In the trenches: what it takes to fight a global war against cyber criminals

By Vito Pilieci
The Ottawa Citizen

The cramped 20-by-20 room is the domain of Donal Keating, the senior manager of Cyberforensics at Microsoft Digital Crimes Unit. Here, he and a team of six monitor the goings-on of the vast majority of the computing world — a tough, unending job that pits them against some of the biggest criminals on the planet.

Supercomputers hooked up to touch-screen displays constantly analyze data from billions of PCs that use Microsoft software and are programmed to report diagnostics back to the computer giant’s corporate headquarters.

About 700 million computing “events” are logged every day, including possible infections, encounters with malicious code and other issues experienced by computers around the world.

The information is displayed on a giant animated map, and colour-coded columns tell Keating and his team in real time which systems are infected with what, and where, and whether information is being shared with a hacker.

On one sunny day in early June, Ottawa had more than 4,200 computers infected with a botnet called ZeroAccess. Another 2,244 were infected with Citadel, software that steals bank account information. The computer worm Conficker was working its way into 841 computers in the city, while 213 were running ransomware called Gameover Zeus, software that allows a hacker to basically blackmail a computer user by locking the user out of their machine unless they pay a fee.

In a city of a million people, the low number of infected systems was impressive, especially compared with more populous areas in Asia, which were reporting millions upon millions of infected systems that day. Canada in general fares pretty well: Fewer than 14 per cent of computers in the country reported the need to block the installation of malicious software during the last three months of 2013, while in places such as India and Vietnam as many as 50 per cent of computers do.
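The per-city, per-family view the article describes above is, underneath, a group-by over endpoint telemetry. The following is an added example (not code from the article or from Microsoft) that turns a handful of constructed telemetry events into that view: it counts each host once per family no matter how many reports it sends, keeps "blocked an install" separate from "infected" (the distinction the 14 per cent figure relies on), and flags how many infected hosts were seen beaconing to a command-and-control server. The event names and the `TelemetryEvent` shape are assumptions made for the example.

```python
"""Added example: aggregate constructed endpoint telemetry into a
per-city, per-malware-family dashboard view. Not real telemetry and not
the schema used by any vendor; field names are assumptions."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class TelemetryEvent:
    host_id: str   # pseudonymous machine identifier
    city: str
    family: str    # malware family name as reported by the endpoint
    event: str     # one of: "detected", "blocked", "c2_beacon" (assumed vocabulary)


# Constructed sample events (hypothetical data, not real telemetry).
SAMPLE_EVENTS = [
    TelemetryEvent("h1", "Ottawa", "ZeroAccess", "detected"),
    TelemetryEvent("h1", "Ottawa", "ZeroAccess", "c2_beacon"),
    TelemetryEvent("h2", "Ottawa", "ZeroAccess", "detected"),
    TelemetryEvent("h3", "Ottawa", "Citadel", "detected"),
    TelemetryEvent("h3", "Ottawa", "Citadel", "c2_beacon"),
    TelemetryEvent("h4", "Ottawa", "Conficker", "blocked"),
    TelemetryEvent("h5", "Toronto", "Citadel", "detected"),
    TelemetryEvent("h5", "Toronto", "Citadel", "detected"),  # duplicate report from one host
]


def summarize(events):
    """Return {city: {family: {"hosts": n, "c2_hosts": m, "blocked": b}}}.

    A host is counted once per (city, family) however many reports it sends.
    A "blocked" event means the install was stopped, so it is NOT an infection
    and is tallied separately.
    """
    hosts = defaultdict(set)
    c2 = defaultdict(set)
    blocked = defaultdict(set)
    for e in events:
        key = (e.city, e.family)
        if e.event == "blocked":
            blocked[key].add(e.host_id)
            continue
        hosts[key].add(e.host_id)
        if e.event == "c2_beacon":
            c2[key].add(e.host_id)  # data is being shared with an attacker-controlled server
    out = defaultdict(dict)
    for key in set(hosts) | set(blocked):
        city, family = key
        out[city][family] = {
            "hosts": len(hosts[key]),
            "c2_hosts": len(c2[key]),
            "blocked": len(blocked[key]),
        }
    return dict(out)


def rank_families(summary, city):
    """Families in a city ordered by infected hosts, then by C2 activity."""
    rows = summary.get(city, {})
    return sorted(rows, key=lambda f: (rows[f]["hosts"], rows[f]["c2_hosts"]), reverse=True)


if __name__ == "__main__":
    s = summarize(SAMPLE_EVENTS)
    for city in sorted(s):
        for fam in rank_families(s, city):
            r = s[city][fam]
            print(f"{city:8} {fam:12} infected={r['hosts']} beaconing={r['c2_hosts']} blocked={r['blocked']}")
```

The ranking puts families with active beaconing ahead of those merely detected at equal host counts, which is the ordering an analyst wants when deciding what to chase first.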

That’s because infecting computers with viruses and worms has become big business for those with the talent to write malicious code: It’s estimated that cybercrime costs consumers and businesses more than $445 billion US a year.

With money like that at stake, more and more criminals want a piece of the action. Groups that once derived their income mostly from drug running, such as La Familia in Mexico, the Triad in China and other organizations such as PCFritz in Germany, have been branching out.

And they’ve grown dissatisfied with simply trying to infect computers to steal banking or other personal information. They want more.

Many have taken to counterfeiting Microsoft’s software, a brilliant bit of criminal innovation since they get you “coming and going.” They make money selling the counterfeit product to unsuspecting people or those looking for a deal on an operating system or office software. But they’ve also been caught loading malware onto the software before it ships, ensuring a computer with that software installed becomes infected with a virus that allows them to later extort money from the user.

“This isn’t about going after the college student that’s trying to save a few bucks. I don’t care about one or two copies of anything. I care about millions. We are talking about global cybercrime. Criminals will follow the money,” says Bryan Hurd, director of the digital crimes unit and Keating’s boss.

“These are not kids in mom’s basement. These are evil people.”

The scale of the counterfeiting operations is massive. During one recent raid with police, Keating and his team stopped a shipment of 1.5 million copies of counterfeit Microsoft products that was being sent from a printing plant in Italy to Germany. By comparison, a typical shipment of real Microsoft products heading to a legitimate partner rarely exceeds 40,000 units. Another raid on a counterfeiting operation in China revealed a production facility that had the ability to produce more Microsoft product than the company’s entire legitimate production pipeline.

The product looks good, too. In a side-by-side comparison, there is no telling the real version from the counterfeit one. Even Keating and his team have a hard time and have resorted to analyzing the “shoeprint” on the actual disc itself, a tactic that is quickly becoming obsolete as digital downloads of Microsoft software take over.

Every disc printer has a unique printing pattern that leaves nearly untraceable nicks, marks and scratches on each disc it produces. These markings make up the shoeprint of the disc. Microsoft now records the shoeprints of discs made on legitimate production lines so it can compare those prints with ones coming from unsanctioned suppliers.

In one corner of the Redmond bunker is a locked cage filled with manila envelopes, boxes of counterfeit Microsoft software that look like they were pulled straight from the shelves of a big-box retailer, and a handful of extra computer components. Oversized white letters glued across the glass door read “Evidence Locker.”

“That’s got to be one of the smallest evidence lockers in the world,” says Keating, rubbing his eyes as he explains how they only keep a select amount of evidence on the premises while the rest is sent to facilities for storage until it’s needed by law enforcement officials.

“We’ve actually filled two warehouses with stuff.”

While the bunker is the nerve centre for the Digital Crimes Unit’s activities, Keating works with a team of about 100 who perform similar, although more localized, analytic work all over the globe.

It’s all part of the company’s bid to better serve its customers. Long chided for releasing virus-prone and glitch-filled software, the firm is trying to shut down the attackers and their ever-increasing technical prowess.

But it goes way beyond individual consumer experience and the inconvenience of crashing your personal computer at home. Banking and payments systems, electrical grids, water treatment plants, nuclear facilities and millions of other devices are connected to the Internet. One large-scale attack could cripple it all.

Because 88 per cent of the world’s computers run some sort of Microsoft software, Keating and his team can keep an eye on cyber criminals in a way that few, if any, other organizations can match.

Their efforts have been so successful, in fact, that Microsoft is no longer the main target for hackers, who have moved onto easier and more lucrative prey.

According to Microsoft, by 2025 there will be more than 4.7 billion Internet users around the globe. Around 75 per cent of those users will come from emerging nations such as China and India and most will be on mobile devices. With consumers doing everything from banking, personal video calling, running ebusiness applications and even transporting sensitive emails and data files on these devices, they are a potential gold mine.

Google Inc.’s Android operating system is already under constant attack. Even Apple Inc.’s products are no longer impervious. In June, a hacker managed to load a virus on the iPads of hundreds of people in Australia, locking the devices down until they paid a ransom to remove the bug.

Of all the smartphones sold globally in 2013, 70.1 per cent were running Google Inc.’s Android. An additional 21 per cent were running Apple Inc.’s iOS. When it comes to tablet computers, 53.8 per cent of the thin computing devices were running Apple’s iOS last year, while 42.7 per cent were running Android. The proliferation of Android and iOS has made them prime targets for today’s hackers.

Another attractive target for hackers is the “cloud” — large anonymous computer server warehouses — because it allows them to focus their efforts on a single highly prized target. Businesses are basically building digital versions of Fort Knox in the cloud, each holding untold riches and attracting the attention of hackers the world over.

“If somebody gets a virus or whatever, it’s only stuff on their computer that gets lost. But, once you start putting stuff into the cloud, it’s high concentration. If you are able to get the keys to the kingdom you get everything,” says Brad Haines, a security researcher for InfoSec Institute who goes by the name “RenderMan” online.

“It’s one of those, all-your-eggs-in-one-basket kind of thing.”

With more valuable information, payment systems and other data being stored in massive cloud computing centres, the security industry needs to raise its game.

“The best hackers in the world aren’t even hackers, they are programmers. They make the code and then sell it in underworld markets,” says Tom Kellerman, vice-president of cyber-security at Trend Micro and former commissioner of U.S. President Barack Obama’s cybersecurity council. “The worst malware out there isn’t designed to infect thousands of computers across the globe, it targets one or two systems without being detected.”

According to anti-virus firm Symantec, which is a division of computer processing giant Intel Corp., hundreds of thousands of unique viruses, worms and other malicious programs are released every week. Most of these will be isolated and shut down within eight hours or so of their release. A handful will go on to become larger problems. The ones that do go on to commit acts of corporate espionage, cyber espionage against nation states or, like Citadel, to wreak major havoc while remaining undetected.

Driving the development of these bugs is the relatively light legal punishments levied on hackers.

Drug convictions carry far stiffer penalties than those dished out for cybercrime in many countries, especially those in Eastern Europe. Allegations of state-sponsored attacks from that region against Western nations further muddy the waters.

Also compounding the issue is the creation of cyber currencies such as Bitcoin, Litecoin and Dogecoin, which are being used to launder the proceeds of cybercrime and move money around the world in ways that are untraceable by law enforcement.

“These currencies weren’t developed for cybercrime purposes, but they are being used for that purpose,” says Kellerman.

“We need to follow the money. … We need positive public policy changes regarding digital currencies and anonymous payment systems that are being used to fund cybercrime.”

Tired of always being reactionary, computer makers, software firms and even lawmakers are beginning to plan their own attack against the cyber criminals.

Microsoft has proposed a “co-ordinated malware eradication” project that would see several organizations team up to tackle hackers and virus makers, a tactic that hasn’t been tried before. The group won’t launch an all-out offensive against hackers because the collateral damage – the disruption of financial markets, payment systems and other critical infrastructure – would be substantial. Instead, the group needs to use surgical precision to fight modern threats.

Microsoft envisions the project using antivirus specialists to shut down or seize control of computers, servers and other hardware being used by hackers. Anti-virus makers would then identify and block the offending software. Internet service providers would be notified of the IP addresses, the computer’s version of a street address, of infected machines so owners can be notified. Machines being used to propagate the malicious code could also be isolated from the Internet. Servers themselves could be blocked. Large-scale cloud computing platforms would isolate infected machines and block the traffic from coming across their networks, and banks and other financial institutions would shut off payments to accounts associated with malware, removing financial incentives. Finally, global law enforcement would be called in to raid suspected property and make arrests.
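One of the steps above, notifying Internet service providers of the IP addresses of infected machines, is in practice a longest-prefix match: each sighting is attributed to whichever provider announces the most specific prefix containing that address, and sightings are then batched per provider. The following is an added example (not code from the article, Microsoft or any of the organizations named) of that step over constructed data. The prefix table, the abuse contacts and the addresses are all made up, drawn from the documentation ranges reserved for examples, so nothing here maps to a real provider.

```python
"""Added example: attribute infected-host sightings to the ISP announcing
the most specific covering prefix, and batch them per abuse contact.
All prefixes, contacts and addresses are constructed (RFC 5737 example
ranges), not real allocations."""
import ipaddress
from collections import defaultdict

# Constructed table of (announced prefix, abuse contact). Hypothetical.
PREFIX_TABLE = [
    ("192.0.2.0/24", "abuse@isp-a.example"),
    ("192.0.2.128/25", "abuse@isp-b.example"),   # more specific than isp-a's /24
    ("198.51.100.0/24", "abuse@isp-c.example"),
]

# Constructed sightings of (infected host address, malware family).
SIGHTINGS = [
    ("192.0.2.10", "ZeroAccess"),
    ("192.0.2.10", "Citadel"),      # same host, second family
    ("192.0.2.200", "Citadel"),     # falls in isp-b's /25, not isp-a's /24
    ("198.51.100.7", "Conficker"),
    ("203.0.113.5", "ZeroAccess"),  # not covered by any prefix in the table
]


def build_table(rows):
    """Parse prefixes and sort longest-prefix-first so the first hit is the most specific."""
    table = [(ipaddress.ip_network(p), contact) for p, contact in rows]
    table.sort(key=lambda t: t[0].prefixlen, reverse=True)
    return table


def lookup_isp(table, addr):
    """Return the abuse contact for the most specific prefix covering addr, or None."""
    ip = ipaddress.ip_address(addr)
    for net, contact in table:
        if ip.version == net.version and ip in net:
            return contact
    return None  # unattributed; needs manual handling rather than a guessed notification


def batch_notifications(table, sightings):
    """Group sightings as {contact: {ip: [families]}}; unattributed addresses go under None."""
    batches = defaultdict(lambda: defaultdict(set))
    for ip, family in sightings:
        batches[lookup_isp(table, ip)][ip].add(family)
    return {c: {ip: sorted(f) for ip, f in m.items()} for c, m in batches.items()}


if __name__ == "__main__":
    for contact, hosts in batch_notifications(build_table(PREFIX_TABLE), SIGHTINGS).items():
        print(contact or "<unattributed>")
        for ip, families in hosts.items():
            print(f"  {ip}: {', '.join(families)}")
```

Sorting the table longest-prefix-first is what makes the /25 win over the enclosing /24; without it the first row that happens to match would be chosen and the wrong provider notified. Addresses that no prefix covers are deliberately kept aside instead of being attributed to a nearest neighbour.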

“The ultimate aim is to create that deterrent by getting these people arrested, named or banned, to the point where everybody considering joining the underground economy takes a look and realizes the risks are not just theoretical, but very real and they will get arrested and prosecuted,” says Vikram Thakur, senior principal software engineer at Symantec Corp. and one of the lead researchers who helped to bring down the botnet GameOver Zeus.

“Shaming one of these guys isn’t going to stop them, but it’s a step in the right direction. If we are able to forge this public/private relationship and go after a set of people, tomorrow we can expand that list and go after others. In the meantime, we will continue doing what we do. Disrupt the networks, or bring the problems to the attention of the authorities.”

Key to the initiative will be people like Microsoft’s Keating and his staff collaborating with others from around the world.

From inside the bunker the team will be among the first to identify areas of concern and communicate those red flags to others taking part in the project, while keeping an eye on counterfeiters and the impact they are having on Microsoft’s user base. For Keating and his team, one thing is for sure. The criminals are getting smarter and they need to find new ways to catch them.

“Our world has changed,” he says. “The criminals are getting more and more sophisticated.”


Microsoft invited the Citizen to tour its security operation, and covered all expenses for this trip. Microsoft did not direct or approve this content.

By the numbers

42 per cent
Number of Canadians that reported falling victim to cyber crime in 2013.

114.6 per cent
Increase in cyber crime damages to Canadians between 2012 and 2013. Last year, Canadians are estimated to have lost $3.09 billion due to cyber crime; in 2012 the estimated losses were $1.44 billion.

$445 billion US
The cost of cyber crime globally in 2013.

552 million
Number of identities stolen by hackers in 2013.

40 million
Number of Americans who had their identities stolen by hackers in 2013.

4.7 billion
Number of Internet users that will be online within the next 10 years thanks to skyrocketing interest in mobile and other connected devices.

Percentage of Canadian companies that have had their networks infiltrated by hackers over the past 12 months.

Percentage of “Flappy Bird” apps for Android devices that contained viruses allowing hackers to be able to make phone calls, install additional apps, extract contact lists, track location data, and obtain uninhibited control over anything on the device, including the recording, sending, and receiving of SMS messages.
