Cybercriminals & Big Data Analytics

By Kate McGavin, Senior Product Marketing Manager

Big Data is the buzzword making headlines today. From improving medical diagnosis and treatment to energy conservation, businesses around the world are using Big Data analytics to transform the data they store into actionable information.  Even here at RSA/EMC, we are working to leverage Big Data analytics to improve the way our customers detect and respond to threats.  You can be sure that if legitimate businesses are using the latest and greatest technology, cybercriminals are too!

Cybercriminals are also using Big Data principles to improve their own efficiency.  They have developed a variety of tools to better sort, analyze and monetize the volumes of data they collect.  For cybercriminals, the information collected in drop zones through Trojans on infected PCs (some of which have over a million infected PCs)  is clogging their infrastructure. As a result, malware authors have developed different parsing solutions and implemented the use of separate databases in their command & control administration panels in order to distill only the most pertinent data.

RSA has analyzed several tools that shed light on these developments, and demonstrate the ways in which cybercriminals are applying Big Data methodologies within their illicit operations.  Two examples of these tools include the “IntelegentBot” log-parser plugin and the Citadel Trojan’s “Money Panel” plugin.

The “IntelegentBot” log parser plugin, shown below, is designed to help a cybercriminal operating a botnet (botmaster) query their databases for valuable data.  This web-based platform allows botmasters to connect to their Trojan databases and search for specific words such as bank URLs or names.  It also allows botmasters to search for only credit card data.  Through the use of this plugin botmasters are able to quickly and easily mine and monetize credit card data, for example. Although some search options are part of basic botnet admin panels, this one is a commercial, standalone interface that can be adapted to different Trojans.

IntelegentBot Query Command Box Source: RSA AFCC

The “Money Panel” is designed to steal only credit card data and parse into a separate database.   This second plugin uses a special set of web injections specifically targeting credit card data, 16 numerical characters.  The web injection displays when a victim accesses a specific sites, such as a bank site or Facebook.  As soon as a victim enters their card information into the injected field, the data is collected, but instead of reaching the cluttered log repository, it is sent to a separate database in a remote server.

In addition to leveraging Big Data analytics to quickly sift through volumes of data, cybercriminals are using these tactics to derive intelligence from their collections of information to better understand trends and effectiveness of attacks.  This enables cybercriminals to make better decision for future attacks and investments as they learn more about infected machines, and the success of their existing malicious applications.  RSA analyzed the administrative functions and panels for the Citadel Trojan, image captured below.  The data-filtering and charting functionality show colorful statistics on firewall brands and anti-virus software installed on infected machines, providing botmasters with insight into the tools that could pose a problem to future activity.

Administrative Panel for Citadel Trojan Source: RSA AFCC

The sophistication, agility, and speed at which a cybercriminal operates and monetizes their fraudulent information have improved through the use of Big Data analytics.  Cybercriminals can now sort their collections of data more quickly to extract financial details and view performance metrics for current malware applications. This is certainly a trend to keep an eye on.  As cybercriminals continue to master the concepts of Big Data and apply it to their operations, their cyber-attacks stand to become more effective.  To combat these attacks, businesses will need to use intelligence-driven solutions that also leverage big data to deliver timely, actionable security decisions.

Kate McGavin is a Senior Product Marketing Manager at RSA, the Security Division of EMC, within the Identity and Data Protection group.  Kate supports the go-to-market and product launch efforts for the authentication offerings at RSA.  She is responsible for the development of strategic marketing plans through market research & business analysis, competitive analysis, and pricing model evaluation. Kate holds a BS in Marketing and Information Design Corporate Communication from Bentley University.