The Life of a Cybercrime Investigator

An anonymous reader writes "Steve Santorelli gets computing experts and law enforcers to cooperate in a global fight against organized Internet crime. This article talks about the role of law enforcement in identifying and battling online threats as they change and evolve. Quoting: 'The common wisdom about hacking and cybercrime is, in Santorelli's view, severely out of date. He says cybercriminals aren’t lone wolves; they are financed and directed by international criminal syndicates. ... Organized crime also has vast resources derived from its traditional operations to finance the hiring of quality hackers around the world. There is even evidence that some syndicates are investing in research and development, looking to create proprietary, next-generation hacking tools, Santorelli says.'"

We noticed

[DCFusor]

A good while back, while we were still on dialup, actually. Being a small software shop who delivered results and of course our bills over the 'net, we did a ton of email traffic. At the time it was a windows shop as well (by customer demand). We "captured" many viruses in emails, didn't catch them -- we were all pros and knew better. Since we had all the best tools money could buy, we looked pretty closely at these "captured" (eg, not caught) viruses. At first, they were obviously not the work of very skilled or well financed people. Many still had debug symbols in the code, and things like Devstudio and reverse compilation showed they were usually done with a "free" C compiler, not GCC, but Borland.
Most were pretty crummy code, at least by our standards, though there were a few interesting tricks, like pushing data on the stack and then doing a return to get a goto to happen, often into a system function.
All of a sudden, things got better or worse, depending on your POV. The stuff we were capturing suddenly changed, a lot - it was well written, well obfuscated, and tricky stuff -- we even got a cool idea or two from it, and the new stuff was much smaller and made better use of the system API to do nearly all the work -- none of the obviously malicious code was in the virus itself, just system calls with destructive parameters. This would have been around the 2006 timeframe.
It was obvious that someone had started putting money into the game, or for whatever reason the quality of the crackers had suddenly gotten a heck of a lot better, which usually implies the former. Real talent.
To the fanboi who said "it's not windows", sorry pal. Might have been true once, for bot farms and so on, that need volume. Today's cracking is financially based, and much more targeted. And most machines that deal with tons of money aren't running windows -- after being burned a few times, you think the financial business has any loyalty to the guys in redmond? Or anyone at all, for that matter? Linux is just plain more difficult to crack, and more proactive about patching when possible vuln's are discovered. Anyone who looks at the flow of updates to Ubuntu and how many of them "fix a possible security bug" knows this. Many bugs that would have been zero-day exploits are fixed before anyone has put an exploit out for them at all, just by doing some fairly obvious code analysis, looking for ways to overflow allocations and such.
Could be windows guys do that some too, but since they long-delay even well known holes, and you can't see what is in those closed source, uncommented updates, (sometimes there's a KB entry, but not always and always little detail) how could you prove that? I don't think you can.