{"id":11450,"date":"2013-06-14T00:00:48","date_gmt":"2013-06-14T07:00:48","guid":{"rendered":"http:\/\/blog.webroot.com\/?p=11450"},"modified":"2018-10-05T16:21:46","modified_gmt":"2018-10-05T22:21:46","slug":"how-cybercriminals-apply-quality-assurance-qa-to-their-malware-campaigns-before-launching-them","status":"publish","type":"post","link":"https://www.webroot.com/blog/2013\/06\/14\/how-cybercriminals-apply-quality-assurance-qa-to-their-malware-campaigns-before-launching-them\/","title":{"rendered":"How cybercriminals apply Quality Assurance (QA) to their malware campaigns before launching them"},"content":{"rendered":"<p><strong>By Dancho\u00a0Danchev<\/strong><\/p>\n<p>In 2013, basic <a href=\"http:\/\/blog.webroot.com\/tag\/quality-assurance\/\"><strong>Quality Assurance (QA)<\/strong><\/a>\u00a0has become standard practice for cybercriminals launching a new campaign. To increase the probability of a successful outcome (think infection rate, the conversion of visitors into malware-infected hosts, or the conversion of blackhat-SEO-acquired traffic into purchases of counterfeit pharmaceuticals), 
it is now common to observe QA tactics applied before, during and after a malicious or fraudulent campaign reaches maturity, all in the service of earning as much money as possible through fraudulent means.<\/p>\n<p>In this post\u00a0we&#8217;ll profile a recently released desktop-based multi-antivirus scanning application.\u00a0It\u00a0uses the infrastructure of one of the market-leading cybercrime services: a scanner used exclusively by cybercriminals who want to confirm that their malicious executables are not detected by current signatures, and that their submitted samples are not shared with the antivirus vendors (the property that distinguishes it from VirusTotal), before the campaign is actually launched.<\/p>\n<p>More details:<\/p>\n<p><!--more--><\/p>\n<p><strong>Sample screenshots of the desktop edition of the originally Web-based, API-supporting cybercrime-friendly service:<\/strong><\/p>\n<p><a href=\"https:\/\/webrootblog.files.wordpress.com\/2013\/06\/cybercrime_malware_malicious_software_multiple_antivirus_scanners_desktop_scanner.png\"><img decoding=\"async\" loading=\"lazy\" class=\"aligncenter size-full wp-image-11454\" alt=\"Cybercrime_Malware_Malicious_Software_Multiple_Antivirus_Scanners_Desktop_Scanner\" src=\"https:\/\/webrootblog.files.wordpress.com\/2013\/06\/cybercrime_malware_malicious_software_multiple_antivirus_scanners_desktop_scanner.png\" width=\"279\" height=\"166\" \/><\/a> <a href=\"https:\/\/webrootblog.files.wordpress.com\/2013\/06\/cybercrime_malware_malicious_software_multiple_antivirus_scanners_desktop_scanner_01.png\"><img decoding=\"async\" loading=\"lazy\" class=\"aligncenter size-full wp-image-11455\" alt=\"Cybercrime_Malware_Malicious_Software_Multiple_Antivirus_Scanners_Desktop_Scanner_01\" src=\"https:\/\/webrootblog.files.wordpress.com\/2013\/06\/cybercrime_malware_malicious_software_multiple_antivirus_scanners_desktop_scanner_01.png\" width=\"532\" height=\"734\" \/><\/a><\/p>\n<p>Operating on the public Web since 2009, one of the most 
popular cybercrime-friendly\u00a0underground alternatives to VirusTotal has evolved steadily over the years: new antivirus engines are added periodically, URL checking against the most popular public and commercial blacklists has been introduced, and since 2010 its users can also call its API and embed it in their campaigns and <strong><a href=\"http:\/\/blog.webroot.com\/2013\/01\/08\/black-hole-exploit-kit-authors-vertical-market-integration-fuels-growth-in-malicious-web-activity\/\">Web malware exploitation kits<\/a><\/strong>.\u00a0Does the existence and public availability of the desktop tool pose any significant additional threat?<\/p>\n<p>Although the (unofficial) desktop version is meant as a convenience for cybercriminals who prefer not to use the service&#8217;s Web interface, it works against the bulk-oriented efficiency of the API and imposes the service&#8217;s own limits on the cybercriminal using it; the capability that matters remains the service and its API.<\/p>\n<p>The existence of this service, and the community that apparently orbits around it, is a stark reminder of <a href=\"https:\/\/blog.webroot.com\/2012\/02\/23\/why-relying-on-antivirus-signatures-is-simply-not-enough-anymore\/\"><strong>the limitations of signature-based antivirus scanning<\/strong><\/a> in 2013: a sample that scores zero detections across every engine on the day it is released will pass signature-only defenses until a signature is written for it. 
With <a href=\"https:\/\/blog.webroot.com\/2013\/02\/22\/diy-malware-cryptor-as-a-web-service-spotted-in-the-wild\/\"><strong>commercially<\/strong><\/a> available <a href=\"https:\/\/blog.webroot.com\/2013\/05\/20\/diy-malware-cryptor-as-a-web-service-spotted-in-the-wild-part-two\/\"><strong>DIY malware crypting services<\/strong><\/a>, commercially available <a href=\"https:\/\/blog.webroot.com\/2013\/01\/18\/leaked-diy-malware-generating-tool-spotted-in-the-wild\/\"><strong>undetected DIY malware generating tools<\/strong><\/a>, and <a href=\"https:\/\/blog.webroot.com\/2012\/09\/20\/managed-ransomware-as-a-service-spotted-in-the-wild\/\"><strong>managed malware\/ransomware services<\/strong><\/a>\u00a0that handle detection evasion on the customer&#8217;s behalf, cybercriminals are well positioned to capitalize on users&#8217; false sense of security and lack of situational awareness of the whole infection process.<\/p>\n<p>To find out more about how\u00a0Webroot is\u00a0reinventing the antivirus, see <a href=\"http:\/\/www.webroot.com\/shared\/pdf\/reinventing-antivirus.pdf\"><strong>this paper<\/strong><\/a>.<\/p>\n<p><em>You can find more about Dancho\u00a0Danchev at his\u00a0<strong><a href=\"https:\/\/linkedin.com\/in\/danchodanchev\">LinkedIn Profile<\/a><\/strong>. You can also\u00a0<strong><a href=\"https:\/\/www.twitter.com\/danchodanchev\">follow him on Twitter<\/a><\/strong>.<\/em><\/p>\n","protected":false},"excerpt":{"rendered":"<p>By Dancho\u00a0Danchev In 2013, the use of basic Quality Assurance (QA)\u00a0practices has become standard practice\u00a0for cybercriminals\u00a0when\u00a0launching a\u00a0new\u00a0campaign. In an attempt to increase the probability of a successful outcome for their campaigns &#8212; think malware infection, increased visitor-to-malware infected conversion, improved conversion of blackhat SEO acquired traffic leading to the\u00a0purchase of counterfeit pharmaceutical items etc. 
&#8212; [&hellip;]<\/p>\n","protected":false},"author":65,"featured_media":17052,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":[],"categories":[3005],"tags":[],"yst_prominent_words":[14735,4811,3881,10777,5411,6173,5735,8711,5733,14733,23401,3477,6669,9249,5017,14731,9803,3947,5025,4313],"acf":[],"_links":{"self":[{"href":"https://www.webroot.com/blog/wp-json\/wp\/v2\/posts\/11450"}],"collection":[{"href":"https://www.webroot.com/blog/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https://www.webroot.com/blog/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https://www.webroot.com/blog/wp-json\/wp\/v2\/users\/65"}],"replies":[{"embeddable":true,"href":"https://www.webroot.com/blog/wp-json\/wp\/v2\/comments?post=11450"}],"version-history":[{"count":2,"href":"https://www.webroot.com/blog/wp-json\/wp\/v2\/posts\/11450\/revisions"}],"predecessor-version":[{"id":26141,"href":"https://www.webroot.com/blog/wp-json\/wp\/v2\/posts\/11450\/revisions\/26141"}],"wp:featuredmedia":[{"embeddable":true,"href":"https://www.webroot.com/blog/wp-json\/wp\/v2\/media\/17052"}],"wp:attachment":[{"href":"https://www.webroot.com/blog/wp-json\/wp\/v2\/media?parent=11450"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https://www.webroot.com/blog/wp-json\/wp\/v2\/categories?post=11450"},{"taxonomy":"post_tag","embeddable":true,"href":"https://www.webroot.com/blog/wp-json\/wp\/v2\/tags?post=11450"},{"taxonomy":"yst_prominent_words","embeddable":true,"href":"https://www.webroot.com/blog/wp-json\/wp\/v2\/yst_prominent_words?post=11450"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}