Who's hacking your PC?

A hacker speaks

Not all hackers are convinced that Russia is the world's centre for cybercrime, either. Abdulrahman Alibrahim (also known as 'Earthquaker') is a hacker who calls himself a 'grey hat': he claims that he never acts with malicious intent.

Alibrahim talked exclusively to PC Plus through an intermediary. "To be honest about what's written ... I think that this is not true because computer crimes happen on a daily basis from all around the globe," he says. "[The existence of] computer crime depends on the reason it has been committed: for money, private information, threat or even for fun.

"In the end, a crime is a crime, no matter who committed it and where he is from," says Alibrahim. "But in my personal point of view, [people refer] to Russians in computer crime maybe because they are so talented."

This is a view echoed by David Emm of Kaspersky Lab. "Right now," he says, "though more stuff is coming out of China, the stuff coming out of Russia is probably more sophisticated because they tend to focus on the botnet as opposed to single attacks. One of the things we've looked at is whose resources are used to host malicious programs. That doesn't necessarily mean that they develop the programs, but again China comes out top in that list. The Russian Federation is actually number five. Though a lot of the stuff gets written in Latin America and Russia, the attacks aren't necessarily hosted on machines in those countries."

So, are crooked programmers writing malicious code for profit, selling it to criminals who then perpetrate electronic crime? Or do the criminals write their own programs? "It's both, actually," says Emm. "A lot of the attacks now are drive-by downloads. They're web-based. So they look for a compromised server somewhere and secrete their code in it, so that when you go to view the page you get infected automatically. And quite often it's done through an exploit bundle where they put together a composite script that will exploit a whole series of different applications, depending on what vulnerabilities the user might have. MPack is the name of one of the most common ones."

MPack is a PHP-based malware bundle that was created by Russian hackers in 2006. It's marketed to criminals as a commercial package that costs between $500 and $1,000. Frequent updates keep it one step ahead of antivirus software. MPack even comes with a management console that allows the botnet owner to keep track of how many computers have been infected, which browsers their owners were using at the time and which countries they're in.

Following the money

Last year, Mikko Hypponen – F-Secure's Chief Research Officer – called for an international organisation to fight cybercrime. The amount emanating from Russian soil is, he claims, less than you'd think: "As a rough estimate: a third," he told us. "Note that that's not just Russia by itself but pretty much all of the old Soviet Union: Russia, Ukraine, Belarus, Kazakhstan, Latvia, and so on."

"The two other main cybercrime hotspots are China and South America," says Hypponen. "Especially Brazil, which is the number one country in the world creating trojans affecting online banks."

Dave Emm of Kaspersky agrees. "It's difficult to put a categorical figure on it," he told us. "In terms of stuff we get in, it's probably China at the top, and that's more than 50 per cent. Next would be between Russia and Latin America. A lot of the banking trojans originate out of Latin America."

Roger Thompson, Chief Research Officer at AVG Technologies, believes that cybercrime is evolving into a threat that can come from anywhere: "While there are a lot of malware and web threats coming from Russia and China, there is also lots of activity in Turkey, Romania, Brazil and the US," he says.

"We expect that these threats will continue to spread and it will become increasingly difficult to establish who is behind them. This is not about infancy, but rather a maturity of cybercriminal gangs – the groups may be international and using infrastructure and websites from many different parts of the world. The only real way to find the perpetrators, like traditional bank robberies, is to follow the money."

But just like following a chain of IP addresses, following the money is difficult. "It often involves multiple countries, and there are many different layers and players in the malware industry, from the [software development kit] writers to the botnet masters and malware data resellers," says Thompson.

Other consultants that we spoke to also aren't convinced about the size of the threat posed by Russian organised cybercriminals. The press make claims for a Russian cybermafia type organisation running cybercrime from behind the scenes. Is this the case?

"The plain and simple answer to this question is no. Personally, I believe this to be media hype," says Alex Constantinides, director and Security Consultant at MetaSec Security. "I believe that these claims are unfounded and unjust. I would love to see evidence that backs this statement up. Even if the statistics proved that the vast majority of cybercrime came from Russia, this is not evidence that the crimes committed are directly linked to the mafia."

So where does Constantinides believe that most online crime originates? "It is our belief at MetaSec that there is more high-tech crime coming from Asia than there is from Russia. On top of that, we hold no belief that this crime is run by the organised crime outfits like the Triad. No doubt the Triad probably have their part in it, but we do not believe they run it."

But could Russian cybercrime be linked to its more traditional mafia? Constantinides still isn't so sure. "The Russians in general are not small players in cybercrime by any means, but there's no way of knowing how many of the attacks that come from Russia are actually linked to the Russian mafia."

China caught red-handed

Shortly before PC Plus went to press, news broke that researchers at the University of Toronto's Munk Centre for International Studies had discovered a massive cyber espionage network with strong links to China that contained hacked computers belonging to 103 foreign governments.

Helped by Cambridge University, the group discovered a total of 1,295 compromised computers belonging to foreign ministries of countries as diverse as Bangladesh, Latvia and Iran. The discovery of the GhostNet cyber espionage network is just the latest in a trail of evidence pointing to the world's largest communist state.

"China is presently the world's largest internet population," says a recent report from the Information Warfare Monitor, a think-tank based at the University of Toronto. "The sheer number of young digital natives online can more than account for the increase in Chinese malware," it goes on. "With more people using computers, it's expected that China will account for a larger percentage of cybercrime."

China's economy has been especially hard hit by the current recession. At the CanSecWest security conference held in Vancouver in March, CEO of Beijing based Knownsec, Wei Zhao, said that the country's cybercrime industry is booming. He claimed that IT security researchers are beginning to sell network vulnerabilities rather than report them. "China is not only the world's factory, but also the world's malware factory," he said.

Perhaps the reason the West hears little about Chinese cybercrime is because the domestic pickings are huge; China has over 250 million computer users. But the annual McAfee Virtual Criminology Report shows that Chinese cybercriminals are branching out. "Thought to be a target because it houses the HQ of both the EU and NATO in Brussels, Belgium has had emails containing spyware sent to State departments.

Similarly, India claims its government and private sector networks are under constant cyberattack," claims the report. "The cyber-kingpins remain at large while minor mules are caught and brought to rights. Some governments are guilty of protecting offenders."

Regardless of which country houses the most cybercriminals, Munro warns that cybercrime could become even more organised in future. "I can almost guarantee that every power in the world of any significance has got [botnet] technology at their disposal," he told us.