Notes from the underground II

AV veteran Peter Ferrie of Symantec noticed that the vx scene he has been fighting for so long has been winding down. The scene’s virus writers are beginning to post their farewellz and shoutz on the 29A forums and others.

He also points out that the trojan scene has steadily been replacing the activity of vx writers:
“We are striving to put them out of business. Once they’re all gone, those Trojans will keep us in business for a long time. Not that we want them, either.”

Even those trojan groups are beginning to disappear. The ChaseNET forums, a major international source of “Remote Administration Tool” (RAT for short, otherwise known as “Trojan Horse”) activity since 2004, are closing down as well. This shutdown curiously coincides with the Fbi arrest of longtime ChaseNET member “Digerati”. He faces up to five years in prison and a $250,000 fine if convicted of conspiracy to commit computer fraud, as we posted previously last year.
While the oldest of the groups might be drying up, unfortunately there are more growing to replace the vxers in different parts of the world. Recently released “Zines” from these newer groups publish technically sophisticated source details of password stealing, advanced rootkitting techniques, and more. These zines follow the trend away from virus writing for reputation to password stealer writing for profit. Plug in the slow cooker, cuz we’ll see more “Bot Roast” style arrests in 2008.

Unfortunately, we are also seeing more posts overseas from individuals seeking bot herding partners, looking to install more adware on victims’ systems and raise revenues for those involved. This sort of collaboration and malware should also continue throughout 2008, as we have been seeing a high level of this activity at the end of 2007.
Some of the most prevalent malware ThreatFire currently is seeing comes from the Zlob or Popuper families that are distributed in this manner. And here is one of the requests that we are seeing on an overseas forum regarding rogueware installs:
We upload adware, which in turn actively advertises antispyware! Our adware does not conflict with the botnets, or trojans, and it does not affect your own bots.”

Update: Bot Roast II resulted in another guilty plea. This time from Gregory King, indicted at the same time as “Digerati”. His deal includes a two year prison term.

This entry was posted in Online Fraud. Bookmark the permalink.

Leave a Reply

Your email address will not be published. Required fields are marked *


You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <strike> <strong>