then full access to your savings can be sold for between 5-10% of the contents of your account.

These products and services are so sophisticated and user friendly that you don’t even need any computer knowledge to be a hacker any more. All you have to do is hire the right people to do the job for you and you too can hold companies to ransom by threatening to shut down their servers or give away their secrets. You can collect any kind of data you like and there’s always a market for whatever you can steal.

It’s simply impossible for any one internet security system to give you the protection they claim to. The idea of protection against 98.7% of the malware online is an utter nonsense. The same malware .exe file can repackage itself against security updates far faster than anti-virus can keep up. The malware world is further reaching and much more sophisticated. One option you have is to run different anti-virus programs simultaneously to cover yourself as best as possible but good luck trying to run a stable computer or having enough processing power to do anything else.

Companies like Prevx supply such a solution that’ll run alongside whatever main security program you have; a different downloadable scanning tool depending upon whether you are a home user or a small or large business. I’ve had a try of it since. It seems to work pretty well. My copy of Avast hasn’t had a fit, my computer hasn’t crashed and, if a piece of malware has got through, it’s obviously deployed a rootkit as well because everything seems to running normally.

For the final part of the morning, Mr X gives us a demonstration of what a virus can do if you happen to click on the wrong link with not enough updated software to protect you. One click and then minutes later we watch as load after load descends upon the breached XPS until finally it crumbles under the weight. Bluescreen. Game over.

With 15,000 pieces of malware detected every day and so many weaknesses in operating systems and so much human error and oversight, I walk out of the briefing into the day bamboozled by fear and dazed by the light. It’s easy to panic until you realize what all this means. No one should be scared by e-commerce or online banking or data theft through the web. The virtual world is just the same as the real one. You just have to use common sense. Going online using XP with no service packs or anti-virus is like walking down the street with your mobile phone in your open palm and money pinned to your shirt. Now, that would’ve been ok five or ten years ago but the point Mr Gibson and friends are making is that the streets have got a rougher. In Mayfair you might be ok but try it in Brixton and you won’t last long.

The infect rate of the load crews is still only around 30%, so there are plenty of people who are doing the right things. Update your software, patch your apps, use an anti-virus (a free one will do) and probably install Vista as well. It may be annoying but it’s got a very low infection rate. So remember kids, surf safe.

Sep 29, 2008Daniel Sung

For latest tech stories go to TechDigest.tv

Cookie	Duration	Description
cookielawinfo-checkbox-advertisement	1 year	Set by the GDPR Cookie Consent plugin, this cookie records the user consent for the cookies in the "Advertisement" category.
cookielawinfo-checkbox-analytics	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checkbox-functional	11 months	The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
cookielawinfo-checkbox-necessary	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-others	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
cookielawinfo-checkbox-performance	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".
CookieLawInfoConsent	1 year	CookieYes sets this cookie to record the default button state of the corresponding category and the status of CCPA. It works only in coordination with the primary cookie.
viewed_cookie_policy	11 months	The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.

Cookie	Duration	Description
__atuvc	1 year 1 month	AddThis sets this cookie to ensure that the updated count is seen when one shares a page and returns to it before the share count cache is updated.
__atuvs	30 minutes	AddThis sets this cookie to ensure that the updated count is seen when one shares a page and returns to it before the share count cache is updated.

Cookie	Duration	Description
at-rand	never	AddThis sets this cookie to track page visits, sources of traffic and share counts.
disqus_unique	1 year	Set to record internal statistics for anonymous visitors.
uvc	1 year 1 month	addthis.com sets this cookie to determine the usage of addthis.com service.
_ga	1 year 1 month 4 days	Google Analytics sets this cookie to calculate visitor, session and campaign data and track site usage for the site's analytics report. The cookie stores information anonymously and assigns a randomly generated number to recognise unique visitors.
_gat_gtag_UA_*	1 minute	Google Analytics sets this cookie to store a unique user ID.
_ga_*	1 year 1 month 4 days	Google Analytics sets this cookie to store and count page views.
_gid	1 day	Google Analytics sets this cookie to store information on how visitors use a website while also creating an analytics report of the website's performance. Some of the collected data includes the number of visitors, their source, and the pages they visit anonymously.
__gads	1 year 24 days	Google sets this cookie under the DoubleClick domain, tracks the number of times users see an advert, measures the campaign's success, and calculates its revenue. This cookie can only be read from the domain they are currently on and will not track any data while they are browsing other sites.

Cookie	Duration	Description
IDE	1 year 24 days	Google DoubleClick IDE cookies store information about how the user uses the website to present them with relevant ads according to the user profile.
loc	1 year 1 month	AddThis sets this geolocation cookie to help understand the location of users who share the information.
skimGUID	10 years	Set by Slimlinks, this cookie is a unique identifier provided to each device for log analysis to determine the number of unique users for various parts of skimresources.com.
test_cookie	15 minutes	doubleclick.net sets this cookie to determine if the user's browser supports cookies.
_ir	session	This is a Pinterest cookie that collects information on visitor behaviour on multiple websites. This information is used on the website, in order to optimize the relevance of advertisement.
__gpi	1 year 24 days	Google Ads Service uses this cookie to collect information about from multiple websites for retargeting ads.

Cookie	Duration	Description
wp_api	past	Description is currently not available.
wp_api_sec	past	Description is currently not available.
xtc	1 year 1 month	Description is currently not available.

Share this:

Like this: