Criminal Infrastructure Lets Malware Thrive

The lurking Trojan and the password-hungry keylogger are only the tip of the iceberg.

As in today's globalized legit economy, malware's ability to spread and make money for its dastardly creators rests upon a wide array of underhanded support services. At the RSA conference in San Francisco Wednesday, researchers who have dug deep into the criminal online infrastructure described some of those services.

Lawrence Baldwin of described an "Xsox" botnet of malware-infected PCs that provides an anonymization network for criminals who want to hide their tracks - or make it look as if a bank login is coming from Alabama, say, instead of somewhere like the Ukraine.

The simple GUI that Baldwin displayed allows a bad guy to see all the currently available Xsox-infected computers, with their IP address, country, uptime and other information readily displayed. Simply clicking on one establishes an encrypted connection and use of that PC as an "exit node," Baldwin said, so that any connection to a bank site or anywhere else appears to come from that exit node instead of the crook's computer.

This service-providing botnet has been around for about 3 years, Baldwin said. He estimates it's used to withdraw between US$2 and $5 million from banks per day, and says that the ISP that hosts the botnet has never received a complaint in 3 years.

Another black-market offering provides malware-installation services for those would-be crooks who lack the skills or the inclination to infect computers themselves. One example service charges $130 for 1000 malware installations in the US, $60 for the same number of infections in Italy, and only $5 for anywhere in Asia.