Saturday, June 20, 2009

Web Fraud 2.0: Franchising Cyber Crime (Washington Post: Security Fix)

For the most part, cyber gangs that create malicious software and spread spam operate as shadowy, exclusive organizations that toil in secrecy, usually in Eastern Europe. But with just a few clicks, anyone can jump into business with even the most notorious of these organizations by opening up the equivalent of a franchise operation.

Some of the most active of these franchises help distribute malicious software through so-called pay-per-install programs, which pay tiny commissions to the franchise operators, or so-called affiliates, each time a supplied program is installed on an unsuspecting victim's PC.


These installer programs will often hijack the victim's search results, or steal data from the infected computer. Typically, affiliates will secretly bundle the installers with popular pirated software titles that are made available for download on peer-to-peer file-trading sites. In other cases, the installers are stitched into legitimate, hacked Web sites and quietly foisted upon PCs when people visit the sites with outdated, insecure Web browsers.

Experts say one of the longest-running and most successful of these pay-per-install operations is an organization called "InstallsCash," which pays distributors to spread a variety of invasive programs. After you've signed up for a free account, InstallsCash will provide you with an installer file (.exe). They will then pay you between $5 and $140 per 1,000 installs (with higher rates for installations in countries like the United States, United Kingdom and Italy).

InstallsCash tells affiliates that the program they're distributing merely changes the victim's homepage, adds a browser toolbar, and installs a porn dialer, which hijacks the victim's dial-up modem to make expensive 1-900 phone calls. Working with security researchers, Security Fix signed up for an account at InstallsCash to learn what their affiliates were really installing.

What we found was that the installation program given by InstallsCash to distributors installs some of the most sophisticated and aggressive malicious software in circulation today.

According to one analysis by researchers at Atlanta-based managed security services firm SecureWorks, an InstallsCash installer delivered to affiliates in mid-May dropped no fewer than 15 pieces of malware on victim systems, including Cutwail, one of the most sophisticated and prolific spam bots on the planet. Also included were variants of the Koobface worm -- which spreads via social networking sites like Facebook (hence the anagram of Facebook) -- as well as the Zeus or PRG Trojan, a sophisticated password-stealing program.

Separately, experts with security research firm Team Cymru looked at a different installer offered by InstallsCash. Team Cymru found that the installer seeded PCs with quite a different crop of malware, including several Trojan horse programs, a rootkit, a virus and backdoor called Virut, and a generic spam Trojan that turns the victim PC into a spam relay.

No offices or phone numbers are listed on the group's Web site. On its "About Us" page, InstallsCash lists six different instant message accounts that can be used to contact them. Security Fix left messages at all six. The one who did answer, named "Install_Support," said "Ask me your questions, maybe I will answer," but then declined to answer any of them, except to say that he or she was located in Ukraine.


A publicly-accessible test page on the group's Web site indicates that the last person to administer the site did so via an encrypted connection from a DSL account in Kiev, Ukraine.

It is illegal in most countries to distribute malicious software, such as computer worms, with the intention of infecting computers without the owner's permission.

Michael LaPilla, director of malicious code operations for iDefense, a Sterling, Va.-based security intelligence group owned by Verisign, said InstallsCash has a long and storied history, albeit under different names: the affiliate program previously went by the names Iframedollars and Iframecash, and for a long time was among the most visible arms of the infamous Russian Business Network.

"They've been active for so long," LaPilla said. "They just took new names after too much public attention got their old domains shut down."

LaPilla said exactly what that installer program will plant on infected machines varies from day to day, based on two factors: where the victim lives, and which cyber criminal gangs are paying InstallsCash to distribute malware that week.

In 2007, iDefense analysts launched an investigation to see whether the malware being downloaded by the InstallsCash installer changed depending on the geographical location of the victim PC. Sure enough, iDefense found that most of the PCs receiving password-stealing Trojans were served ones that sought credentials for financial institutions specific to the victim's region.
