How Russia became a malware hornet's nest

By Bill Brenner, Senior News Writer 09 Oct 2007 | SearchSecurity.com

Security Wire Daily News Digg This!     StumbleUpon     Del.icio.us

That Russia is a hornet's nest of malicious cyber activity is nothing new. The question for some in the information security community is why people from that part of the world are so determined to earn a living writing attack code.

In some of these states it is extremely unlikely to see police action on cyber crime even if communication is established, whether due to training or budget issues. They are a black hole. Gadi Evron, security evangelist, Beyond Security

A dismal economy and lax law enforcement is fueling the problem, say two well-known security researchers. It has helped nudge Russian computer programmers into an underground market where easy money can be made creating programs used to steal credit card and Social Security numbers.

"[Russian hackers] don't see themselves as doing anything criminal," Kaspersky Labs CEO Eugene Kaspersky said during an interview at his company's U.S. facility in Woburn, Mass., last week.

He explained that many Russian programmers compare themselves to weapons manufacturers -- they build the technology but are not the ones using it. In other words, they're not responsible if someone else is pulling the trigger. Meanwhile, Kaspersky said, the Russian economy is still shaky enough that people are looking for ways to make a steady living, and building malware for online gangsters is one way to do it.

Russian programmers are believed to be behind such widely-available malware-making toolkits as Mpack and WebAttacker, which Symantec Corp. has cited as a big reason for more than 200,000 new malicious code threats in the first half of 2007.

Attacker origins: Today's Attackers Can Find the Needle: From massive botnets to targeted phishing and transacting Trojans, today's new breed of attacker is more dangerous than ever. Discovery of malware cesspool triggers attack fears: Trend Micro researchers say a malware-infested Web server in Russia, linked to several Italian Web sites, could lead to a large-scale attack. Top spammer indicted on email fraud, identity theft: The arrest may reduce the volume of spam in the short-term, say experts and analysts, but the real spam threat comes from criminal gangs based in Asia and Russia. Experts doubt Russian government launched DDoS attacks: Distributed denial-of-service attacks against Estonian computer systems probably originated from smaller groups in control of botnets rather than the Russian government.

Meanwhile, in August Trend Micro reported finding a Russian Web server hosting about 400 malicious programs it warned could set the stage for a large-scale attack. Then there's a recent analysis from SecureWorks Inc. that concluded a Russian gang of spammers had used the SpamThru Trojan to engineer a tidal wave of junk mail hawking everything from stocks to pills.

While some refuse to take responsibility for the damage their handiwork causes, others know there's little chance that they'll be pursued by the authorities in that part of the world, said Gadi Evron, a security evangelist with McLean, Va.-based Beyond Security.

"In some of these states it is extremely unlikely to see police action on cyber crime even if communication is established, whether due to training or budget issues. They are a black hole," Evron said in an email exchange. "In other cases attempts have not even been made, or they don't like cooperating with U.S. law enforcement."

More importantly, he said, if the authorities want to pursue some malware makers, they have to deal with businesses that harbor them. Such companies won't keep logs or provide law enforcement with the data they need to catch the bad guys. "Some of these service providers are criminal on their own, and work undisturbed," said Evron, who helped investigate massive cyberattacks that sent the Web-dependent nation of Estonia reeling last April.

Meanwhile, international cooperation on cyber crime is problematic at best, he said. "There are official routes to take, such as through Interpol, but these take time and are considered highly official," he said. "On the Internet, things move very fast and in many cases in ways that current laws and treaties don't cover. The current system as it is right now is close to useless for this purpose whether in the ex-Soviet states or not."

While Russian programmers are making a good living in the malware business, they have by no means cornered the market, Kaspersky said. China has surpassed Russia as the biggest producer of malware, according to Kaspersky and Evron noted that the U.S. and other western countries have imperfect records for going after and catching malware makers.

"In the U.S. and other western countries we have enough problems with lack of policy assisting law enforcement and laws to help prosecution," he said. "There are black hat criminal havens in the U.S. we haven't been able to even approach."

Tags: Malware, Viruses, Trojans and Spyware,  Application Attacks (Buffer Overflows, Cross-Site Scripting),  Hacker Tools and Techniques: Underground Sites and Hacking Groups,  Security Awareness Training and Internal Threats,  VIEW ALL TAGS

Digg This!     StumbleUpon     Del.icio.us

RELATED CONTENT Malware, Viruses, Trojans and Spyware How to defend against rogue DHCP server malware New Trojan stealing FTP credentials, attacking FTP websites Cybercriminals exploit Michael Jackson, Farrah Fawcett deaths When BIOS updates become malware attacks Antispyware buying guide for Indian enterprises PCI compliance requirement 5: Antivirus Hacker attack techniques and tactics: Understanding hacking strategies Rootkit Hunter demo: Detect and remove Linux rootkits Botnet threats and countermeasures Conficker worm much smaller than feared Application Attacks (Buffer Overflows, Cross-Site Scripting) PCI management: The case for Web application firewalls Month of Twitter Bugs project to document Twitter flaws Adobe issues first quarterly patch release fixing 13 flaws Balancing security and performance: Protecting layer 7 on the network Adobe issues Reader update fixing zero-day flaw The Pipe Dream of No More Free Bugs Security Squad: Federal cybersecurity defenses Oracle issues 43 updates, fixes serious database flaws Attackers target new Microsoft PowerPoint zero-day flaw How to detect input validation errors and vulnerabilities Application Attacks (Buffer Overflows, Cross-Site Scripting) Research Hacker Tools and Techniques: Underground Sites and Hacking Groups Juniper pulls ATM hacking presentation from Black Hat Botnet platform helps cybercriminals bid for zombie PCs Man pleads guilty in online banking hacking scam ATM malware lets attackers take over machines The failing war against cybercriminals Hacker attack techniques and tactics: Understanding hacking strategies The Pipe Dream of No More Free Bugs Government needs a plan to limit Web usage during a security crisis Mobile phones win during Pwn2Own contest Black Hat DC 2009: Joanna Rutkowska on Intel TXT flaws

RELATED GLOSSARY TERMS Terms from Whatis.com − the technology online dictionary bot worm  (SearchSecurity.com) directory traversal  (SearchSecurity.com) government Trojan  (SearchSecurity.com) Kraken  (SearchSecurity.com) man in the browser  (SearchSecurity.com) polymorphic malware  (SearchSecurity.com) RavMonE virus  (SearchSecurity.com) RFID virus  (SearchSecurity.com) Rock Phish  (SearchSecurity.com) Zotob  (SearchSecurity.com)

RELATED RESOURCES 2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems Search Bitpipe.com for the latest white papers and business webcasts Whatis.com, the online computer dictionary