A security firm has uncovered an easy-to-use, affordable tool for making a variety of customized Trojans—from downloaders to password stealers—on sale at several online forums.
The tool, discovered by PandaLabs, is called Pinch. It allows cybercriminals to specify what type of password they want their Trojans to steal, be it for e-mail or system tools.
Pinch also has encryption capabilities to ensure that nobody intercepts stolen data. Pinch's interface also has a SPY tab that lets criminals turn Trojans into keyloggers. In addition, the tool can design Trojans that snap screenshots from infected computers, steal browser data and look for specific files on the target system.
Pinch is impressive, but it's just one sample of the array of crimeware for sale in malware markets and covered in a recent report from PandaLabs titled "The Price of Malware."
Malware has, in fact, increased 172 percent over the past years, according to the security firm. PandaLabs attributes the bulk of this increase to customized Trojans: malware tailored to infect a specific user or group of users.
PandaLabs has tracked several instances of the use of such malware in the past few months. One example is a variant of the Briz Trojan, called Briz.X, that had already stolen over 14,000 users' bank account information by the time it was detected.
“As occurs in legitimate businesses, this illegitimate activity has caused a very active black market,” PandaLabs said in a release about the report.
That malware market operates entirely online. Most of its sites are hosted in Eastern European countries, but some are found worldwide, as the criminal groups behind them have extended their networks.
“Although it may look difficult to find Web pages where these tools are sold, it is not. All you have to do is search in browsers for forums where hacking services are rented or where Trojans are sold,” said Luis Corrons, technical director for PandaLabs, in the release.
PandaLabs' research shows malware selling on underground forums for between $350 and $700. Trojans that install software to steal passwords for online banks, known as snatch or Limbo Trojans, cost $500 to $600. Other malware on sale can hide Trojans, encrypt stolen data or turn infected computers into zombies for bot networks.
Prices too steep? Special deals abound. The first 100 cybercriminals to respond to one listing for a $500 Trojan that captures pay-service accounts—such as Webmoney—get 20 percent knocked off.
For the true bargain hunter, there are Trojan logs. A 50MB Trojan log, containing stolen accounts, e-mail passwords, bank details and the like, can be had for as little as $30. The Trojan authors even guarantee a "profitable" percentage of usable data.
Wondering whether purchasing malware at these prices can be profitable? PandaLabs ran a few calculations to find out. Say a cyber-crook were to purchase a Trojan for $500, a 1 million-address mailing list for about $100, a $20 encryption program, and a $500 spamming server. The total outlay would be $1,120.
Given a 10 percent success rate, which PandaLabs said is “really low,” hackers could infect 100,000 people. If the criminals managed to steal bank details from 10 percent of infected systems, that means access to 10,000 bank accounts and funds therein.
"Just imagine the money a normal person could keep in the bank and multiply it by 10,000 to calculate the cybercrooks' profits," said the report.
Stealth, of course, is important. Crooks tend to siphon off small amounts from cracked bank accounts as opposed to draining them completely, which would alert users.
Therefore, crooks take only a few hundred dollars from each account. If the crook in the previous example were to steal $100 from each of his 10,000 breached bank accounts, that would come to $1 million, all from an initial investment of only $1,120.
Here are some sample prices for purchasing mailing lists, from the PandaLabs report:
No. of addresses | United States | Germany | Russia | Ukraine |
1,000,000 | $100 | $100 | $100 | $100 |
3,000,000 | $200 | $200 | $200 | $200 |
5,000,000 | $300 | $300 | $300 | — |
8,000,000 | $500 | $500 | $500 | — |
16,000,000 | $900 | — | — | — |
32,000,000 | $1,500 | — | — | — |
After crooks have a Trojan and a list of target addresses, the next step is to make sure anti-virus programs don't detect the malicious code. For this purpose, criminals can rent a service that makes malware undetectable to specific security tools, for a price that ranges between $1 and $5 per hidden executable. Also for sale is do-it-yourself polymorphic encryption software, called Polaris, that sells for a mere $20.
After that, a crook merely has to sit back and wait for the filched data to start coming in. Storing it, however, presents a problem, given that criminals don't want to keep stolen confidential data on their personal PCs. They can, however, turn to the malware market to get an FTP account or a hosting service, such as RapidShare, to store data anonymously. Prices range from $1 for an FTP account to $28 for renting a Premium account on RapidShare. If either is discovered, the account's legitimate owner will be blamed.
The preferred method of payment for these items is generally online payment systems, such as WebMoney, which leave few tracks for authorities to sniff out the crooks.
Other things for sale on the malware market include DDoS (distributed denial of service) attacks, which are priced according to their duration: from $10 for a one-hour attack up to $100 for a day-long attack. Vendors offer to let you take a DDoS attack for a spin, as well: name a server and they'll shut it down for 10 minutes to demonstrate the service's quality.
Blackmail is the name of the game with DDoS attacks.
Other wares on the malware market include up-to-date exploit kits that use the latest vulnerabilities to infect computers, such as MPack (around $700); software to bring down servers in DDoS attacks ($500); and online shopping accounts from which to buy a fake profile ($50 each).
As for the custom Trojan maker, Pinch, other abilities include a feature called NET that lets attackers turn an infected computer into a proxy, so that it can be used to perform malicious or criminal activities without leaving a trace. Trojans can also be turned into downloaders that fetch other executable files onto the compromised computer, PandaLabs said.
Pinch also has a BD tab that allows criminals to specify the ports that the Trojan will open on the infected computer, thus providing backdoors. A tab labeled ETC also allows the Trojans to be hidden through techniques including rootkits.
But one of the most dangerous features in Pinch can be found on the WORM tab, PandaLabs said. This allows users to add worm features to their Trojans, thus allowing the malware to replicate and spread via e-mail.
Other goodies Pinch can deliver: turning infected computers into zombie PCs; packing Trojans to make detection more difficult; and killing certain system processes, particularly those of security solutions.
Pinch also lets users define how stolen data will be sent: via SMTP, HTTP or by leaving stolen data in a file on the infected computer to retrieve it later through a port opened by the Trojan itself.
Pinch is powerful, scary powerful. But what's even more scary than its powerful features is that it's so easy to use.
"Pinch's main danger is that it is very easy to use, so any malicious user with basic computer knowledge could create a Trojan in a very short time for very little money," said Corrons.
PandaLabs instructs those who think their system might be infected to scan it for free at www.infectedornot.com.
Check out eWEEK.com's Security Center for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at eWEEK's Security Watch blog.