This report focuses on the development of Russian cybercrime. Firstly, it summarizes the economic and geopolitical factors that underlie computer crime, and which must be taken into consideration by researchers seeking to predict upcoming developments in cybercrime and cybercrime targeting. It goes on to look at the other ways in which Russian presence in the criminal cybersphere can be tracked, considering the technical approaches used by hackers in the region, how they link with economic and geographic factors, as well as with the part played by law enforcement in the investigation of international computer crimes. The presentation will cover the following topics: 1. How cybercrime is interlinked with economic and geographical factors in Russia. The implications of the banking and instant payment systems of the Russian Federation. 2. Law Enforcement. The laws that currently obtain in the area of Russian computer crime: Legal evasions and loopholes. 3. Technical trends. The use of botnets to steal money from the Internet banking system for corporate clients: Technological and statistical analysis of the malware families involved, the organizational structures of the perpetrators, and the calculation of damages. 4. Successfully prosecuted cases in 2010. Complex investigation: spam affiliates, the WinLock case and others. 5. How DDoS attacks and botnet operations in Russian networks were tracked in co-operation with the Russian honeynet Project.

1. Cybercrime in Russia: Trends and issues
Robert Lipovsky, Aleksandr Matrosov and Dmitry Volkov

2. This presentation is confidential
and not subject to public
disclosure

3. Agenda
General cybercrime trends in 2010
Most prevalent threats and incidents
Reasons for the incidents’ growth
Evolution of the cash-out scheme
Legal evasions and loopholes
Successful criminal prosecutions
Analysis of malware used in the attacks

4. Group-IB
oFirst and only public company in Russia
engaged in digital crime investigation and
computer forensics consulting
oEstablished in 2003
o Assistance to law enforcement authorities
on particularly difficult cases
o Partners and researchers in 48 countries
o Russian HoneyPot-Net project
o 24/7 monitoring and incident response

5. Cybercrime in 2010
Global computer crime market turnover at
7 billion dollars
Share of cybercriminals living in Russia
estimated at 1.3 billion dollars ~19% of
global crime
Cybercriminals from Russian speaking
countries: 2.5 billion dollars ~36% of
global crime
*research report "The Russian cybercrime market in 2010: status and trends”
http://www.group-ib.ru/wp-content/uploads/2011/04/Group-IB_Report_Russian-cybercrime-market_2010_eng.pdf

6. Most prevalent threats and incidents
1. Fraud targeted at Russian banks and
payment systems
2. SMS fraud using premium
numbers(“winlockers”/LockScreen
trojans)
3. DDoS attacks – Growth in number and
in power
4. Unauthorized access to sensitive
corporate information
*research report "The Russian cybercrime market in 2010: status and trends”
http://www.group-ib.ru/wp-content/uploads/2011/04/Group-IB_Report_Russian-cybercrime-market_2010_eng.pdf

7. Incident statistics by Group-IB forensic lab
1000
931
900
800
700
Share of cybercriminals living in Russia
586
600
estimated to increase to 2009
500
400
1.8 billion dollars in 2011 2010
300
(vs. 1.3 billion213 2010)
in
200
124
72 92
100 60
30
0
unauthorized
brand attacks DDoS bank fraud
access
SMS fraud (LockScreens) not shown because the numbers are
disproportionally greater

8. DDoS attacks: Growth in number and power
attackers DDoS bank if transaction
exceeds 150 000 $
most powerful attack 100 Gb/sec
(victims: UkrTelecom, Yandex, EvoSwitch
but real target was a dating affiliate program)

9. SMS fraud using premium numbers:
LockScreen malware
o If your country is affected, please, contact us for information
o Group-IB developed a case-tutorial for this type of
investigation

10. Reasons for the incidents’ growth
o Legal evasions and loopholes
o Low cost of services in Russia
o Lack of legal jobs for young IT-
specialists
o High profit and minimum investments
from cybercrime
o Low information security vs. high
cybercrime groups activities
o Shift of attack targets back to USSR :)

11. Cost of services in Russia
 Hacking of a website: from $50
 Guaranteed hack of a mailbox (Yandex, Mail, Rambler, Gmail):
from $45
 Mobile phone bug: from 5000$
 SMS service bug: from 1000$
 Massive distribution of Trojan and spyware: from 20$ (1000
users)
 Spam services:
o 400,000 companies - $55
o 1,800,000 private persons - $100
o 90,000 companies in St. Petersburg - $30
o 450,000 private persons in Ukraine - $50
o 6,000,000 private persons in Russia - $150
o 4,000,000 emails on @mail.ru - $200

12. Evolution of the Cash-out scheme
For amounts up to 40k $

13. Evolution of the Cash-out scheme
For amounts 40-200k $

14. Evolution of the Cash-out scheme
For amounts over 200k $

15. Chapter 28 of the Penal Code
Article 272. Article 273. Article 274.
Illegal Access to Development, Use and Violation of Rules for
Computer Information Spreading of Malicious the Operation of
Software Computers, Computer
Systems or Their
Networks
Criminal responsibility
Maximum fine of
300 000 RUB
Imprisonment for up to Imprisonment for up to
or
7 years 4 years
imprisonment for up to
5 years.

16. Legislative initiatives
The Committee against Cyber-Crime at the
Russian Association of Electronic
Communication (RAEC)
Improvement of Russian legislation in the
field of cyber crimes
Anti-SPAM legislation
Support against online child pornography

17. Successful criminal prosecutions
o Group-IB, Economic Crimes Division and Dept K MVD
busted a group of cybercriminals who developed and
spread the “LockScreen” malware
o 10 cybercriminals have been arrested

18. Successful criminal prosecutions
Leo Kuvaev case (BadCow)

19. Successful criminal prosecutions
Leo Kuvaev case (BadCow)

20. Successful criminal prosecutions
DDoS case (Cxim)
o Provided DDoS as a service
o Arrested for DDoS against Russian banks
o 8 months in jail

21. Successful criminal prosecutions
Russian bank-fraud case
Group #1
o stole 600 000$ in a single transaction
o case in court
o used Win32/Sheldor
Group #2
o stole 832 000$ (over 1 month)
o case in court
o used phishing sites (hosted on
Gogax)

22. Interesting facts about Russian bank fraud
• Mass distribution since 2009
1
• Six cybercrime groups attacking Russian
banks
2
• Maximum amount stolen at one time from
single bank account: 14 814 820$
3

23. Interesting facts about Russian bank fraud
These guys are still free!

24. Analysis of malware
used in the attacks on Russian Internet Banking systems

25. Overview
2010: year of attacks on Russian banks
• number of incidents has more than doubled compared to 2009*
Over 95%* of incidents involve banking trojans
Malware tailored to Russian banks and payment
systems
However!
• Can (and IS) used in other countries as well
*research report "The Russian cybercrime market in 2010: status and trends”
http://www.group-ib.ru/wp-content/uploads/2011/04/Group-IB_Report_Russian-cybercrime-market_2010_eng.pdf

26. Malware family share by incidents (%)*
(in the last 6 months)
40
30
20
10
0
*as investigated by Group-IB

27. Most prevalent banking malware in Russia
Malware Family Description
Win32/RDPdoor Backdoor; uses MS Remote Desktop; botnet
Win32/Sheldor Backdoor; abuses the TeamViewer application;
botnet
Win32/Carberp Universal trojan with modules for targeted
attack on Russian banks; botnet
Win32/Hodprot Downloader; installs other malware modules;
strong encryption of its C&C protocol
Win32/Qhost Malware that modifies the hosts file

28. Win32/RDPdoor

29. Stealing money using MS Remote Desktop…
Win32/RDPdoor overview
Appearance: First samples detected in April 2010
Cost: ~ 2.000$
Key feature: Abuses components of Thinsoft BeTwin for RDP
• Most prevalent banking trojan in Russia
• Bypassing advanced security mechanisms (Smartcards,
etc.)

30. Win32/RDPdoor detection statistics by country
Cloud data from ThreatSense.Net
April 2010 – March 2011
Russia
Ukraine
Kazakhstan
Belarus
Thailand
Bulgaria
United States
Israel
Moldova
Rest of the world

31. Win32/RDPdoor installation
infected Win32/RDPdoor
computer C&C
run dropper and send system information
1
authentication on C&C and provide Thinsoft BeTwin for installation
2
send status information
3

32. Win32/RDPdoor installation

33. Win32/RDPdoor installation

34. Stealing authentication data
1. Install GINA extension DLL
2. Display fake logon screen
3. Capture user name &
password
4. Send to C&C

35. Win32/RDPdoor bot commands
Bot Command Description
“P” change password for BeTwin terminal
session
“B” reinstall BeTwinServiceXP module
“S” administration of BeTwin terminal
session
“R” install BeTwinServiceXP module
“T” BeTwin backconnection initialization
“U” update main modules and
configuration

36. Win32/RDPdoor bot commands

37. Win32/RDPdoor updating
New dropper with a new configuration embedded is received after „U‟
command

38. Win32/Sheldor

39. Win32/Sheldor overview
Appearance: First samples detected in June 2010
Cost: ~ 2.500$
Key feature: Abuses the TeamViewer application for remote
access
• Using the TeamViewer cloud adds another level of
anonymity

40. Win32/Sheldor detection statistics by country
Cloud data from ThreatSense.Net
April 2010 – March 2011
Russia
Ukraine
Kazakhstan
Moldova
United States
China
Belarus
Israel
Georgia
Rest of the world

41. Win32/Sheldor and TeamViewer in action
1. Request cloud ID
2. Set cloud ID
3. Send ID to C&C TeamViewer
4. Malicious connection cloud
1 2
infected
4
computer
Win32/Sheldor
3
GET C&C
/getinfo.php?id=414%20034%20883&pwd
=6655&stat=1

42. Win32/Sheldor and TeamViewer in action
1. Request cloud ID
2. Set cloud ID
3. Send ID to C&C
4. Malicious connection
GET
/getinfo.php?id=414%20034%20883&pwd
=6655&stat=1

43. Under the hood: DLL hooking
TeamViewer.exe
TV.dll
(proxy DLL)
TS.dll
(original TS.dll)

44. Malicious DLL call graph

45. Malicious DLL decompilation
Functions for calling
from original TS.dll
Load original TS.dll
Hook functions
C&C URL

46. Win32/Sheldor bot commands
Bot Command Description
exec download and ShellExecute/CreateThread
additional module
monitor_off send command “stop monitoring” to C&C
monitor_on send command “start monitoring” to C&C
power_off ExitWindowsEx(EWX_POWEROFF,
SHTDN_REASON_MAJOR_OPERATINGSYSTEM)
shutdown ExitWindowsEx(EWX_REBOOT,
SHTDN_REASON_MAJOR_OPERATINGSYSTEM)
killbot delete all files, directories and registry keys

47. Sheldor C&C panel

48. Win32/Carberp

49. Win32/Carberp overview
Appearance: First samples detected in February 2010
Cost: ~ 9.000$
Key feature: Advanced information stealing trojan with
plug-ins
• Customizable to specific banks
• Man-in-the-browser attacks (IE, FireFox)
• Grand Theft: Real cases with millions of $$$ stolen

50. Win32/Carberp detection statistics by country
Cloud data from ThreatSense.Net
April 2010 – March 2011
Russia
Ukraine
Spain
United States
Turkey
Kazakhstan
Italy
Mexico
Thailand
Netherlands
Argentina
Belarus
Greece
United Kingdom
Rest of the world

51. C&C panel: Bots by country

52. Win32/Carberp detections over time in Russia
Cloud data from ThreatSense.Net
April 2010 – March 2011

53. Win32/Carberp bot commands
Bot Command Description
update Download new version of Carberp
dexec/download Download and execute PE-file
kill_bot/killuser • Delete trojan from the system
• Delete user's Windows account (latest version)
startsb/loaddll Download DLL and load into trojan's memory
address space
grabber Grab HTML form data and send to C&C

54. Win32/Carberp self-protection
Self-protect method Win32/Carberp.W Win32/Carberp.X
Bypassing AV-emulators many calls of GUI WinAPI many calls of GUI
functions WinAPI functions
Code injection method ZwResumeThread() ZwQueueApcThread()
Command and string custom encryption
encryption  algorithm
Bot authentication on C&C file with authentication
 data stored on infected
PC
API function encryption custom encryption custom encryption
algorithm algorithm
Detection of AV hooks comparison of the first comparison of the first
original bytes original bytes
Bypassing static AV adds random junk bytes to adds random junk bytes
signatures dropped files to dropped files
Hiding in the system hook system functions hook system functions

55. Win32/Carberp distribution channels
Direct distribution Distribution via partners
control “partnerka”
affiliate ID
panel (affiliate program)
exploit pack
• BlackHat SEO
• Infected Blogs
• etc

56. Win32/Carberp botnet control panel

57. Win32/Carberp control panel – Bank settings

58. Cab-files with stolen data

59. Stolen data: BS-Client IB system

60. Stolen data: CyberPlat payment system

61. Stolen data: iBank IB system

62. Stolen data: SberBank IB

63. Stolen data: UkrSibBank IB

64. Win32/Carberp Summary
Cybercrime kit using multiple stealing techniques
Since early 2010 targeting other regions too
Several independent cybercrime groups involved
Joint investigation of Russian police, Group-IB and
ESET

65. Summary
Win32/RDPdoor Win32/Sheldor Win32/Carberp
First appearance April 2010 June 2010 February 2010
Cost 2000 $ 2500 $ 9000 $
Prevalence Russia, Russia, Russia,
Ukraine, Ukraine, Ukraine,
Kazakhstan Kazakhstan Spain,
USA
Remote Access RDP via ThinSoft Via TeamViewer Via plug-ins
BeTwin
Information stealing manually manually automated
Plug-ins
  
Complexity
  
Botnet
  

66. Conclusion
• Banks in other countries becoming new targets of
Russian cybercrime groups
• Attackers respond to new security measures with new
methods to bypass them
• Cybercriminals use stolen money to stay out of jail
• Disabling C&C servers not enough to stop them
• Only way of fighting them is by cooperation

67. Questions

68. Thank you for your attention ;)
Robert Lipovsky, ESET
lipovsky@eset.sk
Aleksandr Matrosov, ESET
matrosov@eset.sk
@matrosov
Dmitry Volkov, Group-IB
volkov@group-ib.ru
@groupib