Friday, June 6, 2014

Blackshades - an international hazard

It is important to note, as I start this discussion, that while malware today is portrayed as dangerous, destructive and part of a criminal enterprise, viruses, worms and trojans were, and sometimes continue to be, little pieces of code that help automate things.

The very first virus written wasn't an assault on a major banking institution; rather, it enabled a programmer to automate repetitive or tedious tasks.

With that said, the FBI has recently reported in a sterilized press release that International Blackshades has been taken down.  What we don't read in the release is perhaps as instructive as what is placed on paper, which is a good reason to dig a bit deeper and try to wrap a little context around all the fanfare.  This isn't about using limited FBI resources on taking down just any cyber criminals.

For those of you who followed me at InfraGard, we produced a weekly IGtv program in which I spoke with security professionals from the world over.  In this weekly Internet show I interviewed a number of professionals from RSA Security's Israel lab.  During these reports and discussions we learned that the world of malware had developed from a freakish, once-in-a-while mad-scientist type of thing into a very purposeful black-market business operation.  Blackshades is not some backroom mad scientist; rather, they are business people selling software, and, as we will learn, much more.  They are careful to insist that those buying their software sign off on a statement of use and legal disclaimers, carefully avoiding international and in-country laws.  Because they are in fact a software company, and a very good one at that, right?

Blackshades develops many different types of software, and the one that focuses our attention is the RAT (remote application tool).  There are many variations of the RAT, and the focus of this post is Blackshades NET.  In researching Blackshades we found it useful to also take a look at DarkComet, another RAT with some pretty good potential but not nearly as powerful as Blackshades.  However, DarkComet has a history in international affairs which is worth reading as we move forward to learn more about Blackshades.  We can see how the development of software has worked its way into the hands of state-sponsored actors.  Recall how Russia used technology to kill communication lines prior to the invasion of Georgia, and now Ukraine.  DarkComet has played a role in Syria.  So pay close attention when we talk about the functionality of Blackshades in comparison to DarkComet; it becomes increasingly important to understand why the FBI would get involved and purposefully release a sterile press release on the takedown.

Blackshades is distributed through some common social media channels as well as phishing attacks, P2P channels and much more.  All of these are very common and well known to the industry.  Its functionality dwarfs DarkComet in comparison.  As Malwarebytes states:

"The BlackShades web site mentions a lot of the functionality the RAT is capable of, from various system administration functions to surveillance functions and computer security.  It doesn’t actually mention ALL of its functionality, as we will discuss, and I think that they might have a hard time explaining on their website the purpose of some of the following functions."
This software toolkit is explosive and is used to hijack websites with its ransomware, which basically locks you out of your site, or maybe encrypts everything (no key provided), until such time as you pay the fee.   Another interesting aspect of Blackshades is the Facebook Controller, which basically takes over your account and posts for you.  Remember, it is said that one in fourteen people in the world are on FB.  Most FB users aren't aware that "always on" means that if you are exposed to the software, even if you have logged off the web but are still signed in to FB, Blackshades will for sure take over.  Logging in and out is a pain, but in today's security environment it is a MUST do.  So when a nation state is acting, it uses many channels to build or tear down a point of view, conduct surveillance, etc.  This tool has built-in DDoS and other attack capabilities as well as Java exploits.  But more importantly, as Brian Krebs reported:
“Blackshades was a tool created and marketed principally for buyers who wouldn’t know how to hack their way out of a paper bag,” wrote Brian Krebs of Krebs on Security. “The product was sold via well-traveled and fairly open hacker forums, and even included an active user forum where customers could get help configuring and wielding the powerful surveillance tool.”

As stated by Symantec, the Blackshades tools (RATs) are popular with cyber criminals and state actors like Libya and Syria.  For forty to fifty dollars one can acquire a very effective software product which can be very destructive, and a product which has helped underground elements to extract millions of dollars from companies the world over as well as some governments.

In summary, Blackshades, which infected over 500,000 computers worldwide, is a more nefarious piece of software than its predecessors, and more than anyone is letting on; in hindsight the FBI takedown is a signal to those "business people": look out, we're watching and we're on top of it.  Ninety arrests in 19 different countries is telling about the scope and depth.  Uncertain is whether this is nipping at the edges or taking out the command-and-control (C/C) capabilities and principals involved.  Most likely the FBI is both happy with the case and noticeably reluctant to say game over.  This snake will continue to slither in and out and pick up again under another name, with more willing players looking to strike it rich quick.  Malware is no longer the mad scientist; it has hit Main Street and the profit center.  Malware is making millions for some of those willing to take the risk of getting caught.  Malware has also taken center stage as a component of state actors.  International cyberwarfare is our reality now and has been for some time.  If you weren't aware, you'd do well to read up.

LINKS:

http://www.symantec.com/connect/blogs/blackshades-coordinated-takedown-leads-multiple-arrests

http://resources.infosecinstitute.com/darkcomet-analysis-syria/

http://abcnews.go.com/Technology/fed-cyber-sleuths-stop-gameover-zeus-cryptolocker-crime/story?id=23964827

http://www.washingtonpost.com/news/morning-mix/wp/2014/05/20/5-scary-things-about-blackshades-malware/?tid=pm_national_pop

More Info:

In the Bureau's custom of sharing the most accurate, vetted information, they updated others today with the latest figures:

Arrests: 103
Searches: 375
Interviews: 163
18 countries involved
Approximate victim computers globally: 700,000
