The secrecy of underground forums where financial malware and crimeware kits are traded is well guarded, to the point that few are able to penetrate them without some kind of internal sponsor. Here, criminals value their privacy as much as those from whom they steal.
That’s what makes a recent discovery from RSA Security’s FraudAction Research Lab all the more jarring. Expert Limor Kessem found this week that a new fraud service was being marketed over Facebook. The developer, an Indonesian-speaking person, was selling a customized botnet panel for the Zeus Trojan.
Kessem said the Facebook page was updated frequently with information about botnets, exploits and their version of Zeus.
“Beyond having compiled a working Zeus Trojan kit, the developer customized an attractive control panel for the admin (basic and familiar in functionality, and taken from previous Zeus versions), the developer and his team created a demo website for potential buyers—which they have no qualms about sharing publicly,” Kessem said.
While this particular criminal is an outlier, the use of social networks to market crimeware speaks to the commodity nature some of the malware used for fraud. Zeus source code was leaked online in 2011, and since then many variants have popped up, each with varying degrees of functionality. While high-end underground forums are out of reach for many, others such as this developer, might be trying to expand their reach with his own version of the banking malware and taking advantage of a market shift where some of the more professional malware dealers have been laying low. Some, such as the keepers of the Citadel Trojan, have sworn off commercially selling their kit and will trade only with current and trusted customers.
“Underground forums are fairly well protected; these folks want to keep a low profile,” said George Tubin, senior security researcher at Trusteer. “But, you can imagine that maybe some want to branch out a little and get into a new market and attract folks who are not part of this secret underground as a way to reach out. Maybe they want to reach out to a new group of folks with no access to forums or don’t know how to get to them.”
In fact, commercial versions of Zeus, SpyEye and Ice IX aren’t for sale either, another trend leading toward crimeware kits and service offerings available online.
“This case shows that the code leak, leading to the availability of the Trojan, makes for an even more diverse crimeware market, one that gives room to new offerings, especially at a time when all the major developers are staying away from the commercial arena,” Kessem said. “Marketing cybercrime in such an open and accessible manner is not something common.”
Crimeware kits and fraud services have become increasingly specialized, Tubin said, and cheaper. Criminals not only sell malware, phishing kits and botnets ready for launch, but have added features such as phone flooding capabilities for denial-of-service attacks, as well as check-forging specialists who can create counterfeit personal checks from stolen online check images. Specialization has also come to malware and botnets, to the point where compromised computers making up a botnet can be sold or rented according to geography if an attacker wants to target a particular regional financial institution.
“It’s amazing how every piece can be bought directly or as a service,” Tubin said, adding that malware writers want to make these kits sellable, therefore, easy to use.
“There are a broad range of kits out there,” he said. “Malware writers want to make them as intuitive as possible in order sell to a wide variety of folks, not just sophisticated programmers. That’s probably what is being sold on social networks and other outlets where they are reaching out to folks they have not before hoping these people just get sucked in once they realize how easy it is to do.”