[SecurityRatty] tag: copies

Will Code Malware for Financial Incentives

Tue, 18 Nov 2008 10:57:55 +0000

A couple of hundred dollars can indeed get you state of the art undetectable piece of malware with post-purchase service in the form of automatic lower detection rate for sure, but what happens when the vendors of such releases start vertically integrating just like everyone else, and start offering OS-independent spamming, flooding, modifications and tweaking of popular crimeware kits in the very same fashion? The quality assurance process gets centralized into the hands of experienced programmers that have been developing cybercrime facilitating tools for years.

It's interesting to monitor the pricing schemes that they implement. For instance, the modularity of a particular malware, that is the additional functions that a buyer may want or not want, increase or decrease the price respectively. Others, tend to leave the price open topic by only mentioning the starting price for their services and they increasing it again in open topic fashion.

Let's take look at some recently advertised (translated) "malware coding for hire" propositions, highlighting some of the latest developments in their pricing strategies :

Proposition 1 :
"Programs and scripts under the following categories are accepted :
grabbers; spamming tools for forums, spamming tools for social networking sites, modifications of admin panels for (popular crimeware kits), phishing pages

Platform: software running on MAC OS to Windows
Multitasking: have the capacity to work on multiple projects
Speed and responsibility: at the highest level
Pre-payment for new customers: 50% of the whole price, 30% pre-pay of the whole price for repreated customers
Support: Paid
Rates: starting from 100 euros

If, after speaking ultimate price, you decide to add to your order something else - the price change. Prepare the job immediately, which will understand what to do and how much it will cost you, if you have any suggestions for a price, then lays them immediately and not after the work is completed. If you order something that requires parsing your logs, and their continued use, you agree to provide "a significant portion of the logs, so that after putting the project did not raise misunderstandings due to the fact that some logs are no longer "fresh", because of their "uniqueness". In this case, for the finalization of the project will be charged an additional fee."

This is an example of an "open topic pricing scheme" with the vendor offering the possibility to code the malware or the tool for any price above 100 euro based on what he perceives as features included within worth the price.

Proposition 2:
"Starting price for my malware is 250 EUR. Additional modules like P2P features, source code for a particular module go for an additional 50 EUR. If you're paying in another currency the price is 200 GBP or 395 dollars. I sell only ten copies of the builder so hurry up. The trading process is simple - a password protected file with the malware is sent to you so you can see the files inside. You then sent the money and I mail you back the password. If you don't like this way you lose.

I can also offer you another deal, I will share the complete source code in exchange to access to a botnet with at least 4000 infected hosts because I don't have time to play around with me bot right now.

This proposition is particularly interesting because the seller is introducing basic understanding of exchange rates, but most of all because he's in fact offering a direct bargain in the form of access to a botnet in exchange for a complete source code of his malware bot. Both propositions are also great examples that vendors engage by keeping their current and potential customers up-to-date with TODO lists of features to come next to the usual CHANGELOGS, and, of course, establish trust by allowing potential customers to take a peek at the source code of the malware they're about to purchase.

Related posts:
Coding Spyware and Malware for Hire
The Underground Economy's Supply of Goods and Services
The Dynamics of the Malware Industry - Proprietary Malware Tools
Using Market Forces to Disrupt Botnets
Multiple Firewalls Bypassing Verification on Demand
Managed Spamming Appliances - The Future of Spam
Localizing Cybercrime - Cultural Diversity on Demand
E-crime and Socioeconomic Factors
Russia's FSB vs Cybercrime
Malware as a Web Service
Localizing Open Source Malware
Quality and Assurance in Malware Attacks
Benchmarking and Optimising Malware

Storage, security raises issues for telepresence

Thu, 13 Nov 2008 02:00:00 +0000

If high-quality copies of corporate meetings can be easily recorded, both vendors and users will have to determine how best to safeguard such information.

How can we co-operate to tackle phishing?

Mon, 27 Oct 2008 09:47:06 +0000

Richard Clayton and I recently presented evidence of the adverse impact of take-down companies not sharing phishing feeds. Many phishing websites are missed by the take-down company which has the contract for removal; unsurprisingly, these websites are not removed very fast. Consequently, more consumers’ identities are stolen.

In the paper, we propose a simple solution: take-down companies should share their raw, unverified feeds of phishing URLs with their competitors. Each company can examine the raw feed, pick out the websites impersonating their clients, and focus on removing these sites.

Since we presented our findings to the Anti-Phishing Working Group eCrime Researchers Summit, we have received considerable feedback from take-down companies. Take-down companies attending the APWG meeting understood that sharing would help speed up response times, but expressed reservations at sharing their feeds unless they were duly compensated. Eric Olsen of Cyveillance (another company offering take-down services) has written a comprehensive rebuttal of our recommendations. He argues that competition between take-down companies drives investment in efforts to detect more websites. Mandated sharing of phishing URL feeds, in his view, would undermine these detection efforts and cause take-down companies such as Cyveillance to exit the business.

I do have some sympathy for the objections raised by the take-down companies. As we state in the paper, free-riding (where one company relies on another to invest in detection so they don’t have to) is a concern for any sharing regime. Academic research studying other areas of information security (e.g., here and here), however, has shown that free-riding is unlikely to be so rampant as to drive all the best take-down companies out of offering service, as Mr. Olsen suggests.

While we can quibble over the extent of the threat from free free-riding, it should not detract from the conclusions we draw over the need for greater sharing. In our view, it would be unwise and irresponsible to accept the current status quo of keeping phishing URL feeds completely private. After all, competition without sharing has approximately doubled the lifetimes of phishing websites! The solution, then, is to devise a sharing mechanism that gives take-down companies the incentive to keep detecting more phishing URLs.

Here is our stab at devising a suitable sharing mechanism. We propose the creation of a members-only sharing club with compensation for net contributors paid for by net receivers. Take-down companies submit real-time copies of their entire feeds to a trusted third party (for the sake of argument, let’s assume that the APWG takes on this role). The APWG collates the individual feeds, marks the source of each submission (i.e., which take-down company) along with a timestamp. The APWG makes the amalgamated feed available immediately to all members. The members pick out phishing URLs impersonating their own clients, while ignoring the rest. Crucially, the expensive task of verifying phishing URLs and initiating take-down continues to be performed by the take-down company.

Periodically, the combined feed is audited to determine the reciprocity of contributions. Take-down companies provide a list of their clients to the auditor. The auditor then computes the number of phishing websites impersonating each take-down company’s clients that are missed by the takedown company but identified by others. The auditor also tallies the time difference for phishing websites that are identified by others first.

For example, suppose bank A1 has hired take-down company A to remove phishing sites on its behalf, and bank B1 has hired take-down company B. Suppose 500 phishing sites impersonate A1, and that A identifies 400 while B identifies an additional 100 sites missed by A. Likewise, suppose another 500 phishing sites impersonate bank B1, and that B identifies 300 while A identifies an additional 200 sites missed by B. B has received a net of 100 useful phishing sites more from A than B has given to A. Consequently, B should pay A a previously-agreed ‘finder’s fee’ for identifying these extra 100 websites.

The ‘finder’s fee’ provides additional incentive for take-down companies to invest in better phishing website detection. Designed properly, such a sharing club can overcome the potential for free-riding that companies such as Cyveillance fret about, while increasing sharing to shorten phishing website lifetimes.

Some subtleties must be mentioned, however. If the finder’s fee is big enough, some companies may be tempted to cheat to minimize their payout. For instance, underperforming take-down companies could claim to have independently discovered missing data from their feed shortly after collecting it from the shared feed. This can be mitigated by adding a credible threat of detection — inserting a few dubious fake phishing URLs that only appear in the shared feed. If the company claims to have ‘independently’ rediscovered these URLs, then they will be caught cheating. Another issue is that the auditing system does incur some overhead, which could be avoided if sharing was made unconditional.

To sum up, we recognize that many take-down companies will be reticent to share. However, we feel that sharing is too important to the goal of tackling phishing to brush aside because of a few inevitable complications. For the good of protecting consumers, the anti-phishing industry should learn to co-operate!

Veterans' benefits applications slated for VA shredder

Fri, 17 Oct 2008 20:00:00 +0000

The U.S. Department of Veterans Affairs' undersecretary for benefits has ordered all VA regional offices to suspend document shredding activities after several original copies of veterans' applications for financial benefits were found among those slated for shredding.

Quality Assurance in Malware Attacks - Part Two

Tue, 14 Oct 2008 03:21:38 +0000

Surprisingly, while opportunistic cybercriminals have long embraced the malware as a service model, and are offering managed lower detection rate services for a customer's malware, or DIY ones where the customer can take advantage of popular tools ported to the Web, others are still trying to innovate at a faddish market niche - multiple offline AV scanners tools aiming to ensure that their malware doesn't end up in the hands of vendors/researchers.

Multiple offline AV scanning tools like this very latest release, naturally using pirated copies of popular antivirus software, are faddish, due to the fact that during the last two years, the underground has been busy working on several paid web based services, that not only make sure vendors and researchers never get the chance to obtain the samples, but also, are already offering scheduled scanning of malware and automatic ICQ/Jabber notifications for QA of the campaign, next to the rest of unique features disintermediating legitimate multiple AV scanning services.

Certain features within such services clearly speak for the intentions of the people behind the service. For instance, among one of these features is the ability to fetch a binary from a set of given dropper URLs like malwaredomain.com/binary.exe, the result of the scan can then alert the malware campaigner about the current state of detection.

What's on these proprietary multiple AV scanning service's to-do list? Let's say anything that a legitimate multiple AV scanning service would never offer, like the following according to one of the services in question :

- DIY heuristic scanning level settings for each of the software in place
- upcoming sets of anti spyware and personal firewalls with detailed statistics of the sandboxing
- behavior-based detection results

The possibilities for integrating such proprietary multi AV scanning services within the QA process of a malware campaign are countless, and both, the customers and the sellers seem to have realized the potential of this ecosystem.

Identity-Based Encryption and Beyond

Wed, 08 Oct 2008 00:42:07 +0000

In June 2008, the US National Institute for Standards and Technology (NIST) held a workshop entitled, "Applications of Pairing Based Cryptography: Identity-Based Encryption and Beyond," in Gaithersburg, Maryland. In a series of 14 talks and two panel discussions, the presenters at this workshop discussed several aspects of identity-based encryption (IBE) and related pairing-based public-key schemes, including the history of the technology, applications for which it is well suited, and potential future developments. Copies of the presentations are now available on the workshop's Web site (www.nist.gov/ibe/). Close to 100 people from a wide range of security vendors, government agencies and academic institutions attended the event; this installment of Crypto Corner takes a closer look at all the events.

The Commercialization of Anti Debugging Tactics in Malware

Mon, 29 Sep 2008 12:55:54 +0000

Commoditization or commercialization, Themida or Code Virtualizer, individually crypting or outsourcing to an experienced malware crypting service offering discounts on a volume basis next to detection rates of the crypted binary offered by a trusted online scanner that is NOT distributing the samples to the vendors? These are just some of the questions malware authors often ask themselves, while others distribute pirated copies of Code Virtualizer urging everyone to start taking advantage of commercial anti-reverse engineering tools to make their malware harder to analyze. Once again, just like we've seen before, a legitimate commercial application can come handy in the hands of the wrong people :

"Code Virtualizer will convert your original code (Intel x86 instructions) into Virtual Opcodes that will only be understood by an internal Virtual Machine. Those Virtual Opcodes and the Virtual Machine itself are unique for every protected application, avoiding a general attack over Code Virtualizer. Code Virtualizer can protect your sensitive code areas in any x32 and x64 native PE files (like executable files/EXEs, system services, DLLs , OCXs , ActiveX controls, screen savers and device drivers).

Code Virtualizer can generate multiple types of virtual machines with a different instruction set for each one. This means that a specific block of Intel x86 instructions can be converted into different instruction set for each machine, preventing an attacker from recognizing any generated virtual opcode after the transformation from x86 instructions. The following picture represents how a block of Intel x86 instructions is converted into different kinds of virtual opcodes, which could be emulated by different virtual machines.

When an attacker tries to decompile a block of code that was protected by Code Virtualizer, he will not find the original x86 instructions. Instead, he will find a completely new instruction set which is not recognized by him or any other special decompiler. This will force the attacker to go through the extremely hard work of identifying how each opcode is executed and how the specific virtual machine works for each protected application. Code Virtualizer totally obfuscates the execution of the virtual opcodes and the study of each unique virtual machine in order to prevent someone from studying how the virtual opcodes are executed."

With Cyber-as-a-Service business model becoming increasingly common, the entire quality assurance model in respect to malware is slowly maturing from individual malware crypting propositions, where the seller of the service is basically taking advantage of a diverse set of public/private tools, into DIY web services offering crypting discounts on a volume basis, and perhaps most importantly - improving the customer's experience by letting him take advantage of the inventory of crypting tools and bypassing verification services. Within the tool's inventory are naturally lots of (pirated) commercial anti-reverse engineering tools.

As we've seen before, whenever someone starts commercializing what used to be a self-selving process, others will either follow, or disintermediate their services by persistently releasing crypting tools for free in the wild. At the end of the day, it's all a matter of how serious they're about commercializing this market segment, and taking into consideration that a spamming vendor is offering malware crypting services "in between" the rest of the services in their portfolio, this underground cash cow is yet to prove itself in the long term.

New Book: Schneier on Security

Mon, 15 Sep 2008 03:18:23 +0000

I have a new book coming out: Schneier on Security. It's a collection of my essays, all written from June 2002 to June 2008. They're all on my website, so regular readers won't have missed anything if they don't buy this book. But for those of you who want my essays in one easy-to-read place, or are planning to be shipwrecked on a desert island without Web access and would like to spend your time there pondering the sorts of questions I discuss in my essays, or want to give copies of my essays to friends and relatives as gifts, this book is for you. There are only 90 shopping days before Christmas.

The hardcover book retails for $30, but Amazon is already selling it for $20. If you want a signed copy, e-mail me. I'll send you a signed copy for $30, including U.S. shipping, and $40, including shipping overseas. Yes, Amazon is cheaper -- and you can always find me at a conference and ask me to sign the book.

Rifling through my DEMO notebook

Sun, 14 Sep 2008 20:00:00 +0000

Seen and heard last week at Network World's DEMOfall 08 in San Diego: When RealNetworks took the wraps off new DVD-to-PC copying software, one major selling point was that users now can sleep soundly knowing for the first time that their homemade copies of commercial movies are perfectly legal.

What CAN You Do?

Wed, 03 Sep 2008 08:36:00 +0000

This is NOT a funny post. At all.

Alan is not the only one who got 0wned. I am hearing VERY disturbing rumors from some other people (sorry, can't share them here) - and they are good, paranoid people :-) People who don't have a password of "password." :-)

Now, think.

What can you, personally, do today if you know - or, at least, suspect - that somebody is after you?

Change all passwords? Create paper copies of financial records? Backup everything offline? What else?

Think PERSONAL [CYBER-]SECURITY PLAN.

Maybe it will become a new blog meme... In any case, I AM thinking about it. Today!

And I suggest you do that too.