Malware-as-a-Service

By RJ Madsen

Malware itself isn’t a new concept: the first traditional virus, Elk Cloner from 1981, infected the boot sector on Apple II computers. Since then malware authors and security professionals have been constantly evolving and improving, and cyber-crime has become mainstream news. Now, similar to the trend of software-as-a-service, malware-as-a-service is growing in popularity, and larger companies and blogs are taking note. One of these companies is Check Point Software Technologies, which published a post about this new industry and provided some data on exploit kits that were wreaking havoc in the wild.[1] From that post we can see how dynamic the market for exploit kits and other malware-as-a-service offerings is: a particular package called Angler rose in popularity over April and May of 2016 but then abruptly dropped off, causing a related service, Neutrino, to hike its prices. The article also goes over the different kinds of payloads delivered by the Nuclear exploit kit, with ransomware taking a staggering lead at 144,478 samples delivered. Following this are banking Trojans at 54,403 samples delivered, and finally click fraud and rootkits, both with fewer than 200 samples. Ransomware is the easiest way for criminals to profit from their actions, typically by directly extorting money from their victim instead of relying on a middle-man in the form of selling information in online marketplaces. The prevalence of crypto-currencies like bitcoin, which at the time of this blog post is at $766.80 and nearing a five-month high, also helps ransomers get their money and get away.[2]

From my personal research, I visited the Darknet marketplace Crypto Market and was fairly quickly able to find a few samples of malware I could own for as little as $1.00. However, it is impossible to tell whether the malware was legitimate without actually purchasing it and hoping the delivery would come through, and that was not something I personally wanted to get tangled up with. The $1.00 sample was simply called ‘virus rat worms’ and came with no description and a small price tag, which screamed scam.

The next sample I found was a prepackaged virus by the name of ‘Nasty Virus’. Reported to affect Windows 7 through 8.1, it would continually install junk software until the machine was unusable. The neatly packaged executable file would cost only $5.00; the purchaser would then have to figure out how to get an unwitting victim to launch the executable.


The most interesting sale I found was a ransomware program that came with two different options: one with a smaller entry price of $20.00 that split profits with the distributor, and another version that ran $100.00 but did not split profits. This type of service is the most prevalent; with malware like CryptoLocker making headlines and Cerber being the most popular ransomware variant in the wild today, there are plenty of lesser-known kinds floating around the internet. This particular version advertises that it works on Windows, employs a popup to force the user to pay after their files have been encrypted, and claims to be ‘FUD’, or fully undetectable. The seller allows the purchaser to provide their own bitcoin address to receive payment and to set the ransom amount to request from the victim.


I was also intrigued to find that there was some feedback on the page, and the seller had actually taken the time to respond to the person who posted it. This led me to believe that this may be a legitimate and supported case of malware for sale, especially since the listing had been up for a long time, two months at the time of posting this blog.


This is, of course, just a single marketplace operating within Tor, so there are plenty of other places to search for samples, with the very popular malware services being offered on different forums around the world, if you know where to look or how to search.


References
