Feeds

Online crime gangs embrace open source ethos

Malware gets globalized

The essential guide to IT transformation

Add the malware bazaar to the list of marketplaces being radically reshaped by the forces of globalization.

That's the conclusion of Thomas Holt, a professor of criminal justice at the University of North Carolina at Charlotte, who says the marketplace for rootkits, Trojans and other software nasties increasingly transcends national boundaries. In many respects, malware creation mimics open source communities, in which legions of programmers spanning the globe tweak one another's code to add new features and fix bugs.

"It seems somewhat different than the standard way of thinking of a hacker," says Holt, who presented his findings Thursday to military and law enforcement officials at the US Department of Defense's Cyber Crime Conference. Crime groups "are looking to one another for assistance. It's no longer just a single person distributing malware. Now there appear to be groups and there appears to be a distribution of labor."

Holt and a team of researchers scour websites, internet relay chat channels and other online forums where malware is discussed and distributed. What they're seeing is a collaborative process in which a title is released by a hacker in one region and then re-released again and again over the next several years in different locales by other authors.

Take, for example, the distribution, of Try2DDoS, a tool that automates distributed denial of service attacks. It was first released in June 2005 on Underground Konnekt, a hacker website operating out of France, by a user dubbed Libere_ton_espri.

Over the next two years, a program with the same name and containing identical source code turned up on boards in China, Guatemala, Russia and Argentina and then again in China. As the program moved, it gained new capabilities, including support for Spanish and Chinese languages.

The comparison to open source development only goes so far. Three of the four individuals reposting the program claimed to be the original authors, something Libere_ton_espri or no one else bothered to challenge.

To be fair, collaboration among online miscreants isn't exactly new. The Rbot Trojan and countless other pieces of malware have been passed around the net and modified by script kiddies and seasoned criminals for years. What Holt seems to be saying is that the shift of malware creation from sport for bragging rights to profit-driven enterprise means authors aren't as upset when their work is plagiarized by a rival group. The profit motive also seems to have brought a pragmatism to the activity, making criminals more willing to collaborate with one another.

The research carries important lessons for law enforcement officers and others on the front lines of computer security, to whit: that it's often difficult to know who is the original creator of a piece of malware making the rounds. More importantly, it shows that malware takes on a life of its own once it is released into the wild. Tracking down a programmer or group responsible for its creation doesn't mean the crimeware is likely to go away.

Social networks are one way cyber gumshoes can learn more about people engaged in the creation and trafficking of malware. Holt says his group recently found a programmer from Eastern Europe providing surprisingly detailed accounts of his life on one site. It included a picture of his computer work space and information about his apartment, roommate and a next-door neighbor. He even volunteered information about an alcohol problem. (Holt declined to provide specifics because he says he is working with law enforcement officers to track down the individual.)

Of course, some online crime groups are more tight-lipped than others. Groups behind malware branded the Storm Worm and the so-called Rock Phishing attacks are notoriously secretive, likely making the monitoring of social networks of little value to people tracking such them.

Still, in many cases, it can prove a bonanza.

"Not only can you find information about the person creating the tool," Holt says. "You can find a little about their motivation, whether it's political or economic. It can give you some real insight into the person and that's got some real weight to it." ®

Next gen security for virtualised datacentres

More from The Register

next story
Ice cream headache as black hat hacks sack Dairy Queen
I scream, you scream, we all scream 'DATA BREACH'!
Goog says patch⁵⁰ your Chrome
64-bit browser loads cat vids FIFTEEN PERCENT faster!
NIST to sysadmins: clean up your SSH mess
Too many keys, too badly managed
Scratched PC-dispatch patch patched, hatched in batch rematch
Windows security update fixed after triggering blue screens (and screams) of death
Researchers camouflage haxxor traps with fake application traffic
Honeypots sweetened to resemble actual workloads, complete with 'secure' logins
Attack flogged through shiny-clicky social media buttons
66,000 users popped by malicious Flash fudging add-on
New Snowden leak: How NSA shared 850-billion-plus metadata records
'Federated search' spaffed info all over Five Eyes chums
Three quarters of South Korea popped in online gaming raids
Records used to plunder game items, sold off to low lifes
Oz fed police in PDF redaction SNAFU
Give us your metadata, we'll publish your data
prev story

Whitepapers

5 things you didn’t know about cloud backup
IT departments are embracing cloud backup, but there’s a lot you need to know before choosing a service provider. Learn all the critical things you need to know.
Implementing global e-invoicing with guaranteed legal certainty
Explaining the role local tax compliance plays in successful supply chain management and e-business and how leading global brands are addressing this.
Backing up Big Data
Solving backup challenges and “protect everything from everywhere,” as we move into the era of big data management and the adoption of BYOD.
Consolidation: The Foundation for IT Business Transformation
In this whitepaper learn how effective consolidation of IT and business resources can enable multiple, meaningful business benefits.
High Performance for All
While HPC is not new, it has traditionally been seen as a specialist area – is it now geared up to meet more mainstream requirements?