The intent of the Constructor/Wormer toolbox is to give a Trojan horse the ability to spread, explains Ryan Sherstobitoff, chief corporate evangelist for Panda Security USA. Now, imagine how quickly something like this could spread from Web site to Web site, among user systems, and through network shares.
The user interface for Constructor/Wormer looks like any basic file conversion program, similar to what you'd see in a shareware app that converts video, music, or image files. From PandaLabs' advisory:
It also has advanced options to select a certain infection date, disable different options of the operating system, such as the Task Manager, the Windows Registry Editor, Folder Options, and different browsers such as Internet Explorer, Firefox, or Opera. Additionally, the worms can be configured to display a message when they are run or activate themselves when Windows is started.
And it sports several languages, including English, Spanish, Portuguese, and Catalan.
At first blush, one would think a tool like this was designed to make it easier for organized criminals to propagate their Trojans and steal credit card and financial account data, or perhaps to be sold for profit to wanna-be malware writers.
But in my brief call with Sherstobitoff this evening, he proffered a more sinister, yet strategic and deft motivation behind Constructor/Wormer. "They want to continue to increase the amount of malcode so that AV firms get saturated, and so that organizations get distracted with the worms and malware created by script kiddies using tools like this."
And with signature-based anti-malware tools bogged down, and security teams busy responding to and cleaning up infections, it would be all the easier for the serious attacks to get through.
PandaLabs' advisory is available here, including a clear shot of the Constructor/Wormer UI.