Crimeware giants form botnet tag team
Rock Phish's big, fat, fast-flux network
The Rock Phish gang - one of the net's most notorious phishing outfits - has teamed up with another criminal heavyweight called Asprox in overhauling its network with state-of-the-art technology, according to researchers from RSA.
Over the past five months, Rock Phishers have painstakingly refurbished their infrastructure, introducing several sophisticated crimeware packages that get silently installed on the PCs of its victims. One of those programs makes infected machines part of a fast-flux botnet that adds reliability and resiliency to the Rock Phish network.
"We suspect the Rock Phish gang now has an up-to-date, highly reliable fast-flux network to be used for whatever they need - a major upgrade from the previous simplistic proxy client used before," members of the RSA FraudAction Research Lab wrote.
Based in Europe, the Rock Phish group is a criminal collective that has been targeting banks and other financial institutions since 2004. According to RSA, they are responsible for half of the worldwide phishing attacks and have siphoned tens of millions of dollars from individuals' bank accounts. The group got its name from a now discontinued quirk in which the phishers used directory paths that contained the word "rock."
The first sign the group was expanding operations came in April, when it introduced a trojan known alternately as Zeus or WSNPOEM, which steals sensitive financial information in transit from a victim's machine to a bank. Shortly afterward, the gang added more crimeware, including a custom-made botnet client that was spread, among other means, using the Neosploit infection kit.
Careful readers will know that Neosploit has long been used to make PCs part of Asprox, a botnet that specializes in sending spam used in phishing campaigns. (Asprox is also legendary for the recent spate of SQL injection attacks on high-profile websites, including those carrying news of the 2008 Olympic games and the British government.)
Soon, additional signs appeared pointing to a partnership between Rock Phishers and Asprox. Most notably, the command and control server for the custom Rock Phish crimeware had exactly the same directory structure as many of the Asprox servers, leading RSA researchers to believe Rock Phish and Asprox attacks were using at least one common server. (Researchers from Damballa were able to confirm this finding after observing malware samples from each of the respective botnets establish HTTP proxy server connections to a common set of destination IPs.)
RSA researchers also noticed that a decrease in phishing attacks hosted on Rock Phishers' old servers coincided with never-before-seen phishing attacks used on the Asprox botnet.
The move is one more example of the specialization that's taking place in the world of online crime. Borrowing a page from the "best of breed" philosophy of Sun's Scott McNealy, criminal enterprises don't want to spend months or years building technology if they can pay someone else to do it better and faster. And given the talent out there, why should they?
In this case, Rock Phishers seem to be betting that the spoofed pages used in their phishing attacks will remain up longer using fast-flux technology from Asprox.
"It just shows that these guys know each other and are willing to provide services to each other," said Joe Stewart, a researcher at SecureWorks who has spent years tracking Asprox and groups that use fast-flux botnets. "This goes on in the underground all the time." ®
How about some of the major players like Symantec, Microsoft, and the networks, make a reverse bot that when awakened by a worm, trojan, virus, bot, (or any other threat), will send out ringers to locate the final destination (follow the money), as well as "Infect Their Machine".
Just because he is a genius, doesn't mean he isn't evil.
The way to get them
Forget trying to track the net comms, the way to catch these people is to do it the old-fashioned way, follow the money and infiltrate. Computer evidence will only be useful when you know who they are and can seize their machines.
The problem seems to be a lack of desire on the part of the relevant powers to really want to shut them down.
RE: I thought
The high-end crooks are too savvy to fall that easily. They are smart enough to encrypt their connections to make the material look like so much trash and/or use obfuscation that makes it look indistinguishable from a simple HTTP request. Fast-flux botnets and decentralized administration mean there is no single point of weakness to track or take down. Furthermore, many of these organizations have international if not intercontinental reach, making any kind of legal proceedings difficult should they be caught (for example, suppose the head of one of these botnets turns out to live in a country hostile to the accusing country).