Mysterious, yet familiar
Convenience is the key
To further assure quality of service, the site claims to check the detection rate of its three cryptors and supposedly modifies a cryptor when it is detected by more than a few AV products. However, the detection rate displayed on the site is suspiciously low compared to the actual result I got from VirusTotal.
The obfuscation process can also be automated via an online API, which makes maintaining a large number of compromised websites much easier, as seen in the fake AV site mentioned above.
The site also provides account management features, such as changing password/contact info, replenishing the account with WebMoney, and even a log of all the data previously obfuscated.
This site is apparently operated by Paunch, the author of the very popular Blackhole Exploit Kit (EK) and its successor, the Cool Exploit Kit. Both EKs are available for rent or purchase as well. A rented Blackhole server has been reported to cost $500 a month, while an annual license costs $1500. The newer Cool EK reportedly costs $10,000 a month to rent. It looks as though Paunch is taking advantage of the reputation he built with these popular EKs and expanding his business into other parts of the cybercrime ecosystem.
The website advertised in the banner of crypt.am, doitquick.net, is yet another of Paunch’s services that make life easier for cyber-criminals. It batch-registers domains that can be used for both white and black/gray purposes, and also comes with blacklist-detection features.
Long gone are the days when a cyber-criminal needed to hand-craft his own little exploit kit and cryptors, or buy them from other underground sources of questionable reputation. With the market domination Paunch enjoys, he can afford to purchase or custom-build the best exploits/cryptors out there and offer them at a very competitive price.
Many happy customers
The majority of the compromised sites redirect to either Blackhole or Cool EK. Blackhole EK was reported to have a conversion rate (share of visitors who end up infected) of about 8%; the conversion rate for Cool EK is a bit lower, at 7%. That means 7% to 8% of the visitors to the thousands of compromised websites would end up with malware installed on their computers.
Assuming obfuscation with crypt.am keeps a compromised site undetected for 2 extra days, and the site gets only 50 visitors per day, at least 2 * 50 * 7% = 7 extra visitors will get infected. Armed with an arsenal of ransomware (min $50, usually $100), scareware ($50-$200) and banking trojans (whatever amount is in your bank account), a cyber-criminal can easily recover the cost of a whole month of unlimited crypt.am service ($50) with this one website alone.
A Google search for “visited_uq” also returned about 270,000 results, many of which Google labels “This site may harm your computer.”
Although it is hard to establish a solid association between these “Cookie Bomb” sites and the use of crypt.am, a quick look at some of these websites indicates that at least some of the plain-text “Cookie Bombs” (second line in the picture below) have been replaced by (or complemented with) an obfuscated version (first line below), possibly with the help of crypt.am.
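The post does not reproduce the scripts behind that picture, so the following is an added example, not code from the original post, from crypt.am or from any compromised site. It is a small Python scanner that pulls inline scripts out of a page and looks for the “visited_uq” marker first as a literal and then after peeling common JavaScript string-encoding layers. The page samples are constructed here for illustration, and the two wrapping techniques it undoes (String.fromCharCode and unescape) are assumptions about what an obfuscator might emit, not a description of how crypt.am actually works. The point it demonstrates is that a literal search for the marker (what a Google-style text index sees) misses the obfuscated variant, while the decoded form still carries it.

```python
import re
from html.parser import HTMLParser
from urllib.parse import unquote

MARKER = "visited_uq"  # cookie name the post's Google search keys on

# --- Constructed samples (illustration only, not real injected code) -------
# A plain-text "Cookie Bomb": set a marker cookie on first visit, then inject.
_BOMB_JS = (
    'if(document.cookie.indexOf("visited_uq")==-1){'
    'document.cookie="visited_uq=55";'
    "document.write(\"<iframe src='http://example.invalid/' width=1 height=1>\")}"
)


def _charcode_wrap(js: str) -> str:
    """Wrap js as eval(String.fromCharCode(...)); used only to build samples."""
    return "eval(String.fromCharCode(" + ",".join(str(ord(c)) for c in js) + "))"


def _percent_wrap(js: str) -> str:
    """Wrap js as eval(unescape("%XX%XX...")); used only to build samples."""
    return 'eval(unescape("' + "".join("%%%02X" % ord(c) for c in js) + '"))'


PLAIN_BOMB = "<html><body><p>hello</p><script>" + _BOMB_JS + "</script></body></html>"
CHARCODE_BOMB = "<html><body><script>" + _charcode_wrap(_BOMB_JS) + "</script></body></html>"
PERCENT_BOMB = "<html><body><script>" + _percent_wrap(_BOMB_JS) + "</script></body></html>"
CLEAN_PAGE = "<html><body><script>var x = 1;</script><p>no injection</p></body></html>"


class _ScriptCollector(HTMLParser):
    """Collect the raw text of every inline <script> element on a page."""

    def __init__(self):
        super().__init__()
        self.in_script = False
        self.scripts = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.in_script = True
            self.scripts.append("")

    def handle_endtag(self, tag):
        if tag == "script":
            self.in_script = False

    def handle_data(self, data):
        if self.in_script:  # HTMLParser hands script bodies over as raw CDATA
            self.scripts[-1] += data


# Assumed encoding layers an obfuscator might use (illustrative, not crypt.am's).
_FROMCHARCODE = re.compile(r"String\.fromCharCode\(\s*([0-9]+(?:\s*,\s*[0-9]+)*)\s*\)")
_UNESCAPE = re.compile(r'unescape\(\s*"((?:%[0-9A-Fa-f]{2})+)"\s*\)')


def _decode_fromcharcode(m: re.Match) -> str:
    return '"' + "".join(chr(int(n)) for n in m.group(1).split(",")) + '"'


def deobfuscate(js: str, max_rounds: int = 5) -> str:
    """Peel String.fromCharCode(...) and unescape("%XX...") layers until stable."""
    for _ in range(max_rounds):
        new = _FROMCHARCODE.sub(_decode_fromcharcode, js)
        new = _UNESCAPE.sub(lambda m: '"' + unquote(m.group(1)) + '"', new)
        if new == js:
            break
        js = new
    return js


def scan(html: str) -> list:
    """Return [(script_index, 'plain' | 'obfuscated')] for scripts carrying MARKER."""
    parser = _ScriptCollector()
    parser.feed(html)
    parser.close()
    hits = []
    for i, js in enumerate(parser.scripts):
        if MARKER in js:
            hits.append((i, "plain"))
        elif MARKER in deobfuscate(js):
            hits.append((i, "obfuscated"))
    return hits


if __name__ == "__main__":
    for name, page in [("plain", PLAIN_BOMB), ("fromCharCode", CHARCODE_BOMB),
                       ("unescape", PERCENT_BOMB), ("clean", CLEAN_PAGE)]:
        print(name, "literal marker:", MARKER in page, "scan:", scan(page))
```

A literal substring check flags only the plain-text sample; the two wrapped samples contain no “visited_uq” at all until the encoding is undone, which is exactly why an obfuscated Cookie Bomb stays out of a plain keyword search while still doing the same thing in the browser. Real obfuscators layer and vary their encodings, so a production scanner would either run the script in a sandboxed JavaScript engine or keep extending the decoder set.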