Friday, August 31, 2007

Malware as a Web Service

Popular malware tools such as binders and downloaders usually come in a typical software application form. Moreover, when I talk about malware services I mean crypting, packing and limiting the detection rate on demand, while in this case we have a DIY malware as a web service, a trend to come or a fad to dissapear, only time will show but the possibilities for porting popular malware tools in a web service form are quite disturbing.

In the first example we have a malware downloader as a web service with various diversified variables such as custom port and IP to obtain the payload from, as well as the ability to modify the extraction and execution of it. Combined with the option to choose a packer, and whether or not to melt the downloader after it delivers the payload, as well as with the opportunity to choose from a set of predefined icons or select a custom one, turn this malware web service an interesting one to monitor.

A sample of the first service :

Result: 5/32 (15.63%)
BitDefender 2007.08.31 Generic.Malware.Fdld!.D8E4DF1F
eSafe 2007.08.29 suspicious Trojan/Worm
NOD32v2 2007.08.30 probably unknown NewHeur_PE virus
Sophos 2007.08.30 Mal/Heuri-D
Webwasher-Gateway 2007.08.30 Trojan.Downloader.Win32.ModifiedUPX.gen (suspicious)

File size: 11776 bytes
MD5: e9df373f1561bed2a2899707869a7a44
SHA1: 295c6702cb19f6b20720057d61d940921602a0cd

In the second example, we have a malware binder as a web service with pretty much identical features with the first example. If traders of malware services such as the above mentioned crypting, packing and ensuring a lower detection rate, start embracing Web 2.0 in the process of efficiently construction malware, or providing their customers with a DIY experience by constantly ensuring their " web dashboard" is up to date with new services and features - it can get very ugly. So, let's hope it's just a fad.