“Start Hacking Skype Now!! What are you waiting for to get started with Skype hacking? You’re one step away from hacking any Skype password of your choice, completely free of charge! Just click on the download button below to get your hands on a free copy of Skype Account Hacker!”
So reads the advertisement for a piece of software known as, Skype Account Hacker. I’m not sure how legitimate it is, but, because Skype is infamous for its ability to be hacked, if this software is not legitimate, certainly one of the hundreds of similar programs probably is.
To qualify as good crimeware, a program must be presented in a way that anyone, even someone technologically challenged, can use it. Skype Account Hacker certainly meets this criterion. Notice, in the interface below, that, apparently, all you really need is the Skype username and you’re ready to take over someone’s account.
Now, I know what you’re thinking. Is this legal? That’s really a difficult question to answer. There is a razor-thin, fuzzy, line between legal and illegal programs. Think of it this way. Isn’t pentesting (having a hacker test your network for vulnerabilities) actually the same as hacking? It is except for one key difference. The pentester isn’t trying to exploit your site’s vulnerabilities to make profits that you don’t know about. In the same way, sites, like the one which sells Skype Account Hacker, don’t advertise their products as a way to make money. In fact, many of these sites warn against using these programs for illegal purposes. This particular one does not. This site also offers Facebook, Yahoo, Gmail, and Twitter hacks. Interestingly, for the email hacks, which only require you knowing the victim’s email, you are asked to supply your own email so that they can reply to you. Hmm, I wonder if they could then hack your email? Maybe that’s why these programs are available free of charge. Simply signing up for one of them could give the sellers a lot of useful personal information about you, let alone what they could download onto your computer when you download their software. If you’re lucky, your browser will warn you not to access some of these questionable websites. You may see a message such as the following which is connected to a program called, Ultimate Facebook Hacker.
Yes, some of these simple software programs might work to some degree, but, for the most part, you will have to use them at your own risk.
A step up from these questionable software programs are a group of programs classified as ‘hacking tools’. These are tools that are used by ethical hackers to test the security of computers and networks. Obviously, if these tools are used on computers and networks that the user has no permission to access, they become true hacker tools. They are readily available on the regular internet and most are rather easy to use. These tools can be broken into various hacking categories which include password crackers, web vulnerability scanners, intrusion detection systems (which analyze network packets/traffic), and multi-purpose tools (which perform a variety of functions). Prices of these tools vary. Some are free and most will offer a free trial of some sort. If you want a license to a full version you would have to pay real money. One of the most popular multi-purpose tools, Metasploit, will cost you $5,000 for the license. These are legitimate tools but it doesn’t take much imagination to see that they could, in the wrong hands, qualify as crimeware.
One step up from tools, on the crimeware scale, come exploits. Exploits take advantage of a hardware or software vulnerability to gain control over a computer or network. The amount of control an exploit can get is dependent on the strength of the exploit. Some can gain nearly complete control over a computer and a network. These are known as RATs, which stands for Remote Administration Tool. Among the RATs, none is more popular among hackers than Darkcomet RAT. It is readily available on the regular internet. You can usually download the basic Darkcomet for free, but updated versions will cost you a bit more… a whopping $25. Here is what Darkcomet can do:
- Find out all system information, including hardware being used and the exact version of your operating system, including security patches.
- Control all the processes currently running on your system
- View and modify your registry
- Modify your Hosts file
- Control your computer from a remote shell
- Modify your startup processes and services, including adding a few of its own
- Execute various types of scripts on your system
- Modify/View/Steal your files
- Put files of its own on your system
- Steal your stored passwords
- Listen to your microphone
- Log your keystrokes
- Scan your network
- View your network shares
- Control your MSN Messenger / Steal your contacts / Add new contacts
- Control your printer
- Lock/Restart/Shutdown your computer
- Update the implant with a new address to beacon to or improve its functionality
The interface is fairly straightforward:
And here are your menus:
Now, it may come as a surprise that there is nothing illegal in downloading or buying such an exploit. Why? Because maybe you want to remotely control your own computer or someone’s computer that you have permission to control. Again, it’s simply a matter of how the program is used. In order to use it for crimeware, you’d have to use the time-honored methods for getting it installed on a victim’s computer… some form of phishing that includes having the victim open an infected attachment, getting them to visit an infected website, or including the exploit in a download disguised as something else or combined with something legitimate.
There are a number of RATs that are definitely used for crime only. You can find some of these for sale in the deep web. What makes them different is that they are specifically designed for criminal penetration and persistence on a computer or network. One example that is up for sale is “The real GovRAT”. You can get it for about $900. Among the extra features it has is the ability to give a “VALID Digital signature for binary files”, meaning that it can appear as legitimate software. It can avoid anti-debugging attempts. It uses encryption. And, importantly, it uses a FUD (fully undetectable) keylogger. Clearly, you pay the extra money for the fact that your control over a computer or network will remain undetected for as long as possible. This can be good for both espionage and financial purposes. The average length of time before exploits are detected is around 7 months.
This brings us to the ‘gold standard’ of crimeware: the zero-day exploit. This is one that uses a previously undiscovered vulnerability in software or hardware to enter a network undetected because nothing has been developed to detect it. It, therefore, has a much longer lifespan than a normal exploit.
Surely, the use of zero-day exploits must be illegal, right? Actually, they are not. In fact, legitimate companies will pay good money for zero-day exploits discovered by ethical hackers. Google has paid at least $50,000 to a Polish team that found a bug in its Chrome browser. Governments and large corporations routinely purchase zero-day exploits to use for their own purposes. Can you buy one? Sure, if you’re rich enough.
On the deep web website, TheRealDeal, you can buy a zero-day exploit for Apple’s iCloud which can, according to the developers, allow you to:
“Access any apple id account including: – address data / name – photos – contacts list – browser bookmarks – list of purchased and downloaded apps – full email access – full calendar access – notes – reminders – GPS locations of friends who enabled location sharing – data from family sharing – shared photos – icloud drive”
All of this for a mere $17,000 in bitcoins. (Let me check my pockets.) Actually, this is a bargain price, as are many of the prices listed for various zero-day exploits on this site. The reason this is a bargain is because, according to one source, “boutique vulnerability providers, such as VUPEN Security, ReVuln, NetraGard, Endgame Systems, and Exodus Intelligence, sell subscriptions that include 25 zero-day flaws per year for $2.5 million.” The same source claims that a payment of over $1 million for a zero-day exploit is, in some cases, not unreasonable. Who would pay for such a service? Well, we’re mainly talking big governments here…which is why zero-day exploits can’t be illegal. If you make laws, you can make them so that you cannot break them. The point is that the most dangerous exploits available are available for anyone with enough cash.
To sum it up, the crimeware market is booming. There are products readily available for any need and any pocketbook. Whether you just need information or are looking to improve your financial situation, there is something designed for you. If, however, you are a law-abiding citizen or company, it’s time to begin seriously thinking of tightening your defenses, because someone will sure to be putting them to the test in the near future.
About InZero Systems’ approach to crimeware: InZero Systems bases its security on the premise that crimeware is readily available and will attack nearly everyone through vulnerabilities inherent in software. For this reason, it has chosen to defend corporate and institutional networks at the hardware level. Sure, an employee on your network may be attacked, but that employee cannot be used as a platform to attack your network. The attacker is stopped by hardware separation. The valuable information stored on the protected side of any network-connected device remains untouched.