The Global Fight Against BotsInternational Collaboration Curbing Malware
Moscow-based cyber-intelligence firm Group-IB is working with INTERPOL to monitor and track online criminals through the takedown of botnets.
See Also: OnDemand | The Future of Code Security
The forensics firm, which has assisted in the takedown of botnets such as Grum, has been working with international law enforcement to profile cybercriminals. And during this interview with Information Security Media Group [transcript below], Group-IB researcher Andrey Komarov explains how his firm monitors undergrounds forums to track the steps of the hackers who sell malware and oversee command-and-control centers.
"We share different cyberintelligence information, including profiling on cybercriminals and also information about money mules," he says.
One of the Group-IB's newest partners is the INTERPOL Digital Crimes Center, which the firm will join in 2014.
"We plan to relocate some of our employees there to provide expert help in digital forensics and cybercrime investigations, including botnet intelligence support," Komarov says.
The Digital Crimes Center's aim is to bring together experts responsible for cyber-investigations to receive threat intelligence from different sources, such as Group-IB, he explains.
"[Currently] there are no unions, especially internationally, which are efficient and have a practical approach for sharing cyberintelligence information," Komarov says.
During this interview, Komarov discusses:
- The increasing need for more global information sharing about cyber-intelligence;
- Emerging mobile malware attacks that are targeting North American banks;
- Why point-of-sale Trojans are quickly becoming the cybersecurity world's biggest worry.
At Group-IB, Komarov oversees international projects related to cyber-intelligence. Before joining Group-IB, which was founded in 2003, he worked within the research institutes of the Federal Export Technical Committee of the Russian Federation and in the structural units of the Ministry of Industry and Trade. Komarov also is a member of the security committee of business for the Chamber of Commerce and Industry of the Russian Federation.
TRACY KITTEN: Group-IB is in a somewhat unique position because of the access that it has to underground forums in Russia. What can you tell us about this unique perspective that your organization has because of your presence in Russia?
ANDREY KOMAROV: Group-IB was founded in 2003 as quite a small company; but right now we're over 90 people and we have branches in New York and Singapore. In 2008, we founded our own CERT and we do lots of stuff together with other CERTs all over the world to share cyberintelligence information about different threats, botnet activities, malware and fraud. We have a special analytics group that's responsible for monitoring different underground communities and forums. They do profiling of cybercriminals, because our key target is to get a full understanding about the profile of the cybercriminal, including physical location. This information we share with law enforcement of different countries, which helps them to reduce the fraud and also to stop some international organized crime groups. We have some good understanding about all cybercrime with Russian-speaking roots; it's very important to understand that right now cybercriminality is located in other countries, such as the former U.S.S.R. countries; it's not only Russia. The great problem for us is to find them in foreign countries, because most of them are moving to E.U. [European Union] and Asian countries, so-called risk zones, where lots of providers ignore abuses or law enforcement requests, which is really difficult for investigations.
KITTEN: Group-IB's mission is to track down the actors behind these cyber-attacks, as well as emerging malware. What kind of work is Group-IB doing to profile cybercriminals?
KOMAROV: First of all, we monitor them for quite a long time, gathering their context in different underground forums or other instant messages. For example, last year we found some developed systems that are used by cybercriminals to share messages with each other, especially during communications with money mules or other fraudsters in other countries, and they try to make such conversations very secure.
We also monitor their physical locations. That's why sometimes we get some support from law enforcement or private investigators to make physical surveillance. Our analytics usually receives some sensitive information about their real meetings in the real world, and it's very important to track their locations - their places of interest. Sometimes it takes maybe two or three years to get a full understanding about not just one member of their cybercriminal gang, but the whole group.
Last year, we had assisted Ukrainian law enforcement in arresting eight members of the Carberp group. It's really a transnational group, recording malware development, for example. The bot-kit model for Carberp was developed by Chinese hackers. It's a true and confirmed fact. It's really important to monitor the whole group, not just several personalities.
One of the key interests for us is the monitoring of the owners of underground communities and the authors of modern banking malware, too, because it helps us track their customers, so-called underground customers, or the products, and to make efficient cybercrime investigations. We share lots of e-crime intelligence information with financial institutions and law enforcement. It's impossible to do it efficiently without this data. I can say that we have confirmed information about authors of all modern banking Trojans with Russian roots, like Zeus, SpyEye, Citadel, Carberp, Andromeda and many others.
KITTEN: What exactly is your company doing to detect fraud?
KOMAROV: The most unique technology we use is botnet striking. We have a special engine called Bot-Trek, which helps us monitor botnets in different networks without physical installation. We do it absolutely remotely and we extract their data about compromised clients from the botnets and share it with banks, e-commerce or other companies, providing them with compromised data, such as credentials, compromised online banking accounts, credit cards, intercepted forms by Trojans, and many other things for reducing potential breaches or fraud. Currently, we have had some successful cases with Microsoft's Digital Crimes Unit, Spamhaus and a series of countries, such as Poland, in joint takedowns of several big botnets such as Virut and Grum. Right now, we provide this software-as-a-service to the banks and the financial industry.
KITTEN: Was Group-IB involved with Microsoft's Digital Crimes Unit's takedown of the Citadel botnet?
KOMAROV: Yes. We have assisted Microsoft's Digital Crimes Unit to help them with sink-holing and takedowns on command-and-control centers located in Russia on .ru and .icu domains, because we control these domain zones by an official agreement with the Ministry of Telecommunications and the National Coordination Center. That's why we can get any personal details about any owner of the domain, or we can block the domain and re-delegate if it's fraudulent or malicious. I can say that, according to our statistics, the biggest part of Citadel command-and-control centers has a Russian-speaking author and currently we're working on investigating his physical location to help Microsoft and law enforcement arrest him.
KITTEN: Has Group-IB been doing any back-end work to help track the growth and activity of Brobot, which is the botnet that's being used to wage distributed-denial-of-service attacks against U.S. banks?
KOMAROV: Yes. We had some information on that and several of our U.S. and U.K. partners asked us for help, because this malware has Russian roots. Several of the command-and-control centers were placed in Russia. ... We established several authors responsible for its development located in the Ukraine and also we have received the full list of targets with timing.
KITTEN: To what do you attribute the pause in DDoS attacks that have been hitting U.S. financial institutions since mid-September. Do you think it's related to some of these command-and-control centers being taken down?
KOMAROV: Possibly, but I would like to mention that right after this investigation we have blocked several so-called bullet-proof hosting operators located in Romania and some Asian countries, with help from police departments in some of those countries. I can say that probably it's because of that. It's very important to locate command-and-control centers. Two of the people we have found were arrested, but they were arrested for other crimes, including money laundering and online banking theft. Probably other members of the group were worried and they stopped their cybercriminal activities for some time; but it could be because of other reasons, too.
Working with FS-ISAC, Interpol
KITTEN: Group-IB is also working with the Financial Services Information Sharing and Analysis Center, as well as international law enforcement agencies such as Interpol. What can you tell us about the work you're doing there?
KOMAROV: Currently, we share different cyberintelligence information, including profiling on cybercriminals and also information about money mules. We monitor money mules in different countries, including the U.S. by watching underground and special underground services which provide money mules to the hackers. We collect the lists of and then share them with banks and law enforcement to stop these mules in the bank or to investigate their details. With Interpol, its Digital Crimes Center is one of our new partners. We will join it in 2014, when the center will be built and ready. We plan to relocate some of our employees there to provide expert help in digital forensics and cybercrime investigations, including botnet intelligence support.
Digital Crimes Center
KITTEN: The Digital Crimes Center is opening in Singapore in 2014. Can you tell us about the purpose of this center?
KOMAROV: I was very surprised when we received information about the center. We were really waiting for quite a long time. Thee are no unions, especially internationally, which are really efficient and have a practical approach for sharing cyberintelligence information. Interpol's Digital Crimes Center is an official law enforcement structure. The key aim and role of the center is to gather different police experts and police officers responsible for cybercrime investigations to receive intelligence from different sources and to share it with national bureaus of countries that official members of Interpol. It's very pleasant and interesting that this center is quite open for the expert community, and some of our close partners are also involved. We're happy to assist and will do our best for them to reduce fraud worldwide and to make cybercrime investigations finalized.
KITTEN: What kind of cyber-intelligence are you sharing with banking institutions?
KOMAROV: We can divide it into several categories. One, the largest, is compromised data. It's the compromise of online banking accounts used by the customers of those banks, including compromised credit cards. The second is money-mule intelligence. It's the list of so-called active money mules. The third category is information about different threats, including brand abusing or phishing. Our CERT helps to monitor phishing. It's very important to have your own cyberintelligence resources or solutions. Modern antivirus or any security hardware, such as hardware firewalls or Trojan-detection systems, they're helpful but they can't reduce fraud. An example is when lots of customers have antivirus systems, but nearly 30 percent of them are infected by new banking Trojans or different private malware; that's why the banks need someone who can assist them and help them to stop fraud proactively.
Emerging Malware Attacks
KITTEN: You've recently identified some unique banking Trojans that were targeting banks as well as mobile devices. What can you tell us about these emerging malware attacks and what made them unique, as well as the organizations that they were hitting?
KOMAROV: We have found several private malware [strains], including new banking Trojans for mobile platforms, especially for Android. Several weeks ago, we found a new sample targeting Australian and Canadian banks. Previously, we have seen the same on U.S. banks. Previously, hackers infect with malware banking customers' standard computers and then they ask the customer to install something additional, such as a mobile banking application, and they upload the malicious application, which helps them monitor the customer - the physical location, the history of the codes and messages - and also to block the calls from the bank if the bank's fraud management department finds something suspicious. The malware also can intercept messages containing one-time passwords. They intercept them and hide from the end-customer. Then they use it for making transfers, and they do this transfer absolutely in silence. That's why the customer can't react to such threats. Point-of-sale malware is also an emerging threat, because we have found nearly 30 command-and-control centers of such malware, [including] BlackPOS. It seems to be Ukrainian authors who are responsible for it. We also monitor new exploit kits, which help hackers spread malware through vulnerabilities in Internet browsers.
KITTEN: What can you tell us about the greatest cyberthreats Group-IB has identified over the last six months? Which industries would you say are most at risk?
KOMAROV: First of all, it's the Grum botnet, because right after its takedown, according to statistics, the total percentage of world spam was reduced by 20 percent. It was targeted not on specific customers, but lots of users worldwide who were infected and their machines were used for spam and DDoS on banks as well. The second is new point-of-sale malware, such as BlackPOS. We have very deep investigations going on now with Visa, because some of the Visa merchants were hacked. Because of poor security, someone placed this malware there. We do this job together with the U.S. Secret Service and the FBI [Federal Bureau of Investigation]. Also, we share this information with Interpol's Digital Crimes Center. For the newest cases, I can't tell you the exact facts, because some of them are confidential. But I can say that in the next month, we plan some very serious arrests of a very big group; possibly some Citadel authors will also there.