“The Russian shadow economy is an economy of scale, one that is service oriented and that has become a kleptocracy wherein crony capitalism has obtained a new lease on life in cyberspace,” says a new report into the cybercriminal Russian underground.
Russian Underground 101 is a Trend Micro study into the cybercriminal underground in Russia. It is based on data gathered from online forums and services and articles written by hackers. What it finds is a complete shadow economy of cybercriminality where virtually every form of online criminal activity can be bought and sold at surprisingly low prices.
It includes, for example, encryption services to disguise malicious files, VPN services for secure communications, bullet-proof host servers resistant to take-downs, botnet rentals for DDoS attacks and spam campaigns, specific trojans and rootkits, activation keys for pirated software, hacking for hire, and more.
Hacking for hire is the underground version of freelance or contract programming. Just as companies hire whitehat hackers for penetration testing and security auditing, so criminals can hire blackhat hackers to undertake the same services – but for a different purpose. One of the most common ‘requirements’ is to gain access to specific user accounts. “The most popular email domains cybercriminals hack in Russia,” notes the report, “are Mail.ru, Yandex.ru, and Rambler.ru (with prices ranging from $16–$97). Social networks, Vkontakte and Odnoklassniki, are also popular targets (prices range from $97–$130 for known accounts, and from $325 for unknown accounts). Services and tools for hacking Gmail, Hotmail, and Yahoo! Mail are also somewhat available but at premium prices.”
The report is full of ‘adverts’ taken from the forums and translated into English by Trend. Zeus, one of the most popular and effective financial theft trojans and botnet builders, is frequently advertised. “I’ll sell ZeuS 188.8.131.52 source code. Private sale of source code. Price: US$400–500; bargaining (swapping) is possible,” reads one post. “Selling ZeuS 184.108.40.206 bin + set up on your hosting for US$200 escrow is accepted,” reads another. Zeus has the ability to intercept and alter communications between a browser and a website. It steals bank credentials and can redirect transactions to a different account. “Hackers… utilize ZeuS to install all of the necessary software in a bot as well. As such, even computers that do not have confidential information saved in them can still prove useful for a variety of malicious activities, hence, ZeuS’s infamy,” notes Trend Micro.
Russia is well-known for the technical expertise of its hackers (see, for example, ‘Peter the Great beats Sun Tzu in cybercrime’), and it is generally considered that a high proportion of botnets are controlled from eastern European countries and Russia. Nevertheless, it is somewhat surprising to see such a complete criminal shadow economy operating beneath the law. Perhaps more worryingly, Trend Micro says, “This paper covered only the most basic and fundamental tools and technologies cybercriminals create and use to enhance their business.”
Professor John Walker, chair of the London chapter of ISACA and CTO of Secure-Bastion, sees a road-map for APT laid out by the report. “In a nutshell,” he told Infosecurity, “what the Trend Micro report is confirming is that the much debated logical attack vectors of the Advanced Persistent Threat (APT), and the more focused Advanced Evasion Techniques (AET) as reported by StoneSoft are not hype, but reality.
“In the Trend Micro report,” he continued, “we see the imagination of the Russian Cyber Attacker laid out before our eyes – with some excellent examples of the lengths cyber criminals are prepared to take to underpin a successful mission. It is also very clear that this mission is lucrative, and would seem to imply it is going to be with us for some time yet.”
Andy Dancer, CTO at Trend Micro, agreed. “If you were to sketch out an ideal systems architecture to commit computer crime as part of a formal software design process,” he told Infosecurity, “it would look very similar to what we see here, and yet, far from being designed, this system has evolved in the pseudo open market of the criminal underworld chat forum.”