The Shark 2 DIY Malware

The Shark2 DIY malware (screenshots, its features, checksums of the builder, and the detection rates as of Saturday, 28th of July) finally made it though the mainstream media, as yet another DIY malware builder in the wild, despite that the what’s promoted as a RAT but is actually a malware, has been around since November, 2006 :

The tool is being distributed via several underground internet forums. Software development is almost equivalent to that available from legitimate software vendors with regular updates to the code bringing the latest detected version up to version 2.3.2. Virus creation toolkits have been available for years, but have mostly been restricted to the creation of mass mailing worms and their ilk. DIY phishing kits that dumb down the process of constructing fraudulent websites began about two years ago. Shark 2 makes the process of infecting targets for phishing attacks or performing other malign actions easier than ever. It means money making malware rackets are no longer the preserve of those with at least some programming skills.

As I’ve already pointed out in numerous posts, the ongoing trend of disseminating DIY malware is mainly done in order to generate as much noise as possible thought the easy of use of such builders by the average script kiddies. And while the infamous Sub7 DIY malware had the same features within its builder without, of course, Shark2’s anti-sandboxing capabilities, back in 2003 Sub7’s mission was more of a intellectual opportunism one, compared to today’s noise generation mindset of sophisticated malware authors wanting to remain as untraceable as possible. DIY malware builders evolved proportionally with the malware authors’ needs for diversity of the way the malware “phones home” in order to get efficiently controlled and the data within the infected host efficiently abused.

Every newly configured trojan variant thought the builder is an undetected piece of malware in terms of signatures based scanning, and always in the nasty combination with malware packers and crypters. Even more interesting is the fact that the authors behind the trojan are also reading the news, and as always, periodically verifying the detecting rates of the builder, namely, the checksums of the new builder compared to the one as of 28th of July that I provided have changed, and so is the detection rate for the latest release (15th of August) :

Detection rate : 4 AVs out of 32 (12.5%) detect it
AntiVir 2007.08.15 TR/Sniffer.VB.C.2
F-Secure 2007.08.15 Backdoor.Win32.VB.bax
Kaspersky 2007.08.16 Backdoor.Win32.VB.bax
Webwasher-Gateway 2007.08.15 Trojan.Sniffer.VB.C.2

File size: 2506752 bytes
MD5: e63498f392eed84b1c8a66dbb288d459
SHA1: 5aa39b70d17d16055d8084e534806d8e26a37fda
Author: Dancho Danchev

Leave a Reply

Your email address will not be published. Required fields are marked *