RSA researchers recently discovered on Facebook what appeared to be an Indonesian-speaking malware developer selling a customised botnet control panel programmed to work with the Zeus banking Trojan. First released in 2007, Zeus is a highly effective piece of malware used to steal online banking and e-commerce credentials from an infected computer.
Most developers and botnet owners will sell their malware and services on invitation-only forums frequented by cybercriminals. In this case, the developer and his team are apparently looking for people who don’t have the technical chops to participate in the forums, but are looking for an easy way to get started in the lucrative business of cybercrime, RSA said on Friday.
The developer sold the code for his own variant of Zeus, packaged and ready for use. In addition, a person could lease a botnet and buy a beginner-friendly control panel for distributing Zeus and harvesting credentials or launching a distributed denial of service (DDoS) attack. Tutorials and support were also available.
The Facebook Page discovered by RSA advertised the malware and services and linked to a website where a potential buyer could see a demonstration. The page also posted frequent updates and information about botnets, exploits, cybercrime and the developer's own malware, Zeus v 18.104.22.168. RSA did not know the pricing.
RSA notified Facebook about the page. Facebook did not respond on Friday to a request for comment.
The advertisement was the first RSA had seen on a public social network. In general, such a move would increase the risk of getting caught by international cyber police. However, RSA believes the criminal is likely living in a country with weak or non-existent laws against such activity.
“Even if his country found out his true identity, they [probably] wouldn’t go after him,” said Berk Veral, senior product manager for RSA FraudAction.
Many variants of Zeus have appeared since its source code was released in the underground in 2011. Why the code was made public is not known. Some experts have speculated that the code's then-owner, who went by the names "Gribodemon" and "Harderman," wanted to devalue Zeus in order to increase sales of his hybrid SpyEye Trojan.
Cybercriminals often hijack Facebook accounts to distribute spam or to embed links to malicious sites. Whether the latest audacious move marks a trend is too soon to say, Veral said.
“That remains to be seen,” he said. “This is a bold, bold act.”