An Inside Look at the Malware Black Market
"The best program in its class I have ever seen!" gushes one review. "One of the most powerful products on the market," reads another. They're common lines, indistinguishable from thousands of others for thousands of programs. Until you come to this one: "Works well ... to find a new attacker."
These aren't just any reviews. They're comments from satisfied customers of black market malware and utilities, left on forums and sites where user ratings are just one way the shadowy online crooks who profit from spewed spam, virus-laden PCs, and identity theft use standard business practices to sell their illegal bounties. For instance, those user comments affect a seller's displayed reputation rating, a la eBay. Popular underground forums also offer their own product testing reports that make clear whether an attack program can do what its seller claims--something long done by PC World and other groups for benign technology products.
The illicit entrepreneurs even offer tech support and free updates for their malicious creations, and some forums feature escrow services for purchases made through their site. In these cases, the forum holds onto the transaction money as a neutral party until both the buyer and the seller approve the deal--just like the escrow process of buying a house.
Thomas J. Holt, an assistant professor in the Department of Criminal Justice at the University of North Carolina, has spent the past year discovering these practices as he and his team sift through black market sites and collect data on Internet attacks. At the recent DefCon hacker's conference in Las Vegas, he told the crowd how today's malware-peddling Web forums use these buyer-friendly tactics to draw shoppers to their site.
Seller reputations may seem paradoxical in a realm where anonymity is prized. But the identity-hiding handles used by sellers--such as Corpse, or the Cyber Underground Project, or Cr4sh--work much the same as eBay account names, in the sense that they allow reputations to accompany the handle.
A new seller debuts as an unknown, Holt says. Then, as he garners positive user reviews like those above, his reputation improves until he becomes a "verified seller." Conversely, if he's out to swindle the swindlers, he'll become labeled as an untrustworthy "ripper"--someone who rips people off.
Those reputations can persist even if a particular forum is shut down by authorities. Holt discovered one database of rippers that maintains a reference list of known scammers, and even distinguishes public, unverified ripper complaints from vetted private complaints from registered members that are deemed more reliable. It's a sort of black market Better Business Bureau.
As surprising as they may be, virus vendor reputations are only one example of modern marketplace practices in the underground. Some poisonous program promotion sites also mimic the extensive testing from labs that run independent reviews of technology products. The PC World Test Center, for instance, is usually hopping with evaluations on everything from processor speed to application reliability to digital camera photo quality.
Some malware forums offer the same kind of product testing, but instead of benchmarking a computer's speed, they'll test whether a given Trojan can conduct the type of denial-of-service attack claimed by its author, or whether it communicates with other infected PCs in the promised manner. Holt found that some sites will even spot-check a batch of stolen credit card numbers using account verifiers to ensure they're actual, useable accounts. Prospective buyers see the site review listed alongside the product pitch.
So just what can a would-be Internet criminal buy on these sites? According to Holt, for $400 you can purchase the "Illusion DDoS Bot" from the Cyber Underground Project, which touts the malware app as capable of launching a variety of denial-of-service attacks that can overwhelm Web sites and servers, with control managed through an IRC channel or a Web site. If you're on a budget, $30 will get you a customized Pinch data-stealing Trojan that its seller guarantees will not be detected by antivirus applications when it's delivered. Tech support is included.
If you need services, not software, you can hire "razorsasa" to churn out millions of pump-and-dump stock scam messages for $150 per million. And if you're not above dirty tricks to beat out an online competitor, a full day's worth of denial-of-service attacks costs a paltry $100.
If you're in the "carding" business and want to rake in illicit earnings using stolen credit card numbers and financial account information, you can pick up data dumps from ID-theft malware for as little as 20 cents per megabyte.
Whatever the purchase, a buyer will typically contact the vendor privately using an ICQ number, e-mail or, in some cases, a private message sent through the forum. Money generally changes hands through untraceable online services such as e-gold or WebMoney.
It might seem that you'd have to be in the know to find the malware black market. But when Holt began his hunt for these sites, he didn't try for tips from people with dodgy connections. He did what we all do. He Googled.
After wading through a few pages of search results for terms such as "bot, sale, dump, and Trojan," Holt found some junk sites that cut-and-pasted for-sale postings from other locations in the hopes of catching unwary buyers--rippers, in other words. But those ripper sites eventually led him to the real action, where trusted forum admins vet malware and rank sellers.
Holt says he and his university team found sites in Vietnamese, Spanish, English, Chinese and even Arabic, but the most popular sites are in Russian. The team translates sites using a combination of automated and human translators.
That variety of languages is one reason English-speaking authorities can't easily locate and shut down these forums, Holt says. It also takes time and skilled personnel to monitor and analyze posts. Consider that Holt's team has been at work on this for the better part of a year.
Holt says he does share his data with law enforcement, and there have been successful takedowns against known black market sites, such as the U.S. Secret Service-run Operation Firewall three years ago. That operation against the notorious Shadowcrew resulted in 28 arrests around the globe.
But just as a major drug bust can't be expected to dry up the drug trade, Operation Firewall didn't make much of a dent in the online black market. Other sites quickly popped up to replace those that were taken down, and the business practices of the underground malware economy are continually evolving.