AlienVault has discovered a new sophisticated tool which is similar to malware-as-a-service
June 2012 by AlienVault
AlienVault has discovered a new sophisticated tool which is similar to malware-as-a-service but also allows "clients" to manage their victims, monitor what they are doing, and buy other services such as password stealing or remote control of the machine. The description below gives a real example of the service, which is run from a Command and Control server in Brazil.
A large share of the malware out there consists of RAT (Remote Administration Tool) samples. This is software created by people who specialise in it: people who develop, improve and sell their tools. It has capabilities that let the attacker spy on the victims through actions such as screen capturing, keylogging, password stealing, command execution, and remote access and control.
Clients of these services usually pay to gain access to the tools and to additional services such as support and zero or low antivirus detection.
Below is a description of one such service that AlienVault has been observing:
Clients pay for the service and then they gain access to a web portal where they can generate personalized Trojans, manage the infected victims via the web browser and host the malware on their "cloud".
The creators promote it as a service for remotely controlling computers and "recovering passwords". This means that clients hardly have to deal with any technical issues, and they need no special skills or knowledge. The providers supply the tools, the hosting, and the Command and Control server.
When the client logs in to their personal account they can see the main menu, tutorials and shortcuts.
The control panel uses HTTPS with a valid certificate.
Then you can create a new personalized malware (Trojan Horse) that will be generated in real time.
The service handles antivirus detection for you: generated samples have a very low antivirus detection ratio (2/42).
Next comes hosting the malware. Clients can choose between several fake domains that appear legitimate. The administrator of the service has bought two domains in order to create these fake subdomains.
The whois data for the main website's domain is hidden, but the whois data for the two domains mentioned above is not. This lets us discover some information about the authors:
owner: Pedro Henrique
Finally, once a machine is infected, you can easily manage your victims: remote control of the machine, password stealing, and command execution. (Screenshot visit: http://labs.alienvault.com/labs/wp-...)
If they want to infect more targets, they will have to pay more for them.
Malware communication with the C&C is done over HTTP. For command execution a different protocol is used, on port 9000.
The C&C IP is located in Brazil and is always the same; it is included in our IP reputation database -> 126.96.36.199.
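As an added example (not part of the AlienVault write-up), the following Python checks connection-log lines against the C&C address above and reports the HTTP beacon and the port-9000 command channel separately, so an analyst can tell a host that merely beacons from one on which an operator is actively running commands. The flow-log format and the sample lines are constructed here; only the C&C address and the port roles come from the text.

```python
import ipaddress
from dataclasses import dataclass

# Indicator from the write-up: the fixed C&C address in Brazil.
CNC_IPS = {"126.96.36.199"}
# Port roles described in the text: HTTP for the main C&C channel,
# port 9000 for the separate command-execution protocol.
PORT_ROLE = {80: "http-beacon", 443: "http-beacon", 9000: "command-channel"}

@dataclass
class Alert:
    src: str
    dst: str
    dport: int
    role: str

def parse_flow(line: str):
    """Parse one constructed flow line of the (assumed) form
    '<timestamp> <src_ip>:<sport> -> <dst_ip>:<dport> <proto>'.
    Returns (src_ip, dst_ip, dport) or None for malformed lines."""
    try:
        _ts, src, arrow, dst, _proto = line.split()
        if arrow != "->":
            return None
        src_ip, _sport = src.rsplit(":", 1)
        dst_ip, dport = dst.rsplit(":", 1)
        ipaddress.ip_address(src_ip)   # raises ValueError if not an IP
        ipaddress.ip_address(dst_ip)
        return src_ip, dst_ip, int(dport)
    except ValueError:
        return None

def find_cnc_traffic(lines, cnc_ips=CNC_IPS):
    """Return one Alert per flow whose destination is a known C&C address."""
    alerts = []
    for line in lines:
        parsed = parse_flow(line)
        if parsed is None:
            continue                     # skip unparseable lines, do not crash
        src, dst, dport = parsed
        if dst in cnc_ips:
            alerts.append(Alert(src, dst, dport, PORT_ROLE.get(dport, "unknown-port")))
    return alerts

def hosts_with_command_channel(alerts):
    """Hosts seen talking on port 9000: an operator is likely executing commands."""
    return sorted({a.src for a in alerts if a.role == "command-channel"})

# Constructed sample flows (internal hosts and the 198.51.100.0/24 address are made up).
SAMPLE_FLOWS = [
    "2012-06-01T10:00:01 10.0.0.5:51234 -> 126.96.36.199:80 tcp",
    "2012-06-01T10:00:05 10.0.0.7:51240 -> 198.51.100.7:443 tcp",
    "2012-06-01T10:00:09 10.0.0.5:51250 -> 126.96.36.199:9000 tcp",
    "2012-06-01T10:00:12 10.0.0.9:51260 -> 126.96.36.199:80 tcp",
    "malformed line that should be skipped",
]
```

Running `find_cnc_traffic(SAMPLE_FLOWS)` yields three alerts, and `hosts_with_command_channel` narrows them to the single host on which commands are being executed.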
This example shows that easy-to-use frameworks for monetising malware are becoming more and more popular on the Internet, as they let people without technical skills easily manage their victims.