09 Nov Dark Market Vicente Diaz
18 Mar Virus Wars Episode II Eugene
02 Nov Adware or adwars? Eugene
27 Oct New Zafi, New cyberwar? Aleks
Dark Market was one of the most famous underground forums ever, for several reasons. The most important one was that one of the administrators was an infiltrated FBI agent running a covert operation that ultimately led to the arrest of 60 people worldwide. The forum was shut down in 2008, when Dark Market was probably the most important carding forum in the world.
We all remember last year's cyber wars between the authors of Bagle, NetSky and Mydoom. That particular war is over. But was it a fluke or merely the first war between virus writers going commercial?
Just last week, when I was at CeBit, I talked about new cyber wars. What do I mean? Cyber space is limited only by the number of machines connected to the Internet: some are protected well, but some are not – they are 'infectable'. What happens when cyber criminals infect most or all potentially vulnerable machines?
For example, take a computer with a spam proxy Trojan infection. Someone is making money from this infected machine. Then imagine the same machine with 10 proxy Trojans installed. Will the Internet connection be good enough to support 10 different spammer bots? Probably not. So what will spammers do to continue making money? Exactly: they will remove competitors.
And this is happening every day now. We've just detected a new Proxy Trojan – Trojan-Proxy.Win32.Small.bi, which removes a number of exe files with Trojan-like names prior to installation.
We're seeing adware controllers do the same thing. More and more of the adware samples we receive in our Virus Lab begin by removing competitor adware before installation on the system.
Two different cyber battles already. Hacker/spammer groups are fighting each other. What next?
My prediction would be that after the smaller gangs fight it out among themselves, the winners will absorb the losers and we will see several well organized and large e-gangs emerge instead of the dozens of small groups we have today. Yet another step in the direction of organized cyber crime.
For the first time in my life I see how different AdWares fight each other. A new 21KB Win32 executable first removes data files and registry keys which belong to EliteBar AdWare (according to KAV anti-AdWare databases) and then opens one of two Ad URLs. It seems that the AdWare market is going to be a hot one and different AdWare coders face a lot of competition from each other. Obviously they will fight. Remember the Bagle-NetSky-Mydoom war?
We detect this adware as TrojanClicker.Win32.Agent.af.
We detected a new variant of Zafi today, Zafi.c. The first two Zafi variants spread widely, so we plan to keep a close eye on how things go.
It seems that Zafi.c was written in Hungary. The difference between Zafi.a and Zafi.b is that the author decided to join the cyberwar between the Mydoom, Bagle and Netsky authors. He included the following message: