MalwareIntelligence is a site dedicated to research on everything relating to anti-malware security, computer criminology and information security in general, always from a perspective closely tied to the field of intelligence.

3.1.10

Crimeware-as-a-Service and antivirus evasion schemes

The business models offered by cloud computing are not new. Many of the services currently sold under that banner follow a model that was established in the market long ago.

However, the Cloud Computing concept as we know it today reflects a sharp orientation toward generating business by leveraging the Internet as infrastructure, which in a highly competitive market enjoys certain advantages over conventional business.

In this context, the fact is that this way of doing business has also been accepted and implemented by those who profit daily from a battery of programs designed for fraudulent purposes; when offered over the Internet, these take the name Crimeware-as-a-Service, or CaaS for short.

Fraudulent services are taking shape that seek to automate the handling of malware, created solely to evade detection. One example is the now-defunct service called PoisonIvy Polymorphic Online Builder, designed to encrypt malware, which we discussed at the time. Since such a service handles only malicious code, it falls under the term Malware-as-a-Service (MaaS).

Similarly, services are currently being developed for profit and intended to feed the crimeware business through mechanisms that verify how effective malware is against antivirus scan engines.

These services are the antonym of others widely used by security professionals, such as VirusTotal from the Spanish company Hispasec. We have also spoken before about one of them, called VirTest.

There are, however, others such as Private antivirus service (established in 2008), which like VirTest is of Russian origin. It seeks financial gain through a paid service, but also collaborates with the cyber-crime environment by offering the possibility of checking the detection rate of newly created malware at a given moment, while also guaranteeing that the binary will not be shared with antivirus companies. Anonymity is thus assured, along with a longer life cycle for the threat.

The fraudulent service checks the effectiveness of malware against 17 well-known antivirus engines on the anti-malware market and, as shown in the first screenshot, there are three prices depending on the plan "hired":
  • USD 0.2 per check
  • USD 15 for a limit of 10 checks per day
  • USD 20 for unlimited checks
Once inside the system, from the AV check tab, binaries are uploaded to be submitted to the antivirus scan; the service then provides the report and a history of uploads. These options are found in the lower left corner.

An interesting aspect of this crimeware service is the ability to schedule verification tasks through the second tab, called Scheduler.

This option allows, on the one hand, uploading a malicious file from the malware creator's hard drive and, on the other, selecting via URL a piece of malware that is already in the propagation circuit, so that cyber-crooks can verify and monitor the detection of malicious code that is already spreading.

In this way, and through the "scheduler", the frequency with which the uploaded malicious code is re-checked is set according to a chosen time interval, in the range of 3, 6 or 12 hours, or 1 or 3 days.

These parameters are configurable and, once set, can be viewed in a table shown in the same window, where the third column corresponds to the time interval. It also configures how the report notification is delivered, which can be via email or via ICQ.

Clearly, these options are designed with criminal operational speed in mind: checking, at the shortest interval of every 3 hours, whether the threat has been detected by antivirus companies. This lets the malware be changed whenever necessary, and the service be combined with others such as the "service" mentioned above for encrypting files.

Obviously, those who make up the criminal chain of the crimeware business work together through different alternatives, forming yet another line of business that also feeds on criminal activities.

Related information
Russian service online to check the detection of malware
Software as a Service on the malware industry
Creating Online PoisonIvy based polymorphic malware

Jorge Mieres
