The lurking Trojan and the password-hungry keylogger are only the tip of the iceberg.
As in today’s globalized legitimate economy, malware’s ability to spread and make money for its dastardly creators rests upon a wide array of underhanded support services. At the RSA conference in San Francisco today, researchers who have dug deep into the criminal online infrastructure described some of those services.
Lawrence Baldwin of myNetWatchman.com described an “Xsox” botnet of malware-infected PCs that provides an anonymization network for criminals who want to hide their tracks – or make it look as if a bank login is coming from Alabama, say, instead of somewhere like the Ukraine.
The simple GUI that Baldwin displayed lets a bad guy see all the currently available Xsox-infected computers, with each one’s IP address, country, uptime and other information readily displayed. Simply clicking on one establishes an encrypted connection to that PC and puts it to use as an “exit node,” Baldwin said, so that any connection to a bank site or anywhere else appears to come from that exit node instead of from the crook’s computer.
This service-providing botnet has been around for about 3 years, Baldwin said. He estimates it’s used to withdraw between $2 and $5 million from banks per day, and says that the ISP that hosts the botnet has never received a complaint in 3 years.
Another black-market offering provides malware-installation services for those would-be crooks who lack the skills or the inclination to infect computers themselves. One example service charges $130 for 1000 malware installations in the US, $60 for the same number of infections in Italy, and only $5 for anywhere in Asia.
And then there’s the money laundering. Yet another online service will connect a thief who has stolen credit card info with a willing mule. The thief need only use that mule’s address and name to send him or her a laptop bought online, for example. The service then takes care of reselling that laptop and delivering a 30 to 50 percent cut of the proceeds to the thief, Baldwin says.
Splashy malware like the Conficker worm might draw the headlines, but it’s these kinds of support services that really allow online crime to thrive. As long as they’re around, malware will be too.