The 'Malware Economy' Evolves

Posted by Zonk on Friday December 14, @12:23PM
from the when-blackmail-is-business dept.
superglaze writes "ZDNet UK has a feature on how the malware economy is turning into a recognizable traditional IT economy. Leasing botnets? Malware support? Welcome to the new age of computing. As the piece suggests, it's all gone Darwinian. 'One indication of the maturity of the black economy, according to Telafici, was the recent case of a hacker who wrote a packer [software used to bypass antivirus protection], "threw in the towel recently as it wasn't profitable enough -- there's too much competition. They opened the source code and walked away."'"

  • Oblig.. (Score:1, Offtopic)

    by fizzer82 (1201947) on Friday December 14, @12:26PM (#21699222)
    Cracker not hacker!! ARRRGGHHHH OMFG the mainstream media is screwing us geeks over again.

    Their whining is covered, please continue with OT discussion...

  • This shouldn't have surprised anyone (Score:4, Informative)

    by damn_registrars (1103043) on Friday December 14, @12:31PM (#21699288) Journal
    Really, we've been talking about the Economic basis of spam [slashdot.org] for some time. I've commented [slashdot.org] and journaled [slashdot.org] on how the economics of spam make most current solutions meaningless in the greater fight.

    So now when we see yet another article discussing the money that is made in malware, particularly the botnets that drive spammers, there's no reason why anyone should find this surprising.
  • Open source malware? (Score:2, Insightful)

    by spun (1352) <loverevolutionary@ya h o o . com> on Friday December 14, @12:32PM (#21699302) Journal
    That's a FUD goldmine, or a FUDmine, if you will. Damn, OSS enemies will be crowing about this: "open source leads to VIRUSES and MALWARE! Open source hackers create programs to take over your computer, how can you trust them?"
  • Only high profit crime (Score:4, Interesting)

    by Anonymous Monkey (795756) on Friday December 14, @12:42PM (#21699444) Journal
    This is only logical. A criminal will work for the quick buck. BnE is great when lots of people are leaving their windows open and you are the only burglar, but once everyone is on the BnE bandwagon, it's time to switch to mugging or extortion.
    • Re:Only high profit crime (Score:5, Insightful)

      by binaryspiral (784263) on Friday December 14, @01:30PM (#21700120)
      A criminal will work for the quick buck. BnE is great when lots of people are leaving their windows open and you are the only burglar, but once everyone is on the BnE bandwagon, it's time to switch to mugging or extortion.

      Like Patent trolling, DRM, or WGA.

  • ...the predators will flourish.
  • Malware and ex-emailer (Score:5, Insightful)

    by deviated_prevert (1146403) on Friday December 14, @12:48PM (#21699524)
    As I receive spam my conclusion is that the majority of bot nets are created by people like my Aunt. She thinks she is safe because she uses some obscure malware and e-mail detection system that seems to have appeared like magic to rescue her from the perils of the net. However, her Windows 98 kernel has obviously been rooted and she does not even know it.

    I keep getting spam traffic from her that is reassigned from a myriad of outlook express ex-emailers. I have told her that she will have to get her OS reinstalled but she just won't listen. I am afraid that the windows OS and the Microsoft way of computing has done little more than create a shit load of computer using zombies and little old ladies (like my aunt) who in blissful ignorance just keep up the status quo. The result of this blissful ignorance is that bot nets have become almost impossible to kill.

    • Re:Malware and ex-emailer (Score:5, Interesting)

      by Opportunist (166417) on Friday December 14, @12:58PM (#21699658)
      And this won't change as long as you're not responsible for your computer's actions.

      We have a license for everything. You need a license to drive, to prove you're able to steer a car without causing a problem. We (at least here) need a license for a gun, so you prove you're not just some maniac who wants to kill his wife's sisters. But even for "non-lethal" things like some jobs you need to prove you're able to handle what's put into your hands sufficiently professionally that you don't cause harm to anyone else.

      Now, I wouldn't really want a "driving license" for computers, but I'd very much enjoy seeing people taking some more responsibility for their computers and what they do to others on the internet. As we see now, this has become an economic problem. We waste a lot of bandwidth and work hours fighting spam, we have the sword of a DDoS looming over our heads due to botnets ready to strike, and it all boils down to people using rooted boxes and not even knowing it.

      Before you start crying about your freedom to use the net, be aware that sooner or later our legislators WILL react. They have to, the pressure from the industry is already tangible. And in our current environment, the result is very likely not one where people get better educated and more responsibility, instead we'll probably see laws regulating what kinds of machines you may attach to the net (and the accompanying locking of "insecure" machines from participation), and we know the current definition of "secure". It will pretty much lead to machines so heavily DRMed that Vista looks like open source compared to it.

      So either we start pushing towards more personal responsibility or we'll have something dumped on us that is maybe the least favorable alternative. Because the industry WILL start lobbying for protection from those rooted machines. And they don't care if you can use your computer for anything but playing prepared content. Actually, some would definitely like that.
      • Re:Malware and ex-emailer (Score:4, Funny)

        by Colin Smith (2679) on Friday December 14, @01:12PM (#21699858)

        Now, I wouldn't really want a "driving license" for computers, but I'd very much enjoy seeing people taking some more responsibility for their computers and what they do to others on the internet
        http://www.ecdl.com/ [ecdl.com]

      • Re:Malware and ex-emailer by deviated_prevert (Score:3) Friday December 14, @01:15PM
      • Re:Malware and ex-emailer by stevefuzzy (Score:1) Friday December 14, @01:30PM
      • Re:Malware and ex-emailer (Score:5, Funny)

        by myvirtualid (851756) <pwwnow@@@gmail...com> on Friday December 14, @01:42PM (#21700310)

        Your post advocates a
        ( ) technical (X) legislative ( ) market-based ( ) vigilante

        approach to fighting spam.

        Furthermore, your approach appears to require a level of international cooperation akin to
        ( ) Passing a meaningless UN resolution
        ( ) Negotiating a world wide free trade agreement
        ( ) private, i.e., commercial and civil, law
        ( ) Banning land mines
        ( ) Adding a permanent member to the UN Security Council
        ( ) Achieved balanced copyright reform
        ( ) Censuring Cowboy Neal
        (X) Doing anything truly useful about climate change
        ( ) Eliminating Britney Spears

        Your idea will not work. Here is why it won't work. (One or more of the following may apply to your particular idea, and it may have other flaws which used to vary from jurisdiction to jurisdiction before a useful treaty can be negotiated.)
        ( ) Spammers can easily use it to harvest email addresses
        ( ) Mailing lists and other legitimate email uses would be affected
        ( ) No one will be able to find the guy or collect the money
        ( ) It is defenseless against brute force attacks
        (X) It will stop spam for two weeks and then we'll be stuck with it
        (X) Users of email will not put up with it
        ( ) Microsoft will not put up with it
        ( ) The police will not put up with it
        ( ) Requires too much cooperation from spammers
        (X) Requires immediate total cooperation from everybody at once
        ( ) Many email users cannot afford to lose business or alienate potential employers
        ( ) Spammers don't care about invalid addresses in their lists
        ( ) Anyone could anonymously destroy anyone else's career or business

        Specifically, your plan fails to account for
        ( ) Laws expressly prohibiting it
        (X) Lack of centrally controlling authority for email
        (X) Open relays in foreign countries
        ( ) Ease of searching tiny alphanumeric address space of all email addresses
        (X) Asshats
        (X) Jurisdictional problems
        (X) Unpopularity of weird new taxes
        ( ) Public reluctance to accept weird new forms of money
        ( ) Huge existing software investment in SMTP
        (X) Susceptibility of protocols other than SMTP to attack
        ( ) Willingness of users to install OS patches received by email
        (X) Armies of worm riddled broadband-connected Windows boxes
        ( ) Eternal arms race involved in all filtering approaches
        ( ) Extreme profitability of spam
        ( ) Joe jobs and/or identity theft
        (X) Technically illiterate politicians
        (X) Extreme stupidity on the part of people who do business with spammers
        (X) Dishonesty on the part of spammers themselves
        ( ) Bandwidth costs that are unaffected by client filtering
        ( ) Outlook

        and the following philosophical objections may also apply:
        (X) Ideas similar to yours are easy to come up with, yet none have ever been shown practical
        ( ) Any scheme based on opt-out is unacceptable
        ( ) SMTP headers should not be the subject of legislation
        (X) Blacklists suck
        ( ) Whitelists suck
        ( ) We should be able to talk about Viagra without being censored
        ( ) Countermeasures should not involve wire fraud or credit card fraud
        ( ) Countermeasures should not involve sabotage of public networks
        (X) Countermeasures must work if phased in gradually
        ( ) Sending email should be free
        (X) Why should we have to trust you and your servers?
        ( ) Incompatibility with open source or open source licenses
        (X) Feel-good measures do nothing to solve the problem
        ( ) Temporary/one-time email addresses are cumbersome
        ( ) I don't want the government reading my email
        ( ) Killing them that way is not slow and painful enough

        Furthermore, this is what I think about you:
        ( ) Sorry dude, but I don't think it would work.
        ( ) This is a stupid idea, and you're a stupid person for suggesting it.
        ( ) Nice try, assh0le! I'm going to find out where you live and burn your house down!
        (X) uh, come to think of it, I have no particular opinion of you nor any desire to form one.

      • Re:Malware and ex-emailer by antifoidulus (Score:2) Friday December 14, @02:53PM
      • Re:Malware and ex-emailer by readin (Score:2) Friday December 14, @02:55PM
      • Re:Malware and ex-emailer by Mistshadow2k4 (Score:2) Friday December 14, @04:23PM
      • Re:Malware and ex-emailer by DaveWick79 (Score:2) Friday December 14, @06:33PM
    • Re:Malware and ex-emailer (Score:5, Interesting)

      by houstonbofh (602064) on Friday December 14, @01:24PM (#21700050)
      I still don't understand why ISPs are not doing more about this. SPAM uses a large amount of the precious and limited bandwidth, but they filter p2p? I get 10 to 20 spam an hour. As I have more than one e-mail client (one on laptop, one at home, one at work...) each one gets passed off the SIP mail server 3 times for me. It also passes in to the ISP mail server once, so 20-30 messages times 4, times 24 hours times each user adds up to how much bandwidth? And this is why I can't seed my Ubuntu images?
  • by minority (23819) on Friday December 14, @12:49PM (#21699540)
    malware is great!
    such as Alibaba.com, a Chinese company, well known for the malware 3721, can even make an IPO for more than 1.3 billion dollars.
    that's why it is called "Historic IPO"
  • No shortage of idiots (Score:3, Interesting)

    by hyades1 (1149581) on Friday December 14, @12:50PM (#21699554)

    I don't get it. One of the most popular uses for a botnet, according to the article, is for spam mailings. But how can spammers afford to pay any significant amount of money for the service? I understand that they're mailing out to millions of people and count on a high level of rejection, but how many people are stupid enough to open something that says, "5PL1t H3R 1n HALF WYTH YORE HUGE ORGAN"? Let's face it, half the population is female, and probably not interested (unless they're buying for their boyfriend, and wouldn't THAT be a kick-ass Christmas present); a majority of the male half of the population are probably reasonably satisfied with their equipment; and even a vast majority of those poor, pathetic guys who actually have "AY tiney Pinnus That You GIrflrend Lauff at" probably have an IQ in at least the high double digits (I mean, they figured out how to turn on a computer and collect their e-mail, at least). So they probably wouldn't open that message either.

    And then there's the spam filters, which are getting pretty good these days.

    So that leaves what percentage of the population stupid enough to open one of these things and infect their computers with something vile? And if they're that stupid, how likely is it that they have a bank account worth looting? Or that they haven't been hit before so often they just sign their paycheque over to the spammers automatically and save everybody a lot of trouble?

    Help. Somebody please explain it all to me.

  • Utility Computing (Score:4, Interesting)

    No kidding :-) I said in a public forum about 4 years ago that botnets are the first and only successful example of commercial utility computing [wikipedia.org], where a vendor tries to rent out time on large compute clusters.

    This works much better for botnet vendors than for Amazon EC2 or HP Utility Data Center, because the really valuable resource the botnets are renting is a routable IP address that hasn't been shut down yet. Computers are nearly free, but IP addresses that work are not.

  • Malware is closed-source (Score:3, Funny)

    by JerryLove (1158461) on Friday December 14, @01:53PM (#21700450)
    There's copyright protection on a product designed for illegal use? Isn't that like complaining that someone stole your cocaine?
  • Hopefully this means the malware industry will begin hemorrhaging money by hiring consultants.
  • Here's the actual paper. (Score:5, Interesting)

    by Animats (122034) on Friday December 14, @02:08PM (#21700674) Homepage

    Here's the actual paper from which came most of the material in the article: "The Commercial Malware Industry" [auckland.ac.nz], from the University of Auckland. More technical details.

    New threats of interest:

    • Some viruses now use error correcting codes so that attempts to patch them out will be repaired.
    • Windows Genuine Advantage blackmail trojan. Pops up a message requesting payment of money or it will disable your computer. (p. 39)
    • Location-aware malware - used to find location for credit card number, so phony transactions can be generated from a physically nearby node. (p. 41)
    • "The most popular brands of antivirus software have an 80% miss rate" - AusCERT (p. 46)
    • Malware that detects and removes anti-virus and anti-rootkit tools is available. Once one of these is loaded, it runs before anti-virus software, even in Safe Mode. (p. 48)
    • "eGold Siphoner" detects valid sessions connecting to eGold.com and transfers funds by hijacking the authenticated session. (p. 52)
  • The design of stealth software like the "packer" is the same as copy-protection and "DRM" media encryption software; both depend on obfuscation to hide the payload from an attacker while giving him both the key and the ciphertext. If you open-source it, you're telling the attacker (the antivirus researcher, or the deCSS author) where the key or the malware is hiding.

    I'm sure all the AV guys have already grabbed a copy of that packer and are totally on top of it.
  • by rodney dill (631059) on Friday December 14, @03:04PM (#21701448) Journal
    ...wake up with a Trojan horse head in their bed.
  • Woo!?! (Score:1)

    by footissimo (869107) on Friday December 14, @03:55PM (#21702178)
    "They opened the source code.."

    Another win for FOSS!
  • language hacking (Score:1)

    by SaberTaylor (150915) on Saturday December 15, @06:36AM (#21707326) Homepage Journal
    This might sound like rubbish at first.

    I'd rather you use the big old evil word, "evolution," rather than Darwinist or Darwinian.

    Reason: conservative moonbats attack science by making it personal. For example, Rush Limbaugh attacks global climate change by saying that Al Gore is everywhere and listening to Al Gore makes him want to put a gun in his mouth (I am not making this up, we live in La La Land.)

    Another reason is that the recent spate of articles catching on to calorie restriction as a method of life extension avoid the word "evolution" when discussing the reason that it works. The reason that fasting prolongs life is that evolution changes the aging governor in people who are experiencing famine to save them for reproduction later. No one, not Slate or NYT or Scientific American includes the word "evolution" when talking about this effect.

    So let's drop the personification of theories. After all, evolution is a lot more than Darwin knew about, the theory has tremendous explanatory value and shouldn't be pegged to centuries ago.

    JBS Haldane, 1940:

    1. Events occur which are not perceived by any mind.
    2. There were unperceived events before there were any minds.
    And I also believe, though this is not a necessary logical deduction from the former two, that:
    3. When a man has died he is dead.
  • by sjames (1099) on Saturday December 15, @01:40PM (#21709946) Homepage

    So far, the one legislative action that has done anything significant to spam was the law barring credit cards from processing payments to online casinos. It's not that much of a leap to similarly ban any payments to v1gra pushers as well as the many 'Canadian pharmacies'. After all, the product is either quackery or an illegal sale of a prescription drug, so the enterprise is illegal even without spamming. Even a fair percentage of the id10ts that fall for the spam will balk at sending cash through the mail.

    If the law also called for reversal of existing transactions to a merchant found to be pushing illegal pharmaceuticals or quack remedies (after all, unlike the herbal supplement industry, the spams DO promise effectiveness for a particular condition) then the whole 'enterprise' becomes significantly riskier.

    Likewise, pump and dump is illegal already and carries significant penalties. In addition to clogging inboxes and defrauding naive investors, they also do great economic harm to the penny stock companies that are targeted since their stock tends to end up worse off after the dump than before the pump. If the SEC actually pursued and prosecuted these fraudsters, they would stop.

    That takes care of most of the spam. If we use "for the children" for good rather than evil for a change, we can also get rid of the sex toy and porn spam. Considering that spam is splattered everywhere, including wild guesses at potentially valid addresses, they are certainly not taking care to avoid soliciting children. Why is it that the same prosecutors and detectives who would relentlessly pursue any XXX store owner who ever failed to throw a minor out of the store won't pursue spammers who actively invite children to buy their products and even preview for free?

    Finally, the botnets themselves are built by committing felony tampering on a massive scale. Why is it that some kid hacks his way into one computer gets the book thrown at him, but a real criminal who hacks into MILLIONS of computers isn't pursued because "it's too hard"? Surely, anyone who commits millions of felonies is worth orders of magnitude more effort than some kid with a war dialer!

    The FBI DID recently catch up with a few botnet operators. That's a good start, they should keep it up. The SEC and FDA should join them.

    The repl|cas are about the only thing that might slip through the cracks, but even those may be violations of trademark law depending on how closely they resemble the real thing. If they don't bear close resemblance, then they are mail fraud.

    The short summary: the bulk of spam is connected with criminal enterprises. The process of zombifying a PC is a felony. There is no need to add new laws, just enforce the existing ones for a change. There is significant legwork involved, but on the other hand, if law enforcement just spends $30 or so a month on an ISP account, the spammers will effectively report their own crimes.

  • by Grampaw Willie (631616) on Friday December 14, @02:39PM (#21701074) Homepage Journal
    your post contains unacceptable language