Recently the High Tech Crime Team (THTC) of the Dutch National Police Unit arrested a 20-year-old resident of the Dutch city of Utrecht. He is suspected of producing and selling malware on a large scale. The young man offered programs with names such as Rubella, Cetan and Dryad, which enabled the buyer to embed hidden code or malware in files such as Word or Excel documents. In view of the ongoing investigation, the arrest could not be disclosed earlier by the police and the National Prosecutor’s Office.
The suspect was active on hacker forums under various names. Eventually all of these names could be traced to the man from Utrecht, who was arrested while sitting at his computer. The police were helped in tracing him by investigations by two private companies, including the cybersecurity company McAfee.
Among other things, the suspect developed and supplied the macro builder Rubella, selling it for prices ranging from a couple of hundred to thousands of euros. A macro builder is a toolkit designed to insert fragments of hidden code into widely used Office documents such as Excel and Word files. Upon opening such an infected document, the hidden code is executed. This code could, among other things, surreptitiously download malware or start a program on the device. The macro builder would construct the documents in such a way that they would not usually be detected by a virus scanner.
Distribution of such malware generally takes place via an e-mail containing an infected document as an attachment. The message in the mail is designed to inspire confidence in the potential victim and to induce them to open the attachment. This is actually a kind of phishing, but it is very difficult to protect yourself against it, according to THTC and the public prosecutor of the National Public Prosecutor’s Office. In all cases the advice is not to open, view or download such files as a matter of course, and to keep the security software on all devices fully updated.
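One defensive check that a mail gateway or incident responder can run on such attachments is shown below as an added example (it is not code from the police, McAfee or the builders named above). It inspects a modern Office file (the OOXML zip container) for a VBA project part, and flags the case where a VBA project sits inside a file whose extension claims to be macro-free; the sample documents and the `should_quarantine` policy are constructed for illustration, and legacy .doc/.xls files, which are not zips, are deliberately reported as "unknown" so that they are held for a deeper scan rather than passed.

```python
import io
import zipfile

# Constructed sample: a minimal OOXML container carrying only the part names a
# Word document would have. Real files contain many more parts; only the names
# matter for this check. (Constructed for this example, not a real document.)
def build_sample(part_names):
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name in part_names:
            zf.writestr(name, b"")
    return buf.getvalue()

# Part names under which Word, Excel and PowerPoint store a VBA project.
MACRO_PARTS = ("word/vbaProject.bin", "xl/vbaProject.bin", "ppt/vbaProject.bin")
# Extensions that Office treats as macro-free; a VBA part inside one of these
# does not match the extension and is worth flagging on its own.
MACRO_FREE_EXT = (".docx", ".xlsx", ".pptx")

def inspect_office_file(filename, data):
    """Return a dict describing whether an OOXML file carries a VBA project.

    Keys: 'has_macro' (bool), 'macro_parts' (list), 'ext_mismatch' (bool).
    Data that is not a zip (e.g. a legacy .doc) is reported as has_macro=None.
    """
    if not zipfile.is_zipfile(io.BytesIO(data)):
        return {"has_macro": None, "macro_parts": [], "ext_mismatch": False}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = zf.namelist()
    found = [n for n in names if n in MACRO_PARTS or n.endswith("/vbaProject.bin")]
    ext = filename.lower()[filename.rfind("."):] if "." in filename else ""
    return {
        "has_macro": bool(found),
        "macro_parts": found,
        "ext_mismatch": bool(found) and ext in MACRO_FREE_EXT,
    }

def should_quarantine(filename, data):
    """Hypothetical attachment policy: hold anything with a VBA project, and
    anything that is not OOXML at all (legacy formats need a separate scan)."""
    r = inspect_office_file(filename, data)
    return r["has_macro"] is None or r["has_macro"]

if __name__ == "__main__":
    clean = build_sample(["[Content_Types].xml", "word/document.xml"])
    macro = build_sample(["[Content_Types].xml", "word/document.xml", "word/vbaProject.bin"])
    print(inspect_office_file("report.docx", clean))
    print(inspect_office_file("invoice.docm", macro))
    print(inspect_office_file("invoice.docx", macro))  # VBA project inside a .docx
```

This only establishes that a macro container is present; what the builder has hidden inside the VBA project still has to be examined by a macro analysis tool or sandbox.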
Furthermore the suspect was found in possession of data concerning dozens of credit cards and manuals on carding, a type of credit card fraud. The young man also possessed access credentials for thousands of websites. It is not known what he was planning to do with these.
The suspect had collected approximately 20,000 euros in cryptocurrency such as bitcoin. These funds have been seized. The investigation into further amounts the young man may have (unlawfully) earned will continue. In due course, a confiscation order will be issued.
The public prosecutor has meanwhile decided that the suspect will have to face trial. No court date has yet been set.