The global economy may be struggling to create new jobs, but the employment outlook for criminally-inclined computer programmers has never been brighter. I’ve spent some time lurking on shadowy, online underground forums, and lately I’ve seen a proliferation of banner ads apparently placed by criminal gangs looking for talented programmers to help make existing malware stealthier and more feature-rich.
Many of the ads highlight job openings for coders who are skilled in devising custom “crypters,” programs designed to change the appearance of known malware so that it goes undetected by anti-virus software. Anti-virus signatures are based on snippets of code found within known malware samples, and crypters try to hide or obfuscate that code. When anti-virus firms update their products with the ability to detect and flag files that are shrouded by this layer of obfuscation, malware writers tweak their creations in a bid to further evade the new detection mechanisms.
The composite banner ad pictured above is a solicitation from a crime gang that offers a base salary of $2,000 per month in exchange for a “long-term partnership” creating crypters that include customer support. The ads lead to a sign-up page (below) where interested coders can leave their résumé and contact information, and state why they think they are qualified for the position.
The Russian text in the above ad translates to:
“We invite you to join our team of crypto-programmers, including programmers with no experience in this field.
* Base salary from $2,000 per month, with an increase in salary, depending on the quality and timeliness of your work.
* Payments are made weekly.
* Long-term cooperation (with many programmers, we have been in business for more than two years).
Please fill in your application only if you understand what is at stake. Thank you.”
Other ads, like the one below, seek qualified candidates for similar jobs with a promise of as much as $5,000 per month for creating custom crypters and providing customer support.
There also appears to be a high demand for programmers who can code so-called “Web injects,” plug-ins for malware kits like the ZeuS and SpyEye trojans that are designed to inject custom content into a Web browser when the victim browses to certain sites, such as a specific bank’s login page.
A common Web inject used with ZeuS inserts requests for the answers to the victim’s challenge questions when the user logs in to his bank account. Coding decent Web injects can be challenging because Web sites display differently in different Web browsers, and a poorly-designed inject may alert the victim that something isn’t quite right, prompting him to contact his bank. The ad below promises enterprising coders at least $2,000 for every completed Web inject written to work with ZeuS and/or SpyEye.
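Seen from the bank's side, an inject like the one described above shows up as content the site never served. The following is an added example, not part of the original article: it compares the form fields and script origins in a page as rendered in a customer's browser against a known-good baseline. The baseline, the `bank.example` host, the field names and the availability of a rendered-HTML snapshot are all assumptions made for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed baseline for a hypothetical login page (not from the article).
BASELINE = {"fields": {"username", "password", "csrf_token"},
            "origins": {"bank.example"}}

class FormAudit(HTMLParser):
    """Collect input names plus form/script/iframe hosts from a rendered page."""
    def __init__(self):
        super().__init__()
        self.fields, self.origins = set(), set()

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag in ("input", "select", "textarea") and a.get("name"):
            self.fields.add(a["name"])
        if tag == "form":
            url = a.get("action")
        elif tag in ("script", "iframe"):
            url = a.get("src")
        else:
            url = None
        if url:
            host = urlparse(url).hostname
            if host:  # relative URLs have no host and count as same-origin
                self.origins.add(host)

def audit(rendered_html, baseline=BASELINE):
    """Return fields and hosts present in the page but absent from the baseline."""
    p = FormAudit()
    p.feed(rendered_html)
    return {"extra_fields": sorted(p.fields - baseline["fields"]),
            "extra_origins": sorted(p.origins - baseline["origins"])}

# Constructed sample: the page as the server sends it.
CLEAN = """<form action="/login" method="post">
<input name="username"><input name="password" type="password">
<input name="csrf_token" type="hidden" value="x"></form>
<script src="https://bank.example/app.js"></script>"""

# Constructed sample: the same page with extra challenge-question prompts
# and an unknown script host, as it might appear in a tampered browser.
TAMPERED = CLEAN.replace(
    "</form>",
    '<input name="mothers_maiden_name"><input name="first_pet"></form>'
) + '<script src="https://cdn.invalid/x.js"></script>'

if __name__ == "__main__":
    print(audit(CLEAN))
    print(audit(TAMPERED))
```

A non-empty `extra_fields` or `extra_origins` result is a signal for review, since a legitimate site redesign will also differ from a stale baseline.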
- Malware gangs are reinvesting at least some of their earnings into research and development. They understand that if they fail to innovate, they don’t get paid.
- A lot of malware is developed not by a single person, but by teams of programmers, each of which may specialize in maintaining one component or function of the malware.
- Coding teams doing all this hiring know that good customer support is a major driver of sales, and that selling a product and then leaving the customer high and dry is the fastest way to drive users away from upgrading to future versions of your software and services.
So how about it? Ready to quit your day job as a code jockey at a software firm and go to work for the dark side? Okay, but you might want to sign up for those COBRA benefits first. I couldn’t find any ads for malware gangs that were offering health or dental insurance…yet.