Cybercrime is a fact often cited to scare IT managers, directors and other officers for the sole purpose of selling services and setting up costly protection; that trend is about to be overtaken by reality. It is time to take a short walk through the wonderful world of the politics of hacking.
Of course, this article reflects only a personal opinion and is based on facts and analyses that anyone can find on the net in order to form their own view. Recently, the press has echoed many cases related directly or indirectly to cybercrime. Targeted attacks on individuals (phishing, social engineering or otherwise) are not considered here; the many blogs of antivirus vendors already provide good analyses of them.
Several relatively recent and important cases can be mentioned very briefly:
Chinese attacks aimed at the West
Attacks on Estonia
Attacks on many sites in Italy
And so on.
The case of China
Attacks attributed to China have recently made the headlines, which is extremely rare for Internet attacks but is justified here by the scope and the intended targets of the attacks:
Although China has more or less publicly denied these attacks, the respective authorities seem to say that the sources of the attacks were largely Chinese (some attacker IP addresses point that way, despite the fact that the majority of attacks were carried out by bouncing through intermediate machines), and official statements have even implicated the famous People's Liberation Army (PLA).
Interestingly, the attacks mainly took the form of trojans installed through so-called "client-side" vulnerabilities, that is, vulnerabilities in common office software. Such vulnerabilities are indeed quite numerous, and many of them are not yet public or patched by the vendor. In fact, recent years have seen the emergence and development of a market for semi-public auctions of vulnerabilities, many of them client-side. Semi-public means here that these (virtual) marketplaces and auctions have become relatively easy to find: some companies even make a living from them, to the dismay of security experts who favor public disclosure of vulnerabilities (full disclosure) so that the whole community benefits.
Returning to the case of China, the situation seems less clear than initially announced. Many analysts point to a certain "Manichaeism" in the official statements and suggest moderating the claims, noting that the governments presenting themselves as victims are potentially involved in attacks themselves and would thus have been handed a golden "virtual alibi". CERI also raises the question in an article entitled "Who is attacking whom?". Far from claiming that China is innocent, the argument developed there is rather that espionage originating from China has been known for several years, and that the real question is the sudden and unanimous position taken by Western countries on the same facts. Hence the argument raised by the article, and more or less supported by the official statements, that these events and public declarations serve larger political issues, and why not a positioning of Western countries.
The case of Estonia
The case of Estonia seems to be directly related to the geopolitical situation in the region. Just as the war in the former Yugoslavia was relayed into cyberspace and gave rise to major Serbian activism, the attacks that hit Estonia in May 2007 also appear to be an example of "cyber-war". Currently, the organization and planning behind this wave of attacks are still unknown, and the involvement of any political sponsor cannot be established (as is often the case); some wonder whether the attacks were not the work of isolated groups acting on their own in response to the events described below.
The chronology seems to start with the decision of the Estonian Prime Minister to demolish a monument to the glory of the Red Army from the end of WW2. The reasons given relate to questioning Russia's actual role in the liberation and reconstruction.
Following this act, many Russian blogs echoed calls for "revenge mail", for example by using donations to finance the purchase of botnets. Botnets are networks of machines controlled by hackers without the knowledge of their owners (the machines are also known as "zombies"). These networks, some of them relatively large, are capable of performing synchronized operations on the hacker's command, such as generating massive traffic focused on a small number of servers, making them inaccessible. These attacks are called distributed denial of service (DDoS).
In this case, the attacks began in early May and quickly ramped up, generating traffic 1,000 times above normal and overloading entire portions of the Estonian network. Some measurements showed attacks approaching 90 Mbps over a period of 10 hours, which gives an idea of the size of the botnets involved.
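The two characteristics described above, traffic far above a destination's normal level and that traffic coming from a large number of distinct sources, are exactly what a defender can look for in flow records. The following is an added example written for this article, not code from the original post or from any of the organizations it mentions. It works on constructed flow records (timestamp, source, destination, bytes); the threshold values (a 100x ratio, at least 50 distinct sources, 60-second windows) are assumptions chosen for the sample and would be tuned per network.

```python
"""Flag DDoS-like traffic spikes in flow records against a per-destination baseline.

Added example: detects windows in which a destination receives many times its
normal traffic from many distinct sources. The flow records below are constructed.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    ts: int      # second at which the flow was observed
    src: str     # source IP address
    dst: str     # destination IP address
    nbytes: int  # bytes carried by the flow


def bucket(flows, window):
    """Group flows into (window_start, dst) -> total bytes and set of source IPs."""
    buckets = defaultdict(lambda: {"bytes": 0, "srcs": set()})
    for f in flows:
        key = ((f.ts // window) * window, f.dst)
        buckets[key]["bytes"] += f.nbytes
        buckets[key]["srcs"].add(f.src)
    return buckets


def baseline(flows, window, end_ts):
    """Average bytes per window, per destination, over the quiet period before end_ts."""
    per_dst = defaultdict(list)
    for (_, dst), v in bucket([f for f in flows if f.ts < end_ts], window).items():
        per_dst[dst].append(v["bytes"])
    return {dst: sum(vals) / len(vals) for dst, vals in per_dst.items()}


def detect_spikes(flows, window=60, baseline_end=0, ratio=100, min_sources=50):
    """Return one alert per window in which a destination receives at least
    `ratio` times its baseline from at least `min_sources` distinct sources.
    A flood from a single source is deliberately not reported: it is a denial of
    service, but not a *distributed* one, and is handled differently."""
    base = baseline(flows, window, baseline_end)
    alerts = []
    for (start, dst), v in sorted(bucket(flows, window).items()):
        if start < baseline_end:
            continue  # learning period, never alert on it
        normal = base.get(dst)
        if not normal:
            continue  # no baseline for this destination
        factor = v["bytes"] / normal
        if factor >= ratio and len(v["srcs"]) >= min_sources:
            alerts.append({
                "window": start,
                "dst": dst,
                "factor": round(factor),
                "sources": len(v["srcs"]),
                "mbps": v["bytes"] * 8 / window / 1e6,
            })
    return alerts


# Constructed sample: ten quiet minutes, then one minute in which 200 sources
# flood 203.0.113.10, while 203.0.113.20 sees normal traffic and later a
# single-source burst that must NOT be reported as distributed.
SAMPLE_FLOWS = (
    [Flow(t, "198.51.100.7", "203.0.113.10", 60_000) for t in range(0, 600, 60)]
    + [Flow(t, "198.51.100.8", "203.0.113.20", 60_000) for t in range(0, 600, 60)]
    + [Flow(600 + i % 60, f"10.0.{i // 256}.{i % 256}", "203.0.113.10", 600_000)
       for i in range(200)]
    + [Flow(600, "198.51.100.8", "203.0.113.20", 60_000)]
    + [Flow(660, "192.0.2.99", "203.0.113.20", 10_000_000)]
)

if __name__ == "__main__":
    for alert in detect_spikes(SAMPLE_FLOWS, baseline_end=600):
        print(alert)
```

Running the sample reports a single window for 203.0.113.10 at roughly 2,000 times its baseline from 200 sources, and stays quiet for the one-source burst against 203.0.113.20. In practice the baseline would come from days of history rather than ten minutes, and the source count would be compared against the destination's usual fan-in rather than a fixed number.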
Nevertheless, these attacks apparently acted as an electroshock for many security officials and researchers of all kinds; the subject was also discussed at Black Hat and continues to generate much ink.
The case of Italy
The attack at issue here does not in fact concern only Italy, but the whole world. Brought back to Europe, however, the attack mainly targeted sites in Italy: some sources speak of 10,000 sites affected, 80% of them based in Italy. This attack is memorable because of its scale and the number of victims identified. Many websites were found to contain malicious code, or more precisely redirect code (an iframe) pointing to servers that exploit vulnerabilities. The vulnerabilities used, relatively recent ones, proved very effective: ANI, MS06-044, MS06-006, MS06-014, ActiveX bugs and various XML overflows. Once exploited, these weaknesses are used to take control of victims and to harvest personal information, bank account numbers or other identity data... It seems that more than 80,000 distinct IP addresses were controlled in this way.
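The injected redirect described above has a recognizable shape: an iframe that the visitor is not meant to see (zero size or hidden by style) whose source lies on a host other than the site itself. A site owner can scan their own pages for exactly that. The following is an added example written for this article, not code from the original post or from any vendor it cites; the sample page, the site name www.example.it and the hosts malicious.example and 203.0.113.5 are all constructed placeholders.

```python
"""Find hidden, off-site iframes of the kind injected into compromised web pages.

Added example: a site owner runs this over their own pages. The sample HTML and
all host names in it are constructed for illustration.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse


class IframeCollector(HTMLParser):
    """Collect the attributes of every <iframe> start tag in a page."""

    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        # HTMLParser already lowercases tag and attribute names
        if tag == "iframe":
            self.iframes.append({k: (v or "") for k, v in attrs})


def _is_tiny(value):
    """True for size attributes such as "0", "1" or "0px" that make a frame invisible."""
    m = re.match(r"\s*(\d+)", value or "")
    return m is not None and int(m.group(1)) <= 1


def _is_hidden(attrs):
    """A frame is considered hidden if it is 0/1 pixel wide or high, or hidden by CSS."""
    style = attrs.get("style", "").lower().replace(" ", "")
    return (_is_tiny(attrs.get("width")) or _is_tiny(attrs.get("height"))
            or "display:none" in style or "visibility:hidden" in style)


def suspicious_iframes(html, page_url):
    """Return the iframes that are both hidden and point to a host other than page_url's.

    A visible off-site frame (an embedded widget) and a hidden same-site frame
    are both left alone; only the combination is reported."""
    page_host = urlparse(page_url).hostname
    collector = IframeCollector()
    collector.feed(html)
    findings = []
    for a in collector.iframes:
        src = a.get("src", "")
        host = urlparse(src).hostname  # None for relative src values
        offsite = host is not None and host != page_host
        if offsite and _is_hidden(a):
            findings.append({"src": src, "host": host,
                             "width": a.get("width"), "height": a.get("height")})
    return findings


# Constructed sample page: one legitimate visible frame on the site itself,
# one hidden same-site frame, and two injected hidden off-site frames.
SAMPLE_HTML = """
<html><body>
<h1>News</h1>
<iframe src="http://www.example.it/widget" width="300" height="200"></iframe>
<iframe src="/tracker" width="0" height="0"></iframe>
<iframe src="http://malicious.example/in.cgi?3" width="0" height="0"></iframe>
<p>Welcome</p>
<IFRAME SRC="http://203.0.113.5/" STYLE="display: none"></IFRAME>
</body></html>
"""

if __name__ == "__main__":
    for finding in suspicious_iframes(SAMPLE_HTML, "http://www.example.it/index.html"):
        print(finding)
```

On the sample page only the two injected frames are reported. Matching on the frame's visibility rather than on a list of known bad hosts is what makes this useful against a toolkit whose exploit servers change address: the check does not need to know where the redirect goes, only that it is hidden and leaves the site.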
The most interesting part of the story is that these vulnerabilities are all tested, and where possible exploited, by a single piece of malware, or toolkit, called MPack (hence the name given to these events, "Italian Job" / MPack). To be clear, malware is a software tool for carrying out all kinds of attacks; some tools are dedicated to very specific flaws, others are more generic, but all are designed to attack the target's data. Nothing to do, then, with the tools used to verify, audit and improve system security.
Malware can take many forms, from simple viruses to trojans that can integrate the machine into a botnet, via remote control tools (variants of trojans, formerly Sub7 and BO, more recently RATs or other webshells). This case therefore concerns a subset of existing malware, also called "crimeware".
MPack is not an isolated case: several toolkits are available on the black market, such as IcePack or TraficPro. In addition, prices range from $20 to several hundred dollars, which makes them very accessible. Worse, some tools even come with real customer service! SecurityFocus has published a very interesting interview with an MPack developer.
Whichever way one looks at the events above, certain elements stand out and appear relatively recurrent. This is the case with the RBN, quoted for example in this article.
The RBN, or "Russian Business Network", is implicated in many analyses as a major source of illicit traffic or various attacks. The previous article mentioned it: "(...) is closely tied to the Russian Business Network (RBN), through which many Internet-based attacks take place today. The RBN has become a virtual safe house for attacks out of Saint Petersburg, Russia, responsible for phishing, reporting products / services, child pornography, and other illicit operations (...)"
The same source (iDefense) is quoted in another article: "An organized crime network is distributing malware that takes advantage of rootkits and state-of-the-art HTML injection to phish consumers as they browse the web, according to a new report from VeriSign's iDefense Labs. The malware code operates from an IP address registered to the Russian Business Network (RBN). As a result, iDefense advised monitoring network traffic to the remote RBN server at the IP address 220.127.116.11 to look for suspicious activity related to the attack. This is not the first time RBN has struck innocent users. The address and the group were responsible for the Corpse Spyware Nuclear Grabber / Haxdoor attacks conducted in January 2007." - SC Magazine, March 3, 2007
Once the RBN has been identified, references to it seem to multiply, and events and information are quick to pile up. Take for example this article by a system administrator who witnessed a gang war between two Russian digital groups, MPack against Storm: zombies being recovered by the MPack toolkit from machines infected by Storm. An unverifiable story, but such a romantic one... Events are also listed, in French, at this address. Let us hope that the series has only just begun, with new adventures ahead.
This list of events only covers the most "popular" ones and does not claim to be exhaustive or fully representative of the current world situation. Indeed, it should not overshadow the smaller and less recent conflicts that nevertheless reflect the existence of smaller or less motivated groups: the Middle East, Turkish hacker attacks against Sweden... On the other hand, it is clear that (almost) all countries have recently launched a digital arms race, logically following the trend. Note for example the creation of specialized units (Korea, Iran, Russia, etc.), not to mention the greater efforts of the West, particularly the United States, which has set up secondary networks to secure and combine its actions (JWICS, SIPRNET, NIPRNet...).
Conclusion: The obvious conclusion of this article is the democratization of attack tools, now accessible to everyone, and the expansion of a cybercrime that knows how to protect itself while employing ever-increasing means. This may sound alarmist, but it is ultimately nothing more than a logical evolution of the digital ecosystem, like its natural counterpart. In both cases, in fact, the motives and objectives remain entirely human, so we cannot expect different results.