Crime as a service
- Article 1 of 2
- I Magazine, April 2010
Taking on board the enterprise computing ideas of outsourcing and Software as a Service, criminal gangs are now offering each other what has been dubbed “Crime as a Service”.
Malicious programmers can be very good at creating Trojans, such as ‘Zeus’, ‘Clampi’ and ‘Torpig’, that penetrate security systems, log keystrokes and hijack online banking sessions. But very few of them have the mechanisms in place to send out the spam messages, run the botnets and hack the websites necessary to infect PCs with these Trojans. Few spam emailers have the skills to launder the money obtained from the hijacks, and money launderers can rarely program.
Now those groups who specialise in each area are meeting on online forums and selling their services to each other to create an entire criminal ecosystem.
Enterprises as well as consumers are being targeted by these gangs. Rodney Joffe, director of the Conficker Working Group, says that in the US alone, an average of five to six enterprises a day are losing $200,000 each thanks to just one gang, which is using a version of Zeus bought from another group. A school in New York was targeted before Christmas and $4m was stolen from its bank accounts, only $3.5m of which has been recovered. Criminals from the Ukraine armed with credentials stolen using Zeus were able to embezzle $415,000 from the government payroll account of Bullitt County, Kentucky.
Defending against a Trojan attack is hard, with even up-to-date AV software finding it difficult to spot the ever-mutating Trojans. Joffe recommends using at least two different kinds of AV software that employ heuristic functions rather than file signatures to spot Trojan-like behaviour. Network monitoring tools can also spot suspicious behaviour on a network. However, even with the best software in place, infections are still possible and even likely. CIOs should therefore look not just at prevention, but also at how they will quarantine and disinfect when the inevitable happens.
Crime as a Service: In figures
Number of Zeus variants created last year: 90,000 (SentryBay)
Percentage of Trojans that evade detection: 70-80% (RSA), >50% (SentryBay)
Length of ‘guarantee’ included with Zeus by sellers: six months without detection
Number of times per day a Trojan gets auto-updated to avoid detection: twice
Price charged by gangs to infect machines with Trojan: $23/1,000 machines, $130-270 for exclusivity
The might of Zeus
The most powerful Trojan available is Zeus. According to Ari Rivner of security firm RSA, it sells for somewhere between $500 and $3,000, depending on which version a gang wants, and comes complete with a configuration utility and a testing kit for updating it to evade the latest AV software definitions. As well as logging keystrokes, it can add HTML to web pages to capture extra information, continue HTTPS sessions invisibly and bypass two-factor authentication.
