12.07.2015 Views

Russian Underground 101


Introduction

This research paper intends to provide a brief summary of the cybercriminal underground and shed light on the basic types of hacker activity in Russia. The bulk of the information in this paper was based on data gathered from online forums and services used by Russian cybercriminals. We also relied on articles written by hackers on their activities, the computer threats they create, and the kind of information they post on forums’ shopping sites.

Online fraud has long since moved from being a mere hobby to a means for cybercriminals to earn a living. This paper examines what is being sold on the most popular cybercrime forums like antichat.ru, xeka.ru, and cardingcc.com; which items are in demand; and what services professional fraudsters offer.

The fraudsters consider the Internet a playing field. It has many vulnerable sites and a great deal of unprotected data. While “protected” data do exist, the places they are stored in can still be hacked. Some cybercriminals shared their experience in hacking; generating traffic; and writing code for Trojans, exploits, and other malware via online articles.

This paper discusses fundamental concepts that Russian hackers follow and the information they share with their peers. It also examines prices charged for various types of services, along with how prevalent the given services are in advertisements. The primary features of each type of activity and examples of associated service offerings are discussed as well.

Each section of this paper focuses on a specific type of criminal activity, good, or service in the Russian underground market.

File Encryption and Crypting Services

File crypting is primarily employed to conceal infected files or malware from security software. The offerings in the crypting market can be categorized into two—actual service provision to encrypt individual files (e.g., .EXE and .DLL files) and crypter sales.

To hide a malicious file or malware from security software, cybercriminals use various crypting techniques. The more effective the technique used, the more expensive a file is.

One of the most important things to be aware of in this sphere is the crypter stub, a piece of code used to decode an encrypted piece of malicious code. A particular crypter stub is attached to and used in conjunction with a certain encrypted file, somewhat increasing the final file’s size.

Crypters can be classified as either statistical or polymorphic. A statistical crypter’s stub is a separate program to which the encrypted file is tied. When launched, the file is extracted, decoded, and executed. Some crypters do not write the file to the hard disk, they instead launch the file from memory. This crypting method, however, is not effective.

Statistical crypters use different stubs to make each encrypted file unique. That is the reason why authors usually create a separate stub for each client. A stub that has been detected by security software has to be modified or, in hacking terms, “cleaned.”

Polymorphic crypters are considered more advanced. They use state-of-the-art algorithms that utilize random variables, data, keys, decoders, and so on. As such, one input source file never produces an output file that is identical to the output of another source file. This can be achieved by using several algorithms, including:

• Shuffling blocks of code while preserving a malicious file’s ability to run: Blocks of code are encrypted using a specific technique. Several decoders are then created for the malware body, which is randomly decoded. This applies also to variables and other data.
• Creating macros: A macro is created during preprocessing. When invoked, it repeatedly performs an instruction.
• Inserting garbage code: Blocks are split into sections, in-between which garbage instructions are inserted. These instructions do not affect the code but force an emulator to “sweat.” Not only are garbage instructions used in code blocks, these are also used to execute helpful actions that complicate the work of an antimalware analyzer in every possible way.
• Combining all of the above-mentioned methods: All of the aforementioned methods, along with dynamically generating algorithms after encrypting a specific block of code based on random conditions, may also be used.

Joiners [Склейка] refer to a variation of crypters. A joiner, aka a “binder,” is a program used to stitch several files (e.g., a .JPG file and a malicious .EXE file) together and put them in a single container. When launched, the container extracts the files from the container and executes them. As a result, the composite file will have the extension name .exe, .bat, .cmd, .scr, .com, or .pif. Malware are most commonly made compatible with highly popular programs to ensure that these will affect as many users as possible.

On average, crypting services cost US$10–15. Offerings costing US$6 and US$50 can, however, also be found, depending on what kind of crypting service is required and how complicated the service is. Polymorphic crypters, which usually encrypt .EXE and .DLL files, cost more.

Crypter Prices

| Offering | Price |
|---|---|
| Basic statistical crypter | US$10–30 |
| Stub crypter with various add-ons | US$30–80 |
| Polymorphic crypter | US$100+ |
| Joiner | US$10–30 |

Table 1: File encryption and crypting service prices

Some exotic offerings are also available such as a service that stitches a .PDF file and an .EXE file into a .PDF file.

Here’s a sample cybercriminal post offering crypting services (translated from Russian):

“You give me an .EXE and any ordinary .PDF file (if you don’t have one, I can use a blank .PDF or my own) that should be shown to the user. I will stitch them together and give you a toxic .PDF file. When it’s opened, the .EXE and .PDF are extracted and the toxic .PDF is replaced by the ordinary .PDF and displayed to the user. This service costs US$420.”

Crypting services that use infamous malware such as ZeuS, Pinch, and other bots and Trojans are also most frequently sold online. ZeuS encryption services, for instance, cost US$30–50. These can, however, also be bought at lower prices. Crypting and obfuscation services are also available for exploits at US$10–30. The more complex the service is, the more expensive it is. A one-time exploit crypting service bundle costs approximately US$50–150 per subscription, which includes five crypters in a span of one month. File-stitching services cost US$10–15. In general, regular and wholesale customers can get special offers for file encryption and other services.
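From the defender's side, the joiner and PDF-stitching descriptions above translate into a few cheap triage checks on incoming files. The following is an added example, not code from the paper: the function names, the extra decoy extensions, and the sample bytes are constructed for illustration.

```python
import os
import struct

# Extensions the page lists for a joiner's composite output file.
JOINER_OUTPUT_EXTS = {".exe", ".bat", ".cmd", ".scr", ".com", ".pif"}
# Decoy types named on the page (.JPG, .PDF); the others are assumed additions.
DECOY_EXTS = {".jpg", ".jpeg", ".pdf", ".png", ".gif"}


def sniff(data):
    """Classify content by its leading magic bytes (well-known signatures)."""
    if data[:2] == b"MZ":
        return "pe"
    if data[:3] == b"\xff\xd8\xff":
        return "jpg"
    if data[:5] == b"%PDF-":
        return "pdf"
    return "unknown"


def find_embedded_pe(data, start=1):
    """Return the offset of a plausible PE image after `start`, or -1.

    A bare "MZ" is common in random data, so the DOS header's e_lfanew
    field (offset 0x3C) must also point at a "PE\\0\\0" signature.
    """
    i = data.find(b"MZ", start)
    while i != -1:
        if i + 0x40 <= len(data):
            (e_lfanew,) = struct.unpack_from("<I", data, i + 0x3C)
            pe_off = i + e_lfanew
            if data[pe_off:pe_off + 4] == b"PE\0\0":
                return i
        i = data.find(b"MZ", i + 1)
    return -1


def triage(filename, data):
    """Return a list of findings for one file name and its raw bytes."""
    findings = []
    # Windows ignores trailing dots and spaces in file names.
    name = filename.lower().rstrip(". ")
    stem, ext = os.path.splitext(name)
    inner_ext = os.path.splitext(stem)[1]
    kind = sniff(data)
    if ext in JOINER_OUTPUT_EXTS:
        findings.append("executable-extension")
        if inner_ext in DECOY_EXTS:
            # e.g. "holiday.jpg.exe": a decoy name in front of the real type
            findings.append("double-extension")
    if ext in DECOY_EXTS and kind == "pe":
        # Name claims a document or image, content is a Windows executable.
        findings.append("content-mismatch")
    if kind in ("jpg", "pdf") and find_embedded_pe(data) != -1:
        # Genuine document header with an executable image stored inside it.
        findings.append("embedded-pe")
    return findings


def fake_pe():
    """Constructed sample: the smallest header that passes the PE check."""
    hdr = bytearray(0x40)
    hdr[0:2] = b"MZ"
    hdr[0x3C:0x40] = struct.pack("<I", 0x40)
    return bytes(hdr) + b"PE\0\0" + b"\x00" * 16


# Constructed sample inputs (not real files).
SAMPLE_PDF = b"%PDF-1.4\n1 0 obj\n<<>>\nendobj\n%%EOF\n"
SAMPLE_JPG = b"\xff\xd8\xff\xe0" + b"\x00" * 32 + b"\xff\xd9"

if __name__ == "__main__":
    for fname, blob in [
        ("holiday.jpg.exe", fake_pe()),
        ("invoice.pdf", fake_pe()),
        ("report.pdf", SAMPLE_PDF + fake_pe()),
        ("photo.jpg", SAMPLE_JPG),
    ]:
        print(fname, triage(fname, blob))
```

The raw-byte scan only finds an executable stored uncompressed; a payload held in a compressed or encoded PDF stream needs the stream decoded first.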


Dedicated Servers

A dedicated server [Дедики] is one that a user does not share with others. It can be used for various malicious activities, ranging from brute forcing to carding, that a hacker would prefer not to do on his own machine. Hackers typically connect to a dedicated server via VPN, which provides them anonymity. Dedicated servers are among the most popular goods in the underground market. These are considered unique consumables with more or less constant demand. Dedicated servers are usually sold by the tens or hundreds with prices depending on their processing power and, to a larger extent, Internet access speed.

Servers are a must in a cybercriminal operation, particularly for brute force attacks on wide ranges of IP addresses. Hackers also offer brute-forcing services because dedicated servers have so-called “lifetimes,” depending on several factors, the most important of which are what measures an administrator implements to ensure server security.

Bulletproof-hosting services [абузоустойчивые], which allow cybercriminals to host any kind of material on a site or page without worrying about it being taken down due to abuse complaints, are also widely available in the underground market.

Dedicated Server Prices

| Offering | Price |
|---|---|
| Dedicated server | US$0.50–1 |
| Powerful server | US$10–20 |
| Bulletproof-hosting service (i.e., VPS/virtual dedicated server [VDS]) | US$15–250 per month |
| Bulletproof-hosting service with distributed denial-of-service (DDoS) protection, a 1Gb Internet connection, and other extra features | US$2,000 per month |

Table 2: Dedicated server prices

Proxy Servers

A proxy server [Прокся] is an intermediate computer that acts as a “proxy” or mediator between a computer and the Internet. Proxy servers are used for various purposes like accelerating data transmission and filtering traffic but their main purpose, which makes them popular among hackers, is to ensure anonymity. Anonymity, in this case, comes from the fact that the destination server sees the IP address of the proxy server and not that of the hacker’s computer. Even hackers, however, frequently noted that despite the assurance of proxy server operators, all such servers, even paid ones, keep logs and cannot provide complete anonymity.

The main types of proxy servers are:

• HTTP proxy server: The most prevalent form of proxy server. In fact, a proxy server most often refers to this type of server. In the past, this kind of server only allowed users to view web pages and images as well as to download files. The latest versions of applications (e.g., ICQ, etc.) can run via an HTTP proxy server. Any browser version also runs via this type of proxy server.
• SOCKS proxy server: This kind of proxy server works with practically every kind of information available on the Internet (i.e., TCP/IP). To use SOCKS proxy servers, however, programs must explicitly be made able to work with them. Additional programs are required for a browser to use a SOCKS proxy server. Browsers cannot work on SOCKS proxy servers on their own but any version of ICQ and several other popular programs work very well on them. When working with SOCKS proxy servers, their versions (i.e., SOCKS4 or SOCKS5) must be specified.
• CGIProxy server, aka “anonymizer”: This type of proxy server can only be used for browsers. Using it for other applications is difficult and unnecessary given HTTP proxy servers. Since this type of proxy server is expected to inherently work for browsers, using them is exceptionally easy. It is easy to enable an anonymizer to work. One can also create a CGIProxy chain without any trouble.
• FTP proxy server: This type of proxy server is quite rare and hardly used except in corporate networks. FTP proxy servers are commonly used by organizations that put up firewalls—systems that protect computers from external intrusion—which prevents direct access to the Internet. These are supported by many popular file managers (e.g., File and ARchive [FAR] and Windows Commander), download managers (e.g., GetRight and ReGet), and browsers.

Like dedicated servers, proxy servers must also be acquired. Various methods to do so exist, ranging from doing a simple Google search to using assorted scanners, including those that hackers write themselves. Some special Trojans also transform Internet-connected computers into proxy servers. Like dedicated servers, proxy servers are also frequently sold in bulk by the tens and hundreds and are in constant demand.

Here are sample cybercriminal posts offering proxy services (translated from Russian):

“SOCKS service (online ~1,500 servers); price: US$2/day, US$7/week, US$13/2 weeks, US$25/3 weeks”

“List of proxy servers: On average, US$1.50–3 for a list of 300, US$2–4 for 500, US$3.50–5 for 1,000”

“List of SOCKS4/5 servers: US$3 for 100 servers”

“Proxy service: HTTP, HTTPS, SOCKS4, SOCKS5; prices: 5 days = US$4; 10 days = US$8; 30 days = US$20; 90 days = US$55”

SOCKS Bots

A SOCKS bot is embedded in a system, resides in the explorer.exe process, gets around firewalls through a driver, is recorded in stats, and opens SOCKS on a chosen port. It stores information about itself in a script, which tells it when to access a server. If a SOCKS connection succeeds, the bot writes itself to the database of valid SOCKS bots. Its processes remain invisible as it runs in the explorer.exe process. Apart from bypassing firewalls through a driver, it also bypasses proactive security measures by pinching and poking using buttons. It is easy to administer; displays all possible information about a captured machine, including the contents of protected storage; can download and execute .EXE files from any URL; self-destructs when found; has the kamikaze function; can issue commands to individual bots or bots in different countries; has two backup administrative programs in addition to a primary program for bot management; supports SOCKS5; when compressed, is only 56kb in size, which is essentially unimportant if a loader is used; is written purely in C++; and is sold for US$100.
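Because a SOCKS bot opens SOCKS "on a chosen port", a port-based rule is not enough to find a workstation that has been turned into a proxy; the SOCKS4/SOCKS5 handshake itself is the stable signal. The following is an added detection example, not code from the paper: the handshake layouts follow the public SOCKS4/4a and SOCKS5 (RFC 1928) formats, while the flow-record structure, function names, and sample flows are constructed for illustration.

```python
import ipaddress


def classify_first_payload(p):
    """Classify the first client payload of a TCP flow as a SOCKS handshake.

    Returns "socks5", "socks4", "socks4a", or None.
    """
    # SOCKS5 greeting: VER=0x05, NMETHODS, then exactly NMETHODS method bytes.
    if len(p) >= 3 and p[0] == 0x05:
        n = p[1]
        return "socks5" if n >= 1 and len(p) == 2 + n else None
    # SOCKS4 request: VN=0x04, CD=1 (CONNECT) or 2 (BIND), DSTPORT(2),
    # DSTIP(4), USERID, NUL. SOCKS4a uses DSTIP 0.0.0.x (x != 0) and appends
    # a NUL-terminated host name after the USERID.
    if len(p) >= 9 and p[0] == 0x04 and p[1] in (1, 2) and p[-1] == 0:
        port = int.from_bytes(p[2:4], "big")
        ip = p[4:8]
        if port == 0:
            return None
        rest = p[8:]
        if ip[:3] == b"\x00\x00\x00" and ip[3] != 0:
            parts = rest.split(b"\x00")  # [userid, hostname, b""]
            return "socks4a" if len(parts) == 3 and parts[1] else None
        return "socks4" if rest.count(b"\x00") == 1 else None
    return None


def find_internal_socks_listeners(flows, internal_nets):
    """Return {(dst_ip, dst_port): [protocols]} for internal hosts that
    received a SOCKS handshake, i.e. hosts acting as SOCKS servers."""
    nets = [ipaddress.ip_network(n) for n in internal_nets]
    hits = {}
    for flow in flows:
        proto = classify_first_payload(flow["payload"])
        if proto is None:
            continue
        dst = ipaddress.ip_address(flow["dst"])
        if any(dst in net for net in nets):
            hits.setdefault((flow["dst"], flow["dport"]), set()).add(proto)
    return {key: sorted(val) for key, val in hits.items()}


# Constructed flow records (hypothetical schema): destination address,
# destination port, and the first bytes sent by the connecting client.
SAMPLE_FLOWS = [
    {"dst": "10.0.5.23", "dport": 1080, "payload": b"\x05\x01\x00"},
    {"dst": "10.0.5.23", "dport": 1080, "payload": b"\x05\x02\x00\x02"},
    # SOCKS4 CONNECT to 192.0.2.10:80 with an empty USERID, on a high port
    {"dst": "10.0.7.40", "dport": 48211,
     "payload": b"\x04\x01\x00\x50" + bytes([192, 0, 2, 10]) + b"\x00"},
    # TLS ClientHello prefix and an HTTP request: not SOCKS
    {"dst": "10.0.5.9", "dport": 443, "payload": b"\x16\x03\x01\x02\x00\x01"},
    {"dst": "10.0.5.9", "dport": 8080, "payload": b"GET / HTTP/1.1\r\n\r\n"},
    # Internal client talking to an external SOCKS server: outside the scope
    # of this check, which looks for internal listeners only
    {"dst": "203.0.113.5", "dport": 1080, "payload": b"\x05\x01\x00"},
]

if __name__ == "__main__":
    for key, protos in find_internal_socks_listeners(
            SAMPLE_FLOWS, ["10.0.0.0/8"]).items():
        print(key, protos)
```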


VPN Services

VPN technology is used to create a secure and encrypted tunnel on a computer when connecting to the Internet through which data is then transmitted. This allows a hacker to use all kinds of conventional programs (e.g., ICQ, Skype, email, or website administration) while ensuring that data remains encrypted even when transmitted. In addition, the data appears to be transferred not from the hacker’s IP address but from that of the VPN service provider.

In other words, one who does not use a VPN does everything online with the aid of his chosen ISP, including opening websites and performing other services upon request. Using a VPN—an intermediary—allows hackers to encrypt all requests issued to and incoming data from the Internet. VPNs protect data and preserve their anonymity by sending requests for online resources and transmitting data using their IP addresses and not those of the users, making them valuable to hackers.

A VPN protects data by encrypting all incoming and outgoing traffic to and from the computers connected to it. It preserves anonymity, meanwhile, by allowing hackers to access websites using the unique IP address attached to it. It also allows the use of dual IP addresses, making it impossible for a provider to log traffic that comes from and goes to it.

VPN Service Prices

| Offering | Price |
|---|---|
| 1-day service | US$1–5 |
| 7-day service | US$8–9 |
| 1-month service | US$11–40 |
| 3-month service | US$50–55 |
| 6-month service | US$105–125 |
| 1-year service | US$190–240 |

Table 3: VPN service prices

Here are sample cybercriminal posts offering VPN services (translated from Russian):

“PPTP VPN, open VPN, double VPN service, price: US$11/month”

“VIP72.com prices: Proxy/SOCKS service—unlimited/month US$33 proxy/SOCKS service—250 SOCKS/month US$25 proxy/SOCKS service—90 SOCKS/10 days US$10, VPN: Day—US$3, week—US$9, month—US$30, 6 months—US$125, year—US$235”

“US—US$15/month; France—US$15/month; Brazil—US$20/month; Mexico—US$20/month”

* Note that VPN service prices for Mexico and Brazil cost more because they are less developed technically compared with other countries.


Pay-per-Install Services

In the pay-per-install (PPI) service [Залив с отстуком] business model, advertisers pay publishers a commission every time a user installs usually free applications bundled with adware. In a PPI attack, an install refers to downloading and launching a file on a victim’s computer. Downloads can come in the form of an exploit bundle or from a botnet. In such an attack, a user who visits an exploit-hosting site using a vulnerable browser downloads and runs a malicious script and gets his computer infected. This is one of the most popular means to distribute malware (i.e., most often Trojans).

Pay-per-Install Service Prices

Offering download services is a widespread practice. In this business model, a customer provides the malicious file for a service provider to distribute. Download services are usually offered based on the target country.

| Offering | Price per 1,000 Downloads |
|---|---|
| Australia (AU) | US$300–550 |
| Great Britain (UK) | US$220–300 |
| Italy (IT) | US$200–350 |
| New Zealand (NZ) | US$200–250 |
| Spain (ES), Germany (DE), or France (FR) | US$170–250 |
| United States (US) | US$100–150 |
| Global mix | US$12–15 |
| European mix | US$80 |
| Russia (RU) | US$100 |

Table 4: PPI service prices

Mixed-traffic download services (e.g., European, Asian, or global mix) are also frequently sold.

The value of traffic is primarily based on how important its owner is. The bigger the organization it belongs to, the more expensive it is. Most of the business traffic sold come from the United States and Australia. Since most of the U.S. traffic, however, are porn related, Australian traffic is considered of higher quality and, thus, more frequently used for carding activities.

In other words, a country’s rating is determined by the likelihood that a malicious file will be downloaded and opened by some businessman or firm in it, which will allow cybercriminals to gain access to all sorts of confidential information (e.g., credit card numbers) and maybe even root access to corporate sites or networks.

Two basic types of activity take place in the download service market—either a customer offers a malicious file to download service providers or a download service provider offers services to customers. Partner programs for both download- and traffic-related services also exist.

Traffic partner programs [партнерки] convert traffic to downloads. Download partner programs, meanwhile, are sold per 1,000 installs. Download partner programs usually require two components—traffic and an exploit bundle.

Traffic, by itself, has no value. It must first be converted into downloads to be of any use. For instance, 1,000 unique visitors in a 24-hour period can yield up to 50 downloads. To obtain downloads, hackers use exploits [сплоиты], which are scripts that permit the execution of a desired action through a vulnerability in some program (e.g., a browser), or exploit bundles, which are collections of exploits that have been stitched into a single script for better reach. An exploit bundle’s reach is equal to the amount of traffic it turns into downloads. It is, however, impossible to precisely ascertain reach based on traffic from only 1,000 hosts; typically, at least 20,000 hosts need to be put up to enable measurement.

Maintaining an exploit bundle also requires a host. Hackers generally use dedicated servers [дедики] or bulletproof-hosting services [абузоустойчивый] in order to direct traffic [залить] to an exploit-laden web page in order to obtain downloads. The “ingredients” for getting downloads (i.e., traffic, exploits, and bulletproof hosts) are sold separately.


Here’s a sample cybercriminal post offering download software, which is occasionally found online as well (translated from Russian):

“Download bot! -=UA-BOT=- Check out my next development—a bot with simple and convenient administrative controls in PHP. It downloads and launches different programs. As a bonus, it includes the ability to execute HTTP GET requests; very similar to a DDoS (makes sense only with a large number of bots or, alternatively, for wildly cranking up counters and other such pranks, or for creating a wrapper for sensitive scripts, etc.). Contact ICQ 9490610 for all the details. As part of my testing, I’m giving away a bot configured using test administrative controls. A bot costs US$30, stitching costs US$5.”

Programming Services

Programming services refer to those required to write computer programs. Programmers who want to make a living offer their services to write customized programs using languages that range from assembly to Python. The offerings can also be very diverse, including spammers, Trojans, and worms.

Software Sales

Selling off-the-shelf programs constitutes a large portion of the underground market. The most popular wares include different kinds of malware, Winlockers, Trojans, spammers, brute-forcing applications, crypters, and DDoS bots. Licenses for ZeuS, Pinch, SpyEye, and other popular toolkits are also sold. Note, however, that some program vendors are not necessarily the actual programmers. The most prevalent wares available are web applications (i.e., PHP + MySQL) and programs written in C++ and C#.

Programming Service Prices

Service prices may depend on who the programmer is. Prices are usually results of negotiations between a buyer and a programmer, depending on feature complexity, timeline, and other such factors.

Here are sample cybercriminal posts offering programming services (translated from Russian):

“Programming service; Perl, PHP, C, Java, etc. Prices: From US$100; injects writing: From US$200; web server hacking: From US$250”

“Writing and selling Trojans and other malware; available: Trojan for bank account stealing—US$1,300, Trojan for web page data replacement in a client’s browser—US$850, WebMoney Keeper Trojan—US$450, DDoS bot—US$350, credit card checker—US$70, backdoor—US$400, LiveJournal spammer—US$70, fakes of different programs—US$15–25”


Here are sample cybercriminal posts offering DDoS services (translated from Russian):

“Optima DDoS bot: The file name on the system isn’t numbers and it isn’t just a set of random letters. Rather, it is a perfectly fitting word or abbreviation, albeit randomly generated.

• Bypasses Windows Firewall: The administrative panel shows not only the version of the bot and the OS but it also shows the account type (e.g., administrator or standard user).
• A/U correspondingly
• Ability to overwrite: A file can be installed on top of other versions of the bot; the older copies are removed. Updating Optima requires an overwrite. The command, exe=url, is used to perform an update. An entire team has worked on the bot: Testers, coders, vendors, and promoters. This means that every day, the bot is getting better. Bugs are being found and fixed quickly. The bot features four types of DDoS attack: HTTP, ICMP (ping), SYN, and UDP. Our bot places virtually no load on a system, which will allow it to remain undetected for a long time. Our bot installs in a system almost instantaneously, which avoids any suspicion from the victim. The bot is lightweight and behaves well on a system. The convenient and intuitive control panel is highly optimized, which reduces the load on the server.
• In two languages (RU, EN): The bot runs on 100 (!) threads; a timeout can be set. Furthermore, the threads are nearly perfectly synchronized with each other, making it possible to generate the greatest amount of HTTP traffic.
• Able to simultaneously attack several URLs on a single server
• Attack individual servers (e.g., a forum, a news block, or file storage): During this type of attack, each bot instance selects targets independently, which results in a manifold increase in the server load because the responses cannot be cached.
• Able to transfer and launch your .EXE files
• SOCKS5 proxy support: The standard port is 1080 but it can be changed when a build is created. Note that this is ordinary proxying—it doesn’t work over NAT. The bot is compatible with the entire Windows family: Microsoft Windows 95–Windows 7. There’s no reason not to install.
• Works correctly on 64-bit systems
• Works correctly under both an administrator’s account and a standard user’s account
• Protects against unfair downloads (if a bot is downloaded on a PC that is already infected, the word “FAIL” is displayed in the administrative panel). In individual cases, it may be possible to arrange for shutting down a process or processes and other light tweaking.
• Fabulous performance
• Advanced system for issuing user agents and referrals: It’s randomly generated for each call.
• Continuous technical support
• Regulates the strength of the attack
• A command can be followed by a parameter that indicates a delay for each thread (e.g., | 5): The values range from 0 to 9; “0” means “no delay.” The default is “1.” See the FAQ for more information. This change increases the bots’ ability to survive.
• Supported by the dd1 and dd2 commands
• Support for certain features to bypass certain anti-DDoS protection measures: The bot emulates a browser.
• Modularity: You can buy bot add-ons (i.e., general-purpose and custom).
• Minimal: The DDoS bot with no free advertising is US$450.
• Standard: The DDoS bot plus one month of free advertising is US$499.”

“Smoke DDoS bot; HTTP GET/POST flood, UDP flood, SYN flood; price: US$300; rebuild: US$30”


“DDoS bot ‘ibot’; price: US$350 (for the first five customers)”

“DARKNESS (OPTIMA) DDoS bot HTTP, ICMP (ping), trash, SYN 100 threads price—pack: US$350, updates: US$85, rebuild: US$35”

“DDos bot G-Bot; price: US$150; builder: US$1,500”

Spamming Services

Spamming [Спам] refers to the mass distribution of messages online. Spam can be themed or unthemed. Themed spam are meant for a specific target audience (i.e., dating, job search, business, and pornographic site frequenters). A database of bulk message recipients plays a key role in distributing themed spam.

Unthemed spam, on the other hand, are sent to virtually anyone in a particular order. What is most important to this kind of spam is that they get to as many users as possible.

Spam can also be categorized in terms of distribution medium—email, ICQ, social network, or forum spam. Each medium requires its own set of recipients and distribution resources.

Spamming Service Prices

The spamming service market is quite diverse. Databases and forum and social networking accounts are most in demand. Databases are usually sold in bulk, depending on the target audience (e.g., date or job seekers).

Social networking account credentials, which are required for spam distribution, are also available in the market. Spam distribution tools and/or programs via ICQ and email can likewise be bought. Tools to spam forums and social networks, however, are less commonly seen. Their prices depend on features, distribution speed, and the like.

Private spamming services, which are used to distribute messages using a customer or proprietary user database, are more expensive.

Several flooding services, particularly call and SMS flooding services, are also available in the market though they are not that commonly seen. If at all, the main goal of their users is to annoy victims.


| Offering | Price |
|---|---|
| Cheap email spamming service | US$10 per 1,000,000 emails |
| Expensive email spamming service using a customer database | US$50–500 per 50,000–1,000,000 emails |
| SMS spamming service | US$3–150 per 100–10,000 text messages |
| ICQ spamming service | US$3–20 per 50,000–1,000,000 messages |
| 1-hour ICQ flooding service | US$2 |
| 24-hour ICQ flooding service | US$30 |
| Email flooding service | US$3 for 1,000 emails |
| 1-hour call flooding service (i.e., typically takes call center services down) | US$2–5 |
| 1-day call flooding service | US$20–50 |
| 1-week call flooding service | US$100 |
| SMS flooding service | US$15 for 1,000 text messages |
| Vkontante.ru account database | US$5–10 for 500 accounts |
| Mail.ru address database | US$1.30–19.47 per 100–5,000 addresses |
| Yandex.ru address database | US$7–500 per 1,000–100,000 addresses |
| Skype SMS spamming tool | US$40 |
| Email spamming and flooding tool | US$30 |

Table 6: Spamming and related service prices

Botnets

A botnet is a network of computers that are somehow controlled from a single control center—a command-and-control (C&C) server. A standard botnet comprises a C&C server and bots or zombies. Botnets can, however, exist without a C&C server. In this case, a botnet uses a peer-to-peer (P2P) architecture. Commands are transmitted from one bot to another, making botnet takedown substantially more complicated to perform. Certain chat protocols such as IRC can also be used to control the bots in such a botnet. A botnet command center can also take the form of a web server—the most prevalent method at present, an instant-messaging (IM) medium (e.g., ICQ or Jabber), an IRC channel, or other more exotic methods.

To add a machine to a botnet, a special program must be installed in it. This program allows hackers to remotely execute certain actions on a compromised machine. A computer can get infected in various ways (e.g., drive-by downloads and vulnerability exploitation).

Botnets are rather versatile resources as they can be used for spamming, launching DDoS attacks, and instigating mass downloads. Botnet owners, aka “botnet masters,” can also rummage through the logs bots send. These logs can contain all sorts of information valuable to fraudsters like victims’ social networking account passwords and credit card numbers.

ZeuS

One of the most infamous botnet toolkits is ZeuS, which created botnets that remotely stole personal information from victims’ computers. ZeuS botnets intercept WinAPIs in UserMode (Ring 3), which means that a bot does not need drivers or calls in Ring 0, the level with the most number of privileges. This feature allows the bot to run regardless of a user’s access rights to an infected computer (i.e., administrator, user, or guest). It also guarantees stability and adaptability to any Windows OS version.

A bot can do the following:

• Sniff TCP traffic
• Intercept FTP logins via any port
• Intercept POP3 logins via any port


Security Software Checks

Some hackers offer security software checks [AV Проверка] or services to check a malicious file against various security software. The more security software a file is checked against, the more expensive the service is. In such cases, customers get reports at very little cost.

Even if various online file-checking services exist, hackers tend to be wary of them because some can be set up by security companies to obtain information about the malicious files that have been tested.

Security Software Checking Prices

| Offering | Price |
|---|---|
| 1-time security software checking | US$0.15–0.20 |
| 1-week subscription | US$10 |
| 1-month subscription | US$25–30 |

Table 8: Security software checking prices

Trojans

A Trojan [Трояны], short for a “Trojan horse,” is a malware masquerading as a legitimate computer program or application. Trojan spyware, malware specifically designed to steal user data, are also available. The kinds of data Trojan spyware steal include ICQ passwords, contact lists, confidential documents, bank account numbers, and the like. Forum and social networking account credentials do not come cheap.

ICQ numbers are used to distribute spam or for flooding purposes. FTP account credentials are sold and used for blackhat search engine optimization (SEO) purposes.

Trojans can also include keyloggers and other spyware that track various user actions. The best known Trojans include the following:

• Limbo
• Adrenalin
• Agent DQ
• Pinch
• ZeuS
• SpyEye

Trojan Prices

Here are sample cybercriminal posts offering Trojans (translated from Russian):

“Spider Keylogger Pro v. 1.2.4. FUD 100%. Price: US$50.”

“Trojan (steals passwords from Opera, Mozilla Firefox, Chrome, Safari, Mail.ru agent, qip). Price: US$8.”

“Backdoor for sale (software for remote access to computers); price: US$25; price of source code: US$50.”

“Keylogger Detective 2.3.2 (Trojan with hidden installation); price: US$3.”

“Trojan emulates WebMoney Keeper Classic; price: US$500.”


“Check out my private version, which was designed to intercept keys for the widespread iBank banking system. iBank is used by major banks in the CIS such as AlfaBank, UkrSotsBank, Bank of Moscow… For details, review the list of banks (Russia). The main functionality is implemented in a DLL and begins working automatically as soon as the library is loaded to memory (i.e., you can easily add the functionality to your tools). This is how it works:
• The Trojan searches for the bank’s client window, captures all key presses, and calls to files in the Java virtual machine (i.e., THERE ARE NO FAKE WINDOWS that can easily give away the Trojan’s presence on the machine due to the absence of the bank’s logo).
• After the bank’s client window has been closed, the Trojan creates a session file based on the captured data that contains all the pressed keys and the bank key in an encoded form!!! The Trojan is suited to both online and local versions of the bank’s client application.”

“I also offer an ICQ bot that gives command-line access to a machine and has an integrated CONNECTED-DEVICE DETECTOR (i.e., you’ll know when the bank token has been inserted!!)!!! Size: 15kb uncompressed; developed in assembly (FASM). For eavesdropping, the Trojan alters the export list of one of the Java DLLs. This ensures STABLE system operation as opposed to the INJECTION method. I’ll consider selling the Trojan and source code (US$3,000).”

“I’m selling a program to intercept SMS. The program is based on a mobile SMS spy. It works using alarms. The program’s functionality lies in its simultaneous transmission of SMS.
• You send an SMS from Skype to the victim’s phone. An MMS arrives. When the MMS is opened, the program is automatically installed on the phone.
• Now, everything that comes to the victim’s phone will come to you at the same time.
• SMS Spy lets you catch others’ SMS in flight.
Would you like to do some spying? Do you want to be sure of your partner? Or would you like to laugh at your friends? Then you’ve come to the right place! Be in the know! This is the service for you! Does your girlfriend constantly send SMS and say that they are to her girlfriend? When she dials a number you can’t see, does she go into another room and say that she called her girlfriend? Would you like to find out?
• Instant access to all services: Ability to read all of a subscriber’s incoming and outgoing SMS.
• Function to view the sender/recipient, including his name as it is (as recorded in the address book of the phone on which the program is installed)
• Full stealth mode, that is, there are no external signs of the program’s operation
• Completely anonymous, nobody will ever be able to figure out who installed the program in the phone
• The application works when roaming
• A version has been implemented that runs in complete invisible mode
• The mobile phone begins transmitting messages only when in standby mode, that is, when its menu is off and no buttons are being pressed
• Consequently, the user won’t suspect a thing
The program costs US$350.”

“I’m selling Limbo source code. If you don’t know, this is a Trojan that has been around for two years. The price is US$300. Contact the author via PM.”

“I’m selling three administrative controls for SpyEye 1.3 (client, main, and form grabber); plug-ins for the new version of SpyEye; collector from the new version; database dump from the new version; the most detailed manual on configuring and installing SpyEye 1.3. Each line in the settings is spelled out: What, where, how, and why. That is, all the modules from the new version. No publicity! I’m ready to show you screenshots of the administrative controls and whatever you want. The suite costs US$300.”


Social Engineering Services

Social engineering is a term crackers and hackers use to denote unauthorized access to information by means of something other than software usage. The objective is to outsmart people in order to get their passwords or other confidential information that can help cybercriminals breach their computer’s security. Classic fraud types include making telephone calls to a company to ascertain who has the necessary information, then calling its administrator while posing as an employee with an urgent system access problem.

In its pure form, social engineering does not attract fraudsters. Social engineering training services can, however, be found, though they are quite rare. Social engineering primarily allows fraudsters to hack victims’ email or social networking accounts. It also effectively lures people to visit exploit-laden and phishing web pages.

Hacking Services

Account hacking [Взлом акков] is very popular among cybercriminals. The demand for such a service is enormous, so advertisements for this abound in underground markets. The most common hacking targets are email and social networking accounts. Hacked site and forum accounts are less commonly seen. In fact, each concrete order is usually handled separately in a private conversation.

Brute Forcing

Brute forcing [Брут] is one of the oldest means by which cybercriminals hack email and other accounts (e.g., FTP, Telnet, and ICQ). Brute forcing is simply “guessing someone’s password.” Special programs that automate this process are available in the underground market. All it requires is to compile a good dictionary feed. The program will then try each password one at a time and report which one works.

The most popular brute-forcing programs are Brutus and Hydra. Hacking accounts via brute forcing is very difficult because the required password may not be in a program’s dictionary. Besides, trying every password can take a considerable amount of time. The growth of computing power, however, is allowing brute forcing to once again gain relevance. Some cybercriminals even offer services to decrypt hashes.

Guessing Answers to Secret Questions

Guessing answers to so-called “secret questions” is relevant to hacking email accounts. Because people frequently set questions such as “Where do I live?” or “What is your favorite food?” as prompts to access their accounts should they forget their user names or passwords, it is not so difficult for cybercriminals to hack these.
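The one-password-at-a-time guessing described under Brute Forcing leaves a recognizable trail in authentication logs: a burst of failures for one account from one source, sometimes ending in a success. The following detection sketch is an added example, not part of the original paper; the log format, the sample lines, and the thresholds are assumptions made for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log (not from the paper): timestamp, result, account, source.
SAMPLE_LOG = """\
2024-05-01T10:00:00 FAIL user=alice src=203.0.113.7
2024-05-01T10:00:00 FAIL user=carol src=192.0.2.9
2024-05-01T10:00:02 FAIL user=alice src=203.0.113.7
2024-05-01T10:00:04 FAIL user=alice src=203.0.113.7
2024-05-01T10:00:06 FAIL user=alice src=203.0.113.7
2024-05-01T10:00:08 FAIL user=alice src=203.0.113.7
2024-05-01T10:00:10 FAIL user=alice src=203.0.113.7
2024-05-01T10:00:12 OK user=alice src=203.0.113.7
2024-05-01T10:01:00 FAIL user=bob src=198.51.100.4
2024-05-01T10:01:20 FAIL user=bob src=198.51.100.4
2024-05-01T10:01:40 OK user=bob src=198.51.100.4
2024-05-01T10:03:00 FAIL user=carol src=192.0.2.9
2024-05-01T10:06:00 FAIL user=carol src=192.0.2.9
2024-05-01T10:09:00 FAIL user=carol src=192.0.2.9
2024-05-01T10:12:00 FAIL user=carol src=192.0.2.9
"""


def parse_line(line):
    """Return (timestamp, succeeded, user, source) or None for a malformed line."""
    parts = line.split()
    if len(parts) != 4 or parts[1] not in ("OK", "FAIL"):
        return None
    try:
        ts = datetime.fromisoformat(parts[0])
        user = parts[2].split("=", 1)[1]
        src = parts[3].split("=", 1)[1]
    except (ValueError, IndexError):
        return None
    return ts, parts[1] == "OK", user, src


def detect_guessing(lines, max_failures=5, window=timedelta(minutes=1)):
    """Flag (account, source) pairs with >= max_failures failures inside `window`.

    A success from the same pair after the burst is recorded as a probable
    compromise, because it suggests the guessed password worked.
    """
    recent = defaultdict(deque)  # (user, src) -> timestamps of recent failures
    alerts = {}                  # (user, src) -> {"failures": n, "compromised": bool}
    for line in lines:
        event = parse_line(line)
        if event is None:
            continue
        ts, succeeded, user, src = event
        key = (user, src)
        if succeeded:
            if key in alerts:
                alerts[key]["compromised"] = True
            recent.pop(key, None)  # a success resets the failure streak
            continue
        failures = recent[key]
        failures.append(ts)
        while failures and ts - failures[0] > window:
            failures.popleft()     # drop failures that fell out of the window
        if len(failures) >= max_failures:
            entry = alerts.setdefault(key, {"failures": 0, "compromised": False})
            entry["failures"] = max(entry["failures"], len(failures))
    return alerts


if __name__ == "__main__":
    for (user, src), info in detect_guessing(SAMPLE_LOG.splitlines()).items():
        print(user, src, info)
```

The slow series against carol stays under the window threshold, which is why a per-account lockout counter is normally used alongside a rate-based rule like this one.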


As one of the oldest means by which cybercriminals steal passwords, phishing remains effective to this day. Bad guys create fake copies of login pages, which gather user credentials. Users who scrutinize URLs and pages, however, are more likely to fall for more sophisticated means of data stealing, hence the rise of social engineering.

Hacking Service Prices

The most popular email domains cybercriminals hack in Russia are Mail.ru, Yandex.ru, and Rambler.ru. Social networks, Vkontakte and Odnoklassniki, are also popular targets. Services and tools for hacking Gmail, Hotmail, and Yahoo! Mail are also somewhat available but at premium prices. Offerings for hacking ICQ, Skype, Twitter, and Facebook accounts as well as other services are not very popular but may also be found.

Offering | Price
Mail.ru, Yandex.ru, and Rambler.ru accounts | US$16–97
Vkontakte and Odnoklassniki known accounts (no guarantees) | US$97–130
Vkontakte and Odnoklassniki unknown accounts (no guarantees) | US$325+

Table 10: Hacking service prices

Here are sample cybercriminal posts offering hacking services (translated from Russian):

“Mail.ru (@BK.ru, @inbox.ru, @list.ru): US$41; Mail.ru, Bk.ru, Inbox.ru, List.ru: US$100; Yandex, Rambler: US$150; Gmail, Googlemail.com: US$180; Yahoo.com: US$350; Hotmail.com: US$350; Odnoklassniki: US$100; Vkontakte: US$100”

“Mail.ru, Bk.ru, Inbox.ru, List.ru: US$97; Mail.qip.ru: US$97; Gmail.ru: US$97; Yandex, Rambler: US$130; Ngs.ru, Inbox.lv, @gmx.de, AOL.com: US$130; @i.ua (UA.fm, Email.ua), @ukr.net, @ukrpost.net, Bigmir.net: US$130; Gmail.com, Googlemail.com: US$162; Yahoo.com: US$162; Hotmail.com: US$162; if the email address for social networks, ICQ, and Skype is unknown, the cost amounts to US$325; if the email is known, then: Odnoklassniki: US$130, Vkontakte: US$130, Mamba.ru: US$130, Facebook.com: US$130, Twitter.com: US$130; IM services: Skype.com: US$130, ICQ.com: US$130; acquiring the IP address of the target: US$65; corporate email: US$500 per mailbox”

“Mail.ru (List.ru, BK.ru, Inbox.ru): US$70; Yandex.ru: US$70; Rambler.ru: US$70; Gmail.com: US$85; Pochta.ru: US$60; UKR.net: US$60; Odnoklassniki.ru (given an email address): US$85; Vkontakte.ru (given an email address): US$85”


Ransomware Services

The most widespread online extortion practice involves the use of a Windows blocker. A blocker such as Winlocker is a special type of malware designed to paralyze a computer’s OS. Its execution spurs the appearance of a prompt urging a user to deposit a certain amount of money to the hacker’s account in order to unblock his system. Winlockers are sometimes sold in the underground market, albeit rarely.

Ransomware Service Prices

Offering | Price
Winlocker | US$10–20
Winlocker builder | US$20–25
Winlocker source code | US$8

Table 13: Online extortion service prices

Serial Key Sales

Selling software activation keys is common in the underground market. In fact, serial keys can easily be obtained at low prices.

Here are sample cybercriminal posts offering serial keys (translated from Russian):

“Windows 7 Ultimate: US$7, Windows 7 Professional: US$5, Windows 7 Home Premium: US$3, WinServer 2008: US$5; MS Office 2010: US$4; MS Office 2011 for Mac: US$4”

“Kaspersky Internet Security 2010/2011 activation keys: 1 year: US$4, 2 years: US$7”


Exploits

Exploits [Сплоиты], aka “sploits,” are programs, more often scripts, that exploit vulnerabilities in other programs or applications. The most prevalent type are browser exploits, which enable the download of malicious files. Exploits introduce code that downloads and launches executable files on a victim’s computer.

An example of an exploit attack is causing an integer buffer overflow in the setSlice() method in the WebViewFolderIcon ActiveX component. Using a specially constructed webpage or email, a remote user can corrupt a computer’s memory and execute arbitrary code. Arbitrary code execution occurs when a person using a vulnerable browser navigates to a web page embedded with an exploit.

Exploits are usually installed in hosting servers. An exploit bundle is a special script, most often written in PHP, which combines several exploits. Using a bundle is much more effective than using individual exploits. Conventionally, bundles are categorized as either “intelligent” or “unintelligent.”

An unintelligent exploit bundle simply downloads all of the exploits in a bundle at one time, regardless of what browser a victim uses. As such, it is not a very efficient solution because running several exploits in a bundle may do more harm than good. One exploit’s routines may interfere with those of another exploit. Unintelligent bundles are generally less expensive than intelligent ones.

Intelligent bundles determine a victim’s browser and OS versions before downloading the appropriate exploits. If they do not have an exploit for the user’s OS and browser, they do not download anything.

As a rule, bundled exploits are encrypted to avoid malware detection by security software. Bundle developers also try to obfuscate their exploits’ source code to prevent victims from noticing them running on websites. Each bundle may also be able to obtain statistics (e.g., a mechanism for recording the number of visitors, their OS versions, their browser versions, etc.).

An exploit’s reach is a measure of its efficiency: the ratio of users on whose computers the exploit worked to the total number of users who visited a page in which it was embedded. As such, if 1,000 users visited an exploit-laden page and the computers of 200 people were successfully infected with a Trojan, that exploit’s reach is equal to (200 / 1,000) * 100 or 20%.

XSS exploits are also available in the underground market. XSS vulnerability exploitation occurs when a script, usually malicious, embedded in a site is able to communicate with content in a different site or in a local HTML page, hence its name. Unlike in other attacks, hackers use servers susceptible to XSS as intermediaries to attack the visitors of infected websites, forcing their browsers to execute malicious scripts.

In an XSS attack, after the execution of a malicious script, the script begins to receive commands from a remote resource, controlling a victim’s browser without alerting him to what is happening and carrying out required actions. A script may be locally invoked on a system or may reside in an inactive state on a compromised web server until the affected user makes calls to an infected web page. The script then becomes active on the user’s machine and begins to execute harmful operations.

Successful XSS attacks require the satisfaction of several criteria—the use of an insufficiently secured browser that does not compare a script’s origin with the permissions it seeks and a carelessly written web page that lacks sufficient data entry verification. Social engineering is frequently employed to get a potential victim to click a link to a page that has been embedded with malicious code.

The majority of XSS attacks target users’ session cookies—files saved in systems every time they visit a website. Stealing cookies allows hackers to impersonate users and perform actions in their name. Cookies are transmitted to attackers via the execution of commands in the malicious script. A successful XSS exploit can prevent its victims from accessing important data and can expose them to identity theft. Hijacking sessions allows a script’s owner to engage in any kind of activity that the true owner of the account is capable of, like reading and deleting emails, conducting financial transactions, and writing social networking posts.
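The two conditions named above, a page that echoes input without verification and a session cookie that page scripts can read, can both be checked from the server's own responses. The sketch below is an added example, not part of the original paper: it puts a careless response next to a hardened one and audits each. The function names, the page template, and the probe string are assumptions made for illustration.

```python
import html
from http.cookies import SimpleCookie

PROBE = "<script>alert(1)</script>"  # constructed, harmless marker input


def careless_response(comment, session_id):
    """The carelessly written page: input echoed as-is, unprotected cookie."""
    headers = [("Content-Type", "text/html; charset=utf-8"),
               ("Set-Cookie", f"session={session_id}")]
    body = f"<html><body><p>Latest comment: {comment}</p></body></html>"
    return headers, body


def hardened_response(comment, session_id):
    """Same page with output encoding, a restrictive CSP and a protected cookie."""
    cookie = SimpleCookie()
    cookie["session"] = session_id
    cookie["session"]["httponly"] = True   # page scripts cannot read it
    cookie["session"]["secure"] = True     # only sent over HTTPS
    cookie["session"]["samesite"] = "Lax"  # withheld from most cross-site requests
    headers = [("Content-Type", "text/html; charset=utf-8"),
               ("Content-Security-Policy", "default-src 'self'; script-src 'self'"),
               ("Set-Cookie", cookie["session"].OutputString())]
    body = ("<html><body><p>Latest comment: "
            + html.escape(comment, quote=True) + "</p></body></html>")
    return headers, body


def audit(headers, body, probe):
    """List the weaknesses visible in one response to a request carrying `probe`."""
    findings = []
    if probe in body:
        findings.append("input reflected without encoding")
    if not any(name.lower() == "content-security-policy" for name, _ in headers):
        findings.append("no Content-Security-Policy")
    for name, value in headers:
        if name.lower() != "set-cookie":
            continue
        # Everything after the first ';' is a cookie attribute such as HttpOnly.
        attrs = {part.strip().split("=")[0].lower()
                 for part in value.split(";")[1:]}
        for needed in ("httponly", "secure", "samesite"):
            if needed not in attrs:
                findings.append(f"cookie missing {needed}")
    return findings


if __name__ == "__main__":
    for build in (careless_response, hardened_response):
        print(build.__name__, audit(*build(PROBE, "abc123"), PROBE))
```

With HttpOnly set, a script that does run in the page still cannot read the session cookie, which removes the most common payoff the text describes.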


XSS can also be used to steal data from forms. XSS exploits can conventionally be categorized as either active or passive. A passive XSS exploit requires a victim’s direct participation, for instance, clicking a malicious link, which requires social engineering and trickery.

An active XSS exploit, on the other hand, does not require any additional action on a victim’s part. All a victim needs to do is to open an XSS-laden web page to automatically execute malicious code. Because of their automated nature, active XSS exploits are more expensive.

Exploit Prices

Exploits may be sold individually or as bundles. Some are also available for rent.

Offering | Price
Exploit bundle rental: 24 hours | US$25
Exploit bundle rental: 1 week | US$125
Exploit bundle rental: 1 month | US$400
Styx Sploit Pack rental (affects Java and Adobe Acrobat and Flash Player) | US$3,000 per month
Eleonore Exploit Pack v. 1.6.2 (for Microsoft Data Access Components [MDAC], IEpeers, SnapShot, HCP, JDT, JWS, PDFcollab, collectEmailInfo, PDFSING, and Java Invoke(chain) 1.5/1.6; average reach of 10–25%) | US$2,500–3,000
Phoenix Exploits Kit v. 2.3.12 (for Internet Explorer [IE] 6 MDAC, Java Deserialize, Java GSB, PDF Collab/Printf, Adobe Flash Player 9 and 10, IEpeers, Java SMB, HCP, PDF/SWF, PDF Open, and PDF Lib TIFF) | US$2,200 per domain
Less popular and less effective bundle | US$25+
XSS exploit for Mail.ru: Active XSS exploit | US$50–150
XSS exploit for Mail.ru: Passive XSS exploit | US$10–35
Passive XSS exploit for Rambler.ru and Yandex.ru | US$10–50
XSS exploit for Gmail.com | US$200
SQL exploit for a site with 50,000 visitors a day | US$100
Exploit bundle crypting service: 1-time | US$50
Exploit bundle crypting service: 1-month subscription (5 times) | US$150

Table 14: Exploit service prices


Fakes

A fake is a program that copies the interface of another program or site to capture certain kinds of data, primarily passwords. The primary objective of using a fake is to trick a user into entering his user name and password or other kinds of confidential data to a form.

Fake ICQ clients as well as bank and social networking web pages are sold online. Fakes are closely related to phishing—one of the most common methods used to commit online fraud. Phishing basically refers to a set of actions to trick users into giving away personal or confidential information. Modern-day phishing can be broken down into three types—online, email, and hybrid.

The oldest phishing means is accomplished via email. Online phishing, meanwhile, relies on the use of fakes and involves copying official sites but using similar-looking domain names or URLs. This is also known as “site spoofing,” wherein users who visit fake sites type personal information into forms, believing they are in official sites. Finally, hybrid phishing involves creating a counterfeit version of a legitimate company’s website. Hackers pester users with prompts to urge them to do something on these sites.

Fake Prices

Fakes are no longer in high demand mostly due to increased computer literacy among users. As such, fakes are rather inexpensive.

Offering | Price
Fake site | US$5–20
Fake WebMoney Keeper | US$50
1-year prepaid phishing domain (e.g., vk0ntakte.net.ua and vkontaktu.net.ua) | US$50 each

Table 15: Fake prices

Traffic

Traffic [Траф] refers to the stream of visitors to a particular website. Traffic volume refers to the number of visitors (i.e., unique or otherwise) to a site over a certain period of time. The traffic cybercriminals use can be split into two categories—traffic for exploits to get downloads and traffic for blackhat SEO purposes. Several traffic sources exist, including hacked websites, white-listed sites, doorways, and spam distributors.

Iframe traffic though is most commonly used to obtain downloads. In order to get traffic, a website is hacked by inserting an iframe into one of its pages. An iframe, aka an “inline frame,” is a “floating frame.” Because it is concealed, visitors to hacked sites are unknowingly and automatically led to the hackers’ web pages. As a result, the hackers get a lot of traffic, which they can either sell or use for their own malicious purposes.

Managing the contents of hacked websites can be accomplished via an FTP account or a web shell. A web shell is a special program or a script designed to remotely manage the contents of a website.

Traffic can be topical in nature, depending on the kind of website it came from. Business traffic is most valuable because business site visitors are generally serious people with money. As such, their downloads are likely to turn into profit for hackers. Adult traffic (e.g., traffic from porn sites) is also worth mentioning even if less valuable because porn sites receive many visitors.

Traffic is frequently classified according to the visitors’ countries. Traffic from Australia, the United States, Great Britain, Germany, and Italy is most in demand. The traffic that comes from these countries is primarily business traffic. Traffic mixes are often sold as well.

Traffic for blackhat SEO purposes increases the number of visitors to a selected website. Traffic is managed via a traffic direction system (TDS). 1

1 http://www.trendmicro.com/cloud-content/us/pdfs/securityintelligence/reports/rpt_malware-distribution-tools.pdf
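The prepaid phishing domains quoted in the Fake Prices table (vk0ntakte.net.ua and vkontaktu.net.ua) differ from the real name by a digit swapped for a letter or by a single changed character. The check below is an added example, not part of the original paper; it flags such hostnames in a list taken from proxy or DNS logs. The list of protected domains, the character folding table, and the distance threshold are assumptions made for illustration.

```python
# Assumed configuration (not from the paper): the official domains to protect.
OFFICIAL = {"vkontakte.ru", "odnoklassniki.ru"}

# Digits and symbols commonly substituted for look-alike letters.
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "$": "s"})


def edit_distance(a, b):
    """Levenshtein distance between two strings (row-by-row dynamic programming)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                # deletion
                           cur[j - 1] + 1,             # insertion
                           prev[j - 1] + (ca != cb)))  # substitution
        prev = cur
    return prev[-1]


def is_official(host):
    """True for an official domain or any of its subdomains."""
    return any(host == d or host.endswith("." + d) for d in OFFICIAL)


def lookalike_of(host, max_distance=1):
    """Return the official domain that `host` imitates, or None."""
    host = host.lower().rstrip(".")
    if is_official(host):
        return None
    brands = {d.split(".")[0]: d for d in OFFICIAL}
    for label in host.split("."):
        # Fold digit-for-letter swaps and drop hyphens before comparing.
        folded = label.translate(HOMOGLYPHS).replace("-", "")
        for brand, domain in brands.items():
            if edit_distance(folded, brand) <= max_distance:
                return domain
    return None


def triage(hosts):
    """Map each suspicious hostname in `hosts` to the domain it imitates."""
    hits = {}
    for host in hosts:
        target = lookalike_of(host)
        if target is not None:
            hits[host] = target
    return hits


if __name__ == "__main__":
    # The first two names are quoted in the paper; the rest are constructed.
    seen = ["vk0ntakte.net.ua", "vkontaktu.net.ua", "m.vkontakte.ru",
            "odnoklassnik1.example", "example.org"]
    for host, target in triage(seen).items():
        print(f"{host} imitates {target}")
```

The one-edit threshold suits long brand labels like these; for short names it would match many unrelated words and should be tightened to an exact match after folding.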
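A site owner can look for the concealed iframes described in the Traffic section by scanning the site's own pages for frames that are both invisible and pointed at another host. The scanner below is an added example, not part of the original paper; the sample page, the host names, and the definition of "hidden" (zero or one pixel size, display:none, visibility:hidden, or the hidden attribute) are assumptions made for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Inline styles that make a frame invisible: display:none, visibility:hidden,
# or a width/height of 0 or 1 pixel (but not line-height or max-width etc.).
HIDDEN_STYLE = re.compile(
    r"display\s*:\s*none|visibility\s*:\s*hidden|"
    r"(?<![-\w])(?:width|height)\s*:\s*[01](?:px)?\s*(?:;|$)", re.I)


def _px(value):
    """Parse a width/height attribute such as '0' or '1px'; None for '100%'."""
    m = re.fullmatch(r"\s*(\d+)\s*(?:px)?\s*", value or "")
    return int(m.group(1)) if m else None


class IframeAudit(HTMLParser):
    """Collect iframes that are hidden and load content from another host."""

    def __init__(self, own_host):
        super().__init__()
        self.own_host = own_host
        self.findings = []  # list of (line number, external host)

    def handle_starttag(self, tag, attrs):
        if tag != "iframe":
            return
        a = {k: (v or "") for k, v in attrs}
        host = urlparse(a.get("src", "")).hostname  # None for relative URLs
        external = (host is not None and host != self.own_host
                    and not host.endswith("." + self.own_host))
        tiny = any((n := _px(a.get(dim))) is not None and n <= 1
                   for dim in ("width", "height"))
        hidden = (tiny or "hidden" in a
                  or bool(HIDDEN_STYLE.search(a.get("style", ""))))
        if external and hidden:
            self.findings.append((self.getpos()[0], host))


def scan(page_html, own_host):
    """Return [(line, host)] for every hidden external iframe in the page."""
    parser = IframeAudit(own_host)
    parser.feed(page_html)
    parser.close()
    return parser.findings


# Constructed sample page for shop.example (not from the paper).
SAMPLE_PAGE = """\
<html><body>
<h1>Catalogue</h1>
<iframe src="https://video.example/embed/42" width="560" height="315"></iframe>
<iframe src="/keepalive.html" style="display:none"></iframe>
<iframe src="http://traffic.invalid/in.php?id=7" width="1" height="1"></iframe>
<p>Footer</p>
<iframe src="//tds.invalid/go" style="visibility:hidden;width:0;height:0"></iframe>
</body></html>
"""

if __name__ == "__main__":
    for line, host in scan(SAMPLE_PAGE, "shop.example"):
        print(f"line {line}: hidden iframe loading from {host}")
```

Running the scan against each deployed page and comparing the result with the last known-good build also exposes changes made through a stolen FTP account or a web shell.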


Traffic Prices

As expected, traffic costs much less than downloads. Traffic from European countries and the United States is more expensive (i.e., US$7–15 for 1,000 visitors) than traffic from other countries. Overall, the country ranking in terms of price is the same as that for downloads. Ads for TDSs may sometimes be found though very rarely.

Here are sample cybercriminal posts offering traffic (translated from Russian):

“U.S. stream of 50,000/day; iframe. I’ll sell for US$9. 30% is adult traffic; the rest is related to movies, music, games, and dating.”

“US$6 for 1,000 visitors (IT, PL, BR, AR, ES).”

“1,000 visitors: US$10 (RU); 1,000 visitors: US$4 (mix)”

“Portal TDS + unique redirect system, price: US$600. All updates are free.”

Blackhat Search Engine Optimization Services

SEO uses various techniques to promote websites and optimize these for searches. It is a legitimate means by which organizations raise awareness for their sites, making them appear on top of search results pages.

An important concept frequently encountered in relation to SEO involves the Topical Citation Index (TCI). It is a method used by the Yandex search engine to ascertain the “authority” of an Internet resource based on the characteristics of the links to it from other websites. The TCI is computed using a specially developed algorithm in which special weight is given to the “topical proximity” of a resource and the websites that link to it. Only approximate values are specified, which helps roughly determine websites’ authority.

Several ways to improve a site’s TCI exist, including registering to catalogs and article directories, commenting on forums with links back to one’s site, signing guest books with links back to one’s site, posting on announcement boards, and exchanging links.

Blackhat SEO is the malicious way of using SEO. It often involves the use of doorways or websites generated by a program (i.e., doorway generator) whose pages are optimized (i.e., have a lot of search spam and crosslinks) for various search queries in order to redirect visitors, aka “drones,” to a certain website.

Xrumer [Xрумер] is one of the most popular blackhat SEO tools available online. Several versions of the program, in fact, are sold with features like:

• Direct posting: A customer’s text is distributed in forums, guest books, or blogs.
• Aggressive posting: Similar to direct posting, except for the fact that a topic is created in all of the sections of more than one forum.
• Profile use: Profiles with links to the customer’s site are registered on home pages, resulting in “endless” back linking.


• Ref spam method use: Consists of sending ref requests to a website’s pages with referer=“your_website” set in the request. As a result, the address of a customer’s website is displayed on all of the websites on a special page, primarily focusing on search engines.

Blackhat Search Engine Optimization Service Prices

Offering | Price
Xrumer database with 30,000 sites (mostly RU and EN): Direct posting | US$20
Xrumer database with 30,000 sites (mostly RU and EN): Aggressive posting | US$25
Xrumer database with 30,000 sites (mostly RU and EN): Profile use | US$20
Xrumer database with 30,000 sites (mostly RU and EN): Ref spam method use | US$7
Xrumer 7 Elite (licensed) | US$295
Xrumer 7 posting service: With 9,000–10,000 profiles | US$20
Xrumer 7 posting service: For 30,000 posts | US$7
Xrumer posting on forums, blogs, and guest books | US$6 per 100,000 posts

Table 16: Blackhat SEO service prices

Here’s a sample cybercriminal post offering SEO services (translated from Russian):

“SEO service in YouTube, MySpace, FaceBook, Twitter; prices: YouTube: 1,000 views for US$16; MySpace: 5,000 plays of track (views of page): US$50; 1,000 Facebook Likes: US$140; 1,000 Twitter followers: US$35”

Conclusion

As the Russian underground community continuously modifies targets and improves technologies, security companies and users must constantly face the challenge of effectively protecting their money and the information they store in their computers and other devices.

This paper covered only the most basic and fundamental tools and technologies cybercriminals create and use to enhance their business. It also contains pricing snapshots gleaned from underground forums in order to paint a comprehensive picture of the Russian underground economy and how much it resembles real-world business.

The Russian shadow economy is an economy of scale, one that is service oriented and that has become a kleptocracy wherein crony capitalism has obtained a new lease on life in cyberspace.


Appendix

Based on ongoing research and monitoring of various Russian underground forums, we assessed the popularity of various malicious activities and/or services and ranked them below:

1. Programming services and software sales
2. Hacking services
3. Dedicated server sales and bulletproof-hosting services
4. Spam and flooding services, including call and SMS flooding services
5. Download sales
6. DDoS services
7. Traffic sales
8. File encryption services
9. Trojan sales
10. Exploit writing services and sales
11. Scanned document copy sales and reworking services
12. Ways to earn money online document sales
13. Proxy sales
14. Fake sales
15. Botnet and bot sales, particularly ZeuS botnets
16. VPN services
17. Blackhat SEO services
18. Serial number and activation code sales
19. SMS fraud services
20. Windows blocker sales and ransomware services
21. Security software checking services
22. FTP account and web shell sales
23. Malicious code obfuscation services
24. Rootkit sales

The top 10 forums where Russian cybercriminals buy and sell their wares were:

1. antichat.ru
2. xeka.ru
3. carding-cc.com
4. Exploit.IN
5. InAttack
6. XaKePoK.su
7. HACKER-PRO CLUB (HPC)
8. XAkNet.ru
9. zloy
10. HackForce.RU

TREND MICRO

Trend Micro Incorporated (TYO: 4704; TSE: 4704), a global cloud security leader, creates a world safe for exchanging digital information with its Internet content security and threat management solutions for businesses and consumers. A pioneer in server security with over 20 years’ experience, we deliver top-ranked client, server and cloud-based security that fits our customers’ and partners’ needs, stops new threats faster, and protects data in physical, virtualized and cloud environments. Powered by the industry-leading Trend Micro Smart Protection Network cloud computing security infrastructure, our products and services stop threats where they emerge—from the Internet. They are supported by 1,000+ threat intelligence experts around the globe.

TREND MICRO INC.
10101 N. De Anza Blvd.
Cupertino, CA 95014
U.S. toll free: 1 +800.228.5651
Phone: 1 +408.257.1500
Fax: 1 +408.257.2003
www.trendmicro.com

©2012 by Trend Micro, Incorporated. All rights reserved. Trend Micro and the Trend Micro t-ball logo are trademarks or registered trademarks of Trend Micro, Incorporated. All other product or company names may be trademarks or registered trademarks of their owners.
