Queen’s researchers on the front line against cyber crime

On 2nd June 2014 numerous news outlets globally ran a story about a Russian man being charged with being behind a major cybercrime operation that affected individuals and businesses worldwide and added to the FBI’s most wanted list. Evgeniy Bogachev, also known as “lucky12345” and “slavik”, is wanted for his alleged involvement in a wide-ranging racketeering enterprise and scheme that installed, without authorization, malicious software known as “Zeus” and a variant called “GameOver Zeus” on victims’ computers.

Zeus is a type of malware known as a bot which makes up part a network of hijacked home computers, typically controlled by a criminal gang called a botnet. The software was used to capture bank account numbers, passwords, personal identification numbers, and other information necessary to log into online banking accounts.

In a non-descript glass fronted building in the heart of the Northern Ireland Science Park the news came as no surprise to a crack team of cyber security researchers who barely raised an eyebrow. The team, based in Queen’s University Belfast’s (QUB) Centre for Secure Information Technologies (CSIT), is at the forefront of researching and developing new technologies to detect bots, botnets, malware and Advanced Persistent Threats (APTs) since it was established as the UK’s Information and Knowledge Centre (IKC) in 2009. The Zeus botnet, and the plethora of variants it has spawned, has been of particular interest to the team who work as part of the Secure Digital Systems research cluster headed by Professor Sakir Sezer.

Sakir Sezer 250 166Professor Sezer says: “As the internet has evolved into a multi-trillion pound business, the threats have evolved as well. To date members of the gang who operate the Zeus botnet have stolen an estimated $500 million. This represents a huge loss to citizens and businesses alike. Our research is helping minimise the fraud and theft enabled by this pernicious software through the development of hardware and software tools and technologies which have been proven to detect and prevent this type of malicious activity.”

In a secure laboratory within the facility Professor Sezer’s team of researchers and engineers have installed a complete botnet for the purposes of determining how it replicates, evolves over time and communicates with command and control systems. The team are reluctant to say too much about their findings in an effort to stay one step ahead of the criminals in this cat and mouse game. What they will say, however, is that the solution they have developed has the ability to analyse gigabytes of network traffic, in real-time, pinpointing botnet activity on corporate, mobile operator or Internet Service Provider (ISP) networks. This malicious activity can be traced to a specific machine, laptop or mobile device which has been infected with the malware.

Notwithstanding, the research isn’t a purely academic endeavour. Through its unique ‘Open Innovation’ model CSIT works to exploit and transfer knowledge to industry through member companies such as global giants McAfee and IBM, as well as via commercial R&D and consultancy engagements with local SME’s such as RepKnight and AirPOS. This ensures the research is both industrially relevant and that findings can be put to work as quickly as possible to limit the impact of malware and botnets on society as well as bringing new cyber security technologies to market.

Highlighting ISP and mobile network operator’s failure to adopt technology to limit the damage wreaked by malware and botnets Professor Sezer says: “We have the proven technology to detect and stop these malicious applications at the ISP and operator level but many are reluctant to take on responsibility for providing this service to their customers. Common Carrier status means the ISP is not responsible for anything illegal taking place over the network.  For example, Warner Brothers can’t sue BT because their digital content (films) are being illegally streamed to BT broadband subscribers.  The ISPs use this legal provision to see no evil.  Hence they make no attempt to protect subscribers from malware. However, they are quite happy to detect and block Skype traffic when it effect’s their bottom line. The legislative framework needs to change to enable broader use of this technology to protect internet consumers.”

MSc_in_Cyber_SecurityNew technology is only one part of the CSIT story.  Currently, the demand for cyber security experts is growing at twelve times the rate of the overall job market. The Centre has listened to the needs of industry and is complementing its technology research by developing a new Master’s degree in Cyber Security to skill up the next generation of cyber security professionals. The course is open for application now and will begin in September 2014.

Professor Maire O’Neill, Co-Ordinator of the new MSc in Cyber Security, says: “The emphasis of the MSc is to provide graduates with a comprehensive understanding of the cyber security challenges facing industry and society, today and in the future, and equipping them with the skills necessary to address those challenges.”

Finally, the Centre recognises its wider responsibilities to society in terms of supporting citizens, industry and government to tackle the scourge of cyber-crime as well as capitalising on the huge global demand for technologies in this area. CSIT staff are involved in a variety of prominent advisory bodies such as the Organised Crime Task Force’s Cyber Crime Sub Group, the UK Cyber Growth Partnership and chairing the Royal Society’s Cyber Security Research policy committee.

You can find out more about CSIT and the MSc in Cyber Security on its website here: http://www.csit.qub.ac.uk/

Hi-tech crime terms

  • Bot – one of the individual computers in a botnet; bots are also called drones or zombies
  • Botnet – a network of hijacked home computers, typically controlled by a criminal gang
  • Malware – an abbreviation for malicious software i.e. a virus, Trojan or worm that infects a PC
  • APT – Advanced Persistent Threats are a set of stealthy and continuous computer hacking processes, often orchestrated by human targeting a specific entity.

Advice from Get Safe Online

  • Install internet security software from companies listed on Get Safe Online’s website to download a free tool to scan for Gameover Zeus and remove it from your computer
  • Do not open attachments in emails unless you are 100% certain that they are authentic
  • Make sure your internet security software is up-to-date and switched on at all times
  • Make sure your Windows operating system has the latest Microsoft updates applied
  • Make sure your software programs have the latest manufacturers’ updates applied
  • Make sure all of your files including documents, photos, music and bookmarks are backed up and readily available in case you are no longer able to access them on your computer
  • Never store passwords on your computer in case they are accessed by Gameover Zeus or another aggressive malware program