[Infowarrior] - Hackers offer subscription, support for their malware

[Richard Forno]

Hackers offer subscription, support for their malware
Organised hacking gangs set up malware subscription sites
Jaikumar Vijayan 05/04/2007 08:17:16
http://www.computerworld.com.au/index.php/id;838771320;fp;16;fpid;0;pf;1

Like many just-launched e-commerce sites in the world, this unnamed Web site
has a fairly functional, if somewhat rudimentary, home page. A list of
options at top of the home page allows visitors to transact business in
Russian or in English, offers an FAQ section, spells out the terms and
conditions for software use and provides details on payment forms that are
supported.

But contact details are, shall we say, sparse. That's because the
merchandise being hawked on the site -- no we're not going to say what it is
-- aren't exactly legitimate. The site offers malicious code that webmasters
with criminal intent can use to infect visitors to their sites with a
spyware Trojan.

In return for downloading the malware to their sites, Web site owners are
promised at least 50 Euros -- about US$66 -- every Monday, with the
potential for even more for "clean installs" of the malicious code on end
user systems. "If your traffic is good, we will change rates for you and
make payout with new rates," the site promises.

As organized gangs increasingly turn to cybercrime, sites like the one
described are coming to represent the new face of malware development and
distribution, according to security researchers. Unlike malicious code
writers of the past who tended to distribute their code to a tight group of
insiders or in underground newsgroups, the new breed is far more
professional about how it hawks, plies and prices its wares, they said.

"We've been seeing a growth of highly organized managed exploit providers in
non-extradition countries" over the past year or so, said Gunter Ollmann,
director of security strategies at IBM's ISS X-Force team. For subscriptions
starting as low as $20 per month, such enterprises sell "fully managed
exploit engines" that spyware distributors and spammers can use to
infiltrate systems worldwide, he said.

The exploit code is usually encrypted and uses a range of morphing
techniques to evade detection by security software. It is designed to use
various vulnerabilities to try and infect a target system. And many exploit
providers simply wait for Microsoft's monthly patches, which they then
reverse engineer to develop new exploit code against the disclosed
vulnerabilities, Ollmann said.

"All you've got to do is just subscribe to them on a monthly basis," Ollmann
said. "The going rate is about $20."

One such site was discovered by Don Jackson, a security researcher at
SecureWorks, an Atlanta-based managed security service provider. While
investigating a Trojan named Gozi recently, Jackson discovered that it was
designed to steal data from encrypted SSL streams and send it to a server
based in St. Petersburg, Russia. The Trojan took advantage of a
vulnerability in the iFrame tags of Microsoft's Internet Explorer and had
apparently been planted on several hosted Web sites, community forums,
social networking sites and sites belonging to small businesses.

The server to which the stolen information was sent to held more than 10,000
records containing confidential information belonging to about 5,200 home
users. It was maintained by a group called 76Service and contained
server-side code for stealing data from systems -- as well as code for an
administrator interface and a customer interface for data mining, Jackson
said.

The front end allowed subscribers to login to individual accounts, view
indexed data and get results from queries based on certain fields such as IP
addresses and URLs. Each customer-generated query had a price associated
with it, Jackson said. The currency unit used on the site was WMZ, a
WebMoney unit roughly equivalent to the U.S. dollar, Jackson said. A
customer query returning three passwords for a small retailer might cost 100
WMZ, while a query for 10 passwords for an international bank might fetch
2,500 WMZ or more. Customers could also choose how they wanted their search
results delivered -- as compressed files in e-mails or via FTP.

The actual Gozi Trojan code itself appears to have been purchased by
76Service from a Russian hacking group called the HangUp Team. Such code
typically costs about $1,000 to $2,000, depending on its sophistication,
Jackson said. In addition to the original Trojan, the server also hosted two
ready-to-deploy variants in a separate staging area. The malicious code
included a downloader and a stored password stealer and appeared to be have
been made to order for 76Service.

Often, groups such as the HangUp Team also offer a detection monitoring
service with which they keep an eye on anti-virus vendors to know exactly
when signatures are available that can detect their malware. Customers who
can afford the service are then told to start releasing variants to evade
detection. And customers willing to pay for premium service can get hundreds
of such ready-to-use variants bundled with their initial malware code
purchase.

"When the first variant is detected by many AV vendors and data from new
infections starts to slow, the person providing the executable code is to
spot that and release a new variant," Jackson said.

The actual server hardware that the 76Service used was being managed by
another entity called Russian Business Network (RBN), which provided
SNMP-based management and back-up services. "This ensured a level of service
[comparable to] a hosting provider," Jackson said.

"We are not talking about kids doing it for kicks over the weekend anymore,"
said Yuval Ben-Itzhak,, chief technology officer of Finjan a
Californian-based security vendor. "This is real cash, real money that's
involved here."

A report released last June by Finjan, had already noted a trend towards the
commercialization of malicious code, Ben-Itzhak said. That report noted that
cybercriminals hold "vulnerability auctions" at they sell information on
freshly discovered software flaws to the highest bidder. Another trend
spotted was the packaging of exploits into professional, off-the-shelf tool
kits that can be used to create malicious Web sites. One such tool kit --
Web Attacker -- cost just $300 from a Russian Web site.

"Just like any other legitimate software company, the Russian Web site even
solicited support and update service, and provided detailed reporting
capabilities that could outline the number of people infected per exploit
and per operating system," the Finjan report noted. "The level of investment
in this particular software indicates that there is substantial demand for
such products."