By Ryan Naraine
April 10, 2006
Ken Dunham, you could say, spends his life peeking at the bowels of
As director of the Rapid Response Team at VeriSign-owned iDefense, of
Dulles, Va., Dunham and his team of malware hunters infiltrate black
hat hacker forums, chat rooms and newsgroups, posing as online
criminals to gather intelligence on the dramatic rise in rootkits,
Trojans and botnets.
Based on all the evidence gathered over the last two years, Dunham is
convinced that groups of well-organized mobsters have taken control of
a global billion-dollar crime network powered by skillful hackers and
money mules targeting known software security weaknesses.
"There's a well-developed criminal underground market that's connected
to the mafia in Russia and Web gangs and loosely affiliated mob groups
around the world. They're all involved in this explosion of phishing
and online crime activity," Dunham said in an interview with eWEEK.
Just two years after the Secret Service claimed a major success with
"Operation Firewall," an undercover investigation that led to the
arrest of 28 suspects accused of identity theft, computer fraud,
credit card fraud and money laundering, security researchers say the
mobsters are back, with a level of sophistication and brazenness that
is "frightening and surreal."
"They never really went away," Dunham said. "They scurried away for a
few months and tightened their security controls. It became harder to
get on their lists and into their chat rooms."
Not these days. A law enforcement official familiar with several
ongoing investigations showed eWEEK screenshots of active Web sites
hawking credit card numbers, Social Security numbers, PayPal and eBay
credentials, and bank login data by the bulk.
"They're very public about all this, especially on the Russian sites.
It's almost comical how open and barefaced they are," said the
official, who requested anonymity because of the sensitive nature of
the ongoing probe.
Black hat hackers have set up e-commerce sites offering private
exploits capable of evading anti-virus scanners. An e-mail
advertisement intercepted by researchers contained an offer to infect
computers for use in botnets at $25 per 10,000 hijacked PCs.
Skilled hackers in Eastern Europe, Asia and Latin America are selling
zero-day exploits on Internet forums where moderators even test the
validity of the code against anti-virus software.
"I saw one case where an undetectable Trojan was offered for sale and
the buyers were debating whether it was worth the price. They were
doing competitive testing to ensure it actually worked as advertised,"
said Jim Melnick, a member of Dunham's team.
"We even have proof of actual job listings on Russian-language sites
offering lucrative pay for coders who can create exploits and launch
denial-of-service attacks. We've seen evidence of skilled hackers
stealing corporate data on behalf of competitors. This isn't just
about credit card and bank information. It has all the elements on
traditional mafia-type crime," Melnick said.
Roger Thompson, a computer security pioneer who created the first
Australian anti-virus company in the late 1980s, is convinced the
secretive Russian mafia is masterminding the use of sophisticated
rootkits in botnet-seeding Trojans.
"They are paying to recruit bright young hackers and using teenage
kids around the world to move money around. They're into everything:
spyware installations, denial-of-service shakedowns, you name it. It's
the traditional mafia finding it easy to make money on the Internet,"
said Thompson, who now runs Exploit Prevention Labs, in Atlanta.
Yury Mashevsky, a virus analyst at Kaspersky Lab, said there is even
evidence of turf wars in the criminal underworld. "They use malicious
programs that destroy the software developed by rival groups and
include threats directed at each other, anti-virus vendors, police and
law enforcement agencies in their creations," Mashevsky said, in
He has also seen fierce online confrontation in the battle to control
the resources of infected computers. In November 2005, Mashevsky
discovered an attempt to hijack a botnet. "[The] network of infected
computers changed hands three times in one day. Criminals have
realized that it is much simpler to obtain already-infected resources
than to maintain their own botnets, or to spend money on buying parts
of botnets which are already in use," he said.
On message boards and newsgroups where malicious code is put up for
sale, Mashevsky said flame wars and attacks against each other to
steal virtual property amounts to normal everyday activity.
Dunham, who frequently briefs upper levels of federal cyber-security
authorities on emerging threats, said there have been cases in Russia
where mafia-style physical torture has been used to recruit hackers.
"If you become a known hacker and you start to cut into their profits,
they'll come to your house, take you away and beat you to a pulp until
you back off or join them. There have been documented cases of this,"
One key aspect of Web mob activity that flies under the radar is use
of "money mules," or individuals who help to launder and transfer
money from hijacked online bank accounts.
On career Web sites such as Monster.com, a job listing for a "private
financial receiver," "shipping manager," or "country representative"
invariable is an active attempt to recruit people around the world to
withdraw funds and deliver it to crime bosses, according to a detailed
research report by iDefense on the so-called money mules.
Money is transferred into the mule's account, withdrawn as cash and
then wired to an offshore account.
"We've only scratched the surface of what's going on in the
underworld. It's like the iceberg that took down the Titanic. No one
knew how big and dangerous it was," Dunham said.
He cited the recent discovery of MetaFisher, also known as SpyAgent, a
Trojan connected to a Web-based command and control interface that
highlighted just how advanced the attackers have become.
"In just a few weeks, MetaFisher spread to thousands of computers. We
found conclusively that these attacks were going on undetected for
more than a year. Can you imagine the amount of data that has already
been stolen? It's unimaginable," Dunham said.
Eric Sites, vice president of R&D Sunbelt Software, in Clearwater,
Fla., showed eWEEK screenshots of the Web interface that showed
specific targeted phishing attacks against European banks and keeps
detailed statistics on actual bot infections around the world.
The interface also can be used to add exploits, keep track of
anti-virus signature definitions and keep track of callback from
"This isn't the work of the guy in the basement. This is organized and
simplified to make it super easy to control all those bot drones,"
LayerOne 2006 : Pasadena Hilton : Pasadena, CA
Infomation Security and Technology Conference