Two suspects from Essex have been arrested as part of a joint operation between Trend Micro and the National Crime Agency (NCA) designed to root out cyber-criminals.
A 22-year-old man and a 22-year-old woman from Colchester were arrested on suspicion of running a website designed to help cyber-criminals bypass traditional malware filters with their attacks.
The site in question, reFUD.me, provided various capabilities including counter anti-virus (CAV) scanning.
This tests a piece of malware against current AV tools to show the cyber-criminal how successful it would be if released in its current form. Crucially, it hides the results of these tests from the AV companies themselves.
Another service they offered is known as “crypting” and involves modifying a piece of malware until it is no longer detectable by the major AV vendors.
At that point it is known as “FUD”—fully undetectable—although modern heuristics tools can still often spot and block malware where traditional filters fail.
The “Cryptex Reborn” service allegedly run by the two suspects was labelled as “among the most sophisticated developed in recent years.”
The arrests are the first major breakthrough for the NCA and Trend Micro following a landmark MoU which was signed in July formalizing their co-operation in the form of a ‘virtual team’ comprising members of the NCA’s NCCU (National Cybercrime Unit) and Trend Micro’s Forward Looking Threat Research team (FTR).
“As such the FTR team have been involved in the whole investigation from its inception, through identifying the workings of the alleged criminal activity, and working to identify suspects behind it,” Trend Micro FTR EMEA manager, Robert McArdle told Infosecurity.
“This mirrors other investigation work we have carried out with law enforcement in other areas of the world—albeit with a stated goal from the outside to see how closely public and private partners can work together, and how successful the outcomes can be.”
However, these arrests are likely to represent only the tip of the iceberg when it comes to alleged crypting and CAV, he added.
“However, unlike a botnet takedown, which at best has a temporary impact on a single criminal group's operations, our operations aim towards core parts of the overall criminal business model—such as crypters and CAV—as this has a more lasting effect on the wider criminal activity on the internet,” McArdle argued.
“In doing so we aim to create as much of a deterrent and effect on criminal business models as possible for the resources we put into the investigation, and ultimately push Trend Micro’s mission to make the world safe for the exchange of digital information.”