When Cyber Criminals Eat Their Own

Some of the most prolific and recognizable malware distributed by Russian and East European cyber crime groups purposefully avoids infecting computers if the program detects that the potential victim is a native resident. But evidence from the Conficker worm -- which by some estimates is infecting more than one million new PCs each day -- shows that trend may be shifting.

According to an analysis by Microsoft engineers, the original version of the Downadup (a.k.a. "Conficker") worm will quit the installation process if the malware detects the host system is configured with a Ukrainian keyboard layout. However, the latest variant has no such restriction. Stats collected by Finnish computer security firm F-Secure show that Russia and Ukraine had the second and fifth-largest number of victims from the worm, 139,934 and 63,939, respectively, as of Tuesday, Jan. 20.

In the past, installers for the infamous rogue anti-spyware families -- such as Antivirus 2009 -- have been programmed so that they fail to install if the installer detects the system is running a Russian or Ukrainian version of Windows.

Cyber crime affiliate sites such as "installscash.com" will pay affiliates good money for installing their adware and spyware on machines in dozens of countries. But affiliates who try to make money infecting Russian and former Soviet Republic nations that make up the Commonwealth of Independent States (CIS) are out of luck (see snapshot above, taken from installscash.com).

"We do not purchase Russian and CIS traffic," reads the "terms" page of the installscash.com affiliate agreement.

The same goes for the popular pay-per-install affiliate program run by webmaster-money.org, which pays from one to 55 cents per install, depending on the country where the victim lives. That program does not pay for installs in Russia and in nearly two dozen other countries, nearly all of which are CIS nations.

All of this strongly supports the notion that not only are some of the most active malware writers living in Eastern Europe, but they've also found it easier to fly under the radar of local law enforcement by not fleecing their own people.

E.J. Hilbert, a former FBI investigator who now works security for MySpace.com, helped Ukrainian authorities pursue some of the most wanted cyber crooks of his day. Hilbert was heavily involved in going after guys who frequented online cyber crime bazaars like Carderplanet.com, which traded in stolen credit cards and other personal data. Hilbert said the only real rule on Carderplanet and other such forums was that users didn't traffic in data belonging to CIS residents.

"There was a simple rule on Carderplanet: 'You don't mess with the Commonwealth of Independent States,'" Hilbert said. "The subtext there was: 'If you ignore that rule, [the authorities] would come knock at your door.'"

But Eugene Kaspersky, co-founder of Russian computer security software maker Kaspersky Lab, said the perception that all Eastern European cyber criminals -- both individuals and groups -- avoid attacking their own is neither accurate nor complete.

Kaspersky said cyber crime groups and individual actors in that region generally fall into one of three camps:

"Some of them [are] clever enough not to attack victims in their native country," Kaspersky told Security Fix, so as not to attract attention from local authorities. "Some of them [are] 'patriots.' They said things like, 'We do not attack our own country, citizens/businesses but only targets abroad,' and 'We invest money into the country by stealing from Western victims.'"

A great many Russian and CIS-based criminal hackers, however, don't pay much attention to where their victims are located, simply because it doesn't matter to them, Kaspersky said. What does matter, of course, is extracting cash or other useful resources from victims.

"Many criminals -- but not majority, of course -- in the third category were arrested or are under investigation, but those criminals are replaced with newcomers."

There are signs that with the explosive growth in ready-made exploit kits, and in keystroke-logging malware kits like Zeus and Limbo, plenty of people in Kaspersky's third category are willing to take the risks.

In December, Security Fix highlighted research that examined the geographic distribution of victims who had Zeus or Limbo on their computers. This is possible because both keylogger programs record the country code indicated by the victim's Internet address, and because the researchers had access to more than 70 so-called "drop sites" where these keyloggers regularly delivered data stolen from victim PCs.

Most of the drop sites studied in that report were created by Limbo keylogger toolkits. Overall, Russia had the largest number of Limbo victims, with 26,700 infected machines (16.3 percent of the total). The next largest group of Limbo victims were from the United States (14.4 percent) and Spain (12.7 percent).
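The kind of tally behind those Limbo figures is straightforward to reproduce: each drop-site record carries the country code the keylogger derived from the victim's Internet address, so a researcher counts distinct infected machines per country and turns the counts into percentages. The script below is an added example, not code or data from the research Security Fix covered; its log format ("timestamp, victim IP, country code, bot identifier") and the records it parses are constructed for illustration. It also handles two details a real analysis has to get right: a machine that checks in several times is counted once, and records with an unresolved country code (here "--") go into an "unknown" bucket rather than being silently dropped.

```python
import re
from collections import Counter
from typing import Dict, List, Tuple

# Constructed sample of a hypothetical drop-site log. Not real data; the
# format "<timestamp> <victim_ip> <country_code> <bot_id>" is an assumption
# made for this example. bot-0001 reports twice and one line is malformed.
SAMPLE_LOG = """\
2008-12-01T10:00:01 10.0.0.1 RU bot-0001
2008-12-01T10:00:02 10.0.0.2 RU bot-0002
2008-12-01T10:00:03 10.0.0.3 US bot-0003
2008-12-01T10:00:04 10.0.0.4 ES bot-0004
2008-12-01T10:00:05 10.0.0.5 RU bot-0005
2008-12-01T10:00:06 10.0.0.6 US bot-0006
2008-12-01T10:00:07 10.0.0.7 -- bot-0007
2008-12-01T10:00:08 10.0.0.8 RU bot-0001
2008-12-01T10:00:09 garbled line
2008-12-01T10:00:10 10.0.0.9 DE bot-0008
"""

# One record per line: timestamp, dotted IPv4 address, two-letter country
# code (or "--" when the keylogger could not resolve one), bot identifier.
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s+"
    r"(?P<cc>[A-Z]{2}|--)\s+(?P<bot>\S+)$"
)
UNKNOWN = "??"  # bucket for records without a usable country code


def parse_records(text: str) -> Tuple[List[Tuple[str, str, str]], int]:
    """Return ((ip, country_code, bot_id) tuples, number of malformed lines)."""
    records: List[Tuple[str, str, str]] = []
    skipped = 0
    for line in text.splitlines():
        if not line.strip():
            continue
        match = LINE_RE.match(line)
        if match is None:
            skipped += 1  # keep going; a drop-site log is rarely pristine
            continue
        cc = match.group("cc")
        records.append((match.group("ip"), UNKNOWN if cc == "--" else cc, match.group("bot")))
    return records, skipped


def country_distribution(records: List[Tuple[str, str, str]]) -> List[Tuple[str, int, float]]:
    """Count distinct bots per country; return (country, count, percent) sorted by count."""
    first_seen: Dict[str, str] = {}
    for _ip, cc, bot in records:
        # A bot that checks in repeatedly is one victim; attribute it to the
        # country recorded on its first check-in.
        first_seen.setdefault(bot, cc)
    counts = Counter(first_seen.values())
    total = sum(counts.values())
    rows = [(cc, n, round(100.0 * n / total, 1)) for cc, n in counts.items()]
    rows.sort(key=lambda row: (-row[1], row[0]))
    return rows


if __name__ == "__main__":
    recs, bad = parse_records(SAMPLE_LOG)
    print(f"{len(recs)} records parsed, {bad} malformed line(s) skipped")
    for cc, n, pct in country_distribution(recs):
        print(f"{cc}  {n:5d}  {pct:5.1f}%")
```

Running it on the constructed log reports eight distinct victims, with RU at 3 (37.5 percent) and US at 2 (25.0 percent), and one unknown-country bot listed separately; on a real drop-site dump the same two functions apply unchanged, only the input differs.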

Hilbert said even if the attackers in control of those Russian PCs infested with keylogger software don't use or sell financial data stolen from those machines, they can still use those systems to relay junk e-mail or attack others online.

"You may not get much [financial data] from a bunch of PCs used primarily by Russian schoolkids, but you're still going to get a bunch more PCs to add to your botnet," Hilbert said.

Update, Jan. 30, 11:44 a.m. ET: Data from anti-spam outfit Spamhaus.org also supports the notion that cyber crooks increasingly are targeting their own. Spamhaus's "composite block list," or CBL, lists the number of distinct Internet addresses identified as sending spam. In the CBL's breakdown by country, Russia is home to the second-highest number of spam bots, just behind Brazil. Ukraine ranks sixth on Spamhaus's CBL, just ahead of the United States.