Researchers in Symantec Corp.'s internal special projects group have developed a new application capable of real-time...
monitoring within the various channels that data thieves, crackers and other online miscreants use to communicate.
Called Dark Vision, the application is actually a mash-up comprising components of Google Maps and various Symantec products. It presents users with a dual-paned interface: one side contains a list of active IRC chat servers being monitored, and the other shows a global map with markers showing the locations of selected servers.
During a recent demonstration of the technology, Oliver Friedrichs, director of emerging technologies at Cupertino, Calif.-based Symantec's security response group, clicked on a link for a random chat server and brought up a live log of the activity on the server.
IRC servers are the digital equivalent of Hanoi's backstreets and bars during the Vietnam War; anything contraband is available for the right price. Identity thieves can log in to secret servers and issue various commands to check the limits of stolen credit cards, obtain the all-important CCV numbers or find buyers looking for bulk card numbers. Spammers are equally ubiquitous on IRC, buying and selling compromised machines for use in the botnets that now send much of the world's spam.
Security researchers and law enforcement agencies for years have known of the existence of this underground economy, and in rare cases have themselves used IRC to find and take down spammers or crackers. But, for the most part, these servers operate with seeming impunity in countries around the world. Indeed, law enforcement officers say part of the difficulty they face in trying to shut down the servers is the varying computer crime laws in Europe, Asia and South America, where many of the servers reside. Identification alone is extremely problematic because the servers can be shut down and moved to another machine within minutes.
As Friedrichs scrolled through the chat log on one IRC server, he pointed out one user checking the limits on several hundred credit card numbers. Another user is looking for valid customer logins for a large U.S. bank; he had several replies within a minute or two.
Dark Vision also allows Friedrichs and his team to keep tabs on botnets. He says they see an average of about 800 active botnets on any given day. Asked whether Symantec has shown Dark Vision to law enforcement agencies or banks, Friedrichs hesitated.
"No, we haven't," he said. "Right now this is still a research project. The next step would be to provide notifications to banks and consumers."
When, or whether, that will happen is still uncertain. Friedrichs is not even sure whether the Dark Vision technology will find its way into one of Symantec's products anytime soon. Although he suggested that it might be a nice fit with the company's anti-fraud service.