How Russia became a malware hornet's nest

By Bill Brenner, Senior News Writer
09 Oct 2007 | SearchSecurity.com


That Russia is a hornet's nest of malicious cyber activity is nothing new. The question for some in the information security community is why people from that part of the world are so determined to earn a living writing attack code.

A dismal economy and lax law enforcement are fueling the problem, say two well-known security researchers. Together they have helped nudge Russian computer programmers into an underground market where easy money can be made creating programs used to steal credit card and Social Security numbers.

"[Russian hackers] don't see themselves as doing anything criminal," Kaspersky Labs CEO Eugene Kaspersky said during an interview at his company's U.S. facility in Woburn, Mass., last week.

He explained that many Russian programmers compare themselves to weapons manufacturers -- they build the technology but are not the ones using it. In other words, they're not responsible if someone else is pulling the trigger. Meanwhile, Kaspersky said, the Russian economy is still shaky enough that people are looking for ways to make a steady living, and building malware for online gangsters is one way to do it.

Russian programmers are believed to be behind such widely-available malware-making toolkits as Mpack and WebAttacker, which Symantec Corp. has cited as a big reason for more than 200,000 new malicious code threats in the first half of 2007.

Meanwhile, in August Trend Micro reported finding a Russian Web server hosting about 400 malicious programs it warned could set the stage for a large-scale attack. Then there's a recent analysis from SecureWorks Inc. that concluded a Russian gang of spammers had used the SpamThru Trojan to engineer a tidal wave of junk mail hawking everything from stocks to pills.

While some refuse to take responsibility for the damage their handiwork causes, others know there's little chance that they'll be pursued by the authorities in that part of the world, said Gadi Evron, a security evangelist with McLean, Va.-based Beyond Security.

"In some of these states it is extremely unlikely to see police action on cyber crime even if communication is established, whether due to training or budget issues. They are a black hole," Evron said in an email exchange. "In other cases attempts have not even been made, or they don't like cooperating with U.S. law enforcement."

More importantly, he said, if the authorities want to pursue some malware makers, they have to deal with businesses that harbor them. Such companies won't keep logs or provide law enforcement with the data they need to catch the bad guys. "Some of these service providers are criminal on their own, and work undisturbed," said Evron, who helped investigate massive cyberattacks that sent the Web-dependent nation of Estonia reeling last April.

Meanwhile, international cooperation on cyber crime is problematic at best, he said. "There are official routes to take, such as through Interpol, but these take time and are considered highly official," he said. "On the Internet, things move very fast and in many cases in ways that current laws and treaties don't cover. The current system as it is right now is close to useless for this purpose whether in the ex-Soviet states or not."

While Russian programmers are making a good living in the malware business, they have by no means cornered the market, Kaspersky said. China has surpassed Russia as the biggest producer of malware, according to Kaspersky, and Evron noted that the U.S. and other western countries have imperfect records for going after and catching malware makers.

"In the U.S. and other western countries we have enough problems with lack of policy assisting law enforcement and laws to help prosecution," he said. "There are black hat criminal havens in the U.S. we haven't been able to even approach."
