Botnet Involvement In Securities Fraud
It’s not uncommon to hear (or read a piece written by) a security researcher or analyst regarding a real world example that depicts an event of interest, illustrates it and becomes a reference point. Botnets are in the news often. Many times this involves the relaying of events surrounding a compromise or exploit that either failed or was successful (using the technique or technology du jour) to execute a crime. This happens so frequently that times I wonder if people turn deaf ears and blind eyes to the realities which are relayed to them. I worry that at times enterprises and individuals become desensitized to the grave nature of what we communicate as a result. The reality is that examples are presented on a near daily basis which articulate and express the concerns, realities and warnings which we speak to our clients and peers about routinely. In fact, as in the case that I will describe below, proximity is closer than we realize.
This blog deals with a story that deals with botnets. I love botnets; I love studying them (and have for over a decade), watching them, monitoring their growth, proliferation and use. This story deals with the economics associated with the use of botnets from both a supply and demand perspective. This is the story of Christopher Rad and James Bragg’s’ entry into the world of cybercrime. Yesterday Rad was charged by the United States Department of justice for his role in orchestrating a scheme to inflate the prices of penny stocks (which constitutes federal securities fraud) for the now defunct RSUV (Remote Surveillance Technologies) and VSHE (VShield Software). Rad faces up to five years in prison and up to 500,000 USD in fines for his role. His accomplish Bragg pleaded guilty in October of 2010 for his role.
Why The Botnet
To me, the most interesting element of this story is the choice to use the botnet to deliver spam to promote the stocks in question. Many times we here at DVLabs discuss with our peers in the research community and clientele the behavior and use cases seen and associated with botnets. Spamming is certainly not a new use case though I can’t recall another case where the spam in question was being generated to excite potential consumers of securities. In the federal indictment which was unsealed Monday March 21, 2011 Rad “…acted as a middleman between stock promoters seeking to pump shares of stock, and computer experts located inside and outside of the United States who used various means, including ‘spam’ email campaigns, ‘botnets’, and hacking to pump the stock’. Rad allegedly established contact with two botnet masters – an allegedly Russian Botmaster known only as B.T. and another Botmaster known only as D.S. Neither of the Botmasters have been arrested though they are listed as co-co-conspirators as they reside outside of the United States.
The botnets in question were designed to accomplish a simple mission:
- Evade anti-spam controls thus ensuring delivery of the payload
- Target recipients
- Barrage as many recipients as possible in the hopes of pumping up the price of the stock so it could be then sold by Rad and Bragg
Though there is more detail about the additional non-botnet centric crimes associated with this story here, it is important to note the use case demonstrated here. Botnets are leveraged for a massive amount of purposes; some grandiose and sophisticated others less so. The key point to grasp from this story though is that they are:
- Available for a price
- Used in ways many might never consider
Addressing botnets is not trivial though it can be accomplished. There are many points from which an organization could begin but an obvious place to begin looking is within the network infrastructure and log environments. Identifying the following will aid you as you begin to question your susceptibility to attack via a botnet and your potential participation within one:
- Anomalous traffic patterns active on random times / dates
- Anomalous presence of peer-to-peer traffic and / or IRC traffic
- The presence command & control activity (such as that which provide in our filters)
- Outbound calls to ip addresses & domains which your organization does no business with (which we provide in our Reputation DV service)
- The presence new or questionable binaries either in queue for download or being called down from the Internet