The global economy may be struggling to create new jobs, but the employment outlook for criminally-inclined computer programmers has never been brighter. I’ve spent some time lurking on shadowy, online underground forums, and lately I’ve seen a proliferation of banner ads apparently placed by criminal gangs looking for talented programmers to help make existing malware stealthier and more feature-rich.
Many of the ads highlight job openings for coders who are skilled in devising custom “crypters,” programs designed to change the appearance of known malware so that it goes undetected by anti-virus software. Anti-virus signatures are based on snippets of code found within known malware samples, and crypters can try to help hide or obfuscate the code. When anti-virus firms update their products with the ability to detect and flag files that are shrouded by this layer of obfuscation, malware writers tweak their creations in a bid to further evade the new detection mechanisms.
The composite banner ad pictured above is a solicitation from a crime gang that offers a base salary of $2,000 per month in exchange for a “long-term partnership” creating crypters that include customer support. The ads lead to a sign-up page (below) where interested coders can leave their résumé and contact information, and state why they think they are qualified for the position.
The Russian text in the above ad translates to:
“We invite you to join our team of crypto-programmers, including programmers with no experience in this field.
* Base salary from $2,000 per month, with an increase in salary, depending on the quality and timeliness of your work.
* Payments are made weekly.
* Long-term cooperation (with many programmers, we have been in business for more than two years).
Please fill in your application only if you understand what is at stake. Thank you.”
Other ads, like the one below, seek qualified candidates for similar jobs with a promise of as much as $5,000 per month for creating custom crypters and providing customer support.
There also appears to be a high demand for programmers who can code so-called “Web injects,” plug-ins for malware kits like the ZeuS and SpyEye trojans, and they’re designed to inject custom content into a Web browser when the victim browses to certain sites, such as a specific bank’s login page.
Continue reading →