The making of a cybercrime market

I recently had the opportunity to speak with two representatives from the Netherlands-based security research firm Fox-IT--Maurits Lucas, InTELL Business Director, and Andy Chandler, VP of WW Sales & Marketing. Collectively, the two shared an in-depth story of cybergang warfare suitable for Hollywood.


I recently had the opportunity to speak with two representatives from the Netherlands-based security research firm Fox-IT--Maurits Lucas, InTELL Business Director, and Andy Chandler, VP of WW Sales & Marketing. Collectively, the two shared an in-depth story of cybergang warfare suitable for Hollywood.

As the events unfolded through their words, I quickly began to see into the business minds of the cybercriminals they described. Even more interesting to me was that a cyberbusiness was actually being created and an entirely new market was being defined. This piece provides a glimpse into how the cybercriminals used business best practices to rake in the cash.

The start-up

Our business case begins in 2006 and is rooted in technology. On the surface, this business case could sound like any other presented by one of the top universities, where the subject business is created from a well-balanced mix of supply & demand, driven by revenue, enabled by innovation, and rife with competition. However, this story isn't about your traditional mainstream commercial business. Instead, it is one of a lucrative underground cybercrime business.

Commercializing the POC

The proof of concept (POC) for the new business began with the creation, introduction, and successful use of a man-in-the-browser (MitB) malware kit that formed a botnet specifically targeting financial institutions. Victims were typically companies or wealthy individuals with large amounts of cash periodically available in their bank accounts--for example, funds transferred to a specific account to pay the wages of their employees.

The malware itself was designed to first attach itself to the host browser, allowing it to modify any Web page it wanted to before rendering it to the user. Once hooked to the browser, the malware would insert additional code (a botnet) into the banking website page(s) the user visited.

This isn't the scary stuff, however. The real payload comes when the botnet leverages its newly-formed connection to the banking systems located on the other side of the browser as a channel through which it can insert the real attack--the insertion of monetary transaction code that essentially creates a digital money mule.

Zbot, now publicly referred to as ZeuS, was the first appearance of such a malicious botnet, complete with phone-home and command & control service management. Its creator, known on underground channels as Slavik, sold the industry's original malware kit on the cyber underground for a going rate of $8K. Slavik's proof-of-concept turned out to work extremely well; he made a lot of money and some of his customers made even more money by launching some serious online banking attacks using the malware kit he created and sold.

As the new market grew, the question for the business eventually became one of scale, margins--and greed.

I spy some competition

It took three years for a new version of the ZeuS botnet to surface. In 2009 ZeuS version 2 appeared, adding a tremendous amount of new functionality to the product. ZeuS v2 was more robust, capable of handling take-downs better, and included new features such as the ability to monitor network traffic, capture screen shots, record the victim's keystrokes, steal certificates, and even connect to other systems using the victim's IP address. New versions signaled success: A business had been born.

As with most businesses, the exposure and recognition of success spurs the introduction of new offerings from one or more competitors. While the business of cybercrime is neither legal nor moral, it happens to be no different from a legitimate business in this sense. So, as you can imagine, as Slavik created and established this new bot-based banking fraud market, at least one viable competitor would surface. And it did.

The first competing product, SpyEye, was authored by someone using the underground aliases Gribodemon and Harderman. While the first versions of this malware were laughably bad--meaning they often failed to run and would even blue-screen-of-death the host victim's computer--these kits only cost $400. This was a huge slash in price compared to the $8K charged by Slavik for his ZeuS malware kit.

With its aggressive pricing, the market took notice of SpyEye. The revenue generated by SpyEye was seemingly re-invested by Gribodemon to quickly improve the software, and the competing product soon started to gain market share--even after Gribodemon found he could successfully increase the price of his kit from $400 to $1K.

As its foothold solidified and the SpyEye software became more mature, its author began to get extremely aggressive in other areas of the business. Gribodemon went directly after the ZeuS market share, looking for complete domination. A fierce battle ensued.

One example of a traditional tactic used by SpyEye was a competitive takeout. Gribodemon's goal was not only to just win net new customers but also to replace existing ZeuS customers. Gribodemon built his SpyEye malware kit such that, upon successful injection of the botnet into the host browser, it would check for the existence of the ZeuS botnet and remove it, essentially taking over the system and all banking accounts previously compromised by ZeuS.

In true business form, Slavik responded in kind with updates to his Zeus kit. Another example of a traditional business tactic applied by SpyEye was one of a competitive migration. Gribodemon delivered a feature in SpyEye called "Spy Config" that extracts the configuration defined in the ZeuS malware kit, loads it into the SpyEye configuration, and provides additional documentation on how to leverage the ZeuS configurations.

With the configuration mapping and education complete, SpyEye's users would know how to follow the ZeuS injector; they would also have a clear view into what ZeuS was up to and what to do with the system, connections, and accounts. Most everyone interested in the SpyEye kit knew how to read ZeuS malware configurations. This feature made it extremely easy for customers to switch from the ZeuS malware kit to the SpyEye malware kit.

"Recommended For You"

Zeus Trojan alternative created from scratch hits the underground market 'Gameover ZeuS' P2P bank-theft botnet has infected 678,000 Windows PCs