Cybercrime Services Ramp Up to Provide One-Stop Shop to Meet Demand from Fraudsters: Anti Virus (AV) Checkers, Malware Encryption and Infection Services Feel the Heat (06.12.11)

Services for fraudsters utilizing malware are not new: Anti Virus (AV) checkers, malware encryption and malware infection services have existed in the criminal underground market for several years. However, recent Trusteer Research has indicated changes in service scope and price due to service convergence and demanding buyers.

So what's new?

One-stop shop

Trusteer Research came across a new group that, besides offering infection services (for prices between 0.5 and 4.5 cents per upload, depending on geography), also provides polymorphic encryption and AV checkers. This one-stop-shop approach to malicious services is a natural evolution of the market: if the customers need to infect, they also need to evade AV, so why not sell the whole package? For polymorphic encryption of malware instances they charge from $25 to $50, and for AV checking (verifying that the malware is not detected by anti-virus systems) they charge $20 for one week and $100 for one month of service.

It's a buyer's market

Trusteer Research has also come across advertisements published by prospective buyers of infection services. The ad basically presets the buying price, how it is charged and the scope of the service:

>> The advertiser pays only for unique uploads.
>> The calculations will be conducted according to the advertiser's own Black Hole (exploit kit) stats module.
>> The advertiser will pay in advance to sellers with recommendations, i.e. those that have 1-10 "fresh" forum messages. Otherwise, the sellers will get paid afterwards.
>> The final paid price depends on the percentage of infections:
   · $4.5 per 1,000 of traffic with 3 percent infections
   · $6 per 1,000 of traffic with 4 percent infections
   · $30 per 1,000 of traffic with more than 20 percent infections
>> The domains are checked via a malware scan service website (scan4you) during the day. If a domain is recognized as blacklisted in anti-virus databases, the advertiser will automatically replace it with another.

Lastly, in an attempt to stay competitive, an Encryption Service provider we came across advertised its service for $20 per file and offered a money-back guarantee if the file fails an AV checker.

Conclusion

According to Amit Klein, Trusteer's CTO, "Some malware services like AV checking and Encryption are becoming a commodity, driving cybercriminals to consolidate services to stay competitive and introduce new offerings like the Phone Service we discussed in the previous blog post. Trusteer Research is also looking into other new services on the market - stay tuned."

"Trusteer advises banks and their online banking users to maintain constant vigilance, apply software updates and maintain an awareness of new threats", Klein said. "Trusteer strongly recommends complementing desktop hygiene solutions like Anti Virus with security controls specifically designed to protect against Financial Malware."

Background on cybercrime services

AV Checkers and Malware Encryption

There is ample evidence that malware is poorly detected by Anti Virus software: an MRG Effitas Online Banking Security Test released in June 2011 found that the average AV detection rate for Zeus malware was less than 40 percent in 2010. How are fraudsters pulling this off and evading AV? This is where Malware Encryption and AV checker services come into play. AV detection mechanisms are primarily file-signature based: AV vendors obtain samples of malware files (e.g. the Zeus application) and generate from each file (which is ultimately a sequence of '0's and '1's) a unique string. When the AV encounters a new file through download or file scanning, it compares the file's signature against a database of known malicious file signatures. Where the file signature matches known malware, the AV removes the file or blocks the download.

The signature-based detection approach assumes it can keep pace with new malware: introducing new malware variants with additional functionality takes quite a bit of time and effort to develop. So how are fraudsters effectively and consistently evading detection? Fraudsters use encryption services that change the file's signature without changing the underlying code functionality. AV checkers, which scan malware files with up-to-date versions of the most common AV tools, are used to ensure the encryption is indeed successfully evading detection.

Infection Services

After fraudsters have created an "undetected" malware file, there is still the small issue of placing the malware on the victim's host. Infection services do just that. Some fraudster groups specialize in infecting hosts with malware, either by creating a botnet of hosts that can be infected at will, or by inserting exploit code into sites and routing victims to these sites to infect them via drive-by downloads.

(Trusteer: ma)