Most malware developers and botnet owners will sell their wares on underground channels. One expert called this 'a bold, bold act'
A cybercriminal has taken to selling his malware and related services on Facebook, boldly choosing a public forum to reach potential customers over the secretive world of the online underground.
RSA researchers recently discovered on the popular social network what appeared to be an Indonesian-speaking malware developer selling a customized botnet control panel programmed to work with the Zeus banking Trojan. First released in 2007, Zeus is a highly effective malware used to steal online banking and e-commerce credentials from an infected computer.
Most developers and botnet owners will sell their malware and services on invitation only forums frequented by cybercriminals. In this case, the developer and his team are apparently looking for people who don't have the technical chops to participate in the forums, but are looking for an easy way to get started in the lucrative business of cybercrime, RSA said on Friday.
The developer sold the code for his own variant of Zeus, packaged and ready for use. In addition, a person could lease a botnet and buy a beginner-friendly control panel for distributing Zeus and harvesting credentials or launching a distributed denial of service (DDoS) attack. Tutorials and support were also available.
The Facebook Page discovered by RSA advertised the malware and services and provided a link to a website where a potential buyer could see a demonstration. In addition, the page provided frequent updates and information about botnets, exploits, cybercrime and the developer's own malware, Zeus v 126.96.36.199. RSA did not know about pricing.
RSA notified Facebook about the page. Facebook did not respond on Friday to CSO's request for comment.
[Also see: Cybercriminals are just businessmen at heart]
The advertisement was the first RSA had seen on a public social network. In general, such a move would increase the risk of getting caught by international cyber police. However, RSA believes the criminal is likely living in a country with weak or nonexistent laws against such activity.
"Even if his country found out his true identity, they [probably] wouldn't go after him," said Berk Veral, senior product manager for RSA FraudAction.
Many variants of Zeus have appeared since its source code was released in the underground in 2011. Why the code was made public is not known. Some experts have speculated that the owner, who went by the name "Gribodemon" or "Harderman," wanted to devalue Zeus in order to increase sales of his hybrid SpyEye Trojan.
Cybercriminals often hijack Facebook accounts to distribute spam or to embed links to malicious sites. Whether the latest audacious move marks a trend is too soon to say, Veral said.
"That remains to be seen," he said. "This is a bold, bold act."
Read more about malware/cybercrime in CSOonline's Malware/Cybercrime section.
Copyright 2009 IDG Magazines Norge AS. All rights reserved
Postboks 9090 Grønland - 0133 OSLO / Telefon 22053000
Ansvarlig redaktør Henning Meese / Utviklingsansvarlig Ulf Helland / Salgsdirektør Tore Harald Pettersen