Malware Gangs Run Ads To Hire New Coders

An anonymous reader writes "Think crime doesn't pay? Think again: an increasingly common sight on underground cybercrime forums are ads paid for by malware writers who are looking to hire talented new programmers. The most common ads are for 'crypters' designed to disguise known malware, and 'Web injects,' plug-ins made to run alongside crime kits like ZeuS and SpyEye. Salaries range from $2,000 to $5,000 monthly, health benefits not included."

And why would I trust them to actually pay?

[Kenja]

I mean, the cut in salary aside, why would I trust them to not bounce my pay check and then go "hire" someone else after taking the code I wrote? Its not like they come across as all that trustworthy and I'd be in no position to pursue legal action as I was hired to do something illegal. At least with traditional crime I can just shoot people who double cross me.

Re:And why would I trust them to actually pay?

[rrossman2]

nah, I think I saw it was BitCoins...

Honeypot?

[NiteMair]

Honestly, if I was even considering writing malware, this would smell like a major sting operation.

The group recruiting for this service must expect that plenty of white hats and/or law enforcement would apply just to see who responds. It would be asinine.

This is one of those industries where I would expect recruitment to be a "don't call us, we'll call you" type of situation.

Re:Honeypot?

[Eil]

Honestly, if I was even considering writing malware, this would smell like a major sting operation.

It's not (yet) illegal to write any kind of software you like, no matter what its purpose. What's illegal is how it's used and/or distributed.

If ever it became illegal to write software which exploits security vulnerabilities in software, there would be a whole community of white-hat researchers who'd be out of a job overnight.

Re:What are the requirements???

[RobDude]

My wife has been accepted to Vet School in Ireland. Not only does that not allow me to live in Ireland with her, I'm also unable to work without 'sponsorship'. While I've had plenty of interest, as soon as I mention my inability to work without sponsorship, they drop me like a bad habit.

The time difference, distance, viable exchange rate along with other reasons all mean I don't want to continue working at my current job.

My citizenship status makes it very difficult to find a job in Dublin. There are very few legit jobs in the US that would want me in the given situation. I'm a decent developer, but I'm nothing special. I've worked as a consultant; but if you were going to bring in an expert contractor - I don't have the experience/skills. If you are going to bring in a 'pretty good dev', you'd get a local guy.

In my situation, options are limited. I don't have much exposure to malware/scammers/etc - so I don't know how much luck I'd have earning a money with my own scams. It's also relatively unlikely that I'd be able to launch some great web startup that would fund my lifestyle. People have done it, but it's rare and they tend to be smarter, more skilled, and more dedicated than I am.

I have some savings, but once I can no longer show the ability to financially support myself; Ireland will kick me out. I still have months before it comes to that; but it very likely will happen in the next 6-9 months (I haven't moved there yet). As that deadline comes closer I'd be lying if I said I wouldn't *consider* slightly less than legal methods of earning money. I mean, even if I setup a website, printed some fliers and fixed local college kid's computers for $15 an hour, I'd be breaking the law.

Re:What are the requirements???

[Black+Parrot]

I'd apply if I knew the requirements and experience??

A degree in Malware Engineering and 10 years experience with Stuxnet.

Re:Vundo and friends

[iMouse]

Doesn't delete the Start Menu shortcuts....it moves them into a hidden folder called smtemp in your user's Temp directory. They can be restored fairly easily if you haven't already blown away everything in that folder.

Some new variants are removing the registry key that shows the "Show Hidden Files and Folders" option from Folder Options. While re-importing the key is fairly trivial, you have to get rid of the malware first. Even better than that, they then associate any .exe file extensions with the Trojan Horse. If you remove the Trojan Horse, rundll32 asks what program you wish to launch program.exe with.

There is a really nice reg file that someone exported and threw on a website that addresses this issue and fixes the file association. Since reg files can be run without actually opening regedit, it will import if the file association is already jacked. This file is intended for XP, but will work with Vista and 7...it just throws an error that you can ignore.

http://www.dougknox.com/xp/fileassoc/xp_exe_fix.zip

Fun and games. If you stop/remove the Trojan, run the command below from a command prompt with admin privs (for Vista and 7 users...XP runs the command as admin as long as you are a user with admin privs). If the malware is still running, you may still have some time to get some of your stuff moved off if you're worried about losing it or just want to restore the box.

attrib -h /S /D C:\*.*

The malware is cleanable and the OS is repairable, believe me....but it takes a lot of work and time to understand what the malware has already done and what changes need to be reversed.

Hope this helps someone!

Re:Vundo and friends

[Hitokiri+Battousai]

I deal with this type of malware for a living. Once you know what it does it's quite quick to clean up a system.

Fist off, it's foolish and counterproductive to try to remove malware by using the OS that's infected. Boot to a live CD (like BartPE so you can mount the registry) and at the very least disable it from startup. From there feel free to boot to the OS and repair the damage.

The start menu is indeed moved to the user's Temp folder. In detail:
smtemp\1 is the public start menu
smtemp\2 is the user's start menu
smtemp\3 is the public desktop (I think, I've only seen this folder once)
smtemp\4 is the user's desktop
It also disables the listing of recently used programs in the start menu and un-pins everything. It's easy to turn that back on.

The following is a terrible idea:
attrib -h /S /D C:\*.*
as it will unhide everything on the computer.

It's quite easy to instead just select all the profiles under \Users\, go to properties, uncheck hidden, and apply to all sub objects. Afterwards, go into each profile and rehide only the top folder of AppData and all of the files in the root of the profile (things like ntuser.dat). In XP there are a number of other folders under the profile that are hidden by default. Reference a known good computer to see which ones.

It may also set some group policies to disable the desktop, the task manager, and disable changing the wallpaper. Delete these.

The particular malware that does this does not alter .exe associations, but if you need to fix those, there is a far more reliable free tool from Kaspersky called AVZ. The option is under File -> System Recovery. (Tip: you can rename avz.exe to something like avz.com so you can run it. Or manually fix the association for .exe and let the tool fix the rest.)

Another spot to look out for is IFEO debugger entries. Look under:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options

Inside you will find keys of image names (like iexplore.exe). Under each key you may see a string value called Debugger. It's data will be set to the path of the malware that's infected the computer. If such a key exists, the 'debugger' will be launched whenever you try to execute the specified image.

That about sums it up for all of the 'modern' 'viruses'. Quite pathetic. The only reason these things work is because people are tricked into letting them through UAC. The new Mac infections function nearly identically. They require that the user enter their root password for them to install, and all they do is put themselves in the Mac's startup locations, so they're even easier to remove.