Skip to content
Naked Security Naked Security

Malware-as-a-service “Fully UnDetectable” operators busted

Police in the UK have arrested 2 people for allegedly offering an "anti-anti-virus" service - sort of like VirusTotal, but for crooks.

It’s pretty obvious what an anti-virus does.

It aims to identity and block viruses, worms, Trojans, rootkits, keyloggers, spyware, ransomware, exploit kits and so forth – malware, in other words, a portmanteau word that is short for malicious software.

Strictly speaking, a virus is a specific type of malware than can spread by itself, infecting other files and computers along the way. But you can also use the word virus unexceptionably and metaphorically – in a figure of speech known as metonymy – to refer to malware in general.

Unfortunately, as part of the arms race of computer security, there’s also an area of great interest to cybercrooks known colloquially as anti-anti-virus.

This means, quite simply, figuring out tricks to make the life of an anti-virus product harder.

One way is by using active programming measures inside the virus, often called stealth, to make things not what they seem.

An anti-virus may know exactly what to look for, but the anti-anti-virus system acts as a sort of digital disguise, so the anti-virus sees only innocent content instead.

Another anti-anti-virus technique is reactive: whenever you realise that malware X is being blocked by anti-virus Y, automatically spit out malware version X+1, mutated in the hope that Y will no longer detect it.

That’s just the sort of online service offered until recently by reFUD-dot-me, where FUD, punning on the usual meaning of fear, uncertainty and doubt, stood for Fully UnDetectable.

Loosely speaking, we’re talking about a service like Google’s VirusTotal, except that instead of helping users to draw the attention of the research community to potential new virus samples, reFUD-dot-me was intended as a service especially for other crooks.

The idea was that you could privately test new variants of Malware X – versions X+1 and X+2, say – against a raft of anti-virus products, but no one else would be told about the results.

In other words, you could get an idea of how well your new malware might do in the wild, without needing to keep pirated versions of every anti-virus product up to date for yourself.

Online checking services of this sort, including VirusTotal, are actually a fairly poor way of reviewing detection rates, because they act in something of a detection vacuum, but as a starting point for cybercrooks, reFUD-dot-me was certainly a very handy way for them to find out for free whether they were on the right track with their latest malware samples.

In addition to this underground variant of VirusTotal, reFUD-dot-me also allegedly offered tools known as packers, to help you disguise your malware to make it harder to detect.

Packers, or crypters – the one offered by reFUD-dot-me was called Cryptex – aim to create scrambled, obfuscated versions of your malware that will perform the same functions yet look completely different, a bit like gift-wrapping a handgun in the hope that it will attract less attention.

We’re using the past tense here, because the UK’s National Crime Agency recently announced the arrest of two people in England, a man and a woman, both 22 years old, on charges related to running the reFUD-dot-me service.

They’re innocent until proved guilty, of course…

…but reFUD-dot-me is off the air, thus proving itself neither undetectable nor invincible.

2 Comments

It’s great that the Internet has spawned, or is it pwned, so many new businesses (criminal enterprises). As I’ve commented before, not much chance of Sophos going out of business anytime soon.

I started studying hacking when I had +- 15 years old, 12 years later I got the title of Msc., and started my phd on computer and information security … On my road I hardened bank infrastructure, made tons of Poc from flaws based only in it’s description, published papers about that and this security feature, about how rootkits became more and more sophisticated, how to build a trust base to kernel modules, how to port grsecurity to that and this kernel/arch/infra, this and that anti-anti reverse/debug/vm and blablabla ….

Then I realised that what I truly love is hacking… I hate to be the sheep, I f—–g truly love to be the wolf. Be the one who is hunting, avoiding, hiding, hitting, and smiling while subverting the whole f—–g world besides me. That gives me power… power beyond the CEO, beyond the state, just power of knowledge!!

And that power pays me much… that power buys me what I want, buys me time, peace…. So I’m a f—–g phd candidate on a great and named institution worldwide, but what I truly am is the wolf.
All my friends are now enterprise hackers, bored on life, without the look in the eye that they had when we hacked our university, we hacked the pizza delivery, we hacked the hottest girls on the block!!
They are now just one piece on the table of enterprise… and I’m now they enemy … who lives on they fault, who have life in the eyes…

I’m that guy, without meetings, without papers covered of marketing and bullshit, who codes what wants, buy what wants, who is now happy :]

Come to the dark side, we have cookies and happiness o/

Comments are closed.

Subscribe to get the latest updates in your inbox.
Which categories are you interested in?