Software engineers, just like any other professionals, are always on the lookout for a faster, better, and cheaper way of getting the job done. In the construction industry you can use pre-cast concrete and timber frames to speed up production. Likewise, in the systems engineering world you can use code generators and CASE tools (and the like) to make things easier. So, it comes as no surprise that malicious software creators have also been building tools and aids to help them become faster and better.
Many years ago, building a useful and profitable piece of malware required a fair amount of skill and knowledge of the systems being targeted for attack. The lack of handy tools, together with a limited target group for the malicious code, made it difficult to make any easy money out of writing malicious code. Unfortunately, those days are long gone. Today, it doesn’t take much skill to produce, distribute, and maintain a large collection of deployed malicious code to generate a profit. Many tools and utilities have been created by various people to help in the production of Trojans, viruses, and worms. Some of these people have created relatively simple examples of malcode, which were generally not all that effective.
Once in a while, however, a noteworthy piece of kit comes along. One such interesting piece of software, dubbed a “basic Trojan package” and created by an outfit called RAT Systems, is a prime example of a Trojan do-it-yourself kit. The kit contains various components to facilitate the creation, distribution, and maintenance of Trojan programs. The Trojans created by this kit contain functionality to steal information from various banking and financial Web sites. They also have a back door that allows the attacker to issue commands to the Trojan at a later date. To top it off, they have built-in mechanisms to avoid detection and removal by security software. All in all, it is a pretty sophisticated piece of kit.
Contained in this kit is a Trojan executable generator, which should be run first in order to create a shiny new Trojan file. All you have to do is supply it with a few parameters concerning the features and operation of the Trojan; in turn, it spits out a Windows executable file that embodies the features you requested through a build configuration file or the user interface. Next, to help the Trojan evade detection by security software vendors, there is a polymorphic code generator which will modify your Trojan and repackage it in a random form. This effectively changes the file fingerprint and makes it more difficult to recognize.
Of course, now that the Trojan has been created you will need to get it out to your “customers”. Well, the creators of this kit have thought of that too; inside the kit is a sample of exploit code that you would host on a Web site under your control. The exploit code will cause a file of your choice to be downloaded and executed on the victim’s computer and in this case, it’s the Trojan. You start by putting the Trojan and the exploit code up on your Web site, then make the Web site look legitimate, start generating the traffic, and then watch the stolen information roll in. To generate traffic to the new malicious Web site, you have many choices. You could try using a blog, search engine baiting, and various other enterprising schemes. There’s also “old faithful”—spam emails. You could try several different flavors of spam: spam with attachment, spam with an exploit, spam with a link (to the malicious Web site), etc.
Having all these tools at hand is one thing, but if you don’t know how to use them, putting them to profitable use can be quite a challenge. Once again, the creators of this kit have solved this problem by supplying detailed, step-by-step instructions on every aspect of the process. All facets of its creation and usage have been addressed, including the creation of the Trojan, deploying it, and controlling and maintaining the Trojan bot network.
There are reports that this Trojan kit is available to buy at a price of around $20. What this particular Trojan kit illustrates is just how low the bar is now set for pretty much anybody with basic computer skills wanting to enter the online crime arena. Here at Symantec, we have been detecting Trojans created by this kit and also the files in the kit itself. The kit, in this case, creates a family of back door Trojans that we call Backdoor.Nibu. What we have seen so far would suggest that this DIY kit already has quite a few satisfied customers.