The UK creator of the malware resources Cryptex and reFUD.me, used by thousands in the cyber-crime world, has this week pleaded guilty to charges under the Computer Misuse Act and the Proceeds of Crime Act. Twenty-four-year-old Goncalo Esteves, known on the dark web as KillaMuvz, will be sentenced in February.
This follows a joint investigation by Trend Micro's Threat Research Team and the National Crime Agency dating back to July 2015, which concluded with the arrest of Esteves later that same year.
Both Cryptex and reFUD.me were amongst the most heavily advertised resources on cyber-crime forums at the time, and amongst the most widely used. reFUD.me was a malware-scanning service run in reverse: it ran any given sample past 40 of the leading AV products to see which of them could detect it. The fewer detections, the more effective (and valuable) the malware was to its author.
Cryptex, and the Cryptex Reborn which followed it, added further value to a sample by making it harder for those AV products to detect. It was a crypter: a tool that encrypts or otherwise obfuscates an executable so that the original bytes, and with them the signatures vendors have written for them, are no longer visible to a scanner. Fully UnDetectable (FUD) was the aim, hence the reFUD.me service name.
It is believed that while these services were running, between 2011 and 2015, Esteves made more than £30,000. That was just the amount traced through 800 PayPal transactions; the true total is almost certainly much higher, as payment was also taken in cryptocurrency and Amazon vouchers, neither of which investigators were able to trace.
So, what does this case tell us about how sophisticated the blackhat industry has become, with criminals mimicking the kind of resources developed by security vendors?
Brian Robison, senior director of security technology at Cylance, thinks that sophistication isn't the right word: "it is more commoditisation; over time, specialised skills become packaged and commercialised in such a way that even the lowest-skilled member can be just as effective as some of the original creators." Azeem Aleem, director of the Advanced Cyber Defence Practice EMEA at RSA Security, agrees that rather than the technologies being especially sophisticated, "this reveals more about the degree to which the blackhat industry is commercialising them. We're seeing evidence of this in more and more cases, and today it's not uncommon that cyber-criminals will have just as much access to security resources as the targeted organisations themselves."
Not everyone is singing from the same hymn sheet, though. Take Ed Williams, EMEA director of SpiderLabs at Trustwave, who reckons that "without question the blackhat industry is ever evolving and advancing", telling SC Media UK that "the ability to bypass AV is, in reality, a technique that any good white-hat hacker would and should possess." And Caleb Fenton, Threat Team Lead at SentinelOne, suggests that there has always been an arms race between security vendors and cyber-criminals. He compares this to similar trends in biology, telling us that "whenever there's food in a system, predators are sure to move in and take advantage of it."
Graeme Park, senior consultant at Mason Advisory, throws something of a spanner in the works by pointing out that Kali Linux is an entire operating system built around penetration testing, that Rapid7 has built a "semi-automated exploitation engine used by criminals the world over" in Metasploit, and that VirusTotal offers a very similar service to reFUD.me, yet "as they are sold as professional services they are not prosecuted..."
We will leave the last word to Chester Wisniewski, principal research scientist at Sophos, who says that what this court case demonstrates is that "we are not going to sit on the sidelines and continue to let them operate with impunity." He argues the criminals have been more organised than the defenders for some time, adding: "hopefully this sends a message that we will not tolerate this behaviour and that regardless of how they may try to use both technology and the law to hide, we will find them."