
Article received from Simon Heron, Managing Director of Network Box (UK) Ltd, a unified threat management company
GANG CULTURE IN THE ONLINE WORLD
Trojans, Bullying, Spam and Other Wars In Your PC
The era when script kiddies were the primary online threat has long since passed. Today, hacking and malicious code are big business. Too big, it would seem, for some blackhats to manage single-handed.
The financial returns for online crime are staggering. In the UK alone, recorded online banking fraud jumped from £23.2m in 2005 to £33.5m in 2006, according to Apacs, the UK payments association. In the USA, where the online payments systems are less secure than in Europe, Gartner reports that the losses through phishing attacks amounted to 2.75 billion dollars in 2005. As a result, cyber gangs are emerging as the illicit and lucrative business of hacking moves beyond the reach of one perpetrator alone.
A couple of years ago, when online scams such as phishing were relatively new phenomena, an email containing grammatically incorrect English may have been enough to dupe a recipient. Similarly, a phishing website may not have been an exact replica of a bank’s, but it was familiar enough to fool a significant number of people and turn a tidy profit.
Consumers and businesses, however, are getting wiser and are less easily hoodwinked. A curious spelling or poorly constructed sentence in an email is often enough to alert most people to its fraudulent nature. All of which means blackhats’ social engineering techniques need to be as sharp as their malicious code.
Pooling skills and resources
The problem is, a good hacker is not necessarily a natural wordsmith. Someone who finds scripting duplicitous emails very easy may not have the technical nous to deliver the scam, and vice versa. And what about selling made-to-order malware – who is going to hawk the (mal)wares and bring in the orders while someone else is busy exploiting the vulnerability before the software vendor or anti-virus industry issues a patch?
For those serious about making big sums of cash, expanding from underground sole trader to cyber gang is a natural progression and there does not seem to be a shortage of hackers willing to form a collective. This is because plying a criminal trade as part of a cyber gang has a number of immediate advantages over doing so in the offline world. Firstly, it is far harder to get caught – online crimes are ‘faceless’ criminal acts and the fact gangs operate across borders makes their capture even more difficult. Secondly, even if they are caught, cross-border prosecution is problematic for the appropriate authorities to pursue and any eventual punishment is likely to be lenient.
Gang origins and characteristics
The majority of the gangs appear to originate from three distinct areas: from Eastern Europe (Russia in particular); from the US; and from China. But while their motivations run more or less parallel – that is, to make money – their methods for executing their scams differ.
The Russian gangs, such as Coders Dream Team and WebAttacker Team, have grown up in an IT-proficient environment. Monitoring of IRC rooms suggests that some Russia-based IT professionals are ex-KGB, meaning their online skills are highly sophisticated. There is also high unemployment in the region, leaving a surplus of highly qualified personnel who are unable to apply the skills they have honed for many years in a legitimate work setting. Hence they can find themselves lured by the relatively high gains and low risks of online crime.
It is the Russian gangs that appear to be involved with the most serious criminal activity, using everything at their disposal – such as Trojans, keyloggers, phishing attacks etc – to snare victims. The serious money lies in identity theft and the Russian gangs are unrelenting when it comes to writing password-stealing malware.
However, it is not just the socio-economic climate in Russia that makes it such fertile ground for online crime. Provided the criminals target consumers and businesses outside their own country, the Russian government is apparently very reluctant to pursue them.
One eastern European gang, Rockphish, is estimated to comprise 12 members and is very prolific. The outfit is thought to be responsible for between one-third and one-half of all phishing messages sent out on any given day. From when they were first identified in 2004 until the end of 2006, the group is estimated to have cost banks around $100 million. As an aside, it should be said that there is a school of thought that Rockphish could in fact be a script that has made it much easier to run phishing scams, and that many other gangs are using it. The debate continues, and it highlights just how difficult it is to track these groups.
However, the gang still has to be mindful that with expansion comes the need for greater organisation. Should the group grow any larger, it will face the same challenges as any other legitimate growing business: the need for a clear direction and strategy; a cohesive structure; management and delegation issues. All potential obstacles that, if not overcome maturely, could unstitch an otherwise tight union.
The other inherent issue with a larger gang is that, inevitably, preserving its secrecy becomes a perennial concern. Particularly if the above challenges are not overcome smoothly – internal disquiet is not conducive to running a water-tight operation.
In the USA, the history of the cyber gang is probably longest. However, laws in the USA regarding cyber crime have been tightened up and also gangs in the US do not have the same international boundaries that protect gangs in foreign countries. Also the nature of the society and the more open nature of the authorities have meant that the life cycle of the cyber gang is different.
There is evidence that initially street gangs began to use the Internet, but in some cases this was mainly for exchanging ideas on how to improve drug sales or which gun to buy and so on; glock3 was an example of this. However, back in 2003, more network-based cyber gangs had already developed; these are gangs whose members get to know each other over the Internet rather than on the street. Even then there were cyber gangs like Shadowcrew, Carderplanet and Darkprofits.
The Shadowcrew was estimated to have 4,000 members by the time it was broken up. They ran web sites to sell their counterfeit credit cards and false IDs and netted around $4.3 million. They even worked together, a notable difference from their Eastern European counterparts. Like most cyber gangs there was an element of international co-operation, with some gang members as widely spread as Sweden, the Netherlands and Poland, but the majority of these US gangs were located in the States. By now, street gangs and cyber gangs were working together.
For instance, the street gang would steal a laptop and the cyber gang would extract the data from it for extortion purposes, or cyber gangs would arrange for poorly paid cleaners in large firms to steal ‘valuable’ laptops, such as the MD’s or those belonging to accounts. Another instance of this convergence is industrial espionage: data, whether hard or soft copy, has a value, and cyber gangs have the knowledge to obtain soft copies.
In China, the situation is different again. This article will not discuss the question of whether the People’s Liberation Army has been carrying out attacks against the West, although that would probably be the largest gang described here; instead it focuses on unofficial groups. It appears that the Triads have been heavily involved in this business: in Australia, a Triad recruited children to launder money stolen through phishing schemes. There are a number of gangs in China who are trying to obtain user IDs, passwords and financial details. In this case, the members seem to be kids, as they are mostly interested in online game passwords, which are easy to sell on.
Recruitment drives
Like ingratiating oneself with any criminal underground, joining a cyber gang is not easy. Obviously, if a blackhat knows someone on a personal level who is already involved with online crime, then using the existing trust built up by that relationship is probably the best way of broaching the subject of how to join.
For those wanting to get involved who do not have direct access to a member of a cyber gang, social networking in internet chat rooms is where fledgling relationships and gangs are born.
Blackhats can spend months in internet chat rooms sounding out those with similar designs as themselves, then more months nurturing the relationship and ensuring that the faceless person they’ve ‘met’ is trustworthy. Only then will a partnership be born, and they must then repeat the process until they believe they have the optimum number of members.
The PC battlefield
The battle between the gangs can essentially be reduced to the battle for botnets. Each gang wants to have control of the most and biggest botnets, as it is via these compromised, connected PCs that their malware is distributed. The greater the reach of their botnets, the more malware and spam they can distribute and, ultimately, the more money they can make.
One of the most common methods gangs use to infect PCs is by using Trojans. And it is here that a turf war really unfurls. For example, the Storm Trojan, discovered in January 2007 and released by a Russia-based gang, would infect a victim PC and ‘conscript’ it into the gang’s botnet (shown below as a cloud of compromised PCs), where it can be used to collect information on the PC’s owner, such as usernames and passwords, or be used to issue mass spam mailouts and so on. However, the Srizbi Trojan, from a rival gang discovered in June 2007 and also from Russia – which typically uses MPack, an attack kit produced by Coders Dream Team – was a piece of malware sophisticated enough not only to detect the Storm Trojan on an infected PC, but also to remove the existing Storm Trojan and replace it with its own malware.
Predictably, the authors of the Storm Trojan felt slighted by this and upped the ante. In retaliation, they started DDoSing the servers that the Srizbi Trojan uses to download its latest update. That meant that the bots controlled by the Srizbi Trojan could not be updated and their botnet was paralysed.
Another way of disrupting a rival gang’s botnet is to intercept its command and control operation. Command and control means the botnet does just that: on the one hand, it can command the compromised PCs to release a deluge of spam emails; on the other hand, it is there to relay sensitive and confidential information, such as usernames and passwords, to the gang controlling the botnet. This latter function provides an opportunity for a rival gang to disable the IRC channel and so sever the compromised PC’s connection to the botnet. The rival gang can then set about taking control of the PC.
And so the cycle continues. A war rages within the PC and the user is none the wiser. Unless, that is, there is an overlap between the uninstallation of old malware and the installation of new malware. If one gang plants malicious code and another gang then attempts to replace it with its own without properly uninstalling the old code, the new code may not work effectively, if at all. This is not dissimilar to installing new anti-virus software before properly uninstalling the old anti-virus program: configuration will be difficult and it may not operate as it should.
The other and bigger issue when this overlap occurs is that ‘runt’ code can be left behind, which may slow the PC to such a pace that the PC’s owner becomes aware that it is infected – defeating the object of surreptitious infection and preventing the gang’s covert control of the PC.
The impact of gangs
As ever, the impact of this clandestine gang warfare is felt by consumers and businesses alike. Consumer victims are likely to see their PCs malfunctioning and their email address blacklisted by their ISP. They may also have their personal details compromised, their bank accounts siphoned and, in the worst case scenario, their whole identity stolen, which can have serious financial and legal consequences.
The fallout for businesses can be enormous. Essentially, an organisation that falls victim to an attack by a cyber gang can come to a standstill. Again, an ISP may blacklist its email addresses and website, which then severs its connection with its partners and customers and damages its ability to trade in part or in whole. Productivity can grind to a halt because email and the internet are business-critical tools for employees. A business may also find itself a victim of ransomware, whereby the gang encrypts all of the company’s crucial documents and demands a fee for returning them to their normal format. All of which will have a devastating impact on the organisation’s reputation, something which can take years to recover from.
Never-ending cycle
Like many crimes, online scams are here to stay. To an extent, trying to eradicate the gangs is a futile exercise; as soon as one gang is caught, another will simply spring up in its place.
However, like many gangs warring in the offline world, feuds between cyber gangs could prove to be their undoing. Making money is undoubtedly the primary motive for developing malware, but the gangs are not without ego. In the hacking world, there is still kudos ascribed to developing intelligent and perplexing malicious code, and each gang wants to be seen as the best in the business – as demonstrated by the Srizbi and Storm gangs’ battle of wits. In the battle to outsmart each other, gangs may temporarily take their eyes off the forever-chasing security industry and leave behind clues to their identity, which could lead to their eventual capture.
Tackling the gangs
Security professionals are not idly waiting for gangs to slip up. The industry is as committed as ever to staying one step ahead of the blackhats – individuals or groups – and making IT systems as secure as possible. But in terms of tackling and disbanding the gangs themselves, the industry is relatively powerless.
Despite online crime slowly beginning to be seen for the burgeoning and far-reaching crime it is, more needs to be done. Authorities in this country, and particularly those abroad where they frequently pretend the problem isn’t their responsibility, need to be pressured into taking action against the perpetrators.
Of course, the path to a clear international legal framework, with punishments sizeable enough to act as a deterrent, is laden with barriers – cross-border jurisdiction, extradition, international relations and political agendas to name but a few significant obstacles. But it must be addressed sooner rather than later, otherwise existing gangs – and the inevitable emergence of new gangs – have all the impetus they need to continue their global attacks on consumers and businesses.