Welcome on board,
XzifT!
...some moment in late December,
I had also seen a (supposedly) scrambler meant especially for Zeus samples...
I say 'supposedly',because I hadn't really managed to test it:
executable itself was that much badly packed,that no matter my efforts,
I couldn't get it to run at all,lol...
Pretty much most of the infamous skiddie tools gathered in a single thread...
hxxps://forum.zloy.org/showthread.php?t=7951
...what REALLY makes me wonder is:
why in the world it takes that long for some AV companies,
in order to spot/detect variants of this kind of stuff/builders...
when they can be found simply by monitoring 6-7 widely known 'haxor' forums.
Kind of funny attitude actually...from the one hand,
you have serious and hard-working AV researchers/employees taking down infected hosts,
and on the other hand,AV companies' general policy,
towards the widely known to the public "main" distribution forums/sites,
is to either ignore them,or even worse,to leave them completely 'untouched'...
No need for 'dark' speculations and assumptions here,just my 2 cents towards this situation:
when at this moment,even the most non-technical aware end-user,
can find point-and-click botnet builders within a few minutes of googling...
then it's also at least ridiculous afterwards to see AV companies complain,
because a large majority of end-users claims that AVs generate malware themselves,
in order to make money...
If they don't want to hear such ridiculous statements,well,it's their responsibility:
advertisements regarding 'improved intrusion prevention' modules,bla-blah etc...
All these are nice and well,and obviously no one disagrees:
end-users also don't like the view of tons of vx/skiddie forums,
where automated botnet/trojan builders and rest of crap gets exchanged...
Even say from a strictly commercial respective,
trust gets builded exactly from these common daily facts - simple as that.
