In the latest Tales of the Cyber Underground instalment, Tom Brewster looks at the Blackshades bust and considers what it means for the future of cyber policing
European and US law enforcement bodies were almost beatific this May when they announced the arrest of at least 90 individuals related to the Blackshades malware. It was declared an “unprecedented global law enforcement operation”.
But whilst it was impressive in terms of collaboration, the Blackshades crackdown will not send shockwaves amongst serious cybercriminal circles. It was a relatively cheap and dirty RAT (remote access Trojan) that could be bought for between $50 and $100 from the now defunct bshades.eu site. The surveillance tool wasn’t big on underground forums, although many were shoving Blackshades through crypting services, which obfuscate code to avoid anti-virus detection. Compared to the $5,000 Trojans that appear on the darkest of criminal marketplaces, Blackshades was small fry.
“Blackshades has always been regarded as a simple tool for the unskilled…The forums did not react greatly to the latest news outside of ‘newbie’ posts asking for similar software”, says Alex Holden, CTO and founder of Hold Security. “Sales of Blackshades were never good…we have seen the software re-distributed on the black market.”
Even law enforcement knows Blackshades wasn’t a huge menace, outside of its occasional usage to spy on people via webcams and extortion attempts. Andy Archibald, current head but soon to be deputy director of the UK National Cyber Crime Unit, tells me that one of the biggest benefits from the operation was learning about how best to work with international partners.
“Is it the highest, greatest threat? Perhaps not”, he says. “There are some challenges in [international collaboration on cybercrime investigations] and what we want to do is to do it in a way and an environment and in cases where we can identify what goes well, what doesn't... so that when we do get to the high end, the malware that causes the greatest threat, we've ironed out some of the difficulties.
“Part of this is about sending out a powerful message, the rest is about international collaboration, engagement with industry, arresting people, tackling malware.
“In the future we will have learned from this operation.”
There were suggestions that the Blackshades arrests might not end up in convictions as law enforcement may have arrested some who simply owned the malware but were not using it. But at least some of the leads were based on genuine infections, as Symantec passed on related domains the malware owners were using by tracking connections from Blackshades victim machines (it’s also worth noting that if the command and control infrastructure of Blackshades users was that easy to track, its operators weren’t exactly the most advanced of criminals).
Archibald also says the law enforcement agency is going to contact those people who own Blackshades but aren’t using it, giving them a gentle warning not to start infecting others’ machines. It’s an interesting tactic, reminiscent of the warnings sent to downloaders of pirated content.
“The message isn't that we're going to charge you. It's that we know you have it and to remind people not to be tempted into the criminal environment”, Archibald adds. “The step to move from owning it to using it is quite a big step. It’s about influencing behaviour”.
“Why would you buy it without using it?”
This is a big question in terms of legislation right now: should owning malware be made illegal? Many security researchers fear legislation, as it would stop them tinkering with malicious software and therefore hinder good work. Archibald won’t answer me directly on whether he’d want to change the law. He says police need to make the best use of the law available to them and where there are gaps, that’s where they will have a discussion with government. He won’t say what those gaps might be.
One also wonders how police found the owners of Blackshades toolkits that weren’t being used and whether they were confused with criminals. Clearly the police had more than just command and control domains to go on. Archibald won’t comment on the NCCU’s techniques, for fear of revealing too much.
What’s become apparent from the Blackshades aftermath and my chat with Archibald is that the response to the rise of digital criminality is still in it embryonic stages. Evidently, global cyber forces are still figuring out their modus operandi and sharing processes, whilst the likes of UK-CERT and CISP are only just getting started on improving collaboration within the UK. There is much work left to do improving the infrastructure used by police to track online crooks.
But we can expect bigger cybercrime busts in the coming months involving the NCCU and the European Cyber Crime Centre at Europol, using current laws. Blackshades is a sign of things to come.
Both Archibald and Troels Oerting, head of the Europol centre, intimated that towards the end of the summer we’ll see some significant cases detailed in public. If they can take on some of the most prevalent malware types that cause the most damage, with significant arrests, whilst working alongside other nations’ law enforcement, it will be a sign that the police are finally catching up and that information sharing partnerships are actually working.
Online detectives need wins like Blackshades, but they’ll need bigger cases to prove their worth and stem the tide of digital crime.
One more slightly depressing point to end on. The arrests won’t signal the end of Blackshades usage. Whilst the alleged creators have now been apprehended, cracked versions and the Blackshades source code, which was leaked in the early stages of development, are available for criminal use.
It’s really rather difficult to kill malware, even if it’s not particularly high-grade code. As Holden notes: “Would the remaining Blackshades users abandon the software? Possibly, but it is still functional and will do the intended damage.”