Okay, so what I'm going to be talking about is the commercial malware industry. So not so much people, you know, sitting in basements and hacking out viruses and whatever, but the actual commercial vendors or commercial operators doing this, mostly in the form of organized crime. So it's a historical perspective on this to sort of provide some background. In the 1920s and 1930s, there was something called the numbers racket, which was basically Lotto before the government got involved in it. And it was a small-scale industry, exactly as malware was maybe 10 years ago. And it was run through things like local barbershops, local grocer shops. And for people who aren't familiar with the way things worked back then, you didn't have universal phone service. You might have one phone serving an entire neighborhood, and that would be in the barbershop or the grocer shop. So that was a gathering point for the entire neighborhood. And so they ran the numbers racket through that. You could bet for a couple of cents at a time. And the way it worked is you chose a three-digit number, and then the total amount bet at the pari-mutuel betting machines at race tracks was used to match those last three digits. And if that matched the least significant three digits of the total amount bet, then you won a certain amount back. And the reason it was done that way was because that was just a publicly verifiable, effectively a Lotto draw. And nobody really cared about this. The police and so on, occasionally they'd do some shakedown, but generally no one cared about it because it was a small-scale thing. The amounts involved were so small that nobody really bothered about it. And then organized crime moved in. This guy called Dutch Schultz took over from the existing operators. So he'd come in to the existing operators. He'd negotiate with them. He'd put a loaded gun on the table pointing at the operators and say, we're going to take over your racket.
Do you have any objections to this? And the local operator would be a barbershop operator. He really wasn't used to that. So he basically said, yeah, no, go ahead. Take over the business. And so once organized crime was running it, they had enough money to put into this that they could do things like hire mathematicians. There was a guy called Otto Berman, known as Abbadabba Berman, who could fix the numbers racket. They still don't know exactly how he did this, but he would go to race tracks and make a series of last-minute bets to ensure that the frequently played numbers were less likely to win than relatively infrequent ones. So basically the house always won. He was tilting the odds in favour of the house. No one had ever considered this level of attack before. They assumed it was relatively safe from attack because it was a small-scale operation. It wasn't until organized crime moved in and put serious money behind this, and serious expertise, that you could go in and actually fix the numbers racket. And so the problem with this is that, yeah, once organized crime gets involved, everything changes. And we've got the same thing with malware and with spam, that it's basically a worldwide, organized, professionally run industry.

So initially you had viruses that were basically publicity viruses. I mean, someone would write a virus and they'd do it to get their name in the press or their name in lights or whatever, bragging rights. And that was it. These things were poorly tested. They barely worked. There was a whole bunch of stuff that came out around about 2000, 2001 where they did things like they hadn't tested the random number generator, so they'd only scan a subset of the IP address range. And it wouldn't work on different platforms. It worked on one specific version of Windows and nothing else, and a whole pile of other stuff. So these were poorly tested. They were written for bragging rights.
The stuff that's being done now mostly is done by paid professional programmers. These are well tested. They can be incredibly sophisticated. I'm going to give some examples to point out some of the things that these do throughout the talk. So for example, there's the Babylonia virus, which has plug-in virus modules. So you download sort of a main controller virus, and then it goes out and gets these plugins to perform various malware functions. There are ones that use digitally signed, encrypted updates. So this was Hybris, I think; this was even before this was being done to some extent by vendors, where they do digitally signed updates. So the malware authors were already using this technology before the vendors themselves were. So the thing with this is, you know, again, once you've got serious money involved, you can buy serious expertise to do all this stuff. For example, spam vendors are employing people with PhDs in linguistics to bypass spam filters. Now, you think about this. You've got the spam filters being written by hackers, sort of enthusiastically. Basically, you know, I don't mean this in a negative way, but enthusiastic amateurs basically. They're sitting down there writing the code. The guys who are attacking them are getting people with PhDs in linguistics to get around the spam filters. Same thing with phishing. They're using psychology graduates to scam the victims. So you've got the first-level phishing guys who basically try and lure them in. And if they have problems, they pass them on to the second-level tech support, which are people with degrees in psychology, to try and con people out of their money. So the exact figures of what people are making, and in particular the sort of developers and so on, is not really known. These are basically based on rumors, but apparently you can earn up to $200,000 a year as a malware author in Eastern Europe. Now, the general wages there aren't very good. So this is a spectacularly good wage for Eastern Europe.
And the same thing for sort of very commercially viable remote root zero days. Again, there are rumors that these go for $50,000 to $100,000 each. So you can make an awful lot of money, way more than you can ever make in any legitimate industry, by selling to the malware industry. So here's a typical example of how you might get the recruits. Let's say you're somewhere in Russia, you're running some botnet just for the fun of it. Your local ISP either has an agreement with the local crime organization, or they're being leaned on, or whatever. So they report this to the local crime organization. They then turn up at your door and make you an offer you can't refuse, and suddenly you're working for the Russian mafia. So, you know, this is an example. You don't actually go there and sign up. They don't put out recruitment posters. On the other hand, you could just be doing this in your spare time and suddenly, without really wanting to, you're working for organized crime.

This is a commercial, sort of relatively white hat one. There was WabiSabiLabi, whatever it is, an online auction site. I've used this as an example. I don't see this as a very viable commercial business model. But that's an example anyway of, let's say, non-black-market trade in exploits. There was, for example, a black market exploit for Vista, which was actually released before Vista was released. So it wasn't just a zero day. It was more of a minus-one day, which sold for about $50,000. So this is a comment on the stuff that's coming out of Russia, and some examples of prices and distribution of the stuff out of Russian hacker groups. So because this is a complete industry, it's not one individual doing carding or spamming or whatever; it's a complete industry. It's broken down into different sectors, and the different sectors take care of different parts of the malware. So you can outsource pretty much anything you want.
Some of it's done, for example, by the affiliate model. So what you do is you've got spyware, and you pay affiliates to infect people who come to particular websites with their Trojans. This was pioneered by a Russian organization, iframedollars.biz. Iframe is kind of the number one attack vector for getting Trojans into browsers. What they do is they pay webmasters $0.06 for each infected machine. So they could check whether the malware had been loaded onto a machine. If it went through your website, they'd pay you $0.06. And there's also all sorts of different payment rates. You can get fixed weekly payouts. You can get bonuses for installs on clean machines. And there's some quotes there from some of their advertising saying, basically, if you're getting really good returns for us, we can negotiate and pay you more, based on the fact that you're getting very good returns for us. And that's since extended from that to a vast mass of adware affiliates. These are some examples. There's basically too many of these to list. And typically, they'll pay. They have certain published rates where they'll pay based on infection of machines. So, for example, if they infect in the U.S., you get $0.30 per infection, and then it drops lower and lower. So you don't necessarily want to infect a machine in Romania, for example. You're not going to get a very good return out of that. So the payback for that is a lot lower than infecting someone in the U.S. Typically, these things sort of pretend to be legal. So they've got terms and conditions saying that if any affiliates act unethically, then we'll terminate their contract, which is complete nonsense. It's just there to look good. And they make serious money out of this. One of the things we're dealing with, sort of Eastern European, not necessarily criminals, but let's say gray market groups, is they really know how to look after their customers. So there's a website, Neoclickteamparty.com. I don't know if that's still up.
They may have taken it down, but it shows the end-of-year party for their top business earners. And so they went to this castle and they brought in strippers and they had paintball competitions. They gave away a C-class Mercedes for their top earner, and they had, you know, like strippers carrying laptops to give to their top earners. I mean, they really look after their, at least affiliates, if not customers.

So some examples of what some of the stuff does: they do things like context-sensitive spamming. So one of the things that Google does is you can pay to get a better ranking in Google. What these guys do is they subvert that process, so they inject ads into your web browser. So they'll, for example, rewrite Google search results so that their spammed search results rank higher than the official Google results. Or they'll do things like they'll notice that you're searching for a particular thing, and then they'll spam you with ads based on this thing. Yeah, and there's a comment at the bottom of basically the way that sort of works. So there's this huge amount of gray market and sort of rather unethical practices. So I mentioned earlier that they'll put something in the EULA saying, you know, you understand that you're installing something that is going to serve you ads, and so on and so forth. That's the actual vendors. The affiliates then use EULA automation to bypass that. So basically, the EULA pops up. There's EULA automation to click on OK, and it goes away before the user even sees it. So, you know, the actual adware distributor can say, we're acting ethically. We're displaying this license agreement. We're warning the user, and it's not our fault if the other guys are subverting this. And you piggyback it on legitimate software, and a million other things. So that's an example of the sort of, you know, the very edges of the market, the adware and malware distribution.
But basically the whole thing works pretty much as malware as a service. So you may have heard a whole pile of advertising of software as a service, which legitimate vendors are getting into, or are trying to get into, because they can make more money from that. So what the malware vendors are doing, they've got malware as a service. And it's advertised and distributed exactly like standard commercial software. So there's an example from a Russian website basically advertising the different types of malware and the services they can provide for you. And they go to the level of having online video tutorials. So if you don't understand how the malware works or how to run the malware, you can download this video tutorial, and there's a guy there doing a complete demo of how the malware works.

Just a comment on this: a lot of the stuff is in Russian. And if there are any Russian speakers in the audience, you may be sort of giggling at my attempts at translating this. One of the nasty things with this is, during the Cold War, things like the CIA and the NSA could go out and train their people to speak Russian. So they'd have specialists in a particular field. They'd send them on courses to learn not just Russian, but, you know, Russian technical jargon pertaining to this. At the moment, we really don't have anyone like this. There are a couple of companies like Kaspersky, obviously, who have Russian-speaking staff. And occasionally here and there you'll find a Russian speaker. But in general, the people investigating this do not speak Russian. So you don't need any super-duper 128-bit AES encryption. All you need to do is just write it in Cyrillic. And about 99.9% of the people investigating this industry can't read any of that. And not only is it in Russian, it's in sort of Russian hacker jargon. So there are words in there that you won't find in any dictionary. It's very hard to figure out exactly what they're speaking about.
So this is a very approximate attempt at translating some of this Russian. So, okay, you get video demos and stuff like that. You get try-before-you-buy offers. So there are things like, for example, you get a free trial. You get 100 visitors, 100 exploits. And then basically the more you buy, the cheaper it gets. So there's a rough translation there at the bottom. So you get both discounts, and the more money you give them, the cheaper it gets. This is an example of the interfaces for these things. So at the backend level, typically, there's a bunch of, you know, Perl scripts and the usual binaries and so on and so forth. But they actually provide proper graphical interfaces to these things. And this is kind of a scary indication. This is a graphical interface for something called Visual Breeze. And, you know, this is the level of sophistication that this stuff is getting at. They actually have skinnable interfaces. So, you know, you consider that the defenders are barely catching up and barely keeping the virus signatures and whatnot up to date. And the attackers are sitting there deciding on what sort of, you know, skinnable interfaces they can put on their management interfaces. That's the level of sort of, you know, that's what you get by throwing serious commercial money at this. You can get, you know, commercial programmers to do really good jobs on programming interfaces for these things. So here's an example of one of these ones. There's one that's been going around recently called the Gozi Trojan. So basically you buy the basic version for $1,000 or $2,000. Everything's negotiable. And then you buy add-on services for this to do various different types of attacks. And again, there's a translation there. So basically, you know, generally they're selling to the Russian market, but you can also buy it overseas. And there's a huge variation in prices.
So if you're looking for this stuff, you have to shop around different sites to find good prices. One general rule that works for all of these things is that if you're non-Russian, the prices become much higher. So you go to a Russian site, you see the Russian prices. You go to a site where the same prices are advertised in English, and it's sort of twice as much, because they can get a lot more out of foreigners. So if you want the discount rate for this stuff, go to Russian sites to buy it. Typically the prices are advertised in WebMoney. So in the US, you have PayPal. Given the far more aggressive environment that's in operation in Russia, you know, if PayPal set up over there, then they'd be completely looted dry in about 10 minutes, because they're much more proficient at attacking these sites. So there's a Russian equivalent of this called WebMoney, which is basically a version of PayPal, but it's heavily fortified and designed to be very resistant to the Russian business environment. And there's a bunch of standard currencies that they use. And usually these exploits are traded in WebMoney currency, and they have one that's tied to the US dollar, WMZ. So whenever you see a price quoted in dollars, it's basically WebMoney but tied to the US dollar. And there are some examples there. Again, you get ICQ spam, free trial, the first 10,000 messages are free. And after that, you pay various rates depending on how many of these things you're buying. Same thing for buying server-compromise tools. So this is a front-end for something called M-Tools. And you basically feed it a bunch of accounts, and then it does the rest. So the thing with M-Tools is that, I think it's a Unix toolkit. And as I mentioned, it's done in Perl and a bunch of other scripts. Everything run together. So you really need some expertise to run this sort of stuff. Jeff got an excellent on that.
So you can buy the basic FTP tools, front-end and impact, which is the back-end that does the actual work. And so you basically buy the tools as a service, combined. So impact itself costs $1,000 or whatever you can negotiate it for. And then you buy the GUI front-end that does the management for it. I don't know if that's visible in that. It's a bit blurry, but they're actually running Opera. So you notice that on Russian sites. They really, really seem to like Opera. Presumably, I don't know, either because they simply like the browser or because it's least likely to be targeted by malware. So yeah, that's a web-based front-end to the end-blank exploit toolkit. And there are some examples there of these various things that they're selling, and they provide ratings for them. So they're saying, you know, this is reasonably good. This isn't bad. This one's really cool. You should buy this one, and so on and so forth.

So here are some examples of what this sort of stuff does. So one of the things that happens with these things is that, you know, the victims' PCs are very badly secured. Well, the people running the malware, their servers are also really, really badly secured. They might run malware that can break into anything, but they're not very good at securing their own servers. So what investigators do is they go back to the servers that the malware contacts, and they go and see what's been deposited on these servers. So this is just from one single server. So from, I think this is, again, from the Gozi Trojan. One single server that this Trojan drops stuff onto. There are unknown numbers of these around. This is just one single one. And, well, you can read the numbers there. So they basically had accounts not just for the obvious banks and financial institutions. They had federal, state, and local government. They had national and local law enforcement within the US.
They had medical information, social security numbers, basically everything you can possibly, you know, worry about losing on a PC. The bad guys already had this. There's a kind of a nasty catch-22 involved in this: if you're an investigator and you go in and you find a PC full of, let's say, medical data, well, HIPAA says that you're not actually supposed to have this information, and they make it very difficult to communicate back to the victims, saying we found this machine full of stolen information, because, in theory, you're not supposed to have it, and so you can't then communicate that back to the actual victims.

So the thing about this is you can outsource absolutely anything. If you want to get into the malware business and you don't know much about computers, okay, you can buy hosts for a phishing scam. You can buy the spam. You can buy drops to get the money into, and you can buy the cashiers to actually cash the drops out and give you the actual money result back out of that. I'll get on to that in a minute. So given how easy it is to do all this, you wonder why anyone actually still burgles houses, because it's so much easier to just go online and buy all the malware and buy all the services and do everything yourself. So there's a rough diagram of how some of this stuff might be hooked together. It's actually a lot more diverse than that. Just like the legitimate industry, there's a whole bunch of suppliers and so on all tied together. This is very much a simplification of just a couple of aspects of this. The real money is in being the middleman. If you could automate the middleman and have something like a banking clearinghouse to handle this, you could make some serious money. The problem with this is once you've got the single point of focus, all the law enforcement guys will dive into that. So it's kind of a catch-22. You can't scale it beyond a certain point, because you can't have a very large target in the middle.
On the other hand, because it's extremely diversified, there isn't one single target that you can shut down. So here's an example of some of these different sites. It's not a clearinghouse, but the groups who are actually running all the botnets and handling the carding and the spam and all that sort of stuff. Right. So it's an example of the different sites that this has pulled together. Most of these have been taken offline since then. The only one that's still working is Russian Business Network. So basically these are the different groups that provided the different components of this Trojan. Russian Business Network is kind of cool because it's located in St. Petersburg and it basically is, as far as anyone can tell, an ISP for malware and an ISP for spammers and botnets and botnet hosting and so on and so forth. So I don't know if they did that because they have a very good sense of humor, where sort of Russian business means malware, or maybe it was just coincidence. But basically, this is the business network for running malware.

So one of the things with malware is that if you go to the typical sort of victim of the stuff, they expect these Hollywood-style effects. They expect exploding computer panels and things catching fire and so on and so forth. And that was the case with viruses five to 10 years ago; they were designed to be impressive and to get your name in the news. Modern malware is designed to be as unobtrusive as possible. You're never supposed to notice it's there. And so the result is that you get people's machines that are absolutely crawling with viruses, and they have no idea that they are, because the viruses are designed to hide. And this is a genuine example from a virus vendor. They got this support call saying, you know, I've heard about this Anna Kournikova virus, so I downloaded it and nothing happened. Why didn't anything happen? I want to see Anna Kournikova.
I've now downloaded this virus and I haven't got anything out of it. And that is the end user view of how viruses are supposed to work.

So this is an interesting economic model, because basically what these guys are going for is where the money is. So, you know, there's an argument that's saying, okay, Firefox is picking up market share. So the malware guys will now go for Firefox because it's got a certain amount of market share. Well, that isn't the case, because they really only care about the money. They only care about the market share. There's a sample example there. Let's say Internet Explorer has about an 80% market share. Firefox has a 20% market share. There's a high probability of success against Internet Explorer, a low probability of success against Firefox. So basically, using those sample figures, and those are purely sample figures, you get, you know, a 60% return against Internet Explorer or a 2% return against Firefox. Nobody's going to bother attacking Firefox, even if there are vulnerabilities in there, because the money just isn't in there. So commercial attackers expend money to get the biggest market share. They really don't care about bragging rights. And that's, you know, if you look at some of the stuff in OS X and particularly in Safari, when Safari came out for Windows, there were just instantly exploits for this. But nobody had ever bothered attacking it before, because the market share was so small that there was no real money to be made in it. You got a lot more money from attacking Windows. So you get the kind of monoculture argument there. If you want to be secure against attacks, use a little-used platform that there's no money in attacking.

So I'm going to skip through some of the stuff. It's well known. Well, I guess reasonably well known. Just, you know, for example, how the spam business works. So typically you go out and you buy a bunch of addresses. It's handled by a spam broker.
So again, 10 years ago, you might have done the spamming yourself, but now you don't need to worry anymore. You can outsource the whole thing. So what you do is you go to a spam broker. You buy a certain amount of spamming credits. And, you know, you can either buy credits so they do the spamming for you, or you can buy a botnet and do the spamming via a botnet. And once the target MTA accepts the spam, your credit is then deducted. So what happens is they have their various distribution networks, open proxies, relays, botnets, compromised PCs, whatever you want. They send you software. You stick it on your machine. You then feed your spam into that. It goes out to the spam broker's machines, their botnets, their relays, whatever, and goes out. And then you get charged once the spam is accepted by the target machine. And for example, you have your various methods of obscuring that. If you've got a botnet of, let's say, 10,000 nodes, then 1,000 nodes fire up and spam as hard as they can for a minute, then they shut down again. Another 1,000 nodes fire up, spam, shut down again. So they're never around for long enough, and they're never around consistently enough, for you to track down any one particular machine and shut it down.

The carding business works basically the same way. You get prices that are published but are subject to private negotiation. Again, these are sample prices. Oh, sorry, these are actual real prices, but there's a huge variation in price ranges. So you can negotiate discounts. If you know where to go, you might get cheaper prices, better prices, discounts, bulk discounts, whatever. Typically, you buy a dump, which in carder jargon means the dump of the mag stripe from the back of the card, which is basically everything you need to loot out the card account. And again, you can get bulk discounts, because the people doing this are, well, crooks. You need to look out for rippers. Basically, guys who grab your money and vanish with it.
So typically, the IRC nets have a channel called Rippers or something equivalent. And it's basically an eBay-style reputation system. So you go to eBay and you can say, I've dealt with this guy before and it was okay. You go to some of these IRC channels and you get something saying, you know, I just bought 10,000 cards off this guy and they're all fine. So they've got their own built-in reputation system for this. IRC bots doing card checks. I'll skip through this. IRC bouncers hiding this stuff. So, yeah, basically, again, you can't really go after any particular IRC servers, because they've got proxies running on compromised PCs, and they bounce it through compromised PCs. So you trace all this stuff back and it doesn't come back to some central, you know, high command. You just trace it back to grandma's compromised PC.

Once you've got the funds out of credit card accounts, you move them into drops, which are basically bank accounts used to launder funds. So crooks really, really like online banking, particularly if it's using someone else's bank account. So what they do is they use compromised bank accounts to launder the money. And the final step of the thing is you've got cashiers, who basically cash out the contents of the drop. The typical going rate for a cashier is about 50% of the income. So you've got $10,000 in an account. They'll cash it out. They'll keep $5,000 and they'll give $5,000 back to you. And it's pretty much like an open labor market. And again, these are some examples. And these things tend to come and go, so I don't know if any of these are still current, but labor works when I was doing the slides. And so you get an offer like, for example, I need someone to fill up Hotmail boxes with spam, and I'll pay out of the profit of the carding that I get out of that. Here's an example from CarderPlanet, which as far as I know is shut down now.
And these are basically just, you know, standard ads of people advertising the sort of stuff you can buy there. And it's complete, you know, card information, verification details, everything you need, credit cards overseas. This one's a lot more interesting. So these guys are advertising change of billing for credit cards. So one of the things that credit card vendors are doing, or effectively doing via merchants, is they're saying we will only ship to the billing address of the card. That's kind of the last line of defense. Obviously, if you get 1,000 video cameras and you ship them to Eastern Europe, that's kind of fraudulent. So the way to lock that down is to say you have to ship it to the billing address of the card. Well, if these guys can do change of billing, which means they change the billing address of the card to anything you want, that means they've defeated that mechanism as well. And you can pretty much choose whatever you want. You want platinum cards, okay, you can grab those. Because they're selling compromised accounts, they can sell you eBay accounts, and you can say I want an account with, let's say, 1,000 positive feedbacks that's been around for 10 years. So people are going to trust this account, so they can run your scam through that account. So you can buy specifically those accounts rather than some newly opened eBay account, active PayPal accounts. Well, you can read the rest anyway. And they'll sell you the complete service, they'll sell you drops, they'll sell you, for example, carded FedEx accounts. So when you're using your credit cards, or the stolen credit cards, to buy goods, you obviously don't want to pay to get them shipped either. So you can get carded FedEx accounts to FedEx them out and get them resold. Oh, yes, so there's an example there. And basically you can buy anything you want, social security numbers, anything you need in order to verify that you are the legitimate owner of this credit card.
And as with the Russian guys, you know, when you sign up you get free trials. Some of this thing, you know, like Citibank cards, five cards, change of billing so you can get it sent wherever you want, with $5,000 credit on the card. That's simply the free sign-up. That shows how easy the access is to the stuff, how much of the stuff there is floating around, if they can afford to give away these credit cards with $5,000 lines of credit on them, just for free, as a free trial.

So, okay, I mentioned the obvious fraud. You know, you get 25 PCs shipped to Eastern Europe. Obviously that's not going to work anymore. There are far easier ways to actually monetize the information. One way of doing it is you take a legitimate company that doesn't do any online trading at the moment. Some, you know, Granny's Flower Shop, who knows where. And you set up credit card processing on their behalf. So, if anyone checks, they've got this legitimate, established business, Granny's Flower Shop; it's been around for 20 years. Granny's Flower Shop doesn't even know that you've set up this credit card billing on their behalf. Therefore, they can't detect that there's any fraud. And you can carry out fraud for as long as you want, or at least until the account gets shut down. And there's commercial pre-internet crime that's been done for a long time. For example, something called triangulation. You advertise a digital camera, for example, on eBay. It's a $1,000 camera. You advertise it for $800. It's an unwanted gift. You use a stolen credit card to buy it and get it sent to the victim's address. They send you the money. So, you've basically used them as a proxy for money laundering. And you can monetize absolutely everything. The obvious ones are credit cards, banks, and so on, and so forth. Less obvious ones are things like stock brokerage accounts.
So, there's lots of pump and dump scams where you've got to spam out your pump, or your pump part of the thing, to people and convince other people to buy your useless stock. Well, there's a much easier way of doing this. You break into someone's stock brokerage account. You dump all the IBM and Shell and whatever stock and use it to buy your useless stock. And so, basically, that converted all the expensive valuable stock into absolutely useless stock and you're at the same time selling it. So, you've used this as a kind of proxy, again, for converting your useless stock into money. Yeah, good point. Oh, okay. So, yeah, the comment was it also works for retirement accounts. Yeah, so there's a whole pile of stuff that normally you can't directly monetize. And this is kind of a monetization by proxy. You can also use it for click fraud. So, and again, I assume click fraud is reasonably well known. So, basically, you're getting paid per click. So, what things like Google does, this is kind of nasty moral hazard in here. I mean, the more clicks you get, the more vendors get paid, even things like Google. So, what Google does is they resell their ads to these very gray market sites, which are things like domain parkers. And they'll just get a parked domain, fill it up with stuff, and then you click on that and sure you get paid a lot less, but you're still getting paid for each click. So, you have botnets and whatnot. And these are things like pay to click or pay to read rings, which are sites where you sign up and you just get paid to sit there and click on ads all day long and you get a certain amount. And obviously, the person, the middleman, gets a certain amount as well. So, it's another way of monetizing accounts and monetizing information. So, these are some examples of spam technical mechanisms. And I'll skip this. So, further on, I'll get into some of the cool stuff that malware does and some of the level of sophistication of some of this malware. 
But this is just some examples of the spam industry. Some examples of hosting. And again, I'll skip this. It's not terribly interesting. You can read the slides. One thing that spammers really like doing is compromising routers. So, the thing is you compromise an end user PC and you get one single IP address and that's it. You compromise a router and you get not just that router's address range, but via BGP, you can basically, you know, feed other routers and do whatever you want. So, you know, for example, you send out a route update saying, we're now responsible for this apparently unused block of address space. And within five to ten minutes, the entire internet thinks that that router is responsible for that address space. You then take the first address in that space and you spam like mad for as long as you can until it gets blacklisted. You take the second address in the space, you spam like mad and you basically burn through the entire address space, one address after the other, sending out as much spam as you can. And there's various other ways of doing it. There's this kind of, you know, you can advertise a very huge net block. And the way it works is the more specific prefixes within that net block will remain within the control of the owners. Any leftover gaps will be yours. And so, again, you get this chunk of IP addresses that you can burn out for sending spam or doing malware hosting or whatever. Okay. Yeah, the standard thing. You break into someone else's PCs to do it. So, one of the things with this, you know, the value of a router versus the value of an individual PC, you can see the black market value of some of these systems. A Cisco router typically will sell for about $5. And you go down to a single individual compromised PC and it's too cheap to meter. I mean, seriously, these things are so easy to get. You buy them in lots of 1,000 or 10,000 because you can't price an individual one. 
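The two BGP tricks just described, announcing an apparently unused block and announcing a large covering block whose gaps fall to the announcer, are both visible from the route table if an operator compares what collectors see against an inventory of the prefixes it owns. The following is an added example written for this transcript, not code from the talk or its slides: the prefixes, AS numbers, collector names and allocation list are all constructed, and the classifier labels each announcement as a plain origin hijack, a more-specific hijack, a covering supernet, or an announcement of space that nothing in the constructed allocation list covers.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Announcement:
    """One BGP route as seen by a route collector (constructed sample format)."""
    prefix: str
    origin_as: int
    collector: str


# Constructed inventory: the blocks this operator owns and the AS allowed to originate them.
OWNED = {
    "198.51.100.0/24": 64500,
    "203.0.113.0/24": 64500,
}

# Constructed allocation list: anything overlapping none of these is treated as
# unused space, the kind of block the talk describes being squatted for spam runs.
ALLOCATED = [ipaddress.ip_network(p) for p in
             ("198.51.100.0/24", "203.0.113.0/24", "192.0.2.0/24")]


def classify(ann: Announcement) -> str:
    """Label a single announcement relative to our inventory."""
    net = ipaddress.ip_network(ann.prefix)
    for owned, asn in OWNED.items():
        owned_net = ipaddress.ip_network(owned)
        if net == owned_net:
            # Same prefix, different origin: plain origin hijack.
            return "ok" if ann.origin_as == asn else "origin-hijack"
        if net.subnet_of(owned_net):
            # A more specific wins longest-prefix match everywhere it propagates.
            return "ok" if ann.origin_as == asn else "more-specific-hijack"
        if net.supernet_of(owned_net) and ann.origin_as != asn:
            # Covering supernet: our /24 keeps its traffic, the gaps go to them.
            return "covering-supernet"
    if not any(net.subnet_of(a) or net.supernet_of(a) for a in ALLOCATED):
        return "unallocated-space"
    return "foreign"   # someone else's allocated space; not ours to judge here


def suspicious(announcements):
    """Return (prefix, origin, label) for every announcement worth an alert."""
    out = []
    for ann in announcements:
        label = classify(ann)
        if label not in ("ok", "foreign"):
            out.append((ann.prefix, ann.origin_as, label))
    return out


# Constructed route updates; the hijacks are invented for illustration.
SAMPLE = [
    Announcement("198.51.100.0/24", 64500, "collector-1"),   # legitimate
    Announcement("203.0.113.128/25", 64666, "collector-1"),  # more specific from a foreign AS
    Announcement("198.51.100.0/24", 64666, "collector-2"),   # same prefix, wrong origin
    Announcement("203.0.0.0/16", 64666, "collector-2"),      # covering supernet
    Announcement("100.64.0.0/10", 64666, "collector-2"),     # nothing in our allocation list
    Announcement("192.0.2.0/24", 64501, "collector-1"),      # someone else's space, left alone
]

if __name__ == "__main__":
    for row in suspicious(SAMPLE):
        print(*row)
```

The allocation list is the weak part of this check in practice: the talk's first trick only works because real registries leave blocks unassigned, so an operator can only alert on its own space with confidence and needs an external feed to judge everything else.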
Unix boxes, on the other hand, are worth a bit more. They're worth, in some cases, almost as much as a router because they've got all the tools in there to effectively turn the box into a router. So, you're buying a proto-router that you can then turn into a router. So, the value is a lot higher than the value of a single Windows PC. Okay, typical examples. I've already mentioned this for control links. This is how these things were being run a couple of years ago. So, it's all done via IRC. And again, these are done via bouncers, IRC proxies. So, you can't actually trace it back to one single server. There's a neat example there of a piece of malware. And if you read the text, it looks exactly like a standard legitimate piece of software. You know, it provides a subsystem for a versatile Internet technology deployment across multiple systems. It doesn't actually mention malware, but basically that's what they're saying. This is a malware distribution system, but it's advertised as if it was some, you know, white hat, useful piece of software. So, there's an interesting comment from the RAND Corporation. One of the studies that led to the creation of the Internet saying that basically we can build incredibly reliable networks through the use of redundancy. This is from 1960. And the malware authors know this. And so now they're going almost exclusively to peer-to-peer based botnets. And thanks to the, you know, the sterling efforts of the MPAA, they've actually, you know, sort of trained up this generation of people who are good at building really, really good P2P systems that are very, very difficult to shut down. And so obviously the malware authors are using the same P2P technology to build malware botnets that are very, very hard to shut down. So, here's an example. This is from a couple of years ago, but I've used this one because it's very widely available. This has spawned an entire generation of other bots. 
A lot of the earlier ones were really badly written and buggy and so on and so forth. This is extremely well-written. It's cross-platform. It's modular. It's GPL. It's basically, you know, it's a nice piece of software. I mean, it's malware, but it's a nicely written piece of malware. So, this has spawned vast numbers of other bots based on this. It's actually very hard to count them because there's so many little variations. There could be hundreds or thousands of these things. And they will be extended in different ways. So, it's pretty much what you expect, you know, packet sniffing, rootkit, whatever it was, keyboard interception. And it's script-driven. So, there's a typical example of some of the commands you can tell this thing. So, basically, you can say, go out and harvest a bunch of email addresses, or alternatively, buy it, get a pre-harvested list of addresses maybe that you've bought from a spam broker. Create an email message template, so, dear, insert name here, and so on and so forth. So, basically, just fill in the blanks. And then just start spamming via this Agobot botnet and stop spamming. So, it's completely script-driven. And some of these things have been extended to use macros. So, you don't have to even type in all of this stuff. You just have a little macro command language, and that does all of it for you. And, yeah, there's a whole bunch of additional commands, which I won't go into. One of the neat things that these things do, this is one of the evolutions of Agobot. It does things like unsecure commands. So, Microsoft finally started shipping vaguely secure versions of Windows where they've closed down public shares and DCOM and so on and so forth. So, what this unsecure command does is it undoes all of that. So, it turns on all the insecure defaults again that used to be in Windows a couple of years ago. And there's various other things. For example, you can download initial add-on bits for the bot from other sites. There's an HTTP visit. 
So, occasionally you'll get someone saying that, you know, I used this PC, but I didn't like download all the sheep porn that's on it. It must have been someone else. Well, with this botnet, you can actually do that. You can go into someone else's machine and download a whole pile of porn on that machine and then, presumably, they get blamed for it. That's more of a malicious thing. Most of this stuff is commercially driven, so they're not really interested in doing that. They're interested in being as unobtrusive and undetectable as possible. There's one called Spybot. Again, this is a variation of this, but it's more towards spying. Again, some common examples of what spamware and worms do, SOCKS proxies. Basically, they just enable spamming. I'll get onto some of the more interesting ones, your pay-per-click fraud. So, I've already mentioned this sort of distributed spam bots where you get 10,000 machines and a couple of them spam at a time. It's the same thing for websites. Obviously, if you've got a spyware or malware website, you can't have one single server because that's going to get taken out. So, what they do is they use reverse HTTP proxies. So, you've got, again, the botnet of 10,000 machines and they're acting as a reverse proxy. So, you've got this basically distributed fault-tolerant website. For maybe a couple of minutes, there'll be 1,000 machines active acting as this virtual web server. They shut down, another 1,000 fire up and act as a virtual web server. They shut down and so on. And there's an example of the samig math worm, for example, changed its website, meaning its virtual website, every 10 minutes. So, it's basically like frequency hopping or spread spectrum. You can't trace it back to one individual source. Standard thing is you disable antivirus software. You disable firewall software. You bypass firewall software. And there's various tricks, for example. 
One neat trick is lots of firewall software will check things like the ntoskrnl system memory image. This is all, all the stuff refers to Windows-based stuff because that's where it's all been done. So, you can walk the ntoskrnl system memory image and patch yourself in underneath the firewall. That's the obvious one. Much less obvious one is you page your own private copy of this thing in from disk. So, the firewall is very carefully sitting here watching the legitimate copy, making sure nothing happens to this. There's a second shadow copy sitting down here which is doing all the work. And the firewall software doesn't even know that this other copy exists. Yeah, the standard one, again, with antivirus software. You modify the antivirus database so it can't detect you anymore. And there's some neat variations on this which I'll get into in a minute. So, I've already mentioned you enable unsafe defaults. Lowering browser security settings. So, again, this is the first, I think it was the first sort of pop-up virus that was written, mytile, written by Diablo. And that guy was actually being paid for each pop-up delivered. So, all that thing did is it went in, went into Internet Explorer, enabled unsafe defaults, so pop-ups would keep coming in. And this guy was paid for each pop-up delivered. So, some of them are more interesting and cool tricks that some of these do. Some of these are only proof of concept. Some of them are actually deployed in the wild. A fairly standard one is you run multiple instances of yourself or multiple threads. So, you inject a thread into each process running on the Windows machine. So, the antivirus software can't really kill it anymore because it's running inside Word, inside Internet Explorer, inside Notepad, inside everything else. And these processes all monitor each other. If one of them gets killed, the others come in and resurrect it. 
So, these are basically unkillable because the antivirus software can't simultaneously kill every single process on the system. As long as there's one single process infected still running, it can resurrect all the others. There was one, this is a proof of concept, a virus called RDA Fighter, which actually used error-correcting code to repair itself. This is really creepy. I mean, if you're investigating this stuff and you go in and you maybe patch out some of the malicious payload, and the thing runs and it's repaired itself, and it keeps running the malicious payload, even though you think you've patched it out. That's kind of an extreme. That was done as a proof of concept. It's way excessive. So, you don't generally need to do that in actual deployed stuff, but that's an example of how sophisticated some of these things are. Some of the earlier virus checkers and, you know, integrity protection programs would use CRC32s. Well, the problem with CRC32s is that they're okay for detecting accidental corruption. They're pretty much useless for detecting deliberate malicious corruption. You can take a file with a CRC32 checksum and modify a part of it, and make sure the checksum remains the same. So, there are viruses that will infect right through a CRC32 checksum. So, your virus checker is sitting there. It thinks the file hasn't been modified and it's actually been infected by the virus. Again, this one was from a while back. There are viruses that will engage users in chat sessions to convince them that this isn't malware. So, you know, hey, here's this cool file. Try and run it. Is this a virus? No, it's not a virus, trust me. And, you know, the typical sort of AOL sort of level of interaction that it's not that hard to actually fake a human user. So, you can actually talk people into running this malware. And variations of this is you rewrite users' email. You rewrite the contents of users' chat sessions to inject the virus into the chat session. 
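The point about CRC32 comes down to algebra: a CRC is affine over GF(2), so the effect of any change on the checksum is predictable, and a file that carries its own CRC32 at the end always checks to the same constant no matter what the body says. The block below is an added example for this transcript, not code from the talk; the key and file contents are constructed. It verifies the affine identity on sample data, shows two different "files" that CRC32 cannot tell apart, and puts a keyed HMAC-SHA256 beside the CRC as the integrity tag a scanner should be computing instead.

```python
import hashlib
import hmac
import zlib

# Constructed key for the keyed check; a real deployment keeps it off the scanned host.
DEMO_KEY = b"constructed-demo-key-not-for-reuse"


def crc32(data: bytes) -> int:
    return zlib.crc32(data) & 0xFFFFFFFF


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def crc32_is_affine(a: bytes, b: bytes) -> bool:
    """CRC32 is affine over GF(2): crc(a ^ b) == crc(a) ^ crc(b) ^ crc(zeros of the same length).

    That predictability is why the talk rates CRC32 as fine for accidental
    corruption and useless against deliberate tampering.
    """
    if len(a) != len(b):
        raise ValueError("the identity is stated for equal-length inputs")
    zeros = bytes(len(a))
    return crc32(xor_bytes(a, b)) == crc32(a) ^ crc32(b) ^ crc32(zeros)


def with_crc_trailer(body: bytes) -> bytes:
    """Append the body's own CRC32 (little-endian), as many file formats do.

    Every such file has CRC32 0x2144DF1C whatever the body contains, so two
    different files collide with no searching at all.
    """
    return body + crc32(body).to_bytes(4, "little")


def integrity_tags(data: bytes, key: bytes = DEMO_KEY) -> dict:
    """The weak tag beside the keyed tag a scanner should rely on."""
    return {
        "crc32": crc32(data),
        "hmac_sha256": hmac.new(key, data, hashlib.sha256).hexdigest(),
    }


def same_crc_different_hmac(a: bytes, b: bytes) -> bool:
    """True when CRC32 would call the two files identical but HMAC tells them apart."""
    ta, tb = integrity_tags(a), integrity_tags(b)
    return a != b and ta["crc32"] == tb["crc32"] and ta["hmac_sha256"] != tb["hmac_sha256"]


if __name__ == "__main__":
    original = with_crc_trailer(b"original program text")   # constructed file contents
    modified = with_crc_trailer(b"modified program text")
    print(hex(crc32(original)), hex(crc32(modified)))
    print(same_crc_different_hmac(original, modified))
```

The HMAC only helps if the key is not readable by the code being checked; a keyed tag computed with a key sitting next to the database is no better than the database patching the talk describes a few sentences earlier.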
So, I'm sitting there chatting to you and the virus injects itself into my chat session. So, as far as the other side can tell, it's talking to me. There's just a bit of extra stuff coming in, which is the virus that's propagating itself out to your machine. Again, various bits and pieces. Ah, sorry. So, this is an example of how sophisticated some of this stuff is. If you look at the sort of, let's say amateur-written viruses, the non-commercial stuff that was around 2000, 2001, this stuff was really badly debugged. It only worked on one particular platform. It was kind of flaky. This is a commercially written virus. Again, this Gozi one that's been around. That's been sort of creeping around for about the past six months or so. So, what this does is it registers itself as a layered service provider under Windows and it uses that to see through SSL because the SSL level lives below the LSP level. So, it gets the data that's coming out of the web browser before it gets into the SSL layer. The thing is it doesn't just assume that that's going to work. It actually tests it. So, what you've got is you've got the main Gozi infection running on your machine. It goes out to the server and gets some bogus HTTP data. It's random garbage. It doesn't really matter. It's just information like go to this bank and send in this username and password. It then pushes it through MSIE and it goes down to the layered service provider and it feeds the result back to the Gozi main program and it compares the two. And if what it pushed in through Internet Explorer is what comes out through the layered service provider, it knows that it's basically bypassed SSL. So, it's getting at the data before it goes into the SSL layer and that it can then see any information that goes into that browser that's normally protected via SSL. The Trojan can actually pull it out before it gets to the SSL layer. So, this doesn't just install stuff and hope it works. 
It actually runs these fairly sophisticated configuration tests and self-tests to make sure that the malware is actually working. If the self-test doesn't work, it simply shuts itself down. So, it's effectively not there anymore for the purposes of things like virus scanning and integrity checking. And again, this sort of monoculture thing that if everyone uses the Windows built-in SSL layer, then everyone's vulnerable to this particular attack. If your application carries its own SSL around with it, it's not vulnerable to this LSP injection and so it's not vulnerable to the attack. This is another thing that's been happening within the last maybe month or two. You may have seen this, if you check your spam email, you may have been getting password resets from Amazon and eBay and PayPal and whatnot. There's some malware out there and people are still trying to figure out what it is, which goes into these sites and performs password resets on your behalf. So, the typical reset process, and this is basically the fault of the people running these sites, you go to somewhere like Amazon. If you can post in an email address, that's all you need to do to get a password reset. And then if you're controlling the user's machine, you sit there and monitor incoming email for something from Amazon.com. That gives you a cookie that you paste into a web browser and you've now got access to that person's account. You don't need phishing. You don't need password stealing at all. All you need is the ability to do a post to a web page and to get back the resulting mail via malware running on the user's machines. Anyone from Amazon or PayPal or anything sitting in this room, for God's sake, put a reverse Turing test or CAPTCHAs on your password reset facilities because basically at the moment these sites are all handing out not necessarily passwords but account access to anyone who can run this kind of stuff. Yeah, obvious things. 
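What the speaker is asking the site operators for can be written down as a small piece of server-side logic. The following is an added example for this transcript and is not code from the talk or from any of the sites it names; the CAPTCHA verification callback is a hypothetical stand-in for whatever reverse Turing test the site uses, and the clock is injectable so the expiry behaviour can be exercised offline. The reset request is refused unless the challenge was answered, is throttled per account, and the token that reaches the mailbox is single-use, short-lived, stored only as a hash, and never echoed back in the HTTP response, so a bare POST from malware on the user's machine gets nothing out of the site.

```python
import hashlib
import secrets
import time
from collections import defaultdict
from typing import Callable, Optional

TOKEN_TTL_SECONDS = 15 * 60      # reset links die quickly
MAX_REQUESTS_PER_HOUR = 3        # per account; throttles automated resets


class ResetService:
    """Password-reset front end that refuses to act on a bare POST.

    captcha_verify is a hypothetical callback returning True only when the
    challenge the user answered checks out; clock is injectable for testing.
    """

    def __init__(self, captcha_verify: Callable[[str], bool],
                 clock: Callable[[], float] = time.time):
        self.captcha_verify = captcha_verify
        self.clock = clock
        self._tokens = {}                      # sha256(token) -> (email, expiry)
        self._requests = defaultdict(list)     # email -> request timestamps

    def request_reset(self, email: str, captcha_answer: str) -> Optional[str]:
        """Return the token to put in the mail, or None if the request is refused."""
        # 1. The reverse Turing test comes first: malware doing a POST has no answer.
        if not self.captcha_verify(captcha_answer):
            return None
        # 2. Per-account throttle, so a bot cannot spray resets at an inbox it watches.
        now = self.clock()
        recent = [t for t in self._requests[email] if now - t < 3600]
        if len(recent) >= MAX_REQUESTS_PER_HOUR:
            self._requests[email] = recent
            return None
        recent.append(now)
        self._requests[email] = recent
        # 3. High-entropy, single-use, short-lived token, stored only as a hash
        #    so a read of the database cannot be turned into a working link.
        token = secrets.token_urlsafe(32)
        digest = hashlib.sha256(token.encode()).hexdigest()
        self._tokens[digest] = (email, now + TOKEN_TTL_SECONDS)
        return token   # goes into the e-mail only, never into the HTTP response

    def redeem(self, token: str) -> Optional[str]:
        """Consume a token; return the account it unlocks, or None."""
        digest = hashlib.sha256(token.encode()).hexdigest()
        entry = self._tokens.pop(digest, None)     # pop: a link works exactly once
        if entry is None:
            return None
        email, expiry = entry
        if self.clock() > expiry:
            return None
        return email


if __name__ == "__main__":
    # Constructed walk-through: a bot's POST is refused, a human's request works once.
    svc = ResetService(captcha_verify=lambda answer: answer == "human")
    print(svc.request_reset("user@example.com", "bot-guess"))      # None
    link_token = svc.request_reset("user@example.com", "human")
    print(svc.redeem(link_token))                                  # user@example.com
    print(svc.redeem(link_token))                                  # None: already used
```

None of this stops an attacker who controls the mailbox and can also answer the challenge, which is the speaker's point: the CAPTCHA only keeps the unattended malware from driving the reset on its own.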
You prevent antivirus software and malware removal programs from running. There's a bunch of standard ones. And there's some more inventive ones. Oh, actually another interesting thing that the Gozi Trojan does is it steals client keys and certificates. So, currently there's this sort of theory that client certificates on PCs are supposed to protect us from this. The problem is client certificates are so hard to use and so painful to use that no one bothers with them. And even if they did, there's a Trojan that steals your private keys and certificates off your machine. So, the scary thing about this is that the Trojan that steals these keys is probably more widely used and widely deployed than the actual client certificates themselves are. So, you know, this is like a minus one day attack, we've lost before we've even started. So, here's an example of a Trojan. Again, this is from a while back. This thing called the Glieder Trojan. And this worked in multiple phases. So, phase one was this very fast, or actually a bunch of very fast deploying variants. So, basically zero days. They came in extremely quickly, very, very tiny, very compact, came in under the AV software and they disabled the Windows XP firewall and security center. That's all they did. They had no other function. So, because they were very small, fast moving, zero days, they couldn't be detected and they turned off the first line of defense. That then deployed the second phase of this thing. It connected to a bunch of URLs and it downloaded this piece of malware which was a bit more sophisticated. It was larger. But once the first line of defense is gone, you could get in through that hole and that then turned off the antivirus software and various other protection measures. It also blocked access and again, this is a standard thing, a lot of malware does. It blocked access to Windows updates. So, once you're vulnerable, you can't fix it anymore. 
And it blocked access to antivirus vendor sites and again, you can't update your antivirus database so you can't detect the stuff afterwards. And finally, there was this thing called Mitglieder which was phase three and that was the actual malware which did the usual botnets and password stealing and so on and so forth. And again, this has become reasonably standard. You've got this multi-phase bootstrap approach. So, you've got a very fast moving zero day and that then opens the gates and then more and more serious stuff comes in after that. So, you know, people have said SQL Slammer, that was 376 bytes. How can something that tiny be a threat? You can't put, you know, a botnet into 376 bytes. The answer is you don't need to. All you need to do is open the door for the really scary stuff to come in afterwards. And some of these things are incredibly complicated. These things, you know, like Glieder was an example that uses a three phase infection strategy. Some of these things use 10 to 15 phase infection strategies. I think not so much because it's necessary, but mainly because it is commoditized. And so, you have different vendors providing different parts of this. So, you have someone that provides zero days and someone that provides the next level of bootstrap and someone that provides the password stealing. And so, you buy it all from different vendors and each vendor that you deal with adds another phase to this process. Here's a vague idea. I tried to do a diagram of this and I ended up with this whole A4 page full of arrows with spaghetti all over the place of a typical infection. So, this is way too complicated to actually diagram, but that's a very simplified sort of flowchart of how this happens. So, you've got basically a bunch of bait and spam sites with, you know, porn or free, cheap AFE's or whatever it is to get the people in. 
They then go through redirect sites that go to another layer of sites that have the actual exploit. So, there's zero days that come in and open the doors. And then finally, there's downloaders and then the actual adware and spyware and malware that does everything else. So, this is an example of this sort of multi-phase bootstrap where you go to one site and then you get pushed through this entire chain and get this entire industry's worth of malware loaded onto your machine. So, this is an example of one particular worm. This is from a couple of years ago. This was, I think this was the first worm that used encrypted modules. So, basically, they used encrypted modules and they were digitally signed. So, this is, I think Windows Update digitally signs it, but it doesn't encrypt it. So, this is, you know, more sophisticated than Windows Update, which is itself relatively sophisticated. And it had this thing called a programmable virus. So, you had this kind of a mothership that went in and it didn't actually do much itself. All it did was act as a loader for plugins. So, it would go out and it would fetch the appropriate plugins for that machine or the attack that the person was carrying out. And these were the signed encrypted plugins from different sites. And that would then carry out the payload attack. And there's basically a shopping list. Because there were a wide variety of plugins, you could pretty much do anything you want and provide the appropriate plugin for it. Yeah, different auto-start mechanisms. So, one interesting thing, there's a piece of malware called WGA, which pops up this message under Windows, demands payment of money or it'll disable your copy of Windows. So, people are actually exploiting this. There's some malware that fakes that out and says, you know, enter your credit card details here or your copy of Windows will be disabled. Love Microsoft. 
So, they're taking the official Windows mechanism and they're actually pretending to be that to steal people's credit card details. One interesting thing, again, these are sort of more just illustrations of some of the creative things these guys are doing. One of the things is if you've got malware on a machine, obviously you don't want someone else's malware sitting there chewing up CPU time or network bandwidth or whatever. So, one of the things your malware should do, if you can get away with it, is remove competing malware from the system. So, there's a trojan called SpamThru. And what that does is it takes a pirated copy of Kaspersky antivirus. And the reason it takes Kaspersky is that most of the malware authors tune their viruses to not be detected by any of the mainstream ones like McAfee and so on and so forth. So, they're pretty much useless in detecting viruses. Kaspersky is not a mainstream product, so nobody tunes their viruses to not be detected by it. So, it's very good at detecting viruses. So, they'll take Kaspersky, an unregistered copy. They'll patch the in-memory license check code and then they'll just run it and use it to remove everything but themselves from the system. So, they're guaranteed a very clean machine. And there's companies like, for example, Direct Revenue. And they actually have a separate division called Dark Arts which is dedicated to removing everyone else's malware from the system. So, you get the Direct Revenue malware but no one else's. There are ones that record geolocation information. We don't know exactly why they do this yet. The theory is that for critical purchases, if you've got a credit card that's registered in, say, New York and suddenly you're buying a whole bunch of stuff in LA, then it may be detected by anomaly detection software that's being used somewhere a long way from where it's registered. So, there are viruses that do geolocation information. 
So, the theory is, as far as we can tell, maybe they're doing this stuff just because they're interested and because why not? I mean, they're not paying for the bandwidth. They're not paying for the service, so why not? But you could also use this to defeat anomaly detection. So, if you've got a botnet, you make sure that you're carrying out the credit card fraud from a location close to where the credit card owner actually lives, and that defeats this location-based malware detection, or this fraud detection. Yeah, various things. So, here's an example that detects that... This is actually kind of a neat one. So, this hijacks Windows updates. So, the thing with Windows updates is they always have to get through. Obviously, you can't firewall or block off Windows updates. So, if you've hijacked Windows updates, then you've got a virus propagation mechanism that can't be stopped because no firewall will prevent Windows updates from working. So, there are ones that do that. Okay, various bits and pieces. So, this is an example, again, of an identity theft trojan and rootkit stuff. One of the neat things this one does, it's all standard rootkit stuff, but it has one kind of neat trick that it does. If antivirus software tries to terminate it, what it's doing is it's sitting in the system because it's a rootkit. It's underneath the antivirus software. So, it swaps the process handles of itself and the antivirus software. So, the antivirus software terminates it. It swaps the process handle, and the antivirus software terminates itself rather than terminating the malware. These guys have a sense of humour. And there are ones, you know, they're context aware, for example. They'll hook into your browser, and they'll recognise. They won't just send back information about any old rubbish you're surfing because they're really not interested. They're interested in banking sites. 
So, they'll recognise strings like trading and merchants and banks and so on and so forth, and only record information related to that. And again, these are some examples of the trojan that did that and the information they got from that. Standard rootkit mechanisms. More rootkit. Again, I've just listed these for completeness. So, RDA Fighter, which I mentioned earlier, that was the first one that used error correction codes. It also did something called randomized decryption, which, these are basically, you want to create a virus that can't be detected by any kind of standard virus scanner. So, on the outer layer, they're always polymorphic. So, basically, there's no standard pattern to search for. The inner layer, typically, is encrypted. What RDA did is it encrypted it with a random 16-bit key. So, it had to brute-force break its own encryption in order to run. The thing is for the virus, that's fine. It's running on someone else's machine. It's an X gigahertz Pentium 4. It can race through that in no time at all. For a virus scanner to brute-force theoretically present encryption on every single executable that it has to scan is more or less unworkable. So, this is something where the load for scanning becomes so high that it doesn't become effective to scan for it anymore. So, because of polymorphism, the way virus scanners work today, no one scans for fixed patterns anymore. You basically run this thing inside a sandbox, so inside an x86 CPU emulator, and you either check for certain behavior. For example, if you're rewriting your own code, then that's not Microsoft. Thanks. If a program starts up and starts rewriting its own code, that's not Microsoft Word starting up. That's something very peculiar. So, there's a good suspicion that that's a virus. Or you wait till it's fully decrypted itself, and then you can scan for the malware payload. And so, what current scanners do is they use behavioral analysis. 
And there have been viruses written specifically to defeat this, one from Russia called Zmist, which luckily is a proof of concept that hasn't been deployed. And that requires about 2 million code cycles to detect reliably. So, now you consider, okay, 2 million code cycles again on a modern P4, that's no problem. Well, you actually have to run this inside an emulator. Obviously, you can't run the virus natively on the CPU. So, you multiply that by about a factor of 100 because it's running inside software emulation. And then if you've got 10,000 files on that system, again, you multiply by a factor of 10,000. So, basically, this is an undetectable virus. You cannot effectively scan for this virus because it would take about six months to scan one machine. And, you know, you talk to antivirus vendors, how do you detect this? Well, we just hope it doesn't get into the wild because at the moment we have no strategy for detecting this, or no effective strategy for detecting this. And so, you know, again, there are various ways of getting around this. So, obviously, if you've got viruses that decrypt themselves, then the access pattern is going to be, you start in the code segment, you run right through it, decrypting it, you go to the end and then you execute that code. Very easy to detect. So, there are ones that use, for example, maximum sequence random number generators. So, they randomly jump all over memory, decrypting a byte at a time. So, you've completely covered up any memory access patterns. So, the virus software can't detect any more that that's decrypting a linear chunk of code. All it's seeing is a bunch of random memory reads. A much simpler technique than what Zmist used is you simply only run the virus a certain percentage of the time. So, there's a virus called Etap, or Simile. And the guy that wrote this has this particular thing he likes doing, which is you read the timestamp counter on a Pentium. 
And based on an effectively random bit down towards the low end, you either run the virus or you don't. So, you can say 50% of the time when this virus starts up, it will behave like a virus. And 50% of the time, it will behave like a completely normal, non-malicious piece of software. So, once you've infected 100 different files on the machine, again, it's effectively impossible to scan for this because you'd have to scan and rescan and rescan this thing hundreds of times in order to actually trigger the virus behavior in the worst case. Obviously, if I say read timestamp counter, yes or no, that sounds very simple. Well, this is obviously polymorphic and infinitely obfuscated. So, you can't just check for that particular code sequence. So, again, that's another way of creating a virus that really can't be detected or can't be scanned for. And antivirus vendors actually know this. I mentioned earlier that, actually, there's a quote there from, well, he doesn't actually mention this most popular brand, but you can probably fill in the blanks yourself. And they typically have an 80% failure rate for detecting viruses. Not so much because they're junk, but because the people writing the malware are actually getting the commercial vendor software and they're tuning their malware so it doesn't work. It's not detected anymore. And antivirus vendors, in some cases, you can perform online scans. So, what this does is you go for a trial thing or it makes sure you've got the latest antivirus software by using the online version. And then there's people coming in and connecting and running some code against it that detects as a virus. Slight variation comes in, slight variation comes in. Eventually, something comes in that isn't detected as a virus anymore. And that's basically malware authors tuning the code to not be detected by the virus scanners anymore. 
And there's other rootkit vendors where, again, this is a service, so you can pay the rootkit vendor to make their thing undetectable. So you buy the basic rootkit and then you pay them a certain amount and they guarantee that this version customized for you can't be detected by these brands of antivirus software. Hacker Defender, this is an older one. I provided this as an example because this was, I think, one of the first ones that actually exploited this commercial model and sort of malware as a, well, in this case, just rootkit as a service. It's not updated anymore because as far as anyone knows, this guy was killed in a traffic accident on New Year's Eve 2007. However, he has basically proven the business model and now lots of other vendors are doing the same thing. Yeah, okay, so that's the comment. HangUp Team being the one. These are the guys who did the Gozi Trojan. That's another group that does basically malware design. Okay, and the rest of it is just generic stuff on phishing. The cool interesting bits were basically the Russian malware authors and some of the interesting things that this malware does. The rest of it, if you want the other details, it's pretty standard stuff. Just read the slides. Okay, do we have time for questions or is that it? Quick question? Yeah. So, okay, the question was, can you put in some sort of preemptive defense module? Isn't that more or less what antivirus software is supposed to be, though? Yeah. Okay, yeah, sorry, we've... Thank you.