Who's Stealing Your Passwords? Global Hackers Create a New Online Crime Economy

A sophisticated new breed of online criminals is making it easier than ever for the bad guys to engage in identity theft and other cybercrime.

PAGE 2

January: Discovery
Don Jackson is a security researcher for SecureWorks, one of dozens of boutique security firms that have emerged to deal with the inherently insecure, crime-ridden, ungovernable Internet. Jackson’s company and others like it usually sell security products, but their real value is in the research they do. With law enforcement overtaxed by and under-trained for electronic crime, these firms have become a primary source of intelligence on underground Internet activity and VXers’ latest innovations.

Seems like an expensive hobby for a small company but the expense associated with the hardcore intel and technically arduous research is more than paid for by its value as a marketing tool. Being the first to market, even when your product is bad news about security, wins press attention and, it’s hoped, customers. As such, the little security startups stock up on researchers like Jackson who have a working, or sometimes intimate, knowledge of the criminal hacker underground. All day, every day, security researchers at these small companies are dissecting malware that they discover, chatting with bad guys and poking around their domains.

Still, neither the sheer number of firms and jobs like Jackson’s created in the past five years, nor the fact that larger companies like Verizon, Symantec, IBM, and BT are acquiring those companies, is a sign that the good guys are catching up. It’s more a sign of how much money can be made trying to catch up. Internet crime is profitable for everyone, except of course its victims.

Jackson’s friend was a victim, but of what he wasn’t sure. All he could say was that several of his online accounts had been hijacked and that a scan of his computer turned up a conspicuous executable, or exe, file, one that wasn’t detected as malware, but wasn’t recognized as something legitimate either. The friend asked Jackson if, as a favor, he’d take a look.

Jackson obliged and discovered that the file had been on the system since December 13, 2006, almost a month. If it turned out to be something new and malicious, then Jackson had discovered a 0-day exploit. It would be a publicity boon for SecureWorks.

Jackson downloaded the exe to a lab computer. “Generally, the exe is not all that exciting to researchers who see hundreds of samples each month,” says Jackson. “There are some exceptions.” This was not an exception. Jackson found a derivative of Corpse’s Haxdoor form grabber, just a new cultivar of an old species, albeit a reasonably well-crafted one. Like several form grabbers before it, this one intercepted form data before it was SSL-encrypted, meaning that the little glowing lock in the corner of the browser, the one that online merchants will tell you assures you that you’re on a safe page, meant nothing of the sort.

Jackson named his discovery after the transliteration of a Russian word he found inside the source code: Pesdato. Later, when he learned what that word meant in Padonki, a kind of Russian hacker slang, he changed its name, instead choosing the moniker of a cartoon character that he made up in grade school: Gozi.

The process of fully deconstructing Gozi took Jackson three days. On the third day, as he pored over the source code, Jackson noticed that the sample on his lab computer was communicating with an IP address that he thought was owned by the Russian Business Network. RBN is a notorious service provider out of St. Petersburg, Russia, that Jackson and others say is an ISP with a reputation for accommodating spam and other malware outfits. Normally, Jackson thought, bots would be stealthier about communicating with RBN. Maybe this was a mistake. Curious, he decided to poke his head in and look around on the RBN server that Gozi was talking to.

And what he found stunned him. As he sailed off through the servers and in and out of files and almost over a database to where Gozi’s home base was, Jackson found a full-fledged e-commerce operation. It was slick and accessible, with comprehensive product offerings and a strong customer focus. Jackson, no one really, had ever seen anything like it. So business-like. So fully conceived. So professional.

It was early February by the time he found a 3.3 GB file containing more than 10,000 online credentials taken from 5,200 machines—a stash he estimated could fetch $2 million on the black market. He called the FBI as he prepared to go undercover to learn more. If he had known at the time what pesdato, that Padonki slang word, meant, he might have uttered it under his breath when he realized what he had stumbled onto.

He had stumbled onto the next phase of Internet crime. Gozi was significant not because the Gozi Trojan was innovative or hard to detect. It wasn’t. It was in many ways no different than its four-year-old ancestor Berbew. No, Gozi was significant, Jackson thought, because it wasn’t really a product at all. It was a service.

The Golden Age
Gozi represents the shift taking place in Internet crime, from software-based attacks to a service-based economy. Electronic crime has evolved, from an episodic problem, like bank robberies carried out by small gangs, to a chronic one, like drug trafficking run by syndicates.

Already every month, Lance James’ company Secure Science discovers 3 million compromised login credentials—for banks, for online email accounts, anything requiring a username and password on the Internet—and intercepts 250,000 stolen credit cards. On an average week, Secure Science monitors 30-40GB of freshly stolen data, “and that’s just our company,” says James.

Given that, you think you’d have heard more about Gozi, or about this chronic condition in general. But you haven’t. Beyond the research community, Gozi and the other Trojans stealing all this data have been largely ignored. A half-dozen CSOs and CISOs contacted for this story, including some representing banks and online merchants, had either never heard of Gozi or vaguely recalled the name and not much else. And why would they? Gozi made it through a news cycle and it was reported without context, with a tally of the known damage, like a traffic accident. And yet, Gozi wasn’t that at all. It was an idea, a business model.

Even after it fell out of the news, and despite the fact that Don Jackson and the FBI believed they knew how it worked, and who was running it, the Gozi Trojan continued to adapt to defenses, infect machines and grab personal information.

“Do you have a credit card? They’ve got it,” states another researcher who used to write malware for a hacking group and who now works intelligence on the Internet underground and could only speak anonymously to protect his cover. “I’m not exaggerating. Your numbers will be compromised four or five times, even if they’re not used yet.”

“I take for granted everything I do on the Internet is public and everything in my wallet is owned,” adds Chris Hoff, the security strategist at Crossbeam and former CISO of Westcorp, a $25 billion financial services company. “But what do I do? Do I pay for everything in cash like my dad? I defy you to do that. I was at a hotel recently and I couldn’t get a bottle of water without swiping my credit card. And I was thirsty! What was I gonna do?”

That’s the thing about this wave of Internet crime. Everyone has apparently decided that it’s an unavoidable cost of doing business online, a risk they’re willing to take, and that whatever’s being lost to crime online is acceptable loss. Banks, merchants, consumers, they’re thirsty! What are they gonna do?

The cops lack resources and jurisdiction. And in some cases, security companies are literally shifting their strategies away from trying to secure machines connected to the Internet; they’re giving up because they don’t believe it can be done.

It’s a conspiracy of apathy. For the criminals, this is great news. They stand blinking into the dawn of a golden age of criminal enterprise. Like Barbary Pirates in the 18th century, and like Colombian drug cartels in the 1970s, malicious hackers will run amok, unfettered, unafraid and perhaps even protected. Only they won’t use muskets or mules. They’ll use malicious code to run syndicates that will be both less violent and more scalable than in the past.

Now is the criminal hacker’s time. In Archangelsk, Russia, it is the HangUp Team’s time.

Next: The inner workings of an identity theft service.
