Proactive IT Security
Cyber crime imitates legitimate business

Introduction

We have earlier discussed the fact that cyber criminals are becoming increasingly sophisticated in their attempts to obtain illegitimate gain.

See for example our articles

We will now look at an example of how illegitimate businesses imitate legitimate ones.

The case: The malware builder kit ZeuS/Zbot

In brief

ZeuS/Zbot is perhaps the most widely used malware kit specializing in creating malicious programs for stealing banking information.

The malware kit has been around for some time, and consists of a set of different modules, which may [presumably] be purchased from the creator(s). The modules are priced separately. Examples of modules are support for Windows 7 / Vista and Virtual Private Network (VPN) functionality. The modules are quite expensive, allegedly costing from some hundred USD for the cheapest to around USD 10 000 for the most expensive.

Computers infected by ZeuS/Zbot-generated malware are set up to participate in botnets controlled by those who have purchased the kit. The malware uses several different spreading techniques, and also uses quite advanced techniques to avoid detection by antivirus programs.

The irony

ZeuS/Zbot malware has by far been the most successful (seen from the criminals' point of view) malware for stealing banking information in recent years. It is estimated that several million computers have at one or more points in time been infected by ZeuS/Zbot-generated malware.

And what happens when a non-free program becomes that popular? It also gets illegally installed on a substantial number of computers!
This is exactly what has happened to the ZeuS/Zbot malware generation kit. The creator(s)' business model is thus jeopardized. The latest version of the kit is consequently reported to have a built-in copy protection mechanism.

A common countermove against illegal distribution

Various techniques to prevent illegal copying of software have been used for decades, and several technologies have been deployed. Among those considered quite strong are the hardware-dependent ones (of which there are several sub-classes), which is what the ZeuS/Zbot creator(s) seem to favor in the current version of the malware kit.

The protection is said to work in such a way that a unique key is created for each "legitimate" user, based on characteristics of the computer where the kit is installed. If, for whatever reason, the malware kit needs to be reinstalled on another computer, a new key has to be obtained from the kit's creator(s). Seen from the kit users' point of view, this is of course somewhat cumbersome.
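To make the described scheme concrete, here is a small added example (our own illustration, not code from the ZeuS/Zbot kit, whose actual implementation is not documented here). It assumes that the vendor derives a fingerprint from a handful of machine attributes (the attribute names, sample values and the vendor secret below are constructed for the example) and issues a key bound to that fingerprint; on a machine whose attributes differ, the same key no longer verifies, which is exactly what forces the buyer to go back to the vendor for a new key.

```python
import hashlib
import hmac
import json

# Constructed vendor-side secret. In a real scheme the vendor keeps this
# private; see the note below on why a symmetric secret is the weak spot.
VENDOR_SECRET = b"example-vendor-secret-do-not-reuse"

# Constructed machine profiles. Which attributes the real kit reads is an
# assumption; typical candidates are CPU id, disk serial, MAC and volume id.
MACHINE_A = {
    "cpu_id": "BFEBFBFF000306A9",
    "disk_serial": "WD-WCC4E1234567",
    "mac": "00:1a:2b:3c:4d:5e",
    "volume_id": "1A2B-3C4D",
}
# Same box, but the kit was moved to a different hard disk.
MACHINE_B = dict(MACHINE_A, disk_serial="ST1000-98765")


def hardware_fingerprint(machine):
    """Derive a stable fingerprint from the machine's characteristics.

    The attributes are canonicalised (sorted keys, no whitespace) before
    hashing so that the same machine always yields the same fingerprint
    regardless of the order in which the attributes were collected.
    """
    canonical = json.dumps(machine, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode()).hexdigest()


def issue_key(fingerprint, secret=VENDOR_SECRET):
    """Vendor side: bind a licence key to one fingerprint with an HMAC."""
    return hmac.new(secret, fingerprint.encode(), hashlib.sha256).hexdigest()


def verify_key(machine, key, secret=VENDOR_SECRET):
    """Client side: recompute the expected key for this machine and compare.

    compare_digest avoids leaking, via timing, how many leading characters
    of a guessed key were correct.
    """
    expected = issue_key(hardware_fingerprint(machine), secret)
    return hmac.compare_digest(expected, key)


def demo():
    """Issue a key for MACHINE_A and try it on A, on B, and with a forged key."""
    key_for_a = issue_key(hardware_fingerprint(MACHINE_A))
    return {
        "original_machine": verify_key(MACHINE_A, key_for_a),
        "after_disk_swap": verify_key(MACHINE_B, key_for_a),
        "forged_key": verify_key(MACHINE_A, "0" * 64),
    }


if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case}: {'accepted' if ok else 'rejected'}")
```

Two things are worth noting about this toy. First, changing a single attribute (here the disk serial) invalidates the key, which is why even a legitimate reinstall on new hardware requires contacting the vendor. Second, because verification runs on the buyer's machine, the client must contain either the vendor secret (as in this symmetric variant) or, in a better design, only a public key for checking vendor signatures; either way the check itself lives in code the user controls and can be patched out, which is what a cracked "free" version on a warez site would amount to.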

More irony

Ironically, this may turn out to be an advantage for the potential victims of the malware generated by this kit. The ZeuS/Zbot malware kit becomes less widespread, and one may reasonably assume that less malware is produced overall than if the kit were unprotected. The creator(s)' intent with this maneuver is to prevent "illegal" installations, and the subsequent spread of malware from those "illegal" installations.

It remains to be seen whether someone cracks ZeuS/Zbot's protection mechanism and posts a free version on warez sites. Such an outcome would be triply ironic.

Conclusion

Once more we see an example of those involved in Internet-based criminal activity adopting business models used in legitimate commerce. Criminals face the same threats to their business models as legitimate businesses do, and they act in the same manner to optimize their profit.

More information

For more detailed information about the malware generator ZeuS/Zbot, we recommend SecureWorks' research article.

The malware generated is described in Norman's description of the Zbot family of trojans.