"Cyber Crime Toolkits" Hit the News

On the BBC website:

"They are starting to pop up left and right," said Tim Eades from security company Sana, of the sites offering downloadable hacking tools. "It's the classic verticalisation of a market as it starts to mature."

Malicious hackers had evolved over the last few years, he said, and were now selling the tools they used to use to the growing numbers of fledgling cyber thieves.

Mr Eades said some hacking groups offer boutique virus writing services that produce malicious programs that security software will not spot. Individual malicious programs cost up to £17 (25 euros), he said.

At the top end of the scale, said Mr Eades, were tools like the notorious MPack which costs up to £500.

The regular updates for the software ensure it uses the latest vulnerabilities to help criminals hijack PCs via booby-trapped webpages. It also includes a statistical package that lets owners know how successful their attack has been and where victims are based.

In one sense, there's nothing new here. There have been rootkits and virus construction kits available on the Internet for years. The very definition of a "script kiddie" is someone who uses these tools without really understanding them. What is new is the market: these new tools aren't for wannabe hackers, they're for criminals. And with the new market comes a for-profit business model.

Posted on September 5, 2007 at 7:10 AM • 18 Comments

Comments

Omar HerreraSeptember 5, 2007 7:51 AM

And I wonder if the anti-malware industry is updating their strategies and solutions accordingly. It seems to me that they are still targeting malware created mostly by amateurs seeking a few seconds of publicity rather than targeted and silent attacks by malware created by these criminals.

For instance, I don't know if those "100% detection" awards are still worth anything (if they ever were). How can we measure detection effectiveness of malware that is now specifically designed to fall well below the radar of the anti-malware industry?

It is not only a technical and context problem; detecting malware custom-made for specific companies or small groups of people to create detection signatures for everyone is not cost-effective for anti-malware companies with black-list based products (even behavior based products still rely on thresholds to guess what is bad). However, it seems that this is exactly the opposite for criminals.

bmcmahonSeptember 5, 2007 8:36 AM

The new users of packaged malware aren't exactly "script KIDDIES" any more; how's "script thug" sound?

Nick LancasterSeptember 5, 2007 8:55 AM

I'd be suspicious of anyone who offered such a kit. I'd at least ask them for a photo of a squirrel ...

Regarding 'script thug,' - nah, has to be flashier and more current, like 'Script terrorist!' (I'm sure at some point, computer crime will be added to the growing pile of 'ooooh, terrorism, fear!' that has attached itself to the public consciousness.)

dmcSeptember 5, 2007 9:36 AM

Again, you have to wonder who is going to buy these kits.

Wouldn't an intelligent criminal be suspicious of what they were getting? I mean, just as we worry about spyware reporting our legitimate but private activities to data miners, wouldn't they worry about spyware in these kits putting them at risk of extortion from other criminals?

Script kiddies don't think that far ahead, hence the popularity of this sort of kit. But serious criminals or terrorists?

kurt wismerSeptember 5, 2007 9:52 AM

consider this - malware generated algorithmically won't necessarily get very far if the generating algorithm itself is known (which seems unavoidable if it's being sold publicly)...

TNTSeptember 5, 2007 10:18 AM

"Wouldn't an intelligent criminal be suspicious of what they were getting? I mean, just as we worry about spyware reporting our legitimate but private activities to data miners, wouldn't they worry about spyware in these kits putting them at risk of extortion from other criminals?"

With tools like Mpack and similar and the "exploit frameworks" the risk of the criminals being themselves victims of fraud is minimal. The source is there (php), the generated exploits (html/javascript) are there, what they provide is a general wrap-up to make it easier/faster for the criminals to use it. Unless they're complete morons who don't know anything about these things, the criminals know what they're getting.

Matthew SkalaSeptember 5, 2007 10:59 AM

The danger of a double-cross exists in any enterprise that requires the cooperation of more than one person - including but not limited to criminal enterprises. And yet, such enterprises do exist. Some people are willing to take the risks of trusting each other in order to get the benefits; and there are often things they can do to mitigate those risks. For instance, if the product doesn't perform as it was claimed to, the customer could carry out threats of violence against the seller - or just hand over evidence on them to the police.

UNTERSeptember 5, 2007 1:34 PM

How are the sales handled?

For drugs, it's mostly done person-to-person making enforcement difficult. But to market products for criminal use on the internet -- it would seem that even minimal police work should be able to catch or interrupt sales. And since these products are at low prices, quite a few sales are needed to recoup R&D costs.

scavokSeptember 5, 2007 2:40 PM

Selling a kit like this over the Internet sounds like a good way for an enterprising law enforcement agency to catch some criminals.

AnonymousSeptember 5, 2007 3:45 PM

@UNTER, scavok et al
Unless possession of the tools is an offense in and of itself, what will the police really be able to do? I'd suspect they would;t even botheras, they'd have to devote a lot of resources to thenm monitor the individual making the purchase and hope to somehow catch them using the tools maliciously...

MilanSeptember 5, 2007 4:13 PM

Given the relatively low prices, you would expect at least some security vendors / software producers to buy these kits, figure out how they work, and make their products more secure.

I am sure this already occurs, to some extent.

Filias CupioSeptember 5, 2007 4:22 PM

I see lots of opportunity for things to go wrong for the sellers or buyers of such software. These are anonymous transactions in a world without law.

I create a really impressive "i113g4l 1337 hax0r's k17" and start selling it for $500. Someone else buys a copy, and starts selling them for $100. Police buy a copy, trojan it to send them incriminating information, and sell copies. Or I trojan it to give me back doors into other crook's botnets created via it. I sell to crooks who pay by stolen credit card, and later the charges are reversed.

VWMSeptember 5, 2007 4:47 PM

@Unter, Matthew Skala: Western Union and alike services can make it pretty hart to track the receiver of the money.

NoKidSeptember 6, 2007 1:30 AM

The people selling these kits depend upon their reputations. You might use a nick-name, but that is enough for people to deal with you. There are forums for these things, just like there are for spammers. Word gets around as to who delivers the goods and who doesn't. The low price means that it isn't worth spending months building up a reputation just to rip off a couple of people.

As for how the users can buy the goods and remain anonymous, that's not that difficult either. The whole business revolves around anonymous payment and delivery of information. People sell kits to botnet herders who sell proxy bandwidth to spammers who sell bulk mail delivery to pharma marketers. There's always Paypal, credit cards under false names, wire transfers, etc.

As for delivering the software, all they have to do is send it to an e-mail address. Making a Hotmail account and using it once doesn't take much work or knowledge.

UNTERSeptember 6, 2007 9:32 AM

But doesn't anonymity work only backwards? If you use paypal, Western Union, etc, the system is anonymous because the data linking seller and buyer was never saved - the guy who takes your money doesn't ask your name, doesn't remember what you look like and the same on the other side.

On the other hand, to make enough sales to repay your investment, you're running the risk of forward investigations. You have a reputation. The cops order a copy, and go to WU with a subpoena to track the money. They follow the cash until someone, somewhere actually collects the cash.

I doubt that a jury wouldn't find conspiracy when your handle is 'l33t haxor #1' and you did your adds on 'Killer Hacks Pirate Forum'.

It seems that the market can only survive because no significant police investment has gone into busting it. The police are fragmented, while the market is global.

SondraJuly 13, 2009 3:59 PM

Good evening. Insanity in individuals is something rare - but in groups, parties, nations and epochs, it is the rule. Help me! Please help find sites for: Find audi dealers in montreal. I found only this - audi dealer in atlanta. Research audi before you buy with new car comparisons, new audi invoice get audi dealers to compete for your business. To purchase original audi clutches and accessories at shouldn you use the same clutch as audi fyi audi dealers sell clutches in an audi box. ;-) Thanks in advance. Sondra from Dominican.

Leave a comment

Allowed HTML: <a href="URL"> • <em> <cite> <i> • <strong> <b> • <sub> <sup> • <ul> <ol> <li> • <blockquote> <pre>

Photo of Bruce Schneier by Per Ervland.

Schneier on Security is a personal website. Opinions expressed are not necessarily those of Co3 Systems, Inc..