Russian Underground is just part of a global criminal network

Pierluigi Paganini November 01, 2012

Trend Micro published a very interesting report on the Russian underground market, the document written by Max Goncharov analyzed the services and the products marketed by cyber criminals.

The study is based on data obtained from the analysis of online forums and services attended by Russian hackers such as antichat.ru, xeka.ru, and carding-cc.com.

Trend Micro demonstrated that is possible to acquire every kind of tools and services to realize cyber criminal activities and frauds. The top 10 activities included software designing, spam and flooding services, hacking, server sales and hosting, denial-of-service attacks, pay-per-install services for downloads and traffic, file encryption, malware, and exploit writing.

  1. Programming services and software sales
  2. Hacking services
  3. Dedicated server sales and bulletproof-hosting services
  4. Spam and flooding services, including call and SMS flooding services
  5. Download sales
  6. DDoS services
  7. Traffic sales
  8. File encryption services
  9. Trojan sales
  10. Exploit writing services and sales

Programming services and software sales was the most common service in the criminal market, where it is possible to buy customized malware agents and any kind of applications to conduct a cyber attack such as spammers, brute-force tools and DDoS bots and exploit toolkits.

As explained in my previous article the cybercrime is generating an impressive economy, its value is frightening, and that is able to interfere with the economic system of each state with devastating consequences.

The Russian underground is famous for its organization, a “shadow economy that is increasingly becoming one that is service-oriented and resembles real-world businesses in the way it sells products to others.”

The Russian cybercrime investigations company Group-IB in the last months published a study on Russian cybercrime market estimating a business in 2011 of  $2.3 billion.

Dark market, deep web … all terms that evoke hacking activities in our mind, and it is true, hacking represents the majority of services provided such as brute-forcing, SQL injection and Cross-site scripting attacks, phishing, and of course social engineering.

The services for the creation and the distribution of malware are in high demand, the study reveals the great interest in File Encryption and Crypting Services due the necessity to hide malicious code from security defense systems.

Cybercriminals use various crypting techniques proposing two categories of crypting services:

  1. encrypting services for individual files (e.g.DLL files and executable files) .
  2. crypter sales.

I love cryptography that’s why I decided to go deep in the topic presented in the excellent study.

The most important component for crypting services is the crypter stub used to code/decode a malicious code.

Crypters can be classified as either statistical or polymorphic.

“A statistical crypter’s stub is a separate program to which the encrypted file is tied. When launched, the file is extracted, decoded, and executed.”

“Polymorphic crypters are considered more advanced. They use state-of-the-art algorithms that utilize random variables, data, keys, decoders, and so on. As such, one input source file never produces an output file that is identical to the output of another source file.”

So a crypter are critical components to ensure malware efficiency, but how much is it?

Let’s give a look to the following price list to understand how could be convenient to user these components.

The low price is not only a prerogative of crypters, with a reduced investment a criminal could acquire a huge quantity of  products and access to various services.

The spread of a malware is also simple and cheap, the Russian underground, and not only, proposes completed services that provide hosting for malicious code and also personalization of the most effective malware such as Zeus.  Zeus installation on a rented server could cost few dozens of dollars according to the Trend Micro report.

Here are sample cybercriminal posts offering ZeuS services (translated from Russian):

“I’ll sell ZeuS 2.0.8.9 source code. Private sale of source code. Price: US$400–500; bargaining (swapping) is possible.”
“Selling ZeuS 2.1.0.1 bin + set up on your hosting for US$200 escrow is accepted.”
“I’ll sell a Zeus 2.0.8.9 builder + administration controls. I also do builds. Price: US$300. Build price: US$100.”
“LOGS-ZeuS logs (2.4Gb) DE FR IT GB, price: US$250.”
“Installation of ZeuS in your host: US$35. Installation of ZeuS in my host: US$40.”
“Setup of ZeuS: US$100, support for botnet: US$200/month, consulting: US$30.”

In particular, Pay-per-install services such as download services have a great popularity, criminals provide the malicious file to a service provider or ask it for a customization of most common malicious agents, and the provider manages the distribution aspects.

“Download services are usually offered based on the target country. The value of traffic is primarily based on how important its owner is. The bigger the organization it belongs to, the more expensive it is”

Goncharov distinguished two different type of programs:

  • Traffic partner programs convert traffic to downloads. “Traffic services, such as promising to direct a certain number of users to a Website, or using black hat search engine optimization techniques to improve search engine visibility, are also popular.”
  • Download partner programs that are sold per 1,000 installs, usually they require two components, traffic, and an exploit bundle.

We all know how much danger could be a DDoS attack, but many ignore how much simple is to acquire tools to conduct this type of offensives or to rent a “A one-day denial-of-service”, in this last scenarios criminals have to pay a cost from $30 to $70.

To arrange a DDoS attack a criminal need to use specially crafted bots and botnets, this means that he must obtain the access to a huge quantity of machine that have to compose the offensive architecture and then installs a daemon in it using his DDoS bot kit.

The service rent propose to the criminal a pre-built botnet to attack the chosen target, easy, cheap and efficient, what do you think about?

Very popular are hosting services, mainly dedicated servers that are a must in a cybercriminal operations, typically for their exploits or for drive-by-downloads, these are considered unique consumables with more or less constant demand.

“Servers are usually sold by the tens or hundreds with prices depending on their processing power and, to a larger extent, Internet access speed.”

Other relevant services are spamming services remain popular but a high demand is also for collections of social media profiles such as social networking and forum account.

For obvious reason I extracted the most meaningful and known topics from the report, I strongly suggest its complete reading to have an idea of the Russian underground community that is able to provide any kind of services and products for criminal activities.

As said in my previous posts these services make easy to arrange cyber frauds and to conduct cyber attacks, in many cases there isn’t the need of a deep technical knowledge and this aspect is crucial. We are assisting to affirmation of C2C (cybercrime to cybercrime)  business model, ordinary criminals are supported by cyber criminals to expand their activities, a dangerous commingling!

“The document provides a clear vision on fundamental tools and technologies cybercriminals create and use to enhance their business”, completing it with an interesting data … the pricing.

The Russian economy is not isolated, we are facing with a growing industry that start from cyber space to reinvest the proceeds in to other criminal activities such as drugs and weapons.

The phenomenon has to be analyzed on a wide optical, these economies are just part of a global criminal networks that has no boundaries!

[adrotate banner=”9″] [adrotate banner=”12″]

Pierluigi Paganini

(Security Affairs – Russian underground, hacking)

[adrotate banner=”5″]

[adrotate banner=”13″]




you might also like

leave a comment