CHAPTER 2: CRIMEWARE PRODUCTS

This chapter describes the different varieties, and the evolution, of commercially available crimeware: from toolkits that exploit operating system vulnerabilities, to malware as a service, to the crime accessories of cyber hooligans and thieves.

“Zero Day” exploit toolkits

In October of 2008, a commercial “Zero Day” attack pack was made available to the Chinese hacking community via a well-known public hacking repository website. The attack pack exploited a Microsoft® Windows® vulnerability, named MS08-067, which could allow remote code execution if an affected system received a specially crafted remote procedure call request.17 As soon as this vulnerability became known, the MS08-067 port scanning toolkit with attack capability (the attack pack) went on sale, complete with a user interface and usage instructions.18

According to researchers from major antivirus research labs, this kit allowed its “customers” to make money from pay-per-click sites using infected machines. This toolkit provided a DDoS attack option, could terminate popular antivirus software in China, and provided stealth capability.19 The hacker even provided a customer service disclaimer that his tools must never be used for “legal purposes” and that they are sold for “research use” only. “For customer service [purposes], he has also warned his ‘customers’ about ‘trojanized’ versions of his kit distributed by others on the Internet, that will install a backdoor to spy on the backdoor user.”20

Toolkits like this are particularly dangerous because they exploit system vulnerabilities that may still be unknown to the security community. Operating systems and browsers are the most targeted platforms for Zero Day attacks.

“Zeus”

Perhaps the most infamous commercial malware package is “Zeus”, also known as “Zbot”. Zeus is described as a malware package that is readily available for sale and also traded in underground forums. The package contains a builder that can generate a bot executable and web server files, such as images, PHP templates, and SQL templates, for use as the C&C server. Zeus is a generic back door that allows full control by an unauthorized remote user, and the primary function of Zeus is financial gain — stealing online credentials such as FTP, e-mail, online banking, and other online passwords.21

It has been alleged that Zeus was created by a Russian hacker with the code name “Slavik/monster”. Since as early as 2008, Zeus has been readily available to buy in underground forums for as little as $700 and up to $8,000 for the newest version with all available features.22 Ironically, the latest version of Zeus uses classic copy protection mechanisms to prevent the use of unlicensed pirate copies.23

The biggest news story involving Zeus was about an international financial crime ring. The cyber thieves who used Zeus did not target large corporations or banks, but instead went after the accounts of medium-sized companies, towns, and even churches that did not have state-of-the-art security technology.24 Using Zeus, hackers in Russia and Eastern Europe infected computers around the world.

The FBI found that the virus was carried in an email, and when targeted individuals at businesses opened the e-mail, the malicious software installed itself on the victimized computers, secretly capturing passwords, account numbers, and other data related to financial accounts.25

Before being caught, the members of the theft ring managed to steal $70 million. In fact, this theft ring attempted to steal some $220 million and was actively involved in using Zeus to infect more computers.26 They were caught thanks to the collaboration of international law enforcement organizations across international borders.27

Recently the source code for Zeus was released into the “wild,” i.e. it became available to anyone who wants it. The source code was reportedly uploaded to a file-sharing site and then the link was posted to a malware forum.28 This could be potentially dangerous if it gets into the hands of people who really know how to use it. The source code is written in C++ and requires someone with fairly good knowledge of C++ to figure out the code.29 There are plenty of C++ hackers, however, who would be able to figure out this code and “improve” it for malicious purposes.

Not unlike a legitimate merger and acquisition, it has been confirmed as of March of 2011 that the creator of Zeus sold this source code to the people who make “SpyEye”, another malware that is used to steal financial information.30

“SpyEye”

In December of 2009 a new malware toolkit known as “SpyEye” started to appear for sale on Russian underground forums. The starting price of this toolkit was $500.31 Shortly afterwards, SpyEye became a competitor to Zeus and a contender for the “king of the banking bots” position. SpyEye and Zeus took their rivalry seriously, and the last version of SpyEye contained the feature “Kill Zeus.”32 The “Kill Zeus” feature actually removed Zeus from an infected system so only SpyEye would run.33

The creators of the SpyEye malware kit went out of their way to make it appealing and user-friendly with a user interface that rivals commercial applications. The main interface has a “Hack the Planet!” logo, and it displays how many bots are online and how many bots are currently part of the botnet.34

According to major antivirus software organizations, the merged SpyEye/Zeus bot toolkit has already been released into the hands of hackers who use it to create Trojan horses that infiltrate mobile devices.35

“Darkness” DDoS botnet tool

Another commercially available threat, which came to the attention of the cybersecurity community in 2010, is known as the “Darkness” botnet. It has rapidly proliferated in 2011, and still continues to gain momentum. Unlike Zeus and SpyEye, Darkness does not steal or spy. It spreads to create a DDoS network that is controlled by several domains hosted in Russia.36 It goes after targets primarily in Europe and the USA.37 Darkness is an example of malware as a service (MaaS).

The makers of this crimeware do not engage in attacks themselves, but rent their product out to others, and charge by the number of sites and the amount of damage desired:

  • 30 bots overwhelm an average site;
  • 300 bots – a medium-sized site;
  • 1,000 bots – a large site;
  • 5,000 bots – a cluster of sites, even when using anti-DDoS blocks and other preventive measures.

Fifteen to twenty thousand bots can theoretically bring down a major social networking site.38

An attack with 1,000 bots, enough for a large site, sold for $50 a day.39

A higher-end version of Darkness that includes three different C&C servers, providing some built-in redundancy, costs about $350. This DDoS kit comes complete with the administration panel to create, dispatch, monitor, and control the army of bots that infects PCs all over the world.

In December of 2010, an older version of the Darkness code became available for free in various underground forums. The free release was followed by a slew of new Darkness botnet C&C servers waging DDoS attacks.40

17 “Microsoft Security Bulletin MS08-067 – Critical”. Microsoft TechNet. October 23, 2008. www.microsoft.com/technet/security/bulletin/ms08-067.mspx (accessed May 23, 2011).

18 Ren, Haowei. “Exploit-MS08-067 Bundled in Commercial Malware Kit.” McAfee Labs. November 14, 2008. http://blogs.mccafee.com/mcafee-labs/exploit-ms08-067-bundled-in-commercial-malware-kit (accessed May 23, 2011).

19 Ibid.

20 Ibid.

21 Falliere, Nicolas, and Eric Chien. “Zeus: King of the Bots.” Symantec Security Response. www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/zeus_king_of_bots.pdf (accessed May 23, 2011).

22 Ibid.

23 Stevens, Kevin, and Don Jackson. “ZeuS Banking Trojan Report.” Dell SecureWorks. March 11, 2010. www.secureworks.com/research/threats/zeus/?threat=zeus (accessed May 19, 2010).

24 “Cyber Banking Fraud: Global Partnerships Lead to Major Arrests.” FBI. January 10, 2010. www.fbi.gov/news/stories/2010/october/cyber-banking-fraud/cyber-banking-fraud (accessed May 20, 2011).

25 Ibid.

26 Ibid.

27 Ibid.

28 Stevens, Kevin. “ZeuS Source Code Already in the Wild.” TrendLabs Malware Blog. March 31, 2011. http://blog.trendmicro.com/zeus-source-code-already-in-the-wild/ (accessed May 23, 2011).

29 Ibid.

30 Ibid.

31 Coogan, Peter. “SpyEye Bot versus Zeus Bot.” Symantec. February 22, 2010. www.symantec.com/connect/blogs/spyeye-bot-versus-zeus-bot (accessed May 13, 2011).

32 Ibid.

33 Ibid.

34 Stevens, Kevin. “The SpyEye Interface, Part 1: CN 1.” TrendLabs Malware Blog. October 3, 2010. http://blog.trendmicro.com/the-spyeye-interface-part-1-cn-1/ (accessed May 23, 2011).

35 Kharouni, Loucif. “SpyEye/ZeuS Toolkit v1.3.05 Beta.” TrendLabs Malware Blog. January 24, 2011. http://blog.trendmicro.com/spyeyezeus-toolkit-v1-3-05-beta/ (accessed May 24, 2011).

36 Jackson Higgins, Kelly. “Active ‘Darkness’ DDoS Botnet’s Tool Now Available For Free.” Dark Reading. January 24, 2011. www.darkreading.com/insiderthreat/167801100/security/attacks-breaches/229100144/active-darkness-ddos-botnet-s-tool-now-available-for-free.html (accessed September 1, 2011).

37 DiMino, Andre’ M. “BlackEnergy competitor – The ‘Darkness’ DDoS Bot.” Jeff Liford (dot) com. December 6, 2010. http://jliford.blogspot.com/2010/12/blackenergy-competitor-darkness-ddos.html (accessed August 1, 2011).

38 Storm, Darlene. “Evil new DDoS botnet lurking in the Darkness.” Computerworld. December 7, 2010. http://blogs.computerworld.com/17489/evil_new_ddos_botnet_lurking_in_the_darkness (accessed August 1, 2011).

39 Ibid.

40 Jackson Higgins, Kelly. “Active ‘Darkness’ DDoS Botnet’s Tool Now Available For Free.” Dark Reading. January 24, 2011. www.darkreading.com/insiderthreat/167801100/security/attacks-breaches/229100144/active-darkness-ddos-botnet-s-tool-now-available-for-free.html (accessed September 1, 2011).
