Outsourcing malware development to legitimate coders may be a losing tactic for criminals – if only it could be exploited.
Searching through job postings at various coder markets was bound to turn up some interesting items. Sure enough, a search for terms like “C/C++”, “assembler” and “embedded” turned up little gems like this one.
A job to build a ring0 driver may not sound so odd, but when the sole function of the driver is to download and execute something in usermode (ring3), well, then the plot thickens and we may be in the presence of someone trying to outsource malware creation.
Further digging produced job postings for the creation of a crypter/packer/binder which should “use inject file for bypass avs on run-time”, an executable packer and a downloader. Keep in mind that these are only a few examples, extracted from just a couple of the many websites where coding projects are posted.
By splitting malware projects, job takers can reasonably claim innocence, while full ‘design knowledge’ remains with the originator. Moreover, the variety introduced by varying coding styles, compilers, languages used and so on makes analysis of the ‘finished product’ somewhat harder.
A first, easy step towards stopping such schemes would be a small extension to the reputation system already in place on outsourcing websites, whereby people looking for work might flag some posted projects as “possible black-hat work” for review by site administrators.
Given how common such schemes are, maybe the time to add it is now. Tracing the money exchanged in such projects might even yield the identities of malware outsourcers.