This is the final part of the study where The Grugq and Fyodor Yarochkin are explaining more details of the Russian hacking business during the Q&A section.
Yarochkin: Alright, do you have any questions?
Question: On your point about the ratios: so, this guy was offering the best ratio; do you know any figures?
The Grugq: That is an excellent question. One of the things that we planned to do, if we’d actually been accepted for this talk before yesterday, is we wanted to develop metrics to see how costs of services have changed and costs of goods have changed over time, and also the number of people offering things – you can see that partnerships start appearing at one point, and there’s one guy offering it, and suddenly there’s ten; and you could track all these trends. So we wanted to develop metrics and stuff like that. But we didn’t, because we didn’t have the time. What are the ratios for that? I have no idea. I know that the word for it is “otstuk” (“отстук” in Russian), which means something close to “feedback”.
Yarochkin: In one of the advertisements, they mention a 30% “otstuk”. So, if you get 1000 visitors – 300 get infected.
The Grugq: We came across a post about a botnet where they’re making fun of a guy for charging so little. These dudes are ragging each other a lot on the forums; it’s a really hostile environment. For example, some dude shows up and says: “I’m offering this thing for sale”, and all of a sudden he gets “You suck!” in response. It’s just guys like us. Another case: there was some guy trying to sell a botnet for $440 (440WMZ), and everyone’s like: “How come it’s so cheap?”
Yarochkin: The guy says: “I’m selling a botnet, complete set, for $440. All questions via ICQ”. And then the other guy goes: “Is it only 20 bots or what?” And the guy answers: “No”. The next question is: “Fewer?” And some other guy says: “It must be Zeus botnet”. You know, Zeus is like a builder for botnet binaries so you can build custom binaries with custom function, and they are not supposed to be detectable by signature-based antiviruses. And then the guy goes: “I’ve got over 5K bots in my botnet”. And the other guy asks: “5K bots – is that online ones, or total number?” And they answer is: “Of course it’s total. 5K online bots cost more”.
The Grugq: So, one of the things you see is that with botnets the actual membership fluctuates quite a lot, based on whether PCs are up and they’re able to connect. But you will have a large pool of infected machines and a subset of ones that will be available every time.
Yarochkin: Yeah. He’s giving some further details on the package: “Apart from the bot, I’m also selling 5 clean builds of the loader”, – a clean build means it won’t be detected by an antivirus, – “also hosting and domain pre-paid for a month”. That’s it.
The Grugq: So, these dudes are really funny online. We also saw on a forum someone selling a botnet for $2000, but he didn’t offer a lot of information, and it was obviously too rich for these guys. What other funny stuff have we got?
Yarochkin: There was an incident in Russia, where an online video player was requiring you to download a codec, and the codec would be a binary which, aside from being a codec, would manipulate your Hosts file and send your traffic somewhere else. There’s, like, a Russian version of Facebook called Vkontakte.
The Grugq: So, there was a phishing website set up for this Russian counterpart of Facebook. And the binary was weak, and their PHP skills were lame; and it ended up that the password was actually available on the Internet. Basically, it was posting everything directly to one address and you were able to download it.
Yarochkin: You could get the source code for the phishing Trojan.
The Grugq: So, that’s the fascinating world of the Russian hacking forums.
Yarochkin: Do you have any more questions? Anyone want a free beer?
Question: Aren’t most of these forums monitored by Kaspersky?
Yarochkin: I think the volume is too large. I don’t think Kaspersky actually follows up this stuff.
The Grugq: I think a lot of the stuff that they post on these forums is not binaries or something; it’s not like: “Here’s the latest virus that I’ve now written, please download it for free and add it to your antivirus signatures”. It’s more like this stuff: “Hey guys, I’m selling a botnet” or something. So, monitoring it is not going to generate revenue for Kaspersky unless they want to start doing open source intelligence gathering.
Question: These are not password-protected forums, right?
Yarochkin: Not really. You have to sign up if you want post stuff, but even if you don’t have a login and password, you can still see most of the stuff; you might not be able to see some links and attachments.
The Grugq: They don’t have very long time spans, so they won’t be monitored a lot.
Yarochkin: They’re coming up and going down all the time. The longest possible time span there is probably a year or so.
The Grugq: One of the problems is that I’m pretty sure a lot of these forums get registered with hacking, like with stolen credit cards. So, after 1-month payment cycle the web host goes away; and they move on.
Yarochkin: There are good websites to look for new forums. Those are like online bookmarking services in Runet, the Russian Internet, and you can search for the keywords – and this way you find new forums.
The Grugq: We really wanted to make a lot of this automated and then be able to pull out metrics and start being able to offer information, but… We’re looking for numbers; we’d like to be able to track what’s happening. As I said, part of our problem has been that Fyodor doesn’t scale.
Yarochkin: Maybe I will.
Question: Why don’t you just hire some of the guys on the forums?
The Grugq: Yeah, for 3 bucks a day. I think if they could speak any English at all, they would probably make a lot more money than they are doing now. You see that pretty much everything and anything gets for sale. These dudes can come up with the rudest ideas of what they can sell for money. Well, that roughly comes to the end of everything we were going to talk about. So, thank you guys very much! Who said they wanted free beer?
Read previous: From Russia with Love.exe 4: Geeks, Not Gangsters