Gozi malware arrests, report highlight Russian cybercrime
Feds charge Russian national over the Gozi Trojan that hit banks, new report shows 70% of exploit kits released or developed in Russia
By Antone Gonsalves
January 24, 2013 — CSO — Russia's notoriety as a home for cybercriminals was highlighted in the conviction of the creator of the infamous Gozi malware and a new report that found the majority of exploit kits were built in the country.
On Wednesday, federal prosecutors in New York unsealed an indictment that charged Russian national Nikita Kuzmin with creating the Gozi Trojan. The malware infected more than 1 million computers globally and led to tens of millions of dollars in losses at several major U.S. banks.
On Tuesday, managed security provider Solutionary released a report showing that 70% of the exploit kits reviewed by its Security Engineering Research Team were released or developed in Russia.
"A lot of these exploit kits are not simple little things that script kiddies have written," Rob Kraus, director of research for Solutionary, said. "They are robust applications that almost emulate those of enterprise solutions. There's a lot of time and effort put into these exploit kits to make them profitable."
Almost 60% of the vulnerabilities targeted by the kits are more than two years old, showing that exploiting known vulnerabilities remains a lucrative business.
Russia is home to some of the world's most notorious malware writers and distributors. Lax law enforcement and an economy favoring the wealthy have pushed many computer programmers underground. A large number of the developers build the malware and then sell or rent it to others.
"I think a big part of it is the brilliant mind syndrome," Stuart McClure, chief executive and founder of security firm Cylance, said. "So many talented mathematicians and scientists with few positive applications for that brilliance."
Russian cybercriminals tend to focus on bank fraud, which is why a lot of specialized Trojans like Gozi originate from the country, Ryan Sherstobitoff, senior security researcher for McAfee, said.
"That's why Russia tends to be a malware hotspot (for bank fraud)," Sherstobitoff said. "Most Russian cybercriminals are interested in profit and financial gain, as opposed to stealing state secrets."
In general, 60% to 70% of all malware is aimed at stealing from bank accounts or making illegal fund transfers, Sherstobitoff said.
Kuzmin designed the Gozi Trojan in 2005 and passed along his list of technical specifications to computer programmers to write the source code, according to the indictment. Kuzmin then opened a business called "76 Service" that charged a weekly fee for use of the malware. Buyers could configure it to steal data of their choosing and Kuzmin provided the storage for the data. In 2009, he sold the malware outright for about $50,000 plus a share of the profits.
McAfee believes there could be a connection between Kuzmin selling the malware and another cybercriminal who goes by the nickname vorVzakone planning to use a Gozi variant in a coordinated attack this spring on U.S. banking customers. The timing of the events makes them "highly suspicious," Sherstobitoff said.
VorVzakone announced Project Blitzkrieg last September while trying to recruit other criminals on a semi-private, Russian-language underground forum.
Kuzmin was arrested in the United States in November 2010 and pled guilty six months later to a variety of computer intrusion and fraud charges, the indictment said. Two other men involved in the creation and distribution of the Gozi malware were also charged.
Deniss Calovskis, a Latvian national suspected of writing some of the Gozi source code, was arrested in his home country in November 2012. Mihai Ionut Paunescu, a Romanian national suspected of running a hosting service for distributing Gozi and other malware, was arrested in his country in December 2012.