Analysis: The Impact of Malware Developers' Takedowns

Gartner's Litan, Other Experts Weigh Long-Term Effect on Trojans' Use
Analysis: The Impact of Malware Developers' Takedowns
Avivah Litan of Gartner Research

News of a guilty plea by a Latvian hacker who acknowledged that he helped to enhance the Gozi Trojan, and reports of two new arrests apparently related to the banking malware strains Citadel and Dridex, are promising developments for the international fight against cybercrime.

See Also: M-Trends 2024: By the Numbers of Today's Top Cyber Threats & Attacker Operations

"What's changed is that law enforcement, threat intelligence and financial institutions are collaborating much more closely," says financial fraud expert Avivah Litan, an analyst with consultancy Gartner. "Also, everyone is getting better at attribution, i.e., finding the hackers behind the malware."

Litan says law enforcement and fraud teams and U.S. banks have dramatically improved their ability to attribute attacks to specific hackers because of work they have been doing to monitor activity in underground forums.

"Multiyear efforts at going underground into deep Web forums are starting to pay off," she says. "Threat intel firms and law enforcement find these hackers communicating in underground forums that have been infiltrated by the good guys. The good guys are then are able to trace those communications to real people living in real places."

But bringing these hackers to justice all depends on where these "real people" are residing.

Tom Kellermann, chief cybersecurity officer at threat-intelligence firm Trend Micro, says cross-border law enforcement collaboration is at an all-time high. "The Electronic Crimes taskforces, some of which exist in Europe, are the ties that bind," he says. "Extradition is now viable, with the exception of the hacker haven that is Russia. The 78 Russian forums will remain untouchable, as they are viewed as national assets within a culture of Robin Hood."

The real key to catching cybercriminals and bringing them to justice is closely monitoring their activity and nabbing them when they visit a country that has extradition treaties with the U.S., says another cybersecurity expert, who asked to remain anonymous. "If the targets enter a country where there is an extradition [treaty], law enforcement will pounce," the expert says.

Only time will tell if these most recent malware-related arrests, and the guilty plea in the Gozi case, will have any long-term impact on the future production and sale of banking Trojans, the expert adds.

Gozi Guilty Plea

Deniss Calovskis, a Latvian coder known as "Miami" who was charged and extradited from Latvia to the U.S. in 2013 for helping to develop and enhance Gozi, last week pleaded guilty to a single count of conspiracy to commit computer intrusion, according to a statement provided to Information Security Media Group by the Department of Justice.

Appearing before Magistrate Judge Gabriel W. Gorenstein on Sept. 4, Calovskis admitted that he wrote code used to enhance Gozi, a banking Trojan that is believed to have infected more than a million computers worldwide to resulted in the loss of millions of dollars between 2005 and March 2012, according to federal prosecutors (see Did Feds Defuse Blitzkrieg on Banks?).

"Since its inception, the Gozi Virus has infected well over a million computers around the world, including at least 17,000 comptuers in the United States, of which more than 160 were computers belonging to the National Aeronautics and Space Administration (NASA)," prosecutors.

Calovskis developed Web injections that were designed to alter how banks' websites appeared on infected computers in order to fool victims into keying in personal information, such as mother's maiden name, that was then transmitted to other co-conspirators to access and steal funds from victims' bank accounts, according to the Justice Department.

Calovskis' sentencing date has been set for Dec. 14. He faces a maximum of two years in prison.

Arrests Linked to Dridex, Citadel

Meanwhile, a 30-year-old unnamed man from Moldova wanted by U.S. authorities for bank cyber fraud was recently arrested in Paphos, a vacation destination in Cyprus, according to the Cyprus Mail. The Mail reported that authorities there were in the process of handing this hacker over to U.S. authorities, which had issued a warrant for his arrest.

Cybersecurity blogger Brian Krebs, quoting sources close to the investigation, reports that the 30-year-old arrested in Moldova is a key player in the cybercrime ring responsible for developing Dridex, a variant of malware strains Cridex and Bugat that emerged in 2014. The malware is designed to steal personal information and online banking credentials.

Krebs also notes in his Sept. 7 blog that Norwergian newspaper VG reported that local authorities in Norway had recently arrested a Russian hacker known as "Mark," who allegedly was wanted by the FBI for being the developer of Citadel - a Zeus variant that emerged in 2012 that's sold as a supported malware-as-a-service product in the underground.

The Justice Department would not comment about these two recent arrests. Several threat-intelligence sources tell ISMG that it's premature to draw any conclusions about connections between these arrests and efforts by U.S. law enforcement to bring the actors behind these malware strains to justice.

Security firm iSight Partners contends that these two arrests, even if they are, in fact, linked to Dridex and Citadel, will likely have little impact on these malware strains' use and distribution.

"Despite the arrested individual's alleged importance to Dridex malware operations, we suspect that the group [behind Dridex] will continue to leverage the malware, although [the arrest] appears to have resulted in some fluctuations in their activities and could result in changes to their operation," iSight Partners says. "As for Citadel, we do not believe the alleged developer's arrest will affect the threat the malware poses, as its source code was leaked in 2012 or 2013 and has continued to be used during the developer's nearly year-long house arrest in Norway."

About the Author

Tracy Kitten

Tracy Kitten

Former Director of Global Events Content and Executive Editor, BankInfoSecurity & CUInfoSecurity

Kitten was director of global events content and an executive editor at ISMG. A veteran journalist with more than 20 years of experience, she covered the financial sector for over 10 years. Before joining Information Security Media Group in 2010, she covered the financial self-service industry as the senior editor of ATMmarketplace, part of Networld Media. Kitten has been a regular speaker at domestic and international conferences, and was the keynote at ATMIA's U.S. and Canadian conferences in 2009. She has been quoted by, ABC News, and MSN Money.

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing, you agree to our use of cookies.