Keeping up with crimeware

If you are a cracker who has written an exploit, you have a choice between fame and fortune. In the good old days, crackers chose fame. But now fortune appears to be far more appealing. 

Crimeware is a multibillion-dollar economy, according to Chad Harrington, vice president of marketing at FireEye, makers of a crime-stopping — or should I say cracker-stopping — appliance that uses virtual technology to stop an exploit before it gets into your network.

Lest you think crimeware is the domain of some 16-year-old kid with too much time on his hands, here’s the multilayered reality. At the bottom level, there are the crackers. These guys sell the vulnerability information to the next level up, called bot herders. A bot in crimeware terminology is a compromised machine. The bot herders assemble this botnet of compromised machines and sell it to what are called the fraudsters. The fraudsters use the exploited machines to steal identities, customer and employee data, intellectual property, and the like. On the open market, an exploit can be sold for as little as $200 and as much as $50,000, Harrington says.

Although there are layers of security to contend with beyond compromising the operating system, once in the door, the rest is relatively easy pickings.

“Getting back out again is the tricky part,” Harrington says.

Bot herders typically charge $1 per compromised machine, per month. But if they’ve cracked into a major corporation with access to customer and employee data, they could charge as much as $100 per system, per month.

What’s scary is that these botted systems are computers inside the firewall. Harrington tells the story of a botted system that sent out notification of upcoming layoffs and directed employees to a bogus HR site that was hosted on the local domain and managed by a bot herder.

One of the major trends in crimeware for 2007 will be polymorphing botnet worms. These worms morph — change their signature — every four to six hours. FireEye is using virtualization to combat these worms. Rather than trying to guess whether a packet will harm the network, FireEye runs virtual machines and fools the system into sending the worm to one of these VMs rather than the actual network. I asked whether this process slows down the network. Harrington says latency is measured in a couple of seconds if it is something the system hasn’t seen, and microseconds if it has.

FireEye runs most OSes plus a full stack of applications and browsers with users adding what they like.

It sounds as if anyone can set up their own VM solution to do what FireEye does. Harrington admits it is a simple idea but says you have to intercept the traffic in real time, which takes a few patents.

If you set up a honey pot — a machine intended to be compromised — the attacker has to find that machine and compromise it. What FireEye does is “sniff the traffic” off the network and pretend it is the end point.

“There is a conversation on the network going on between Machine A and Machine B. We create a shadow version from Machine A Prime to Machine B Prime. As the protocol goes back and forth, we pretend we are the end point of this conversation,” Harrington says.

Unfortunately, crimeware is a not a virtual reality. It’s the real thing. Will 2007 be the year we finally gain the upper hand? Only time will tell.