Cybercriminals and the markets they operate in changed in 2012, with both the tactics used to control attack campaigns and the marketing and sales strategies of the people selling attack tools growing more sophisticated.
In an interview with SecurityWeek, Trend Micro Senior Threat Researcher Loucif Kharouni said that since the ZeuS and SpyEye authors left the scene, researchers have noticed a growing business in which intermediaries install specific ZeuS versions for other cybercriminals for a fee.
"You never get the toolkit by itself; they would provide you the binary to spread, too," he said. "Same thing for SpyEye: the latest version, 1.3.48, is one year old now, and, similar to ZeuS, you would find some guys doing the installation for you and providing you the binary. Same thing with Citadel; this is what we call SaaS (software as a service). Toolkit creators and exploit pack creators are now more reluctant to give away their creations."
The notorious Blackhole kit has also moved towards a SaaS model to avoid any leaks of its code, he said.
"Compared to a toolkit, an exploit pack is just composed of a PHP file and could easily be manipulated if not protected," he told SecurityWeek. "Compared to any other exploit pack, Blackhole is well coded, stable and reliable, with a good infection rate due to the latest exploits used and provided in the pack. The creator does not provide the pack itself and instead installs it for you, and will protect the PHP files using the well-known ionCube software, which is used to encode PHP files."
This also benefits the customer, who is not paying for a product that will later be leaked and made available to everyone for free, he said.
Cybercriminals are also paying more attention to securing their tools and the servers they use, he noted. For example, attackers in Latin America have stopped using hijacked servers to host command-and-control (C&C) infrastructure, spam tools or malware. Instead, they have begun using their own servers in data centers around the world, and they stay out of Google search results by not registering any hostname and addressing the servers by IP address only, he blogged.
The time when researchers could simply find an open server is essentially over, and more and more cybercriminals are providing secure web hosting to other criminals, he wrote.
"Recent take downs and hacks have taught everybody in the underground a lesson," the researcher blogged. "They now have to be more secure and cautious, protecting their servers against researchers and other criminals. Usually, researchers look for open folders and servers. This is basically looking for accessible folders and/or configuration files and also login shells to gain access to the server and start investigating it."
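The check the researcher describes, "looking for accessible folders and/or configuration files", can be automated against a host's HTTP responses. The following is an added example written for this page, not code from the researcher or from Trend Micro: it classifies each probed path as an auto-generated directory listing, a PHP configuration file served as plain text, or nothing of interest. The probe paths, the regular-expression markers and the sample responses are all assumptions constructed for the example; a real scan would replace `fake_fetch` with an HTTP client and must only be run against infrastructure you are authorized to examine.

```python
import re
from typing import NamedTuple

# Paths that, when served, usually mean an operator left a panel exposed.
# Illustrative list (assumed), not taken from the article.
PROBE_PATHS = [
    "/",                # bare root: directory listing if no index page exists
    "/config.php",      # panel / exploit-pack configuration (executed, leaks nothing)
    "/config.php.bak",  # editor or backup copies are served as text, leaking source
    "/install/",        # leftover installer directories
    "/.git/config",     # repository metadata
]

# Markers of auto-generated directory listings (Apache, nginx, lighttpd).
LISTING_MARKERS = (
    re.compile(r"<title>Index of /", re.I),   # Apache / lighttpd title
    re.compile(r"<h1>Index of /", re.I),      # nginx autoindex heading
    re.compile(r'href="\.\./"', re.I),        # parent-directory link
)

# PHP source served as text rather than executed, containing credentials.
CONFIG_MARKERS = (
    re.compile(r"<\?php"),
    re.compile(r"\$(?:db_?(?:user|pass|host)|mysql_\w+)\s*=", re.I),
)


class Finding(NamedTuple):
    path: str
    kind: str    # "open-directory", "exposed-config" or "none"
    detail: str


def classify(path: str, status: int, content_type: str, body: str) -> Finding:
    """Decide what a single response reveals about the server."""
    if status != 200:
        return Finding(path, "none", f"HTTP {status}")
    if "text/html" in content_type and any(m.search(body) for m in LISTING_MARKERS):
        return Finding(path, "open-directory", "auto-generated index page")
    if all(m.search(body) for m in CONFIG_MARKERS):
        return Finding(path, "exposed-config", "PHP source with credentials served as text")
    return Finding(path, "none", "ordinary response")


def scan(fetch, paths=PROBE_PATHS):
    """Run every probe through fetch(path) -> (status, content_type, body)
    and return only the hits. fetch is injected so the example runs offline."""
    findings = []
    for p in paths:
        status, ctype, body = fetch(p)
        f = classify(p, status, ctype, body)
        if f.kind != "none":
            findings.append(f)
    return findings


# Constructed sample responses standing in for a real server.
SAMPLE_RESPONSES = {
    "/": (200, "text/html",
          '<html><head><title>Index of /</title></head><body><h1>Index of /</h1>'
          '<a href="../">Parent Directory</a> <a href="admin/">admin/</a></body></html>'),
    "/config.php": (200, "text/html", "<html><body>ok</body></html>"),
    "/config.php.bak": (200, "text/plain",
                        "<?php\n$db_user = 'root';\n$db_pass = 's3cret';\n$db_host = 'localhost';\n"),
    "/install/": (403, "text/html", "Forbidden"),
    "/.git/config": (404, "text/html", "Not Found"),
}


def fake_fetch(path):
    """Offline stand-in for an HTTP GET against the constructed server."""
    return SAMPLE_RESPONSES.get(path, (404, "text/html", "Not Found"))


if __name__ == "__main__":
    for f in scan(fake_fetch):
        print(f"{f.kind:15} {f.path:18} {f.detail}")
```

The `/config.php` probe deliberately returns nothing: a correctly executed PHP file leaks no source, which is why the backup-suffix variant is the one worth checking. The listing markers are tied to `text/html` responses so that a PHP file that happens to contain the string "Index of" is not misreported.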
To deal with today's underground, researchers need to develop partnerships with Internet Service Providers (ISPs) for takedown operations and look for new ways to find information, he blogged.
"Security researchers need to adapt and adjust to these new methods and try to find new solutions to track attackers and follow the evolution of their business and operation," he noted. "Scanning servers and hoping to find open servers isn’t enough anymore. Neither is monitoring forums – these are now used mainly to chat and advertise, but private messages are no longer being used to carry out business. Instead, they are used to exchange instant messaging accounts where the actual transaction is done."