Yes. The guarantor plays an interesting role. It's quite important to the whole botnet ecosystem and probably the ecosystems of any underground markets. If you can imagine a simple deal between two bad guys -- one has created the malware and another one owns the botnet and needs this malware. They want to make a deal, but these guys can't trust anybody when they're working for the dark side. They can't trust each other in this ecosystem. This is why this role [guarantor] appears. Both sides trust this middle-man, and then they can make a deal. Guarantors are usually respected people from hacker forums who have been there for ages. They're usually moderating hacker forums and are not going to disappear, so they are more or less reliable from the point of view of the criminals. At the same time, they don't do any illegal activities. They don't develop malware or own the botnet. All they do is verify what the seller is offering and what the buyer wants to buy.
Are these guarantors in a grey-space where they aren't doing anything that law enforcement can take action on?
That's correct. They feel safe doing what they do. These guys are playing one of the key roles in the whole ecosystem because if there were no middle-men, maybe there would be fewer deals because it's hard for the bad guys to trust each other. Right in the middle there is a botnet owner who buys malware, exploit keys or any kind of software keys from the producers through the guarantor. Then the guarantor is used again in deals between the botnet owner and the consumer of the services of the botnet. Those are spammers, people who want to conduct a distributed denial-of-service attack (DDoS) on some resource or any kind of other clients who are interested in using the botnet.
The latest Verizon Business Data Breach Report found the market is saturated for credit card numbers, causing the prices of that data to decline on the black market. Does that price fluctuation make this kind of guarantor business arrangement change over time?
No. It's just the normal flow of the market. The saturation of the market causing cheap credit card data is the result of having a really big number of credit cards stolen. The process is really easy with different automated tools developed and shared for free on the Internet. For example, the Metasploit framework is used to create malware quickly and efficiently. All of these helping technologies and frameworks are making it much easier for the bad guys to steal tons of credit card numbers. The more offers out there for stolen credit cards, the cheaper the price is.
One early prediction by Kaspersky for 2010 was that semi-legal grey market programs will be run by botnet owners. Is your research an indication that this is now true?
chief security expert, Kaspersky Lab Japan
Actually there is an area in the dark side which is called "greyware". It's software which cannot be directly called malicious. But it was developed with an intent to do something malicious. At the same time it doesn't make any unauthorized access. A good example of "greyware" is remote administration software. It's software that can be utilized by a network administrator to control their networks and their workstations remotely and do administrative tasks. This same software can be installed and hidden from the user and utilized by the bad guys to steal information from remote workstations. This approach is migrating to other areas so the bad guys are trying to make their activities and services look more legitimate.
A hacker gave up his identity to Kaspersky to get payment for a service he created to trick malware researchers. Can you talk about what took place?
This case is not closed yet and is currently being dealt with in our legal department so I cannot share many details about it. There was an Austrian guy who developed a service called AV Tracker. The basic idea behind the service is to create malware -- special spyware -- that would be sent to the antivirus vendor laboratories to gain information. Using the stolen AV vendor data, the bad guy can track the IP addresses on the Internet where the malware was executed and he can be sure that the IP addresses that he sees belong to security companies. Then he offers an open source software module that anybody can use to make sure that any malware running at a security company will not behave as it would on the real home-user machine. That development was assisting the bad guys to make sure the malware would behave differently in our labs and we would have poor detection capabilities. We think the service was developed with malicious intent from the beginning. It seems the law is not restricting these things at the moment, but such services do not help the security community and the normal home user. It seems to be malicious.