Whenever you read a news headline about the arrest or conviction of a cybercriminal, you can guarantee that the bulk of the investigative work was done by the work of anti-malware researchers scattered around the globe.
Whether it’s the takedown of a spam botnet, the outing of the Koobface gang or the arrest of cybercriminals behind the Zeus banker Trojan, law enforcement agencies around the world rely heavily on the skills of the security research community — especially at anti-malware companies — to conduct forensic investigations and produce reliable data that may eventually lead to the conviction of a cybercriminal.
Jeff Williams knows a thing or two about the hard work that goes into identifying malicious attacks and conducting research to handle remediation ahead of a criminal investigation. Having previously served as a principal group program manager for the Microsoft Malware Protection Center (MMPC) before moving to Dell SecureWorks, Williams was part of several major botnet takedowns, including the virulent Waledac, Zeus and Kelihos cybercriminal operations.
In an interview, Williams explained that there are different types of investigations that almost always starts in an anti-malware lab somewhere in the world. “Sometimes it’s a criminal investigation led by law enforcement agencies where they lead the way. Sometimes, it comes from a security perspective when we start investigating a new piece of malware. Even when it’s a criminal investigation, law enforcement will come to us to get a deeper understanding of the malware. At Microsoft, our priority was to protect customers, so we had to do the work to understand the scale of the problem, the impact to Windows users and the things we can do to provide protection,” Williams explained.
This work is multi-faceted. “The guys in the lab do the grunt work. They identify that the malware exists, then it’s a big task to collect the samples and do the reverse-engineering,” Williams said. This forensics work includes reverse engineering complex encryption algorithms, breaking apart the communication protocol that a malware file might be using to communicate with the attackers. “We want to know how the binaries are controlled by the attackers’ command-and-control infrastructure, where are the nodes, what are the commands that can be issued. This is all work that’s done in an anti-malware lab. It’s very important work.”
Once the lab has a full understanding of the internals of the malware, technical counter-measures are implemented — either via a virus definition update or the improvement of defensive technologies — before law enforcement is approached to pursue legal action. “Sometimes, you have to go to a court of law to get the rights to take control of a botnet so you have to include law enforcement and work very closely with them to make it a successful operation,” Williams explained.
Costin Raiu, who manages Kaspersky Lab’s Global Research and Analysis Team, agrees that cybercrime investigations can be “complex.” Raiu’s team has worked closely with Microsoft, CrowdStrike, OpenDNS and others in the security industry to manage the takedown of botnet operations and he describes the work as “multi-faceted” and labor intensive.
“I’d say the expertise of the researchers is sometimes critical and can make the difference between a convicted criminal and one that escapes,” Raiu said.
In addition to reverse-engineering and sharing data with law enforcement, security research teams are usually working closely with global Computer Emergency Response Teams (CERTs) to commandeer or take down hacked servers or sinkhole a server to gather evidence and data that can be used later in a legal case.
“Cybercrime is an incredible complex domain with multiple facets. This is why anti-malware researchers are often required to offer their help as experts during trials which include high tech crime,” Raiu explained.
Cybersecurity expertise in a malware lab will often include open-source intelligence, or OSINT (https://en.wikipedia.org/wiki/Open-source_intelligence). This part of an investigation is exhaustive and often requires trawling the Web with a fine-tooth comb to find any clues that may link an attacker to a malware operation.
“In the course of an investigation, many indicators that can lead to the identity of a cybercriminal. Some parts of the code sample may include a nickname or a certain style of coding. That information can be used as a starting point to track down a bad guy,” Dell SecureWorks’ Williams explained.
Researchers will use a nickname or a clue from a piece of code or an e-mail address from a registered domain name to comb through web-based communities like Facebook, Twitter, YouTube, wikis, blogs or any user-generated content site where a bad guy may have used that nickname or email address.
In the infamous Koobface example, Facebook’s security team conducted open-source intelligence in collaboration with the security research community and went public with the names, photographs and identities of the people they believed was responsible for the attack that spread through its network. This information was given to the media as part of a “name-and-shame” operation.
“The bulk of the work is done on the technical side to protect customers but that information gets shared with law enforcement to effect arrests. When it comes to final arrests and court cases against cybercriminals, you can bet the bulk of the work is done in a research lab,” Williams added.
“Attribution and arrests may not necessarily be part of the initial operations. But when a malware lab is doing disruption and protection of the ecosystem, the results of that work may be passed on to law enforcement to handle arrests and legal action,” Williams added.
Williams reiterated that the work of the research community has to be of a very high quality because the information will eventually have to be presented to a court in a credible manner.
Cybersecurity researchers often bristle at the slow pace of legal investigations into some of the more virulent attacks, especially the banker Trojans and botnets that conduct financial fraud. This snail’s pace prompted Facebook to go public with the Koobface investigation details before any law enforcement operation but Williams pointed out that things are getting better.
“There definitely needs to be better harmonization of laws across borders. Criminals do have an awareness of where laws are lighter and the things they can do to stay under the radar and avoid arrests. However, I think law enforcement is getting a better understanding about how to push these cases. We’ve seen successful criminal cases where existing laws that had nothing to do with cyber crime were used,” he added, citing the Zotob case where cybercriminals were prosecuted via money laundering, tax evastion and financial fraud laws.
“It is the natural evolution of defense to work towards disruption, takedown and attribution of the parties responsible for cybercrime. Without [botnet] takedowns, money is generated by criminals and that money gets reinvested in future attacks. Without disruption, it’s an uneven playing field. I think we are finally getting to the point where defenders have sufficient collaboration, relationship, technologies and law enforcement cooperation to turn the tables,” Williams added.