Who's hacking your PC?

New York, Moscow, Sao Paulo, Timbuktu – if a hacker is determined to empty your bank account, they can do it from the comfort of their own home.

Few crimes are so ethereal and work so effortlessly across international borders. Ask any law enforcer in the know: pinning down the epicentre of cybercrime is a notoriously difficult task.

Watch a Hollywood film and it'll depict hackers as fast-talking American kids – pale faced, coke swilling, super-smart and capable of doing the impossible. This is, of course, a fiction.

If you were a career computer criminal, would you choose to base yourself in a country with mature computer crime laws and strong-arm enforcers? No. You'd want to be somewhere comparatively lawless. If you're looking for hackers, look east – towards China and Russia – and you'll be barking up the right tree.

That's what the analysts say. But even here myths and rumours get in the way. The Berlin Wall may have fallen but the KGB is still alive and clicking. Beijing has an army of hackers eyeing the West's data. Stories of dark doings and espionage at the keyboard abound. The truth, however, is hard to come by.

Take Russia. While there's no doubt that the ex-Soviet state is genuinely computer-savvy, is there any hard evidence that it poses a greater threat to your PC than, say, South America? In case you're wondering, Brazil is regarded as a leader in banking trojan technology.

Are the Russians phishing like there's no tomorrow? Or are security firms reviving Cold War paranoia in the hope of making 'the enemy' look bigger and uglier, all in order to sell us antivirus software? In this exclusive report, PC Plus magazine goes undercover in the hunt for cybercrime's epicentre.

The code war

Boris Miroshnikov seems almost proud of the criminals that he chases through cyberspace. He's a Lieutenant General with the Russian police's Department K, which fights domestic cybercrime. Speaking at the 2005 E-crime Congress in London, Miroshnikov told delegates: "Our software writers are the best in the world; that's why our hackers are the best in the world."

"You're right in thinking that Russia and Eastern Europe are playing a big role in organised webcrime," says Con Mallon, Symantec's Product Marketing Director for Europe, the Middle East and Asia. "Information made public by various arrests of underground economy groups suggests that groups in Russia and Eastern Europe are more organised and professional operations, and that they also possess greater abilities and manufacturing facilities to mass-produce physical credit and debit cards."

Many Russians have been convicted for cybercrime in the past decade. Vasiliy Gorshkov and Alexey Ivanov are from Chelyabinsk, 75 miles from the Kazakhstan border. In 2001, the FBI tricked them into visiting the USA, where they were arrested and charged with 20 counts of conspiracy, fraud and other offences.

In 2004, Department K broke up a criminal gang that had extorted money from nine British bookies, causing a total of over £45million in lost business. And after extorting more than £2million from British companies in 2006 using distributed denial of service (DDoS) attacks, Ivan Maksakov, Alexander Petrov, and Denis Stepanov were convicted after an international effort by Interpol, the FBI and the UK's now-defunct National High-Tech Crimes Unit.

During their six-month spree, the gang launched over 50 blackmail attempts in 30 countries. When UK based bookmaker CanBet Sports refused to pay the $10,000 demanded, the subsequent DDoS attack saw the company lose around £100,000 per day.

In May 2007, Estonia came under a concerted botnet DDoS attack that knocked out the tiny Baltic state's government, media and business websites, halting its largely web-based banking systems. Similarly, during the Russian invasion of Georgia last year, hackers poured DDoS traffic into the troubled country in order to knock out its infrastructure. But were these hackers Russian?

Reasonable doubts

Ken Munro is Director of the Penetration Testing Division of the National Computer Centre (NCC). "The people who do use botnets are extortionists, and we know there are huge volumes of compromised machines out there, synchronised, ready to run, and you can point them wherever you like," he says. "Who's to say that [the Georgian attack] wasn't another foreign power trying to undermine the Georgian government, and it just happened to coincide with the Russian attack?"

The problem with botnets is that the infected computers could be anywhere. As a result, it's difficult to quantify the amount of cybercrime originating from Russia. "I'm not going to give you a figure," says Munro. "The problem with all these things is that no one genuinely knows. And even with vendors who give you numbers, all they're relying on is what they perceive to be the source IP addresses. That means absolutely nothing, because anyone could use an open proxy on a compromised machine and relay their traffic to any other system in the world."

Even if you trace malicious traffic back to a single machine, it might not be the real source. "It could be some poor home user who's got an XP system sat there on the internet and doesn't know they're being used as a back door," confirms Munro. "So, there's almost no confidence in the statistics."

There's no denying that press reports of Russian hacker convictions are true and that they're on the rise, but there have also been plenty of non-Russian convictions over the last decade. Some of the crimes perpetrated by US and non-Russian European hackers have been very sophisticated.

Take Gabriel Bogdan Ionescu, for example. He's a 22-year-old Romanian currently serving three years in an Italian prison for setting up a cloned copy of the Italian Post Office's website and siphoning off money in a sophisticated phishing scam.

Meanwhile, in the US, Robert Moore was convicted of what, to most people, looked like an ingenious scheme to steal VoIP services and sell them through a second company. In an interview before he was due to start a two-year prison sentence, he described what he had done as being "so easy a caveman could do it". In all, Moore broke into 15 telecommunications providers and "hundreds" of private companies.

And Kiwi hacker Owen Walker, who was convicted in April 2008, managed to create a botnet of 1.3 million compromised computers as his part of a large online crime ring. The botnet was used to siphon off millions of dollars from unsuspecting users' bank accounts.

The now-infamous Estonian DDoS attack of 2007 was initially linked to the Russian government by the press. However, a subsequent investigation revealed that it had been perpetrated by an impromptu 'flashmob' who were angry at the removal of a Russian war statue in the Estonian capital Tallinn. Though the first person to be convicted of the attack, Dmitri Galushkevic, was Russian by birth, he lived in Estonia and attacked from within.

A hacker speaks

Not all hackers are convinced that Russia is the world's centre for cybercrime, either. Abdulrahman Alibrahim (also known as 'Earthquaker') is a hacker who calls himself a 'grey hat': he claims that he never acts with malicious intent.

Alibrahim talked exclusively to PC Plus through an intermediary. "To be honest about what's written ... I think that this is not true because computer crimes happen on a daily basis from all around the globe," he says. "[The existence of] computer crime depends on the reason it has been committed: for money, private information, threat or even for fun.

"In the end, a crime is a crime, no matter who committed it and where he is from," says Alibrahim. "But in my personal point of view, [people refer] to Russians in computer crime maybe because they are so talented."

This is a view echoed by David Emm of Kaspersky Lab. "Right now," he says, "though more stuff is coming out of China, the stuff coming out of Russia is probably more sophisticated because they tend to focus on the botnet as opposed to single attacks. One of the things we've looked at is whose resources are used to host malicious programs. That doesn't necessarily mean that they develop the programs, but again China comes out top in that list. The Russian Federation is actually number five. Though a lot of the stuff gets written in Latin America and Russia, the attacks aren't necessarily hosted on machines in those countries."

So, are crooked programmers writing malicious code for profit, selling it to criminals who then perpetrate electronic crime? Or do the criminals write their own programs? "It's both, actually," says Emm. "A lot of the attacks now are drive-by downloads. They're web-based. So they look for a compromised server somewhere and secrete their code in it, so that when you go to view the page you get infected automatically. And quite often it's done through an exploit bundle where they put together a composite script that will exploit a whole series of different applications, depending on what vulnerabilities the user might have. MPack is the name of one of the most common ones."

MPack is a PHP-based malware bundle that was created by Russian hackers in 2006. It's marketed to criminals as a commercial package that costs between $500 and $1,000. Frequent updates keep it one step ahead of antivirus software. MPack even comes with a management console that allows the botnet owner to keep track of how many computers have been infected, which browsers their owners were using at the time and which countries they're in.

Following the money

Last year, Mikko Hypponen – F-Secure's Chief Research Officer – called for an international organisation to fight cybercrime. The amount emanating from Russian soil is, he claims, less than you'd think: "As a rough estimate: a third," he told us. "Note that that's not just Russia by itself but pretty much all of the old Soviet Union: Russia, Ukraine, Belarus, Kazakhstan, Latvia, and so on."

"The two other main cybercrime hotspots are China and South America," says Hypponen. "Especially Brazil, which is the number one country in the world creating trojans affecting online banks."

Dave Emm of Kaspersky agrees. "It's difficult to put a categorical figure on it," he told us. "In terms of stuff we get in, it's probably China at the top, and that's more than 50 per cent. Next would be between Russia and Latin America. A lot of the banking trojans originate out of Latin America."

Roger Thompson, Chief Research Officer at AVG Technologies, believes that cybercrime is evolving into a threat that can come from anywhere: "While there are a lot of malware and web threats coming from Russia and China, there is also lots of activity in Turkey, Romania, Brazil and the US," he says.

"We expect that these threats will continue to spread and it will become increasingly difficult to establish who is behind them. This is not about infancy, but rather a maturity of cybercriminal gangs – the groups may be international and using infrastructure and websites from many different parts of the world. The only real way to find the perpetrators, like traditional bank robberies, is to follow the money."

But just like following a chain of IP addresses, following the money is difficult. "It often involves multiple countries, and there are many different layers and players in the malware industry, from the [software development kit] writers to the botnet masters and malware data resellers," says Thompson.

Other consultants that we spoke to also aren't convinced about the size of the threat posed by Russian organised cybercriminals. The press make claims for a Russian cybermafia type organisation running cybercrime from behind the scenes. Is this the case?

"The plain and simple answer to this question is no. Personally, I believe this to be media hype," says Alex Constantinides, director and Security Consultant at MetaSec Security. "I believe that these claims are unfounded and unjust. I would love to see evidence that backs this statement up. Even if the statistics proved that the vast majority of cybercrime came from Russia, this is not evidence that the crimes committed are directly linked to the mafia."

So where does Constantinides believe that most online crime originates? "It is our belief at MetaSec that there is more high-tech crime coming from Asia than there is from Russia. On top of that, we hold no belief that this crime is run by the organised crime outfits like the Triad. No doubt the Triad probably have their part in it, but we do not believe they run it."

But could Russian cybercrime be linked to its more traditional mafia? Constantinides still isn't so sure. "The Russians in general are not small players in cybercrime by any means, but there's no way of knowing how many of the attacks that come from Russia are actually linked to the Russian mafia."

China caught red-handed

Shortly before PC Plus went to press, news broke that researchers at the University of Toronto's Munk Centre for International Studies had discovered a massive cyber espionage network with strong links to China that contained hacked computers belonging to 103 foreign governments.

Helped by Cambridge University, the group discovered a total of 1,295 compromised computers belonging to foreign ministries of countries as diverse as Bangladesh, Latvia and Iran. The discovery of the GhostNet cyber espionage network is just the latest in a trail of evidence pointing to the world's largest communist state.

"China is presently the world's largest internet population," says a recent report from the Information Warfare Monitor, a think-tank based at the University of Toronto. "The sheer number of young digital natives online can more than account for the increase in Chinese malware," it goes on. "With more people using computers, it's expected that China will account for a larger percentage of cybercrime."

China's economy has been especially hard hit by the current recession. At the CanSecWest security conference held in Vancouver in March, CEO of Beijing based Knownsec, Wei Zhao, said that the country's cybercrime industry is booming. He claimed that IT security researchers are beginning to sell network vulnerabilities rather than report them. "China is not only the world's factory, but also the world's malware factory," he said.

Perhaps the reason the West hears little about Chinese cybercrime is because the domestic pickings are huge; China has over 250 million computer users. But the annual McAfee Virtual Criminology Report shows that Chinese cybercriminals are branching out. "Thought to be a target because it houses the HQ of both the EU and NATO in Brussels, Belgium has had emails containing spyware sent to State departments.

Similarly, India claims its government and private sector networks are under constant cyberattack," claims the report. "The cyber-kingpins remain at large while minor mules are caught and brought to rights. Some governments are guilty of protecting offenders."

Regardless of which country houses the most cybercriminals, Munro warns that cybercrime could become even more organised in future. "I can almost guarantee that every power in the world of any significance has got [botnet] technology at their disposal," he told us.