Six hot items on the hacker's holiday shopping list

A shadow economy has sprung up to make malware buying easy

Malicious hackers and other assorted bad guys looking for new tools for plying their trade this upcoming holiday season will have plenty of toys and services to choose from.

Servicing them is a growing underground market bristling with botnets, Trojans, rootkits, spyware and all sorts of shady services aimed at everybody from the humble do-it-yourself hacker to sophisticated, organized criminal gangs.

"Just like there is a B2B marketplace, now there's a C2C -- criminal-to-criminal -- market," said Don Jackson, security researcher with Atlanta-based security vendor SecureWorks Inc.

And just like their more legitimate commercial counterparts, the operatives in this shadow economy operate on a free-market principle, replete with concepts such as volume discounts, customer loyalty programs and referral services, added Maksym Schipka, senior architect for security vendor MessageLabs Ltd. "It's not just organized crime that is behind a lot of modern threats" on the Internet, said Schipka.

Much of the activity is shifting to a thriving open-market model filled with multiple criminal enterprises and individuals offering a whole portfolio of tools and services that are often just a Google click or two away from those who seek them.

"People are becoming more specialized in delivering goods and services in this market," he said. "You can either buy the things you want, or sell the things you made" with considerable impunity, he said. Just as there's a High Street for legitimate businesses, there's one for online criminals as well, said the London-based Schipka.

Here, according to Jackson and Schipka, are some of the items likely to be in high demand by hackers shopping in this underground marketplace this coming holiday season:

• Build A Storm Botnet: This new and uniquely crafted malware tool has been designed with the really high-end hacker in mind and is likely to be one of the hottest items this season, according to Jackson. For prices starting at $100,000, spammers and other malicious attackers can now buy their very own Storm botnet, complete with fast-flux DNS and hosting capabilities. Making it possible is a new 40-byte encryption feature supported on the latest Storm variants, which hackers can use to segment compromised machines into their own smaller Storm botnets.

  "Think of this as an FAO Schwarz kind of item," Jackson said. "Rather than leasing a botnet service and paying bot by bot for a good e-mail run or iFrame blast, you can pay for it all at once and have your own little Storm botnet." The people who would buy such services are those who have already made their loot using leased services and are looking to start owning infrastructure, he said.

• Rent-A-Bot services: Who needs to buy a botnet when you can lease a perfectly good one by the hour at a fraction of the price? Available in abundance this season, such botnet services are designed to let average spammers deliver a gazillion copies of their malware without having to invest in the infrastructure needed to do so, Schipka said. For as little as $100 to $200 per hour, spammers can get access to a fully functional botnet capable of delivering the finest image spam and body-part enhancement ads to millions at the click of a button, he said.

  And such rent-a-bots aren't just for spammers anymore, Jackson said. What makes these versatile services so broadly appealing to bad guys is that they can be easily adapted to deliver the malware of choice or to launch distributed denial-of-service (DDoS) attacks against extortion targets. One example is the BlackEnergy botnet, which can be used to launch DDoS attacks against specific targets for about $80 per hour, according to Jackson. For those not willing to spend even that much, low-cost options starting at $10 per hour for one million bots are readily available for conveniently distributing smaller spam loads and malware.

  All an enterprising hacker needs to take advantage of such services is a plan, Schipka said. "You would need to figure out your business model and draw up a business plan," he said. "If you were renting a bot for three hours at $100 per hour to deliver spam, it means you need to make more than that to benefit from the use of the service." If it's some other sort of malware being seeded via a botnet -- such as a keylogger or Trojan -- the cost of purchasing the code would have to be included as well, Schipka said. "...They'd need to be looking for a botnet with the highest quality and the lowest amount of money."

• Ye Olde Malware tools: Do-it-yourself enthusiasts have a wider range than ever before of malware tools, including Trojans, zero-day exploits, rootkits, spyware programs and keyloggers, according to Jackson and Schipka. For around $3,000 to $3,500, serious shoppers can find sophisticated polymorphic malware capable of delivering all sorts of nasty code to vulnerable computers while constantly morphing to evade detection. Variants can be purchased separately for less than $10 on average to about $20 apiece. In some cases, variants can be delivered at the rate of one new variant every 59 minutes, or precisely one minute less than the hourly cycles many anti-virus vendors use to push out new virus signatures, said Schipka.

  Likely to be in high demand are customized Trojan programs specifically designed to steal identity and patient data from systems belonging to health care providers, Jackson said. Current black-market rates for this kind of ID information, which is typically used to defraud health insurers, are about $200 per patient profile.

  In the stocking-stuffer class are tools such as the Webattacker malware creation kits, exploits from sites such as WabiSabiLabi and numerous one-click phishing kits available from groups such as the Russian Business Network, Jackson said.

• Data providers: These consumer-friendly service providers are targeted at intrepid entrepreneurs looking to use someone else's identity and financial information for their own gain. As an industry niche that's been around longer than many others, data providers today cater to a wide-ranging audience with disparate needs. Some specialized services offer identity information, complete with driver's license photos, passport scans, credit card numbers, e-mail and street addresses -- all for as little as $5 a pop, according to Schipka. At the higher end, health-care-related identity data or information belonging to high-level corporate executives can go for nearly $200 per victim. And then there are services that let individuals buy stolen credit card data at between 2% and 4% of the credit balance left on the cards, Schipka said.

• Drop services: These specialized services have been developed expressly for the harried online shopper who purchases items online -- especially high-ticket electronics gadgets -- with stolen credit cards but has no place to send them. Drop services can provide thieves with convenient and reliable addresses to mail stolen goods in the country from which the online purchase is made, Schipka said. "Sometimes, these are people who know they are receiving stolen goods," he said. "Sometimes, they just sort of receive these parcels and either send them somewhere else or make them available in person" at pre-specified locations. People in the latter category often don't know they are handling stolen goods and are hired via phony work-at-home advertisements that promise to pay them specific amounts of money for simply receiving and forwarding goods, he said. Drop services typically get the stolen goods for about 30% or less of the retail value of the product, he said.

• Escrow, anyone? Forget all those quaint notions about honor among thieves. In the online underground, it's more often about scammers looking to scam other scammers, Schipka said. That's where referrals and escrow services can play a key role, he said. For fees ranging from about 2% to 4% of the total transaction, service providers will act as a "trusted" intermediary between a seller and buyer of malware and other illegal services. Such services can hold purchase money in escrow until a buyer has had a chance to see whether the goods or services are okay and performing as billed. And sellers are assured they get paid for delivering what they promised, Schipka said.

Copyright © 2007 IDG Communications, Inc.

 
Shop Tech Products at Amazon