Criminal network to trade botnets and malware uncovered
Called Golden Cash, the network enables cybercrooks to buy and sell control of compromised computers, as well as trade tools for creating malware and controlling and collecting data from botnets. Also, the platform contains about 100,000 stolen FTP credentials for sale.
The discovery of the Russian-based platform, believed to be run by individuals related to the Russian Business Network (RBN), was noted in the second issue of Finjan's 2009 Cybercrime Intelligence Report.
Finjan CTO Yuval Ben-Itzhak told SCMagazineUS.com on Wednesday that Golden Cash represents the next step in the professionalism of cybercrime markets. As a result of such platforms, people can expect attacks to grow in speed and efficiency, he said.
"It's no longer a big, technical effort [to conduct attacks]," Ben-Itzhak said. "This is the first time everything has been managed through the same interface. It's everything combined."
The going-rate to purchase packages of 1,000 compromised machines on the network ranges from $5 to $100, according to Finjan. Once the batches are bought, partners are then paid to distribute the botnet and collect FTP credentials entered on the victim PCs. Meanwhile, sellers can use the network to earn up to $500 per 1,000 zombie computers.
Those running Golden Cash also have found ways to protect their operation, Ben-Itzhak said. For one, the platform blocks IP addresses belonging to security vendors (Finjan researchers used IP addresses not owned by the company). In addition, Golden Cash sits behind a number of proxy servers that hide the origin of the actual web server being used.
Gary Warner, director of research in computer forensics at the University of Alabama at Birmingham, said many in the investigative community have known about Golden Cash for some time, but this discovery helps spread the word about the slickness of the criminal underground.
"The news is that they've just been outed," Warner told SCMagazineUS.com on Wednesday. "Finjan has just exposed them to the public eye through their report. I would guess something will happen to them very quickly now that this has happened."
Finjan has notified law enforcement in Russia and Estonia. As of Sunday, the network still was operating, but Ben-Itzhak expects action to be taken soon.
He said businesses can do their part to lessen the success of such operations as Golden Cash by applying patches for vulnerabilities as they become available.
"When you leave these doors open, someone will come in your door," he said.