Why it is all too easy to become a cybercriminal

February 19th, 2010

The disclosure of Operation Aurora last month and the outing of the Kneber botnet gang’s stolen booty this week have much in common.

Both involved nothing-out-of-the-ordinary cyberattacks that quixotically rose above the din to grab international headlines.

The mainstream attention is welcomed. It helps to underscore how the Internet underground has advanced to the point where a plethora of powerful hacking tools and services is readily available to novice hackers and elite crime gangs alike – with prices to fit every budget.

“Hackers have more options and are getting better at execution,” says Don Jackson, senior researcher at SecureWorks. “The script kiddie of today is much more dangerous than the script kiddie of five years ago, or even one year ago.”

Pricing of hacking tools

In Operation Aurora, Chinese hackers sent targeted messages to specific senior managers at 30 corporations, luring them to click on a corrupted Web link. Clicking on the link activated a hacking tool designed to tap into a fresh zero-day vulnerability in the Internet Explorer browser. The crooks likely paid $5,000 or maybe more for this cutting-edge malicious code.

Such zero-day attacks have long since become commonplace, of course. The template for zero-day attacks dates back to December 2005 and the antics of the Russian iframeCash.biz gang, led by Andrej Sporaw. The enterprising Sporaw and company flushed out a fresh zero-day hole in a Windows operating system component, the Windows Metafile (WMF) format, and began exploiting the WMF hole to launch pop-up ads for early versions of scareware. You can read about that in this chapter of my book, Zero Day Threat: The Shocking Truth About How Banks and Credit Bureaus Help Cyber Crooks Steal Your Money and Identity.

In the Chinese zero-day attack last month, one of the targeted corporations happened to be Google — in a mood to complain. The search giant cried foul, igniting an international brouhaha over how China does business.

By contrast, the Kneber botnet gang paid nothing for the powerful, simple-to-use ZeuS hacking tool they’ve been using to harvest account logons from tens of thousands of botted PCs inside hundreds of corporate networks. The version they used has for months been readily available for free on criminal forums.

ZeuS is best known as a widely popular banking Trojan. Current versions of ZeuS sell for up to $10,000, and are used by elite cyber gangs to wire funds out of the online banking accounts of small- and medium-sized businesses, as LastWatchdog recounted in this investigative story. But older, free versions of ZeuS work just fine for turning an infected PC into a bot and harvesting all the PC’s account logons that are stored in Web browser cookies, says SecureWorks’ Jackson.

To bot PCs with their free copy of ZeuS, the Kneber gang most likely is patronizing spamming specialists to send out email lures, Facebook messages and Twitter tweets enticing recipients to click on a corrupted Web link. The cost: as low as $10 per 100,000 spammed messages.

Those fooled into clicking on the link got the Kneber gang’s free copy of ZeuS installed. The gang probably spent something on the order of $300 to $1,000 to rent an Internet-connected server on which they collected and stored the harvested account logons delivered by their fresh bots.

Drawing notoriety

It was this command & control/storage server that NetWitness tracked down and accessed in late January. NetWitness’ report on what it found — 68,000 account logons stolen from 75,000 botted PCs in 2,411 corporate networks in 196 countries — drew big headlines in the Wall Street Journal and New York Times. Journal tech security beat reporter Siobhan Gorman reported that the affected companies included Merck, Cardinal Health, Paramount Pictures and Juniper Networks.

NetWitness’ media coup sparked some sniping from rival tech security vendors McAfee and Symantec; each cast aspersions on NetWitness’ characterizations of the significance of its findings. NetWitness shot back with this point-by-point response.

Competitive bickering aside, the fact is any capable researcher could have similarly tracked the Kneber gang’s activities, since they put no effort into stealth. NetWitness went one big step further and exfiltrated stolen data from the gang’s server. Still, “compared to other ZeuS operations, this was minor league,” says Jackson.

Gunter Ollmann, research director at Damballa and a leading botnet expert, says ZeuS is like the iPhone of hacking tools, spawning a multitude of third-party plug-in applications. “There are plenty of tutorials and scripts available for criminals to copy and learn from,” says Ollmann. “Think of ZeuS as a Swiss Army knife with a Lego interface.”

Amateurs are getting more widely involved in harvesting data because there is a rich and robust market for valid account logons, which dangle like candy in the Web browsers of workplace laptops and PCs. And it remains true that many people use the same username and password to gain access to multiple accounts, security experts say.

“There has always been a market for stolen data,” says Frank Kenney, VP of Global Strategy for Ipswitch File Transfer. “Today, the speed at which that information gets leveraged is astounding.”

Corporations are having a difficult time keeping up.

“Most organizations do not have the continuous, real-time monitoring in place to detect this type of activity,” says Phil Neray, vice president of security strategy at IBM’s Guardium subsidiary. “Many of them still focus on defending network perimeters … others focus exclusively on meeting compliance checklists, forgetting that the true mission of security teams is to protect high-value corporate data.”

By Byron Acohido