Trend Micro Report Provides Look Into Russian Malware Black Market

By Brian Prince  |  Posted 2012-11-01

It's a bustling marketplace with enough buyers, sellers and services to rival any retail industry. But it's not your local clothing store; it's the Russian cyber-underground.

For just $30 U.S., an interested party can purchase a one-day denial-of-service (DoS) attack. If the buyer wants the attack to go on for a week, the price jumps to $150 U.S.

"This market has evolved into a very well-organized community of developers, buyers and sellers of crimeware," explained Jon Clay, senior product marketing manager at Trend Micro.

"With the increase in capitalism in Russia," he continued, "they [cyber-criminals] have built up a very profitable economy with many members and people who participate in many ways. You have developers/programmers whose only aim is to create and sell their stuff to the highest bidder. You have individuals or groups who purchase tools to use in conducting cyber-crime. You also have middlemen who simply buy and sell and make a little profit with each transaction."

"But over the years, this underground economy has flourished and become one which seems to work very well, just like legitimate industries," Clay said.

In a new report, Trend Micro outlined a massive market for hacker goods and services, ranging from exploits to dedicated server sales and hosting. Software flaw exploits, the report notes, are typically sold individually or in bundles, though some are also available for rent. The Styx Sploit pack—which targets Java, Adobe Flash Player and Adobe Acrobat—can be rented for $3,000 a month.

"As a rule, bundled exploits are encrypted to avoid malware detection by security software," according to the report. "Bundle developers also try to obfuscate their exploits' source code to prevent victims from noticing them running on Websites."

Furthermore, "each bundle may also be able to obtain statistics (e.g., a mechanism for recording the number of visitors, their OS versions, their browser versions, etc.)," the report noted.

"An exploit's reach is a measure of its efficiency—the ratio of users on whose computers the exploit worked to the total number of users who visited a page in which it was embedded," the report continues. "As such, if 1,000 users visited an exploit-laden page, and the computers of 200 people were successfully infected with a Trojan, that exploit's reach is equal to (200/1,000)," or a 20 percent success rate.

The most popular email domains cyber-criminals hack in Russia are Mail.ru, Yandex.ru and Rambler.ru, the report notes, though the social networks Vkontakte and Odnoklassniki are also popular targets. Tools and services for hacking Gmail, Hotmail and Yahoo Mail are also available but at "premium prices," the report noted.

Offerings for hacking ICQ, Skype, Twitter and Facebook accounts as well as other services are not very popular, but may also be found, the report said.

On a number of forum sites, regular communication and advertising are done by people selling their tools and code, Clay told eWEEK.

"Due to the amount of opportunity for monetizing crimeware, I don't believe there is a huge amount of competition," he said. "Prices certainly fall, but mainly this is due to older kits or tools that don't have as much value today as they once did. So you see prices falling," said Clay.

"Supply and demand is very prevalent in this industry, and it follows the traditional economic rules. But you do see a lot of advertising for tools, but the transactions are typically made via nonpublic communication channels in an effort to stay safe from law enforcement," he said.

The Russian shadow economy is a service-oriented economy of scale that has "become a kleptocracy wherein crony capitalism has obtained a new lease on life," the report says.

Like any underground business, however, there is a mix of greed and mistrust governing relations.

"Our researchers have successfully communicated with some criminals who are less cautious than others, but certainly some of these hackers are very security-conscious and will go to some lengths to vet a customer," said Clay.

"This is typically true when it is a new potential customer who they have not worked with in the past. This is a community, and as such, they buy and sell to the same people over time, so many customers are repeat customers and obviously have a better reputation with the seller than someone new," Clay said.
