Sunday, August 28, 2011

Meet Ice IX, Son Of ZeuS

Earlier this year the source code of the ZeuS online banking trojan was leaked. One of the predictions made by security researchers at the time was that independent malware developers would explore the leaked code and develop their own hybridized versions of ZeuS, adding custom features and advancements to it.

A new trojan was briefly presented to cybercriminals in the Russian-speaking underground in late April 2011 (as v1.0.0). The developer, who named the new trojan "Ice IX", openly declared that he based it on the ZeuS v2 source code, allegedly fixing the flaws and bugs he believed needed attention in order to improve the product's value to its cybercriminal customers.

What's in a name: the meaning of "Ice IX"
The naming of Ice IX is quite interesting; there are a number of sources from which the developer could have been inspired to name the new trojan Ice IX. I've listed these in order from "most likely" to "least likely" to have been the inspiration.

  1. Ice 9 is a fictional computer virus from the film "The Recruit" (2003). The malware, named Ice-9 in tribute to Kurt Vonnegut's ice-nine (see item no. 8 below), would erase hard drives and travel through power sources which are not protected; possibly erasing data from every computer on Earth.
  2. Ice 9 is an album by Russian rock band Smyslovye Gallyutsinatsii, two songs from which won the Russian Golden Gramophone award twice. The band is also known under a much shorter name "Glyuki", a slang term, which means basically the same as the long name: glitches in your brain. More: http://en.wikipedia.org/wiki/Smyslovye_Gallyutsinatsii
  3. ICE is a well known cyberpunk reference to "Intrusion Countermeasures Electronics" - software which works to prevent intruders/hackers/cyberpunks getting access to sensitive data. It is "visible" in cyberspace as actual walls of ice, stone, or metal. Black ICE refers to ICE that are capable of killing the intruder if deemed necessary or appropriate; some forms of black ICE may be artificially-intelligent.  More: http://en.wikipedia.org/wiki/Intrusion_Countermeasures_Electronics
  4. In cryptography, ICE (Information Concealment Engine) is a block cipher published by Kwan in 1997. The ICE algorithm is not subject to patents, and the source code is in the public domain. More: http://en.wikipedia.org/wiki/ICE_(cipher)
  5. The term ICE, referencing the cyberpunk usage, has been adopted by some real-world security software manufacturers: BlackICE, security software made by IBM Internet Security Systems. Black Ice Defender, security software made by Network ICE. Network ICE, a security software company. 
  6. On April 28, 2009, the Information and Communications Enhancement Act, or ICE Act for short, was introduced to the United States Senate by Senator Tom Carper to make changes to the handling of information security by the federal government, including the establishment of the National Office for Cyberspace. More: http://www.opencongress.org/bill/111-s921/show
  7. Ice IX is a form of solid water stable at temperatures below 140 K and pressures between 200 and 400 MPa. It has a tetragonal crystal lattice and a density of 1.16 g/cm³, 26% higher than ordinary ice. It is formed by cooling ice III from 208 K to 165 K (rapidly—to avoid forming ice II). Its structure is identical to ice III other than being proton-ordered. More: http://en.wikipedia.org/wiki/Ice_IX
  8. Ice-nine is a fictional material conceived by writer Kurt Vonnegut in his 1963 novel "Cat's Cradle". It is different from, and does not have the same properties as, the real-world ice polymorph Ice IX; existing, for example, as a stable solid at room temperature and regular atmospheric pressure. More: http://en.wikipedia.org/wiki/Ice-nine
  9. Ice 9 is a song by Joe Satriani from his album Surfing with the Alien.
  10. Ice Nine is a first-person shooter game for the Game Boy Advance console. More: http://en.wikipedia.org/wiki/Ice_Nine_(game)
  11. A substance called Ice 9 is referred to in the Nintendo DS game "999: Nine Hours, Nine Persons, Nine Doors". It seems to be a reference to Vonnegut's ice-nine substance, and not to the real thing. More: http://en.wikipedia.org/wiki/999:_Nine_Hours,_Nine_Persons,_Nine_Doors
  12. Ice Nine is the name of a new screenplay which is currently in development by New York production company Whiskey Outpost. More: http://whiskeyoutpost.com/ice.html
Wow, bet you never knew there were so many references to ICE and Ice 9 in the world, right? So, back to the malware form of Ice IX...

Tracker Evasion
The new feature considered most valuable by Ice IX's developer is a defense mechanism designed to evade tracker sites, which he managed to implement in version 1.0.5 of the Ice IX trojan. The developer repeatedly stresses that his buyers will finally be able to sidestep what has apparently become quite the hurdle for cybercriminals: the ZeuS and SpyEye trackers. The two main tracker sites, "ZeuS tracker" and "SpyEye tracker", are operated by a Swiss-based organization which monitors malicious C&C (Command and Control) servers and reports them to web users, service providers, CERTs and law enforcement agencies. Ice IX's developer claims that the evasion mechanism means the malware can be hosted on standard (legitimate) hosting servers, as opposed to having to use so-called "bulletproof" servers, which are expensive and typically operate specifically to service cybercrime-based customers.

A Better Injection Mechanism
The injection mechanism refers to how the malware is able to "inject" code and data into the webpage of an online banking site, while the user is actually using the site, in order to alter the function of the page. Typically ZeuS has had problems when injecting into JavaScript and also had difficulty maintaining the original look and feel of a page when CSS was used. Ice IX seems to have overcome some of these issues, giving the malware a much better success rate.

Marketing the Malware
Extracts from the original text posted by Ice IX's developer in a Russian forum, translated to English:

Ice 9 is a new private Form Grabber-bot based on ZeuS, but a serious rival to it. Built on a modified ZeuS core, the core was re-worked and improved. The bypassing of firewalls and other proactive defenses was perfected. Moreover, the injection mechanism has been improved, allowing much more stability for the injections. The main purpose of this trojan was to counteract trackers, raising the conversion rate and the bots' TTL (time to live), as compared to its predecessor. These features were successfully implemented as we constantly work to further improve the code.

Main Functions

  • Keylogging
  • HTTP and HTTPS Form Grabbing, injecting its own code into IE and into IE-based browsers (Maxthon, AOL, etc.), as well as Mozilla Firefox.
  • .sol Cookie Grabbing and scraping info from saved forms
  • FTP client credentials grabbing: FlashFXP, Total Commander, WsFTP 12, FileZilla 3, FAR Manager 1, 2, WinSCP 4.2, FTP Commander, CoreFTP, SmartFTP
  • Windows Mail, Live Mail, Outlook grabbing
  • Socks with backconnect possibility
  • Real-Time screenshots, plus the option to automate taking screenshots while the bot browses to preset URLs
  • Grabs certificates from MY storage space and clears storage (certificates marked as “Non-Exportable” cannot be exported correctly). Once cleared, all new certificates will be sent to the bot master's C&C server.
  • Upload specific files from the infected machine or perform searches on local disks enabling wildcards.
  • TCP protocol traffic sniffer
  • Elaborate set of commands to control the infected PCs 
Advantages
  • Protected from trackers¹
  • Host your botnet with conventional hosting, not needing bulletproof servers, which will save you loads of money.
  • Better bot conversion rate², frequent version upgrades and tech support.
  • Developing more modules and features may be negotiated per the client’s request.
¹ By trackers, the developer means the ZeuS tracker and SpyEye tracker: Swiss-based anti-malware organizations.
² Bot conversion rate is the number of bots which actually communicate with the C&C server divided by the total number of bots infected.

Licensing and Prices for Version 1.0.5

  • BASIC LICENSE: Trojan with hardcoded C&C server: $600. You get the Bot + the Builder that generates the configuration file.
  • COMPLETE LICENSE: Open Trojan with unlimited Builder license: $1,800 

Ice IX is offered at a lower price than what one would have paid for a comparable ZeuS kit or SpyEye kit (SpyEye is still being sold for approximately $4,000 USD today). According to earlier posts about Ice IX, an open license to the first version, v1.0.0, was sold for $1,500.

Upcoming Enhancements
In an English-speaking online forum, the trojan's developer gives potential buyers a glimpse into what will be included in the next upgrade:

  • HTML & JavaScript injections that will work on the Firefox browser.
  • A function that will block the SpyEye trojan on Ice IX-infected PCs (this sounds exactly like the 'Kill ZeuS' feature of SpyEye).
  • As with ZeuS, Ice IX will encrypt communication with the C&C server, using a different encryption algorithm to ZeuS.
Review of Ice IX by another Cybercrime Vendor
After the posting of Ice IX, another vendor selling HTML injections offered his stamp of approval of the Ice IX trojan. The new Ice IX buyer had some opinions on the injection mechanism of Ice IX:
  • JavaScript files are easily injected, and you can’t say that about ZeuS 
  • CSS files are successfully injected; it appears that Ice IX supports the use of Cascading Style Sheets in the process of integrating injected content into the original website's look and feel. This improvement steps-up the appearance of injected content and web page replicas. 
  • The order of data_before, data_after, data_inject blocks plays no role. The trojan understands them in any block order. When referring to data_before / data_after blocks, the fraudster is speaking of the delimiters that must be specified for a web injection. For example:
    • Data_before: When a login set requires username, password and secret question, the data_before is all three sets
    • Data_inject: The additional data that the fraudster would like to inject into the page
    • Data_after: The lower limit field of the data the trojan looks for
In the ZeuS trojan's injection mechanism, these three blocks had to come in a specific order. Using Ice IX, the order no longer matters; the trojan understands what it has to locate and inject. This means that the new injections are more fault-tolerant than they were in ZeuS. Other changes applied to the code also aim to make the trojan easier to use and more tolerant: the use of wildcards in URL names does not slow page loading, and case-sensitive search terms could be incorporated into the data fields searched by the trojan.
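A defender-side check for the kind of field injection described above, added here as an example (it is not code from the original post or from any trojan): the bank's server compares the control names in the form it served with what comes back from the client. The login form, field names and POST bodies are constructed sample data, and `form_fields`, `unexpected_post_fields` and `injected_controls` are hypothetical helper names.

```python
from html.parser import HTMLParser
from urllib.parse import parse_qsl

FIELD_TAGS = {"input", "select", "textarea"}


class FormFieldCollector(HTMLParser):
    """Collect the names of form controls, grouped by the enclosing form's action."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.forms = {}        # form action -> set of control names
        self._current = None   # action of the form currently being parsed

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "form":
            self._current = attrs.get("action") or ""
            self.forms.setdefault(self._current, set())
        elif tag in FIELD_TAGS and self._current is not None:
            name = attrs.get("name")
            if name:  # unnamed controls (e.g. a bare submit button) are never submitted
                self.forms[self._current].add(name)

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def form_fields(html, action):
    """Return the set of control names in the form that posts to `action`."""
    collector = FormFieldCollector()
    collector.feed(html)
    collector.close()
    return collector.forms.get(action, set())


def unexpected_post_fields(served_html, action, post_body):
    """Parameter names in a submitted body that the served form never defined."""
    expected = form_fields(served_html, action)
    submitted = {key for key, _ in parse_qsl(post_body, keep_blank_values=True)}
    return sorted(submitted - expected)


def injected_controls(served_html, rendered_html, action):
    """Controls present in the page as rendered on the client but not as served."""
    return sorted(form_fields(rendered_html, action) - form_fields(served_html, action))


# Constructed sample: the login form exactly as the bank serves it.
SERVED_LOGIN = """
<form action="/login" method="post">
  <label>Username <input type="text" name="username"></label>
  <label>Password <input type="password" name="password"></label>
  <input type="hidden" name="csrf_token" value="constructed-token">
  <input type="submit" value="Sign in">
</form>
"""

# Constructed sample: the same form as reported from a client where extra
# fields were spliced in between the password field and the hidden token.
RENDERED_ON_CLIENT = """
<form action="/login" method="post">
  <label>Username <input type="text" name="username"></label>
  <label>Password <input type="password" name="password"></label>
  <label>Card PIN <input type="password" name="card_pin"></label>
  <label>Secret answer <input type="text" name="secret_answer"></label>
  <input type="hidden" name="csrf_token" value="constructed-token">
  <input type="submit" value="Sign in">
</form>
"""

# Constructed sample POST bodies.
CLEAN_POST = "username=alice&password=correct+horse&csrf_token=constructed-token"
TAMPERED_POST = (
    "username=alice&password=correct+horse&card_pin=0000"
    "&secret_answer=blue&csrf_token=constructed-token"
)

if __name__ == "__main__":
    print("clean POST extras:   ", unexpected_post_fields(SERVED_LOGIN, "/login", CLEAN_POST))
    print("tampered POST extras:", unexpected_post_fields(SERVED_LOGIN, "/login", TAMPERED_POST))
    print("injected controls:   ", injected_controls(SERVED_LOGIN, RENDERED_ON_CLIENT, "/login"))
```

This only catches injected controls that are submitted with the form or reported back from the client; a clean POST does not show that the client is uninfected.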

Conclusion
So we can expect that from now on, more new banking malware will be based on ZeuS (and SpyEye) code. New malware developers, hoping to profit from cybercrime, will attempt to create their own new alternatives based on this source with the addition of incremental improvements over the older versions.

Follow @dodgy_coder

Subscribe to posts via RSS

Monday, August 22, 2011

Classifying Hacking in 4D: Impact, Illegality, Evilness and Complexity



This chart is an attempt to classify hacking events and methods with something more than the simple black, white and grey hat hacking classification. After looking through a number of different possible attributes, the ones I came up with were the following, each rated on a scale of 0 to 10.
  • IMPACT
    What sort of damage has been done to systems or to finances? A score of 0 means an improvement was made to the system due to the hack.
  • ILLEGALITY
    Where on the legal scale does the event lie, in the range of 100% legal to 100% illegal, or might it be a bit of a "grey area"?
  • EVILNESS
    Yes, a bit subjective I know, but can we generalize that the motivation of the attacker is good, evil or maybe something in between?
  • COMPLEXITY
    How complex was the attack? Is it a simple DDoS or an advanced threat like an online banking password stealing botnet?
Please note that this is just the first draft of the chart, and I've guesstimated the above data as best as I could. This is an attempt to see how the chart feels when classifying hacking methods.

Any comments would be most appreciated.


Thursday, August 18, 2011

Online Banking Safety

Specialist eBanking Malware
  • Specialized trojan malware infecting PCs used for internet banking is becoming prevalent.
  • For example the ZeuS Trojan or SpyEye Trojan are both designed to infect a Windows-based PC and enlist it into a botnet of controlled PCs, from which can be harvested online banking usernames, passwords and credit card credentials.
What Happens During An Attack
  • The trojan malware only becomes active when a user on the infected computer connects to a bank website, during which the trojan starts to record account details, passwords and other confidential information.
  • The trojan malware will typically add one or more new employees or payee accounts in the name of "money mules".
  • A transfer between $1,000 and $10,000 will be made to a "money mule" account - a legitimate bank account held by a real customer. 
  • Owners of these "money mule" accounts have agreed to transfer sums they receive to someone else, after taking a cut. They are often unaware of being involved in a crime, and are typically targeted by "work at home" type scams offering easy money, or given some other legitimate reason why they are required to transfer the money.
  • By the time the police have investigated the attack, the recipient of the money will usually have collected the transferred money, and is usually residing outside of the country of both the victim, and the money mule.
The Source of the Problem
  • The source code for the ZeuS Trojan was originally offered for sale for approximately $10,000 to enable criminal gangs to control their own botnet or customise it for their particular market's needs.
  • The source code of the ZeuS trojan has now been leaked and is available for free (or at a nominal cost) on hacker forums.
  • The leak of the ZeuS source on May 7, 2011 is described here.
  • The SpyEye 'builder' crack was leaked on August 11, 2011, as described here
  • French security researcher Xyliton, part of the Reverse Engineers Dream (RED) Crew, reverse engineered the 'builder' (the tool that generates the SpyEye malware) and was able to crack its hardware identification (HWID) layer, which locked the SpyEye builder to a particular physical device.
  • The cracked SpyEye builder enables new trojan developers to avoid the attribution that was previously associated with the high-priced toolkit and launch their own, untraceable versions of SpyEye. Where previous trojans built using the kit could be traced back to the original buyer of the toolkit, this will make it more difficult to track SpyEye botnets back to the source, since they have no attribution.
A Virtual Turf War: ZeuS vs SpyEye 

The ZeuS malware package has been around long enough to earn the title "crimeware toolkit" from Symantec. The relatively newer SpyEye, first seen in 2010, includes a component called KillZeus that destroys its "competitor", ZeuS, on any machine they share. In addition to eliminating a competing botnet operator on an infected machine, being able to delete the older ZeuS Trojan gives the newer SpyEye operator a pre-configured bot which has already proven that its owner isn't going to discover the infection immediately. In both ZeuS and SpyEye, the malware developers have tried to build anti-kill functions into their own malware, so ZeuS can now defend itself against SpyEye's KillZeus module. It seems that in the world of botnet development, as with legitimate product sales, existing victims (read customers) are a lot more stable and valuable than new, unproven ones.

Attack Prevention and Mitigation Methods
  • Ensure your browser and operating system are up to date.
  • Avoid Microsoft Internet Explorer if possible; Mozilla Firefox and Google Chrome are generally safer.
  • Ensure up-to-date and effective commercial anti-virus software is installed.
  • If possible use a dedicated PC specifically for commercial internet banking only. This means it will see no general-purpose internet usage, and is therefore less likely to get infected.
  • Change online banking passwords regularly, at least once per month for commercial internet banking.
  • Implement two-factor authentication for banking/payroll transfers.
  • Ask your bank to remove or restrict the capability to add new employees and/or new payee accounts from your online account. Replace this operation with a secure method, requiring at least two-factor authentication and/or phone support.
Recent Cases of Businesses and Organisations Targeted by Banking Trojans

July, 2011   Total scammed: $217,000
Metropolitan Entertainment & Convention Authority (MECA), a nonprofit organization responsible for operating the Qwest Center in Omaha, Nebraska was targeted by unspecified malware infecting one computer via an email attachment. Details here.

July, 2011   Total scammed: $28,000
The Town of Eliot, Maine - the PC belonging to the town controller was infected with unspecified banking trojan malware. Details here.

February, 2011   Total scammed: $150,000
Port Austin, Michigan based United Shortline Insurance Service Inc., an insurance provider serving the railroad industry, discovered on Feb. 5 that the computer used by their firm’s controller had been infected with the ZeuS trojan. Details here.

January, 2011   Total scammed: $378,000
The town of Poughkeepsie, New York was hit by unspecified cyber criminals from Ukraine who took over control of their online bank account. Details here.

November, 2010   Total scammed: $63,000
Green Ford Sales of Abilene, Kansas was infected with the ZeuS trojan malware.  Details here.

October, 2010   Total scammed: $600,000
The city of Brigantine, New Jersey had their online banking credentials compromised by unspecified malware.  Details here.

March, 2010   Total scammed: $465,000
California-based real estate escrow company Village View Escrow was infected by the ZeuS trojan. Details here.

November, 2009   Total scammed: $200,000
Plano, Texas based Hillary Machinery Inc. was hit by cyber criminals from Romania and Italy who transferred $801,495 out of their account in 48 hours. In this case the bank, PlainsCapital, managed to retrieve roughly $600,000 of the money. Details here.

Sunday, August 7, 2011

AntiSec Hacks US Law Enforcement: 10GB of Emails and Data Made Public

The home page of the website where AntiSec have dumped the leaked data

In retaliation for recent arrests, the AntiSec hacking group say they've released their "largest cache yet" of data stolen from law enforcement agencies in the US, and have dubbed it "Shooting Sheriffs Saturday".

The Leaked Data Contains:

  • Over 300 email accounts from 56 law enforcement domains, totaling more than 200,000 messages.
  • 7000+ home addresses, usernames, passwords, phone numbers, credit card numbers, and SSNs (Social Security Numbers) from the Missouri Sheriff account dump (mosheriffs.com).
  • Online Police Training Academy files (PDFs, videos, HTML files).
  • List of "Report a Crime" informants (60+ entries).
  • Plesk (Website administration tool) server passwords giving access to FTP, SSH, Email, CPanel and .HTACCESS Protected directories.

Recent Arrests
Law enforcement around the globe have arrested several suspected Anonymous members in recent days, including the UK's Jake Davis who is suspected to be LulzSec spokesman Topiary. Before this came the arrests of 16 people in the US, four in the Netherlands, and a 16-year-old in London (suspected to be LulzSec member Tflow) as part of a global investigation into denial-of-service attacks on PayPal late last year in support of WikiLeaks, and other attacks. The AntiSec release says this attack was made "in solidarity with Topiary and the Anonymous PayPal LOIC defendants as well as all other political prisoners who are facing the gun of the crooked court system".

DHS Bulletin
One of the motives for AntiSec seems to be a recent DHS (US Department of Homeland Security) bulletin.

From AntiSec: "A recent DHS bulletin has called us "script kiddies" that lack "any capability to inflict damage to critical infrastructure" yet we continue to get in and out of any system we please, destroying and dropping dox on the mightiest of government systems that are supposed to be protecting their sick nightmare of "law and order". GIVE UP. You are losing the cyberwar, and the attacks against the governments, militaries, and corporations of the world will continue to escalate."

Here are the two relevant passages from the DHS bulletin which seem in particular to have irked AntiSec:

  1. "The actors who make up the hacker group “Anonymous” and several likely related offshoots like “LulzSec”, continue to harass public and private sector entities with rudimentary exploits and tactics, techniques, and procedures (TTPs) commonly associated with less skilled hackers referred to as “Script Kiddies”. [Script Kiddie: Unskilled individuals who use scripts or programs developed by others to attack computer systems and networks and deface websites.] Members of Anonymous routinely claim to have an overt political agenda and have justified at least a portion of their exploits as retaliation for perceived ‘social injustices’ and ‘freedom of speech’ issues. Attacks by associated groups such as LulzSec have essentially been executed entirely for their and their associates’ personal amusement, or in their own hacker jargon “for the lulz”."
  2. "So far, Anonymous has not demonstrated any capability to inflict damage to critical infrastructure, instead choosing to harass and embarrass its targets."
How they did it
The initial compromise of the sheriff websites was made about two weeks ago against Arkansas-based web designers Brooks-Jeffrey Marketing (BJM), which hosts sheriff association websites. The hackers say they were easily able to get back into the compromised servers after they were taken offline to have their security beefed up by the law enforcement agencies. "We were surprised and delighted to see that not only did they relaunch a few sites less than a week later, but that their 'bigger, faster server that offers more security' carried over our backdoors from their original box. This time we were not going to hesitate to pull the trigger: in less than an hour we rooted their new server and defaced all 70+ domains while their root user was still logged in and active."

An internet security expert claims AntiSec may have gone after the sheriffs' offices because their hosting company was an easy target. Dick Mackey, vice-president of consulting at SystemExperts of Sudbury, Massachusetts, said many organizations did not see themselves as potential targets for international hackers, causing indifference that could leave them vulnerable. "It seems to me to be low-hanging fruit," he said. "If you want to go after someone and make a point and want to have their defences be low, go after someone who doesn't consider themselves a target."

In a further embarrassment, AntiSec used the stolen credit card details to make donations to the American Civil Liberties Union, the Electronic Frontier Foundation, and the Bradley Manning Support Network, according to the statement. They are strong supporters of whistle-blower site WikiLeaks and Manning, the Army soldier arrested last year for leaking classified data to the site.

Links

AntiSec's original media release: http://pastebin.com/iKsuRkUj

The AntiSec statement signs off with some poetry/rap:

I take a left at the light, turn off the headlights and ride real slow
Now holla at me when you see the 5-0
Alright Dirty, yall boys ready?
Bout to turn drive-bys revolutionary
*POW POW POW POW POW* YEAH MUTHAFUCKA YEAH!
*POW POW POW POW POW* YEAH MUTHAFUCKA YEAH!
Look at 'em run, too scared to pull they guns
Outta shape from them coffees and them cinnamon buns
This shit is fun, how I feel when the tables is turned
Hollow tips hit yah flesh through yo vests and it burn
That's a lesson you learn, comin straight from the slums
And it don't stop till we get full freedom



Friday, August 5, 2011

McAfee Operation Shady RAT: A Media Storm is Unleashed

On Thursday morning August 4, I switched on the radio on the way to work to listen to the news headlines by the local radio station and was gobsmacked to be hearing them talking about the "biggest cyber attack" ever having been found by McAfee, dubbed Operation Shady RAT. For the first time I can ever remember, an infosec story had made it on the news headlines of my local radio station, and in the process gained some valuable PR and credibility for McAfee...

How it played out

The storm of media interest was sparked at 9.14pm, Tuesday night US time, August 2, when the original blog post and research report was released by McAfee researcher Dmitri Alperovitch. The first media article appeared on Vanity Fair which was given the web exclusive story first.

Many thousands of other media outlets then ran with the story on the following day (Wednesday), typically summarising the research report, with many claiming it to be the biggest cyber attack in history. Many also pointed the finger of blame squarely at China, without any real evidence. Jim Lewis, a cyber expert with the Center for Strategic and International Studies who was briefed on the hacking discovery by McAfee, said it was very likely China was behind the campaign because some of the targets had information that would be of particular interest to Beijing. "Everything points to China. It could be the Russians, but there is more that points to China than Russia," Lewis said.

The facts of the case, as presented by McAfee's report
  • Botnet-like malware communicating with a single C&C (Command and Control) server was found on the 72 infected computers.
  • A variety of different exploits were used to gain access to the victims' computers, largely through spear phishing type attacks.
  • 72 organisations were identified across a swathe of areas including government, industrial, technology, defense, sporting, corporate and non-profit NGOs.
  • 49 of the victims were from the USA.
  • There was no evidence presented of any specific or important data being lost.
  • There was no mention of the total number of unique IP addresses that were found to be infected.
The research report clearly states that "In all, we identified 72 compromised parties (many more were present in the logs but without sufficient information to accurately identify them)". In an interview on Friday with Risky.biz, Sean Duca of McAfee Australia contradicted the research document by pointedly remarking that the total number of infected hosts was limited to only the 72 organisations listed in the report. However, in an interview with PC Mag, Dmitri Alperovitch said "I think it's fair to assume, that if you look at the totality of activity that's occurring, it's in the thousands of targets".

As Graham Cluley of Sophos' Naked Security Blog stated "What the report doesn't make clear is precisely what information was stolen from the targeted organisations, and how many computers at each business were affected." Cluley decried the way the media has rushed to blame China for the attacks. "I don't think we should be naive. I'm sure China does use the internet to spy on other countries. But I'm equally sure that just about *every* country around the world is using the internet to spy. Why wouldn't they? It's not very hard, and it's certainly cost effective compared to other types of espionage." he wrote.

Hon Lau from Symantec has poured cold water on the "biggest cyber attack" headlines surrounding the case - "While this attack is indeed significant, it is one of many similar attacks taking place daily." He also outlines the way the attackers used spear phishing to target individuals, typically through email attachments including Word documents, Excel documents, PDF files or PowerPoints. "These files are loaded with exploit code, so that when the user opens the file the exploit code is executed, resulting in the computer becoming compromised." he wrote.

One thing is for sure, it may not have been the biggest cyber attack in history, but it is certainly one of the most successful infosec media releases ever made, and for that McAfee must be congratulated: at least it has again focused some much needed attention in the media for such an important topic.



Tuesday, August 2, 2011

Bitcoin Price vs Google Search Trend: Correlation


An interesting relationship has come to light between the closing price of Bitcoin (on the MtGox USD exchange) and the level of interest in Bitcoin as measured by Google Insights for search. The above data was taken for the last 90 days. The faint blue line represents the search interest in the term "bitcoin" and the dark black line represents the closing price of Bitcoin on the MtGox USD exchange.

Is Bitcoin a Bubble?

As the Bitcoin wiki itself states, yes, Bitcoin is a bubble, but only insofar as the US Dollar and Japanese Yen are also bubbles, i.e. they only have value in exchange and no value in use by themselves. If a loss of confidence occurred in any currency, its value could drop dramatically overnight.

The definition of a Speculative Bubble on Wikipedia lists a number of possible causes, not least of which are those related to crowd psychology, such as the greater fool theory, which identifies bubbles as being driven by the behavior of irrationally exuberant market participants (the fools) who buy overvalued assets in anticipation of selling them to other speculators (the greater fools) at a much higher price. Another related explanation lies with herd behavior, the observation that speculators tend to buy or sell in the direction of the market trend. This is sometimes pushed along further by market analysts, who try precisely to detect those trends and follow them, which creates a self-fulfilling prophecy.

A well known side effect of a bubble is that market participants with overvalued assets will tend to spend more because they "feel" richer, due to the wealth effect. In history, bubbles have been observed repeatedly in experimental markets, wherever there is some degree of uncertainty, and when market participants find it difficult or impossible to calculate the intrinsic value of the assets.

The phases of a classic bubble
Now let's compare the bubble chart above with the actual year to date (up to Aug-11-2011) closing prices of Bitcoin on the MtGox exchange. Yeah, it's looking more like a bubble every day, even if the scale doesn't quite match those of the classic bubble phases.


