{"id":1411,"date":"2013-03-14T16:58:54","date_gmt":"2013-03-14T20:58:54","guid":{"rendered":"https:\/\/www.kaspersky.com\/blog\/?p=1411"},"modified":"2019-11-15T07:27:41","modified_gmt":"2019-11-15T12:27:41","slug":"inside-cybercrime-investigations","status":"publish","type":"post","link":"https:\/\/www.kaspersky.com\/blog\/inside-cybercrime-investigations\/1411\/","title":{"rendered":"Inside The Belly of a Cybercrime Investigation"},"content":{"rendered":"<p>Whenever you read a news headline about the arrest or <a href=\"https:\/\/threatpost.com\/en_us\/blogs\/ten-major-cybercrime-busts-031213\" target=\"_blank\" rel=\"noopener nofollow\">conviction of a cybercriminal<\/a>, you can guarantee that the bulk of the investigative work was done by anti-malware researchers scattered around the globe.<\/p>\n<p>Whether it\u2019s the takedown of a spam botnet, the outing of the Koobface gang or the arrest of cybercriminals behind the Zeus banker Trojan, law enforcement agencies around the world rely heavily on the skills of the security research community \u2014 especially at anti-malware companies \u2014 to conduct forensic investigations and produce reliable data that may eventually lead to the conviction of a cybercriminal.<\/p>\n<p>Jeff Williams knows a thing or two about the hard work that goes into identifying malicious attacks and conducting research to handle remediation ahead of a criminal investigation.\u00a0 Having previously served as a principal group program manager for the Microsoft Malware Protection Center (MMPC) before moving to Dell SecureWorks, Williams was part of several major botnet takedowns, including the virulent Waledac, Zeus and Kelihos cybercriminal operations.<\/p>\n<p>In an interview, Williams explained that there are different types of investigations, and that they almost always start in an anti-malware lab somewhere in the world.\u00a0 \u201cSometimes it\u2019s a criminal investigation led by law enforcement agencies where they lead the 
way.\u00a0 Sometimes, it comes from a security perspective when we start investigating a new piece of malware.\u00a0\u00a0 Even when it\u2019s a criminal investigation, law enforcement will come to us to get a deeper understanding of the malware.\u00a0 At Microsoft, our priority was to protect customers, so we had to do the work to understand the scale of the problem, the impact to Windows users and the things we can do to provide protection,\u201d Williams explained.<\/p>\n<p>This work is multi-faceted. \u201cThe guys in the lab do the grunt work.\u00a0 They identify that the malware exists, then it\u2019s a big task to collect the samples and do the reverse-engineering,\u201d Williams said.\u00a0 This forensics work includes reverse engineering complex encryption algorithms and breaking apart the communication protocol that a malware file might be using to communicate with the attackers.\u00a0 \u201cWe want to know how the binaries are controlled by the attackers\u2019 command-and-control infrastructure, where are the nodes, what are the commands that can be issued.\u00a0 This is all work that\u2019s done in an anti-malware lab.\u00a0 It\u2019s very important work.\u201d<\/p>\n<p>Once the lab has a full understanding of the internals of the malware, technical counter-measures are implemented \u2014 either via a virus definition update or the improvement of defensive technologies \u2014 before law enforcement is approached to pursue legal action.\u00a0 \u201cSometimes, you have to go to a court of law to get the rights to take control of a botnet so you have to include law enforcement and work very closely with them to make it a successful operation,\u201d Williams explained.<\/p>\n<p>Costin Raiu, who manages Kaspersky Lab\u2019s Global Research and Analysis Team, agrees that cybercrime investigations can be \u201ccomplex.\u201d\u00a0\u00a0 Raiu\u2019s team has worked closely with Microsoft, CrowdStrike, OpenDNS and others in the security industry to manage the 
takedown of botnet operations, and he describes the work as \u201cmulti-faceted\u201d and labor-intensive.<\/p>\n<p>\u201cI\u2019d say the expertise of the researchers is sometimes critical and can make the difference between a convicted criminal and one that escapes,\u201d Raiu said.<\/p>\n<p>In addition to reverse-engineering and sharing data with law enforcement, security research teams are usually working closely with global Computer Emergency Response Teams (CERTs) to commandeer or take down hacked servers or sinkhole a server to gather evidence and data that can be used later in a legal case.<\/p>\n<p>\u201cCybercrime is an incredibly complex domain with multiple facets. This is why anti-malware researchers are often required to offer their help as experts during trials which include high tech crime,\u201d Raiu explained.<\/p>\n<p>Cybersecurity expertise in a malware lab will often include open-source intelligence, or OSINT (<a href=\"https:\/\/en.wikipedia.org\/wiki\/Open-source_intelligence\" target=\"_blank\" rel=\"noopener nofollow\">https:\/\/en.wikipedia.org\/wiki\/Open-source_intelligence<\/a>).\u00a0\u00a0 This part of an investigation is exhaustive and often requires trawling the Web with a fine-tooth comb to find any clues that may link an attacker to a malware operation.<\/p>\n<p>\u201cIn the course of an investigation, there are many indicators that can lead to the identity of a cybercriminal.\u00a0 Some parts of the code sample may include a nickname or a certain style of coding.\u00a0\u00a0 That information can be used as a starting point to track down a bad guy,\u201d Dell SecureWorks\u2019 Williams explained.<\/p>\n<p>Researchers will use a nickname or a clue from a piece of code or an e-mail address 
from a registered domain name to comb through web-based communities like Facebook, Twitter, YouTube, wikis, blogs or any user-generated content site where a bad guy may have used that nickname or email address.<\/p>\n<p>In the infamous Koobface example, Facebook\u2019s security team conducted open-source intelligence in collaboration with the security research community and went public with the names, photographs and identities of the people they believed were responsible for the attack that spread through its network.\u00a0 This information was given to the media as part of a \u201cname-and-shame\u201d operation.<\/p>\n<p>\u201cThe bulk of the work is done on the technical side to protect customers but that information gets shared with law enforcement to effect arrests.\u00a0 When it comes to final arrests and court cases against cybercriminals, you can bet the bulk of the work is done in a research lab,\u201d Williams added.<\/p>\n<p>\u201cAttribution and arrests may not necessarily be part of the initial operations.\u00a0 But when a malware lab is doing disruption and protection of the ecosystem, the results of that work may be passed on to law enforcement to handle arrests and legal action,\u201d Williams added.<\/p>\n<p>Williams reiterated that the work of the research community has to be of a very high quality because the information will eventually have to be presented to a court in a credible manner.<\/p>\n<p><a href=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/92\/2013\/03\/06051354\/a2.jpg\"><img decoding=\"async\" class=\"alignnone size-full wp-image-1426\" alt=\"a2\" src=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/92\/2013\/03\/06051354\/a2.jpg\" width=\"666\" height=\"283\"><\/a><\/p>\n<p>Cybersecurity researchers often bristle at the slow pace of legal investigations into some of the more virulent attacks, especially the banker Trojans and botnets that conduct financial fraud.\u00a0 This snail\u2019s pace 
prompted Facebook to go public with the Koobface investigation details before any law enforcement operation, but Williams pointed out that things are getting better.<\/p>\n<p>\u201cThere definitely needs to be better harmonization of laws across borders. Criminals do have an awareness of where laws are lighter and the things they can do to stay under the radar and avoid arrests.\u00a0 However, I think law enforcement is getting a better understanding about how to push these cases. We\u2019ve seen successful criminal cases where existing laws that had nothing to do with cyber crime were used,\u201d he added, citing the Zotob case where cybercriminals were prosecuted via money laundering, tax evasion and financial fraud laws.<\/p>\n<p>\u201cIt is the natural evolution of defense to work towards disruption, takedown and attribution of the parties responsible for cybercrime. 
Without [botnet] takedowns, money is generated by criminals and that money gets reinvested in future attacks.\u00a0 Without disruption, it\u2019s an uneven playing field.\u00a0 I think we are finally getting to the point where defenders have sufficient collaboration, relationship, technologies and law enforcement cooperation to turn the tables,\u201d Williams added.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Whenever you read a news headline about the arrest or conviction of a cybercriminal, you can guarantee that the bulk of the investigative work was done by the work of<\/p>\n","protected":false},"author":39,"featured_media":1425,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[5],"tags":[77,36],"class_list":{"0":"post-1411","1":"post","2":"type-post","3":"status-publish","4":"format-standard","5":"has-post-thumbnail","7":"category-news","8":"tag-cybercrime","9":"tag-malware-2"},"hreflang":[{"hreflang":"x-default","url":"https:\/\/www.kaspersky.com\/blog\/inside-cybercrime-investigations\/1411\/"},{"hreflang":"en-in","url":"https:\/\/www.kaspersky.co.in\/blog\/inside-cybercrime-investigations\/1411\/"},{"hreflang":"en-ae","url":"https:\/\/me-en.kaspersky.com\/blog\/inside-cybercrime-investigations\/1411\/"},{"hreflang":"en-us","url":"https:\/\/usa.kaspersky.com\/blog\/inside-cybercrime-investigations\/1411\/"},{"hreflang":"en-gb","url":"https:\/\/www.kaspersky.co.uk\/blog\/inside-cybercrime-investigations\/1411\/"},{"hreflang":"ja","url":"https:\/\/blog.kaspersky.co.jp\/inside-cybercrime-investigations\/558\/"},{"hreflang":"en-au","url":"https:\/\/www.kaspersky.com.au\/blog\/inside-cybercrime-investigations\/1411\/"},{"hreflang":"en-za","url":"https:\/\/www.kaspersky.co.za\/blog\/inside-cybercrime-investigations\/1411\/"}],"acf":[],"banners":"","maintag":{"url":"https:\/\/www.kaspersky.com\/blog\/tag\/cybercrime\/","name":"cybercrime"},"_links":{"self"
:[{"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/1411","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/users\/39"}],"replies":[{"embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/comments?post=1411"}],"version-history":[{"count":1,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/1411\/revisions"}],"predecessor-version":[{"id":31180,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/1411\/revisions\/31180"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/media\/1425"}],"wp:attachment":[{"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/media?parent=1411"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/categories?post=1411"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/tags?post=1411"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}