But Malware is Prone to be Profitable

Read this a couple of times, than read it several more times, and repeat. It's usually "powerful stuff" that prompts such confusing descriptions of what sound like defense in-depth at one point, and a combination of intergalactic security statements in respect to the "massive amounts of computing power required" to solve the "security problem" at another. Stop predicting weather and assessing the impact of global warming, and command the supercomputers to figure our the scientific mysteries behind common insecurities :

"Even if we can't produce effective network security, we can at least make it more difficult and therefore expensive to attack a network by adopting some of the hacker's own techniques. He favors randomizing the use of a number of techniques for filtering content, so that individual malware vectors will sporadically stop working. By changing the challenge involved in compromising systems, the whole malware economy is changed. Stolfo also took a positively Darwinian view of how much change was needed, suggesting that security only had to be good enough to make someone else's system look like a more economical target. Overall, the talks were pretty depressing, given that the operating systems and software we rely on will probably never be truly secure. The process of blocking malware that takes advantage of this insecurity appears to be entering the realm where true security has become one of those problems that requires massive amounts of computing power and an inordinate amount of time."

The operating systems and the software we use can be truly secure, but will be useless compared to the currently insecure, but useful ones we're using. Now here's a great and straight to the point article, that's segmenting the possible uses of a host that's already been compromised, a great example of how innovations in terms of improved Internet connectivity, increased CPU power, and flexibility of online payments both steamline progress, and contribute to the growth of the underground.

Beat malware by doing what malware authors do? Sounds great. Malware authors outsource, do it too. Malware authors embraced the on demand SCM concept, embrace it too. Malware authors consolidate with stronger strategic partners, and acquire the weaker ones by providing them with DIY malware creation tools in order for them to make the headlines at a later stage, consolidate too. Malware authors keep it simple the stupids, you fight back with rocket science theoretical models and shift the focus from the pragmatic reality just the way it is - consolidation, outsourcing, shift towards a service based economy, quality and assurance of the malware releases, malicious economies of scale in the form of malware exploitating kits, ones it's getting hard to keep track of these days.

At the bottom line, how to solve the "malware problem"? It all depends on who you're solving it for. Long live marginal thinking.

Related posts:
Malware - Future Trends, January, 2006
Underground Economy's Supply of Goods and Services
The Dynamics of the Malware Industry - Proprietary Malware Tools
Managed Spamming Appliance - The Future of Spam
Multiple Firewalls Bypassing Verification on Demand

Exposing the Russian Business Network

It was about time someone comes up with an in-depth study summarizing all of the Russian Business Network's activities, as for me personally, 2007 is the year when bloggers demonstrated what wisdom of the crowds really means, by putting each and every piece of the puzzle to come up with the complete picture, one the whole world benefits from. A highly recommened account into the RBN's activities courtesy of David Bizeul's "Russian Business Network study" :

"It’s interesting to observe that many recent cyber crime troubles are relating to Russia. This observation is obviously a simple shortening. Indeed nothing seems to link to Russia at first sight, it’s a nasty country for sending spam but many are worst, Russia is only the 8th top spam country. We need to dig deeper to identify that cyber crime is originating mostly from Russian dark zones. In a digital world, those dark zones exist where the Internet becomes invisible and it’s used for collecting phishing sites credentials, for distributing drive by download exploits, for collecting malware stolen data, etc. It’s a considerable black market as it has been revealed in this paper. A lot of information can be available over the web on Russian malicious activities and precisely on the way RBN (Russian Business Network) plays a major role in these cases."

What contributed to such a well coordinated exposure of the RBN during the last two quarters at the bottom line? It's not just security researchers exchanging info behind the curtains, but mostly due to RBN's customers confidence in RBN's ability to remain online. And while remaining online has never been a problem for the RBN, until recently when DIY IP blocking rulesets were available for the world to use, they undermined their abilities to remain undetected. In fact, I was about start a contest asking anyone who can come up with a IP with a clean reputation within the RBN's main netblock right before it dissapeared, and would have been suprised if someone managed to find one.

The RBN doesn't just makes mistakes when its customers embedd malware hosting and live exploit URLs on each and every malware and high-profile attack during the year, it simply doesn't care in covering its tracks and so doesn't their customers as well. RBN's second biggest mistake for receiving so much attention is their laziness which comes in the form of over 100 pieces of malware hosted on a single IP, without actually bothering to take care of their directory listing permissions, allowing my neatly crafred OSINT gathering techniques to come up with yet proof of a common belief into their practice of laziness. Moreover, the KISS strategy that I often relate to the successful malicious economies of scale that malware authors achieve due to DIY malware kits using outdated exploits compared to bothering to purchase zero day ones, didn't work for the RBN. Remember that each and every of the several Storm Worm related IPs that I covered once were returning fake suspended account notices in a typical KISS strategy, while the live exploit URLs and the actual binaries were still active within the domains.

This isn't exactly what you would expect from what's turning into a case study on conversational marketing, or perhaps how conversational marketing provokes the wisdom of crowds effect to materialize, so that the entire community benefits from each and everyone's contribution - in this case exposing the RBN.

How would the RBN change its practices in the upcoming future given all the publicity it received as of recently? They will simply stop benefing from the easy of management of their old centralized infrastructure, and will segment the network into smaller pieces, but while still providing services to their old customers, they're easy to traceback, and to sum up this post in one sentence - the Russian Business Network is alive, and is providing the same services to the same customers, including malware and live exploits hosting URLs under several different netblocks.

It's also great to note that David's been keeping track of my research into the RBN's activities. Go through the study and find out more about the RBN practices.

Related posts:
Go to Sleep, Go to Sleep my Little RBN
Detecting and Blocking the Russian Business Network
RBN's Fake Security Software
Over 100 Malwares Hosted on a Single RBN IP
The Russian Business Network