Researchers Shed Light on Shadowy Russian Botnets
Kaspersky Lab analysts identified new links between different families of malicious code that initially appeared to have nothing in common. They also reached the conclusion that the Russian-speaking cyber-criminal community is now using a standard package that consists of two Trojans and a botnet they control.
12/06/07 9:12 AM PT
An investigation into the latest version of "gpicode.ai" -- a Trojan horse carrier of malware that encrypts recipients' data -- put security researchers on to a trail of clues that provides new insights into the ongoing evolution of spam-driven malware and its use by botnet operators based in Russia.
Prompted by outbreaks of virus incidents -- including the fast-spreading Storm Worm -- Kaspersky Lab researchers undertook an investigation on major outbreaks and malware trends, compiling their findings in their third-quarter report, "Malicious Code Evolution: July-September 2007".
"Researching one incident led us to other incidents which were just starting to unfold; to an outside observer, these events appeared to have no connection with each other," the report says.
The resulting report provides "an inside look a the evolution of today's hackers from flashy, ego-driven attacks to smooth, quiet and very dangerous business endeavors," according to spokesperson Emily Bain.
In addition, the report provides "a rare insight into the world of Russian-speaking cyber-criminals and how they interact with one another," Bain told TechNewsWorld.
Spam-Malware Code Standardization
Their investigation brought to light a number of interesting factors regarding the manner that botnet operators in Russia are standardizing recent advances they have made in using spam-driven malware, banner ads and Web sites to grow their operations.
"It became clear that there was 'universal' code used in a range of malicious programs with differing functions," according to Kaspersky Lab researchers.
The analysts also identified new links between different families of malicious code that initially appeared to have nothing in common. They also reached the conclusion that the Russian-speaking cyber-criminal community is now using a standard package that consists of two Trojans and a botnet they control.
A growing range of new spam malware botnet threats "that for the most part are emerging as a concentrated flow of uniform Trojan programs," arose during this year's third quarter, according to Kaspersky's report.
"The lack of originality and the scale of activity points to a greater professionalism among cyber-criminals -- attracting the attention of the press or law enforcement agencies is no longer the primary focus of cyber-criminals," the report says.
A Botnet Hydra
The emergence of the latest Trojan "blackmailer" and the simultaneous installation of multiple botnets on Web sites were among this year's third-quarter malware "highlights." The Storm botnet also sparked attention to this increase in activity as the number of computers now estimated to be infected exceeds 2 million, according to Kaspersky Lab.
Researchers also noted the appearance of a Trojan-delivered spyware program designed to steal confidential data from recipients' whose PCs include Russian software for accessing the Moscow Stock Exchange's online systems platform.
From the Kaspersky Lab report and other findings by other IT security specialists conducting research in the area, "it can be deduced that malware 'Lincoln Logs' have become a commodity in the criminal underground," ESET Director of Technical Education Randy Abrams told TechNewsWorld.
"Just as logic chips can be plugged into a variety of electronic devices, logic building blocks can be plugged into a lot of malicious software. Intel makes money off of their motherboards, but they also make money by selling the same chipsets to other manufacturers of motherboards. The organized element is clearly making money off of exploiting computers, but then they are selling their work to make money off of the code that they have already written," he said.
Kaspersky Lab's findings should make it easier for security researchers to create heuristic or more traditional signature detection algorithms to detect and help prevent these threats, according to Abrams.
"Another implication is that these threats will become much more widespread as more criminals use the components to attack users. The threats will also become more diverse as they will be customized. Still the core logic may well provide a more constant angle of counter attack for security vendors with strong heuristic approaches," Abrams maintained.
As IT security specialists and businesses are increasingly challenged to devise methods and to combat the growth, there appears to be little hope of any action through government and international agreements on the legal front.
"What have the Storm creators done to violate the laws of Russia or China or wherever they are operating?" asked Andrew Klein, senior marketing manager at SonicWall. "We apply our rules and say if they were in the U.S., we could arrest them, but they are not. Is it illegal to create a virus or distribute a virus in Russia for example?
"What about creating and selling guns in the U.S.? Or does the person have to use the virus for 'bad' purposes ? What evidence is needed to define bad -- is it stolen information such as credit card numbers, etc.? I will bet that the creators of Storm do not collect the single piece of information; I believe they have created the 'gun' and have sold it others so that they can fire it at whoever they wish," he added.
The scant likelihood of concerted legal or enforcement actions and the growing threat of spam-malware driven by botnet operators "flying under the radar [only] reinforces the need for quality defense in depth," according to Abrams.