VXers slap copyright notices on malware Malware authors have lifted a page from the legit software industry's rule book and are slapping copyright notices on their Trojans. One Russian-based outfit has claimed violations of its "licensing agreement" by its underworld customers will result in samples of the knock-off code being sent to anti-virus firms. The sanction …
.....In cases of violations of the agreement and being detected, the client loses any technical support. Moreover, the binary code of your bot will be immediately sent to antivirus companies....
Also, Boris and Dmitri will make unannounced "on-site technical support visits" with an AK-47 and 4 kg of Semtex.
And you though FAST visits were intimidating....
It is considered useful to clue Symantec in to malware which is already active enough for the Russian virus writers to have themselves already spotted it?
Symantec isn't expected to be able to spot it by themselves?
I wonder how well they'd be doing if they didn't have the firm support of these Concerned Local Citizens.
Contracts made for illegal purposes such as fraud or extortion are void under common law, so good luck with that one. Also, court records are public knowledge and it would be tricky for botnet herders and their clients to remain anonymous if one decided to sue the other. Personally I'd like to see it if a case like this ever did come to court.
I suspect 'breach of contract' would have a slightly different meaning to virus creators than it does to us ordinary mortals.
Failure to observe the contract is more likely to arise from not bothering to read the End Loser Agreement that a desire to mix it with the Czars of destruction.
And I should think penalty clauses are likely to be more 'imaginative'.
"Symantec isn't expected to be able to spot it by themselves?"
Actually, they're not. No one expects Symantec as a company to detect and analyze this code, and release an update to catch it. Let alone remove the thing.
People buy Symantec AV with failure in mind. "Everyone else believes antivirus software must fail to stop some viruses — and so they build failure into their 'solutions.'" -- Rob Rosenberger
http://www.vmyths.com/column/1/2004/7/2/
This is probably about installing keyloggers and remote control services more than self-propogating code. You can buy malware to put in an email or host on a website; the goal is not to spread like a virus (thereby giving copies of itself to security firms) but to remain in use in a limited pool of interesting machines and be unlikely to be picked up.
The professional malware industry periodically seed malware into residential IP space to find out if a/v companies are hiding honeypots in them. They know if there are honeypots there, since all of a sudden the signature blocks recognize unreleased malware. (Saw a great slide illustrating a post to a malware forum on this topic a few months ago.)
This is the kind of stuff that folks pay reasonably well for, and is likely to be undetected for months after its initial release (unless there's good network reporting and someone has time to read the sensors and has time to analyze, rather than simply reimage, a compromised machine and they have time to find the original source of infection and escalate that to their a/v vendor. How many machines are you administering? How many of the above processes are automated and hence efficient at most companies? Just the reimaging one. Guess which one managent favors over forensics?)
I see malware sent to users with titles at and above director, and the a/v on server never sees it, and the a/v product on the workstation never sees it. The best stuff is the stuff embedded in word documents, since there's no way to tell the corner offices that henceforth, we're blocking .doc at the gateway. The outbound filter often does block it phoning home. Does it always? Of course not.
Samples of these targeted malware loads submitted to symantec, mcafee, etc. shortly after their purchase would cost the client who'd violated the EULA dough. It would likely lead to earlier detection of the stuff, and an awareness that the CFO's password at the payroll site was blown. Generating new malware is basically free; once you've got the tools to flip a bit in your malware, or repack it with a different packer, you're going to bypass the next signature update and be able to supply your compliant customers with a/v evading product. But if your target is now extra-suspicious, you may not get a second chance to install a keylogger on that CFO's system.
The threat of reporting to the a/v community is a pretty good one. All that a/v can do by itself is react to past threats; you buy it because you have to, and because a lot of malware is crap software that does re-use enough chunks of old attack methods that it may be picked up.
The contract may be legally null and void, but apparently the contract terms HAVE been enforced. It's in the hands of an antivirus company after all.
What *I* wonder is, how many of these types of toolkits are out that have NOT been picked up by antivirus companies (presumably because the purchaser followed the purchase agreement)?
This post has been deleted by its author
"Virus creators already have 'preferred' AV vendors, whom they bribe not to detect their products."
As much as I dislike the anti-virus industry, I have to side with them on this one. As much as the industry qualifies as a cartel, there's still fierce competition between them, and something like 'accidentally' releasing a virus is going to get pounced on.
There was speculation after September 11th 2001 whether American AV firms would avoid detecting viruses created by the American FBI. That speculation turned into a major publicity SNAFU for the industry, and AV industry supporters quickly reversed their position:
http://www.wired.com/politics/law/news/2001/11/48648
Further speculation loomed on whether the MPAA / Hollywood would ask American AV firms to avoid detecting anti-piracy viruses developed by the MPAA. Symantec's Chris Paden made their position very clear:
"Our main concern is for our customers. We don't care who has been attacking our customers. We are going to deploy all of our defenses to meet it."
So if Hollywood wants to attack US pirates, they'll have to go through the anti-virus industry to do it.
http://www.vmyths.com/column/1/2002/7/30/
The anti-virus cartel has more important things to do than take bribes from virus writers.
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2024
