[AI] Credit card theft? There's an app for that

Sanjay ilovecold at gmail.com
Mon Jun 21 02:18:38 EDT 2010

A service industry for malware is making it possible for anyone
with basic computer skills to launch state-of-the-art

by Jim Giles

"INTERESTED in credit card theft? There's an app for that." So says
Gunter Ollmann, a security researcher at Damballa, a company based
in Atlanta, Georgia. He and others are warning of a burgeoning
cybercrime service industry, one which lets people with next to no
programming skills steal a fortune in cash or get hold of sensitive
government documents.

Would-be hackers have long been able to buy rudimentary software
packages that can be used to build malware, such as code that can
steal online banking passwords. Now these hacking tools are being
supported with a range of services, some with a money-back guarantee,
that make it easier than ever to create and spread malware.

"There used to be only a small number of clever criminals who could
pull off these attacks," says Patrick Peterson of online security
company Cisco in San Bruno, California. "Now there is a much lower
barrier to entry."

One such software kit, known as Zeus, epitomises the commercialisation
of the malware services industry. Like other malicious software, Zeus
can easily be bought online, in this case for between $400 and $700.
Detailed instructions on how to use it are readily available, too.

What sets Zeus apart is that it enables someone with minimal computer
skills to create sophisticated malware that can be used to steal
online banking credentials or sensitive documents. "It represents a
sea change in innovation, beyond anything we've seen before," says

As an example of what is possible using Zeus, one recent attack netted
sensitive US government documents, reports Nart Villeneuve, a
security researcher at the Munk Centre for International Studies at
the University of Toronto, Canada. The attack began in February
with a series of emails sent to senior officials in the US military,
the Federal Aviation Administration and other government agencies,
purporting to contain links to vital security information.

In reality, clicking on the links resulted in malware built with Zeus
being installed on the user's machine. The attack was sophisticated
enough to dupe some of its targets, and as a result 81 machines were
compromised. Villeneuve was able to identify 1533 documents from the
compromised machines that ended up on a computer in Belarus, including
defence contracts, documents relating to biological and chemical
terrorism and the security plan for a US airport. The identity of the
person who siphoned off the documents is unknown.

The ease with which Zeus can be used has been enhanced by the support
services, including customised hacking tools, that have grown up
around it, Ollmann says. If, for example, criminals know that the
computer they are targeting is in Spain, they can plug in additional
software designed to mount attacks on Spanish banks. Plug-ins like
this are available online for around $30, Ollmann says.

The key to successful malware lies in tricking users into unwittingly
installing it. And now even dilettante hackers can spread their
malware by paying more technically adept criminals to do it for them.

Peterson cites the example of Fragus, a sophisticated piece of
software he first observed last summer. Fragus is deployed initially
by skilled hackers, who break into web servers and install it. Once in
place, it searches for vulnerabilities in the browsers used by
visitors to these websites. If it finds a way in, Fragus can be
programmed to covertly send a piece of Zeus-created malware to the
visitor's computer. This allows hackers to sell malware installation
as a service to less skilled criminals.

Fragus also delivers feedback on which browsers it has cracked and
where the users of those browsers are based. "That data can be used to
target a particular country," says Henry Stern, a colleague of
Peterson's at Cisco. Stern says he is currently aware of a few dozen
websites infected by Fragus, and that it had previously been used to
deliver malware to people accessing websites belonging to a widely
read US newspaper.

Zeus and Fragus can be reined in (see "Hitting back at hackers"),
but even here the malware service industry is trying to stay one step
ahead. So while many companies provide software that, for example, can
detect the presence of malware built with Zeus, another layer of
cybercrime activity is devoted to finding ways to bypass those

To check whether a piece of malware is on the security companies'
blacklists, hackers can send their creations to websites such as
virtest.com, which for just $1 will try the code out on more than
20 antivirus products. If the malware fails the test, would-be
criminals can simply upload their malware to another site that will
tweak it to render it unrecognisable.

The online security industry is warning that this proliferation of
"malware as a service" products is likely to result in far more potent
attacks. There is already anecdotal evidence that hackers are paying
more attention to company rather than personal bank accounts, for
example, and to breaching government computers, says Villeneuve.

Hitting back at hackers
There is no anti-malware magic bullet, but a range of techniques are
emerging that can help limit the damage malware causes.

For example, nobody should accept friend requests on online social
networks from people they do not know. Hackers have created fake
profiles and used these to persuade workers at several large firms to
follow a link that installs malware. And, of course, you should never
click on a link in an email unless you are certain the message comes
from a trusted contact.

Companies and other large organisations are vulnerable, however,
because employees are likely to slip up at some point. To protect
against that, in-house security teams should be thinking about going
beyond standard antivirus protection, says John Pirc, a director
at the IT security firm McAfee, in Austin, Texas. One option, called
session-based analysis, involves monitoring all computer traffic into
and out of a company. The aim is to spot suspicious patterns of
activity, such as data flowing to a computer in a country that the
company does not do business with. Pirc says that the approach can
pick up danger signs even if no identifiable piece of malware has been
