In the past, FaaS was only advertised to those who were in the know, sought in the right place, or knew the right people. But researchers at RSA’s fraud division have found that at least one FaaS offering has hit the social network, looking for customers for a customized botnet panel programmed to work with the Zeus trojan – both reworked by what appears to be an Indonesian-speaking malware developer.
The Casper Spy Facebook page (it appears ow to have been taken down) featured frequent updates and information about botnets, exploits, cybercrime, and the developer’s own product (Zeus v 1.2.10.1). The brazen author also had customized an attractive control panel for the administration of the botnet (basic and familiar in functionality, and taken from previous Zeus versions), and even created a demo website for potential buyers.
“Typical Trojan FaaS deals offer a trojan like Zeus, SpyEye, Ice or even Citadel for a few hundred dollars instead of the full kit price going for a few thousands,” explained Limor Kessem, cybercrime and online fraud communications specialist at RSA, in a blog. “FaaS deals sweeten the pot with bulletproof hosting at a discount, free set-up services, hands-on tutoring and malware-campaign help wrapped into affordable combos.”
Marketing cybercrime in such an open and accessible manner is not common, Kessem stresses. “Cybercriminals usually fear for their freedom and will not expose their endeavors online to potential undercover cyber-police officers and security research,” he said. “Those who would take such a chance, in favor of selling their wares to a larger audience, do so because they trust the anti-digital crime laws in their counties are more forgiving or downright absent.”
Laws, international investigation efforts and actual punishments – the arrests of numerous cybercriminals, botnet operators, fraudsters and online gangs – have been the driver for malware developers to minimize their publicly-available operations and find a hiding place to continue their illicit activities, Kessem noted. But since the Zeus code leak in mid-2011, the development of new breeds of the malware are also breeding new models.
“This case shows that the code leak, leading to the availability of the trojan, makes for an even more diverse crimeware market, one that gives room to new offerings, especially at a time when all the major developers are staying away from the commercial arena,” said Kessem.
A quick search of Facebook by Infosecurity turned up a few pages devoted to cybercrime, including one that seemed to be a platform for openly trading download links for crimeware kits.