Read Fatal System Error Online

Authors: Joseph Menn

Tags: #Business & Economics, #General, #Computers, #Security, #Viruses & Malware, #Online Safety & Privacy, #Law, #Computer & Internet, #Social Science, #Criminology

The second office had a different name on the door, Alfa Soft. Behind that door was another door, this one made of metal as thick as those guarding bank vaults. There was no handle: it opened only from the other side. Igor banged on it and a man answered gruffly, telling Igor to go away. Igor mulled his options and then sent for a fire brigade with a circular saw. For an hour they seared noisily away at the stubborn door, their impatience and anticipation mounting.
When they at last broke through, they saw a dumbwaiter that was big enough to take a person and a computer—or many computers, one at a time—out through a hole in the floor. Then they looked up and saw an empty rack where servers would normally be. Andy looked closely at a thick cord that would have connected those servers to the Internet and the world outside. It was still swinging back and forth.
In a report to his superiors, Andy swallowed his rage that, as the MVD concluded, Romanov had been tipped off by a corrupt official. He also glossed over how close he had come to catching someone he later realized was allied with the despised Russian Business Network. “I’m not going to tell my fucking boss that it happened while I was on the other side of the door,” he reasoned.
“It is suspected that the server in question was located at the office and had recently been removed,” Andy wrote dryly. He declined to say who tipped off Romanov, but in St. Petersburg, only the local office of Dept. K had known what was about to happen.
THE EVIDENCE AGAINST BRA1N and his potentially more powerful ally Scope had been spirited away. But Andy was determined to at least cut Brain off from his botnet. Andy knew from Maksakov that he had to do more than physically knock a command server offline. At the same time, he had to get rid of the bad guy’s domain name server, which might be thousands of miles away. And he had to persuade or force the bad guy’s domain name registrar, which might well be crooked, to kill the domain name itself. It was like decapitating several of the Hydra’s heads and burning all the necks except the main one, which had to be put under a heavy rock.
Andy had pulled off that trifecta with Milsan’s server and the one named “jerry.” Now he did it again on the day of the St. Petersburg raid. As they were cutting through the vault door, the U.S. Secret Service was at a hosting company called ZoneEdit Inc. on Broadway in New York, disabling Bra1n’s domain name server, and the Moscow registrar Runet was removing fbi.pp.ru from the Internet, separating Brain from his botnet and leaving him no way to reconnect. So the raid was far from a total loss, at least as far as companies suffering from DDoS attacks were concerned. The instant that Alfa Soft’s server disconnected, an ongoing assault on a major payment processor suddenly stopped.
The operation had its benefits for the MVD as well. Under Russian law, goods confiscated in an investigation can be turned over to the police for their own use, even if no charges are forthcoming. Within days, the flat-screen computer displays that had adorned the Alfa building in St. Petersburg had replaced the boxy monitors in the offices of Igor’s squad.
Brain proved to be extremely resourceful. He launched a new botnet within two weeks of the raid, controlled from a server called zombies.zombies.name, which this time was physically based in the U.S. In June, Maksakov watched as that network attacked the domain name servers of Time Warner Inc. and others. At the end of the month, Andy pulled off another Russian MVD- and U.S. Secret Service-assisted triple play targeting Brain.
Then in July, Brain started over again with a server called syscab.biz. This time the domain name server was in the Russian city of Samara and the domain registration was through a company in Hong Kong. Maksakov watched as it attacked Bet365 and Prolexic, which had the gambling company as a client. It took a couple of weeks, but Andy shut that botnet down too.
After that, Brain switched strategies, stumping Andy and Maksakov for months. Eventually, though, they worked out what their worthy adversary was up to. Instead of relying on IRC servers, Brain had made the most of advances in the botnet world and moved to manage his zombie armies through websites. He created four new German-language sites to control the mechanical throng. Carefully tracking Bra1n’s every move, Maksakov also saw how Brain was infecting new computers. He established two websites that appeared genuine, www.highconvert.com and www.installme.info, both porn pages hosted on machines at a major St. Petersburg service provider, Eltel. Those sites would infect Web surfers using an “exploit” that took advantage of a security hole in Internet Explorer. Andy and Igor set up a simultaneous takedown for December 30, 2005, and then retired to a sushi bar two blocks from MVD headquarters. Andy manned three cell phones and Igor two as they ordered the seizure of all four control sites and the two infectious pages. Andy thought about sending Brain a “Happy New Year!” email but decided against it.
After examining the computers operating the infectious sites, the forensics team finally worked out what made them so effective. For most visitors, including the sleuths, the sites appeared normal and harmless. But Brain had a friend in St. Petersburg who could hack into domain name servers and “poison” them, sending surfers seeking one site to a different one instead. If they agreed to pick Nike.com, for example, most people typing in that address would have gone to any of a large number of domain name servers and then to the right place. But if they happened to stumble on one of the poisoned servers, which were altered for just a half hour at a time, they would have been sent to highconvert.com or installme.info. Within ten seconds, the machines behind those websites would realize that the visitors were approved targets, check to see if they were running Internet Explorer as a Web browser, and if so use an exploit to install Trojan programs that would give control of the computers to Brain. Then they would dispatch the users to the real Nike.com.
Few consumers complained about a ten-second detour. If they did, and thought to check their browser history for where they had been, technical support people tended to assume that the user had clicked on the wrong thing and not noticed. In the worst-case scenario, they would navigate directly to the porn site, see that it wasn’t trying to install anything malicious, and tell the user there was no problem. All in all, it was a damn good scheme, one that illustrated how the best criminal hackers were rapidly becoming more proficient.
That last takedown, one of the most complicated in history, finally got through to Brain. In an online chat watched by Maksakov, he complained that all of his bots were getting killed as soon as he started to use them. Maksakov felt a surge of triumph. Then he read the rest of the comment. From now on, Brain wrote, he would only use his bots to harvest the financial information that was stored in the computers or typed in by their oblivious owners.
Brain was through attacking big companies. Now he would be going after tens of thousands of consumers. On the underground forums where users bought and sold the most sensitive financial information in batches of millions, he bragged that he would never be caught. He lived in Kazakhstan, where the foreign law enforcement had no power and, he said, the local authorities would never arrest him.
9
THE UNDERGROUND ECONOMY
ANDY CROCKER HAD JUST CRASHED into the same epiphany as Barrett Lyon. If the worst criminals had improved their technology to the point that they could leave denial-of-service attacks behind, a whole new war was opening up. The previous one, he thought, had been at best a draw: most companies survived, but police caught only a handful out of the hundreds of thugs involved. Crossing the borders was one big challenge, and beheading the botnets another. But at least the DDoS schemes required central coordination, because all of the zombies had to ping the target site simultaneously. Siphoning off sensitive consumer information could happen slowly, over weeks and months, and the means to do it were already in hand. Brain and his ilk didn’t need much more than a password-protected data center to hold the goodies until they crawled through the Net to collect them.
Andy pondered how to proceed. He would continue going up the food chain, trying to catch Brain and the other men above Ivan Maksakov, and he had to start thinking about the trial for the initial crew—Maksakov, Alexander Petrov, and Denis Stepanov. But beyond that, it looked like there was going to be a major problem for Internet commerce, and potentially an explosion in all manner of identity fraud. Andy saw just one weakness for the crime lords. No one could handle every part of a mass identity heist by himself. The ringleaders would have to coordinate with others; the underground markets were their lifeblood.
On such sites as CarderPlanet and the U.S.-based Shadowcrew.com, Bra1n’s denial-of-service ring advertised its services and King Arthur offered enormous quantities of credit card data. Also for sale: exploits for hacking into systems, versions of Bagle and other viruses for computer roundups, “phishing kits” for do-it-yourselfers to lure rubes with spurious emails, and rented time on the botnets. Website members could buy and sell banking particulars, passwords, and everything else a crook might want—together with professional services from “cashers” who turned bank account data into money, encoders who manufactured bogus credit cards with real numbers, and “executives” who provided networks of mules to pick up loot from Western Union, e-Gold, or Webmoney and deliver it to the guys in charge.
You could catch the masterminds if you could somehow tap those forums, the same way the feds used to watch restaurant hangouts as New York mobsters met and did business. The real question was whether the dark economy had evolved as quickly as the technological weapons in the criminal arsenals. If so, it might be too late to stop a hundred-year flood of sensitive financial data. Certainly the stealth markets were changing to stay ahead of law enforcement. Admittance was now granted only to those recommended by one or more trusted members. And the websites shunned sellers of financial information whose products were substandard due to age or overuse. They relied on electronic feedback like that used on eBay: no one would deal with a vendor who had more than one negative comment.
But those doing business over such sites still relied on people they weren’t sitting down with and in many cases had never met. That gave committed law enforcement officers an opportunity to penetrate the rings. If detectives busted one member of a password-protected site, they could offer leniency in sentencing in exchange for the perpetrator’s continuing to do deals under police supervision, as Andy was doing with Maksakov. Even if the suspect didn’t cooperate, the detectives could send him to jail and assume his online identity, luring bigger targets into sting operations. Merely being a leading practitioner of identity theft didn’t guarantee that one’s own identity wouldn’t be stolen.
Back before the launch of CarderPlanet and Shadowcrew, sites sold counterfeit documents as “novelties,” and other entrepreneurs with good access through their workplaces offered detailed credit reports and supplemental information from the likes of Georgia-based ChoicePoint, delivering account numbers and asset listings. The successor sites were mega-malls, providing every tool in one place. CarderPlanet began first, in 2001. According to U.S. investigators, it grew out of a group of hackers based in Ukraine, although many leading members came from Russia. At the time, there was virtually no enforcement of computer intrusion laws in Ukraine. The group felt secure enough to publicize parties. At one such gathering, at an Odessa restaurant, the leading members decided to open the site for business.
The brazen group called itself the International Carders Alliance, and the top man went by Script, after the slang for a computer program. CarderPlanet.com had the gall to advertise on other Internet sites, boasting in slickly animated videos: “Looking for professional solution? Discover the power of technology.... The team you can rely on.” Registered members could message each other in private or post publicly to forums dedicated to such topics as “Hacking,” “Questions of beginners,” and “Scammers/rippers activity,” where the criminals complained about getting duped by fellow thieves. Practitioners who submitted their products or services to official reviewers, Script explained in a posting, could earn Reviewed Vendor status, allowing them to advertise counterfeit passports and other ID documents, U.S. addresses for receiving goods bought through fraud, and other vitals of the trade. Above the reviewers and the reviewed vendors sat site executives bearing Italian titles derived from mafia lore, like Gabellotto Timur Arutchev