Tuesday, April 25, 2006

Wild Wild Underground

Where's the real underground these days, behind the shadows of the ShadowCrew, the revenge of the now, for-profit script kiddies, or in the slowly shaping real Mafia's online ambitions? Moreover, is all this activity going on behind the Dark Web, or the WWW itself? Go through this fresh overview, emphasizing on today's script kiddies, 0days as a commodity, malware and DDoS on demand on the WWW itself, and perhaps a little bit of vendors' tolerated FUD.








In a previous post, I mentioned on the existence of the International Exploits Shop, the Xshop, basically a web module where 0days, and service support in terms of videos, PHP-based configuration etc. are provided to anyone willing to get hold of a 0day/zero-day vulnerability -- scary stuff, yet truly realistic concept that's directly bypassing today's infomediaries that purchase vulnerabilities.








I must admit I didn't do homework well enough to figure out that the Hack Shop has been changing quite some places for the last two years and having offered many other vulnerabilities, going beyond what I came across to two months ago -- the Internet offers a much wider set of potential buyers than from the three informediaries for the time being. As a reader gave me a hint, in the future images would protect that type of pages from crawling activities, and it's interesting to note that previous versions of the shop were doing exactly the same, while the last one I got tipped about, was using text on its pages. What's also important to mention is that these are the public propositions, ones placed on the WWW, and not the Dark Web, the one behind closed doors. Last month, Sophos mentioned on the existence of a multi-exploit kit for an unbelievably cheap price :








"A Russian website is selling a spyware kit for $15. The website promises an easy-to-deploy spyware that only requires users to trick their victims into visiting a malicious website. The website even offers technical support. Carole Theriault, senior security consultant at Sophos, says such websites invite script kiddies and other unskilled would-be hackers into the world of cybercrime for profit."







Rather interesting, WebSense Security Labs looked further, came up with the screenshots from the site itself, cut the last screenshot you can clearly see here (Disable adobe acrobat web capture, Disable opera user, Kill frame, Location lock, Referrer lock) but again spread the rumour of multi-exploit kit for sale at $15, of course for entering the for-profit cyber crime business -- a little bit of FUD, sure, but the sellers aren't still that very desperate I think.



So, I decided to look even further and now can easily conclude -- it depends where you're buying it from, I mean even the official site sells it at a price that way too high for an average script kiddie to get hold of multi-exploits pack -- whether outdated or not can be questioned as well. So, the kit officially goes for $300 and, $25 for updates, I also came across it for $95, but I bet they are a lot of people looking for naive wannabe exploiters out there. As you can see on these screenshots, it has the ability to encrypt HTML pages, parts of the page, and take precautions for curious folks trying to figure out more about the page in question, and it makes me wonder on how well would malicious HTML detection would perform here, if it does?








What's the outcome -- script kiddies with attitude are basically compiling toolsets of old exploits and building all-in-one malware kits. As you can even see, they are lazy enough not to keep an eye on its detection status, a sign of "growing" business for sure, yet the "underground" seems to Ph34r going to the Opera , so take your note.








I recently came across to a great article "The Return of the Web Mob" you can find more details on the topic as well, such as :








"I saw one case where an undetectable Trojan was offered for sale and the buyers were debating whether it was worth the price. They were doing competitive testing to ensure it actually worked as advertised," said Jim Melnick, a member of Dunham's team."








"In November 2005, Mashevsky discovered an attempt to hijack a botnet. [The] network of infected computers changed hands three times in one day. Criminals have realized that it is much simpler to obtain already-infected resources than to maintain their own botnets, or to spend money on buying parts of botnets which are already in use," he said."








"Dunham, who frequently briefs upper levels of federal cyber-security authorities on emerging threats, said there have been cases in Russia where mafia-style physical torture has been used to recruit hackers. If you become a known hacker and you start to cut into their profits, they'll come to your house, take you away and beat you to a pulp until you back off or join them. There have been documented cases of this," Dunham said."








While doing a recent research across the Russian and the Chinese domain, I came to the conclusion that every local scene has it's own underground, and that those that go as publicly as some do at the bottom line, make the headlines. However, Chinese users being collectivists, are still at the heroic stage of cyber dissidents slowly turning into wannabe hackers, and they have a chain of command, so to speak, that I can argue is more powerful than thought to be "well organized" like the ones in Russia, being individualists. There are even marketing campaigns going on in the form of surveys, trying to measure the bargaining point for 0day vulnerabilities I guess. This one says :



How much would you be willing to pay for an exploit?
$100-300
$300-500
$500-1000
over $1000
we write our own exploits :D
I get them for free








and offers trying to even add value to the purchase by offering a SMS flooder for free if you purchase the exploit. I mean, if you start thinking logically, bypassing the current intermediaries and their moody programs compared to one-to-one communication model with a possible buyer -- the entire idea behind disintermediation is the method of choice. Have 0days turned into an uncontrolled commodity that has to be somehow, at least, coordinated?!








In my recent Future trends of malware research, I mentioned how open-source malware would inevitably dominate, and how the concept will put even more pressure on AV vendors to figure out how to protect from unknown malicious code -- proactively. What I came across to was, customer-centric malware propositions, special features increase or decrease the final price, botnet sources for free download/purchase if modifications are made, free advices coming with the purchase, on demand vulnerabilities, spamming or spam harvesting services on demand, price comparison for malware samples, rootkits-enabled pieces of malware indeed show an increase of growth, DDoS on demand services are usually proposed with 30 mins of service "demo".






Bot's sources are also annoyingly available at the click of a button, as I verified over 20 working links with archives averaging 75MB.








Popular ones :
urxbot, spybot, sdbot, rxbot, rbot, phatbot, litmus, gtbot, forbot, evilbot, darkirc, agobot, jbot, microbot, blueyebot, icebot, q8bot, happybot, htmlinfectbot, gsys, epicbot, darkbot, r00fuz, panicattack








Who's to blame? It's not Russia for sure, and if it was it would mostly have to do with enforcement of current laws, yet the global media tends to stereotype to efficiently meet deadlines, instead of figuring out what is going on at the bottom line. When the U.S sees attacks coming from Chinese networks, it doesn't mean it's Chinese hackers attacking the U.S, but could be that sick North Korean ones are trying to increase tensions by spoofing their identities. Moreover, as I've mentioned it is logical to conclude that there are "undergrounds" on a national level, for instance for the last couple of years there's been a steady growth of defacements and phishing attackers from Brazil, Turkey, and of course China, I rarely come across anything else but "mention Russia and get over it" attitude.






In respect to the Chinese "underground", according a report not to be disclosed, and so I'm not as it's fully loaded with impressive information, the Chinese underground back in 2002 used to aggressively attack U.S government's and military targets while drinking Coke from McDonald's themed Coke glass :) courtesy of the China Eagle Union themselves. Their actions in coordination with the Honker Union of China, for instance, played a crucial role in active hacktivism and continue playing it even today.


Like it or not, the average script kiddie, or can we say sophisticated Generation Y teenagers, are well too informed, and obviously sellers of malicious services such as DDoS and malware on demand, than it used to be years ago. I feel it's not their knowledge that's increasing, but the number of connected computers with security illiterate users aiming to put themselves in a "stealth mode" while online in order not to get hacked, or as a friend put it, running in root mode and hiding behind firewalls - ah, the end user.








You can digitally fingerprint a malicious code when you have it, that's normal, but what happens when you don't, can you fight the concepts themselves? Ken Dunham comments on "mafia-style physical torture" are the reflection of people naming their malware MyDoom and begging for botnets if you take your time to go through the quotes from Ancheta's case.








Don't ph34r the teenagers, ph34r their immaturity, and ongoing recruitment practices by the Mafia itself.