Malware coders clearing the scene...

If you're deep inside the world of information security, you surely work with people who speak to you about banking Trojans almost every day. I do.

I am just wondering who else has been noticing the sweeping effect recent law enforcement efforts have been having on the malware coding community of blackhats... Notice how one by one they are 'clearing the scene' and either going deeper underground or disappearing altogether?

Let's go as far back as Zeus' coder... Slavik, his alias in the venues he frequented. As soon as law enforcement was getting all too interested in Zeus and arresting botmasters that deployed this Trojan, Slavik made the brave decision to let go of his creation and take a leave from crimeware-land. Of course this does not in any way mean that Slavik went away, it only means he made sure to look like he did.

Then Gribodemon (Harderman) -- the coder of the SpyEye Trojan... after getting famous enough, and burdened enough with the immense need for support with his Trojan, he too decided to say goodbye. 'Gribo' first went deeper underground and then simply stopped selling SpyEye. Many underground dwellers wondered about his whereabouts, realizing SpyEye vendors were no more. Rumors then had it that 'Gribo' escaped from East Europe and was out in Malaysia, still working on SpyEye. Even more recent rumors say that there is a new version of the Trojan and that 'Gribo' only sells it to those he knows, allowing them exclusive access to his Trojan and to a special forum he put up for that purpose... (hmmm, I always said that Citadel smells of SpyEye to me...)

And apropos Citadel -- that team has also been feeling a little more heat and is already thinking of taking their sales to the vouched-members level. These are moves that stem from the fear of prosecution.

Latest and greatest? DarkCoderSC, the author of "DarkComet RAT". Although this individual goes as a whitehat by day, he went on to program his RAT in the same way malware is coded. No wonder it was used maliciously in Syria. As soon as that happened, this gentleman decided to retire his "malware-resembling" projects, putting a few other tasks aside when he realized very well that he could be prosecuted for his part as an accessory to crime.

If malware coders had a shadow of a doubt that "writing code is not a crime," now their actions show how well aware of that fact they truly are.

So far this year it feels like malware coders have realized that the hand of law enforcement is far-reaching and will eventually find them. The crimeware scene has fallen more silent than ever and I believe we are going to see more vendors applying great care to their activities, only selling Trojans to those they know or can trust.
