Editor's note: This article was originally written for CSO Magazine by Senior Editor Scott Berinato in September 2007. Online it first appeared on CIO.com, broken into several articles due to its length. We have reassembled the feature as it provides CSOonline readers with an unparalleled understanding of what security is up against.
By 2003, online banking was not yet ubiquitous but everyone could see that, eventually, it would be. Everyone includes Internet criminals, who by then had already built software capable of surreptitiously grabbing personal information from online forms, like the ones used for online banking. The first of these so-called form-grabbing Trojans was called Berbew.
Berbew’s creator is believed to be a VXer, or malware developer, named Smash, who rose to prominence by co-founding the IAACA—International Association for the Advancement of Criminal Activity—after the Feds busted up ShadowCrew, Smash’s previous hacking group.
Berbew was wildly effective. Lance James, a researcher with Secure Science Corp., believes it operated undetected for as long as nine months and grabbed as much as 113GB of data—millions of personal credentials.
Like all exploits, Berbew was eventually detected and contained, but, as is customary with malware, strands of Berbew’s form-grabbing code were stitched into new Trojans that had adapted to defenses. The process is not unlike horticulturalists’ grafting pieces of one plant onto another in order to create hardier mums.
Thus, Berbew code reappeared in the Trojan A311-Death, and A311-Death in turn begat a pervasive lineage of malware called the Haxdoor family, authored by Corpse, who many believe was part of a well-known, successful hacking group called the HangUp Team, based in the port city of Archangelsk, Russia, where the Dvina River empties into the White Sea, near the Arctic Circle.
By 2006, online banking was ubiquitous and form-grabbers had been refined into remarkably efficient, multi-purpose bots. Corpse himself was peddling a sophisticated Haxdoor derivative called Nuclear Grabber for as much as $3,200 per copy. Nordea Bank in Sweden lost 8 million kronor ($1.1 million) because of it.
But by last October, despite his success, Corpse decided that it was time to lay low. A message appeared on a discussion board at pinch3.net, a site that sold yet another Haxdoor relative called pinch.
“Corpse does cease development spyware? news not new, but many do not know” reads a post by “sash” translated using Babelfish. It then quotes Corpse: “I declare about the official curtailment of my activity of that connected with troyanami [trojans]”
This past January, a reporter for Computer Sweden chatted with Corpse, pretending to be a potential customer. Corpse tried to sell him Nuclear Grabber for $3,000 and crowed that banks sweep 99 percent of online fraud cases under the rug. After Computerworld Australia published the chat, Corpse disappeared. He hasn’t been heard from since.
But his form-grabbing code resurfaced, when a friend of Don Jackson asked Jackson to look at a file he found on his computer, as a favor.
That file led Jackson behind the curtain to find hacking with a level of sophistication he’d never seen before.
Don Jackson is a security researcher for SecureWorks, one of dozens of boutique security firms that have emerged to deal with the inherently insecure, crime-ridden, ungovernable Internet. Jackson’s company and others like it usually sell security products, but their real value is in the research they do. With law enforcement overtaxed by and under-trained for electronic crime, these firms have become a primary source of intelligence on underground Internet activity and VXers’ latest innovations.
Seems like an expensive hobby for a small company but the expense associated with the hardcore intel and technically arduous research is more than paid for by its value as a marketing tool. Being the first to market, even when your product is bad news about security, wins press attention and, it’s hoped, customers. As such, the little security startups stock up on researchers like Jackson who have a working, or sometimes intimate, knowledge of the criminal hacker underground. All day, every day, security researchers at these small companies are dissecting malware that they discover, chatting with bad guys and poking around their domains.
Still, neither the sheer number of firms and jobs like Jackson’s created in the past five years, nor the fact that larger companies like Verizon, Symantec, IBM, and BT are acquiring those companies, are signs that the good guys are catching up. It’s more a sign of how much money can be made trying to catch up. Internet crime is profitable for everyone, except of course its victims.
Jackson’s friend was a victim, but of what he wasn’t sure. All he could say was that several of his online accounts had been hijacked and that a scan of his computer turned up a conspicuous executable, or exe, file, one that wasn’t detected as malware, but wasn’t recognized as something legitimate either. The friend asked Jackson if, as a favor, he’d take a look.
Jackson obliged and discovered that the file had been on the system since December 13, 2006, almost a month. If it turned out to be something new and malicious, then Jackson had discovered a 0-day exploit. It would be a publicity boon for SecureWorks.
Jackson downloaded the exe to a lab computer. “Generally, the exe is not all that exciting to researchers who see hundreds of samples each month,” says Jackson. “There are some exceptions.” This was not an exception. Jackson found a derivative of Corpse’s Haxdoor form grabber, just a new cultivar of an old species, albeit a reasonably well-crafted one. Like several form grabbers before it, this one intercepted form data before it was SSL-encrypted, meaning that the little glowing lock in the corner of the browser, the one that online merchants will tell you assures you that you’re on a safe page, meant nothing of the sort.
Jackson named his discovery after the transliteration of a Russian word he found inside the source code: Pesdato. Later, when he learned what that word meant in Padonki, a kind of Russian hacker slang, he changed its name, instead choosing the moniker of a cartoon character that he made up in grade school: Gozi.
The process of fully deconstructing Gozi took Jackson three days. On the third day, as he pored over the source code, Jackson noticed that the sample on his lab computer was communicating with an IP address that he thought was owned by the Russian Business Network. RBN is a notorious service provider out of St. Petersburg, Russia, that Jackson and others say is an ISP with a reputation for accommodating spam and other malware outfits. Normally, Jackson thought, bots would be stealthier about communicating with RBN. Maybe this was a mistake. Curious, he decided to poke his head in and look around on the RBN server that Gozi was talking to.
And what he found stunned him. As he sailed off through the servers and in and out of files and almost over a database to where Gozi’s home base was, Jackson found a full-fledged e-commerce operation. It was slick and accessible, with comprehensive product offerings and a strong customer focus. Jackson, no one really, had ever seen anything like it. So business-like. So fully conceived. So professional.
See a video of Don Jackson walking Senior Editor Scott Berinato through an identity theft site at http://www.csoonline.com/article/456863
It was early February by the time he found a 3.3 GB file containing more than 10,000 online credentials taken from 5,200 machines—a stash he estimated could fetch $2 million on the black market. He called the FBI as he prepared to go undercover to learn more. If he had known at the time what pesdato, that Padonki slang word, meant, he might have uttered it under his breath when he realized what he had stumbled onto.
Jackson had stumbled onto the next phase of Internet crime. Gozi was significant not because the Gozi Trojan was innovative or hard to detect. It wasn’t. It was in many ways no different than its four-year-old ancestor Berbew. No, Gozi was significant, Jackson thought, because it wasn’t really a product at all. It was a service.
The Golden Age
Gozi represents the shift taking place in Internet crime, from software-based attacks to a service-based economy. Electronic crime has evolved, from an episodic problem, like bank robberies carried out by small gangs, to a chronic one, like drug trafficking run by syndicates.
Already every month, Lance James’ company Secure Science discovers 3 million compromised login credentials—for banks, for online email accounts, anything requiring a username and password on the Internet—and intercepts 250,000 stolen credit cards. On an average week, Secure Science monitors 30-40GB of freshly stolen data, “and that’s just our company,” says James.
Given that, you’d think you’d have heard more about Gozi, or about this chronic condition in general. But you haven’t. Beyond the research community, Gozi and the other Trojans stealing all this data have been largely ignored. A half-dozen CSOs and CISOs contacted for this story, including some representing banks and online merchants, had either never heard of Gozi or vaguely recalled the name and not much else. And why would they? Gozi made it through a news cycle and it was reported without context, with a tally of the known damage, like a traffic accident. And yet, Gozi wasn’t that at all. It was an idea, a business model.
Even after it fell out of the news, and despite the fact that Don Jackson and the FBI believed they knew how it worked, and who was running it, the Gozi Trojan continued to adapt to defenses, infect machines and grab personal information.
“Do you have a credit card? They’ve got it,” states another researcher who used to write malware for a hacking group and who now works intelligence on the Internet underground and could only speak anonymously to protect his cover. “I’m not exaggerating. Your numbers will be compromised four or five times, even if they’re not used yet.”
“I take for granted everything I do on the Internet is public and everything in my wallet is owned,” adds Chris Hoff, the security strategist at Crossbeam and former CISO of Westcorp, a $25 billion financial services company. “But what do I do? Do I pay for everything in cash like my dad? I defy you to do that. I was at a hotel recently and I couldn’t get a bottle of water without swiping my credit card. And I was thirsty! What was I gonna do?”
That’s the thing about this wave of Internet crime. Everyone has apparently decided that it’s an unavoidable cost of doing business online, a risk they’re willing to take, and that whatever’s being lost to crime online is acceptable loss. Banks, merchants, consumers, they’re thirsty! What are they gonna do?
The cops lack resources and jurisdiction. And in some cases, security companies are literally shifting their strategies away from trying to secure machines connected to the Internet; they’re giving up because they don’t believe it can be done.
It’s a conspiracy of apathy. For the criminals, this is great news. They stand blinking into the dawn of a golden age of criminal enterprise. Like Barbary Pirates in the 18th century, and like Colombian drug cartels in the 1970s, malicious hackers will run amok, unfettered, unafraid and perhaps even protected. Only they won’t use muskets or mules. They’ll use malicious code to run syndicates that will be both less violent and more scalable than in the past.
Now is the criminal hacker’s time. In Archangelsk, Russia, it is the HangUp Team’s time.
What Don Jackson found when he followed Gozi back to the RBN server was called 76service.com. The home page was pretty and simple, just a stylized login box.
But how this service worked wasn’t yet clear, so Jackson went undercover. On carders forums, the online hangouts for people who run credit card rackets, he found some members who knew about Gozi and 76service. He recognized their avatars—online personas usually marked by a picture that gets posted with their comments on discussion boards—as ones that belonged to members of the HangUp Team. “It confirmed to me they were involved,” Jackson says, “but how still wasn’t clear. For all I knew, they just sold the bot to someone.”