Every time you read that a cybercriminal has been convicted or arrested, you can be sure that security professionals and malware researchers from around the world have done a great deal of work to investigate that crime.
Whether it is disabling a spam botnet, taking the Koobface gang out of the game, or arresting criminals who used the ZeuS banking trojan, in every case law enforcement agencies around the world have actively relied on the help and skills of the expert community – especially those working for anti-malware companies – to conduct the investigations and forensic analysis that can then convict cybercriminals.
Jeff Williams knows something about the hard work needed to identify malicious attacks and to research them in preparation for a criminal investigation. Before joining Dell SecureWorks, Williams was a team leader at the Microsoft Malware Protection Center (MMPC), where he was involved in several important botnet takedowns, including Waledac, ZeuS and Kelihos.
In his interview, Williams explained that there are several types of investigation, and that they almost always start with an antivirus lab in some part of the world. “Sometimes this starts with a law enforcement investigation. Sometimes with a new malware sample that we investigate.
But even in the first case, the police and intelligence agencies come to us to better understand the malicious application that serves as a crime weapon. At Microsoft, our priority was to protect our customers, so we immediately needed to assess the scale of the problem, its impact on Windows users, and what we needed to do to protect them,” said Williams.
This job is multifaceted. “The guys in the lab are doing some rough work. They certify that the malware does exist, and then there’s the time-consuming collection of samples and their research (reverse engineering),” Williams said. The analysis done for law enforcement also has to take apart complex encryption algorithms and dissect the protocol used for “communication” between the botnet’s nodes and its command center.
“We want to know how executable binary files are controlled by the botnet’s management infrastructure, where the botnet’s nodes are, and what commands can be given. All this is done in the antivirus laboratory. This is a very important job,” said Williams.
Once the lab has fully understood the malicious application, technical countermeasures are taken: antivirus databases are updated or security technologies are improved – all before law enforcement agencies start their work.
“Sometimes it takes a court order to take control of a botnet, so you need to work closely with law enforcement to be successful,” Williams explained.
Costin Raiu, head of Kaspersky Lab’s Global Research and Analysis Team, agrees that cybercrime investigations can be extremely complex.
Raiu’s team has worked closely with Microsoft, CrowdStrike, OpenDNS and other security industry players to disable several large botnets, and he describes this work as multi-faceted and time-consuming. “The expertise of the researchers is sometimes critical, and it is on their work that a criminal is convicted or escapes responsibility,” said Raiu.
In addition to reverse engineering, which helps to fully understand the botnet’s algorithms, and handing data over to law enforcement agencies, expert teams usually collaborate with Computer Emergency Response Teams (CERTs) to seize compromised servers or to redirect the bots’ requests to a server under the researchers’ control, since this helps to gather evidence for trial.
“Cybercrime is an extremely complex area, so malware researchers often have to be experts in high-tech crime proceedings,” Raiu explains.
Antivirus lab work often includes open-source intelligence (OSINT) research. This is a very tedious part of the investigation, as it means going through the web with a fine-toothed comb to find any trace of the attacker or of the attack itself.
“During an investigation, many indicators can shed light on the identity of a cybercriminal. Some parts of the malicious code may include a villain’s alias or be programmed in a ‘corporate identity’. This can be the starting point for finding the bad guy,” says Williams.
Researchers take aliases or other hints from the malware, or an email address associated with one of the domains involved in the attack, and then scour communities such as Facebook, Twitter, YouTube, wikis, blogs and other sources of user-generated content in the hope that the bad guy used the same alias or email address somewhere else.
In the Koobface example already mentioned, the Facebook security team conducted exactly this kind of investigation and published the names, photos and other details of the people suspected of carrying out the attack. These names were handed to the press as part of a name-and-shame operation.
Most of the technical work is done to protect consumers, but the information is then passed on to law enforcement to support arrests. When it comes to arrests and trials, it is a safe bet that a significant part of the work was done in a research laboratory.
“Identification of hackers and arrests are not necessarily part of the original operation. But when the laboratory acts to protect the ecosystem and discovers something important, the results can be passed on to law enforcement to take legal action,” Williams added.
He also stressed that the work must be done to a high standard, as it will be presented in court and must withstand scrutiny by lawyers.
Researchers often complain about the slow pace of police investigations, especially when it comes to more dangerous attacks such as banking Trojans. It was this slowness that forced Facebook to go public in the Koobface case, but Williams noted that things are gradually getting better.
“There is definitely a need to harmonize laws in different countries. Criminals know where the laws are softer on their part and what to do to avoid being noticed and arrested. But law enforcement agencies are increasingly aware of how to conduct such investigations.
We’ve seen successful cases that used existing laws which are not specifically aimed at cybercrime,” he added, referring to the Zotob case, in which criminals were jailed for money laundering, fraud and tax evasion.
“It’s a natural evolution of defense to adapt to change and begin to disrupt botnets and find their organizers. Without disabling botnets, criminals earn money and can invest it in future attacks.
Without changes to the law, it remains a one-sided game. But now we seem to be approaching a point where the defenders have the experience of cooperation, the established connections and technologies, and the cooperation with law enforcement needed to move the game to the other half of the field,” concludes Williams.