Monday, October 29, 2007

Multiple Firewalls Bypassing Verification on Demand

Next to the proprietary malware tools, malware as a web service, Shark2's built-in VirusTotal submission, the numerous malware crypting on demand services, the complete outsourcing of spam in the form of a "managed spamming appliance", and the built-in firewall and anti virus killing capabilities in commodity DIY malware droppers, all indicate that the dynamics of the malware industry are once again shifting towards a service based economy with a recently offered multiple firewall bypassing verification on demand service. The following is an automatically translated excerpt :

"Here are a new feature-check your files against popular firewalls. You send us a file, we run it in each individual fayrvole, after full you personal checking account. The cost of single use service is $3. A special service for developers, we check your software and your otpisyvaemsya subject to the results of the verification. File of our service to circumvent firewalls. The cost of the service so far is no different from the usual check. Testing takes about 30/40 minutes, the countdown begins once you responded Support "Doc passed ordering" Every fifth-free ordering. When paying full use prepaid services. Do not worry about sending stay online, with a corresponding demand will be organized kurglosutochnaya work 24/7/365! List of our firewalls at the moment: ZoneAlarm Pro v7.0; Sygate Personal Firewall 5.5; Ashampoo FireWall PRO; Sunbelt Personal Firewall; Outpost Internet Security 2008; Filseclab Personal Firewall Professional Edition; F-Secure Internet Security 2008; Comodo Firewall Pro.

Every feature is installed on a separate Windows XP Service PAck2, with all the critical updates for September 2007. All default. After each check all operatsionki regress back to the condition it was prior to the launch your executable file. None of the transferred files, we will not be forwarded to third parties, including anti-virus companies, to study the existence of malicious code. After verifying the files removed. Now the service does not work in the automatic mode, not around the clock, with breaks. We would be happy to cooperate and permanent clients."

Basically, they're testing whether or not a malware will "phone back home" by running it against the popular firewall products, and giving it a green or red light if it does, or if it does not pass the test. QA is vital to reliable and bug-free software, but when QA as a concept starts getting abused to improve the quality of a malware campaign itself it would improve its chances for success, and actually achive it given a bypassing confirmation is already anticipated.

Is this malware QA a trend, or is it a fad? I think it's a trend mostly because malware authors seem to have realized the potential of launching "quality assured malware", take storm worm for instance, and the possibility for crunching out DIY malware through commodity kits in enormous quantities in the form of a managed malware provider.