Malware writers today always try to
conceal their identities, right? Wrong – even some of today’s profit
driven cyber criminals reveal their identities. We are a bit surprised,
but here is the story of how a blackhat has revealed his identity and
is trying to ‘get compensation’ from Kaspersky for conducting research.
Recently we have been looking into a new service for malware
writers: [avtracker dot info]. This is an online service designed to
track AV vendors. The home page of [avtracker dot info] describes the
service which includes protection for malicious programs against
analysis by malware researchers and also calls for a DDoS attack
against security companies:
some of our fellow researchers shared a network request with us that
was used to report back to [avtracker dot info]. This request was used
in a special spy program which was distributed to various antivirus
labs by the owner of [avtracker dot info]. If executed, this spyware
would contact the owner and describe the environment of the infected
machine. We played around with this request, and substituted various
random strings instead of the user name and system parameters.
WHOIS listing was of no use – [avtracker dot info] was registered
anonymously. This was no surprise – cyber criminals usually do register
domains anonymously to hinder identification.
So far, nothing
out of the ordinary – a normal day in the life of an antivirus company.
And then…surprise – the owner of the malware writers’ service contacted
us and revealed his identity. Moreover, he even demanded a ransom of
2000 euro to compensate his purported losses when we attempted to ‘break’
his new toy.
At the time of writing, we have received the spy
program, which had the following message in its code pointing to the
same person who contacted us:
we have gathered all relevant data and forwarded it to our lawyer who
will now take the next steps. If all cyber criminals were as
cooperative as this one, life would be much easier for AV companies.
*This essay first appeared on Viruslist.com.