By Dancho Danchev
Just how easy is it to generate an undetected piece of malware these days? Too easy to be true, largely thanks to the rise of managed crypting services, and the re-emergence of the DIY (do it yourself) trend within the entire cybercrime ecosystem.
With hundreds of thousands of new malware variants processed by the industry on a daily basis, it’s fairly logical to conclude that over the years, the bad guys have adapted to signature-based antivirus scanning protection mechanisms, and have achieved disturbing levels of automation and efficiency. How do they do that?
Let’s find out by profiling a recently spotted Web-based DIY malware cryptor, emphasize on the future potential of such underground projects, as well as provide MD5s of malware samples known to have been generated using it.
Sample screenshot of the DIY malware cryptor as a Web service:
As you can seen in the attached screenshot, the DIY Web service allows full customization of the malicious output. Thankfully, the service fails to “innovate”, and it also lacks major differentiation factors like the ones found in popular DIY malware generating tools available on the underground market. In fact, a malware as a Web service that I profiled in 2007 had a better emphasis on customization features compared to this service, publicly advertised in early 2013. What about the pricing? $7 per sample. And the service currently accepts Western Union, MoneyGram, WebMoney and Liberty Reserve.
It’s worth emphasizing on the fact that, in 2013, despite the availability and constant development of desktop based DIY malware cryptors, cybercriminals tend to rely on managed services that not only accept bulk orders, but also, anonymously pre-scan these binaries against the most popular antivirus scanners, ensuring a decent degree of QA (Quality Assurance) in these campaigns. In fact, one of the most popular services often integrated in such underground market propositions currently supports API calls for automatic domain/URL checking against public and vendor-specific blacklisting services, and even has a Tor network server address. Although the service isn’t vertically integrating just yet, it’s revenue stream from advertisements of managed and DIY malware crypting services are worth mentioning in the context of how cybercriminals tend to collaborate.
Are we going to see more Web based DIY malware cryptors? Definitely, especially for use in targeted attacks. However, for the time being, the real competition within the cybercrime ecosystem is where the bulk order processing vendors are.
Sample MD5s crypted using the service:
Webroot SecureAnywhere users are proactively protected from these threats.