Antivirus researchers have uncovered a startling increase in organized virus- and worm-writing activity that they say is powering an underground economy specializing in identity theft and spam.
"The July outbreak of MyDoom.O was yet another reminder that spammers are now using sophisticated, blended threats that mix spam, viruses and denial-of-service attacks," according to Andrew Lochart, director of product marketing at Postini, an e-mail security services provider. In July alone, Postini's customers reported more than 16 million directory harvest attacks, which are attempts by spammers to hijack a company's entire e-mail directory.
The link between viruses, worms and the underground criminal economy, however, goes back to long before the latest version of MyDoom, says Mikko Hypponen, antivirus research director at F-Secure. Starting with the initial outbreak of MyDoom in January, Hypponen began to notice that what had previously been considered little more than a rogue virus-writing subculture actually had a significant link to organized efforts to use malicious code to make money.
"MyDoom got press coverage because of the denial-of-service attack it launched against SCO and Microsoft," says Hypponen. "But nobody was paying attention to what was happening behind the scenes."
And what was happening, according to Hypponen, was the beginning of a concerted, unabashed effort to turn virus and worm infections into cash.
Eight days after MyDoom.A hit the Internet, somebody scanned millions of IP addresses looking for the back door left by the worm, said Hypponen. The attackers searched for systems with a Trojan horse called Mitglieder installed and then used those systems as their spam engines. As a result, millions of computers across the Internet were now for sale to the underground spam community.
Of course, spamming viruses aren't new. Security professionals have been dealing with them for years. However, the appearance of MyDoom and more recent viruses and worms signaled the beginning of much larger problems, says Hypponen.
By the end of January, Internet users were busy dealing with the Bagle mass mailer. And although the first version wasn't particularly successful, at least a dozen variants soon followed, including variants that carried Mitglieder.
But the real clues that organized gangs were using Bagle and MyDoom to sell spam proxies -- as well as links to phony Web sites that exist only to harvest identities and personal financial information -- came when the writer behind Netsky.R posed a direct challenge to the so-called professional virus writers.
In addition to attempting to remove Bagle and MyDoom from infected computers, Netsky conducted a denial-of-service attack against Web sites known to be fronts for identity thieves, according to Hypponen.
When F-Secure analysts decoded the encrypted messages hidden within a subsequent version of Bagle (Bagle.J), they discovered a threat of a virus war if the Netsky author continued to "ruin" the "business" of the professional virus writers.
"We have information that the writers of both MyDoom and Bagle may be Russian immigrants living in various European countries," says Hypponen.
Whoever is behind it, they are organized and running a thriving business, says Hypponen.
Brian Dunphy, director of global analysis operations at Symantec's Security Operations Center, acknowledges that it's difficult to discern the intent behind many viruses and worms in the wild. In addition to planting back doors, some worms, such as the latest MyDoom variant, have embedded peer-to-peer updating capabilities, he says.
"What we used to see are worms and viruses that did not have a reach-back-and-call-home capability," says Dunphy. "What we saw with MyDoom, however, was that infected systems were aware of other infected systems, and they automatically built a peer-to-peer network of sorts."
In fact, Symantec's analysis of the recent MyDoom.M outbreak discovered a mechanism that's used to maintain a list of all known infected systems and permits the worm's author to update all MyDoom.M-infected systems with new arbitrary malicious code with little risk of its network being hijacked by rival worm authors, says Alfred Huger, senior director of Symantec Security Response.
In addition to propagating spam proxies and setting up peer-to-peer networks, viruses and worms are being used to install Web servers on vulnerable systems. Those Web servers are then used to host everything from pornography and pirated software sites to fake banks, Huger says.
Underground bartering and selling is conducted on Web sites such as a Russian site that, among other things, sells subscription services to compromised computers.
Various other Russian and Chinese message boards exist for the sole purpose of selling spam hosts. Accepted payment methods, shown clearly on the Web pages, include E-gold transactions and WebMoney and Western Union money transfers. Ironically, organized e-criminals don't accept credit cards.
For Sale: Your ID
Viruses and worms carrying Trojan horse code are also powering massive identity theft rings.
At sites like www.oemcd.biz, www.mega-oem.biz, http://huge-sales.info and www.atlantictrustbank.com, among hundreds of others, users are presented with the opportunity to buy popular software at tremendous discounts, sometimes at one-tenth the retail price. And while these sites look authentic, Hypponen offers a word of caution.
"The one thing all of these sites have in common is that none of them exist," he says. "If you buy something from them, you'll get nothing, and they will never charge your credit card. But what they will do is steal your identity." In fact, identities and bulk credit card "dumps" are available to the highest bidder at some sites.
Tracking down virus writers and other online criminals can be more difficult than anybody ever imagined. It's particularly difficult in the case of fraudulent domain-hosting schemes, which often use IP addresses that expire every two minutes, Hypponen says.
"If you refresh these sites, the domain name points to a different IP address every two minutes," he explains. "And then if you look at the IP addresses, you'll see that they are in places like Japan, Portugal, Brazil, Canada and elsewhere."
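The rapid IP rotation Hypponen describes can be spotted from a defender's own resolver logs. The following is an added example, not code from the article or from F-Secure; it assumes a hypothetical log format of one "time domain ip" triple per line and uses constructed sample lines with placeholder domain names.

```python
"""Spot domains whose resolved IP rotates every few minutes in resolver logs."""
from collections import defaultdict
from datetime import datetime

# Constructed sample lines, not real data. Assumed format per line:
# "<ISO-8601 time> <queried domain> <IP returned>". Names are placeholders.
SAMPLE_LOG = """\
2004-08-01T10:00:00 shop.example.invalid 203.0.113.5
2004-08-01T10:02:01 shop.example.invalid 198.51.100.9
2004-08-01T10:04:03 shop.example.invalid 192.0.2.77
2004-08-01T10:06:02 shop.example.invalid 203.0.113.41
2004-08-01T10:00:30 www.example.net 192.0.2.10
2004-08-01T10:30:00 www.example.net 192.0.2.10
2004-08-01T11:00:00 www.example.net 192.0.2.11
"""

def parse_log(text):
    """Group observations as {domain: [(timestamp, ip), ...]} in time order."""
    seen = defaultdict(list)
    for line in text.splitlines():
        ts, domain, ip = line.split()
        seen[domain].append((datetime.fromisoformat(ts), ip))
    for entries in seen.values():
        entries.sort()
    return seen

def rotation_stats(entries):
    """Return (number of IP changes, shortest gap in seconds between
    consecutive observations across which the IP changed)."""
    changes, min_gap = 0, None
    prev_ts, prev_ip = entries[0]
    for ts, ip in entries[1:]:
        if ip != prev_ip:
            changes += 1
            gap = (ts - prev_ts).total_seconds()
            min_gap = gap if min_gap is None else min(min_gap, gap)
        prev_ts, prev_ip = ts, ip
    return changes, min_gap

def flag_fast_rotation(log_text, min_changes=3, max_gap_seconds=300):
    """List domains that changed IP at least min_changes times with at
    least one change observed within max_gap_seconds of the prior lookup."""
    flagged = []
    for domain, entries in parse_log(log_text).items():
        changes, min_gap = rotation_stats(entries)
        if changes >= min_changes and min_gap is not None \
                and min_gap <= max_gap_seconds:
            flagged.append(domain)
    return sorted(flagged)
```

Legitimate round-robin or CDN names also change IPs, so the flagged list is a triage queue to check against the geographic spread and record TTLs Hypponen mentions, not a verdict.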
Hackers and malicious-code writers are increasingly automating the Internet shell game that keeps many of them one step ahead of law enforcement. The Kuwaiti hacker group Q8See is a case in point.
On March 8, a Russian source reported to F-Secure analysts the existence of a Trojan horse created by Q8See called Slacke. But what made Slacke unique was the extraordinary lengths to which its authors went to hide their tracks and the mystery that remains about the group's intent.
First, the worm downloaded code from a Web site hosted in São Tomé and Príncipe, a small island nation located off the Atlantic coast of Africa. Analysis by F-Secure, however, showed that the domain rights for the Web site had been sold to a company in Sweden. But registration information listed the company name as JordanChat and the location as Irbid, Jordan. The contact name was TeR0r.
As thousands of infected computers downloaded the malicious code from the Web server in São Tomé and Príncipe, they were then linked to an Internet Relay Chat system operated by CNN in Atlanta.
Once logged into CNN's IRC server, the systems connected to an IRC channel in Mexico called Noticias. And when Hypponen and his analysts studied the channel, they were astonished at what they saw.
"There were 20,000 clients just sitting on the channel doing nothing. They looked like people, but they were bots," he says, referring to programs that perform repetitive, automated functions.
The bots, however, weren't alone. According to Hypponen, three Kuwaiti users, presumably members of Q8See, were sitting on the channel and sending commands to the bots to scan various ranges of IP addresses. And while CNN eventually shut down the chat server, nobody knows for sure what the hackers were doing.
"We may never know," says Hypponen. "Whether or not this is traditional organized crime doesn't matter -- because they are organized, and what they are doing is criminal."
Signs of the Underground Economy
- A massive underground community is engaging in online theft.
- Windows machines are infected with viruses, then turned into proxies, Web servers or attack networks.
- Lists of such servers are being sold and bought online.
- Credit card databases are being sold and bought.
- EBay, PayPal and E-gold accounts are being sold and bought.
- Hacked servers are being sold and bought.
- Distributed denial-of-service attack networks are being sold and bought.