Dec 19, 2010 18:05 GMT

Security researchers from Symantec have spotted a new crimeware toolkit being sold on the underground market, which generates a trojan that is exclusively used to distribute malware.

Crimeware toolkits are programs that can be used to create customized versions of trojans along with their command and control (C&C) software.

ZeuS and SpyEye are among the best-known examples of crimeware toolkits, but they are significantly more complex than this new one, which is called "Dream Loader."

"The pack, version 0.3, is relatively new and seems to be originating from Russia; it was first found in November and is designed to be modular and load plugins," notes Symantec security researcher Andrea Lelli.

The pricing model is a bit different from that of other toolkits. Cyber criminals can buy a customized version of the trojan and associated Web interface for $550, but not the builder itself.

This allows the Dream Loader authors to charge an additional $30 for any subsequent modification required by customers. However, the trojan builder seems to have leaked and can now be downloaded for free.

The builder can be used to configure two C&C domains, the gateway page that infected computers access, and a password used to encrypt the communication.

The C&C software allows the botnet herders to see statistics about their bots, the countries where they are located and the commands sent to them.

The backdoor, which Symantec detects as Trojan.Karagany, can't do much except download and run executables or update itself, which suggests that it is being used in pay-per-install schemes.

In such operations, malware and scareware authors pay botnet runners to deploy their creations on as many computers as possible.

"The bot uses some known tricks in order to bypass security products and conceal its presence on the infected machine, although the end result is still a pretty basic executable which is easily detectable and removable," Lelli concludes.