Dmitri Alperovitch CipherTrust Inc.
Previous works have focused on analysis and reverse-engineering of malware payloads, such as worms, keyloggers, destructive viruses and spyware. Phishing trojan creation toolkits represent the latest advancements of some of the most resourceful and profitable online criminal enterprises. These highly sophisticated and customizable trojans are hugely popular in the underground carding community and are a key part of numerous online identity and financial theft crimes. They are produced by teams of international software developers and selling for substantial amounts of money.
In this paper we present an analysis and reverse-engineering results of five of the most popular and sophisticated trojan toolkits. We show that these are substantial software engineering products that include a vast array of features, advanced detection evasion capabilities and effective targeted countermeasures to anti-fraud technologies that are in place at most of the major banks and other financial institutions.
The paper demonstrates that phishing trojan development is nowadays a highly profitable business with the software being actively distributed and marketed through a well-developed underground business channel and reseller network that provide both the cloak of anonymity as well as relative safety and plausible deniability for the malware developers. This represents a new change on the malware scene - the creation of a services industry dedicated to the creation of high-quality malware with a well organized and developed distribution channel.
Lastly, we discuss how these toolkit trends and changes in criminal collaborations affect current defence approaches and suggest alternative models to advancing the community's defences.