In the beginning there were only malware and machines to be infected, with no money in the middle, only a desire to gain "fame" by coding. A few years ago this situation changed drastically, and today the cybercrime ecosystem is much more complicated, with as many as seven key elements. It starts with the coders, who only develop the malware and then sell it to other criminals while offering support for it. The criminals who buy it distribute it among other cybercriminals and money mules.

What's the problem here? In general, the AV industry still fights the same way it did 15 or more years ago. We detect ever larger amounts of advanced malware, yet more appears every day. It's like cutting a weed but leaving the root: it just grows back again and again...


The title of this post suggests that I've been thinking about one of the cybercriminals who uses SpyEye, maybe even in admiration! But actually his criminal actions overshadow anything else.

The truth is that, following my post highlighting the tactic of using one of the Cloud Computing services offered by Amazon as a C&C, I found a SpyEye sample that is somewhat interesting: among its goals is a DDoS attack directed against the Kaspersky Lab website.

The SpyEye configuration file, which is basically a password-protected compressed archive (the password is usually an MD5 string), stores the resources involved in the planned attack. The surprise came when I looked at the configuration file of the DDoS plugin (ddos.dll.cfg). The following image shows the parameters set in this file:


Last week, we held our first Ibero-American virus analyst summit, to which we invited 34 journalists from 14 Latin American countries, as well as Spain and Portugal. Speakers and panelists included antivirus experts Fabio Assolini, Jorge Mieres, Vicente Diaz and Dmitry Bestuzhev.


After rumors about a supposed merger between SpyEye and ZeuS, and the public release of the source code of the latter, it was logical that the range of possibilities would open up even further for new cybercriminals entering the crimeware ecosystem.

Consistent with this, it was only a matter of time before new packages based on ZeuS crimeware emerged, and that has now happened. Ice IX Botnet is the first of a new generation of web applications, built on the leaked ZeuS source code, for managing centralized botnets over the HTTP protocol.


Last week I participated in a student workshop at the "Pontificia Universidad Católica del Ecuador" – PUCE http://www.puce.edu.ec/ . The workshop wasn't geared only towards technical students but was also aimed at students of law and jurisprudence. During the sessions, we discussed ways to obtain and combine electronic evidence related to malware attacks, how to interpret it, and how to present it to law enforcement for the prosecution of cybercriminals.

We also analyzed the ongoing merging of classic (traditional) crime into cybercrime in areas such as document cloning, grooming and other offences.

I believe these initiatives are very important for current students and future legal professionals, so that they gain a clear understanding of modern attacks, the current legal limitations, and the reforms needed to improve the fight against cybercrime.


In this episode of Lab Matters, Kaspersky Lab malware researcher Tim Armstrong joins Ryan Naraine to examine the security posture of the Android mobile operating system. Armstrong looks at strengths and weaknesses of the open-source platform and warns about the risks associated with jailbreaking/rooting Android devices.


While Eugene’s busy taking bets (wonder how much he’s going to make?), I’ve been having a think about the Winlock case.

Russian law enforcement estimates that the bad guys could have raked in as much as $1 billion. While it's difficult to be certain about the exact amounts involved (obviously they spread their money across a lot of different accounts to avoid attracting attention), a little bit of simple math makes me think this figure isn't as crazy as it might sound.

Our statistical analysis tells us there could be around a million people who've been infected. With 10 cybercriminals, each getting a cut of a ransom of between $10 and $30, and even after paying out $3 per infection to the people willing to spread this malware, the numbers add up pretty quickly.

Opinions|The Winlock case - I'm taking bets!

Eugene
Kaspersky Lab Expert
Posted September 01, 02:25  GMT
Tags: Ransomware, Cybercrime Legislation, Malware Creators

Interesting news on Trojan SMS blockers (Winlock etc.). These programs block Windows and demand a ransom in the form of a text message sent to a short number for a fee. It's a very popular type of racket at the moment, both in Russia and in a few other countries.

The whole affair has now reached the General Prosecutor's Office of Russia: the criminals have been identified and detained (or so it seems) and will be prosecuted in Moscow soon.

Altogether the criminals are estimated to have earned 790,000 roubles, or about $25K. Moreover, they have caused further damage by blocking or crashing a yet-to-be-determined number of personal and company PCs. Very often people have had to reinstall the OS and all their software and then restore data from backups, even after paying the ransom.

But I wanted to focus on the outcome – or the possible outcome of this incident, not on the investigation, arrests and so forth.

Incidents|Oops they did it again!

David
Kaspersky Lab Expert
Posted August 10, 15:56  GMT
Tags: Malware Creators

It seems the BBC has been dabbling in the world of malware... again. It has reported that it has created a smartphone application that is also able to spy on the activities of the person using the compromised handset.

Readers of the blog may remember that the Beeb has something of a history in this area. It raised eyebrows in March 2009 when it 'acquired' a botnet. Shortly after this it also bought personal information, including credit card numbers, from a 'broker' of such data in India.

There's no question of any law having been infringed here; the BBC has not distributed the application. However, we believe its actions to be unethical and unwise. There's enough bad stuff out there without good guys developing their own malicious, or potentially malicious, code, as Denis's blog testifies.


Jose Nazario of Arbor Networks recently posted an analysis of Trojan.Heloag on their blog, mentioning that some of the observed behaviour might be related to peer-to-peer C&C functionality. However, Jose's analysis was dynamic only, so he was not certain about this when I contacted him (thanks also to Alex Cox for sharing network traces from his honeypot). Being interested in peer-to-peer botnets (e.g. Stormfucker: Owning the Storm Botnet [MP4 Video]), I had to take a deeper look.

The Heloag binaries I looked at (6ede527bb5aa65eae8049ac955b1018d, dropped by d9b14a7bc0334458d99e666e553f0ee0) did not contain any peer-to-peer C&C functionality! Instead, the bot speaks a very simple protocol over TCP, with the following command types supported (encoded as the first byte of the packet):

  1. DDoS another host using different techniques:
    • TCP DDoS, connect(..) based (does not send data)
    • UDP DDoS, sendto(..) based (sends some random data)
    • HTTP DDoS requesting / with User-Agent "helloAgent", InternetOpenUrlA based
    • HTTP DDoS crawling links from / with User-Agent "Google page"
  2. Download and execute a URL of up to 0xA4 bytes, zero-padded
  3. Send the current computer name
  4. Stop the currently executing DDoS command
  5. Disconnect from the current server and connect to a new C&C server


Disassembly for function 4

This means that even though multiple C&C servers were observed during dynamic analysis, this is just a hand-over to another C&C server, which can be used for load balancing or for renting out bots. Since the bot is connected to only one server at a time, this does not add much take-down resilience (phew!).
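To make the command format above and the single-server hand-over concrete, here is an added example decoder (not code from the original post or from the Heloag analysis) that parses constructed bot-side packets. What comes from the post: one opcode byte at the start of each packet, the five command types, the 0xA4-byte zero-padded URL field, and the two User-Agent strings used by the HTTP floods. What is assumed for illustration: the opcode values (taken as the list positions 1 to 5), the DDoS sub-type byte and operand layout, the use of the same zero-padded field for the DDoS target and the new C&C address, and all sample packets and addresses.

```python
"""Decoder for the Heloag bot's one-byte-opcode TCP command format (added example).

From the analysis: first byte = command type; command 2 carries a URL of up to
0xA4 bytes, zero-padded; the HTTP floods use User-Agent "helloAgent" and "Google page".
ASSUMED here: opcode values 1..5 (the list positions), a one-byte DDoS sub-type,
and that the DDoS target and the new C&C address use the same zero-padded field.
"""
from dataclasses import dataclass
from typing import Iterable, Optional

# Opcodes (ASSUMED values: the positions in the post's list), first byte of the packet.
CMD_DDOS, CMD_DOWNLOAD_EXEC, CMD_SEND_NAME, CMD_STOP_DDOS, CMD_SWITCH_CC = 1, 2, 3, 4, 5

URL_FIELD_LEN = 0xA4  # from the post: URL of up to 0xA4 bytes, zero-padded

# ASSUMED encoding of the four DDoS techniques as a sub-type byte following the opcode.
DDOS_TYPES = {0: "tcp_connect", 1: "udp_sendto", 2: "http_helloagent", 3: "http_crawl"}

# User-Agent strings the post attributes to the two HTTP flood modes.
HELOAG_USER_AGENTS = (b"helloAgent", b"Google page")


@dataclass
class Command:
    opcode: int
    name: str
    target: Optional[str] = None      # URL, DDoS target or new C&C address
    ddos_type: Optional[str] = None   # only for CMD_DDOS


def _zstr(field: bytes) -> str:
    """Decode a zero-padded field: stop at the first NUL, but tolerate a
    completely filled field that has no terminator (the 0xA4-byte maximum)."""
    return field[:URL_FIELD_LEN].split(b"\x00", 1)[0].decode("ascii", errors="replace")


def encode_zstr(value: str) -> bytes:
    """Build the fixed-size zero-padded field; over-long input is truncated to 0xA4 bytes."""
    return value.encode("ascii")[:URL_FIELD_LEN].ljust(URL_FIELD_LEN, b"\x00")


def decode_command(packet: bytes) -> Command:
    """Dispatch on the opcode byte and pull out the operand, raising on malformed input."""
    if not packet:
        raise ValueError("empty packet")
    op, body = packet[0], packet[1:]
    if op == CMD_DDOS:
        if not body or body[0] not in DDOS_TYPES:
            raise ValueError("DDoS command with missing or unknown sub-type")
        return Command(op, "ddos", target=_zstr(body[1:]), ddos_type=DDOS_TYPES[body[0]])
    if op == CMD_DOWNLOAD_EXEC:
        return Command(op, "download_exec", target=_zstr(body))
    if op == CMD_SEND_NAME:
        return Command(op, "send_computer_name")
    if op == CMD_STOP_DDOS:
        return Command(op, "stop_ddos")
    if op == CMD_SWITCH_CC:
        return Command(op, "switch_cc", target=_zstr(body))
    raise ValueError(f"unknown opcode {op}")


def current_cc(initial_cc: str, packets: Iterable[bytes]) -> str:
    """Replay a command stream and return the one C&C the bot is connected to at the end.
    A switch command replaces the server; it never adds a second one, which is why the
    hand-over buys load balancing or bot rental but little take-down resilience."""
    cc = initial_cc
    for packet in packets:
        cmd = decode_command(packet)
        if cmd.name == "switch_cc":
            cc = cmd.target
    return cc


def is_heloag_flood_request(http_request: bytes) -> bool:
    """Flag an HTTP request whose User-Agent is one of the two strings the floods use."""
    for line in http_request.split(b"\r\n"):
        if line.lower().startswith(b"user-agent:"):
            return line.split(b":", 1)[1].strip() in HELOAG_USER_AGENTS
    return False


# Constructed sample packets (not captured traffic); addresses are documentation ranges.
SAMPLE_PACKETS = [
    bytes([CMD_DOWNLOAD_EXEC]) + encode_zstr("http://example.invalid/update.exe"),
    bytes([CMD_DDOS, 2]) + encode_zstr("http://victim.invalid/"),
    bytes([CMD_STOP_DDOS]),
    bytes([CMD_SWITCH_CC]) + encode_zstr("203.0.113.7:8080"),
]

if __name__ == "__main__":
    for p in SAMPLE_PACKETS:
        print(decode_command(p))
    print("active C&C:", current_cc("198.51.100.1:80", SAMPLE_PACKETS))
```

Running the module prints the four decoded commands and shows that after the whole stream only one C&C address remains active; the `_zstr` helper also covers the edge case of a URL that fills all 0xA4 bytes and so has no NUL terminator.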