Softpedia
 


September 11th, 2010, 04:55 GMT · By

Cracked Trojan Builder Infects Its Own Users

Cracked ZombieM 2.0 builder comes with hidden backdoor
Cybercriminals looking to use a cracked version of a trojan creation tool called ZombieM Bot Builder can end up infected themselves, since some installers are rigged with a backdoor.

ZombieM Bot Builder is a crimeware toolkit that can be used to generate customized versions of a computer trojan that act as botnet clients.

It was created by an Argentinian group of hackers called Arhack and is being sold on the underground market to other Spanish-speaking cybercriminals for around 180 euros.

"Someone has cracked both the earlier, 1.0 version of their bot generator and the latest, 2.0 version, and posted it online for other criminals — the cheap kind, who don’t have 180 euros to spare — to use.

"The cracked version lets you use all aspects of the program to generate bots and manage the botnet without the need for a customized username and password, which you would otherwise need in order to start up the program," explains Andrew Brandt, a malware researcher from antivirus vendor Webroot.

But there's a catch. The installer is rigged with a backdoor known as PoisonIvy, which in this case connects to and listens for instructions from a server in Colombia.

This is one of the increasingly common cases of cybercriminals targeting each other. Back in July we reported on a phishing kit that forwards stolen credentials to the original author.

Arhack claims that the malware generated by ZombieM Bot Builder can copy itself to removable drives and folders shared by P2P applications, as well as send itself to all MSN contacts of the infected user and propagate to other computers on the local network by exploiting vulnerabilities.

Fortunately, according to Mr. Brandt, the trojan's code is quite rudimentary and it is fairly easy to create a generic signature that detects all variations generated with the tool.

Chances are that most AV vendors will add similar detection routines, so make sure to keep your antivirus program up to date.
