Carberp malware sniffs out antivirus use to maximize attack impact

25.01.2011

That makes them ideal for hackers to check whether code will be detected before they release it. Raff said hackers pay to run their malware through these gray-market services to check the detection status of their code before they release it.

Carberp's use of an antivirus software profiler lets the Trojan's makers evaluate the services to give them proof that the scans are accurate. "If the service is not that good, they will probably move to another, or help to improve the antivirus test service," Raff said.

In Carberp, Raff found a report on antivirus usage that claimed products from Moscow-based Kaspersky Lab were the most widely installed, with a 74% share. "This is probably because this botnet targets people from Russia," he said.

"This is the first time that this feature has been used in a malware kit that is being sold in the underground, and therefore is used by several different cybercrime groups," Raff said by e-mail.

has been on security firms' radar screens since last fall, when and that the Trojan attack kit was challenging the as the weapon of choice for criminals targeting bank account theft.