Services for fraudsters utilizing malware are not new – AV checkers, malware encryption and malware infection services have existed in the criminal underground market for several years.
However, recent research has indicated changes in service scope and price due to service convergence and demanding buyers.
One-stop-shop – Trusteer Research came across a new group that besides offering infection services (for prices between 0.5 and 4.5 cents for each upload, depending on geography) also provides polymorphic encryption and AV checkers. This new one-stop-shop approach for malicious services is a natural evolution of the market – if the customers need to infect, then they also need to evade AV. Why not sell the whole package?
For Polymorphic encryption of malware instances they charge from $25 to $50 and for prevention of malware detection by anti-virus systems (AV checking) they charge $20 for one week and $100 for one month of service.
It’s a buyer market. Researchers also came across advertisements published by prospective buyers of infection services. The ad basically presets the buying price, how it is charged and the scope of the service:
- The advertiser pays only for unique uploads
- The calculations will be conducted according to the advertiser’s own Black Hole (exploit kit) stats module
- The advertiser will pay in advance to the sellers with recommendations, i.e. those that have 1-10 “fresh” forum messages. Otherwise, the sellers will get paid afterwards
- The domains are checked via a malware scan service website (scan4you) during the day. If the domain is recognized as blacklisted on anti-virus databases, the advertiser will automatically replace it with another.
The final paid price depends on percentage of infections:
- $4.5 for 1,000 of traffic with 3% of infections
- $6 for 1,000 of traffic with 4% of infections
- $30 for 1,000 of traffic with more than 20% of infections.
In an attempt to stay competitive we came across an ad by an Encryption Service provider that sold its service for 20$ per file, and offered a money back guarantee if it fails an AV checker.