Malware-as-a-service “Fully UnDetectable” operators busted

It’s pretty obvious what an anti-virus does.

It aims to identity and block viruses, worms, Trojans, rootkits, keyloggers, spyware, ransomware, exploit kits and so forth – malware, in other words, a portmanteau word that is short for malicious software.

Strictly speaking, a virus is a specific type of malware than can spread by itself, infecting other files and computers along the way. But you can also use the word virus unexceptionably and metaphorically – in a figure of speech known as metonymy – to refer to malware in general.

Unfortunately, as part of the arms race of computer security, there’s also an area of great interest to cybercrooks known colloquially as anti-anti-virus.

This means, quite simply, figuring out tricks to make the life of an anti-virus product harder.

One way is by using active programming measures inside the virus, often called stealth, to make things not what they seem.

An anti-virus may know exactly what to look for, but the anti-anti-virus system acts as a sort of digital disguise, so the anti-virus sees only innocent content instead.

Another anti-anti-virus technique is reactive: whenever you realise that malware X is being blocked by anti-virus Y, automatically spit out malware version X+1, mutated in the hope that Y will no longer detect it.

That’s just the sort of online service offered until recently by reFUD-dot-me, where FUD, punning on the usual meaning of fear, uncertainty and doubt, stood for Fully UnDetectable.

Loosely speaking, we’re talking about a service like Google’s VirusTotal, except that instead of helping users to draw the attention of the research community to potential new virus samples, reFUD-dot-me was intended as a service especially for other crooks.

The idea was that you could privately test new variants of Malware X – versions X+1 and X+2, say – against a raft of anti-virus products, but no one else would be told about the results.

In other words, you could get an idea of how well your new malware might do in the wild, without needing to keep pirated versions of every anti-virus product up to date for yourself.

Online checking services of this sort, including VirusTotal, are actually a fairly poor way of reviewing detection rates, because they act in something of a detection vacuum, but as a starting point for cybercrooks, reFUD-dot-me was certainly a very handy way for them to find out for free whether they were on the right track with their latest malware samples.

In addition to this underground variant of VirusTotal, reFUD-dot-me also allegedly offered tools known as packers, to help you disguise your malware to make it harder to detect.

Packers, or crypters – the one offered by reFUD-dot-me was called Cryptex – aim to create scrambled, obfuscated versions of your malware that will perform the same functions yet look completely different, a bit like gift-wrapping a handgun in the hope that it will attract less attention.

We’re using the past tense here, because the UK’s National Crime Agency recently announced the arrest of two people in England, a man and a woman, both 22 years old, on charges related to running the reFUD-dot-me service.

They’re innocent until proved guilty, of course…

…but reFUD-dot-me is off the air, thus proving itself neither undetectable nor invincible.

Leave a Reply