June 6, 2011

The global economy may be struggling to create new jobs, but the employment outlook for criminally-inclined computer programmers has never been brighter. I’ve spent some time lurking on shadowy, online underground forums, and lately I’ve seen a proliferation of banner ads apparently placed by criminal gangs looking for talented programmers to help make existing malware stealthier and more feature-rich.

Many of the ads highlight job openings for coders who are skilled in devising custom “crypters,” programs designed to change the appearance of known malware so that it goes undetected by anti-virus software. Anti-virus signatures are based on snippets of code found within known malware samples, and crypters can try to help hide or obfuscate the code. When anti-virus firms update their products with the ability to detect and flag files that are shrouded by this layer of obfuscation, malware writers tweak their creations in a bid to further evade the new detection mechanisms.

The composite banner ad pictured above is a solicitation from a crime gang that offers a base salary of $2,000 per month in exchange for a “long-term partnership” creating crypters that include customer support. The ads lead to a sign-up page (below) where interested coders can leave their résumé and contact information, and state why they think they are qualified for the position.

The Russian text in the above ad translates to:

“We invite you to join our team of crypto-programmers, including programmers with no experience in this field.

We offer:

* Base salary from $2,000 per month, with an increase in salary, depending on the quality and timeliness of your work.
* Payments are made weekly.
* Long-term cooperation (with many programmers, we have been in business for more than two years).

Please fill in your application only if you understand what is at stake. Thank you.”

Other ads, like the one below, seek qualified candidates for similar jobs with a promise of as much as $5,000 per month for creating custom crypters and providing customer support.

There also appears to be a high demand for programmers who can code so-called “Web injects,” plug-ins for malware kits like the ZeuS and SpyEye trojans that are designed to inject custom content into a Web browser when the victim browses to certain sites, such as a specific bank’s login page.

A common Web inject used with ZeuS inserts requests for the answers to the victim’s challenge questions when the user logs in to his bank account. Coding decent Web injects can be challenging because Web sites display differently in different Web browsers, and a poorly-designed inject may alert the victim that something isn’t quite right, prompting him to contact his bank. The ad below promises enterprising coders at least $2,000 for every completed Web inject written to work with ZeuS and/or SpyEye.

These ads are priceless because they offer insights into the mechanics of the cybercrime economy today. Specifically:

  • Malware gangs are reinvesting at least some of their earnings into research and development. They understand that if they fail to innovate, they don’t get paid.
  • A lot of malware is developed not by a single person, but by teams of programmers, each of whom may specialize in and maintain one component or function of the malware.
  • Coding teams doing all this hiring know that good customer support is a major driver of sales, and that selling a product and then leaving the customer high and dry is the fastest way to drive users away from upgrading to future versions of your software and services.

So how about it? Ready to quit your day job as a code jockey at a software firm and go to work for the dark side? Okay, but you might want to sign up for those COBRA benefits first. I couldn’t find any ads for malware gangs that were offering health or dental insurance…yet.

28 thoughts on “Criminal Classifieds: Malware Writers Wanted”

  1. DeborahS

    “I couldn’t find any ads for malware gangs that were offering health or dental insurance…yet.”

    And, since it’s unlikely that any of the usual medical insurers will cover these guys, you’d also better look lively if they ever do offer it. That is, unless you don’t mind getting your legs broken when you can’t afford the premiums.

    Sheesh – you’d have to be either really desperate or already crooked to seriously respond to one of these ads.

  2. Konrads

    In most exUSSR health service is free and state provided. We could argue about quality….

    As for being really crooked – soviet mentality for a very long time was “Socialism vs. Rotten capitalism” so many folks signing up don’t see the difference – for them (I imagine) it is just sticking it up to the west.

    1. Max

      You imagine right. Essentially stealing from westerners is not considered a crime. And if you stay in the way of someone who tries to do that, your life is worth nothing (check out Sergei Magnitsky’s death case for example, see: http://www.russian-untouchables.com )

  3. Abram

    Great post. But why did you post only jobs from Russia? Or are there no malware jobs in USA/Europe?

    1. BrianKrebs Post author

      Eh. Just don’t see a lot of banner ads for this stuff on the skiddie forums, I guess. Majority of these ads are placed on sites that act as services for the malcoder community, and so serve as a kind of virtual watering hole for various contingents from that community.

  4. kbbbb

    Malware manufacturers aren’t just being brazen about their desires to grow their grubby business, they’re rubbing the West’s face in it. Yes, it’s only being advertised in the underground, but regardless, the indication that they are willing to advertise shows just how comfortable they are in their industry.

    How big a joke is law enforcement in Russia/Eastern Europe???

  5. Matt

    Last week, after all the hubbub about Silk Road and Tor, I configured the Tor browser package and checked out the open market. In the “services” section I found several hackers offering up their services for a variety of prices, with titles like “I’ll hack anything,” the modern day “will work for food.”

    I have yet to verify, but apparently NY’s Senator, Chuck Schumer, was able to shut down the site within the week of it gaining notoriety: http://goo.gl/Rzr1R [google news search “chuck schumer silk road”]

    1. Anonymous

      Still up and running.

      Don’t ever believe anything a politician says. Even when he admits that he’s lying all the time.

  6. Anton

    Can you give a link to the site of this vacancy?

    1. BrianKrebs Post author

      Sorry, no. For the same reason I don’t include their ICQ numbers from the ads: I’m not trying to give them free advertising.

    2. a problem with spam?

      exploit . in maybe a good place to start!

  7. Danny Goodman

    A more efficient use of their money would be to spend it on copy writers/editors for malware-spreading spam kit templates.

  8. grumpy

    I spy, with my little eye, a security hole. This has got to be the nicest gift to security services ever. It’s like if MI[56] advertized for agents at universities filled with communist sympathizers… hang on…

  9. scamreporter

    Great blog post by author. In fact cyber criminals are gaining much grip in spreading malware online but indeed they are in whole world.

  10. Oper207

    Great write up. Keep the good work up Brian.

  11. Fred

    Your post made me LOL 😀
    between, it’s quite interesting to see how the cyber criminals are changing the way the things used to work in the past.

  12. Tensigh

    Interesting to show that it’s an actual business. I hope word of this gets out so people see that there are in fact people paying big money to sneak into your PC and get your financial information. It’s not just a bunch of hacker kids trying to see what they can get away with – it’s an actual criminal enterprise. I guess no one is shocked that the Russian authorities aren’t going to bust down some doors over this ad?

    I hope someone in Redmond reads this blog.

    1. Jon White

      OK – what’s next?

      (Oh, I guess you meant Steve Ballmer.)

  13. DoodsWH

    It’s just not limited to malware, bots for games is another one.
    There is a browser game for example I play, the bots are on .ru sites with full customer support. The game company has been trying to stop it and failing miserably. But now I can see why.
    At 35$ a person and with this specific game over 100k people play, it’s not hard to see how much they can make with only a fraction of the people paying. It’s still a lot. (These also are time based, you keep paying every couple of weeks.) So it’s in their interest to bring in new talent to stay ahead of the companies.

  14. Mosha

    It is very strange how little niche in software industry perceived as an illegal business in US and “West”. Most of that software never used in Eastern Europe itself but instead it is being sold to customers in US and Asia who actually run it. Many US companies take exactly same approach – Cisco sells network filtering hardware and software to Chinese government. Small software firms that develop back-end systems for online gambling sites right here in US sell it to companies that run sites from Antigua, Gibraltar etc… I am very certain that there is no legal grounds on which you can go after companies that develop spyware here in US as long as they only export it. I know one that actually received R&D tax breaks while doing so 🙂

  15. Kadaboom

    $2000-$5000/mo is not bad, considering that my unemployment is far less than that and it is about to run out I may actually apply. I bet they pay hard cash … I may find good application to 20 years of C programming experience until Russians outsource that business to Bangalore too hahahaha

  16. JBL

    Great post, Brian. Interesting and scary!

  17. lisa miskovsky

    apocalypse is goooooooooooooooddddddddddddd

    Apocalypse Remote Administration Tool v1.4.4

    can you tell him please release the next version of him R AT

  18. Bangak

    haha so cool to read this! not that will be the end of the economical world, earth blast, but all electronic systems will be down soon im telling you 🙂
