UK’s top ecrime investigator describes a life fighting cybercrime

Filed Under: Featured, Law & order, Malware

UK cybercrime investigator and Sophos consultant Bob Burls has been on the inside of some of the biggest law enforcement takedowns of the last decade. Speaking with Naked Security, he says that, while investigators are getting better at what they do, cyber crooks are too: creating smaller and more efficient malware and focusing, more than ever, on a big score.

Burls, a retired Detective Constable with the Police Central e-Crime Unit for the UK's Metropolitan Police, said that he has seen malicious code become smaller, more efficient and more focused on economic crimes in more than a decade as a cybercrime investigator.

"It used to be pure pwnage," said Burls, who started his career as a cyber crime investigator in 2001 for the then newly-formed National High Tech Crime Unit (NHTCU). "In the old days it used to be 'We own you because we can.' Now it’s mainly financially motivated."

Burls has worked on some of the most prominent cyber crime crackdowns of the past ten years.

In 2006, he was part of a joint UK-Finnish operation, dubbed "Operation Kennet," that took down the m00p virus writing group, which was responsible for a wave of email-borne virus campaigns. Clues buried in the malware the group created led investigators to the malware author and botnet operators.

The Stinx Trojan horse contained a reference to the M00P gang inside its code

In joint raids, police arrested a 23 year-old career criminal in Finland, Artturi Alm, and Matthew Anderson, a 33 year-old father from Drummuir, Scotland, who used the online handle "Warpigs."

Burls said that the typical image of a computer criminal is of a young man with pallid complexion, dressed in black and hidden away in a dark room. But that's not the case. "It's a mistake to believe that," Burls told Naked Security. "These people could look like you or me."

Working on some of the UK's biggest computer crime cases, Burls said that criminal malware has become far more sophisticated and stealthy in the last decade. Early malware variants, such as Troj/TKBot, were enormous by comparison with today's malware, Burls recalls.

"There was an IRC client component with an FTP server packaged together with scripts," he recalled of Troj/TKBot, which was the creation of a UK-based hacking group called "Thr34t-Krew" and spread by exploiting a hole in Microsoft's IIS Web Server.

2003 news report about the Thr34t-Krew

Over time, however, malware authors figured out how to distil their creations into single, efficient binaries such as 2004's W32/Agobot.

And, finally, into the super-efficient programs like Zeus (also known as Zbot) and SpyEye that typify modern malware.

Burls said the sophistication of modern data-stealing programs is astonishing.

Attackers no longer need to rely on victims opening malicious email attachments to get a foothold on their machines. Instead, exploit kits coupled with compromised websites can deliver a malicious payload without any user interaction.

And malware has gotten more aggressive in vacuuming up sensitive information in order to turn a profit for the malware authors, he said.

"When you seize a Zeus Command and Control server, reconstruct and examine it, and you see the amount of data that it has gathered and how invasive it is, it's simply breathtaking in detail. You're talking about passwords, email addresses, seeing what the victim bought online, phone numbers he or she uses and key stroke logging, as well as harvested financial account information."

The sophistication of the criminals behind the malware isn't always as impressive. Alm, the Finnish cyber crook arrested in connection with the m00p malware, famously embedded his government ID number in the malware he created, and tattooed his online handle, "Okasvi," on his arm.

Meanwhile, law enforcement has greatly improved its cyber investigative capabilities in the last decade.

When Burls started his cyber investigation career, the UK had no centralized computer crime force. That changed with the creation of the NHTCU, which Burls joined in 2001 as a Network Investigator before moving on to the prestigious Metropolitan Police Computer e-Crime Unit (PCeU) in 2004.

"I think one of the biggest challenges is still the multi-jurisdictional nature of the internet," he told Naked Security. "The first malware case I dealt with involved people in both the UK and across the US who had never actually met. Yet they formed an online group and created an internet worm," he said.

"It's the nature of the internet to make information accessible to all," Burls said. "But that can make it difficult to investigate these cases. For example, a group of criminals can be resident in different countries, and their infrastructure located in other jurisdictions where different laws apply."

And the barriers aren’t merely legal.

"Something as simple as time zones can have an impact and need to be factored in during a case," Burls said. "An investigator who you are working with may be eight hours behind you or ahead of you, so just finding time to talk needs consideration. Cybercrime investigations are complex and more than just email communication is needed."

Timezone clocks. Image from Shutterstock

After years of working alongside his counterparts in the anti-malware industry, Burls said he joined Sophos as a consultant to lend his law enforcement experience to the job of researching cybercrime.

"The data sets that Sophos has are vast," Burls said. "I think I can bring my investigative experience to bear on that. It is a very exciting opportunity."

Asked to give Naked Security readers advice about how to avoid being the victim of a cyber crime, Burls said that he sees user awareness of security issues growing, but that popular misconceptions can still leave consumers vulnerable to attack. It's vitally important to be vigilant, as well as to keep both your operating system and critical applications like your web browser patched and up to date, he said.

"People think 'Windows Update ran, so I'm safe.' But they don't realize that perhaps they may be running an out of date version of an application, leaving them vulnerable to exploits," he said.


2 Responses to UK’s top ecrime investigator describes a life fighting cybercrime

  1. Joris Bolsens · 665 days ago

    Size is becoming one of the biggest things in malware; 200kb is now considered a huge bin and will not be used by most "hackers".

  2. Ellen · 392 days ago

    3 months a malicious attack began with disabling Facebook. Skype screen contained photos fixed and immovable. Surveillance via computer screen, and intrusion on my computer, adding apps and photos. Malware including a trojan horse and spigots. After surgery you just sometimes focus on other things. Then the iPhone was remotely jail broken, loaded with cyber propaganda.

    She's back. Disabling passwords at lightning speed. Choosing apps for the computer and broke into my Google Web Browser to surf the Anonymous Hackers and their associates in cyber crime. (I was suspended for a month...) I lost 6 e-mail accounts altogether, and all this fun goes on in the middle of the night. Isolation is a way of life, as most people wouldn't believe it anyway. The federal agencies have no time.

    I have a plan in place that should work involving forensic analysis. Money is no good to me living this way. FYI, the US needs some crisis and trauma workers trained in the field. This is a diabolical, intrusive, hateful, sadistic crime. Educate yourselves, and change passwords.


About the author

Paul is a Boston-based reporter and industry analyst with more than a decade of experience covering the IT industry, cyber security and hacking. His work has appeared on threatpost.com, The Boston Globe, salon.com, NPR's Marketplace, Fortune Small Business, as well as industry publications including ZDNet, Computerworld, InfoWorld, eWeek, CIO, CSO and ITWorld.com. Paul got his 15 minutes as an expert guest on The Oprah Show, but that's a long story.