Just like legitimate developers, malware makers want the best return on their investment, a researcher said on Monday.
The authors of the new information-stealing Trojan "Carberp" have added a feature that detects which antivirus program is running on victimised PCs, said Aviv Raff, the chief technology officer at Seculert, an Israeli security startup.
Raff said the criminals added security software detection to make sure they're spending their money wisely.
"Cybercriminals for quite some time have paid for 'antivirus test' services," Raff said in an instant message. "So they collect the antivirus information from the infected machines in order to check whether the tests they paid for actually work, and that they indeed evade the [software] successfully."
The test services Raff mentioned are similar to legitimate scanning services such as VirusTotal , which lets users upload suspicious files for scanning by scores of for-a-fee and free antivirus programs. Suspect samples that evade detection are shared with the anti-malware community for use in creating new signatures.
But other, less scrupulous services have popped up to serve criminals. These services, which security blogger Brian Krebs reported on as early as December 2009, do not alert security companies when a new piece of malware is detected.
That makes them ideal for hackers to check whether code will be detected before they release it. Raff said hackers pay to run their malware through these gray-market services to check the detection status of their code before they release it.
Carberp's use of an antivirus software profiler lets the Trojan's makers evaluate the services to give them proof that the scans are accurate. "If the service is not that good, they will probably move to another, or help to improve the antivirus test service," Raff said.
In Carberp, Raff found a report on antivirus usage that claimed products from Moscow-based Kaspersky Lab were the most-widely installed, with a 74% share. "This is probably because this botnet targets people from Russia," he said.
"This is the first time that this feature has been used in a malware kit that is being sold in the underground, and therefore is used by several different cybercrime groups," Raff said by e-mail.
Carberp has been on security firms' radar screens since last fall, when TrustDefender and Trend Micro reported that the Trojan attack kit was challenging the long-standing Zeus botnet as the weapon of choice for criminals targeting bank account theft.
Raff expects that Carberp will follow in the footsteps of the SpyEye and Siberia attack kits, and like them, incorporate links to a scanning service.
Last week, Raff published an analysis of Carberp that described new features other than the antivirus polling, including encryption of all communication with the hacker command-and-control server.