In the earlier days of computers, virus writers and hackers were viewed as fame-seeking and adrenaline-hungry teens with nothing better to do. But as PC usage and the Internet grew, the amount of potential victims grew exponentially and money became the hacker's greatest motivator; spawning a whole new cyber-lexicon that now includes the term criminal. Because of this, hacking and creating malware can be done by just about anyone that’s willing to venture down to the black market with a fist full of cash.
This money-making opportunity has created an entire cyber crime ecosystem of goods and services. There are a plethora of malware do-it-yourself (DIY) kits; malware development organizations and hackers-for-hire -- many located in countries where these activities are not illegal and/or tolerated.
There are also numerous other associated services out there that are required to carry out a large successful attack such as malware quality assurance (QA) (yes, it's true), distribution, and search engine optimization (SEO). All these goods and services can come together to make a cookie-cutter process for the attack originator while also making it nearly impossible to catch them due to all the third-party providers involved.
Understanding this black hat hacking and the processes can help you better realize what you’re up against when in IT security field.
Attacks and scam
There are numerous attacks and scams that almost anyone can pull off when utilizing the numerous underground resources. Here are just a few examples:
- Installing fake look-a-like antivirus software on PCs that fools users into thinking they have viruses and asking for payment to remove them; often called scareware (even Apple is not immune to this one).
- Installing key loggers on PCs to capture usernames and passwords for websites. These sites may include banks or online gambling sites where they could transfer money out of and email accounts or social networks to help spread malicious links or programs.
- Installing malware that looks for and steals specific files for select programs like money management software to obtain sensitive financial details.
- Accessing a particular website or server so many times it brings it down; performing what’s known as distributed denial of service (DDoS) attack, which may be done to aid in the process of hacking or just to wreak havoc.
- Accessing a particular website over and over to increase ad revenues, for instance with pay-per-click campaigns.
- Installing a proxy program onto someone else’s PC, so they can remotely use their Internet access to perform attacks or do illegal file transfers.
Some attacks are targeted towards a particular businesses or organization for the purpose of stealing some sensitive information or large amount of money. But as Gunter Ollmann, vice president of Research at Damballa, has been writing about in his blog, most victims are chosen randomly. The misunderstanding by many businesses that most of these are targeted attacks leads to overall less security. Smaller businesses, for instance, might not feel the need to spend time and money fully securing their network since they’re small and not "vulnerable" because "Who would want to target us?"
Process of deploying malware
The beauty of this system is you don’t have to know programming -- or be technical at all -- to create malware and perform attacks. There are free malware creator programs, like the now parked domain of BitTera.C we saw a couple years ago. More powerful DIY kits, such as Zeus (which is alive and well, unfortunately), are sold on the black market for $400 retail or $50 on the street -- or, ironically, free via pirated copies.
If you’re looking for something even more custom or powerful and have cash to spend, there are endless programmers and hackers-for-hire out there. Custom scripts, antivirus removers, screen grabbers, and password stealers can be purchased for less than $100. Malware loaders can run about $400 and a botnet manager around $800. Some even offer zero-day money-back guarantees so you’re ensured it won’t be caught by antivirus programs right at launch. (How's that for honor among thieves?)
Whether you generate your own malware or pay for it, you might want to be completely ensured it isn’t detectable by the antivirus programs. For this there are independent malware quality assurance (QA) services you can use that run your malware through all the different antivirus engines. Similar to malware sellers, they may too offer a zero-day guarantee.
Depending upon your particular attack and technique, you might also need to setup some overhead resources to pull the whole thing off. For instance, if you’re deploying a fake antivirus program or running a phishing scam you may need to setup a website: maybe copy another attacker’s site, put one together yourself, or pay to have it done. For even more of a fake façade, you might even pay for outsourced phone support that suspecting victims can call to get reassurance.
Once you have your malware created and tested, you have to distribute it. You could use Web crawlers to get email addresses and use mass mailer programs to send spam. However there are pay-per-install (PPI) services to help automate the process and uses multiple distribution channels. One channel may include botnets (a network of infected PCs (called bots) that can be controlled remotely and act as proxies to spread your infection). There are botnets out there at this moment with hundreds, thousands, and even hundreds of thousands of bots. You can rent these bot PCs or install more malware on them by going directly to the botnet owners. Or, if you’re really into the malware game, create your own botnet.
Flooding a website, server, or network with traffic to perform a DDoS attack or traffic is typically made possible by botnets. There’s even a name given to these special botnets, called a DoSnet (denial of service network). You could create your own DoSnet or, like with botnets, rent usage of bots from an existing DoSnet owner.
Want to know more?
To learn even more about hacking and malware, consider studying for the Certified Ethical Hacker (CEH) certification given through the EC-Council. You’ll learn the common exploits, vulnerabilities, techniques used by hackers to better understand the counter measures you should take as an IT security professional.
For hands-on experience, consider downloading -- at your own risk -- a malware DIY creator kit on an old PC. A safer option is experimenting with the BackTrack live CD. Also visit Hack This Site to test and expand your skills. To meet and network with others in the hacker community, attend a DEF CON conference or local meeting.
Always remember, don’t attack or hack anyone else’s network or PC without full written permission! It's probably best to use your hacking skills to better IT security and doing legal penetration testing.
Eric Geier is the founder of NoWiresSecurity, which helps businesses easily protect their Wi-Fi networks with the Enterprise mode of WPA/WPA2 security. He is also a freelance tech writer. Become a Twitter follower or use the RSS feed to keep up with his writings.