Okay. I've been told that it's time to start, so we'll go ahead and get going. My name is Thomas Holt. I'm a professor at the University of North Carolina at Charlotte. I am in the Department of Criminal Justice, so most people immediately ask, so do you do CSI kind of stuff? And I always invariably say no. I do computer crime stuff, and then people's eyes go crossed, and they don't know what I'm talking about. So it's nice to have a large audience of people who will get most of this presentation. Basically, it's kind of odd to have somebody from Criminal Justice talking about security, or at least from my colleagues' point of view it is. But let me tell you a little bit about what we do at the university at the moment. Right now, we run a honeynet, and I run an intelligence team within the honeynet. And our role is to go out and identify new threats, new targets, who's selling stolen data, how they're getting it, what are the latest tools, what are the latest trends, and what can we get for free, because a lot of these groups out there tend to provide resources for those who are interested. So what I'd like to do today is just kind of walk you through some of what we found, some of the latest stuff, and some of the things you're probably familiar with, and some of the data that we've seen being sold for profit. And basically, we know that the problem of malware as a whole, and identity theft, computer-based theft, is continually increasing. It's becoming more complex. The reports of phishing, spamming, they just keep going up and up. Dollar losses continue to climb, too. My personal favorite are the Nigerian email scam victims. You know, the African prince contacting you. Victims, unfortunately, in those schemes lose around $5,000, or at least that was the estimate from last year. And that's just a staggering amount of money. So when you think about it, it's important that we understand where our threats are coming from and how they're actually being performed.
You've probably seen the CSI/FBI report where they talk about damages to different companies. $15 million in virus contamination damages, bot damages estimated around $1 million. And you've probably, maybe you have, maybe you haven't, heard a little bit about some of the law enforcement agencies that are trying to deal with this problem, particularly with malware markets and with stolen data markets. Operation Firewall in 2004 that dealt with the Shadow Crew and a couple of other groups. Operation Bot Roast, where the FBI and other agencies are trying to take down bot herders and botnets. You may have seen some of these headlines recently. Of particular note, the TJX suit. You've heard about the 45 million credit card numbers that are just floating around out there. The spam king who was busted, the botnet or Bot Roast problem. And what's great for us is that we can actually go out and track these things to some extent. These groups are operating, the criminals themselves run websites, they run forums, they have IRC channels all devoted to malware production, distribution, sales, carding, which is the sort of use of stolen data for different purposes, and even some intellectual property kinds of things. And the sites themselves can tell us, or at least give us an idea of, who is responsible for these problems. It gives us sort of a snapshot of what's going on at the moment. And what I'm going to present to you today is information from our research. So basically what you're going to see today is information from around six to seven forum-related sites that are actively involved in carding, the distribution of malware, and hacking. And I use security kind of loosely here because we see security as a justification among a lot of these folks. They say that their bots are for network penetration and intrusion testing, so use it at your own risk.
And so in the process of our work, most of these forums are run out of Eastern Europe, Russia, and so there's some language issues that we have to deal with. We use machine translations via Google and other programs to get a sense of what's going on, and we also have some human translators who speak various languages or at least have the capacity to read and understand what it is that we're looking at. So we have some inter-rater reliability by saying, here's what this translation tells us, look at us, pardon me, look at it, tell us what you think. And so we have some good ideas of what is going on. In fact, we have a sample of about 30 sites; they come, they go. So we try to have a pretty good understanding of where some of our threats are coming from, and we track a lot of different issues all at once. I don't know if you're familiar with how these markets work, and what I'm going to talk about today is not so much IRC-based, but these are publicly accessible web forums. You don't have to register in order to look at what's going on. You can just ghost very easily. And so I'm going to walk you through a little bit about how the markets work, what we see currently being sold, and then some general information about the dynamics within the markets themselves. So how sellers work, how buyers work, and hopefully you'll find it pretty interesting. Basically, forums are structured in a specific way to act as advertising space. If you're a malware writer, if you're working as an advertiser for someone, you go to one of these forums and you create a post, or you create your new thread. And in that thread, you'll provide information about what you're providing. If it's a bot, you talk about its functionality. You talk about what AV systems it can get around. If it's, say, a packer, you talk about what programs you can do, how much you charge for it. You'll provide your ICQ number and ways for various people to get in touch with you.
In turn, when you make your post and you create your new thread, you have to give your malware to the website for review. Moderators take your code, take whatever specific product you've got, and run it to see if what you're claiming your malware can do is actually possible, if it's effective, and where its weaknesses are. If you say it's got ten different functionalities and they test it and it appears to have nine functionalities that actually work, one doesn't work as well, then they say, great, we'll sell it for you. They verify whether or not what you're selling is good, and the same is true with stolen data. They'll take a range of dumps or credit card numbers that you may have, and they'll test a few of them to see, are these accounts valid? If so, go ahead and sell. So the moderators will come back and post within your thread, here's what he said it can do, here's what our testers found. Buyers at that point will begin to provide feedback or ask questions. With stolen data, we'll see people asking, do you have any information for Turkey? Do you have German information? Or can you do credit card lookups for a specific individual? With malware, they'll ask what kinds of platforms can it go across? Can you provide me with denial of service attacks for, say, a 24-hour period against a specific target? And the sellers will go back at that point and try to address some of the questions. They may put something simple like, knock me on ICQ or contact me on ICQ and I'll answer some of your questions. They provide basic information. But what's critical for sellers is to have your customers say how good your service is. We know that they're going to be reviewed by a moderator, by checkers, but we want the customers, or at least the malware writers want their customers, to come back and say how good or how bad your product is. It's kind of like eBay in that the better your review, the more likely people are to buy from you. Let me give you an example of what I mean.
This is a series of comments from one of the forums, particularly for a tool called FreeJoiner. And I'll talk a little bit more about FreeJoiner later on. You can see all four of these people say thank you for FreeJoiner. It's the best program in its class. I like this joiner. It's very useful. This is one of the most powerful products on the market. It's just super. It works well. Huge respect for the sponsors of the program. Great respect for the author. It's a remarkable tool. These kinds of very positive comments will make people say, great, this guy's trustworthy. He's got a good product. I'll buy from him. So now that you know a little bit about the process, let me walk you through what we actually see. First, I'll talk about some bots. This one in particular is called SuicideDDoSBot, by a guy named Rkl or Crash. And he posted it in a couple of different forums. It's been reviewed. People generally say it's very good. In fact, in a review of the best bots of the year 2006, Suicide was one of the top. And it can be controlled through the web, through IRC. The botmaster controls can be separated out. It does ICMP floods, SYN floods, HTTP floods. It can disguise itself. It can be packed. It can be used for a number of different things. We didn't find a lot on price, and it's varied. We don't know exactly how many people are using this bot, but at least we know that it's a popular code to be purchased. The same is true with this one called Illusion. Illusion is a bot written by the Cyber Underground Project, or CUP. Initially, this was being sold for about $400. Recently, though, we've seen it being posted in different forums for free, but you have to be a substantial member within the forum. Basically, you have to have over 100 posts before they'll give you a copy of it. And we see that happen a lot. Older bots, older malware. Once it's gotten used, people don't want to pay as much for it. Someone will say, here you go, it's free. So it kind of becomes like warez.
And with Illusion, they say that it's good for SYN floods, ICMP floods, UDP, HTTP GETs. It can do spoofing. You can send multiple commands at once. In fact, we've gotten the command book for this specific bot so we could understand what actually happens. They just posted it for free and said, here's our commands. Here's how you would use it in an IRC channel. And so you could say, flood this specific target at this rate for however many microseconds. This one also has something that was kind of interesting. It says the bot password. So your control password is MD5 encrypted and is used to prevent the evil enemy from getting your password and controlling the botnet. So sort of it's hacker-proof, if you will. And they say that it's got an easy-to-use command interface. A lot of these individuals will provide either video of how their tool works in action or they'll provide you with screen caps so you can see kind of what you're dealing with. This is a shot from Illusion from the provider, and you can kind of see some of the different things that it can do. There's the password, there's the MD5 crypt portion, some of the options as to what works and what it can do. So that's a little bit about the bots. Let's talk about Trojans. Everybody wants to know about Trojans. Basically, one of the most well-known is one called Nuclear Grabber, created by a guy named Corpse. He's even got his own website where he's advertising this tool. You can purchase it directly from Corpse. Unfortunately, it's about $3,000. They say that it's very, very good. Corpse has a lot of great reviews. If you follow the security community at all, you've probably heard of this before. Unfortunately for Corpse, we've seen cracked versions appearing. So people are getting this tool for free. You don't have to pay $3,000. You just have to know how to actually use the tool. So what does it do? It's a universal TAN, or Transaction Authorization Number, grabber.
Any bank that you want to target, you can do so. It makes it possible, he says, to effectively gather TANs and more. And he calls it a consummate phishing tool. So you can get and make transfers with the data that you capture. Let me show you a screen cap from Corpse's Nuclear Grabber. So they say that Nuclear Grabber can be used for phishing. Here's kind of an image that will be created using this tool. On the left, you'll see a Wells Fargo sign-on. So your username, password, sign on to your account. What's the difference in this one? ATM PIN number. That's correct. So this is the phishing one. Username, password, ATM PIN number. And you hit Enter, and all your information goes. What happens is that the data is split into three different streams and sent out to a selected server and then redirected to the actual, in this case, Wells Fargo domain. So you'll go right to your account. You think everything's fine. Whoever has installed this piece of malware, though, gets your data. And he goes so far as to say that this will actually defeat virtual keypads. It captures the side text, so it'll get actual data on username, password, so you can see what it is that you're dealing with. And with Nuclear Grabber, we've seen a few instances of people actually selling stolen data from this tool. Back in January of this year, a guy named Death, which interestingly enough is another pseudonym for Corpse, was selling data that he picked up from the U.S. In fact, he went so far as to tell us later that, or not tell us, but tell some of the forum users, that this was from Dallas, Texas. So he was selling data by pieces, so you buy it in megabytes. So for 8 megs, you pay 6.5 WMZ, or WebMoney U.S. dollars. So for 6 bucks, you can get 8 megs worth of stolen data. And he's selling it in lots. Most of the folks who are in these carding and malware markets provide bulk discounts, or they prorate their prices as they go up in volume. So the more you buy, the better price you get.
And Death was giving people a pretty good deal here. So this was back in January. Another one that you may have heard of is a tool called Pinch. And Pinch is a pretty well-known Trojan. It's been around for a pretty long time, actually. It's gone through a number of different iterations. I believe it's on version 3.1 at this point. And it was originally sold by its creator, a guy named Coban2k. In fact, there's a very interesting interview with Coban2k on a Russian hacker site where he talks about why he made Pinch in the first place. There's some controversy, though, as to how it became this very freely available public Trojan. Initially, Coban said he just released it to the public after it had been bought a few times. He said everybody should have this. However, there are some people who say that a group cracked it and then released the version for free. Either way, you can find Pinch on a number of different sites and download it yourself, but it takes some effort. There are also custom builds that are out there, so people will provide Pinch in a number of different services. They sell the latest version. They sell these unique builds for whatever it is that you specifically needed to do. Let me talk a little bit about an older version of Pinch, or at least the latest version that we saw. And it's Pinch 2.99. It's written in assembler. It's pretty small in size. He says that there's no special knowledge needed to use Pinch. It's apparently something that can be run pretty simply. It obtains passwords from 33 different programs, including Outlook, The Bat, RDP. It sends passwords via HTTP, SMTP, or FTP. You can get statistics about the machine. It binds itself to different executables. It can kill processes. It can create different favorites in IE. It'll add information or listings to a hosts file. You can even turn it into an IRC bot if you're so inclined.
It says that it can hide itself from msconfig, uses a couple of different packers, and it adds itself to the Windows XP SP2 firewall allow list. So it tries to hide itself and allow itself to do a lot of different things. That version of Pinch was being sold for $30, and it could be customized to whatever your specific needs are. And the seller guaranteed that it wouldn't be detected by antivirus when it was sent to you for use. This is the person's ICQ number. Because Pinch is released and is so freely available, the specific seller was very clear that if you didn't buy it from me, don't contact me for customer support. In other words, if you get this tool without coming to me first, I'm not going to help you. And so for $30, you get a pretty good deal. They'll revise it for $5 a pop, and you can get statistics server software for $100. So it's a pretty good deal, all things considered. It's certainly a lot cheaper than Nuclear Grabber. This is kind of small, so I'm sorry; I read it pretty clearly for you. In terms of Pinch as a Trojan for stealing data, we see people constantly providing stolen data from Pinch. In fact, in a one-week period this March, five different people were selling data that they obtained through Pinch, and they clearly stated sales of data from Pinch, 100 pieces of data, $3. Another guy was selling traffic for 100 pieces for $2, so undercutting the previous seller. And they were saying that the data came from the U.S., England, Russia, Germany, and Italy. And they'll offer discounts the more that you buy. So here's my ICQ number, contact me. The last guy there, same thing. Another seller named Exim. You can see he's got a very nice little logo here. He's a very proud seller. You've seen our famous Trojan Pinch sales, in fact. He's really good at what he does, apparently. They say that they sell two different types of data. They sell information that's been parsed, or they just sell lots of data at once, so nothing that's been parsed.
And whatever kind that you want to buy will make the price different. So if you want the parsed version, it's $3. If you want just the basic, it's $0.30. And you can buy it in a minimum order of 20 megs. So they like to deal. So for $6, you get 20 megs worth of data. They say that most of this data for this specific seller was coming from Russia, but there was some from Europe, some from the U.S. So clearly this is an international problem. Another tool that we just found recently in March. This is called PG Universal Grabber. I haven't heard much about it. We haven't seen anyone selling data from this tool yet, but if it can do everything that it claims to do, then this is going to be as effective a tool as Nuclear Grabber. It was posted on a forum, and the individual posting it was acting as a middleman, or the advertiser for the actual writer. So he was saying that it works through IE, and with different browsers based on an IE engine. You can get it and install it for $700, and they'll provide you with antivirus protection for another $30. And they'll give you updates and optimization for free, but if you need essential updates or if you need something custom, then they'll charge you for it. So they're giving some customer service. What can it actually do, though? It acts as a grabber, and it can get information from, you'll see, PayPal, eBay, banks, trade, et cetera. And it will capture flash keyboards, so virtual keyboards. It does the keys for Bank of America, and the keys for different banks in particular. It gets protected storage data. It works with e-gold, and basically what you can do with this one when it comes to e-gold is, once it's installed, and your victim tries to use their account, it'll send the info to you, hit you on your ICQ number, and then you can immediately get in, your victim is locked out from their account, and it'll transfer 98% of the account to you.
So you can drain somebody's account pretty easily without them being able to do anything. It also works with TANs, not unlike Nuclear Grabber, specifically TANs from Germany, but they do different countries as well, Poland, Lithuania, any country that works with TANs, and it can be used for phishing in terms of redirects. They say that it's got a very easy to use administration panel, it works for page substitution, and the Trojan is compiled by default to fake Wells Fargo, Bank of America, Lloyds, and Barclays. So it's got all these images pre-built. What else? There is a variety of different smaller services that are offered out there. For example, there's a tool called FreeJoiner. This is the one that you saw some reviews for earlier. This is basically a polymorphic joiner, so it'll put your specific piece of malware or whatever it is and bind it with other things. And you can obfuscate what it actually looks like. You can change it to appear as any kind of file. You can edit this file in particular. You can change the language interface. It's got integrated packers. And for $30, you can get this very nice build, but he provides a free version as well if you're interested. If you want some limited functionality, Gloth is saying just download it from my site. If you want the great service, pay me $30, and you can use it. In fact, here are some screenshots from FreeJoiner. You can see, well, maybe you can, maybe you can't. Here we've got Pinch, the Trojan we were just talking about, and it's going to be bound with something called girls.jpeg. So your victim would want to open it. Nice deal there, right? And on the right, you can see a little bit about the actual interface. What do you want it to do? What do you want it to bind? How do you want the product to look like? So you can see what file, how do you want to edit it? What language do you want it to look like? What kind of a packer do you want to use? So that's FreeJoiner. 
The same author, or at least a friend of this author, a guy named Xploit, was releasing something called SymbiosCryptor. And this is an encryption tool that will be used to bind and basically hide your executable as it's going through. He offers this for $10, pretty inexpensive, with $2 updates. And if you buy from him, he'll even hook you up with the private version, that $30 version of FreeJoiner. And this can hide different tools. It says it will get around firewalls, and it's got a lot of good functionality. And here's another screenshot from the SymbiosCryptor. As you can see, this is all primarily in Russian. So it's a little bit obfuscated. But the individual Xploit is providing his ICQ number, his email address: if you need support, if you need help, just contact him. He's very good at providing customer service. So we have encryption tools. What else? We see some people in limited circumstances offering denial of service attack services. This group in particular, hackshop.org.ru, says, have your competitors started a pressure? Is somebody trying to prevent you from doing business? Is it necessary to take out your opponent? Well, we offer a solution. Our botnet's constantly increasing. We can attack countries wherever for long periods of time. We have zombies in all kinds of time zones. So for one hour, it'll be $20. If you want 24 hours of service, it's $100. And they'll do larger projects, just depending on what you have in mind. $400 or $200 or more. And we've seen people selling denial of service attack services for anywhere from $50 to $100, although many people complain based on the price, because there are so many zombies and bot herders out there. So we have denial of service offerings. We also see a lot of spam services for sale. This group in particular, the Infected Team, is saying, hey, we've got this great database of email accounts. We offer this professional, note they say that, professional service. It's operational.
And depending on what you want to do, here's what we sell. If you want to hit targets in the US, we have a base of 1,200,000 email addresses. And if you want actual physical individuals, we have a 3 million account base to draw from. They have all kinds of different organizations and different individuals included here. We also see individuals selling ICQ numbers and different tools. This is something that we don't fully understand, because ICQ is free, but we have a few ideas as to why this may be happening. It may or may not be clear, but we have different numbers for sale here, like 444X, so the last number is something different. So you can buy that for $1,500 from this particular provider over here. Another guy is selling basically the same service, just for different prices. What we think, or at least what we assume based on some of these different sellers, is that you can pay a lot of money for an easy-to-remember ICQ number. If it's only a two- or three-digit combination, something basic, it might be good to help establish a name, or it might be related to the age of the ICQ number. So there's a couple of different potential explanations that may be present, but there's a range of prices here. Most of these sites also offer a lot of free services. They'll provide older bots, cracked versions of different pieces of malware. They give password scanners, FTP checkers, ICQ tools, including encryption and different products there, proxy checkers. They also provide a lot of articles in terms of computer security, new exploits, old exploits, and a lot of warez. In particular, antivirus software for testers and different individuals who are working for these groups to run it against known bots, a lot of the Microsoft products; one group had a lot of Linux stuff posted also. So a lot of things are free, and you can basically build a nice arsenal of attack tools by going to some of these different sites.
In terms of how you actually go about buying these things, individuals contact the seller privately. If you remember in that first slide, I talked about how these forums are actually structured. So in a thread, you may have some questions for the specific seller or the writer. And you may ask, well, here's what I want. And they'll say, knock me on ICQ or send me an email. A limited number of people also use private messaging systems in the forum. It just depends on the person. But the person who's interested in buying makes contact, then they say, here's what I'd like to get. And the buyers will have to go through the specific seller's provider for service. Some people use e-gold, some people use WebMoney. In limited circumstances, we see them using Western Union, but they charge more if you want to go that route. Escrow payments are offered in some of the boards. And these escrow services are designed so that the forum acts as a middleman. They will take a payment from a buyer. They'll contact the seller and say, hey, we have your money, please send the product. So the seller sends whatever it is to the buyer and says, I just sent the materials. Please contact the buyer. The buyer gets contacted. Did you get it? Yes. And then the forum will release the money to the seller. So it's just a way to guarantee service and money. And in terms of the organization of market actors, there's a continuum of sellers that we see based on their reputation, based on their trustworthiness. And it runs from rippers to unverified sellers to verified sellers. It's a process. So if you've created a new bot or a new virus or a new Trojan and you go to one of these forums and say, I'm interested in selling my specific services, please contact me. They'll send their code to the forum for testing, and the forum will say, yes, it does what the person claims, so you can buy from them. The first time someone posts in one of these forums, they don't have a lot of status.
People don't know whether or not they can trust them. So they'll be labeled as an unverified seller. Over time, if people buy from them, if their products are sound, if they're selling stolen data and it works well and provides people with a lot of money, the customer feedback comes in. And if people are saying, gosh, this guy is great, his services are wonderful, then the forum will begin to put a little bit more trust and faith into this individual. And over time, they'll go from being an unverified seller to a verified seller, meaning whatever you want to buy from this person is going to work. So becoming a verified seller means that you have a lot of status. People can deal with you and we know that you're going to offer something worthwhile. However, there are a number of people who post in these forums who provide information that may not work, who provide bad services. And in those contexts, individuals will say this stuff doesn't work, this exploit isn't very unique, it's not anything new, why would we even want to worry about it? The bot doesn't do what you say it can do. And so that individual may become labeled as a ripper because you're providing bad services. If you take money from someone and never send them code or never send them their data, then people will say, hey, this guy's ripping me off. And that's what the term ripper is referring to. This person's a rip-off artist. And if you become a verified seller and for some reason if things don't work out, if you become unreliable, you'll get knocked back down to that unverified status. And if you continue to get bad reviews, eventually people will begin to call you a ripper. And if you're labeled as a ripper, it's essentially like being blackballed from the community. You can go somewhere else, but people will try to follow you. 
In fact, there's something called the Rippers database, which is sort of like an internal site for all these malware writers and carders where you can say, hey, this specific individual is a ripper. He's unreliable. Here's the e-gold transaction where I paid him. I never got what I asked for, or his services were bad. And so they maintain this list for everyone who wants to know, who can I trust? Many of these forums will operate their own white and black lists where you can determine, hey, is GloF a good seller? Is Crash actually reliable? Is he on the white list or is he on the black list? Do I not want to deal with him? So this organizational continuum reflects a lot about how the markets actually operate. We've seen, after looking at a year's worth of this data and from various sites, we've seen some interesting things with regard to what actually shapes the relationships between individuals. It appears as though the cornerstones of these markets are structured based on general business practices. People want to know that if they want to buy something from you, they can get ahold of you quickly. If you contact them on ICQ, how long does it take for them to get back to you? If they can provide the data that you're asking for very quickly, or if they send you code in a fast, reputable fashion, then people are going to say, hey, this guy's great. One of the best comments that appears in these forums is someone saying, I can always get ahold of him. Whenever there's a problem, I can get him. Whenever I want new data, I can get ahold of him. It's especially important thinking about stolen data when there's time-sensitive materials involved. These guys don't want to sit on it. They want to get it as soon as possible. If a victim's been compromised and they're aware of it, they may get that account closed. So for a carder, or for someone who's in this business, they need to know I can get it quickly and I can use it as fast as possible. Pricing is also important.
Guys like Corpse who are offering these very complex, sophisticated tools can charge a lot of money because there aren't products like it out there. But over time, people will begin to figure out how their program works and build competing models. And so prices begin to drop. With the DDoS services, for example, it's relatively inexpensive because there are so many bot herders and bot operators out there. So you have to offer prices that are competitive and reflective of what it is that you're actually giving to other individuals. You also have to provide reliable products. So if your bot is functional, is great, does whatever you claim it can do, then people will want to buy from you. If you're selling stolen data, then people want to know that your accounts are going to be valid, that there's going to be money in them. And customer service is also very important. There are individuals who operate kind of like tech support. If you have a problem and you buy this Trojan from me, contact me. I'll help you get it set up. They'll tell people in advance, this is a highly technical tool. You have to know what you're doing when you get it. I'll offer you limited customer service, but you're going to have to handle some of this on your own. But they do provide updates. They like to give their customers whatever it is to help them get along. And with stolen data in particular, we see individuals providing these bulk discounts for purchases. If their data doesn't work or if it's not functional for them, they'll just trade it for new ones. If you buy from one of these sellers, for example, and you say the data that you gave me was junk, they may send another three megs for free and say, hey, I'm sorry for the inconvenience. At least that's what the good verified sellers will do. And this seems to be what drives the markets. These four factors really seem to shape the practices and the behaviors of different individuals. We also see something kind of interesting.
They try to negate their responsibility to some extent, and this is probably no surprise. They say that whatever we're offering is for security. It's for pen testing, especially with some of the bots, like this first quote here: the bot is a means of testing its network to the object of vulnerabilities. In other words, it's just for testing your network, but not for attacks or incorrect actions. For its use for any illegal purposes, the author does not bear responsibility. We see these disclaimers at the bottom of pages all the time, where this program was created for informational purposes, to check your own protection or security; the author's not liable. Whether or not that's a valid claim is something else, but at least they try to negate their responsibility, as with many different forms of crime.

So taking this as a whole, what can we glean from all this information? There's a great deal of malware and stolen data that's being sold and that's being made freely available to individuals in these forums. The prices are reasonable. They may be particularly inexpensive depending on the product, and some of these types of tools allow anyone to become involved in computer crime and identity theft. You don't have to have any technical skill if you buy a denial-of-service attack service from someone for 24 hours. You're just paying for what it is that you need. And based on how individuals actually operate within these markets, they run like a legitimate business to some extent, especially since it's based on trust and based on general business practices of turnaround, pricing, et cetera. And some of the writers and some of the carders try to justify their actions much like other types of crime. So it's an interesting thing to observe.

Unfortunately, there are some complex issues that come into play, too. The instances of law enforcement interdiction like Operation Firewall have had some impact on these markets, but they're still around.
They still come up regularly. In fact, we've seen groups trying to take donations to get the ShadowCrew website back up and running. So while they may go down for a while, it appears as though it's not a permanent solution. It's very hard to attack and really take out some of these individuals. It's sometimes hard to attribute the creation of a tool to any specific individual with something like Pinch, when it's gone through so many different versions. And we may not know that the individual author who created this did it for a specific purpose. It got cracked and then got released. Well, he's claiming something else. It can be sometimes hard to figure out who's actually behind some of these things.

The language issue also complicates the process of research and examination. If you don't have Russian speakers, if your software doesn't provide an accurate or reliable translation, what is it that you're actually looking at? And it takes a lot of time to go through these threads, to look at the markets themselves, to analyze what's going on. It may take us a couple of days to figure out what a specific post means or where this tool came from. So it's not just a quick, rapid-fire kind of exam. It's got to take some real time to review. And considering the range of markets that we're actually dealing with, it's not necessarily something easy. If you consider we have 30 different sites that we could go to around the world, then it may be very difficult for us to go through all 30 of them in the course of a week. We may only get to five or six. It just depends. And the transitory nature of these forums complicates things. They go up, they go down. Groups hack each other. ISPs get complaints, and so they take the site down. They come back again a few weeks later. The Ripper's database provides kind of a unique examination of: this forum is up today. This one's down because they're changing the content. This one got hacked.
So they can tell you a little bit about a select number of forums. But as a whole, they're present one day, they may be gone the next. Eventually they'll come back, but it's not necessarily easy to follow. And just for any of you interested, here's a couple of the key terms translated into Russian. And I've got some related readings if you're interested at the end of the slides. That's it. I'm open to questions at this point.

Yes, sir. Thank you very much. No, no, we do not. We make no purchases. We go... Yes, the question was, in the course of our research, do we actually make any purchases? Where do we draw the line in terms of what is acceptable, what is ethical? We don't buy anything. We go to forums where we can examine, where they make things freely available, but we never, ever buy anything that is for sale. We don't buy any data. We don't buy bots. If they're saying, here's a free release, here's the distro, we will try to get it, but we don't purchase anything. Any other questions?

Yes, sir. You mentioned Western Union out there. Western Union. The question was, Western Union was on the buy list. Yes, they are. Yes, Western Union is involved. We see people, in particular, when they say you can buy through Western Union, they set a specific amount above what the minimum order may be. Say that's $3,000, just as an example. They may say, if you want to pay me through Western Union, you're going to have to pay $5,000, because they take some of that extra money to cover the cost of maybe having the money switched from actual currency into e-gold or something else. So, yes, Western Union is involved; it just depends on the person themselves.

Yes, sir. Yes, the question is, do we want to see any kind of international law enforcement cooperation to deal with these problems? Yes, we try to communicate everything that we find to different law enforcement agencies.
If we know that it's something that seems very significant, if it's a threat to a specific target, we try to share that information as much as possible. We're somewhat limited in terms of who we can communicate it to, since we don't have direct ties with international law enforcement agencies, but that is something that we would definitely like to see.

Yes, sir. What's the ethical nature of getting... What's the legality of it? Well, the legality of selling a bot, and then if somebody cracks it, what do you do? Well, these sellers generally police themselves. The bot writer isn't going to go to someone and say, hey, that's my intellectual property that you just stole. We see people become labeled as rippers for cracking a specific kind of code or for releasing information to the public, but nothing tends to happen, really. Oh, is it legal for us to distribute what it is that we're finding? That's something that we negotiate with our law enforcement partners to determine what we can do with that. It just depends on the situation.

You, sir, in the front. Do moderators do verification testing, collecting the information? It's not clear to us at this point if they actually get paid for their services, and moderators may or may not do the testing. There may be a middleman involved in that, so I can't honestly answer that at this point.

Yes, sir, you in the way back. We try to go through... the question was, how do we obfuscate who we are? We try to go through proxies and conceal our identity to some extent to minimize or mitigate some of the threats that may come our way as a consequence, and we try to use relatively secure computers and networks.

Yes, sir, you in the front. Basically, you're asking, what happens if somebody drains an account, can it be tracked? Yes, it could be. When we see individuals who sell, for example, hey, I've got data from Wachovia, Bank of America and MBNA.
Then we try to account for how many, say, accounts that they have, what their prices are, and we do try to ship out information to specific groups in our law enforcement community so that they can share that information back. Yes, it seems like there are ways to track it. The problem comes down to the amount of data that's out there. Like if you think about the TJX thing, accounts floating around, we don't know when those are actually going to be funneled through or how long it will take for data to actually turn around. So it is possible to check. It's just hard to know when a compromise happened.

Yes, sir? Is there a buyer rating service that kind of comes into play with the different white lists on a board? One other thing that we do see with sellers or writers who are very well known, or who are trying to develop a reputation, is they will say, I've listed my data on four different forums and I've been reviewed there, so they'll provide links to that specific thread within another forum as a way of verifying their identity and saying, hey, if these folks over here like it, if these folks like it, then I must be reputable. So not a site so much like the Ripper's database where they're saying here's the best sellers, but groups do tend to manage themselves and say here are some good groups.

Yes, sir? Can you repeat the question again? I'm sorry. Yes, sir? Not specifically, but we do see a pretty consistent range of banks that are targeted, and it does appear to be relatively straight from point to point to point. So yes, there is some way to verify, or at least we can say that there are some banks that are targeted more often than others.

Yes, sir? Oh, like write your own code in an easy point-and-click kind of environment? No, we don't see individuals selling those kits, at least not in the places we go to. That's not to say that they're not out there.
I think VX Heaven is one of the places you can get a lot of those point-and-click malware generators, but we haven't seen them for sale. Any other questions?

Yes, sir? The question is, what OSs are being targeted most often. Consistently, yes, it appears to be IE-based, or at least Windows-based, systems. We have seen one or two instances of Apple-related products, but generally not. There's some variability in terms of whether something is Firefox or IE or Opera or what have you, but yeah, Windows tends to be the biggest target.

Yes, sir, you in the way back. Yes, that is something that we want to develop, since we do these reports weekly and we do try to aggregate at the end of the month. We can say that there are some banks that are targeted more consistently. I don't have specific stats right at the moment, but that is something we do want to develop, yes. Do we need assets at another university or research institution to help? It's possible. I'll talk to you about it later if you're interested. It just kind of depends.

Yes, sir, you in the back again. Sure, the question is, how do people manage their identities, and how do we say that someone in particular is responsible for something? Don't they have multiple accounts in different forums to say, oh, yeah, I'm Johnny89 and I'm Turk182 or whatever? That's something that we are trying to work on, to validate who is who and what identity is what. The interesting trick is that some of these guys use the same label, or at least use the same handle, for consistency's sake so that the general public will say, oh, yeah, that's Crash's suicide bot. That thing is good. We also see sometimes people providing their blogs and saying, oh, hey, here's the recent language pack that I added to this specific service.
And at the same time on their blog they'll say, oh, yeah, I'm a university student and I'm studying accounting. I like computer security. I like boating. And here's my picture. Here's my picture with my friends. We see that with some Russian groups and some Chinese groups, and we don't know if it's just a consequence of young people using social networking as a means to share information. But there are some ways to attribute people to specific products.

Yes. You, sir, in the back. Yes, sir. That is a very good question that we have had some difficulty ferreting out. We've seen people that... oh, I'm sorry, the question was, what about proxy services? Which ones operate best? Have we done any examinations of proxy services? We've seen people that provide proxy checking tools to say this is a good speed, this is a reliable connection. But we haven't looked at that one very heavily. But that is something we are interested in examining further. So I don't have a very good answer for you at the moment.

Yes, sir. That's a good question. Basically, how do people verify if they buy, say, some dumps or some stolen account data? How do they verify it and use it for whatever they may have in mind, making cards or making online transactions? We have seen a site where it's just a BIN lookup and it'll provide all the information for you. It's very blank, it's very bland, we don't know who wrote it or why it's there. We are very interested in trying to consider how this works. We do see people selling services to check and tell you what... I'm unfortunately going to have to go, but there's a Q&A room and I can answer more questions more fully. So thank you for coming, I really appreciate it.