Virus writers team up worldwide

Global cooperation between malware writers could result in a new wave of hard-to-detect viruses that bring high cost and inconvenience to corporate IT users.

Security researchers have noted growing professionalism among virus authors for several years, but new evidence points to increased cooperation between malware writers spread around the globe, according to some experts.

Using widely distributed IP addresses to spread malware and spam, so as to avoid detection by security companies and law enforcement, is nothing new among online criminals.

However, there is reason to believe that cyber-criminals, specifically virus authors and botnet operators, are teaming up more often with people in other regions of the world to facilitate their respective attacks, said Chris Boyd, the UK-based director of malware research at FaceTime Labs, a division of software maker FaceTime Communications.

Boyd -- who used his presentation at the RSA Conference 2007 in February to detail botnet activity, including a group based in the Middle East known as the Q8Army that is suspected of backing radical Islamist activity -- said there is even evidence that hackers in China are teaming up with their Western counterparts to improve the quality of their respective attacks.

Ties between groups of crimeware authors in the United States, South America and Eastern Europe have been evident for some time, Boyd said, but an increasing number of attacks he has examined bear clues that Chinese coders are looking outside their borders for expertise to help improve and spread their work.

"It was previously unthinkable that hackers in the West and China would be working together, but we're increasingly seeing interplay of code," Boyd said. "The new techniques we're seeing come out of China suggest that they are picking up tips from hackers in the West to help them fly under the radar, and we feel there will be more of this activity in the coming months."

Boyd said that, like the Q8Army, which allegedly used instant-messaging attacks to plant spyware on victims' computers and build a massive worldwide botnet, Chinese hackers have in the past been known for distributing fairly crude programs that were relatively easy for security researchers to isolate.

But in recent months, Boyd said, he has seen far more advanced threats, with far fewer obvious social engineering mistakes, emanating from the world's most populous nation.

While Chinese malware writers are turning to Westerners to learn the subtleties of tricking people outside their country into falling for their attacks, Westerners are likely asking their new partners to share techniques for avoiding detection by researchers and law enforcement.

"[Virus writers] in America want to learn the finer arts of what not to do to get caught online, and the groups in China appear to be very advanced in that regard," said Boyd. "With the government atmosphere there, where you're likely to go to jail if you get caught committing a crime, they have to be very careful."

The attacks, which Boyd said he has observed on underground forums he declined to name, range from less dangerous adware programs to highly advanced rootkits.

Other researchers said such partnerships could significantly improve malware coming out of places such as China, where language barriers with Western users have helped foil many threats in the past.

Beyond helping foreign authors craft threats that are less likely to raise red flags with end users and security systems, thanks to better spelling and grammar, international cooperation lets threat writers share popular cultural references that make their social engineering ploys more effective.

"Many times, malware writers overseas have gone to great lengths to create the threats themselves, but poor social engineering is a tip-off to native English speakers," said Craig Schmugar, threat research manager for McAfee's Avert Labs group. "And by finding out what sort of things are currently popular in another region, they're also less likely to tip their hands and pull in more people with social engineering."

Schmugar said that by branching out and working with malware writers in other locales, cyber-criminals may also create more opportunities for researchers to infiltrate their ranks and shut down their operations.

He said some attacks may also be designed merely to appear as if they were created in a foreign nation, to throw researchers and law enforcement off the trail.

"Mostly, we're seeing individuals trying to become more globally organised, but the really organised groups do have agents around the globe and some sort of management structure," Schmugar said.

"In one token, the cooperation can help them be more effective, but on the other hand, it might present new opportunities to get caught; how do you know when you can trust what someone tells you about themselves if they're in another part of the world?"
