Ask any researcher who's infiltrated the dark side to gather information on malware or an attacker, and he or she describes the rush of hanging out in a seedy IRC chatroom and posing as a bad guy trying to buy malware or stolen data. But they also say it's a little frightening.
Don Jackson, a security researcher for SecureWorks Inc., had his first such experience recently after helping an acquaintance clean up his infected computer and discovering a new trojan, which SecureWorks has dubbed "Gozi." Jackson went undercover on some known "bad actor" IRC channels and got hooked up with a Russian-speaking one that purportedly sold the malware in question.
"It was a little bit scary," Jackson says. "You never really know who you are talking to, and you know law enforcement is monitoring those, so you want to make sure you communicate with them and let them know so they don't [inadvertently] track you down there."
Jackson, who was posing as a buyer of the malware, says he mostly got a bunch of notes telling him to get lost: "'Newbie, stop asking us... If you don't know the account number, you're not welcome,'" he says.
He may not have fooled the bad guys on their virtual turf, but Jackson did outsmart them by dissecting the trojan and tracing it to stolen information from over 5,200 home PC and small business users. It added up to about 10,000 account records, including account numbers and passwords for major global banks and financial services companies, U.S. retailers, and online retailers. The malicious server, run by Russian hackers, also included data and employee login information for sensitive government and law enforcement applications. They were selling the information for more than $2 million, all told, according to SecureWorks.
A subscription service offering the information was taken down on Monday, but law enforcement officials are apparently still monitoring the host server for now. Jackson provides a detailed, play-by-play account (with screenshots) of his investigation on his blog if you want more details.
The Gozi trojan was innovative in that it used a sniffer to get SSL-protected data, Jackson says. "It used a rootkit-like technique to hide itself," he says. "I could find spyware and malware, but this wasn't getting identified, and no tools could detect it."
Jackson found it manually, so he had to isolate it himself. When Windows booted up, the malware would install itself into the registry and then run and inject its code into Windows Explorer.exe to stay hidden. And SSL-based communications do not protect a user against this malware, because the data is captured inside the infected machine before it is encrypted, he says.
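The persistence step described above (a registry entry that launches the malware at every boot) is the kind of thing a responder checks by hand when no AV tool flags anything. The script below is an added example, not code from the article or from SecureWorks: it parses a constructed `reg export` of the Run keys and flags entries that launch from user-writable or temp directories, that borrow a system-binary name such as svchost.exe without living in System32, or that use rundll32/regsvr32 to load a DLL from such a location. The sample export, the directory markers and the name lists are assumptions chosen for illustration.

```python
"""Triage of Windows autorun (Run key) entries from a `reg export` file.

Added example: the .reg content below is constructed, not taken from the
Gozi case, so the script runs offline without touching a real registry.
"""
import ntpath
import re

# Constructed sample export of two Run keys (hypothetical entries).
SAMPLE_REG_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="\"C:\\Program Files\\Microsoft OneDrive\\OneDrive.exe\" /background"
"svchost"="C:\\Users\\alice\\AppData\\Local\\Temp\\svchost.exe"
"Updater"="rundll32.exe C:\\Windows\\Temp\\upd.dll,Start"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SecurityHealth"="C:\\Windows\\system32\\SecurityHealthSystray.exe"
'''

KEY_RE = re.compile(r'^\[(.+)\]$')
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)+)"="((?:[^"\\]|\\.)*)"$')

# Heuristic markers (assumptions): directories a normal user can write to.
USER_WRITABLE = ("\\users\\", "\\appdata\\", "\\temp\\", "\\programdata\\", "\\downloads\\")
# Names that legitimately live only under System32/SysWOW64.
SYSTEM_NAMES = {"svchost.exe", "explorer.exe", "lsass.exe", "csrss.exe",
                "winlogon.exe", "services.exe"}
# Signed Windows binaries commonly used to run someone else's DLL.
PROXY_LAUNCHERS = {"rundll32.exe", "regsvr32.exe"}


def unescape(raw):
    """Undo .reg escaping: '\\\\' -> '\\' and '\\"' -> '"'."""
    return re.sub(r'\\(.)', r'\1', raw)


def parse_reg_export(text):
    """Yield (key, value_name, command) for each string value in the export."""
    key = None
    for line in text.splitlines():
        line = line.strip()
        m = KEY_RE.match(line)
        if m:
            key = m.group(1)
            continue
        m = VALUE_RE.match(line)
        if m and key:
            yield key, unescape(m.group(1)), unescape(m.group(2))


def split_command(cmd):
    """Split a command line into (program, remaining arguments)."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end], cmd[end + 1:].strip()
    parts = cmd.split(None, 1)
    return parts[0], (parts[1] if len(parts) > 1 else "")


def triage_autoruns(text):
    """Return a list of suspicious entries, each with the reasons it was flagged."""
    findings = []
    for key, name, command in parse_reg_export(text):
        program, args = split_command(command)
        base = ntpath.basename(program).lower()
        target = program
        # For rundll32/regsvr32 the interesting path is the DLL they load.
        if base in PROXY_LAUNCHERS and args:
            target, _ = split_command(args)
            target = target.split(",", 1)[0]          # drop ',EntryPoint'
        t = target.lower()
        reasons = []
        if any(marker in t for marker in USER_WRITABLE):
            reasons.append("runs from a user-writable or temp directory")
        if base in SYSTEM_NAMES and "\\system32\\" not in program.lower() \
                and "\\syswow64\\" not in program.lower():
            reasons.append("system binary name outside System32/SysWOW64")
        if reasons:
            findings.append({"key": key, "name": name,
                             "target": target, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in triage_autoruns(SAMPLE_REG_EXPORT):
        print(f"[{f['key']}] {f['name']} -> {f['target']}: {'; '.join(f['reasons'])}")
```

On the constructed sample the OneDrive and SecurityHealth entries pass, while the Temp-resident "svchost" and the rundll32-loaded DLL in C:\Windows\Temp are flagged. Path heuristics like these only surface candidates; confirming an injected process (the Explorer.exe injection the article describes) still needs a look at loaded modules and threads on the live host.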
One of the most intriguing and frustrating things about this case is that it's not one monolithic crime ring. It's a moving target with layers of bad guys and loosely affiliated groups. "They swap, trade, and do what they need to accomplish to turn this attack into cash," Jackson says.
Even a seasoned researcher can't just jump in and pretend to be a part of the scam, as Jackson learned firsthand. He's currently on the lookout for variants of Gozi, which is now on all major AV vendors' signature lists. "I want to monitor this for a while to make sure the server is taken down," he says. "And there are two other development servers, and we can see them making improvements on it right now. So I still want to follow this group on the backend."
If Gozi variants do show up elsewhere, he says that just confirms there are networks of people associated with this crime ring.
Kelly Jackson Higgins, Senior Editor, Dark Reading