Adaptive Crime Services

Cyber crime continues to adapt to modern services and infrastructure, often leveraging legitimate services for malicious purposes. On top of this, blackhat services are also being created to aid in attacks. The result is a growing infrastructure available to cyber criminals who continue to innovate attack methodologies. Let’s have a look at some examples.

Leveraging Modern Services

The use of legitimate web hosting for attacks is obviously not new – think of Geocities and Google Pages which were frequently abused in the past (which incidentally are no longer supported). This was effective because it was easy to quickly register new accounts and blend in, further used as an evasive technique for webfiltering. As these attack avenues shut down, new ones open up and are subsequently adapted for crime. CA and Dancho Danchev recently wrote on a new ZBot setup using Amazon cloud services – EC2 and RDS – for server C&C and back-end storage. For more info on Zeus/ZBot, see our analysis here. This is just one example of cyber crime adapting to modern services, and it is certainly open to discussion in the digital underground.

In this latest ZBot campaign, the concept of using Amazon’s Relational Database Service (RDS) was quite interesting to me. I saw this presented back in October when monitoring a hacking forum. Below is a screenshot I captured of a proposition to use such services — indeed, it seems as though it was feasible enough to pursue.

October 2009 discussion on using cloud services for Zeus activity & profit

This post spawns from a bot herder who wants to centralize their pilfered data so that it is always accessible if any of their controllers were taken down. ZBot will receive configuration with controller information (where to send its pilfered data). Those controllers then manage that data through a database, often local: the idea here is to have all controllers reporting the data remotely to the cloud. Of course, this is a ‘putting your eggs all in one basket approach’, but nonetheless highlights the fact that cyber criminals are willing to try new services for their own gain. This is also an example of where controlled blackhat services could be created to support the same approach. Leading on from this is another post I captured requesting VPS hosting for Zeus (Virtual Private Server).

Request for Zeus VPS hosting

These are examples of how cyber crime will continue to adapt to modern technology and utilize legitimate services. Of course, these are not the only services that are used for malicious purposes. Recently a WPA cracking service became available for network penetration testing: for $17-$34 USD you get access to a distributed cluster to accelerate the brute-force process. VirusTotal, a public cross vendor-detection service for malware, was even used by cyber criminals to monitor their creations so they could avoid detection. However, the latter is changing…

Expanding Blackhat Services

I mentioned the use of VirusTotal for a QA process during malware release is changing. This is simply because it is known that the samples they submit are shared to security vendors, thus the time window to detection is ultimately shrunk. To grow this window again, cross-detection platforms similar to VirusTotal are recommended in forums to use instead of VirusTotal, to help keep their samples internal. Some platforms are being exclusively developed as well.

House rules: VirusTotal == Ban

Cyber criminals have found profit by offering their own services to fellow blackhats. It’s no secret that botnets are being rented for spam campaigns and other malicious attacks. Loaders, which I view as simplified botnets, are becoming quite popular and prevalent simply because of the potential profit they can generate. Bredolab is an excellent example, and we don’t have to look much further than our October 2009 Threat Landscape Report to see how prevalent it has been. Bredolab is a loader (traditionally referred to as a trojan downloader), which simply connects to a server to report, download and execute payload. This payload is dynamic, and can change depending on multiple parameters, such as region. Loader services take advantage of this by selling use of their loader botnet to install binaries on infected machines, and typically charge by groups of 1000 installs. Below are two examples of such services being offered.

Loader service #1

Loader service #2

On top of traditional bulletproof hosting and botnet rentals, captcha breaking, consulting and anti-detection (crypting / obfuscation via new stubs for sale, etc) are other areas where blackhat services are emerging in a Crime as a Service (CaaS) model. Malicious activity is likely to stream through legitimate and illegitimate services, just as criminals will continue to run drugs through commercial and private transport. It is becoming increasingly important to filter such activity from legitimate services.

Captcha breaking service, leveraged in latest Koobface attacks