Spyware Warriors: The Digital Underground Part One - Read the Transcript
by SpywareGuide Staff
This is a transcript of a podcast originally appearing at ThoughtShapers.com.
Spyware Warriors: The Digital Underground Part One
Jeff Molander: Hello, this is Jeff Molander and welcome to a candid chat with Wayne Porter and
Chris Boyd, both of a company called FaceTime Communications. Wayne is a long time researcher and product strategist type guy with a deep background in online affiliate marketing, which is something that has evolved into a foundation or a platform of sorts for businesses and phenomenon like adware. Hence, FaceTime Communications found Wayne's security software company that he had created and also a data warehouse on various forms of malware to be irresistible. Wayne's company was acquired in early 2005. Today Wayne is Senior Director of Greynet Research at FaceTime and is a prominent blogger at Revenews.com, which is also a blog site he founded in the late 1990's, which makes him an old man when it comes to blogging. One fateful day, while walking the halls of a CNET spyware conference last year Wayne met Chris Boyd and the rest is essentially history.
Jeff Molander: Chris, also known as Paperghost, is Director of Malware Research at FaceTime Communications and is also, like Wayne, a prominent blogger and he's quickly, again like Wayne, becoming a pretty respected security industry expert. In fact, he recently participated in the Anti-Spyware Coalition.
Jeff Molander: So welcome gentlemen, great to have you here. What is this I hear about you guys just yesterday being handed an award or something like that from Microsoft, some sort of designation MVP-designation which is only given out to a handful of security professionals globally, is that right?
Chris Boyd: Yes, it's a community driven program by Microsoft. It's actually performed over a wide variety of fields. There's MVP awards for everything from Microsoft Office to Xbox and server administration, of course. We've gotten one in security, this is my third go round, pleased to say that it's Wayne's first time round. It's basically awarded to anyone that performs in the online security community, be that across forums, coming up with various types of code to remove infections, working in server data bases, things like that. It's a wide variety of skills and resources.
Jeff Molander: Awesome, congratulations to you guys both. How do you feel about that Wayne?
Wayne Porter: I was pretty stunned. I just got my MVP package and Microsoft treats you well. Now we have dual MVPs on our research team, so that's definitely a plus.
Jeff Molander: Before we get into the story of this "RinCe" character, which you guys described in this Digital Underground piece that you wrote up at Spyware Guide, which inspired me to get you guys on the line and hear about it. I want to talk just briefly about FaceTime and what FaceTime does and then we'll get into the whole automated software bots scanning hundreds of thousands of users' machines for their financial and credit card information, not to mention, doing damage to certain machines and corporate systems.
Jeff Molander: Correct me if I'm wrong, but in terms of security solutions and what you guys provide, you're a provider of solutions for the management and control of what is commonly being called Greynet applications. What that really means is that you guys help big companies protect themselves from adware and spyware, also control things like instant messaging, web access, e-mail, peer to peer file sharing, anytime there is something opened up on the network where there could be a penetration of stuff that people who run networks don't want penetrating. In fact, several of the eight largest US financial institutions, according to your website, rely on FaceTime, for systems protection, is that right?
Wayne Porter: Right. We have a lot of big customers, The Chicago Stock Exchange, Bank of Montreal, Bank of New York, Deutsche Bank, Fidelity, a wide array of enterprise customers.
Jeff Molander: So, tell me about these two botnet networks. First of all, what is a botnet network and what from fifty thousand feet did you guys uncover that is such big news?
Chris Boyd: At its most basic, a botnet is effectively a whole chain of PCs that have been infected, cracked by the hacker in question. Generaly, they tend to get keyloggers, rootkits, PC, so they can keep getting back in. Though, if end user manages to remove some of the infection, they'll still be able to get back in [audio cuts out] boolean [audio cuts out] files and keep hold on these PCs. What they do is they chain all of these infected PCs together and they can use them to perform denial of service attacks, which is basically knocking legitimate sites offline. They can use them to buy and sell individual infected PCs on bot trading forums in return for new types of infections and new [audio cuts out] and of course, they use them to install various types of malware and get in their adware system and make a bit of money on the side, while continuing their infections.
Jeff Molander: So, these guys are not only involved in just trying to knock stuff out, knock out networks, but they're also in this for the money?
Chris Boyd: Oh yeah, there's a very active community scene. There's lots of different forums out there where guys, they call them script kiddies, who don't know how to code infections scripts and what they're actually doing, but they can push a button and watch all hell break loose. These guys will sit in the basic sections of the forum and the guys that control these things will only give access to the key players and the trusted players and the private areas where the code actually does work and the real up to date bots, so there's quite a bit of a sort of a power play in the background as well.
Wayne Porter: Jeff, I'd inject there, that's really where we are seeing a paradigm shift in security. It used to be a macro virus or a virus or a Trojan horse, a lot of times were written for glory or fame or bragging rights, but now we've seen a complete underground economy, a black market of sorts that has emerged, partly driven by adware. But, you can see anything from trading of credit card numbers or expoits, a hot exploit could be worth several thousand dollars on these black markets. Then again, the spyware-adware definitely plays a role into that, because once you have control of a machine, you can inject those and you're paid by the supplier.
Jeff Molander: OK, I want to just go right into the heart of this thing. You guys find a botnet, now what this particular botnet is up to is like any botnet, it's going to propagate itself. It's designed to do two things, it's designed to make money through the use of adware and primarily it sounds like through installation of software that people want installed and it's also installing itself. It's also at the same time, on the consumer's machines and certainly business users as well, but it's also being used to do denial of service attacks. So, essentially it's a software application that's being unleashed on the machines and once it's on the machines it can do all kinds of things. It can attack other machines, it can present advertisements, forcing downloads, all kinds of stuff. So, you meet this guy, who you're calling RinCe, and he somehow helps you sleuth around and find some information. Can you start us maybe, Chris, with the beginning of the story here?
Chris Boyd: Well, as far as RinCe goes, he was a guy who initially saw an article of mine that appeared on Digg.com. Digg.com is a site that shovels huge amounts of traffic to other sites when they get posted on it. He used a feature that I've got, which allows people to report anonymous tip offs and let you know if things that are going on that shouldn't be going on and then I go and investigate them and see what the deal is. In this particular instance, he came to me and he mentioned that a group of people who he had known from his past asked him about exchanging some paypal accounts in return for a bunch of credit card numbers that they had.
Jeff Molander: So, you essentially you met this guy online?
Chris Boyd: Yes.
Wayne Porter: Jeff, that's a core part of our strategy, in terms of blogging and community involvement, you'd be surprised at the number of tipsters and whistle blowers or just everyday users that have useful information. So, a big part of our strategy is to try to reach out to those people and take that intel and then investigate it and qualify it and turn it into something useable.
Jeff Molander: So, how do you guys separate out the bogus information and leads from the good leads, so you're not wasting your time?
Wayne Porter: Well, I think some of it just comes with experience. We have a lot of technical expertise, we actually look at files, we analyse binaries, we look at the structure of the whole setup, sometimes we'll look at the financial structure, how these things are going on. It's sort of part science, part artform, I would say.
Jeff Molander: So, like I said, I read on the website, on SpywareGuide.com, what amounted to be basically a transcript. I'm not sure if that was a phone transcript, or e-mail, or IM chat, but here's this guy who appears, who's going to help you now. So, what are his motivations, who is this guy and what exactly does he help you with?
Chris Boyd: Well, as far as this guy goes, he basically got into the hacking scene a few years back. He fell in with those people, got to know them. He'd never really got involved to the extent that he was actually out there performing exploits himself, it was for more curiosity than anything else. Then he sort of fell out of it, but didn't tell these people that he'd dropped out. They all thought he was still involved, so he knew what was going on and who was pushing what exploits. When they came to him and said, "We've got these credit card numbers." That got him intrigued, so he followed it up and queried them as to how they'd got these things and these guys just spilled the whole story to him basically . They had this custom built script that was able to scan potentially vulnerable payment databases, economic databases, basically anything that would store people's credit card numbers or their information, and they were able to use this script to extract that information and send it back to base. Then of course, they would buy and sell these credit card numbers. They would use them to purchase items off the internet, do pretty much whatever they wanted with them really.
Wayne Porter: In this particular case, it was interesting because in the past, one of the primary vectors of attack has been e-mail and obviously ActiveX drive-bys on websites. This particular vector, which we know has been growing, we've seen quite a bit of growth, was through instant messaging. You got a message and you click, it could be from a user, a trusted user on your list, you click and the file was injected in to the system and then that starts the whole process. Without getting into the technical details, once the application is installed, the computer is now compromised and it can be accessed remotely so they can stuff more malware applications onto the desktop. But the real damage here was a script that, like Chris said, was specifically designed to uncover exploits and shopping cart applications. Once they found those exploits, now they're funneling out credit card numbers and paypal accounts and various personal details, so really, you go from the nuisance of unwanted pop-ups to something that's really dangerous and it's coming from a vector that a lot of people just don't think about. They think about instant messaging being really safe, but it's really not. It's a prime place for social engineering attacks, and again, because this comes from trusted people on their buddy list it spreads like wildfire.
Chris Boyd: Of course, there's no sort of remorse or feeling of guilt on their behalf, it's basically a huge game to them. They would pass around screen shots of compromised paypal accounts. I saw one screen shot that was a guy's hacked paypal account and it had eleven thousand dollars in it.
Jeff Molander: I think what you guys are saying here is that, just to take a step back for a moment, we used to have to worry about in the past, where we surfed, certainly the e-mails we received and the links inside those e-mails, do we click on those, do we not, based on a lot of things like do we know who's sending it to us. Also, just casually surfing the internet, Wayne you mentioned ActiveX drive bys, which is a kind of term that we use in the industry when we talk about catching some thing from just surfing websites. Adware, spyware, you really didn't do anything other than click a link, change a web page, view an ad, and you were able to catch something that doesn't do nice things to your computer. So now, what you are saying is other things aren't safe, without panicking everybody here, instant messaging is being exploited at this point. I think that's when you say a vector, that's what you mean is it's coming at a consumer, it's coming at a computer user from a different angle, a different source.
Wayne Porter: Oh definitely, especially in enterprise. It's definitelysomething that IT administrators have not paid attention to when it's really something really critical. It's a primary vector and again, it's a fast moving vector, because people IM very quickly and pass things around very quickly through instant messaging or through Skype. If you're a financial institution, this is really a problem. We're seeing two things, the vectors of attack are changing, because web based attacks are a little easier to locate and find and neutralize and track back, or e-mail or phishing, that's another type of attack, again that goes back to a website. But now we're seeing they're using instant messaging, or they're blending it in with IRC and we're not just seeing a single adware file, we're seeing, like Chris said before, sort of a Frankensteinian approach. They're throwing a number of mixed exploits together or a rootkit, which masks the whole thing. With a rootkit, it evades any virus software, makes it almost impossible to find. The attacks are changing in complexity, the vectors are changing and becoming more creative. Again, this dark economy has sprung up and you now have real resources put into it. You can almost see organized cyber crime emerging, just like you'd see organized crime offline, it's now coming online. We're now seeing the formative stages of that now, it will only get worse, only get more sophisticated.
Jeff Molander: Damn scary stuff, Wayne. Let's go back to RinCe real quick here. Again, who is this guy and why is he helping?
Chris Boyd: Yes, as far as RinCe goes, he was invaluable in the early stages, because the first thing you do when you get a report like this, you don't just blindly believe someone and go, "Oh yeah, great they're doing this, this, and this" and stumble into it because you do have people reporting things to you that are trying to set you up, which does happen, so you've got to be quite wary. That's happened a couple of times, I haven't fell for it yet, thankfully. At first, we did small things like I would effectively get RinCe to social engineer the hackers, we would perform various acts of confidence trickery on these guys. I would discuss with RinCe at length, what sort of information we could get out of these guys, so we could confirm what he was saying. I would send him in, he would come back with various bits of personal information that these guys had stolen and then we would go off and perform various checks to see if this was legit. On one occasion, we got a whole bunch of infected PCs onto a honeypot server we set up, which is a effectively a trap. It looks like a normal IRC server that these guys control all their bots from, in reality you're controlling it and you're logging all the information that goes in and out. The channel filled up with a good few thousand infected PCs and everything he was saying was confirmed at that point. Of course, we had the file scans from e-commerce databases to look at as well.
Jeff Molander: So quite literally, this is just a guy who didn't like what he saw and that's essentially his motivation, his motivation was pure.
Chris Boyd: Yes, yes, there's always the potential for angles involved. In the next case, he basically just stumbled across it by accident and was quite happy to pass it on to someone else and I was more than willing to take it off him.
Jeff Molander: So, you guys put bread on your table by doing this, and there are certain trade secrets and no one here is going to ask you to reveal those. But certainly, from fifty thousand feet, I'm thinking that you can describe how the hell do you pull this off? You've got some accomplices here, you've got people willing to help you every once in a while, but can you tell us just from afar, how do you do the voodoo that only you do here?
Chris Boyd: There is various technical ways you can do it, and they're not particularly any great secret, so I can quite happily to into those. There's obviously things like following money trails, which I'm sure Wayne can talk about at length. As far as the hands-on technical approach goes, there's a number of standard ways of finding and then getting into the inner workings of a botnet.. There's numerous tools you can run, numerous automated malware collectors and there's a whole set of tools that I employ specifically that will sniff the internet basically for new infection files that look like they're coming from botnets. These are tools that you pretty much build yourself with a couple of minor variations here and there. These things will suck down these files automatically and then it's up to you to reverse engineer these things, find out where they've come from, who they connect to, what they do on the infected machine. At that point, that's where the bit of artistry kicks in, because you're effectively trying to get into the channel that the infected PCs joined in the botnet that you're hunting down, and you try and make your PC look like an actual infected drone.
Chris Boyd: I don't know whether your listeners have seen an IRC room or seen the inside of a botnet channel [audio cuts out] the infected users, it's almost like a chat room, in a really crude way to describe it [audio cuts out] in fact, it's used as the joiner channel. We'll have certain letters, they'll usually be grouped by country and there'll be a whole bunch of letters and numbers after the country, depending on how the botnet owner set it up. So, you've got to know exactly what's in there before you go in and you've got to disguise yourself as best as possible. So, you just lurk in those channels for as long as possible without being discovered, and when the botnet owner issues his commands to the infected PCs, at that point you can log in things, taking records, noting everything down, but you've got to be really careful with it because if they do spot you in there, it's not uncommon for the whole thing to be shut down and moved on to another server, and of course you'll incur the wrath of [audio cuts out] and denial of service attacks and more besides.
Jeff Molander: This is sexy stuff, I mean, this is cloak and dagger type of stuff.
Wayne Porter: Yes, there's a number of moving parts and we do have a large team with various competencies, people who specialize in IM, people who specialize in file analysis, specialize in traffic analysis, what's going back and forth; people like Chris and myself, who specialize in social engineering or synthesizing what's moving out there in the back channels or the underbelly of the internet. Taking that raw intel and feeding it into our research team and we refine it and keep refining it until we pinpoint on the problem. Then at that point, our job is to translate that into a protective solution. I really hate to scare people, we don't want to scare people off the internet, but that's actually what we're starting to see. Even with my discussions with hardware vendors or PC shop owners, they are saying that the majority of their repairs customers are junking their PCs. They're coming in and are usually infected with a number of spywares or a multitude of, what I call the aggregate effect, a number of adware programs or they've been Trojaned or very simply just turned off by the internet, they're not going to go there anymore. The really frightening thing and I guess the take-away for the e-commerce audience is if this goes unchecked. Merchants continue to fund and participate knowingly or unknowingly in these channels, polluting the very environment in which we do commerce.
Jeff Molander: You're talking about adware here.
Wayne Porter: Eventually the lake becomes so polluted that no one wants to swim in it any more. "I'm not going to shop online. I'm not going to do this, I'm not going to do that, because it's just not safe." We haven't reached that point yet, but if people don't step up. I believe merchants carry a big part of that responsibility because we are seeing this massive flux because it's money driven. Some of the money is derived from denial of service attacks, [audio cuts out] attacks on machines, or trading stolen credit card numbers. A lot of the money is derived through adware, placing it on their machines is a lucrative business and that's created a warm petri dish for this dark economy to evolve.
Jeff Molander: This concludes part one of Spyware Warriors in the Digital Underground, tune in next week for part two. Need to be alerted when the program is released? Simply visit http://www.ThoughtShapers.com/podcasts and subscribe, we'll send you an e-mail the moment the program is available.
Unless otherwise noted this article is Copyright © 2014 by FaceTime Communications, Inc. This article may not be resold, reprinted, or redistributed for compensation of any kind without prior written permission from FaceTime Communications, Inc. For reprint or media inquires please contact us with the phrase "Spyware Guide Articles" in the subject line and we will by happy to assist you. Links to this article from other websites are appreciated and encouraged. Users are also encouraged to utilize our RSS system to provide unique content and extracts for their site.
Read other articles (back to full list)