Tuesday, April 29, 2008

New DIY Malware in the Wild

Yet another do-it-yourself malware is being pitched as having a low detection rate because of its proprietary nature, the logic being that since few people will have it, it will somehow remain undetected for a longer period of time. That logic, however, ignores the possibility that a recently purchased tool is used as a bargaining chip: traded to obtain, or to improve the chances of obtaining, access to another good or service, such as a closed-to-the-public forum where exclusive tools and incidents are actively discussed.

How is a seller of yet another DIY malware going to differentiate her market proposition? Adding a service in the form of managing and verifying the buyer's undetected binaries is slowly maturing into what 24/7 customer support is for most market propositions - a commodity and something that's often taken for granted. In the case of this DIY malware, the author is aiming to differentiate the proposition by also offering the source code of the malware, thus embracing the open source mentality just like many other malware authors are, believing that innovation will come from those adding extra features and fixing bugs within the malware - and they are sadly right about the innovation belief. Some features of this malware:

- Stealing and uploading to a specific FTP (ICQ, FireFox, WinXP keys, CD keys)
- HTTP GET flooding
- SYN flooding and IP spoofing
- Process hiding without registering a service
- Hides from any kind of task manager (Windows Taskmanager, Security Taskmanager)
- Settings can be changed at any time (in running bots as well)
- Melting
- Mutex checking
- Anti VMware, Anti VPC, Anti Sandboxing, Anti Norman Sandbox
- Settings encrypted with RC-4
- Doesn't need .ocx
- Killing Windows Firewall
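The "Settings encrypted with RC-4" item deserves a closer look from the analyst's side, because it is the weakest kind of protection on that list: a bot has to carry the key it uses to decrypt its own settings, so whoever has the binary also has the key. The following is an added example, not code from the original post or from the malware it describes; the RC4 routine is the standard algorithm, while the key, the key=value settings layout and the encrypted blob are all constructed here to show how an analyst recovers a configuration once the key is pulled from a sample.

```python
# Added example (not from the original post). Demonstrates why RC4-encrypted bot
# settings give little protection against analysis: the decryption key ships with
# the binary, so recovering the settings is a single RC4 pass plus parsing.
# The key, settings layout and blob below are constructed for this demo.


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4: key-scheduling (KSA) followed by the keystream generator (PRGA).

    RC4 is a stream cipher that XORs data with a keystream, so the same function
    both encrypts and decrypts.
    """
    s = list(range(256))
    j = 0
    for i in range(256):                       # KSA: permute the state with the key
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:                          # PRGA: one keystream byte per input byte
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


# Constructed stand-ins for what a sample would embed: the key and the settings
# block (a hypothetical key=value layout; real kits use their own formats).
EMBEDDED_KEY = b"demo-key"
PLAIN_SETTINGS = b"ftp_host=ftp.example.invalid\nmutex=DemoBot\nflood=off\n"
ENCRYPTED_BLOB = rc4(EMBEDDED_KEY, PLAIN_SETTINGS)   # the "encrypted settings" at rest


def recover_settings(blob: bytes, key: bytes) -> dict:
    """Analyst side: decrypt the blob with the key taken from the binary and parse it."""
    text = rc4(key, blob).decode("ascii", errors="replace")
    settings = {}
    for line in text.splitlines():
        if "=" in line:
            name, value = line.split("=", 1)
            settings[name.strip()] = value.strip()
    return settings


if __name__ == "__main__":
    # Every configured value, including the mutex name and the drop server,
    # falls out directly once the key is known.
    for name, value in recover_settings(ENCRYPTED_BLOB, EMBEDDED_KEY).items():
        print(f"{name} = {value}")
```

The recovered mutex name and drop host are exactly the kind of indicators a defender wants from a sample: the mutex can be checked for on hosts, and the FTP host blocked or monitored at the network edge. The encryption only stops a casual string search of the binary, not analysis.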


It looks and sounds like a novice malware coder integrating publicly obtainable malware modules in the hope of cashing in. Moreover, with regard to open source malware, asking "Which is the latest version of the MPack web exploitation kit?" is slowly becoming pointless, mainly because of the kits' open source nature; besides being localized to different languages, their effectiveness is also acting as the foundation for malware kits to come.

Related posts:
DIY Exploit Embedding Tool - A Proprietary Release
DIY Exploits Embedding Tools - a Retrospective
DIY German Malware Dropper
DIY Fake MSN Client Stealing Passwords
A Malware Loader for Sale
Yet Another Malware Cryptor In the Wild
DIY Malware Droppers in the Wild
More Malware Crypters for Sale
A Multi-Feature Malware Crypter
