Crimeware salesmen, like most e-commerce types, take a dim view when their creations are knocked-off (pirated). To protect themselves, they warn their customers (Internet criminal types) that if their products are counterfeited, they can and will be reported to the anti-virus companies.

Specifically, the verbiage used as reported on the Symantec blog is, “the binary code of your bot will be immediately sent to antivirus companies.”

The reason reporting reporting the binary code of a bot defeats the crimeware kit in question (Zeus) was mentioned in a previous post on this blog:

Known as the “Zeus kit,” in honor of the Zeus Trojan, the kit is pretty resistant to computer security programs and has the ability to mask itself using a binary generator. The binary generator sends out a unique set of numbers every time it is used, making it hard for security programs to detect since they rely on spotting what is known as a “signature.” Even if a security program recognizes one signature, the binary generator changes it the next time, and the security program will probably fail to recognize it.

Here are the details, as reported on the Symantec blog by Liam OMurchu:

Here is a perfect example. The screen shot below is taken from a typical underground software package. Shown in the screen shot are the terms and conditions of the sale—the “licensing agreement.” Yes, that’s right; some underground packages come with a licensing agreement. The document is written in Russian, but a translation is provided below.

2. The Client:
1. Does not have the right to distribute the product in any business or commercial purposes not connected with this sale.
2. May not disassemble / study the binary code of the bot builder.
3. Has no right to use the control panel as a means to control other bot nets or use it for any other purpose.
4. Does not have the right to deliberately send any portion of the product to anti-virus companies and other such institutions.
5. Commits to give the seller a fee for any update to the product that is not connected with errors in the work, as well as for adding additional functionality.

In cases of violations of the agreement and being detected, the client loses any technical support. Moreover, the binary code of your bot will be immediately sent to antivirus companies.

It should be noted that these crimeware kits, as I’ve written frequently, make it fairly easy for not very technical criminals to commit technical crimes. As noted in their licensing agreement, the criminals selling these kits in underground forums even provide technical support.

Interestingly enough, Liam noted:

Despite the clear licensing agreement and the associated warnings, this package still ended up being traded freely in underground forums shortly after it was released. It just goes to show you just can’t trust anyone in the underground these days.

Of course, in most instances, there is no honor among thieves.

Liam notes that this licensing agreement is for much talked about Zeus kit, which has “drive-by” capabilities. If you are unfamiliar with what “drive by” means on the Internet, it means that your computer only needs to visit a site to become infected.

Here is a previous post, I recently did about the “drive by” problem, which is making the Internet a more dangerous place all the time:

Nowadays, all you need to do is visit the wrong site to have your personal information stolen!

Liam’s post on the Symantec blog, here.

Be Sociable, Share!