To Crush the Enemy, the face of online warfare – Part one: The Eastern European virus writer

For the longest time, I have taken the immortal words of Conan to heart: "What is best in life? TO CRUSH YOUR ENEMIES, SEE THEM DRIVEN BEFORE YOU, AND HEAR THE LAMENTATIONS OF THEIR WOMEN!!!!!"

I have always dreamed of one day taking the field as a mercenary. I have studied the wars of Hernan Cortez and John Hawkwood. I have spent too many hours studying the economics and politics of the classical mercenary. But in the end, I still don’t stand a chance in becoming a great mercenary. My vision is poor, and my sword arm is flappy. I have been relegated to slowly stroking my sword in my room at night.

However, starting from a few years ago, I have been seriously considering the influence of the internet on war. Just how much of a role can the internet play on the battlefield of the future? Can I still somehow live up to my mercenary dreams by becoming an internet mercenary? It looks like it is possible, and so I dove in.

After getting myself into my fair share of sticky situations, I thought I might as well just come and tell my stories here. Yep, I will be doing a series of long-form intoxicated forum posts, a specialty of mine. Gather around, and listen to my old war stories!

I’ll be writing a series on online warfare and the "hacking scene". I’m not sure how many entries I will do, it’s all up to me, my time management, and my mood. Ask me in the comments if there is something specific you would like to see! They will be posted here in the off topic section, so check back soon!

Again, everything I write about is from my personal experience, don’t hold me to it for accuracy, although I will try my best to ensure its accuracy. Most of the people here that I discuss are friends of mine, but again, if you are a member of law enforcement (Hello Mr. NSA!), I don’t know them well enough to be able to provide their addresses. If you guys have any questions, just pop ’em off in the comments, I love comments!

Introduction

It is undeniable that Microsoft Windows has a second-to-none ecosystem. From hunting down noobs in Crysis, to hunting down rule-breaking users in Active Directory, Windows has always relied on its powerful ecosystem to deliver technological solutions to billions of users worldwide.

But alas, Microsoft wants you to look at the positive side of its ecosystem. They always talk about the games, the productivity, the entertainment, but just like how a travel bureau never talks about the seedy side of town, Microsoft never talks about Windows’ amazing malware ecosystem.

Well, let me take you to a whole new world, underneath the portrait that Microsoft wants you to see, into the criminal underworld. Not the idealistic world of hackers fighting the man, the masterful coders pulling off great heists and penetrating the most heavily protected servers on earth, but the lowly Windows malware programmer, arguably the least glorious "professional" internet criminal. Why no OS X? Or Linux? Sure, malware writers are slowly pushing out OS X malware, but the market share is so low that there is little profit to be made. This is one of the areas where Windows has the much better ecosystem ;)

Our story starts in what you guys might consider to be an ex-Soviet backwater…
The Men Behind it

Commercial malware production is a peculiar thing. The legality of it ranges from "not very legal" to "very illegal" depending on the specifics and the jurisdiction. I can assure you that none of these guys are registered businesses accredited by your local Better Business Bureau.

The ownership structure of 99% if not 100% of these malware creation operations is either a sole proprietorship or a partnership. These guys are small, nimble operations, from a few guys up to maybe 20 or 40 guys. The smaller of these operations are maybe a few friends on the internet trying to write some malware to peddle on the script kiddie communities; the bigger ones have a few guys in a dilapidated apartment or small office with a few computers.

It has become the norm in North American online startups to operate with big budgets, hiring well-paid programmers from the top schools, in cushy offices with their nice MacBooks. All of this is funded with the huge rush of venture capital money, mostly in the San Francisco Bay Area, but also in the other big centers like New York, Houston, Seattle, Toronto, and other major cities. I personally think this model is foolish, and the current gold rush will not last, but alas, that is the current state of North American startups.

Yeah, usually these guys in Eastern Europe don’t really have the venture capital money that their North American peers have. I have a friend in a certain former Yugoslavian republic (guy still calls it Yugoslavia) who runs a malware startup, and of course the way he runs his shop is completely different from what you would think of when one mentions a startup.

Imagine the most extreme bootstrapped startup. Now imagine something even more bootstrapped. The conditions you are picturing right now are still far better than the best Eastern European malware startup. I know one of these guys who runs a malware startup, a large-scale one at that, and this is what his facilities look like:

Their office looks like a webcam sex facility. The space is divided into small "bedrooms" that are perfect for office space; the previous use of the place was probably webcam sex. Instead of beds, the rooms are stuffed with desks, with workstations and monitors crammed in close quarters. The facility is relatively well equipped, IT-wise. There is Wi-Fi throughout the office, with wired internet in every room for every workstation.

In an average day, the office looks like a mess. During "crunch time", the programmers usually will end up eating and sleeping at the office. Unfortunately, at those times, there is often a persistent unpleasant odor.

These operations usually employ two kinds of programmers, the self-taught genius, and the classically trained programmer. Let’s discuss the second category first.

Nowadays, institutions of higher learning in Eastern Europe are often overlooked, and they usually end up ranking quite low in international rankings. However, the quality of education in these communist-era schools is surprisingly good. They have not followed the (in my opinion) destructive trends in Western universities where the education has been influenced by hype or "industry demands". They don’t offer courses like "Introduction to Visual Studio 201" or "Creating Websites with Cold Fusion". Computer science students don’t end up wasting their time in courses on classics or feminist studies; the concept of "distribution requirements" never really caught on. Yes, there has been an explosion of the so-called "Java schools", catering to outsourcers, but most schools still stick to a classical curriculum.

A classically trained computer scientist in a former Yugoslavian republic would usually start his formal education with a healthy complement of math. Calculus, linear algebra, geometry, and other advanced mathematics are heavily emphasized. It is my belief that you cannot forge a computer scientist without a strong base in mathematics. After building a strong math background in the first and second years, a strong technical foundation is taught to the students in their 3rd and 4th years, with a heavy focus on algorithms, compilers, operating systems, and networking.

This type of classical education is quite ineffective in forging the creators of the "next big thing", as their creativity will be stifled with too much mathematics and theory, and it can be argued that all the time spent on the maths and classical computer science education has little applicable use for the job market. It is this focus on "the classics" of computer science that actually makes these students perfect for malware writing. Mastering x86 assembly probably won’t help you get a job in this day and age, but mastery of assembly would allow you to code top-notch malware.

Consider the curriculum at most post-secondary institutions here in North America. If you are at a "boot camp", well, you’re probably just going to learn how to quickly hack together just another website. Many colleges and universities have gone the way of the "Java school", and those who haven’t have become very workplace-oriented, teaching you whatever technology is currently in demand. This education model is great for the industry, but unfortunately does not build a strong enough theoretical foundation for malware writing. Proficiency in Ruby on Rails will get you a job, but it sure won’t help you program viruses.

As for the self-taught genius, I have met 3 individuals who profile as geniuses. They can easily surpass their peers, and they perform nearly infinitely better in important tasks such as algorithm design and optimization. Most of them are way, way too smart to be working at malware programming teams, but I have seen some of them succeed in this business.

Oh, and despite what movies like Hackers would like to tell you, I have never actually met a woman in the malware industry. I can't explain it. It's not sexism in the traditional sense; in countries where women usually make 50 cents for each dollar a man makes at the exact same job, these malware kingpins would gladly save the 50 cents.

How much do these guys get paid? Well, compared to how much their peers get paid in America, their salaries can be rounded off as a rounding error. At the "higher end", Romanian programmers make an average of 600 or so USD a month. At the lower end, in Kosovo, programmers make significantly less than that. By basing the operation in Eastern Europe, these small operations can triple or quadruple their output, at only a sliver of the cost of basing the operation in, say, San Francisco.

The customer

Well you see, just like in every other industry, reputation matters very much. Especially in an industry where there isn’t a "certification" process, or any semblance of "consumer protection laws". It really comes down to reviews (which are mostly fake), brand and reputation.

How big is the malware business? I don’t know. Every security expert has their own prediction, and every idiot in the industry has their own estimate. However, I really, really don’t know. I won’t even bother to guess.

So who are the customers? The biggest buyers are the large-scale criminal enterprises. After all, in this day and age, when good malware can easily sell for thousands, and the server and backup infrastructure required to operate such a system can easily run up to hundreds a day, the small players have been squeezed out of the largest tier of online criminality. If you can secure the business of a few of these big criminal enterprises, you can easily pull in tens or hundreds of thousands a month.

The top tier is where the best profit margins and the most prestige lie. Some of these guys might even be far bigger than they claim to be. These groups are very willing to spend money, and have significant technical capabilities. You need to be able to demonstrate technical superiority over competing malware solutions. These large customers are more than willing to pay for customization and, almost mirroring legitimate IT, for support contracts and training.

Then, you move down to the smaller second tier. These criminal groups are probably comprised of a few buddies with a few hacked servers. Their scale isn’t big, and these guys are probably semi-pros instead of full professionals. They are here to make a buck, and they are willing to spend money on malware. But at this level, price competition becomes more important. They want the big brands; they want Zeus, SpyEye, and their successors. They want to buy "name brand" stuff. They lack the expertise and the finances to commission custom pieces, and prefer "mass market" stuff. The difference between the top tier and the second tier is like the difference between someone who buys an F1 race car and someone who purchases a mass-market sports car. The difference is huge, but catering to the second tier can also be very profitable.

Finally, you have the bottom feeders. The guys who sell to script kiddies at places like Hackforums.net. At this tier, most of the malware creators are just a few guys doing it as a hobby and/or are here to make a quick buck. The technical expertise displayed at this level is low, very, very low. The price, of course, is also very low. This is the "$10 idiot-proof script" tier; the customers are script kiddies, here to hack their friend’s Facebook, and not internet criminal masterminds.

The script kiddie tier is too low for the professional Eastern European studios to target. Fundamentally, at the bottom tier, the market is saturated to an extreme point. Don’t believe me? Just look around script kiddie communities yourself. You have to move up the food chain to make real money.

To sell malware is to fuel an eternal arms race. You are always competing against your competitors, and the antivirus companies, who will soon figure out ways to detect and kill your malware. The customers aren’t stupid, and there is always pressure to innovate. If you don’t move, you will soon die. This is why success is almost impossible in the bottom tier: there is too much competition, and you would be forced to continuously re-invest in your product, something that will quickly eliminate your profits.

The future?

Well you see, Windows malware can only get you so far. The truth is, the barrier to entry is very, very low; after all, you only need an IDE and a computer to start programming your own malware. But to make it to the top, to deal with clients where there is actual real profit, that is very difficult.

Mobile is next, but of course, mobile malware development has its own challenges. The talent pool is much harder to find; most decent mobile developers are employed. It is also much less profitable, especially as carriers crack down on "premium" text messages and calls.

But hey, mobile malware is the future, and I can see all of the Windows malware programming houses slowly shifting to Android. It isn’t exactly a question of if, but a question of when.

As for OS X, the truth is, I don’t think the malware industry will really focus on it anytime soon. The market share is small, but the far bigger problem is the complacent nature of most OS X users. The numbers say that most OS X users care little about their security; after all, hasn’t it been said that "Macs don’t get viruses"?

And here lies the biggest challenge in OS X malware: OS X malware just gets obsolete too slowly. Antivirus companies don’t fanatically hunt down and seek out OS X malware like they do Windows malware. Remember, the arms dealer’s goal is to sell you increasingly big guns to penetrate your enemies’ armor. It ain’t gonna do you no good if your enemies are unarmored, or if they never upgrade their protection. That’s not to say that the OS X malware market doesn’t exist, it does, but it is innovating at a much slower pace than Windows, and it has pretty much stagnated.

Up next time: the internet hitmen

Malware dealers are the arms dealers of the internet. Just like physical arms dealers, they come in all shapes and sizes, from the street corner dealer selling Glocks, to the big boys outfitting warlords and governments alike.

Give me a few weeks, and I’ll try to profile the next big group of internet warriors, the "hitmen" of the internet. Are they slick suit-wearing types like 47? Or are they completely different? Tune in some time in the future to find out!

Shameless self-promotion: Of course, please, if you have questions or comments, drop me a comment! I like comments. No seriously, I am addicted to them. I will do anything for some. I have nothing better to do this summer, so be prepared to see me write anywhere and everywhere for some comments. Hey, if anyone needs a security expert or a baseball expert, or a soccer analyst, or a travel expert, or a political analyst, or anything, if you can give me a writing gig somewhere where there is a comment section, I will love you forever.

Again, I will write for comments.