Tag Archives: Blackshades

Businessman hackers brought down in USA and Europe

Cybercrooks run their organizations like businesses these days. They have multinational offices, marketing departments, business development, and technical support teams. Maybe they also need some security…  Malware entrepreneur sentenced to 57 months in prison One such malware entrepreneur, Alex Yucel, sold malware through a website that he operated, to other hackers. The Blackshades malware allowed […]

DroidJack RAT: A tale of how budding entrepreneurism can turn to cybercrime

See how Android.Sandorat, a multi-featured mobile crimeware tool, began life as a legitimate Android app.

Twitter Card Style: 

summary

Small-scale mobile app software entrepreneurship has been described as the cottage industry of the 21st century. It allows talented software developers to apply their skills to create new and innovative mobile apps, with the hope of becoming the next big thing and, perhaps, even attaining the trappings of wealth associated with success. However, with over 1 million apps available for download on the Google Play Store, for every success story there are countless apps that fail to deliver.

While I was researching a new Android remote administration tool (RAT) known as DroidJack (detected by Symantec as Android.Sandorat), it soon became apparent that its authors had actually started off as Android app developers. In their own words, they were “budding entrepreneurs trying to develop and apply skills that we have gained.” With limited success of their legitimate app on the Google Play Store, they soon turned their skills to creating and selling an Android crimeware tool, known as SandroRAT, on a hacker forum. In August 2014, this same tool was reported in the media to have been used in cybercriminal activity targeting Polish banking users through a phishing email. This tool has since evolved into DroidJack RAT and is now being openly sold on its own website at a cost of US$210 for a lifetime package.

Fig1DJ.png
Figure 1. DroidJack website logo

Evolution
On April 26, 2013, the Sandroid RAT was released on the Google Play Store. The authors described the app as being a free tool that lets users control their PC without advertisements.

Fig2_0.png
Figure 2. DroidJack website logo

On December 29, 2013, there was an announcement on a hacker forum of a new project called SandroRAT. The forum poster linked the project back to the Sandroid app available on the Google Play Store, referring to SandroRAT as being a kind of “vice-versa” to the Sandroid app, while also commenting on how it remains hidden on the phone.  

Fig3.png
Figure 3. SandroRAT control panel

On June 27, 2014, there was an announcement from the same poster on the same hacker forum of a next-generation Android RAT, known as DroidJack.

Fig4.png
Figure 4. DroidJack control panel

Capabilities
DroidJack has similar features to other Android RATs, such as AndroRAT and Dendroid. Some of the more than 50 features on offer include the following:

  • No root access required
  • Bind the DroidJack server APK with any other game or app
  • Install any APK and update server
  • Copy files from device to computer
  • View all messages on the device
  • Listen to call conversations made on the device
  • List all the contacts on the device
  • Listen live or record audio from the device’s microphone
  • Gain control of the camera on the device
  • Get IMEI number, Wi-Fi MAC address, and cellphone carrier details
  • Get the device’s last GPS location check in and show it in Google Maps

Fig5.png
Figure 5.  Screenshot from DroidJack marketing video, which shows GPS pinpointer location feature using Google Maps

Legality
Law enforcement is getting more aggressive in its stance against the creation and use of RATs. In May 2014, the FBI, Europol, and several other law enforcement agencies arrested dozens of individuals suspected of cybercriminal activity centered on Blackshades (detected as W32.Shadesrat), a RAT for personal computers that was sold on a dedicated website. Moreover, the recent arrest and indictment of a man in Los Angeles for allegedly conspiring to advertise and sell StealthGenie (Android.Stealthgenie), a mobile application similar to DroidJack, shows that law enforcement is continuing its campaign against any technology designed to invade an individual’s privacy.

In an attempt to distance themselves from any responsibility for illegal activity, the authors of DroidJack have included a disclaimer in their marketing material.  Similar disclaimers have been used in the past by other malware authors, such as the Mariposa botnet author, who unsuccessfully claimed on his website that the software was only for educational purposes. Whether the authors of DroidJack truly believe that this disclaimer absolves them of any responsibility is irrelevant, as naivete is not a defense in law.

Fig6.png
Figure 6. Disclaimer used in DroidJack marketing

Attribution
If the author or authors of DroidJack meant to cover up their tracks, they have not done a good job.  Some simple investigations lead back to the names and telephone numbers of several individuals initially involved in the creation of Sandroid, supposedly based out of Chennai in India. However, whether all of the initial developers are still involved in the creation of DroidJack is not clear. Their marketing video for DroidJack also clearly shows the GPS pinpointer locator function homing in on a location in India. If the authors of DroidJack are truly based out of India, cyber law in India indicates that the creation of such software would be seen as an offense.

Protection summary
Symantec offers the following protection against DroidJack.

Antivirus

DroidJack RAT: A tale of how budding entrepreneurism can turn to cybercrime

See how Android.Sandorat, a multi-featured mobile crimeware tool, began life as a legitimate Android app.

Twitter Card Style: 

summary

Small-scale mobile app software entrepreneurship has been described as the cottage industry of the 21st century. It allows talented software developers to apply their skills to create new and innovative mobile apps, with the hope of becoming the next big thing and, perhaps, even attaining the trappings of wealth associated with success. However, with over 1 million apps available for download on the Google Play Store, for every success story there are countless apps that fail to deliver.

While I was researching a new Android remote administration tool (RAT) known as DroidJack (detected by Symantec as Android.Sandorat), it soon became apparent that its authors had actually started off as Android app developers. In their own words, they were “budding entrepreneurs trying to develop and apply skills that we have gained.” With limited success of their legitimate app on the Google Play Store, they soon turned their skills to creating and selling an Android crimeware tool, known as SandroRAT, on a hacker forum. In August 2014, this same tool was reported in the media to have been used in cybercriminal activity targeting Polish banking users through a phishing email. This tool has since evolved into DroidJack RAT and is now being openly sold on its own website at a cost of US$210 for a lifetime package.

Fig1DJ.png
Figure 1. DroidJack website logo

Evolution
On April 26, 2013, the Sandroid RAT was released on the Google Play Store. The authors described the app as being a free tool that lets users control their PC without advertisements.

Fig2_0.png
Figure 2. DroidJack website logo

On December 29, 2013, there was an announcement on a hacker forum of a new project called SandroRAT. The forum poster linked the project back to the Sandroid app available on the Google Play Store, referring to SandroRAT as being a kind of “vice-versa” to the Sandroid app, while also commenting on how it remains hidden on the phone.  

Fig3.png
Figure 3. SandroRAT control panel

On June 27, 2014, there was an announcement from the same poster on the same hacker forum of a next-generation Android RAT, known as DroidJack.

Fig4.png
Figure 4. DroidJack control panel

Capabilities
DroidJack has similar features to other Android RATs, such as AndroRAT and Dendroid. Some of the more than 50 features on offer include the following:

  • No root access required
  • Bind the DroidJack server APK with any other game or app
  • Install any APK and update server
  • Copy files from device to computer
  • View all messages on the device
  • Listen to call conversations made on the device
  • List all the contacts on the device
  • Listen live or record audio from the device’s microphone
  • Gain control of the camera on the device
  • Get IMEI number, Wi-Fi MAC address, and cellphone carrier details
  • Get the device’s last GPS location check in and show it in Google Maps

Fig5.png
Figure 5.  Screenshot from DroidJack marketing video, which shows GPS pinpointer location feature using Google Maps

Legality
Law enforcement is getting more aggressive in its stance against the creation and use of RATs. In May 2014, the FBI, Europol, and several other law enforcement agencies arrested dozens of individuals suspected of cybercriminal activity centered on Blackshades (detected as W32.Shadesrat), a RAT for personal computers that was sold on a dedicated website. Moreover, the recent arrest and indictment of a man in Los Angeles for allegedly conspiring to advertise and sell StealthGenie (Android.Stealthgenie), a mobile application similar to DroidJack, shows that law enforcement is continuing its campaign against any technology designed to invade an individual’s privacy.

In an attempt to distance themselves from any responsibility for illegal activity, the authors of DroidJack have included a disclaimer in their marketing material.  Similar disclaimers have been used in the past by other malware authors, such as the Mariposa botnet author, who unsuccessfully claimed on his website that the software was only for educational purposes. Whether the authors of DroidJack truly believe that this disclaimer absolves them of any responsibility is irrelevant, as naivete is not a defense in law.

Fig6.png
Figure 6. Disclaimer used in DroidJack marketing

Attribution
If the author or authors of DroidJack meant to cover up their tracks, they have not done a good job.  Some simple investigations lead back to the names and telephone numbers of several individuals initially involved in the creation of Sandroid, supposedly based out of Chennai in India. However, whether all of the initial developers are still involved in the creation of DroidJack is not clear. Their marketing video for DroidJack also clearly shows the GPS pinpointer locator function homing in on a location in India. If the authors of DroidJack are truly based out of India, cyber law in India indicates that the creation of such software would be seen as an offense.

Protection summary
Symantec offers the following protection against DroidJack.

Antivirus

Blackshades – ?????????????

      No Comments on Blackshades – ?????????????

FBI、欧州警察組織、その他複数の法執行機関は、Blackshades(別名 W32.Shadesrat)として知られるクリープウェアに関連するサイバー犯罪活動の疑いで数十名を逮捕しました。今回の一斉摘発において、シマンテックは FBI と緊密に連携し、関与した容疑者たちを追跡するための情報を提供しました。今回の摘発作戦により、Blackshades を販売する Web サイトが閉鎖されたため、このマルウェアに関連する活動は大幅に減少すると予想されます。

Blackshades は、初心者レベルのハッカーから高度なサイバー犯罪グループにいたるまで、さまざまな攻撃者によって使用されている有名かつ強力なリモートアクセス型のトロイの木馬(RAT)です。Blackshades は、専用の Web サイト bshades.eu 上で 40 ~ 50 米ドルで販売されていました。手頃な価格で豊富な機能を備えており、攻撃者はこれを使って、侵入先のコンピュータを完全に制御することができます。クリックするだけの簡単なインターフェースから、データを盗み取る、ファイルシステムを閲覧する、スクリーンショットを撮影する、動画を録画する、インスタントメッセージアプリケーションやソーシャルネットワークを操作する、といった処理を実行することができます。

shadesrat_screenshot-650px.png
1. Blackshades のコマンド & コントロールパネル

今回の逮捕の数日前、FBI は、米国市民を標的とするサイバー犯罪に厳しく対処していくことを宣言し、近日中に捜索、逮捕、起訴を行うという約束を発表したところでした。

 blackshades_figure1.png
2. Blackshades の感染件数(2013 年~2014 年)

blackshades_figure2.png
3. Blackshades による被害の上位 5 カ国(2013 年~2014 年)

今回のおとり捜査の一環として、販売元である bshades.eu が閉鎖されたことで、Blackshades の販売と流通には大きな影響があるでしょう。2014 年の Blackshades の活動は大幅に減少すると予想されます。クラック版のビルダーやソースコードは Web 上のいくつかのフォーラムに残ってはいますが、サイバー犯罪者は他のトロイの木馬に移行し始めると予想されます。

Blackshades に対する摘発活動はこれが初めてではありません。FBI は 2012 年、Blackshades プロジェクトへ関与した疑いで、他の 20 名以上と共にマイケル・ホーグ(Michael Hogue)容疑者(別名 xVisceral)を逮捕しました。しかし、その後も販売は継続され、2013 年も Blackshades の活動は増加を続けました。

サイバー犯罪グループは、高度に組織化された攻撃によって数百万ユーロを獲得し、Blackshades に感染したコンピュータを使って巨額の資金移動を行っています。Francophone と呼ばれる最近の活動では、フランスの企業を標的とする金銭の詐取を狙った攻撃で、高度なソーシャルエンジニアリングの手口の一環として Blackshades が使われました。Blackshades 活動に関連する損害の総額を正確に算出するのは困難ですが、個々の事例から推測すると莫大な損失が出ていると考えられます。また、アラブの春においては、政治的な動機による攻撃でも Blackshades が確認されています。騒乱中にリビアとシリアでは、政治活動家を標的として Blackshades の亜種(W32.Shadesrat.C)による攻撃が行われました。

シマンテックは、今回の FBI による摘発を歓迎するとともに、今後も法執行機関および民間のパートナーと協力して、ますます高度化するサイバー犯罪活動に対処いたします。

保護対策
シマンテック製品をお使いのお客様は、以下の検出定義によって Blackshades から保護されています。

ウイルス対策検出定義

侵入防止シグネチャ

シマンテック製品をお使いでない場合に Blackshades として知られるクリープウェアに感染した疑いがあるときは、無償のノートン パワーイレイサーを使ってシステムから除去することができます。

 

* 日本語版セキュリティレスポンスブログの RSS フィードを購読するには、http://www.symantec.com/connect/ja/item-feeds/blog/2261/feed/all/ja にアクセスしてください。

Blackshades – a Coordinated Takedown Leads to Multiple Arrests

The FBI, Europol and several other law enforcement agencies have arrested dozens of individuals suspected of cybercriminal activity centered around the malware known as Blackshades (a.k.a. W32.Shadesrat). Symantec worked closely with the FBI in this coordinated takedown effort, sharing information that allowed the agency to track down those suspected of involvement. As a result of this operation, the website selling Blackshades has been taken down and we expect a significant reduction in activity involving this malware. 

Blackshades is a popular and powerful remote access Trojan (RAT) that is used by a wide spectrum of threat actors, from entry level hackers right up to sophisticated cybercriminal groups. Blackshades was sold on a dedicated website, bshades.eu for US$40-$50. Competitively priced, with a rich feature list, Blackshades provides the attacker with complete control over an infected machine. A simple point and click interface allows them to steal data, browse the file system, take screenshots, record video, and interact with instant messaging applications and social networks. 

shadesrat_screenshot-650px.png
Figure 1. The Blackshades command-and-control panel

The arrests come just days after the FBI announced that it would take a more aggressive stance against cybercriminals who target American citizens, promising imminent searches, arrests and indictments

 blackshades_figure1.png
Figure 2. Computers infected with Blackshades (2013 – 2014)

blackshades_figure2.png
Figure 3. Top 10 countries affected by Blackshades activity (2013 – 2014)

As part of the sting operation, the source of this RAT – bshades.eu – has been taken offline. This will seriously affect the sale and distribution of Blackshades. Symantec expects there to be a significant decrease in activity for Blackshades in 2014. Although cracked builders and the source code for Blackshades remains online on various forums, we expect cybercriminals will begin to adopt other Trojans.  

This was not the first law enforcement action taken against Blackshades. In 2012, the FBI arrested Michael Hogue (a.k.a. xVisceral) on suspicion of involvement in the Blackshades project along with over 20 other individuals. However, the malware remained on sale and Blackshades continued to see increased activity in 2013.

Organized cybercriminal groups have netted millions of euro in well-organized attacks, transferring large sums of money using Blackshades infected computers. In a recent operation dubbed Francophone, Blackshades was used as part of a sophisticated social engineering scheme to target French companies in financially motivated attacks. Total financial losses involving Blackshades activity would be hard to accurately gauge, however individual cases indicate they are significant. Blackshades was also observed in politically motivated attacks during The Arab Spring. Political activists were targeted in Libya and Syria during the uprisings with one variant Blackshades (W32.Shadesrat.C).

Symantec welcomes the action taken by the FBI and remains committed to working with law enforcement and private industry partners in the effort to tackle these increasingly sophisticated cybercriminal operations.

Protection 
Symantec protects users against Blackshades under the following detection names.

Antivirus detections

Intrusion Prevention Signatures

If you believe you may be infected with Blackshades and are not a Symantec customer, you can use our free tool Norton Power Eraser to remove it from your system.

Blackshades – ?? ???? ??? ?? ?? ??

FBI, 유러폴(Europol)을 포함한 여러 치안 당국이 Blackshades(일명 W32.Shadesrat)라는 크리프웨어(Creepware)를 이용하여 사이버 범죄를 저지른 혐의로 수십 명을 체포했습니다. 시만텍은 이번 공동 작전에서 FBI와 긴밀하게 협조하며 정보를 공유함으로써 FBI가 혐의자를 추적하는 데 기여했습니다. 이번 작전의 성과로 Blackshades를 판매하던 웹 사이트가 폐쇄되었으며 이 악성 코드와 관련된 범죄 활동이 크게 줄어들 것으로 기대됩니다. 

Blackshades는 매우 효과적인 원격 액세스 트로이 목마(remote access Trojan, RAT)로, 초보 해커부터 전문적인 사이버 범죄 조직까지 광범위한 계층에서 애용되어 왔습니다. Blackshades는 bshades.eu라는 전문 웹 사이트에서 40 ~ 50달러의 부담 없는 가격에 판매되었습니다. 공격자는 Blackshades의 다양한 기능을 활용하여 감염된 시스템을 완전히 제어할 수 있습니다. 간단한 포인트 앤 클릭 방식의 인터페이스를 통해 데이터 유출, 파일 시스템 탐색, 스크린샷 생성, 동영상 녹화뿐 아니라 인스턴트 메시징 애플리케이션 및 소셜 네트워크와의 상호 작용도 가능합니다. 

shadesrat_screenshot-650px.png
그림 1. Blackshades의 명령 및 제어 패널

이번 검거는 FBI가 미국 시민을 노리는 사이버 범죄자에 대해 더 강경하게 대처할 것임을 밝히면서 수색, 체포, 기소가 임박했음을 예고한지 며칠 만에 이루어졌습니다.

 blackshades_figure1.png
그림 2. Blackshades에 감염된 시스템(2013 – 2014)

blackshades_figure2.png
그림 3. Blackshades 공격 최다 발생 상위 10개국(2013 – 2014)

이번 작전으로 이 RAT의 본거지였던 bshades.eu는 폐쇄되었습니다. 이는 Blackshades의 판매와 보급에 큰 타격을 줄 것입니다. 시만텍은 2014년에 Blackshades 활동이 크게 감소할 것으로 예상합니다. Blackshades의 크랙 빌더와 소스 코드가 아직 여러 온라인 포럼에서 배포되고 있으나 사이버 범죄자들은 이제 다른 트로이 목마를 선택할 것으로 보입니다.  

Blackshades의 단속에 나선 것은 이번이 처음은 아닙니다. 2012년에 FBI는 Blackshades 프로젝트에 연루된 혐의로 Michael Hogue(일명 xVisceral)를 포함하여 20여 명을 체포한 바 있습니다. 그럼에도 이 악성 코드의 판매는 계속되었고 Blackshades 활동은 2013년에 더욱 기승을 부렸습니다.

조직화된 사이버 범죄 집단들이 체계적인 공격을 통해 Blackshades에 감염된 시스템을 통해 막대한 자금을 이체하는 방법으로 수백만 유로의 순수입을 거두었습니다. Francophone이라는 별칭으로 알려진 최근 공격에서는 금전적인 동기로 프랑스 기업들을 표적으로 삼은 고도의 지능적인 사회 공학적 수법에 Blackshades가 사용되었습니다. Blackshades 공격으로 인한 경제적 손실의 총 규모를 정확하게 파악하기는 어렵지만, 개별 사례로 미루어볼 때 그 피해가 막대함을 알 수 있습니다. Blackshades는 아랍의 봄에서 정치적 동기를 지닌 공격에서도 이용된 바 있습니다. 리비아와 시리아에 봉기가 일어났던 시기에 정치 운동가들이 Blackshades 변종(W32.Shadesrat.C)의 공격을 받았습니다.

시만텍은 FBI의 이번 조치를 환영하며 앞으로도 더욱 지능화되는 사이버 범죄 활동의 퇴치를 위해 치안 기관 및 민간 업체 파트너와 협력하여 최선을 다할 것입니다.

보호
시만텍은 아래와 같이 Blackshades로부터 사용자를 보호합니다.

안티바이러스 탐지

침입 차단 시그니처

시만텍 고객이 아니더라도 Blackshades라는 크리프웨어에 감염된 것으로 의심될 경우 무료 툴인 Norton Power Eraser를 사용하여 시스템에서 이 크리프웨어를 제거할 수 있습니다.

?????????????? Blackshades RAT ???

      No Comments on ?????????????? Blackshades RAT ???
2012 年 7 月、有名なリモートアクセスツール(RAT)、Blackshades RAT に関与していた中心人物が逮捕されたと報じられました。主犯格が逮捕され、2010 年にはそのコードが漏えいしたにもかかわらず、Blackshades RAT は今もなお販売され、サイバー犯罪に使われています。それどころか、シマンテックセキュリティレスポンスは、過去 5 カ月の間に Blackshades RAT の使用が増加していることさえ確認しています。
 
Blackshades RAT(シマンテック製品では W32.Shadesrat として検出されます)は、侵入先のシステムからパスワードなどのアカウント情報を収集し、悪質なコマンド & コントロール(C&C)サーバーに送信します。最近の増加傾向を踏まえて、今回の感染活動を管理している C&C サーバーを調査したところ、Cool 悪用ツールキットとの関係が明らかになりました。Cool 悪用ツールキットは W32.Shadesrat やその他のマルウェア群の拡散に使われています。
 
Shadesrat and Cool Exploit 1.png
図 1. 2013 年 7 月以降の Shadesrat の推移
 
最近見つかった脆弱性を悪用して、産業界やシンクタンク、政府機関、一般ユーザーを狙う、Web サーバーへの攻撃がここ数年、目に見えて増加しています。どの場合でも攻撃者の目標は非常にはっきりしており、ユーザーのコンピュータ上で悪質なペイロードを実行することにあります。攻撃者がそのために使っているのが、各種の悪用ツールキットです。
 
W32.Shadesrat による感染件数の増加を調べるなか、シマンテックは感染したコンピュータからアカウント情報を収集する際に使われている数百の C&C サーバーを特定しました。W32.Shadesrat は、電子メールサービス、Web サービス、インスタントメッセージアプリケーション、FTP クライアントなどのさまざまなアカウント情報を狙っています。スパマーが新しい電子メールアカウント情報を求める場合でも、攻撃者が新しいサーバーやサービスへのアクセスを狙ってセキュリティ侵害を試み続けたり、特定の情報の抽出を狙ったりする場合でも、目的はこの手の情報です。
 
シマンテックの調査によると、ほぼすべての C&C サーバーがいずれかの時点で悪用ツールキットをホストしており、Blackhole 悪用ツールキットと Cool 悪用ツールキットの作成者が逮捕されるまでは、後者が最も有力でした。これらのツールキットは、ユーザーのコンピュータでさまざまな脆弱性を悪用し、悪質なペイロードを実行して感染を試みます。アンダーグラウンドのグループは、こうした攻撃を実行できるだけの多様なリソースを抱えています。
 
Shadesrat and Cool Exploit 2.png
図 2. 作成者逮捕までの 9 月から 10 月の間に C&C サーバーで使われた悪用ツールキット
 
また、Blackhole 悪用ツールキットと Cool 悪用ツールキットの作成者が逮捕された後で、この 2 つの悪用ツールキットがほぼ姿を消し、新たな選択肢として Neutrino が浮上したことも確認されています。
 
Shadesrat and Cool Exploit 3.png
図 3. 作成者逮捕後の 10 月から 11 月の間に C&C サーバーで使われた悪用ツールキット
 
無防備なユーザーが感染してしまうと、複数のペイロードがダウンロードされ、RAT によって制御を乗っ取られるか、ダウンローダによって別の機能を持つ後続のマルウェアがインストールされてしまいます。
 
C&C サーバーは、以下のように他のマルウェアも拡散します。
 
Shadesrat and Cool Exploit 4.png
図 4. 9 月から 10 月の間に C&C サーバーによって拡散された脅威
 
シマンテックは遠隔測定システムを使って、C&C サーバーの所在地と、W32.Shadesrat の感染が多い国や地域を特定しました。
 
Shadesrat and Cool Exploit 5.png
図 5. C&C サーバーの所在地
 
Shadesrat and Cool Exploit 6.png
図 6. W32.Shadesrat の感染状況
 
C&C サーバーのホストが最も多く置かれていたのは、リトアニアと米国です。感染件数が最も多いのはインドで、米国、英国がそれに次いでいますが、W32.Shadesrat の被害は世界中に広がっています。
 
W32.Shadesrat の感染状況を見ると、攻撃者は可能なかぎり多くのコンピュータに感染することを試みているようです。特定のユーザーや企業を標的にしている様子はありません。
 
以上のことから、W32.Shadesrat の完成度の高さと、攻撃者がふんだんに使えるリソースの豊富さがうかがえます。お使いのソフトウェアは常に最新の状態に保ち、ウイルス対策ソリューションについても最新の定義に更新するようにしてください。
 
 
* 日本語版セキュリティレスポンスブログの RSS フィードを購読するには、http://www.symantec.com/connect/ja/item-feeds/blog/2261/feed/all/ja にアクセスしてください。

Blackshades Rat Usage on the Rise Despite Author’s Alleged Arrest

Back in 2012, a key player involved with the prominent Remote Administration Tool (RAT) known as Blackshades RAT was reportedly arrested. Despite his alleged arrest, and with its code leaked in 2010, the tool is still being sold and used in cybercrimin…