A small industry emerges to support would-be credit card thieves, malware writers
There is money to be made in credit card theft, so a small industry has emerged to help commercialize the business; a software kit, known as Zeus, epitomizes the commercialization of the malware services industry: as is the case with other malicious software, Zeus can easily be bought online, in this case for between $400 and $700; detailed instructions on how to use it are readily available, too; to check whether a piece of malware is on the security companies’ blacklists, hackers can send their creations to Web sites such as virtest.com, which for just $1 will try the code out on more than twenty antivirus products; if the malware fails the test, would-be criminals can simply upload their malware to another site that will tweak it to render it unrecognizable
“Interested in credit card theft? There’s an app for that.” So says Gunter OllmannDamballa. He and others are warning of a burgeoning cybercrime service industry, one which lets people with next to no programming skills steal a fortune in cash or get hold of sensitive government documents., a security researcher at Atlanta, Georgia—based
New Scientist’s Jim Giles writes that would-be hackers have long been able to buy rudimentary software packages that can be used to build malware, such as code that can steal online banking passwords. Now these hacking tools are being supported with a range of services, some with a money-back guarantee, that makes it easier than ever to create and spread malware.
“There used to be only a small number of clever criminals who could pull off these attacks,” says Patrick Peterson of online security company Cisco in San Bruno, California. “Now there is a much lower barrier to entry.”
Giles writes that one such software kit, known as Zeus, epitomizes the commercialization of the malware services industry. As is the case with other malicious software, Zeus can easily be bought online, in this case for between $400 and $700. Detailed instructions on how to use it are readily available, too.
What sets Zeus apart is that it enables someone with minimal computer skills to create sophisticated malware that can be used to steal online banking credentials or sensitive documents. “It represents a sea change in innovation, beyond anything we’ve seen before,” says Peterson.
As an example of what is possible using Zeus, one recent attack netted sensitive US government documents, reports Nart Villeneuve, a security researcher at the Munk Center for International Studies at the University of Toronto, Canada. The attack began in February with a series of emails sent to senior officials in the U.S. military, the Federal Aviation Administration (FAA), and other government agencies, purporting to contains links to vital security information.
In reality, clicking on the links resulted in malware built with Zeus being installed on the user’s machine. The attack was sophisticated enough to dupe some of its targets, and as a result eighty-one machines were compromised. Villeneuve was able to identify 1,533 documents from the compromised machines that ended up on a computer in Belarus, including defense contracts, documents relating to biological and chemical terrorism, and the security plan for a U.S. airport. The identity of the person who siphoned off the documents is unknown.
Giles quotes Ollmann to say that the ease with which Zeus can be used has been enhanced by the support services, including customized hacking tools, that have grown up around it. If, for example, criminals know that the computer they are targeting is in Spain, they can plug in additional software designed to mount attacks on Spanish banks. Plug-ins like this are available online for around $30, Ollmann says.
“The key to successful malware lies in tricking users into unwittingly installing it,” Gils writes. Now even dilettante hackers can spread their malware by paying more technically adept criminals to do it for them.
Peterson cites the example of Fragus, a sophisticated piece of software he first observed last summer. Fragus is deployed initially by skilled hackers, who break into web servers and install it. Once in place, it searches for vulnerabilities in the browsers used by visitors to these websites. If it finds a way in, Fragus can be programmed to covertly send a piece of Zeus-created malware to the visitor’s computer. This allows hackers to sell malware installation as a service to less skilled criminals.
Fragus also delivers feedback on which browsers it has cracked and where the users of those browsers are based. “That data can be used to target a particular country,” says Henry Stern, a colleague of Peterson’s at Cisco. Stern says he is currently aware of a few dozen websites infected by Fragus, and that it had previously been used to deliver malware to people accessing websites belonging to a widely read US newspaper.
Zeus and Fragus can be reined in (see New Scientist’s “Hitting back at hackers”), but even here the malware service industry is trying to stay one step ahead. So while many companies provide software that, for example, can detect the presence of malware built with Zeus, another layer of cybercrime activity is devoted to finding ways to bypass those protections.
To check whether a piece of malware is on the security companies’ blacklists, hackers can send their creations to Web sites such as virtest.com, which for just $1 will try the code out on more than twenty antivirus products. If the malware fails the test, would-be criminals can simply upload their malware to another site that will tweak it to render it unrecognizable.