Inside the Global Hacker Service Economy

Editor’s note: This article was originally written for CSO Magazine by Senior Editor Scott Berinato in September 2007. Online it first appeared on CIO.com, broken into several articles due to its length. We have reassembled the feature as it provides CSOonline readers with an unparalleled understanding of what security is up against.

By 2003, online banking was not yet ubiquitous but everyone could see that, eventually, it would be. Everyone includes Internet criminals, who by then had already built software capable of surreptitiously grabbing personal information from online forms, like the ones used for online banking. The first of these so-called form-grabbing Trojans was called Berbew.

Berbew’s creator is believed to be a VXer, or malware developer, named Smash, who rose to prominence by co-founding the IAACA—International Association for the Advancement of Criminal Activity–after the Feds busted up ShadowCrew, Smash’s previous hacking group.

Berbew was wildly effective. Lance James, a researcher with Secure Science Corp., believes it operated undetected for as long as nine months and grabbed as much as 113GB of data—millions of personal credentials.

Like all exploits, Berbew was eventually detected and contained, but, as is customary with malware, strands of Berbew’s form-grabbing code were stitched into new Trojans that had adapted to defenses. The process is not unlike horticulturalists’ grafting pieces of one plant onto another in order to create hardier mums.

Thus, Berbew code reappeared in the Trojan A311-Death, and A311- Death in turn begat a pervasive lineage of malware called the Haxdoor family, authored by Corpse, who many believe was part of a well-known, successful hacking group called the HangUp Team, based in the port city of Archangelsk, Russia, where the Dvina River empties into the White Sea, near the Arctic Circle.

By 2006, online banking was ubiquitous and form-grabbers had been refined into remarkably efficient, multi-purpose bots. Corpse himself was peddling a sophisticated Haxdoor derivative called Nuclear Grabber for as much as $3,200 per copy. Nordea Bank in Sweden lost 8 million kronor ($1.1 million) because of it.

But by last October, despite his success, Corpse decided that it was time to lay low. A message appeared on a discussion board at pinch3.net, a site that sold yet another Haxdoor relative called pinch.

“Corpse does cease development spyware? news not new, but many do not know” reads a post by “sash” translated using Babelfish. It then quotes Corpse: “I declare about the official curtailment of my activity of that connected with troyanami [trojans]”

This past January, a reporter for Computer Sweden chatted with Corpse, pretending to be a potential customer. Corpse tried to sell him Nuclear Grabber for $3,000 and crowed that banks sweep 99 percent of online fraud cases under the rug. After Computerworld Australia published the chat, Corpse disappeared. He hasn’t been heard from since.

But his form-grabbing code resurfaced, when a friend of Don Jackson asked Jackson to look at a file he found on his computer, as a favor.

That file led Jackson behind the curtain to find hacking with a level of sophistication he’d never seen before.

January: Discovery

Don Jackson is a security researcher for SecureWorks, one of dozens of boutique security firms that have emerged to deal with the inherently insecure, crime-ridden, ungovernable Internet. Jackson’s company and others like it usually sell security products, but their real value is in the research they do. With law enforcement overtaxed by and under-trained for electronic crime, these firms have become a primary source of intelligence on underground Internet activity and VXers’ latest innovations.

Seems like an expensive hobby for a small company but the expense associated with the hardcore intel and technically arduous research is more than paid for by its value as a marketing tool. Being the first to market, even when your product is bad news about security, wins press attention and, it’s hoped, customers. As such, the little security startups stock up on researchers like Jackson who have a working, or sometimes intimate, knowledge of the criminal hacker underground. All day, every day, security researchers at these small companies are dissecting malware that they discover, chatting with bad guys and poking around their domains.

Still, neither the sheer number of firms and jobs like Jackson’s created in the past five years, nor the fact that larger companies like Verizon, Symantec, IBM, and BT are acquiring those companies, are signs that the good guys are catching up. It’s more a sign of how much money can be made trying to catch up. Internet crime is profitable for everyone, except of course its victims.

Jackson’s friend was a victim, but of what he wasn’t sure. All he could say was that several of his online accounts had been hijacked and that a scan of his computer turned up a conspicuous executable, or exe, file, one that wasn’t detected as malware, but wasn’t recognized as something legitimate either. The friend asked Jackson if, as a favor, he’d take a look.

Jackson obliged and discovered that the file had been on the system since December 13, 2006, almost a month. If it turned out to be something new and malicious, then Jackson had discovered a 0-day exploit. It would be a publicity boon for SecureWorks.

Jackson downloaded the exe to a lab computer. “Generally, the exe is not all that exciting to researchers who see hundreds of samples each month,” says Jackson. “There are some exceptions.” This was not an exception. Jackson found a derivative of Corpse’s Haxdoor form grabber, just a new cultivar of an old species, albeit a reasonably well-crafted one Like several form grabbers before it, this one intercepted form data before it was SSL-encrypted, meaning that the little glowing lock in the corner of the browser, the one that online merchants will tell you ensures you that you’re on a safe page, meant nothing of the sort.

Jackson named his discovery after the transliteration of a Russian word he found inside the source code: Pesdato. Later, when he learned what that word meant in Padonki, a kind of Russian hacker slang, he changed its name, instead choosing the moniker of a cartoon character that he made up in grade school: Gozi.

The process of fully deconstructing Gozi took Jackson three days. On the third day, as he pored over the source code, Jackson noticed that the sample on his lab computer was communicating with an IP address that he thought was owned by the Russian Business Network. RBN is a notorious service provider out of St. Petersburg, Russia that Jackson and others say is an ISP with a reputation for accommodating spam and other malware outfits. Normally, Jackson thought, bots would be stealthier about communicating with RBN. Maybe this was a mistake. Curious, he decided to poke his head in and look around on the RBN server that Gozi was talking to.

And what he found stunned him. As he sailed off through the servers and in and out of files and almost over a database to where Gozi’s home base was, Jackson found a full-fledged e-commerce operation. It was slick and accessible, with comprehensive product offerings and a strong customer focus. Jackson, no one really, had ever seen anything like it. So business-like. So fully conceived. So professional.

See a video of Don Jackson walking Senior Editor Scott Berinato through an identity theft site at http://www.csoonline.com/article/456863

It was early February by the time he found a 3.3 GB file containing more than 10,000 online credentials taken from 5,200 machines—a stash he estimated could fetch $2 million on the black market. He called the FBI as he prepared to go undercover to learn more. If he had known at the time what pesdato, that Padonki slang word meant, he might have uttered it under his breath when he realized what he had stumbled on to.

Jackson had stumbled on to the next phase of Internet crime. Gozi was significant not because the Gozi Trojan was innovative or hard to detect. It wasn’t. It was in many ways no different than its four-year old ancestor Berbew. No, Gozi was significant, Jackson thought, because it wasn’t really a product at all. It was a service.

The Golden Age

Gozi represents the shift taking place in Internet crime, from software-based attacks to a service-based economy. Electronic crime has evolved, from an episodic problem, like bank robberies carried out by small gangs, to a chronic one, like drug trafficking run by syndicates.

Already every month, Lance James’ company Secure Science discovers 3 million compromised login credentials—for banks, for online email accounts, anything requiring a username and password on the Internet—and intercepts 250,000 stolen credit cards. On an average week, Secure Science monitors 30-40GB of freshly stolen data, “and that’s just our company,” says James.

Given that, you think you’d have heard more about Gozi, or about this chronic condition in general. But you haven’t. Beyond the research community, Gozi and the other Trojans stealing all this data have been largely ignored. A half-dozen CSOs and CISOs contacted for this story, including some representing banks and online merchants, had either never heard of Gozi or vaguely recalled the name and not much else. And why would they? Gozi made it through a news cycle and it was reported without context, with a tally of the known damage, like a traffic accident. And yet, Gozi wasn’t that at all. It was an idea, a business model.

Even after it fell out of the news, and despite the fact that Don Jackson and the FBI believed they knew how it worked, and who was running it, the Gozi Trojan continued to adapt to defenses, infect machines and grab personal information.

“Do you have a credit card? They’ve got it,” states another researcher who used to write malware for a hacking group and who now works intelligence on the Internet underground and could only speak anonymously to protect his cover. “I’m not exaggerating. Your numbers will be compromised four or five times, even if they’re not used yet.”

“I take for granted everything I do on the Internet is public and everything in my wallet is owned,” adds Chris Hoff, the security strategist at Crossbeam and former CISO of Westcorp, a $25 billion financial services company. “But what do I do? Do I pay for everything in cash like my dad? I defy you to do that. I was at a hotel recently and I couldn’t get a bottle of water without swiping my credit card. And I was thirsty! What was I gonna do?”

That’s the thing about this wave of Internet crime. Everyone has apparently decided that it’s an unavoidable cost of doing business online, a risk they’re willing to take, and that whatever’s being lost to crime online is acceptable loss. Banks, merchants, consumers, they’re thirsty! What are they gonna do?

The cops lack resources and jurisdiction. And in some cases, security companies are literally shifting their strategies away from trying to secure machines connected to the Internet; they’re giving up because they don’t believe it can be done.

It’s a conspiracy of apathy. For the criminals, this is great news. They stand blinking into the dawn of a golden age of criminal enterprise. Like Barbary Pirates in the 18th century, and like Colombian drug cartels in the 1970s, malicious hackers will run amok, unfettered, unafraid and perhaps even protected. Only they won’t use muskets or mules. They’ll use malicious code to run syndicates that will be both less violent and more scalable than in the past.

Now is the criminal hacker’s time. In Archangelsk, Russia, it is the HangUp Team’s time.

Next: The inner workings of an identity theft service.

February: Access

What Don Jackson found when he followed Gozi back to the RBN server was called 76service.com. The home page was pretty and simple, just a stylized login box.

But how this service worked wasn’t yet clear, so Jackson went undercover. On carders forums, the online hangouts for people who run credit card rackets, he found some members who knew about Gozi and 76service. He recognized their avatars—online personas usually marked by a picture that gets posted with their comments on discussion boards—as ones that belonged to members of the HangUp Team. “It confirmed to me they were involved,” Jackson says, “but how still wasn’t clear. For all I knew, they just sold the bot to someone.”

In response to requests he posted, one of these HangUp Team members e-mailed Jackson at an anonymous safe-mail.com account. The e-mail told Jackson to log on to a specific IRC chat room with a specific name at a specific time. Jackson, using a machine configured to hide its location, did so.

The room was virtually crowded. “I get there, and there’s lots of conversation. Lots of Russian that’s flying by me,” Jackson says. Everyone spoke freely. Jackson did not sense any fear of law enforcement, or curious researchers, snooping. . In fact, Jackson thinks that a kind of show bidding was taking place. The channel moderator was offering preview accounts to 76service such that the users could tour the site. The hope was they’d come back saying Pesdato! and offer a good price for access.

Jackson asked if he could take a test run, too. If he seemed nervous and unpracticed about doing business here, it was because he was. “The moderator says, ‘You don’t speak Russian. Where are you from?’ I say, ’The UK.’ He says, ‘Only people we know get test runs.’” A few others derided Jackson for his ignorance and, in so many words, told him to go away. And that was that.

Plan B: Jackson called on a friend who followed the HangUp Team closely, almost the way a CIA analyst builds up expertise. He figured this friend may know how to get access. It was a stab in the dark but remarkably it worked. One colleague knew all about 76service, which he said had been online for several months, and he lent Jackson login credentials to 76service.com.

The 76service Business Model

When Jackson logged in, the genius of 76service became immediately clear. 76service customers weren’t weren’t paying for already-stolen credentials. Instead, 76service sold subscriptions or “projects” to Gozi-infected machines. Usually, projects were sold in 30-day increments because that’s a billing cycle, enough time to guarantee that the person who owns the machine with Gozi on it will have logged in to manage their finances, entering data into forms that could be grabbed.

Subscribers could log in with their assigned user name and password any time during the 30-day project. They’d be met with a screen that told them which of their bots was currently active, and a side bar of management options. For example, they could pull down the latest drops—data deposits that the Gozi-infected machines they subscribed to sent to the servers, like the 3.3 GB one Jackson had found.

A project was like an investment portfolio. Individual Gozi-infected machines were like stocks and subscribers bought a group of them, betting they could gain enough personal information from their portfolio of infected machines to make a profit, mostly by turning around and selling credentials on the black market. (In some cases, subscribers would use a few of the credentials themselves).

Some machines, like some stocks, would under perform and provide little private information. But others would land the subscriber a windfall of private data. The point was to subscribe to several infected machines to balance that risk, the way Wall Street fund managers invest in many stocks to offset losses in one company with gains in another.

Grabbing forms provides several advantages to both buyer and seller compared with the old model of pulling account numbers out of databases and selling them. For the seller, it’s safer. He becomes a broker; a middle man. He barely handles stolen data. For the buyer, it’s the added value of an identity compared to a a credential. For example, a credit card number alone might be worth $5, but add the three- or four-digit security code associated with that card and the value triples. Add billing address, phone number, cardholder names and so forth which allow a buyer to create new lines of credit and the value can reach into the hundreds of dollars.

Grab the primary and secondary authentication forms used for financial services login in addition to all that, and you’ve hit the jackpot: a real person’s full financial identity. Everything that person had entered into forms online would create an avatar that could be used in the real world to buy goods, apply for credit and passports, buy cell phones, open new bank accounts and manipulate old ones. A dossier like that would be one of the most valuable commodities available on the information black market.

That’s why the subscription prices were steep. “Prices started at $1,000 per machine per project,” says Jackson. With some tinkering and thanks to some loose database configuration, Jackson gained a view into other people’s accounts. He mostly saw subscriptions that bought access to only a handful of machines, rarely more than a dozen.

The $1K figure was for “fresh bots”—new infections that hadn’t been part of a project yet. Used bots that were coming off an expired project were available, but worth less (and thus, cost less) because of the increased likelihood that personal information gained from that machine had already been sold. Customers were urged to act quickly to get the freshest bots available.

This was another advantage for the seller. Providing the self-service interface freed up the sellers to create ancillary services. 76service was extremely customer-focused. “They were there to give you services that made it a good experience,” Jackson says. You want us to clean up the reports for you? Sure, for a small fee. You want a report on all the credentials from one bank in your drop? Hundred bucks, please. For another $150 a month, we’ll create secure remote drops for you. Alternative packaging and delivery options? We can do that. Nickel and dime. Nickel and dime.

Next: The Conspiracy of Apathy details a game of cat and mouse between 76service and law enforcement, and examines why financial institutions have been slow to respond to the new threat model.

The Conspiracy of Apathy

March: Containment

SecureWorks researcher Don Jackson was focused on his technical analysis of form-grabbing software, but he continued correspondence with the source who gave him access to 76service.com. After several email exchanges with Jackson, the source decided that he could trust him enough to share what he knew about the people behind 76service. This is part of what he shared.

He told Jackson that the operation was run by just two people, known as 76 and Exoric. 76 was in Russia. Exoric seemed to be based out Mexico.

76 was a member of the HangUp Team who broke off to launch this service. He probably bought the Haxdoor form-grabbing code grafted onto Gozi from his old crew. He might have traded for it. He also probably had a relationship with the RBN form his HangUp Team days. The lack of manpower beyond the two of them might also explain some of the mistakes 76service made, such as the direct connection to RBN servers and the site configuration that allowed Jackson to view other people’s projects. It appears 76 recruited Exoric for his server-side knowledge, whereas 76 was coding the actual Trojan.

Jackson was sharing all of this with a field agent from the local FBI office, who sent it up to agents in DC, who in turn coordinated with Russian authorities on an investigation, according to Jackson. (The FBI has refused to comment specifically on the case). Meanwhile Jackson contacted Infraguard which in turn shared his findings with financial institutions. Jackson wrote an exhaustive technical report, one of the most detailed ever created, that covered both how Gozi worked and how the service did, too. After he published it, and his PR team spread the word, the press pounced: “Gozi Trojan leads to Russian Data Hoard.”

Gozi had been known to be in the wild for at least three months. But Jackson also believed that the “Winter Edition” of 76service was by no means the first edition. He suspected that 76service had been operating undetected for perhaps as long as 9 months.

But by mid-March, the good guys seemed to be getting ahead of it. Anti-virus and anti-spyware vendors were adding Gozi signatures to their products to detect the bot. 76service servers had been sent on the run as the FBI and ISPs detected and blocked the IP addresses that Gozi connected to, forcing 76 and Exoric to move the site around constantly. Around March 12, the loose coalition of FBI, researchers, ISPs and others finally seemed to get the 76service shut down.

This spurred a fire sale of whatever data had been left unsold at 76service. Jackson says that after March 12, some banks saw hundreds of accounts opened each day that were traced back to Gozi-grabbed data. Some of those account holders managed to make several cash transfers up to $49,000. “They’re playing with limits on fraud,” says Jackson. That is, they know the banks won’t flag 5 transfers under 50 grand, but will flag one $250,000 transfer. Jackson says many of these transfers were wired to, of all places, Belgium, though he didn’t know if anyonehad been caught picking up the cash there. Some other accounts were detected and blocked from activity before transfers were made. Jackson says the United States Secret Service was briefed. (The USSS declined to comment). Gozi and 76service finally seemed to be contained.

But it hardly mattered. By this time, another form-grabbing Trojan had been discovered: Torpig.

Next: Distributed pain for banks and consumers; concentrated gain for hackers.

The new Trojan was called Torpig. Its technical architecture and its service were nearly identical to Gozi and 76service, including links to RBN servers. But Torpig was engineered to target bank forms specifically—excluding less useful (read: valuable) credentials like email logins or logins for newspaper sites. Torping shipped with a database of financial Web sites’ URLs and when it recognized one of these URLs in the browser’s address bar, it woke up and added a redirect command to the URL.

Jackson says that intelligence suggested that the criminals had set up real accounts at the banks on Torpig’s hit list and then captured their own legitimate transaction traffic to see what “normal” transactions looked like at each bank. This way, they could tailor each banks’ redirect command to mimic a normal transaction, so that filters wouldn’t register anomalous activity. Jackson called it “Gozi on steroids.” It has proven much more problematic to researchers, banks and law enforcement. Shutting it down has been far more difficult than taking out Gozi, too, because Torpig communicated with a network of servers. Gozi had only connected to the one RBN server.

That is, until March 21, when 76service was discovered back online, running off of a new server in Hong Kong. By March 27, Jackson had confirmed that it used a new variant of Gozi, undetected by filters. It was the “spring edition.”

Distributed Pain/Concentrated Gain

The HangUp Team’s online art gallery is populated with a disturbing mishmash of images and messages like “Fraud 4ever” and “In Fraud We Trust” (One picture, for example, combines a picture of Hitler, a Cannibas leaf and the head of Eugene Kaspersky, who owns a Russian-based anti-virus company, on a platter.) And yes, pictures of its members often include what have come to be hackneyed criminal hacker clichés, with members posing with their cash, for example.

But do not mistake this culture for incompetence. HangUp Team is one a number of highly successful businesses that some researchers claim earn their members millions of dollars per month. “As a security professional you don’t want to say you’re impressed by them,” says “John” (not his real name), the security professional at a large bank who agreed to talk only if he could remain anonymous, because he didn’t have permission from his bank to speak. “But they’re better run and managed than many organizations. They’re properly funded, they have a clear goal, they’re performance driven, focused on a single mission. It’s like an MBA case study of success.”

There are two key tenets underscoring that success: Distributed pain with concentrated gain, and distributed risk.

The more important of these is distributed pain with concentrated gain. The massive size of the market that Internet criminals prey on allows them to spread losses across hundreds or thousands of victims. “If you take $10 off of 10,000 credit cards, you’ve made $100,000 that no one victim either recognized or felt enough to care,” says Jim Maloney, a former CSO at Amazon.com who now runs his own security consulting firm. “Then scale that up to five different banks’ credit cards.” Each bank loses rougly $20,000. “The gain is concentrated for this one hacker group but the penalty to each bank is still written off as acceptable loss.

“Then go to law enforcement. Unless they hear from many victims and can aggregate the problem as one big one, so that the resources required to chase it down are justified, they won’t, they can’t chase it down.”

And if they did decide to open an investigation, who do they go after? That’s the distributed risk element. Groups like the HangUp Team, and 76 himself, deal in access to credentials. 76, for example, barely handles stolen data. He also contracts out the distribution of his malware. And he sells to people who themselves don’t commit fraud with the credentials but usually turn around and sell them to still others who actually commit the final fraud by turning stolen information into money and goods.

That’s several links in a supply chain all sharing the risk (It’s instructive to note that, according to several researchers, one of the biggest frustrations for groups like HangUp Team recently has been “newbies” to the credentials market who buy a credit card and immediately rack up tens of thousands of dollars in luxury goods on that card—essentially concentrating the pain and raising a red flag that can threaten to put the good guys on the scent. It’s reminiscent of the movie Goodfellas, when, after the Lufthansa heist, Robert DeNiro’s character nervously castigates his crew for bringing attention to themselves by showing up at a Christmas party with new cars and furs.)

The Internet criminals’ model perfectly mirrors the drug cartel model, which relies on a stratified market that spreads the risk out to pushers, distributors, mules, manufacturers, and all the money flows up, to the cartel. Disrupting the middle men—and that’s what HangUp Team is becoming—doesn’t solve the problem. Other middle men will simply arise to fill the void, much the way Smash started the IAACA to fill the void left by ShadowCrew when it was taken down.

“Information is currency, that’s the radical change,” says Chris Rouland, CTO and IBM Distinguished Engineer with IBM’s Internet Security Systems group. “These guys don’t need to steal from anyone. They’ve moved themselves way up the value chain.”

Next: How hackers use iFrames to distribute malware.

April: The iFrame Problem

In early April, the Spring Edition 76service server in Hong Kong was taken down. Filters added the new Gozi variant to their lists of detected malware. On the run again, 76 and Exoric would fold up their tent and modify Gozi to be undetectable again while they found a new place to set up shop. And when they did, the steps would start again, the two sides entwined in an endless, uneasy foxtrot.

Jackson continued to help where he could but much of this was out of his hands. He had since immersed himself in another facet of 76service—its distribution mechanism.

No matter how inspired the idea of a subscription to infected machines was, or how cleverly engineered the bot that infected those machines was, 76’s and Exoric’s success with 76service, surprisingly, relied on something they didn’t develop themselves, but rather contracted out: distribution, for which they used iFrames, a browser feature that allows Web sites to deliver content from a remote Web site within a frame on a page. Think of stock quotes origination from one site streamed into a small box on another site. (For more about iFrames, see Death by iFrame.) 76 and Exoric used iFrames to infect computers – but in April they had contracted this part of the work out to another service, iFramebiz.com.

Jackson found a partial list of sites hosting the iFrames used exclusively for Gozi. Jackson sampled 5,848 pages, only a portion of the infected pages on his partial list (meaning 76 and Exoric probably paid tens of thousands of dollars for iFrame infections). Some of the iFramed sites on his list were offline. Some had been cleaned up. But 2,079 of them, more than a third of the sample, still had the code online, ready to deliver new, undetectable versions of Gozi as soon as they were ready. A month later, when Jackson took attendance again, 98 percent of the 2,079 were still hosting the iFrame.

Even if Gozi was gone for good, the iFramers would be happy to resell access to these iFrames to the next malware developer.

Transferred Risk

As much as the HangUp Team has relied on distributed pain for its success, financial institutions have relied on transferred risk to keep the Internet crime problem from becoming a consumer cause and damaging their businesses. So far, it has been cheaper to follow regulations enough to pass audits and then pay for the fraud rather than implement more serious security. “If you look at the volume of loss versus revenue, it’s not horribly bad yet,” says Chris Hoff, with a nod to the criminal hacker’s strategy of distributed pain. “The banks say, ‘Regulations say I need to do these seven things, so I do them and let’s hope the technology to defend against this catches up.’”

“John” the security executive at the bank, one of the only security professionals from financial services who agreed to speak for this story, says “If you audited a financial institution, you wouldn’t find many out of compliance. From a legal perspective, banks can spin that around and say there’s nothing else we could do.”

The banks know how much data Lance James at Secure Science is monitoring; some of them are his clients. The researcher with expertise on the HangUp Team calls consumers’ ability to transfer funds online “the dumbest thing I’ve ever seen. You can’t walk into the branch of a bank with a mask on and no ID and make a transfer. So why is it okay online?”

And yet banks push online banking to customers with one hand while the other hand pushes problems like Gozi away, into acceptable loss budgets and insurance—transferred risk.

As long as consumers don’t raise a fuss, and thus far they haven’t in any meaningful way, the banks have little to fear from their strategies.

But perhaps the only reason consumers don’t raise a fuss is because the banks have both overstated the safety and security of online banking and downplayed negative events around it, like the existence of Gozi and 76service.

So did the banks create a false sense of security or did consumers drive them to not address it through their apathy? The banks themselves might argue that they are acting responsibly. It’s hard to tell since most decline to talk about the problem. Bill Nelson is president of the Financial Services Information Sharing and Analysis Center, or FS-ISAC, a group for bank security executives where they can safely share intelligence and other information. Membership in the FS-ISAC has increased from 68 in 2004 to 2,200 this year. “That’s not a lack of interest,” says Nelson.

Nelson was the closest person to bank security executives who would speak on the record. He bristled at the notion that banks are carelessly pushing services they can’t secure. “It’s being misinterpreted that banks don’t care about security. They spend millions of dollars on this. These are good, quality people,” Nelson says.

If anything, say Nelson and others, blaming banks is precisely backwards. If you want to point fingers look at their customers, who’ve created the demand for the product in the first place. “It’s kind of ridiculous to think you wouldn’t, as a bank, use the Internet as a transport,” notes Hoff. “If you’re not offering some form of online banking, you’re going to wither away and go out of business.”

Eric Johnson, an economist at Dartmouth who recently published a study on malware on peer-to-peer networks says, “Customers are the banks’ worst enemies here. Customers are exposing lots of material that creates an environment for identity theft.”

Indeed, many malware problems are intimately connected to insecure PCs and finicky consumers who, even if they say otherwise, value convenience over security. As one CISO at a bank put it—anonymously, of course, “Users are pretty dumb.”

Next: MPACK and the Next Wave of Malware recounts the demise of 76service and the emergence of more powerful form-grabbing technology.

MPACK and the Next Wave of Malware

May: A Poor Re-emergence

The hackers known as 76 and Exoric weren’t just the managers of 76service; they were also clients. Through his undercover work, SecureWorks researcher Don Jackson found that Exoric himself owned a project – a portfolio of trojan-infected machines – just like the ones the team sold. Only, since access was free to him, his was a much bigger project, with hundreds of bots focused exclusively on Gozi-infected machines in Mexico and Chile (.mx and .cl domains), and no 30-day expiration. For a while, Exoric also used his own storefront for the Latin and South American markets, called GucciService.

But by May the business was strained by the constant pursuit of researchers writing signatures to detect Gozi and law enforcement working with them to find and take down the 76service servers.

Early in the month, Jackson was able to say “Gozi isn’t working. No one is going to the site.” At this time, his personal site was also the victim of what he termed a poor DDoS attack that lasted 36 hours. Soon after that, when he visited 76service.com, he found it abandoned, with a simple message: “I choose shadow. Please, never come back again.”

It seemed that, finally, it was over. But it wasn’t, of course. In fact even before Jackson found 76service.com abandoned, a new Gozi variant was already at work, and it would be learned that it had been infecting machines since at least April 14. This latest Gozi bot was better than ever. It had added keystroke logging as an alternative to form grabbing. And recognizing that researchers were their primary adversaries, the new version added features to stymie detection and reverse engineering. “Every copy of Gozi has a unique infection ID,” explains Jackson. “So when data comes into the server it can check against the ID to make sure it’s a valid infection. This new version also checked to see what your bot had sent before. Basically it could shut you off if you kept logging in without delivering good data, which is what researchers do.” The new version also logged the bot’s IP address so that it could be blocked from communicating with the server.

But there were problems. A programming glitch caused the service to create huge files of redundant information, interrupting service to customers while the duo tried to fix it. “That’s why QA testing is so important,” deadpans Jackson. They had only nabbed about 500MB of data off of 200 infected PCs when their new ISP, which Jackson says was based in Panama, took them offline again.

It was a poor reemergence. Lurking on a discussion board with a colleague who could translate Russian, Jackson found a post by someone named 57, a hacker thought to be part of the HangUp Team. 57 wrote that 76 broke off work with Exoric because the two were spending more time on the lam than they did running the service.

The FBI had wound down on the case, according to Jackson (though in an official statement given to CSO from the press office, the FBI says it welcomes any leads on information related to Gozi and 76service, which it termed “unique”). While they continued to monitor some accounts they knew were connected to 76service, Jackson didn’t think it would progress beyond that. 76service was officially defunct. By early June, 76 and Exoric had dissolved their partnership.

But 57 also seemed to indicate that 76 was back with HangUp Team and busy rewriting the Gozi form grabber. The new architecture would allow 76 to hide the drop servers from prying eyes, making it harder to interrupt or shut services down.

Jackson predicted at the time that a new 76service would follow in kind. After all, 76service didn’t fail because of the service model. It failed because of a lack of manpower to secure and manage the service. It couldn’t scale. “I think they cobbled together Gozi and 76service to see what it could do,” says Jackson. “They realize what they need to do next. They spotted weaknesses. Torpig was the next step; it was better. Now what’s next?” With the help of the HangUp Team, a 76service-like site capable of enduring its own success, will return using some descendant of Gozi or Torpig.

Next: A Radical New Strategy for Banks?

The Radical New Strategy?

If users are, as one bank CISO said, dumb; and if banks can just write off their losses; and if the Internet is fundamentally insecure; and if vendors defenses can’t keep up; and if law enforcement is overmatched; what happens next?

Don Jackson thinks that the banks will simply transfer more of the risk. “The banks are worried but their answer is not to track these guys down or be more diligent about security,” says Jackson, who says he remembers talking about this with bank security types at last year’s Information Systems Security Assocaition (ISSA) conference. “Their answer is to shift more responsibility on to their customers. They’ll lower fraud limits, the amount of stolen funds they’ll cover. They’ll make it harder for consumers to prove they were defrauded—and easier to say it was the customer’s fault.. You’ll have to prove that you kept your end of the deal by patching your system and so forth. Watch the terms of use for online banking. I think you’ll see changes.”

Like Jackson, Chris Rouland of IBM ISS believes the days of acceptable loss at the banks are numbered, but he has a hard time seeing a “blame the customer” strategy succeed. “These write-offs, this thing about putting it on consumers, it will end. It has to,” he says.

Rouland says that he is rethinking security at a fundamental level, and many others in the industry are as well. “We’re basically telling banks that client security is your problem, not [your customers’] problem. We’re saying all the awareness in the world can not adequately secure client machines. Telling customers to secure themselves will not work. We believe that in order to fix the problem, you have to protect customers’ customers. You have no choice.”

Notice Rouland did not say you have to secure the client. He never says the banks must figure out a way to protect that machine. That’s careful and deliberate, because Rouland doesn’t believe that’s what banks have to do. When it comes to security PCs, Rouland’s advice is radical: Give up.

“In the next generation,” he says, “we will all do business with infected end points,” he says.

He was asked to repeat what he said, just to be sure. So he did: “Our strategy is we have to figure out how you do business with an infected computer. How do you secure a transaction with an infected machine? Whoever figures out how to do that first will win.”

Next: June—disturbing developments

June: Disturbing Developments

By mid-June, Gozi was practically forgotten, and the new thing was MPACK. This one even had some veteran researchers muttering pesdato!

A typical Trojan like Gozi might rely on one exploit to try and open up a connection with the target PC. MPACK, on the other hand, is a briefcase full of exploits, a dozen or more of them. Mostly they’re old exploits, but the idea is that if you try 15 different lock picks, one is bound to get you in. What’s more, MPACK then reports back to its server which exploits worked where and stores that information in a database, an intelligence function used to effectively pack the briefcases with the most successful lock picks. The practice seems to have vastly increased the successful infection rate of PCs that visit sites delivering MPACK.

MPACK is actually sold with malware such that once the briefcase of exploits gets access, a Trojan—often Torpig—will be delivered to the PC. Other Trojans, like Apophis (which steals digital certificates) and even the old Nuclear Grabber that Corpse was hocking more than a year ago are also available in conjunction with MPACK. It costs hundreds to thousands of dollars.

Researchers still trying to penetrate this service say that MPACK is being sold by sash, likely the same as “sash” who posted news of Corpse’s semi-retirement on the Pinch3.net discussion board. (Sash sells Pinch, too). Sash in turn seems to be working with Step57, a group likely run by 57, the HangUp Team coder who Jackson had found who posted the news of 76service’s demise. All of these players have connections to the Russian Business Network, according to several researchers, including Jackson.

MPACK’s multiple-exploit technique was used before in an exploit called WebAttacker. But MPACK is more effective because of iFrames. Disturbingly, the iFramers seem to have come up with some automated exploit kit capable infecting a massive number of Web pages with illicit iFrames in a short period of time, “like a machine gun spraying holes in sites” says Lance James. The first round of iFrame injections created to deliver MPACK showed up, literally, overnight—more than 10,000 pages were infected, mostly on Italian sites. Since then the process has repeated itself, moving country to country. Thousands of infections all at once.

Researchers are still trying to understand what allows the deployment of so many iFrames so quickly. Mostly they’re reporting on rumors and theories. Using a virtual host to infect many sites is one working theory. But no one knows yet for sure how it’s done. What they do know is iFraming is officially pandemic. “The iFramers are making a killing,” Jackson says. “They don’t get their hands dirty with the actual malware. They just break into a server with scripts. It’s a good business to be in right now.”

Next: The evolution of malware continues.

Fraud 4ever

“The thing about MPACK,” says James, “this is the start of the whole thing.” By this he seems to mean that Golden Age of Internet Crime, that dawning era. “They’re starting to think like architects instead of engineers.” MPACK brings together the best iFrames, the best exploits and some state-of-the-art malware into a single package all of which is being improved constantly, and sold with a focus on customer service. In marketing parlance, it’s not a product, it’s a solution.

Business is good. Internet criminals operate with de facto immunity. The pool of vulnerable computers to exploit remains massive. The target financial institutions still treat their crime as acceptable loss. Law enforcement is otherwise occupied. And technical defenses are mere market conditions to adapt to. For example, when some clever banks came up with a way to beat keylogging by having users use “virtual keyboards” on the screen, criminal hackers just developed Briz, code that captures the pixels around the cursor, the pictures of the characters being typed. Problem solved.

The criminals innovate. Some tactics will make the hair on your neck prickle. Rumors persist of a nasty Brazilian banking Trojan that can change banking account numbers, routing numbers, balance, and payment/transfer values by injecting HTML or even whole, cloned HTTP requests into an online banking session on the fly, such that the person banking would see false information that reflected their intentions and not the actual transfer. Chris Rouland of IBM has seen similar functionality in a bot called Grams.

Prg, another form-grabbing Trojan discovered last October, makes researchers awfully nervous. New variants emerge every couple of months and managed to steal tens of GB of data before being detected. Its encryption is strong and well-designed, its ability to hide itself with anti-forensics deft.

In June, Don Jackson found a new Prg variant. It shipped with a development kit which allows anyone who buys it to adapt the code on the fly in order to evade anti-virus and anti-spyware. On the server where he found it, he also found a staging area where new variants were already developed and waiting to be released as soon as the defenses recognized and blocked the current variant. He also found a couple of drops for two different groups who had bought Prg and distributed it through both iFrames and some good old-fashioned “click-on-this-link” emails. The drops comprised 10,000 account credentials, including second factors of authentication and answers to those security check questions like your mother’s maiden name meant to layer extra security into the online banking process.

“There’s a consumer side of me that says, Be cautious but life must go on. Someone somehow will take care of this,” says Christopher Hoff. “And the security side of me wants to curl up in the fetal position and not go out.”

After Jackson discovered the Prg variant, he learned of two more Gozi variants found in the wild. The EXE inside these versions is called 76.exe, and is probably the product of 76’s reunion with the HangUp Team. It’s pesdato! It has vastly improved its server network and obfuscation techniques. It bounces traffic from country to country. It hides its drops well. In fact, Jackson’s not sure what it even connects to. He’s looking for the front end, the next 76service. He knows it’s out there. But so far he can’t find it.