[ISN] From Russia with malice

InfoSec News isn at c4i.org
Thu Jan 6 06:05:38 EST 2005


Daniel Thomas
05 Jan 2005

Virus writing is no longer the exclusive domain of teenage geeks
designing malicious code in their bedroom.

Criminals are earning millions by dropping viruses and trojans onto
computers of unsuspecting home users, siphoning money from online bank
accounts, trading stolen identities, distributing porn and
blackmailing firms.

And the former Soviet Union, with a high number of technically
sophisticated but out of work programmers, is one of the major regions
where this activity is on the increase.

Some 4044 cases of internet fraud were reported in Russia between 1999
and 2002, according to the Russian Ministry of Internal Affairs. But
in the first half of last year this grew dramatically, with 4,295
internet-based crimes reported by Russian police. The majority were
based around malicious code and information theft.

Over 90 per cent of malicious code now circulating around the internet
is designed for criminal gain, says Eugene Kaspersky head of
anti-virus research at Moscow-based Kaspersky Lab.

'It's being used for stealing money, for spam and advertising, and for
internet crime rackets,' he says.

Kaspersky's figures are backed by estimates from the Ukraine-based
Computer Crime Research Centre which says the total amount of
financial losses worldwide resulting from cybercrime exceeded $411bn
at the end of last year.

Speaking to Computing at the anti-virus lab's headquarters, located in
a totalitarian-looking ex-communist party building on the outskirts of
Moscow, Kaspersky scrolls through a list of hundreds of new viruses
that have been caught using virus-detecting 'honey-pot' computers over
the past five days.

Some 420 of the 470 viruses identified by him and his team of 10
codebreakers during this time have been designed for criminal
purposes, he says.

'There's a lot of money on the internet,' says Kaspersky. 'And it's
very easy to develop a trojan or web page that looks like a bank's

Phishing, which uses social engineering and key-logging trojans to
trick online banking customers into revealing financial details, is
one of the fastest growing areas of computer crime, with 1142 active
sites reported by the Anti-Phishing Working Group last October.

Later this month, two men and two women from Russia, Estonia and
Ukraine, will face trial at the Old Bailey for allegedly being part of
a gang that conned customers into giving out bank details before
stealing money from their accounts.

'It's hard to transfer money from these accounts as they can be
traced, so often they will buy something using the details and then
earn money by selling it,' says Kaspersky.

Trojans, which use email attachments and web links to trick internet
users into downloading code, are also being used take control of
unsuspecting home and work computers.

By building up a 'zombie army' - a network of thousands of compromised
computers - hackers take ownership of a lucrative asset, which they
can hire out to illegal spammers and criminal gangs wanting to extort
money from ecommerce firms through distributed denial of service
(DDOS) attacks which crash sites.

'There are internet shops for zombie networks where you can by 5,000
infected machines for $300,' says Kaspersky.

Last July, the UK?s National Hi-Tech Crime Unit, working with its
Russian Ministry of Internal Affairs equivalent, Division K, smashed a
Russian crime racket responsible for extorting thousands of pounds
from UK online bookmakers reliant on their website availability
(Computing, 21 July).

The gang, located in St Petersburg and south-west Russia, targeted
prominent betting firms, including William Hill, Paddy Power and Blue
Square, using DDOS attacks to bring down sites, and demanded between
$10,000 and $40,000 to stop repeat occurrences.

But despite recent successes by internet law enforcement agencies,
Kaspersky believes the criminals are getting smarter, seeking out new
ways to conceal their identity and earn money.

Every time police capture cybercriminals they also reveal some of the
methods they use to catch them, he says.

'There will be a lot more malicious code next year for two reasons,'
says Kaspersky. 'Firstly the criminals will try and hide themselves
using proxies and that will need more code.'

'Secondly people are doing more to protect themselves against these
threats so criminals need to develop new malicious code to bypass this
and build new zombie networks.'

Where lucrative money-making opportunities spring up on the internet,
organised crime groups will follow. And when new security measures
shut the door on current exploits, new opportunities and flaws will be
exposed, says Kaspersky.

'They will never stop their business, they will just find another way.  
The story will carry on year after year and because of this the
anti-virus firms will not lose their jobs,' he says.

Political hacktivism

Home users are unknowingly having their computers commandeered by
political activists as part of a plot to bring down Chechen rebel

An email virus claiming to contain pictures of nude glamour models is
preying on male computer users, infecting their machines with code
which takes control of their PC.

The W32/Maslan-C worm infects PCs using an attached Playgirls2.exe
file, spreads to other email users and then waits until the first day
of every month to launch denial-of-service attacks on Chechen
separatist sites, according to anti-virus firm Sophos.

By creating an army of compromised computers the virus writer can
bombard Chechen websites, including www.chechpress.com and
www.kavkaz.org.uk, blasting them off the internet.

These websites play a key role in the propaganda war between the
Chechen rebels and the Kremlin, according to Sophos.

Although there is no proof linking the Kremlin to the denial of
service attacks, it follows moves by Russia to close down websites of
Chechen rebels calling for independence in the region.

Last November the Russian Foreign Ministry asked the Lithuanian
government for an explanation as to why the websites - run by
separatists out of Lithuania - had resumed activity.

More information about the ISN mailing list