Return of the Web Mob

Parore writes "eWeek is running a story about the return of the web mob, highlighting all the similiarities between the online attacks and the real-world mafia. From the article: "Black hat hackers have set up e-commerce sites offering private exploits capable of evading anti-virus scanners. An e-mail advertisement intercepted by researchers contained an offer to infect computers for use in botnets at $25 per 10,000 hijacked PCs. Skilled hackers in Eastern Europe, Asia and Latin America are selling zero-day exploits on Internet forums where moderators even test the validity of the code against anti-virus software."

People that matter don't care

[liliafan]

There is obviously a problem with botnets, virii, and trojans, part of the problem comes from a 'not my problem' attitude from law enforcement and ISP's.

Dozens of times when networks I maintain have been attacked I have contacted ISP's with all the information they would need to trace the user performing the attack and notify them that their machine is infected, however, the response I usually recieve is, 'it is our policy not to blah blah blah', when I have had verified hack attempts on my systems and have notified the authorities about it, I have been transfered all over the place, put on hold, transfered a little more until I completely loose interest, when I do get to report something it never gets investigated.

Until the people that can actually do something about these zombie machines and malicious users, get off their asses the problem will just keep getting bigger.

Re:People that matter don't care

[Moby+Cock]

The day will come when the owners of the infected computers will be responsible. This is of course insane, but it is an easy way to assign blame. The real culprit, of course, is too difficult to track.

Re:People that matter don't care

[liliafan]

We know the people responsible are mean vicious hacker types, my point is that an ISP has a responsbility to not just protect its users from the internet but to also protect the internet from the user, if an ISP recieves a report that one of their users is doing something wrong they should take the time to check this, the same goes for law enforcement.

Users should take responsbility but you are right this will never happen, and a long as it is profitable the malicious users will continue to write their infections, the impact can be minimalised if ISPs take some responsibility for the users they allow to connect.

Re:People that matter don't care

[gowen]

The day will come when the owners of the infected computers will be responsible

Presumably, this will be the same day that women in short skirts will be responsible for their own rapes?

No matter how tempting a target I make myself, the responsibility for the crime will always remain with the criminal.

Re:People that matter don't care

[giorgiofr]

I don't think it's as insane as you think. It's quite akin to hold passengers responsible for whatever some ill-intentioned guy put in their luggage without their knowledge. After all, it's your duty to know the dangers of the machine you're operating: people are responsible for the damage if they drive at 150 km/h into a building and lose control of the car, even if they "did not know" that it was dangerous to do so.
Besides... responsible people are always the ones who have to pay for everyone else. If I keep my machine clean and safe, why do I have to suffer because you can't keep yours as mine? Is it my fault if you're stupid/misinformed/uninterested? Clearly it is not. On the contrary, I will think you are responsible for any damage (probably just some wasted bandwidth, but still) your machine is causing.

Re:People that matter don't care

[giorgiofr]

the responsibility for the crime will always remain with the criminal

and if, after being the victim, you start being the criminal, you will be held responsible for your crimes. for example: if you get HIV while being raped (btw... that's sad in so many ways I cannot count them) and you later go around merrily spreading it, you are certainly not responsible for being raped but you are for spreading the disease.

Re:People that matter don't care

[LordOfTheNoobs]

Maybe some administrators need to do what they did when there was no enforcement in the American old west. Take justice into their own hands. So you have the IP of a vulnerable bot that is assaulting your network? Nuke the SOB. If you must be friendly, leave a happy little "Your machine has been hijacked and when asked, your ISP was too busy to tell you. So I have conveniently and remotely removed all network drivers from your system."

Or, with a nod to the William Gibson, a little BLACK ICE to damage the foreign system beyond repair.

This is unrealistic I'm sure, illegal almost definately ( proactive self defense ? ). But damn would it be nice.

Is anyone really surprised?

[khasim]

What did anyone expect?

The problem with anti-virus software is that it is 100% reactionary. The anti-virus companies don't release updates for viruses that they haven't seen yet.

That's why I view viruses/worms as a failure of the security model of the system.

Trojans are a different matter. But even with those there are ways to mitigate the effects. If nothing else, requiring a password before installing an app will solve most of the "naked pictures of celebrity" emails. There will always be a few idiots.

Foreigners... it's always foreigners.

[gowen]

Skilled hackers in Eastern Europe, Asia and Latin America are selling zero-day exploits on Internet forums where moderators even test the validity of the code against anti-virus software

Phew, its a good job there are no malicious hackers in North America.

Thank God for the calming, lawful influences Mom's Apple Pie, Truth, Justice and Barry Bonds' adrenal glands.

Things That Make You Go Hmmmm...

[rueger]

Let's see, the ISPs and other "authorities" can't do anything to stop the "black hat" hackers and mafia, or even refuse to do so.

Yet at the same time ATT is channelling massive amounts of customer traffic to the NSA for examination and interpretation.

Perhaps someone needs to define Mafia=Terrorist?

Look at the Price!

[Spinlock_1977]

$25 to infect 10,000 pc's sure is cheap. If this guy can get only 25 bucks per 10,000, he must have competitors (read: there's a lot of people doing this), and it must be easy to do. These, of course, are not good signs.

However, it occurs to me that the best measure of Microsoft's success in security is the market price for 10,000 infections. For example, if Vista turns out to be an inpenatrible tank, we should see the price go up to 50 or 100 bucks, maybe more.

At the end of the day, until we all stop using the same operating system, we're doomed to a continual barrage of large-scale infections (remember the Irish potato famine?)

$25 for 10.000 computers

[SmallFurryCreature]

No wonder Bill Gates doesn't believe in the 100 dollar laptop. He is supplying the world with PC's that cost you a fraction of a cent.

Only kidding of course, well partially. How many botnets consist of linux or OS-X machines?

It does however show just how hopeless windows security is. Even criminals have costs so if they can make a profit after paying their hosting and electricity and hardware and man power with just 25 dollar per 10 thousand machines then the cost and labour of infecting a windows machine must truly be trivial.

Lets face it the mafia doesn't do it for penny profits. They are not supermarkets surviving on a 1 cent per sale profit. They want millions and they want them now.

How many times $25 does it take to intrest a mobster?

Frankly I don't think the problem is going to go away. The idea that MS is ever going to provide a secure OS is laughable and even if they did nothing helps against a dimwitted user who happily installs anything if it promises a nudie picture.

They only two easy solutions I see is to install a serious watchdog on the net. One who can kick off ISP's that host the mob AND users who let their PC's get infected.

Would that be workable? Even "respectable" western ISP's barely respond to complaints about attacks. We got a spam watchdog that already kicks of ISP off the email net when they misbehave and this just barely works. If the same was applied officially to the net as a whole entire parts of the world would be disconnected.

Perhaps it is just something we got to live with. The real live mafia never went away. Why should the net be any different. As long as their is money to made people will attempt to get it.

Some don't care, some don't understand...

[trazom28]

Most law enforcement I've worked with are great at their job.. if they can see it. Example - someone commits a crime, they can investigate and arrest. However I'd say about 1/2 of general law enforcement people do not grasp the concepts of the "virtual" world, through no fault of their own.

While Opping on irc, I noted a person claiming to sell laptops at 1/2 retail cost.. new ones. I pretended interest, and got some contact info.. forwarded this on to law enforcement for his area... within a week, the detective emailed me to say they'd busted a fraud ring. It was tangible, they could deal with it :)

Internet crimes still deal a lot in the virtual world, and if you haven't been trained on how to.. visualize and understand it, it's a tough concept. Not everyone gets it.

As with a lot of things, the key would be training. You're probably not going to get a small town sheriff trained, however some of the larger sheriff's departments would be excellent centers for this.. keep it to county level, forward to state or federal if needed.

Re:Some don't care, some don't understand...

[AK+Marc]

It was tangible, they could deal with it :)

They are all tangible at some point. Someone uses a stolen credit card number to buy a widget. Sure, it takes 20 steps of "cyber crime" until the actual fraud is committed, but the crimes always come back to the physical. The problem is that the physical is too late to stop, in most cases.

I called the FBI on two occassions and told them of people that were trying to defraud me. They asked, "did they already get any money from you?" when I told them I wasn't that stupid, they said they weren't intersted in the solicited fraud. They wouldn't investigate without actual loss, they are too busy to prevent crime or catch people that probably did successfully defraud others. They'd rather have the open case they can ignore when the next person doesn't know what a 419 is...

And people wonder...

[John+Hansen]

... why other people can take advantage of their computers?

I run a network in a medium-sized business. When I came in, there was no IT staff to speak of. All the workstations were Dell computers, mostly running the default installations of Windows XP. There was a Windows 2000 domain controller set up, but most of the computers were not set up for the domain, meaning that there were no default security policies. The E-mail server had an antivirus scanner installed but it wasn't updating its definitions.

Since I came in, I've had to reformat & reinstall at least half of the workstations because they've been infected with spyware and viruses. This is because, despite having virus scanners, spybot scanners (Microsoft Anti-Spyware, Spybot, and Ad-Aware), and Firefox installed, the absence of IT staff meant that the company staff were ignoring spybot warnings, the antivirus was not up to date, and they were browsing the web with Internet Explorer.

I'm still fighting the use of Internet Explorer, since we have no real reason to be using it -- most all of the websites we access are Firefox friendly. However, the momentum means that I can't just block out access to it in the domain policy. People need to migrate their bookmarks and preferences over, and that isn't done overnight. It's maddening.

So who do I blame when I see headlines like this, or when I look at the company I work at and see a mess? My first point of blame lies with Microsoft for creating such a vulnerable infrastructure to begin with. And that's not because I'm an anti-MS or Linux zealot. It's true, I run Linux at home on every computer. It's also true that since coming in, I've set up a number of Linux servers and a Linux firewall. I know how to work with Microsoft products and lock them down to a reasonable state. It's just that it frustrates the hell out of me when a product built-in to the operating system has so many vulnerabilities, and it's a freaking product used to browse the web! Not something essential to the system like the kernel (which has problems too)... a web browser! Something that should have no system access!

So yes, I lay most of the blame for this kind of travesty at Microsoft's feet. Had they actually thought their design through before they started coding, I can almost assure you that we would not be having this kind of problem to begin with. There would be viruses for Windows, yes. There would be worms for Windows, yes. But I find it unlikely that a properly-designed Windows would have made it possible for there to be millions of zombie PCs across the world, able to be bought by the highest bidder.

The rest of the blame I lay on user education. Most people with computers are totally oblivious about what's on the Internet. They just click on the big 'e' and surf their favorite porn sites, check email for funny comments, et cetera. And then they wonder why they get hundreds of popups and their computer runs slow as frozen molasses. Some of this could be stopped if network admins took some effort to educate their users in a business environment (herculean but possible, and I know some organizations actually do so). Which leaves the home PC users. What do you do about them? Well, I think that's more Microsoft's responsibility, since they're the ones who created the product.

In the meantime, I'm setting up Ubuntu for people who want it, or giving out CDs with it on them and directions. And most people I've switched have been quite happy with it, since their main needs are web browsing and Email and it covers those. So until Microsoft produces a product that I can actually recommend to my mother, I cannot recommend Windows.

IE purchase?

[qwp]

So........
When i went to purchase these 25,000 computers with my trusty Internet Explorer v4.0, I actually got A DEAL!. They tossed in a extra computer now I control 25,001. These guys are soo nice!.

Oddly Appropriate Quotation

[pmike_bauer]

Considering the topic, the quotation at the bottom of the page is appropriate:

You can do more with a kind word and a gun than with just a kind word. -- Al Capone

AV software is akin to a kind word when it comes to combating the net mafia.

During the Wild West days when law enforcement was scarce, militias and posses were deputized to keep the peace. Today, police and government are stretched thin, so Congress should deputize 'white hats' to attack/track down virus writers. This has got to be better than the reactionary stuff we are legally permitted to use.

This will never happen

[Opportunist]

Holding Joe Sixpack responsible for his computer's actions? Doubt it.

Remember that he's the one that generates money for the ISPs. He's not downloading Terabytes of movies.
He is the one that buys the crappy "download accelerators" and other useless programs.
He is the one that uses online banking.
He is the one that buys at Amazon.com and EBay.

Let's face it, he is the one they shape the internet for! The 'net ain't our net anymore. Hasn't been for well over 10 years now.

Now imagine he's held responsible for what happens out of his box. He doesn't know jack about his PC. He doesn't know he has a zillion dialers, trojans, adbots and whatnot, from klicking EVERYTHING presented to him. He only knows that "the net" somehow "did this" to his PC.

What is he going to do? Learn how to use it? Or stop using it altogether?

Which one is more likely? And would the industry like that reaction?

So will he ever be held responsible?

But some are trying

[BenEnglishAtHome]

I've installed and run investigative workstations for my employer. It ain't easy. Our methodology is to set up workstations that are as bulletproof as we can make them (considering the places we're going to visit, that's a given) and then let specialists try to develop leads. We have procedures to allow non-LEO personnel do the initial legwork; they surf and chat and poke around, extensively logging everything. When something interesting pops up, they're free to dig deeper. Eventually, when they think they have enough information to write up a report, they do so and turn it over for review. If it's picked up for serious investigation, either on the criminal or civil side, it passes from their hands and they never really know what becomes of it. That's fine with me; the initial lead development is what's fun, anyway. I'm one of the few people I know who can say he's spent a great deal of time being paid by Uncle Sam to surf porn (and other unsavory stuff).

What bugs me are the amateurs. There's a certain nexus between the sleazy side of the porn world and financial crimes, so I've spent a bunch of time in places that, at first blush, might seem more titillating than profitable. You would not believe how many transparently fake attempts are made by local, often small-town cops to entice people into illegal behavior. By far, the most common problem is the "I'm a 12-year-old girl. Would you like to talk to me about sex?" thing. Yes, some of them are that crude. Apparently, there are a bunch of Barney Fifes out there who have convinced their bosses to set up an AOL account for them in a back room at the police station for the purpose of generating a few easy, cheap, and sensational arrests that'll get the name of the local DA in the paper before the next election.

I used to wish they'd just go away, but afaik perhaps they already have. I haven't worked in lead generation for several years so I haven't been in any of those places in quite a while.

Anybody have any recent experience with this? Are there still woefully clueless LEOs out there popping up at inappropriate places pretending to be hot-to-trot preteens? God, I hope not; they were a royal pain in the ass.