Digital Fingerprints

Crimeware: Furthering the Criminal Enterprise

Date: November 1, 2008
Malware -- malicious software -- has been around for years. From the (c)Brain virus in 1986 -- the first to infect the IBM PC -- to the Sasser worm in 2004, scores of viruses and worms have plagued computers. With the Internet's emergence, malware made headlines: VBS/Loveletter (I Love You), the Sapphire worm (SQL Slammer), and the list goes on. Since then we've seen a progressive shift away from the financially neutral, wide-scale attacks of the early 2000s, which disrupted commerce but didn't rob funds, toward attacks designed to defraud. Malware has morphed into crimeware. 
 
Crimeware shares most of malware's characteristics, but studies have shown that cybercriminals now produce and modify more variants of crimeware than of "financially neutral" malware.1 
 
BOT-INFECTED COMPUTERS 
Cybercriminals link infected computers -- "bots," short for malicious software robots -- into botnets that host crimeware and the information garnered from illicit activities. The fraudsters can then remotely control the infected systems and direct the bots over covert communication channels using a "command and control" infrastructure. 
 
Fraudsters use botnets to perpetrate criminal activity such as spamming, phishing, hosting forged Web sites, distributing malware, collecting sensitive information, and launching "denial of service" attacks, among others. Perpetrators also rent botnets to others so they can conduct the same forms of illegal activity. Botnet activity costs victims lost information, employee time, and legal expenses. 
 
EVOLUTION OF CRIMEWARE 
If the Storm worm of 2007 is any indication, crimeware will only become more complex. First detected in January 2007, Storm was one of the most prevalent threats of last year. The perpetrators distributed it via spam e-mail: the victim clicked a link and landed on a malicious site, which tried to install the bot software automatically and, if that failed, tricked the user into installing it. Once the malware was installed, the fraudsters controlled the infected system over a peer-to-peer network in which bots receive their instructions from other bots. In such a botnet there is no fixed command-and-control server to locate: the host names the victims are pointed at constantly change the addresses they resolve to, and the infected systems take turns relaying commands to each other. This makes the botnet nearly impossible to dismantle, because there is no single command-and-control point to shut down; if one system is taken down, another takes its place. 
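The hiding technique described above -- host names that keep resolving to a fresh set of infected machines -- leaves a trace in resolver logs that a defender can score. The following is an added example, not code from the article: a small Python heuristic run over a constructed resolver log. The log format, the thresholds, and the use of /24 prefixes as a cheap stand-in for an ASN lookup are all assumptions made for this example. It flags a domain when successive lookups return many distinct addresses spread across several networks with short TTLs and the answer set keeps changing.

```python
"""Fast-flux heuristic over a constructed DNS-resolver log.

Added example, not code from the article. The log format is assumed:
"<epoch> <qname> A <ip> ttl=<seconds>", one line per answer record.
"""
import re
from collections import defaultdict

# Constructed sample data: a fluxing spam-link host name that answers with a
# fresh set of addresses spread over several networks on every lookup, and a
# normal corporate host that always resolves to the same address.
SAMPLE_LOG = """\
1190000000 pharma-deals.example A 203.0.113.10 ttl=180
1190000000 pharma-deals.example A 198.51.100.23 ttl=180
1190000000 pharma-deals.example A 192.0.2.77 ttl=180
1190000300 pharma-deals.example A 203.0.113.99 ttl=180
1190000300 pharma-deals.example A 198.51.100.5 ttl=180
1190000300 pharma-deals.example A 192.0.2.140 ttl=180
1190000600 pharma-deals.example A 203.0.113.42 ttl=180
1190000600 pharma-deals.example A 198.51.100.200 ttl=180
1190000600 pharma-deals.example A 192.0.2.8 ttl=180
1190000000 www.corp.example A 203.0.113.1 ttl=86400
1190000300 www.corp.example A 203.0.113.1 ttl=86400
1190000600 www.corp.example A 203.0.113.1 ttl=86400
"""

LINE_RE = re.compile(r"^(\d+)\s+(\S+)\s+A\s+(\d{1,3}(?:\.\d{1,3}){3})\s+ttl=(\d+)$")


def parse_log(text):
    """Group answer records by query name: {qname: [(ts, ip, ttl), ...]}.

    Lines that do not match the assumed format are skipped rather than
    raising, so a noisy resolver log does not abort the whole scan.
    """
    by_name = defaultdict(list)
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts, name, ip, ttl = m.groups()
            by_name[name.lower()].append((int(ts), ip, int(ttl)))
    return dict(by_name)


def slash24(ip):
    """Crude stand-in for an ASN lookup (assumption): the /24 the address sits in."""
    return ".".join(ip.split(".")[:3])


def flux_features(records):
    """Per-domain features: address diversity, lowest TTL, and answer-set churn."""
    ips = {ip for _, ip, _ in records}
    nets = {slash24(ip) for ip in ips}
    ttls = [ttl for _, _, ttl in records]
    answers_by_lookup = defaultdict(set)
    for ts, ip, _ in records:
        answers_by_lookup[ts].add(ip)
    answer_sets = [frozenset(s) for s in answers_by_lookup.values()]
    # Distinct answer sets over number of lookups: 1.0 means every lookup
    # returned a set of addresses not seen in any other lookup.
    churn = len(set(answer_sets)) / len(answer_sets)
    return {
        "distinct_ips": len(ips),
        "distinct_nets": len(nets),
        "min_ttl": min(ttls),
        "answer_churn": churn,
    }


def is_fast_flux(records, min_ips=5, min_nets=3, max_ttl=600, min_churn=0.66):
    """Thresholds are assumptions for this example; tune them to your data."""
    f = flux_features(records)
    return (
        f["distinct_ips"] >= min_ips
        and f["distinct_nets"] >= min_nets
        and f["min_ttl"] <= max_ttl
        and f["answer_churn"] >= min_churn
    )


def flag_domains(text, **thresholds):
    """Return the sorted list of query names the heuristic flags."""
    return sorted(
        name for name, recs in parse_log(text).items()
        if is_fast_flux(recs, **thresholds)
    )


if __name__ == "__main__":
    for name, recs in parse_log(SAMPLE_LOG).items():
        print(name, flux_features(recs), "FLUX" if is_fast_flux(recs) else "ok")
```

To run it on real data, replace SAMPLE_LOG with your resolver's answer records. A content-delivery network can also show high address diversity and short TTLs, so treat the flag as a triage signal to correlate with the spam link the e-mail carried, not as proof of fast flux on its own.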
 
Organized crime groups are developing and exploiting crimeware to make money through identity theft, data leaks, and theft of personally identifiable information and intellectual property. These cybercrime syndicates might not have the skills to commit online fraud themselves, but they have the funds to commission crimeware to suit their criminal purposes. Organized crime groups possibly write or sponsor the development of 75 percent to 80 percent -- some estimate 90 percent -- of all malicious software, because the profit margins are high and the criminal sanctions (if any) are far lighter than for real-world crimes. Cybercrime activities can also fund real-world crime. 
 
Cybercriminals are now using development methodologies similar to those used in legitimate businesses around the globe. They also use "contractors" to develop portions of malicious software or enhance programs that the cybercriminals sell to other fraudsters. 
 
CRIMEWARE TRENDS  
Access to Information 
Using a variety of techniques, cybercriminals attempt to gain access to sensitive information for their own use or to re-sell to the highest bidder. For example, a cybercriminal could surreptitiously collect employees' e-mail addresses from a corporate Web site, plus the address of the IT manager from a business networking site. The fraudster then sends out a bogus e-mail, supposedly from that IT manager, with instructions to download what appears to be the latest patch for the corporate Web site. What the victims actually download is a password-stealing Trojan from a malicious Web site. The perpetrator can now harvest sensitive information from corporate e-mail and other sources on the compromised computers. 
 
Recently, a security research center uncovered 500 MB of encrypted data on a crimeware server that contained health-care information, Social Security numbers, and passwords to access an airline's computer system, among others.2 Cybercriminals collected this information on their servers with Trojan software and keystroke loggers. Fraudsters install these unobtrusive loggers on users' computers and wait for information to accumulate. The captured data is then stored in repositories so that the cybercriminals can later use or sell it. 
 
Web-based Delivery 
The Web has become the most common method of crimeware delivery. Cybercriminals can install crimeware on thousands of computers simply by infecting a legitimate Web site or by tricking users into visiting a malicious one. This attack method gives cybercriminals direct access to a larger number of potential victims than more traditional methods such as e-mail. The MPack compromises of mid-2007 are a textbook example: users visited apparently legitimate Web sites and were served malware when they accessed them. 
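One way such compromises of legitimate sites were carried out was to inject a small, invisible IFrame into an otherwise unchanged page, so that every visitor's browser silently fetched the exploit from the criminals' server; that mechanism is an assumption added here, not something the article describes. The following is an added example, not code from the article or from any production scanner: a Python check that parses a constructed page and reports any IFrame that points off-site, is sized to (near) zero pixels, or is hidden with CSS. The host names and paths in the sample page are made up.

```python
"""Scan a page for the injected hidden-IFrame pattern used in exploit-kit
compromises of legitimate sites.

Added example, not code from the article. The page below is constructed;
the site host, the off-site address and the paths are made up.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed: the host the page is legitimately served from.
SITE_HOST = "corp.example"

# Constructed: a legitimate page with one on-site widget frame and one
# injected, invisible frame pointing at an off-site address.
CONSTRUCTED_PAGE = """\
<html><body>
<h1>Quarterly results</h1>
<iframe src="/widgets/ticker.html" width="300" height="120"></iframe>
<p>Welcome to our investor site.</p>
<iframe src="http://203.0.113.5/stat.php" width="1" height="1"
        style="visibility: hidden"></iframe>
</body></html>
"""


class IframeCollector(HTMLParser):
    """Collect the attributes of every <iframe> start tag on the page."""

    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "iframe":
            self.iframes.append({k.lower(): (v or "") for k, v in attrs})


def _near_zero(dimension):
    """True for width/height values such as "0", "1" or "1px"."""
    digits = "".join(ch for ch in dimension if ch.isdigit())
    return digits != "" and int(digits) <= 1


def _hidden_by_style(style):
    """True when the inline style makes the frame invisible."""
    compact = style.replace(" ", "").lower()
    return "display:none" in compact or "visibility:hidden" in compact


def suspicious_iframes(html, site_host):
    """Return [(src, [reasons...])] for frames that look injected.

    A frame is reported if it is off-site, sized to (near) zero pixels, or
    hidden with CSS; the reasons are listed so an analyst can triage.
    """
    collector = IframeCollector()
    collector.feed(html)
    site_host = site_host.lower()
    findings = []
    for attrs in collector.iframes:
        src = attrs.get("src", "")
        # A relative src stays on the site; an absolute one names its host.
        host = (urlparse(src).hostname or site_host).lower()
        reasons = []
        if host != site_host and not host.endswith("." + site_host):
            reasons.append("off-site src")
        if _near_zero(attrs.get("width", "")) or _near_zero(attrs.get("height", "")):
            reasons.append("near-zero size")
        if _hidden_by_style(attrs.get("style", "")):
            reasons.append("hidden by style")
        if reasons:
            findings.append((src, reasons))
    return findings


if __name__ == "__main__":
    for src, reasons in suspicious_iframes(CONSTRUCTED_PAGE, SITE_HOST):
        print(f"suspicious iframe {src!r}: {', '.join(reasons)}")
```

Point it at the HTML your own Web server actually returns (fetched the way a visitor would, not read from the source repository), since the injected content lives in the deployed files. An off-site frame alone is normal for embedded video or advertising, so the combination of reasons is what merits a closer look.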
 
Cybercriminals have also abused social networks to spread crimeware, inviting a member to visit what appears to be another member's profile but is actually a malicious Web page whose content is hosted outside the network. Cybercriminals also create bogus applications containing crimeware that social networkers download onto their computers. 
 
TACKLING THE PROBLEM 
In addition to the financial costs, crimeware has severely affected users' trust in online commerce, destroying hard-won confidence. 
 
In the next column, we'll take a closer look at managing the crisis surrounding data breaches and offer tips for fraud examiners. 
 
Jean-Francois Legault, CISSP, CISA, CISM, GCIH, GCFA, is a senior manager with Deloitte's Forensic & Dispute Services practice in Montreal, Canada.   
 
1 "McAfee Virtual Criminology Report: Organized Crime and the Internet." December 2006.
2 http://blogs.znet.com/security/?p=1287 Retrieved June 25, 2008

The Association of Certified Fraud Examiners assumes sole copyright of any article published on www.Fraud-Magazine.com or ACFE.com. Permission of the publisher is required before an article can be copied or reproduced. 
