Malware author greets Microsoft’s Windows Defender team

Zlob malware familyA Russian malware author with involvement in the Zlob malware family, one of the most prolific malware families in 2008 thanks to its successful mimicking of video codecs, has left a message for the Windows Defender team inside a sample analyzed by French researchers. The message is a follow-up to a previous note left in October, and is basically greeting Microsoft in respect to their improving detection rates for this malware family.

For Windows Defender’s Team:
I saw your post in the blog (10-Oct-2008) about my previous message. Just want to say ‘Hello’ from Russia. You are really good guys. It was a surprise for me that Microsoft can respond on threats so fast. I can’t sign here now (he-he, sorry), how it was some years ago for more seriously vulnerability for all Windows ;) Happy New Year, guys, and good luck! P.S. BTW, we are closing soon. Not because of your work. :-)) So, you will not see some of my great ;) ideas in that family of software. Try to search in exploits/shellcodes and rootkits. Also, it is funny (probably for you), but Microsoft offered me a job to help improve some of Vista’s protection. It’s not interesting for me, just a life’s irony.

Who’s this guy? The malware author claims that has coded a critical vulnerability affecting Windows a couple of years ago, and that Microsoft has once offered him a job presumably as a researcher. This message clearly indicates the ongoing multitasking mode of cybercriminals. Moreover, even though the author is trying to distance himself from future Zlob releases, the malware family is not going away anytime soon despite that his campaigns have been somehow affected by Microsoft and, of course, the community as a whole.

The reason for that is the affiliation-based model (Inside an affiliate spam program for pharmaceuticals; Botnets committing click fraud observed) cybercriminals have been developing throughout the entire 2008, forwarding the process of dissemination and coming up with lower detection rates to the binaries to third-parties who earn money in the process as long as the infected hosts phone back to desired location. This affiliation-based model is the main factor for the growth of the Zlob malware, now an inseparable part of the underground ecosystem as one of the key promotional tools for fake security software.

[Source: zdnet]