Social Trojaning

I went to my favourite fraud underground forum, bought my favourite Trojan kit (I like Zeus), and then I looked through the Build-a-Trojan checkbox list to see what the next step is.

Find hosting.

Hosting. Yeah, I knew this one was coming. Trojans are not like self replicating viruses: you can’t just spread them and wait for the entire western hemisphere to crash down. I’ll actually need to keep in touch with my user base. That is to say, I need to set up a server to command and control the army of zombie machines I hope to amass. A safe haven on which I can store all the data I’m about to steal from all those thousands of would-be-victims, access it anytime, and send update commands to my obedient thralls.

Options… Options… So many options.

I could go for bulletproof hosting. These aren’t too bad. Not very expensive either. The same fraud underground has plenty of offerings. Lets see… Oh, here’s one. Bulletproof offshore hosting. Unlimited storage, unlimited bandwidth. Good for Trojans, botnets, Phishing, illegal content. $15 per month.

But I have a problem with bulletproof hosting. I mean, how bulletproof ARE they? Take AS Troyak, a major hub for the Zeus Trojan: it became unstable in March. And the entire McColo rogue ISP, which was supposed to be highly reliable, was taken down in November, leaving hundreds of stranded botnets.

So, bulletproof? I’m not too sure about that. I don’t want to invest all my time in building a magnificent 50,000 hijacked PC botnet, steal gigabytes of credentials from the blissfully ignorant, and then have all of it go down in smoke.

Hey, I could host everything in the Cloud. Some other guys do it. Trojan configuration files, drop points for stolen data, even my command and control server. I suspect, however, that it might be easily detected. Public Cloud providers try to scan their infrastructure for malicious use; they don’t want to spend their bandwidth on hardworking fraudsters like me.

I can try to build my own highly resilient infrastructure, just like the big guys do. The Sinowal gang built a very impressive framework, with high availability and terrific disaster recovery for the Trojan operations. But I’ll be the first to admit that this sort of thing is a bit beyond my technical know-how, and is too time consuming.

So… Where does this leave me?

I’ll have to think about it. Meanwhile let me check what’s going on in my social network page…

Eureka! Social networks!

***

As the recent RSA FraudAction blog elaborates, fraudsters have started using social networks to host command and control messages for their Trojans. Specifically, the operator of a certain strain of Brazilian Banker opened a fake social network account under the name Ana Maria. Ana is quite busy: she wrote a long string of alphanumeric garbage which starts with the letters EIOWJE. That’s a pre-defined trigger phrase that is followed by an encrypted message. The Trojan goes into Ana’s account and reads whatever she says… Then it decrypts the hidden instructions and acts upon them.

The blog notes several other discoveries that are all related to the use of social networks to support malware infrastructure. Granted, this doesn’t provide the entire scope of bulletproof hosting, but it’s a free, high-availability, easy to use, nearly undetected method for commanding your army of hijacked computers.
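The pattern described above (a fixed trigger phrase followed by a long run of encrypted "garbage") is exactly what a platform or fraud team can look for on the defender's side. The following Python detector is an added example, not code from the original post or from RSA FraudAction: it scans a timeline of constructed sample posts and flags those that either start with the reported trigger phrase EIOWJE or contain a long, high-entropy alphanumeric token. The author names, post texts, thresholds and the `Finding` structure are all assumptions made for illustration.

```python
"""Heuristic detector for covert command posts on a social-network timeline.

Added example, not part of the original post. It flags posts matching the
pattern the post describes: a trigger phrase (EIOWJE, as reported) followed by
a long run of alphanumeric "garbage" that is really an encrypted command.
All sample posts and author names below are constructed for illustration.
"""
import math
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple

# Trigger phrase reported in the post; in practice this list comes from threat intel.
KNOWN_TRIGGERS = ("EIOWJE",)

# Tokens of at least MIN_TOKEN_LEN characters with at least MIN_ENTROPY_BITS of
# Shannon entropy per character are treated as likely encoded payloads.
# 4.5 bits sits above the 4.0-bit ceiling of hex strings, so plain hashes
# (a legitimate thing to post) are not flagged by the entropy rule.
MIN_TOKEN_LEN = 30
MIN_ENTROPY_BITS = 4.5

_TOKEN_RE = re.compile(r"[A-Za-z0-9+/=]{%d,}" % MIN_TOKEN_LEN)


@dataclass
class Finding:
    author: str
    reason: str
    token: str


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character of s (0.0 for the empty string)."""
    if not s:
        return 0.0
    n = len(s)
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def classify_post(author: str, text: str) -> Optional[Finding]:
    """Return a Finding if the post looks like a covert C2 message, else None.

    Rule 1: the text starts with a known trigger phrase (strong signal).
    Rule 2: the text contains a long, high-entropy alphanumeric token
            (weaker signal; base64 blobs and some URLs can also match).
    """
    stripped = text.strip()
    for trig in KNOWN_TRIGGERS:
        if stripped.startswith(trig):
            return Finding(author, f"known trigger phrase {trig}", stripped)
    for m in _TOKEN_RE.finditer(stripped):
        tok = m.group(0)
        if shannon_entropy(tok) >= MIN_ENTROPY_BITS:
            return Finding(author, "long high-entropy token", tok)
    return None


def scan_timeline(posts: Iterable[Tuple[str, str]]) -> List[Finding]:
    """Run classify_post over (author, text) pairs and collect the hits."""
    findings = []
    for author, text in posts:
        f = classify_post(author, text)
        if f is not None:
            findings.append(f)
    return findings


# Constructed sample timeline: two suspicious posts, two benign ones.
SAMPLE_POSTS = [
    ("ana.maria", "EIOWJEkQ9zT2mXb7LpR4vN8cY1wF6hJ3dG5sA0uE"),  # trigger + payload
    ("ana.maria", "Zx9Qw2Er5Ty8Ui1Op4As7Df0Gh3Jk6Lz"),         # payload, no trigger
    ("joao", "Had a great lunch with friends today, beach this weekend!"),
    ("maria", "a" * 40),                                       # long but low entropy
]

if __name__ == "__main__":
    for f in scan_timeline(SAMPLE_POSTS):
        print(f"{f.author}: {f.reason} -> {f.token}")
```

The trigger rule is the reliable one and is only as good as the list of known trigger phrases; the entropy rule catches variants with a changed trigger but will also fire on legitimately shared base64 blobs or opaque URLs, so in practice it is a triage signal to combine with account age, posting cadence and the absence of any natural-language content, not a verdict on its own.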

So, Social Trojaning – here I come!

***

Quick summary of the hosting methods I mentioned:

  • Bulletproof hosting – which you buy
  • Your own infrastructure – typical to organized crime groups
  • Cloud computing – moderately technical skills, high availability
  • Social Networks – free, resilient, difficult to detect

I can also ditch the entire hosting idea and just go Fraud as a Service. ZeusTa sells a $120/month subscription for a service that will infect victims with the latest Trojan, fully managed by the provider. Think Salesforce. What you basically buy is a user name and password. Then you just wait for all the data the Trojan steals to be available in your account.

But what’s the fun in that?

***

Let me add a final note. Social networks are a GOOD thing. They encourage connectivity, collaboration, openness. They can be a great driver for growth if you’re a business. But like any new technology, they can be misused. And due to the very nature of social networks, this misuse can spread fast. With time, these will be more controlled – as the threat moves to new horizons.

Oh, and if you’re bored, read the user comments in the Threatpost article about this topic ;)


Uri Rivner, CEO and Co-Founder, Refine Intelligence

This post is from a series of posts in the group:

Innovation in Financial Services

A discussion of trends in innovation management within financial institutions, and the key processes, technology and cultural shifts driving innovation.
