Slashdot Mirror


Malware Gangs Run Ads To Hire New Coders

An anonymous reader writes "Think crime doesn't pay? Think again: an increasingly common sight on underground cybercrime forums are ads paid for by malware writers who are looking to hire talented new programmers. The most common ads are for 'crypters' designed to disguise known malware, and 'Web injects,' plug-ins made to run alongside crime kits like ZeuS and SpyEye. Salaries range from $2,000 to $5,000 monthly, health benefits not included."

25 of 120 comments

  1. What are the requirements??? by madhatter256 · · Score: 2

    I'd apply if I knew the requirements and experience??

    --
    Previewing comments are for sissies!
    1. Re:What are the requirements??? by Anonymous Coward · · Score: 2, Insightful

      If you are willing to post on a public forum that is likely tied to your personal email, or, additionally in this case, one which can be subpoenaed for your IP address, you do not meet the requirements.

    2. Re:What are the requirements??? by RobDude · · Score: 5, Interesting

      My wife has been accepted to Vet School in Ireland. Not only does that not allow me to live in Ireland with her, I'm also unable to work without 'sponsorship'. While I've had plenty of interest, as soon as I mention my inability to work without sponsorship, they drop me like a bad habit.

      The time difference, distance, viable exchange rate along with other reasons all mean I don't want to continue working at my current job.

      My citizenship status makes it very difficult to find a job in Dublin. There are very few legit jobs in the US that would want me in the given situation. I'm a decent developer, but I'm nothing special. I've worked as a consultant; but if you were going to bring in an expert contractor - I don't have the experience/skills. If you are going to bring in a 'pretty good dev', you'd get a local guy.

      In my situation, options are limited. I don't have much exposure to malware/scammers/etc - so I don't know how much luck I'd have earning money with my own scams. It's also relatively unlikely that I'd be able to launch some great web startup that would fund my lifestyle. People have done it, but it's rare and they tend to be smarter, more skilled, and more dedicated than I am.

      I have some savings, but once I can no longer show the ability to financially support myself; Ireland will kick me out. I still have months before it comes to that; but it very likely will happen in the next 6-9 months (I haven't moved there yet). As that deadline comes closer I'd be lying if I said I wouldn't *consider* slightly less than legal methods of earning money. I mean, even if I set up a website, printed some fliers and fixed local college kids' computers for $15 an hour, I'd be breaking the law.

    3. Re:What are the requirements??? by Black+Parrot · · Score: 4, Funny

      I'd apply if I knew the requirements and experience??

      A degree in Malware Engineering and 10 years experience with Stuxnet.

      --
      Sheesh, evil *and* a jerk. -- Jade
    4. Re:What are the requirements??? by c0lo · · Score: 2

      I'm a decent developer, but I'm nothing special.

      I still have months before it comes to that;

      As that deadline comes closer I'd be lying if I said I wouldn't *consider* slightly less than legal methods of earning money. I mean, even if I set up a website, printed some fliers and fixed local college kids' computers for $15 an hour, I'd be breaking the law.

      Get a bank account, a Visa debit linked to it and look at the freelancing sites (elance.com and the like). 6-9 months may be long enough to bump your credit as a decent developer.

      --
      Questions raise, answers kill. Raise questions to stay alive.
    5. Re:What are the requirements??? by Opportunist · · Score: 2

      Well, in Europe salaries do not fluctuate that much between toilet cleaner and C-level exec. And with our progressive tax system (I pay about 50% for tax, healthcare and whatever else mandatory "we don't even ask you whether you want to have it" insurances and state ordered "goodies" there are) the difference gets even lower. Even at my level, salaries don't really push the 100k annually too much.

      It might surprise you, but I'm happy with it. Yes, my job would probably pay me at the very least twice the money in the US. But it's the fringe benefits that count. I can leave my house and not worry about someone breaking in because our police force is still on my side and does care about it when someone hauls out a lot of stuff. If I get sick, I know I'll have a doc for whatever health problem I might have, no matter that I'm in more than just one risk group. If I feel like a break, I have 4 weeks of paid vacation (well, law dictates 4, I got 5, plus 13 national holidays). And I know I will retire at 65 and I will have enough money at my disposal to sustain myself. Plus, should I get fired before that, I will continue to be able to keep my standard of living for at least half a year, usually plenty to find a new job in a similar environment, there's no haste to take whatever crap job is offered. In the meantime, I can use a very clean, efficient and safe public transport system to get to and from work (and to and from entertainment afterwards), enjoy fairly cheap and well funded cultural facilities and benefit from a fairly cheap infrastructure where I don't pay half my wage for rent, gas and power. Together they cost me about 500 bucks a month. For a flat in the center of our capital.

      That's worth the "lower" salary in my opinion. I know it's anathema to many people in the US, but I like our socialist overlords.

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    6. Re:What are the requirements??? by formfeed · · Score: 2

      If you're really good wouldn't you work for the people who CATCH those guys?

      Only 25% would. ;)

  2. And why would I trust them to actually pay? by Kenja · · Score: 4, Insightful

    I mean, the cut in salary aside, why would I trust them to not bounce my pay check and then go "hire" someone else after taking the code I wrote? It's not like they come across as all that trustworthy and I'd be in no position to pursue legal action as I was hired to do something illegal. At least with traditional crime I can just shoot people who double cross me.

    --

    "Have you ever thought about just turning off the TV, sitting down with your kids, and hitting them?"
    1. Re:And why would I trust them to actually pay? by hedwards · · Score: 3, Insightful

      To be honest, the bigger issue would be getting busted while they get off free. I doubt very much that they'd fail to pay the money that they promise for work. They're criminals, but that doesn't mean that they'd be dumb enough to short change the person writing their code.

      Plus, what makes you think that cybercriminals are any less apt to violence than regular ones? If they're able to pay you, they're able to find you, and if they can find you then they could hire somebody to dispatch you if they so chose. Organized crime is organized crime, the internetiness of it all doesn't change that.

    2. Re:And why would I trust them to actually pay? by rrossman2 · · Score: 4, Funny

      nah, I think I saw it was BitCoins...

    3. Re:And why would I trust them to actually pay? by mentil · · Score: 2

      A malware coder is less likely than your average drone to agree to let Thuggy hand him a sack of cash in a back alley that corpses are regularly found in. He'd require payment in Bitcoins, or a wire transfer to an offshore account belonging to an off-the-shelf bank that bounces around a dozen more shell banks (which mysteriously go bankrupt the following day). Even if their employer is an FBI informant they're unlikely to get caught.

      --
      Corruption is convincing someone that the selfless ideal is the same as their selfish ideal.
    4. Re:And why would I trust them to actually pay? by Sulphur · · Score: 2

      Re:And why would I trust them to actually pay?

      By establishing who funds them.

      We're Crime, and Crime doesn't pay.

  3. Honeypot? by NiteMair · · Score: 5, Interesting

    Honestly, if I was even considering writing malware, this would smell like a major sting operation.

    The group recruiting for this service must expect that plenty of white hats and/or law enforcement would apply just to see who responds. It would be asinine.

    This is one of those industries where I would expect recruitment to be a "don't call us, we'll call you" type of situation.

    1. Re:Honeypot? by TubeSteak · · Score: 2

      The group recruiting for this service must expect that plenty of white hats and/or law enforcement would apply just to see who responds. It would be asinine.

      The problem isn't tracking down the people running these botnets, it is getting [random former soviet state] to give a shit and do something about it.
      You can't even count on the fact that their country has a law on the books relevant to the 'crimes' they're committing.

      --
      [Fuck Beta]
      o0t!
    2. Re:Honeypot? by Eil · · Score: 4, Informative

      Honestly, if I was even considering writing malware, this would smell like a major sting operation.

      It's not (yet) illegal to write any kind of software you like, no matter what its purpose. What's illegal is how it's used and/or distributed.

      If ever it became illegal to write software which exploits security vulnerabilities in software, there would be a whole community of white-hat researchers who'd be out of a job overnight.

    3. Re:Honeypot? by Ron+Bennett · · Score: 2

      A big myth!

      Asking whether one is a police officer, FBI agent, special investigator, etc is NO guarantee of anything.

      Nor is them legally breaking the law - it's standard operating procedure for investigators in stings, such as during undercover drug operations and investigating massage parlors.

      The authorities, which include all sorts of agencies, can, and often do, lie during the course of an investigation, as well as other times, such as during interrogation.

      And yet, lying to the authorities is often a crime. Hence, the importance of remaining silent and having an attorney present.

      Though, to digress a bit, there are various instances in which one can potentially be forced to speak and/or denied an attorney.

      Bottom line is "entrapment" is very difficult to utilize as a defense - very rarely will it work, especially against the Feds.

      Ron

  4. New plan by artor3 · · Score: 2

    1) Put up ads to hire malware writers
    2) Set wages low specifically to attract stupid kids
    3) Convince kids to download your toolset to work off of while developing the malware
    4) Toolset is a trojan, steal their parents' credit card
    5) Profit
    6) Get away with it every time, 'cause no kid is going to cop to trying to get a job working for hackers

    Alternative explanation - it's entrapment by those 25% of hackers who work for the Feds.

    1. Re:New plan by RobDude · · Score: 3, Interesting

      Actually - I've often wondered why we don't hear about more low tech cases of identity theft/credit card fraud. Maybe it's just so easy to do it with malware nobody cares.

      Post real positions on Craigslist and others for legitimate sounding work. Be selective, post realistic requirements and pay, do a phone interview. I'd even explain that, 'Hey, since this is a work from home job/telecommute job - we're going to need your college transcripts'. That makes it seem more legit. Of course, a legit job needs your SSN. I've done real work from home (software development) and they need my SSN. It was a real company, and they paid me.

      Not only would you get all of their SSN and personal info....the transcript would be worth a lot of money too. Yeah, you can open some credit cards and what not with the SSN; but have you seen how easy it is to get money for school these days? My wife barely makes over minimum wage and she was approved for SEVENTY THOUSAND DOLLARS for her first year of school. Stop and read that again. Now, granted, say half of that is tuition. That still leaves THIRTY FIVE THOUSAND DOLLARS. And it's pretty easy to get into a lot of graduate programs.....I'm doing my Master's right now and they didn't even need my GRE scores (they did require transcripts though). With relative ease and someone's information, I could apply on their behalf to a school, get accepted, get student loans, and get a LOT OF MONEY.

      Maybe there is more about this I don't know; but it seems like it would work. In this economy, I'm sure you'd get a lot of bites from your job post; for a start date 2 months in the future. After you get the info you wait, and keep collecting it from others. At the end of the two months, you apologize to everyone and say the economic downturn has caused the project to be cancelled. You have the info but haven't done anything illegal yet. Repeat 4-5 times with different information.

      Then, move, and start with the identity theft. Cha-ching. Do it in the order you collected the info; so by the time you open your first CC card, it's been 9-12 months before you got their info. They'd have a lot of trouble tracking you down. And, if the student loan thing worked out - oh man - that's a lot of money.

      Just don't get caught.

    2. Re:New plan by RobDude · · Score: 2

      Even in the US - 5k a month is good money. Without benefits it's not great; but I know entry level developers who make less. And, if you live outside of a big city, tech jobs tend to pay less anyway.

    3. Re:New plan by edremy · · Score: 2
      Actually, you'd be surprised how little crime actually pays. (Unless you work for a Wall Street firm)

      Check out some of Sudhir Venkatesh's stuff. He's done some close sociological work with gangs, and the results are quite surprising. The rank and file drug dealers on street corners would be better off at McDonalds: the pay is about the same, and you have a lot less chance of being shot. It's only a few of the serious kingpins who bring in a good income, and at that point you're working so hard keeping all the balls in the air you'd again be better off trying to go legit - anyone who can manage that many people in a high-risk environment could probably do very well in management.

      --
      "Seven Deadly Sins? I thought it was a to-do list!"
  5. Money is about right... by TiggertheMad · · Score: 2

    At those prices they are going to get crappy developers. To get a good developer who is willing to check his morals at the door, they would probably need to pay closer to ten times that.

    I suspect that most really skilled developers would pass simply because I don't really see the psychology matching up. The really good devs aren't in it for money (at least as the primary motivation), they enjoy building things and not destroying the systems of uninformed n00bs or stealing their credit card numbers. Good luck buying a 'hacktivist type' since their motivation is idealistic to start with. They are fishing for young, low skilled programmers. You don't need to offer the 'malicious skript kiddie' archetype a lot of money, because they aren't going to have the skills or CS knowledge to get the 100k+ dev jobs. And any unscrupulous programmer with real talent won't waste their time subcontracting, they will just write their own malware.

    --

    HA! I just wasted some of your bandwidth with a frivolous sig!
  6. Re:Vundo and friends by iMouse · · Score: 5, Informative

    Doesn't delete the Start Menu shortcuts....it moves them into a hidden folder called smtemp in your user's Temp directory. They can be restored fairly easily if you haven't already blown away everything in that folder.

    Some new variants are removing the registry key that shows the "Show Hidden Files and Folders" option from Folder Options. While re-importing the key is fairly trivial, you have to get rid of the malware first. Even better than that, they then associate any .exe file extensions with the Trojan Horse. If you remove the Trojan Horse, rundll32 asks what program you wish to launch program.exe with.

    There is a really nice reg file that someone exported and threw on a website that addresses this issue and fixes the file association. Since reg files can be run without actually opening regedit, it will import if the file association is already jacked. This file is intended for XP, but will work with Vista and 7...it just throws an error that you can ignore.

    http://www.dougknox.com/xp/fileassoc/xp_exe_fix.zip

    Fun and games. If you stop/remove the Trojan, run the command below from a command prompt with admin privs (for Vista and 7 users...XP runs the command as admin as long as you are a user with admin privs). If the malware is still running, you may still have some time to get some of your stuff moved off if you're worried about losing it or just want to restore the box.

    attrib -h /S /D C:\*.*

    The malware is cleanable and the OS is repairable, believe me....but it takes a lot of work and time to understand what the malware has already done and what changes need to be reversed.

    Hope this helps someone!

  7. Re:If someone gets caught... by c0lo · · Score: 2

    , what kind of prison will they go to?

    Depending on the skills, they may end up in Siberia, in a highly comfortable cell with broadband optical fiber, doing the same work for another (state) employer and possibly without pay.

    --
    Questions raise, answers kill. Raise questions to stay alive.
  8. A better political system by Dainsanefh · · Score: 2

    That is why anarchy is the best form of democracy. You have your own laws and turfs. No bullshit feds and/or LE around you.

    --
    Twitter: @dainsanefh
  9. Re:Vundo and friends by Hitokiri+Battousai · · Score: 4, Informative

    I deal with this type of malware for a living. Once you know what it does it's quite quick to clean up a system.

    First off, it's foolish and counterproductive to try to remove malware by using the OS that's infected. Boot to a live CD (like BartPE so you can mount the registry) and at the very least disable it from startup. From there feel free to boot to the OS and repair the damage.

    The start menu is indeed moved to the user's Temp folder. In detail:
    smtemp\1 is the public start menu
    smtemp\2 is the user's start menu
    smtemp\3 is the public desktop (I think, I've only seen this folder once)
    smtemp\4 is the user's desktop
    It also disables the listing of recently used programs in the start menu and un-pins everything. It's easy to turn that back on.

    The following is a terrible idea:
    attrib -h /S /D C:\*.*
    as it will unhide everything on the computer.

    It's quite easy to instead just select all the profiles under \Users\, go to properties, uncheck hidden, and apply to all sub objects. Afterwards, go into each profile and rehide only the top folder of AppData and all of the files in the root of the profile (things like ntuser.dat). In XP there are a number of other folders under the profile that are hidden by default. Reference a known good computer to see which ones.

    It may also set some group policies to disable the desktop, the task manager, and disable changing the wallpaper. Delete these.

    The particular malware that does this does not alter .exe associations, but if you need to fix those, there is a far more reliable free tool from Kaspersky called AVZ. The option is under File -> System Recovery. (Tip: you can rename avz.exe to something like avz.com so you can run it. Or manually fix the association for .exe and let the tool fix the rest.)

    Another spot to look out for is IFEO debugger entries. Look under:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options

    Inside you will find keys of image names (like iexplore.exe). Under each key you may see a string value called Debugger. Its data will be set to the path of the malware that's infected the computer. If such a key exists, the 'debugger' will be launched whenever you try to execute the specified image.

    That about sums it up for all of the 'modern' 'viruses'. Quite pathetic. The only reason these things work is because people are tricked into letting them through UAC. The new Mac infections function nearly identically. They require that the user enter their root password for them to install, and all they do is put themselves in the Mac's startup locations, so they're even easier to remove.
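The two comments above (iMouse's and Hitokiri Battousai's) describe three things an incident responder wants to check on a box hit by this family: the smtemp folder the Start Menu and desktop were moved into, the IFEO Debugger hijack, and a safer way than attrib -h /S /D C:\*.* to put the hidden attributes back. The script below is an added example written for this page, not code from either commenter or from any vendor tool; the registry path and the smtemp\1..4 mapping come from the comments (the commenter marks smtemp\3 as uncertain, and this script keeps that label), while the function names, the use of $env:TEMP as the Temp directory, and the heuristics flagging a Debugger that lives under a Temp folder or is unsigned are assumptions of this example. The first two functions are read-only; the third changes file attributes and supports -WhatIf so it can be previewed first.

```powershell
# Added example (not from the Slashdot commenters). Run in an elevated PowerShell
# on the machine being examined. Audit functions only report; legitimate IFEO
# Debugger entries exist (developer tools, some security products), so review
# the output rather than deleting blindly.

# Registry path quoted in the comment above.
$ifeoPath = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'

# Folder mapping as given by the commenter; '3' is the one they were unsure about.
$smtempMap = @{
    '1' = 'Public (All Users) Start Menu'
    '2' = "User's Start Menu"
    '3' = 'Public Desktop (uncertain per commenter)'
    '4' = "User's Desktop"
}

function Get-IfeoDebuggerEntries {
    # Each subkey is an image name (e.g. iexplore.exe). A 'Debugger' value under it
    # makes Windows launch that "debugger" instead of the image.
    Get-ChildItem -Path $ifeoPath -ErrorAction SilentlyContinue | ForEach-Object {
        $dbg = (Get-ItemProperty -Path $_.PSPath -Name Debugger -ErrorAction SilentlyContinue).Debugger
        if ($dbg) {
            # Pull the executable out of a quoted or unquoted command line.
            $exe = ($dbg -split '"')[1]
            if (-not $exe) { $exe = ($dbg -split ' ')[0] }
            $exists = Test-Path -LiteralPath $exe
            [pscustomobject]@{
                Image    = $_.PSChildName
                Debugger = $dbg
                Exists   = $exists
                Signed   = if ($exists) { (Get-AuthenticodeSignature -FilePath $exe).Status -eq 'Valid' } else { $false }
                InTemp   = [bool]($dbg -match '\\Temp\\')   # heuristic: malware often lives in a Temp dir
            }
        }
    }
}

function Get-SmtempFolders {
    # Lists the smtemp subfolders the malware moved shortcuts into and how many
    # files each holds, so you can see what is recoverable before cleaning Temp.
    param([string]$TempRoot = $env:TEMP)
    $root = Join-Path $TempRoot 'smtemp'
    if (-not (Test-Path -LiteralPath $root)) { return @() }
    Get-ChildItem -LiteralPath $root -Directory -Force | ForEach-Object {
        [pscustomobject]@{
            Folder   = $_.FullName
            MappedTo = if ($smtempMap.ContainsKey($_.Name)) { $smtempMap[$_.Name] } else { 'unknown' }
            Files    = (Get-ChildItem -LiteralPath $_.FullName -Recurse -Force -File | Measure-Object).Count
        }
    }
}

function Repair-ProfileHiddenAttributes {
    # The selective alternative to 'attrib -h /S /D C:\*.*' described in the comment:
    # clear Hidden on one profile tree, then re-hide only AppData and the files in
    # the profile root (ntuser.dat and friends). Use -WhatIf to preview.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param([Parameter(Mandatory = $true)][string]$ProfilePath)

    Get-ChildItem -LiteralPath $ProfilePath -Recurse -Force |
        Where-Object { $_.Attributes -band [IO.FileAttributes]::Hidden } |
        ForEach-Object {
            if ($PSCmdlet.ShouldProcess($_.FullName, 'clear Hidden attribute')) {
                $_.Attributes = $_.Attributes -bxor [IO.FileAttributes]::Hidden
            }
        }

    $rehide = @(Join-Path $ProfilePath 'AppData')
    foreach ($f in Get-ChildItem -LiteralPath $ProfilePath -File -Force) { $rehide += $f.FullName }
    foreach ($p in $rehide) {
        if ((Test-Path -LiteralPath $p) -and $PSCmdlet.ShouldProcess($p, 'set Hidden attribute')) {
            $item = Get-Item -LiteralPath $p -Force
            $item.Attributes = $item.Attributes -bor [IO.FileAttributes]::Hidden
        }
    }
}

Write-Host '== IFEO Debugger entries =='
Get-IfeoDebuggerEntries | Format-Table -AutoSize
Write-Host "== smtemp folders under $env:TEMP =="
Get-SmtempFolders | Format-Table -AutoSize
# Preview the attribute repair for one profile before doing it for real:
# Repair-ProfileHiddenAttributes -ProfilePath 'C:\Users\alice' -WhatIf
```

As the commenter notes, the listing from Get-IfeoDebuggerEntries is the thing to act on: an entry whose Debugger points at a file under Temp, or that is missing or unsigned, is the hijack to remove (after the malware process itself is stopped from a live CD), while an entry pointing at a signed tool you recognise is probably legitimate. Repair-ProfileHiddenAttributes deliberately takes one profile at a time, so nothing outside \Users is touched and XP's extra default-hidden profile folders can still be compared against a known-good machine before re-hiding them by hand.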