Sunday, July 26, 2009

Software as a Service on the malware industry

For several years now we have been able to interact with resources offered over the web without consuming resources on our own machines. Web-based operating systems such as eyeOS applied this concept at the time and still do, as do services we use routinely, Google Apps among them.

Today this concept goes by a name that has become a trend: Cloud Computing, which offers a wide range of services that use the Internet as their central infrastructure (the cloud). Where what is offered is software, the model is known by the acronym SaaS (Software as a Service).

The point is that malware developers have not stayed on the sidelines of this phenomenon, and it has given rise to a new term that accompanies the Cloud Computing concept: MaaS, Malware as a Service.

Some months ago I mentioned a paid online service that adds polymorphic capabilities to malicious code based on the well-known PoisonIvy trojan, called PoisonIvy Polymorphic Online Builder.

Adding to this trend of offering services over HTTP, there are several free alternatives similar to the one above. One of them is FUDSOnly Online Crypter (FUD being the scene's shorthand for "fully undetectable"), which focuses on processing malicious code so that it evades detection by antivirus products, contributing to malware developers' ongoing efforts to build anti-analysis features into their creations.

Basically it is a crypter: a type of program normally used to encrypt the binaries used to distribute malicious code, wrapping them in a stub that decrypts and runs them at execution time so that the file on disk no longer matches antivirus signatures. The advantage of this "service" is that the crypter does not need to be downloaded or run locally on the PC; the entire process is carried out via the web.

At the end of the process the application returns the message "Your file has been encrypted without errors, Service offered by FUDSOnly. Click HERE to download.", where the link leads to the processed file.

As an "extra", for malicious code whose crypter stub does not support EOF data (the server component's configuration, which some trojans store appended at the very end of the file), the "service" can re-append that data to the encrypted file through a small program called ReEoF. Without this step the encrypted server would lose its configuration, since a crypter that rebuilds the executable from its sections discards whatever follows them.
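The EOF-data problem described above, as an added example that is not part of the original post and is not the code of FUDSOnly or ReEoF: a small Python script that locates where a PE file's section data ends (the start of the overlay, which is what the crypter scene calls EOF data), splits it off, and re-appends it to a processed binary, which is the operation a ReEoF-style helper performs. The PE sample and the configuration blob are constructed inside the script and stand for no real server; all function names are my own.

```python
import struct

SECTION_HEADER_SIZE = 40  # size of one IMAGE_SECTION_HEADER


def overlay_offset(pe: bytes) -> int:
    """Return the file offset at which EOF (overlay) data begins.

    The overlay is everything past the last byte claimed by any section's
    raw data. A crypter or packer that rebuilds the executable from its
    sections drops it, so a server that keeps its configuration there has
    to have those bytes re-appended afterwards.
    """
    if len(pe) < 0x40 or pe[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff = e_lfanew + 4  # IMAGE_FILE_HEADER follows the signature
    num_sections = struct.unpack_from("<H", pe, coff + 2)[0]
    size_opt = struct.unpack_from("<H", pe, coff + 16)[0]
    sect_table = coff + 20 + size_opt
    end = sect_table + SECTION_HEADER_SIZE * num_sections
    if end > len(pe):
        raise ValueError("truncated section table")
    for i in range(num_sections):
        entry = sect_table + SECTION_HEADER_SIZE * i
        # SizeOfRawData and PointerToRawData sit at +16 and +20 of the header
        size_raw, ptr_raw = struct.unpack_from("<II", pe, entry + 16)
        end = max(end, ptr_raw + size_raw)
    # A section that claims bytes past EOF means there is no overlay at all.
    return min(end, len(pe))


def split_overlay(pe: bytes):
    """Return (executable without overlay, overlay bytes)."""
    off = overlay_offset(pe)
    return pe[:off], pe[off:]


def reattach_overlay(processed_pe: bytes, overlay: bytes) -> bytes:
    """Re-append EOF data to a binary that came back from a crypter without it."""
    return processed_pe + overlay


def build_sample_pe(section_data: bytes, overlay: bytes) -> bytes:
    """Constructed minimal PE: one section at file offset 0x200, then overlay.

    This is a hand-built test fixture, not a real or runnable executable.
    """
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    size_opt = 224  # size of a PE32 optional header, left zeroed here
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, size_opt, 0x0102)
    raw_ptr = 0x200
    sect = b".text".ljust(8, b"\0") + struct.pack(
        "<IIII", len(section_data), 0x1000, len(section_data), raw_ptr
    ) + b"\0" * 16
    header = dos + b"PE\0\0" + coff + b"\0" * size_opt + sect
    return header.ljust(raw_ptr, b"\0") + section_data + overlay


if __name__ == "__main__":
    # Constructed sample: 512 bytes of "code" plus a fake server config blob.
    code = bytes(range(256)) * 2
    config = b"constructed-eof-config: host=192.0.2.10 port=4444"
    original = build_sample_pe(code, config)
    body, eof_data = split_overlay(original)
    print("overlay starts at 0x%x, %d bytes" % (len(body), len(eof_data)))
    # A crypter that only rebuilt the sections would hand back `body`;
    # the ReEoF-style step restores the configuration.
    restored = reattach_overlay(body, eof_data)
    print("config preserved:", split_overlay(restored)[1] == config)
```

Run against a real sample, `overlay_offset` gives the first byte a section-rebuilding packer will discard, and comparing `split_overlay` of the input and output files is a quick way to confirm whether a crypter kept the server's configuration or needs the re-append step.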

This malware-handling service has had a previous version, which shows that the concept was adopted by cyber criminals quite some time ago.

In fact, many services of this kind have ridden the same wave.

The malware industry thus joins the cluster of online services offered under the Cloud Computing banner, extending the range of dangers and threats, continuing the daily bombardment of information environments and broadening the criminal offering.

Related Information
Online creation of polymorphic malware based on PoisonIvy

# Jorge Mieres

1 comment:

jonojono said...

Great post guys!

We developed a similar service at the University of Michigan called PolyPack which uses a bunch of packers and AV engines for feedback to pack your malware optimally (with respect to AV evasion):

The actual service was just one example of what we saw as a good model for certain crimeware and pen-testing services that can be deployed in a SaaS/cloud environment.

More info in our paper to be presented at WOOT next week:

Jon Oberheide