[ISN] Online crime gangs embrace open source ethos

From: InfoSec News (alerts@private)
Date: Thu Jan 17 2008 - 23:03:15 PST


http://www.theregister.co.uk/2008/01/17/globalization_of_crimeware/

By Dan Goodin in San Francisco 
The Register
17th January 2008

Add the malware bazaar to the list of marketplaces being radically 
reshaped by the forces of globalization.

That's the conclusion of Thomas Holt, a professor of criminal justice at 
the University of North Carolina at Charlotte, who says the marketplace 
for rootkits, Trojans and other software nasties increasingly transcends 
national boundaries. In many respects, malware creation mimics open 
source communities, in which legions of programmers spanning the globe 
tweak one another's code to add new features and fix bugs.

"It seems somewhat different than the standard way of thinking of a 
hacker," says Holt, who presented his findings Thursday to military and 
law enforcement officials at the US Department of Defense's Cyber Crime 
Conference. Crime groups "are looking to one another for assistance. 
It's no longer just a single person distributing malware. Now there 
appear to be groups and there appears to be a distribution of labor."

Holt and a team of researchers scour websites, internet relay chat 
channels and other online forums where malware is discussed and 
distributed. What they're seeing is a collaborative process in which a 
title is released by a hacker in one region and then re-released again 
and again over the next several years in different locales by other 
authors.

Take, for example, the distribution, of Try2DDoS, a tool that automates 
distributed denial of service attacks. It was first released in June 
2005 on Underground Konnekt, a hacker website operating out of France, 
by a user dubbed Libere_ton_espri.

Over the next two years, a program with the same name and containing 
identical source code turned up on boards in China, Guatemala, Russia 
and Argentina and then again in China. As the program moved, it gained 
new capabilities, including support for Spanish and Chinese languages.

The comparison to open source development only goes so far. Three of the 
four individuals reposting the program claimed to be the original 
authors, something Libere_ton_espri or no one else bothered to 
challenge.

To be fair, collaboration among online miscreants isn't exactly new. The 
Rbot Trojan and countless other pieces of malware have been passed 
around the net and modified by script kiddies and seasoned criminals for 
years. What Holt seems to be saying is that the shift of malware 
creation from sport for bragging rights to profit-driven enterprise 
means authors aren't as upset when their work is plagiarized by a rival 
group. The profit motive also seems to have brought a pragmatism to the 
activity, making criminals more willing to collaborate with one another.

The research carries important lessons for law enforcement officers and 
others on the front lines of computer security, to whit: that it's often 
difficult to know who is the original creator of a piece of malware 
making the rounds. More importantly, it shows that malware takes on a 
life of its own once it is released into the wild. Tracking down a 
programmer or group responsible for its creation doesn't mean the 
crimeware is likely to go away.

Social networks are one way cyber gumshoes can learn more about people 
engaged in the creation and trafficking of malware. Holt says his group 
recently found a programmer from Eastern Europe providing surprisingly 
detailed accounts of his life on one site. It included a picture of his 
computer work space and information about his apartment, roommate and a 
next-door neighbor. He even volunteered information about an alcohol 
problem. (Holt declined to provide specifics because he says he is 
working with law enforcement officers to track down the individual.)

Of course, some online crime groups are more tight-lipped than others. 
Groups behind malware branded the Storm Worm and the so-called Rock 
Phishing attacks are notoriously secretive, likely making the monitoring 
of social networks of little value to people tracking such them.

Still, in many cases, it can prove a bonanza.

"Not only can you find information about the person creating the tool," 
Holt says. "You can find a little about their motivation, whether it's 
political or economic. It can give you some real insight into the person 
and that's got some real weight to it."


___________________________________________________      
Subscribe to InfoSec News
http://www.infosecnews.org/mailman/listinfo/isn 



This archive was generated by hypermail 2.1.3 : Thu Jan 17 2008 - 23:12:54 PST