By Dancho Danchev
In a series of blog posts shedding more light into the emergence of the boutique cybercrime ‘enterprise’, we’ve been profiling underground market propositions that continue populating the cybercrime ecosystem on a daily basis, but fail to result in any widespread damage or introduce potential ecosystem disrupting features. Despite these observations, the novice cybercriminals behind them continue earning revenue from fellow cybercriminals, continue generating and maintaining their botnets, and, just like small businesses in a legitimate economy model, continue to collectively occupy a significant market share within the cybercrime ecosystem.
In this post, I’ll profile a self-service type of boutique iFrame crypting cybercrime-friendly operation and discuss why its perceived short product/service life cycle is still a profitable cybercrime ecosystem monetization tactic, despite these services’/products’ inability to differentiate their proposition from the market leading competitors whose ‘releases’ remain a major driving force behind the mature state of the underground market in 2013.
Sample screenshot of the iFrame crypting service:
Basically, what the service offers is DIY (do-it-youself) iFrame obfuscation, relying on a newly developed obfuscation algorithm. However, taking into consideration the fact that it doesn’t have the capacity to obfuscate iFrames in bulk orders or obfuscate them on the fly through an API — now an accepted standard for delivering a service/product in the cybercrime ecosystem — it’s product life cycle is prone to be a short one. Interestingly, this will not prevent the cybercriminal operating the service from earning revenue in the short term, with the service’s life cycle prone to be rebooted every once in a while by publicly advertising it at yet another cybercrime-friendly communitiy primarily populated by novice cybercriminals.
In comparison, known, trusted and respected cybercriminals continue causing widespread damage through standard business/ecosystem practices such as standardization, compatibility, real-timeliness, APIs, outsourcing and managed services. Case in point is Paunch’s (author of the Black Hole Exploit Kit) vertical underground market integration, taking into consideration the fact that in addition to the Black Hole Exploit kit, he also operates an on-the-fly malicious script obfuscating service that is well known and respected among cybercriminals. Co-branding it within the Black Hole Exploit kit since the beginning, he’s managed to attract the attention of other sophisticated cybercriminals whose releases are truly disrupting the ecosystem as we know it – by successfully achieving the so called ‘malicious economies of scale’. Not only is his malicious script obfuscation service widely used within the cybercrime ecosystem, sophisticated and newly released automatic exploitation platforms prefer the service to the point where they’d integrate it within their platforms.
Sample MD5 for an obfuscated iFrame using the service: MD5: 1ec320b6d83c5bb5a07ed92eb1722797 – detected by 4 out of 46 antivirus scanners as JS/Crypted.PD.gen; Trojan.JS.ObfJS.ba (v).
We’ll continue monitoring the emerging ’boutique cybercrime enterprise’ trend, and post updates as soon as we spot new services/products.