The Endless Fight with Cyber Crime By Rahul Tyagi

About Author

Rahul Tyagi is one of the top computer security experts available in

India, Brand Ambassador of TCIL-IT Chandigarh, Vice- President of

Cyber Security and Anti-Hacking Org, India, and Technical Head of

News Paper Association of India.

Website:- www.rahultyagi.net Mail:- officialrahultyagi@gmail.com

My Self Rahul Tyagi and like others, I love the internet and yes it’s

true, think about everything it brought to us, think about all the

applications – services we use, all the technology like Smart Phones

like iPhone 4 with internet, which help us to grab the world in our

palm, and I feel good that it’s happening during my and your

lifetime. Internet exists from era in the world but few years will be

remembered as the years that got online (2008-11), in these years

we build something truly global. Think once again about Facebook,

Twitter, PayPal, Google and many more, these services are like

breath to us today and we cannot really survive without them.

But it also true that along with these facilities our cyber world have

problems, very serious problems, problems with security, problem

with privacy and information. I am spending my carrier by awareing

people from these threats. In this paper i am not going to show Big

Defacements, A Customized Crypter coding etc or something else,

because I don’t think so that it is my job. My job is to show

something which really affects the cyber society and I think this

paper will help you to gain knowledge about the global crime and

criminal strategies.

So to understand the crime scenario lets go back to 1986. This below

is a picture of a famous virus called Brain.A. This virus was the first

PC virus we have ever incurred for the PC.

What was

Funny part in that actually we know where it came from because it

said so. If you see the boot sector of the virus carefully. It says

“Welcome to the Dungeon, 1986 Basit-Amjad (pvt) Ltd. BRAIN

COMPUTER SERVICES 730 NIZAM BLOCK ALLAMA IQBAL TOWN

LAHORE-PAKISTAN PHONE: 430791,443248,280530.”

Basit and Amjad are the first names and off course Pakistani

Names. That was the virus comes in 1986 and now today is 2012. PC

virus related crimes are today’s top most cyber crimes proceeded

through process called RATing etc having the Trojan’s with FUD

(Fully Undetectable) nature.

In 2011 Mid Mr. Hippo Chief Security Researcher officer visited

Pakistan to meet them on the same address which was shown in the

virus code. After reaching the building he knocked on the Door. [:P]

, You wana guess who opened the Door ? Its Basit and Amjad who

opened the door (They are still their never caught). Here is the pic

standing in the picture is Basit and Sitting is Amjad.

Image Property:- Mr. Mikko H. Hypponen

So virus we see in the 1980 and 1990 are not a problem anymore. In

1990’s its very easy to detect that our computer is being infected by

a virus because its shows up. At that time virus and worms are

written by teenagers and kids mostly. Today viruses are big

problems. If we talk about phishing and same kind of attack, they

can be prevented by some basic precautions. Here is a screen shot of

the virus found by MacAfee.

Picture Property: - Rahul Tyagi

Here we can see hundred and thousands of malware coming up in

seconds. So the next question comes to your mind. Again new

question arises where they are coming from, today is the organized

criminal gangs writing and hiring people to write these viruses,

because they make huge money with these viruses.

Here is one gang called GANGSTABUKS operated in Moscow.

So how this site is usefull for a computer hacker or a coder. Well if

you are malicious virus writer coder and you are capable of infecting

popular operating system’s like Windows used in majority in the

world., but you do not know what to do after infecting the computer,

you can sell those infected computers ( Someone else’s computer) to

these guys, and they will monetize those infected computers and I

hope we all know how they monetize , For example they can use

banking Trojans which will steal money when you go for online

banking. But the things they were looking for is the sessions when

you go online and do online shopping.

In India it’s not a big problem yet but in future it will be. Now after

getting your credit card details and other things they will sell those

details to others. In below image we can see these cyber criminals

openly sell them in very cheap price.

In just $2 they are giving you the credit card ownership and after

purchasing you can go for online shopping in a flash. Credit Card

hacked in Russia can be used in Pakistan for shopping and hence no

one can stop and even chances for arresting people behind

purchases are very few.

We have many underground market places on which these illegal

selling and purchasing is being done.

Here we have first underground market place forum known as

alboraaq.com here people can sell hacked profiles like Facebook

Profiles, Twitter Profiles and many other.

There are many forums like this which are providing market place

at once it looks familiar but when you go deep you will find many

people who are selling purchasing illegal tools like, FUD Crypter,

Email Hacking Tools, Remote Accessing Tools and many more. And

the worst I have seen is the majority of users who are on these kinds

of forums are teenagers and good coders. They do not know will be

the outcome of these things which they are doing intentionally or

unintentionally.

Let’s have a look on the real cyber criminals wanted by the FBI. We

have some real cyber criminals which are behind big cyber crime

scenarios, if you go to FBI official site.

Image Source: - http://www.fbi.gov

Image Source: - http://www.fbi.gov

These two people were running online criminal gang called “I AM

YOU”. Through it they generate millions, right now they are on run

nobody knows where they are even dead or alive. Recently US

Officials froze a Swiss Bank Account belongs to them and that

account was having $14.9 Million , so one thing which is clear from

this that the amount of money online crime generate is significant.

What more worst I come to know that these days cyber criminals

are capable of investing into their attacks. They are hiring

programmers, and other testing people to test their attack before

the start of attack to check the efficiency and success rate of the

attack.

Internet as I said is truly global now and cyber criminals are making

the best use of that. Internet is international that is why we call it

internet.

Now what if we know even how to shut it down? Again problem

remains the same as we tries to shutdown it will jump from one

place to another, one country to another hence we cannot shut these

guys down. It is just like giving free plane tickets to the cyber

criminals on the internet helping them to reach us now in a effective

manner like never before.

Here we have a case study of a criminal tracked down by F-Secure.

This is a boot sector of a image which was having a virus attached

with it. And at first sight it seems fine but actually its boot sector is

encrypted with XOR Function 97(Popular Function used to encrypt

content).Here in the below image it is being decrypted by XOR

Function 97.

After decrypting the content here we can see in the below image

yellow portion text is the text which was decrypted recently.

If you see carefully in the image you will see some contents like

website address like http://unionseek.com/d/ioo.exe and some

kind of signature 0600K078RUS.

Link written shows that as the someone open the image this virus

ioo.exe, will automatically downloaded from the link and enters into

the computer without any alert or notification by the antivirus, is ok

but here the signature 0600K078RUS, which have no connection

with the code. And when Mr. Hippo who was investigating this case

Goggled it , they found nothing- ZERO Hit. There was a Russian

employer who was working in F-Secure , and when he saw this

signature he said that 78 is a city code for Saint Petersburg in

Russia.

After some investigation they found a blog which is related to

unionseek.com and what they see is that blog is of a 20 years old

boy, and thing which really amazed him that that boy was having a

Mercedes Benz S600, having V12 Engine along with 400 Horse

Power. For a 20 years old boy this was something big . How they

come to know about the car ? Because he blogged it on his blog. Here

are some pic which he uploaded into his blog.

On the left hand side it’s his Mercedes and on the right some other

car he hit from behind. But in the below image if you see his car’s

number which was 0600K078RUS which was same found in the

source code of the virus.

Now this is how we rest the case. Now what happen when they

caught, in reality cyber crime agencies never goes so far like this.

They even do not know from which country the attack is coming,

and if they even find the online criminal there is no outcome.

So one thing more pretty clearer now that it’s very difficult to stop

these cyber criminals. But if we say precaution is better than cure,

so what will be your precaution against these kinds of Virus attacks?

Now again I am sure as I used the word Virus then first protection

came into your mind will be Antivirus, but unfortunately these days

even your Paid –Premium fully updated Antivirus not going to

protect you from viruses , having FUD (Fully Undetectable) nature.

Let’s see a demonstration of it how cyber criminals make their

infection files Fully Undetectable.

Here this is a infection file of Trojan used to infect

computer and after infection help in Remote accessing. This is non

FUD and if we scan it with online virus scan it will come up with

following results.

Out of 43 anti viruses 38 detected that this is a malicious file. Now

lets try to make if FUD here below I am using a Crypter that will

make change the signature of the virus file and make it purely

Undetectable.

Here after browsing to the server.exe file as we click on build it will

change the signature hence will make server.exe fully undetectable .

You can see the new file coming up after crypting the old server.exe ,

now let’s again scan it with virus total portal and check what will be

the results.

Now we can

say it is undetectable by Top 43 anti viruses. So what to do now quit

using computer, stop using online services?. And truly speaking

giving answer to this question is really difficult for me too.Suppose if

your computer is being infected by this kind of virus what you can

do?.

Think about the services we use today and think at one day you

can’t have them for some reason or what. I see beauty in the future

of the internet but I am worried that we might not see them because

we are in big trouble created by cyber criminal and if it will be going

like this the we will have the situation of losing it all.

I have diverted my carrier towards cyber awareness and I do

feel like if we do not fight online crime now, then we are

running a risk of losing it all. We need a true global strict law

enforcement work done to find the organized criminal gangs

that are making millions from these attacks , which is more

important than installing and running firewall and anti viruses.

Finding the people behind these attacks and more importantly,

we have to find the people especially teenagers and script

kiddies who are going to be the part of these crime. We have to

find the people who have the potential but lack of opportunity

and have to guide them to devote the time and mind in

protection rather than destruction.

About Author

Rahul Tyagi is one of the top computer security experts available in

India, Brand Ambassador of TCIL-IT Chandigarh, Vice- President of

Cyber Security and Anti-Hacking Org, India, and Technical Head of

News Paper Association of India.

Website:- www.rahultyagi.net Mail:- officialrahultyagi@gmail.com