The Online Shadow Economy of Malware

November 1st, 2008 | No Comments | Posted in Security, crime, privacy
[Figure: malware growth chart by year]

A multi-billion dollar market exists for malware authors. Malware, meaning computer viruses, trojans and spyware, is about money. The teenagers who wrote viruses have grown up and now they’re trying to make money. The shadow Internet economy is worth over $105 billion. Online crime is bigger than the global drugs trade. There is a sophisticated online black market with tens of thousands of participants. Collectively, online criminals are using the techniques of the free market to subvert and corrupt legitimate online business.

Dot.com entrepreneurs of crime

Maksym Schipka, Senior Architect at MessageLabs, has been spending a lot of time exploring this criminal underworld. He has been looking at Russian websites, chat forums and exchanges because he understands the language and because they are the most active. However, there are similar online markets in other countries. In the shadow economy, people boast of making $10,000 a day and while this may be bravado, people are making good money in the shadow economy. With little chance of being caught and so much money at stake, it is little wonder that “a huge number of people are involved,” according to Schipka.

Division of labor

The big surprise is the level of specialization and the sophistication of the market. Picture a mall: some shops sell clothes, some sell food, others sell books and so on. Each shop is specialized and dedicated to one type of product. For each type of product, there are several shops competing to offer better prices and better service. This is what the shadow economy is like.

Let’s look at one online crime and see how it breaks down into a series of specialized trades. First, malware writers create new viruses, spyware, and trojans to infect computers. For as little as $250 you can buy custom-written malware, and for an extra $25 a month you can subscribe to updates that will ensure your malware evades detection. The vast majority of malware authors do not distribute it themselves. In fact, they make great play of offering their software “for educational purposes only” in the hope that this offers some immunity from prosecution.

A malware middleman buys malware from a programmer and uses the services of a botnet owner to spread it. A botnet is a remotely-controlled network of computers that have been infected by a virus. Typically, they are poorly protected computers belonging to innocent people around the world. You may have a bot running on your PC now and not know it. These computers give botnet owners the computing horsepower and network connectivity to spam out millions of emails or send out hundreds of thousands of trojan attacks or host a malicious website. Once the malware has spread, the middleman can sit back and start to collect stolen information and identities.

The middleman sells the stolen identities to make money. A full identity sells for around $5. This includes full name and address, a passport or driving licence scan, credit card numbers and bank account details. Credit card numbers sell for 2-5% of the remaining credit balance on the cards in question. Identity thieves offer their customers a high level of service. For example, you can buy identities sorted by country, industry, role; and credit cards sorted by remaining balance.

There is another category of middleman who specializes in turning stolen credit card identities into cash. He will buy credit card information and then use a “drop service.” A drop is someone who receives goods purchased with a stolen credit card. Some are criminal fences; others are unwitting dupes doing it for cash. A middleman buys goods from online shops – typically cameras and portable computers – and then ships them to drops. The drops, in turn, post them on or sell them immediately for cash. This is how a stolen credit card is laundered.

Scammers scammed

They say there’s no honor among thieves. This is also true of the shadow economy. Fraud and rip-offs are so common that a system of guarantors and escrow accounts has emerged. For example, a drop service provider might offer a guarantee to an identity thief that they will be paid their cut of the sale of any goods, even if individual fences don’t pay up.

Similarly, guarantors will provide an escrow service. For example, a buyer will transfer payment to the guarantor and the seller will transmit the virus code or the credit card numbers. If the goods check out, the funds are released. Typically, these guarantors take 2-3% of the transaction value for their services. The emergence of these services shows a developing sophistication in the market, driven by economics more than technology or the demands of organized crime. It also shows there are participants who value their long-term reputation. These are worrying signs.

Continuous improvement

Another sign of growing sophistication is the continuous improvement in the quality of products on sale in the shadow economy. Malware writers work hard to test their products against anti-virus software. They offer guarantees that a given virus or trojan will not be detected using current antivirus programs. If vendors update their software, then the malware author will supply a new version.

Conventional anti-virus programs rely on “signatures” to detect malware. A signature is similar to a DNA fragment that identifies the virus and separates it from legitimate data. Anti-virus programs scan email attachments and other files to check that they contain no known signatures. As new malware comes to light, anti-virus vendors issue signature updates. However, they can only find a new signature after a new virus is in the wild and is released on the Internet. Worse, malware authors can also download the signatures and test their creations against the latest updates. Schipka’s research suggests that malware authors can produce new, unique malware every 45 seconds in order to keep it undetected.

This is where the MessageLabs service is so valuable. As malware developers get more sophisticated, they find it easier to stay one step ahead of signature-based detection. MessageLabs uses signatures, but also has a second line of defense: its proprietary Skeptic™ engine. This heuristic scanner can detect malware without signatures. Moreover, the bad guys can’t buy it and use it to test their malware. The only people who have access to Skeptic are MessageLabs and the only people who benefit from it are MessageLabs customers. Ultimately, says Schipka, “The only thing you can rely on is very good, well-managed heuristic detection.”

The free market and the future of online crime

The shadow economy has all the attributes of a traditional economy – division of labor, price competition, marketing and so on – accelerated to Internet speed and carried out online. Adam Smith, the pioneering political economist, in his Wealth of Nations, foresaw that the division of labor could increase productivity and quality. Similarly, competition drives down prices and tends to drive innovation. While it is interesting to observe these classical economic principles at work, they hold a terrible warning: malware is going to get more common and more virulent. Companies that rely on the Internet and email need the best protection they can get.

Sarah Palin’s Email Account

September 18th, 2008 | 3 Comments | Posted in Politics, privacy

The internet activist group “Anonymous,” famed for its exposure of unethical behavior by the Scientology cult, has now gone after the Alaskan governor and Republican Vice-Presidential candidate Sarah Palin.

At around midnight last night some members affiliated with the group gained access to governor Palin’s email account “gov.palin@yahoo.com” and handed over the contents to the government sunshine site Wikileaks.org.

[Photo: one of the family photos from the account]

Governor Palin has come under media criticism in the past week for using private email accounts to avoid Alaskan freedom of information laws. The contents of the mailbox show this to be true and also hold clues of at least one other Yahoo-based mail account held by Palin, “gov.sarah@yahoo.com”.

The zip archive made available by Wikileaks contains screenshots of Palin’s inbox, two example emails, the address book and a couple of family photos. The list of correspondence, together with the account name, tends to reinforce the earlier criticism of Palin’s email use.

The list of emails includes an exchange with Alaskan Lieutenant Governor Sean Parnell about his campaign for Congress. Another screenshot shows Palin’s inbox and an e-mail from Amy McCorkell, whom Palin appointed to the Governor’s Advisory Board on Alcoholism and Drug Abuse in 2007.

The e-mail, a message of support to Palin, tells her not to let negative press get to her and asks Palin to pray for McCorkell, who writes that “I need strength to 1. keep employment, 2. not have to choose.”

According to Kim Zetter of Wired Magazine, McCorkell confirmed that she did send the e-mail to Palin.

Subsequent tests by Wikileaks reveal that both Palin’s “gov.palin@yahoo.com” and her unrelated “gov.sarah@yahoo.com” account have now been deleted, almost certainly by Palin herself.

According to the Guardian, who has looked at the Wikileaks data, among the emails in Palin’s account were several from addresses belonging to her aides, including a draft letter to California governor Arnold Schwarzenegger, a discussion of nominations to the state court of appeals, and several bearing “DPS”, the acronym for the Alaska Department of Public Safety.

DPS supervises the Alaska state troopers. Could the e-mails in question be relevant to the brewing ethics storm over Palin’s push to sack her former brother-in-law from the force?

The contact list also holds the private email accounts of other official representatives, including those of Alaska’s Kris Perry and Sharon Leighow.

[Screenshots of the inbox]

Note that the ‘ctunnel.com’ reference in the browser screen shots is to a proxy service used to prevent the activists from being traced.

Wikileaks may release additional emails should they prove to be of political substance.

Account information used by the anonymous ‘hacktivists’:

Webcam Hackers Arrested

September 9th, 2008 | No Comments | Posted in Security, Technology

A Gainesville, Fl., and a Cyprus man are both in jail after using women’s Webcams to shoot video and photos of them without their knowledge.

The Gainesville Sun reports that Craig Matthew Feigin, a 23-year-old Los Angeles native, is being charged with modifying computer data and disrupting or denying computer system services. Feigin is accused of installing software on a woman’s computer, and then using the software to remotely control the camera to shoot video of the woman and her friends without their knowledge.

Ars Technica identifies the woman as Marisel Garcia and reports that she had left her malfunctioning computer with Feigin, a University of Florida student, for repairs on July 4.

After she got the machine back, Garcia noticed problems – reduced battery life and a light that indicated her built-in camera was on each time she got near the computer. A friend with IT experience found the software.

According to Gainesville police, Feigin – who was reportedly shocked and surprised to have been arrested – shot videos that were used to create more than 20,000 photographs of Garcia in various stages of undress, which were sent to an Eastern European server.

[Gainesville Police Detective Joseph] Mayo said Feigin admitted installing the programs on the woman’s computer, viewing photographs of the woman on the server and controlling the woman’s computer remotely over the Internet. Further, Mayo said, Feigin admitted to having done the same things to another woman’s computer.

“We have eight or nine more potential victims that we know of now,” Mayo said Friday. “We believe some of them may be students at UF or at Santa Fe (College).”

Mayo said Feigin had ties to a Web site that appears to repackage and market the freeware for $8.88 as a tool to catch cheating spouses and other domestic activities like drinking babysitters. Detectives estimated Feigin made fewer than 10 sales.

In a related story, Sophos is reporting that a 47-year-old computer technician in Cyprus has been jailed for four years after he hacked a teenage girl’s Webcam through a Trojan horse virus (which he’d e-mailed to her), took compromising photos of her and then blackmailed the girl by threatening to send the photos to all of her e-mail contacts unless she agreed to pose nude for him.

The girl refused and went to the police. The man was arrested in 2005, but was only sentenced this week.

“Most spyware is designed to steal your identity, your passwords, your banking information—but it is just as easy to program a Trojan horse to take over your webcam,” said Graham Cluley, senior technology consultant for Sophos. “This case highlights that as well as malware being used for financial gain, it can also be used by voyeurs. Everyone needs to treat computer security as paramount importance to ensure they do not fall victim to an internet blackmailer or peeping tom.”

U.K. Hacker Fighting U.S. Extradition

June 18th, 2008 | No Comments | Posted in Security

A U.K. hacker accused of accessing US military and NASA computers has taken his case against extradition to the House of Lords, arguing it would breach his human rights. Gary McKinnon, known as Solo, has never denied that he hacked into 97 US military and NASA computers from his London home in 2002. It was called the “biggest military computer hack of all time” and McKinnon was arrested – but never charged in the UK. He always claimed he did it because he was curious, and that it was only due to lax security that he was able to infiltrate the networks.

Now he’s taking his case against extradition to the final court of appeal – the House of Lords – claiming having to face trial in the US would breach his human rights.

In the High Court, McKinnon’s solicitors unsuccessfully argued that he’d face a lengthy pre-trial detention with no prospect of bail, and that his sentence could amount to over 45 years, and that he wouldn’t be allowed to serve any of it in the UK, but judges weren’t moved.

In this appeal, the Law Lords will examine supposed threats to McKinnon from US authorities, including one by a New Jersey prosecutor who reportedly told him he would “fry.” They also allege that the former FBI legal attache and a legal representative of the US government attempted to coerce him into waiving his extradition rights during 2003.

McKinnon’s solicitor, David Pannick, told the court:

“The US had attempted to secure [McKinnon’s] voluntary surrender and guilty pleas by plea bargain tactics that were coercive and involved threats regarding the duration of his sentence of imprisonment.”

In the US he’s wanted for five counts of “fraud and related activity on government computers”, as well as one other indictment, ZDNet reports.

Government Web Hackers Arrested

May 18th, 2008 | No Comments | Posted in Security

Spanish police have arrested five young computer hackers who allegedly disabled Internet pages run by government agencies in the U.S., Latin America and Asia, authorities said Saturday.

The National Police described the suspects as belonging to one of the most active hacker groups on the Internet and said two of the suspects are only 16 years old. The others are 19 or 20.

On the Internet, the group calls itself D.O.M Team, police said.

One of the group’s techniques was to infiltrate Web sites and insert a page of its own, police said. A Google search turns up several hits with pages that fit this description.

The group attacked some 21,000 Web pages over the last two years, police said in a statement. The five were arrested this week in Barcelona, Burgos, Malaga and Valencia.

The statement did not identify which government Web sites the suspects are accused of tampering with.

The Spanish newspaper El Mundo reported in March that the group had infiltrated NASA’s Web page, but a police official said Saturday she could not confirm this. The official spoke on condition of anonymity in line with department rules.

The group also hacked the Venezuelan national telephone company’s page, and that of the Spanish telephone operator Jazztel, among others, the paper said.

El Mundo said it had contacted the group, which described itself not as a bunch of delinquents but as computer-lovers who raid Web sites to show system administrators the pages’ vulnerabilities.

The Spanish investigation began in March after the Web page of a Spanish political party, Izquierda Unida, was disabled shortly after Spain’s general election March 9.

The five suspects did not know each other personally, but rather just over the Internet. They were in contact with other members of the hacking group, mainly in Latin America, police said.
