Just how easy is it to generate an undetected piece of malware these days? Too easy to be true, largely thanks to the rise of managed crypting services, and the re-emergence of the DIY (do it yourself) trend within the entire cybercrime ecosystem.
With hundreds of thousands of new malware variants processed by the industry on a daily basis, it’s fairly logical to conclude that over the years, the bad guys have adapted to signature-based antivirus scanning protection mechanisms, and have achieved disturbing levels of automation and efficiency. How do they do that?
Let’s find out by profiling a recently spotted Web-based DIY malware cryptor, emphasizing the future potential of such underground projects, and providing MD5s of malware samples known to have been generated using it.
More details:
Sample screenshot of the DIY malware cryptor as a Web service:
As you can see in the attached screenshot, the DIY Web service allows full customization of the malicious output. Thankfully, the service fails to “innovate”, and it also lacks the major differentiation factors found in popular DIY malware generating tools available on the underground market. In fact, a malware-as-a-Web-service that I profiled in 2007 had a better emphasis on customization features than this service, which was publicly advertised in early 2013. What about the pricing? $7 per sample. The service currently accepts Western Union, MoneyGram, WebMoney and Liberty Reserve.
It’s worth emphasizing that, in 2013, despite the availability and constant development of desktop-based DIY malware cryptors, cybercriminals tend to rely on managed services that not only accept bulk orders, but also anonymously pre-scan the resulting binaries against the most popular antivirus scanners, ensuring a decent degree of QA (Quality Assurance) for these campaigns. In fact, one of the most popular services often integrated into such underground market propositions currently supports API calls for automatic domain/URL checking against public and vendor-specific blacklisting services, and even has a Tor network server address. Although the service isn’t vertically integrating just yet, its revenue stream from advertisements of managed and DIY malware crypting services is worth mentioning in the context of how cybercriminals tend to collaborate.
Are we going to see more Web-based DIY malware cryptors? Definitely, especially for use in targeted attacks. However, for the time being, the real competition within the cybercrime ecosystem is among the bulk order processing vendors.
Sample MD5s crypted using the service:
Webroot SecureAnywhere users are proactively protected from these threats.
You can find more about Dancho Danchev at his LinkedIn Profile. You can also follow him on Twitter.
The bad site you are referring to is: hxxp://germenyou[.]com/