Copyright Violations in the Underground

Created: 25 Apr 2008 23:25:31 GMT • Updated: 23 Jan 2014 18:41:12 GMT
The problem: You develop a software package that you want to sell in the underground community. However, your buyers are not the most reputable/trustworthy people. How do you prevent your product from being purchased once and then distributed freely afterwards? How do you enforce your “copyright”?

The solution: Ask the antivirus companies to help you out.

Here is a perfect example. The screen shot below is taken from a typical underground software package. Shown in the screen shot are the terms and conditions of the sale—the “licensing agreement.” Yes, that’s right; some underground packages come with a licensing agreement. The document is written in Russian, but a translation is provided below.



The terms of this licensing agreement place the following restrictions on the client (the buyer). (The below is not a word-for-word translation.)

2. The Client:

1. Does not have the right to distribute the product for any business or commercial purposes not connected with this sale.
2. May not disassemble / study the binary code of the bot builder.
3. Has no right to use the control panel as a means to control other bot nets or use it for any other purpose.
4. Does not have the right to deliberately send any portion of the product to anti-virus companies and other such institutions.
5. Commits to give the seller a fee for any update to the product that is not connected with errors in the work, as well as for adding additional functionality.

These are typical restrictions that could be applied to any software product, legitimate or not. However, the most interesting part of the agreement is the section marked in red in the above screen shot:

In cases of violations of the agreement and being detected, the client loses any technical support. Moreover, the binary code of your bot will be immediately sent to antivirus companies.

It is hard enough to enforce your copyrights in the real world, not to mention trying to enforce them in the underground. Did the author really think this ploy was going to work?

Despite the clear licensing agreement and the associated warnings, this package still ended up being traded freely in underground forums shortly after it was released. It just goes to show you just can’t trust anyone in the underground these days. ;)

P.S. This information was taken from the help files of the malware package “Zeus,” which we detect as Infostealer.Banker.C.

