MalwareIntelligence is a site dedicated to research on all matters relating to anti-malware security, criminology computing and information security in general, always from a perspective closely related to the field of intelligence.


VertexNet Loader crimeware timeline, popular functions and marketing schene

This is a known crimeware package whose the first version was released in March 2011 and which is used to create automated malware with antivirus evasion functions, allowing managing data, and also stolen through malware created by a web application. That is, designed to create HTTP-Based Botnets.

While crimeware is a general purpose, the highest percentage of malicious focus is based on the arbitrary collection of sensitive data from each of the computers infected by a keylogger component. Your name  (VertexNet) corresponds to the fusion of the words Vertex, referring to the concept that describes the point in geometry where two or more rays that form an angle; and NET, referring to the creation of computer networks.


The information obtained from each infected computer is stored in the database automated crimeware then be visualized in a simple and readable through the panel of statistics. These data are comprised of the following parameters:

          uid: Unic user identifier = HWID + first drive serial.
          lan: IP adress local area network.
          cmpname: Computer name.
          country: Computer country.
          idle: Last user activity in seconds.
          cc: Country Code #FR, #US, #DE, etc.
          ver: Loader version.

VertexNet basically consists of four modules. Each is responsible for specific tasks ranging from opening a remote shell (backdoor) to record activities on infected systems (keylogger). The modules are:

          Modules list.
          Keylogger logs.
          Read file.
          Remote shell.

VertexNet has a series of commands that run automatically with each report that is made from the infected computer to the C&C, each update the bot and depending on the settings from the control panel designed for the future attack and infection process . The commands list is as follows:

          msg:: = This function send a sample messagebox to the target computers.
          exec:: = Equivalent to the "execute" dialogue of Windows.
          close = Close the loader of selected computers.
          urldl:: = Download and execute a binary file in selected computers.
          getproc = Process list from selected computers.
          getmodules:: = List process ID.
          setkeylogger:: = Active or unactive the keylogger module.
          getklogs = Retrieve the logs from selected machines.
          readfile:: = Retrieve the content of a file in text format.
          uninstall = Close the loader and uninstall the startup key.
          httpflood:: = DDoS attack.
          remoteshell:: = Execute a shell.
          visitpage:: = Simulate a website visit during few seconds.
          update:: = Unistall the current user and update it by downloading the new one.

Marketing no-improvised and mismanaged egocentrism 
In the "footer" of the main panel of VertexNet you can read the following legend related to the development of crimeware:

VertexNet - Loader coded by DarkCoderSc (PHP/C++)
DarkCoderSc Software © since 2006

Of course DarkCoderSc is the "under" nickname by which the developer makes known crimeware, but the year 2006 (as noted above) not the creation of VertexNet year but the year from which this person came to develop applications to facilitate the creation of malware, theft of sensitive information, antivirus evasion and unauthorized remote control of infected computers. While the original website is out of operation, there are other commonly used mirrors to download VertexNet Loader.

In recent years, crimeware developers have expanded the advertising will start to use public channels and social networks to spread crimeware created. Concrete examples have also been the first to use this methodology, so far not so common in the cybercrime environment were Unique Sploits Pack and YES Exploit System.

In this sense VertexNet is no exception and in fact the author seems to possess a high level of self-centeredness and well made. VertexNet has its own website which is basically the same template used for the crimeware.

The VertexNet marketing campaigns are carried out through various social networks all under the same "under" nickname, including: Google+, Facebook, Twitter and a YouTube.

But ... Who is DarkCoderSc? Besides being the developer of another utility designed as malware: DarkCometRAT. A RAT (Remote Administrator Tool) that has several features such as control equipment, including Linux and MacOS running a Windows emulator like Wine, violating the privacy of victims taking screenshots of the desktop, enabling the webcam or run DDoS attacks, among others.

Since February 2012 it's also admin in OpenSC, a popular cybercrime community and according to public information extracted from one of its websites, the real DarkcoderSc name's would "Jean-Pierre LESUEUR, i’m born in 1990 London and living since 1993 in Paris suburb" with the next contact information: Skype ID: DarkCoderSc / email: / Phone: +336 52805884 and +339 72320273.

Will real data? This is your LinkeIn profile:

And this your CV:

Yes, the data are real. However, Jean-Pierre is a software developer and had to deal with anticipated problems and serious consequence of these developments, for which earlier this year was forced to suspend the maintenance and updating of these programs, in the words of his own: programs classified as malware.

Hopefully now use his good knowledge for the constructive development of software for the Security Community. 

All data are public because maybe, unlike professional cybercriminals who hide under the protection of specific forums, it seems that Jean-Pierre had nothing to hide. The truth is that their developments are widely used in the cybercrime scene to generate DDoS attacks and steal information from users all around the world.

Some simple intelligence for identification of this crimeware
/imgs/saria.png: you can see a fine image.
/imgs/vabout.png & /imgs/logo.png: you can see the VertexNet logo.

** This information changes depending on the crimeware version.
/css/style.css: you can download the VertexNet website style. This file has the next MD5 hash A889B28CE62AF463A7B7FEFFA191442D

More simple and advanced intelligence about this crimeware in CASCrimewareAttack Services -, a private service of MalwareIntelligence.


Ver más


Hierarchy Exploit Pack. New crimeware for the cybercriminal gangs

The term "hierarchy" refers to an entity pyramidal action. Judging by the name of this new Exploit Pack of Russian origin, it seems that the author seeks to find its place within the criminal ecosystem, but all point to the feelings behind this is, above all, a beginner who seeks criminal more.

However, despite being a package of more criminal exploitation within a vast range of alternatives, it remains a real risk for any information system. Even considering that Hierarchy Exploit Pack criminal market reaches a stage where the circuit is ripe with a range of crimeware "vip" found not only among the list of "best crimeware" for criminals but also in the center of the storm-crime.

Under the nickname "Angelolog" hides its author. A nickname striking since according to their semantics, refers to "a branch of theology that deals with the study of angels". A rather obvious contradiction.

As usual, when an offender is "started in the business", does registering a domain that includes the same name as crimeware. Although clearly not the only domain that has been in the first instance. In this case, the data are as follows:

Владелец: Private Person
Телефон: +380933900884
Регистратор: REGRU-REG-RIPN
Создан: 2011.03.01
Оплачен до: 2012.03.01

The AS6876 (TENET-AS TeNeT Autonomous System TeNeT Telecommunication Company) found in Ukraine, isn't classified as malicious which suggests that "angelolog", a spammer menial, does not take long in the area of ​​crime.

While at first glance the design of the control panel is similar to the old Siberia Exploit Pack, it's actually a modification of Eleonore Exploit Pack. The evidence is very clear.

 Its structure is similar:

Hierarchy Exploit Pack contains the following exploits:

Office OCX
OpenWebFile Office OCX OpenWebFile arbitrary program execution BID-33243

Arbitrary file download via the Microsoft Data Access Components (MDAC) CVE-2006-0003

AppStream LaunchObj
Symantec AppStream LaunchObj ActiveX control vulnerable to arbitrary code download and execution CVE-2008-4388

Hummingbird PerformUpdateAsync
Hummingbird Deployment Wizard ActiveX Control Insecure Methods (PerformUpdateAsync) CVE-2008-4728

Peachtree ExecutePreferredApplication
Peachtree insecure ExecutePreferredApplication method allows the execution of arbitrary programs CVE-2008-4699

C6 propDownloadUrl
C6 Messenger insecure method propDownloadUrl allows the execution of arbitrary programs CVE-2008-2551

Adobe getIcon
Stack-based buffer overflow in Adobe Reader and Acrobat via the getIcon method of a Collab object CVE-2009-0927

Adobe Libtiff
Libtiff integer overflow in Adobe Reader and Acrobat CVE-2010-0188

Help Center URL Validation Vulnerability CVE-2010-1885

IE iepeers.dll
Internet Explorer iepeers.dll use-after-free CVE-2010-0806

Sun Java Runtime RMIConnectionImpl
Privileged Context Remote Code Execution Vulnerability CVE-2010-0094

Sun Java Runtime Environment MixerSequencer
Invalid Array Index Remote Code Execution Vulnerability CVE-2010-0842

AFP Server Mac OS X v10.6.5
Remote attacker AFP Server to unexpectedly shutdown CVE-2010-1297

Sun Java Web Start BasicServiceImpl
Remote Code Execution Vulnerability CVE-2010-3563

Adobe Flash Player
SWF Memory Corruption Vulnerability CVE-2011-0611

Oracle Java SE
Rhino Script Engine Remote Code Execution Vulnerability CVE-2011-3544

It also incorporates the following malware:
payload.ser [F6795195968795C535EF6932A843E969] – 16/42

Exploit$1.class [625B6B915327D352E437B34D85FB67E2] – 1/44

Exploit$1.class [DD49FADD9372CBDEF709BB9F0B1105C7] – 2/43

Link.class [3013C223A80371BCA0798E1C21683305] – 11/44

Exploit.class [77E8E1CFCC6F0894015D8CA271BBBEF5] – 12/43

BasicServiceExploit.class [A63C9DB17FE7F60370B4FFD659B61B36] – 3/43

Exploit$1$1.class [21F2312A9D50F72810E242F72E751243] – 1/43

swf.swf [6EFD1CE8DC61C68BAD3B85A949709DD2] – 24/43

Exploit$.class [452CD049CE83E72F5C642F7457F4AA93] – 2/43

Gallery_Viewer.class [03497E41A5A5A6A6F92E2950AA087C06] – 8/44

Exploit.class [334EC1071B85D52A3DA4223ED7DC6D74] – 4/43

PayloadClassLoader.class [8563342ADD46F7EADC8745BB10267B2A] – 14/43

Gallery_Viewer.jar [1C73218F0CAF238400EB86E635862279] – 13/43

Gallery_Viewer.jar [2C4DF43924D237B56DB4096E6AF524B1] – 13/43

1.txt [CF7A4C337F3DA524350AC794B589F804] – 8/43

pdf.pdf [60CADBD724A6BF0527B5E731492D8A0F] – 16/43

Exploit.jar [69767793D644D6060A060133A6014CB9] – 21/42

1.exe [8321D8B973CE649252DF9C560B875647] – 9/43

Payload.class [EEB9BA7FB4F752E1249E696B638D4732] - 13/43

Exploit.jar [19A512A3CCBA3FCDEAA5262E82F0DECE] - 26/43

pdf5.pdf [2AD31CABE2527C5F94B2C351F6529F17] - 9/43

pdf4.pdf [48C583A82A004EC1B17688215E173EFB] - 11/43

swf.swf [4666A447105B483533B2BBD0AB316480] - 19/43

bot.exe [7AB9E8AC261D2A49D87EF304ADE03BA3] – 26/43

Regarding the exploits offer presented by this crimeware, it seems it is a "salad of exploits" which leads to assume, considering also that is a mod that the author could be a "collector Exploit Pack", performing their own development (without effort) through a "grout" of exploits of old Exploits Packs which is easily available in most underground forums.

On the other hand, the level of detection in almost all cases is on average less than 50%, which represents a critical aspect of any information system. Thus, no matter it's a crimeware without much representation in the criminal environment without a lot of creativity and without effective exploitation rate for the offender, it remains a latent threat. Especially when experience shows that old exploits as MDAC described in CVE-2006-0003, have a strong impact even after nearly six years to fix the bug that was exploited.

Related Information

Ale Cantis, Senior Crimeware Researcher
Cybercrime Research Team
Crimeware Working Group & CrimewareAttack Service | MalwareIntelligence

Ver más


Money Racing AV. Tracking a scareware affiliate

Since October 2011 we watch this affiliate system. Money Racing AV, a private PPS (Pay-Per-Sale) affiliate who spread actively fake antispywares (rogue). We have already seen this gang active in August 2009: A recent tour of scareware XII.Advertising can be found on various russian underground communities:

First contact with FTL (6 October 2011):

[14:29:33] Load4sales: hello
[14:30:02] mr: привет
[14:30:03] Load4sales: i'm late but just see your post on antichat about Money racing av v2
[14:30:25] mr: sorry bro
[14:30:26] mr: only for russians
[14:30:31] Load4sales: ah :/
[14:30:37] Load4sales: okay, thanks anyway
[14:30:46] mr: ok

The money racing gang operate from And are know to for spread scarewares who have this type of graphical user interface:

Money Racing website login:

The fish image is the logo of G-Loomis (a company, makers of fishing rods, reels, rod blanks and accessories), and probably a coincidence but during the 19th century there was the Loomis Gang.
A notorious family of outlaws that operated in central New York.

I've etablished the following structure of money racing site: - <- Malicious (Standard) (Standard) (Standard) <- iframe (Guessed) (Guessed) (Standard) (Standard)

From all these directories, some are interestings. Like the folder /back/

<img src="image.jpg" border="0" align="baseline" />
Last-Modified: Wed, 15 Jun 2011 10:19:41 GMT

English translation:

Step 1.
Domain parking.
For starting the work you need park with us your domain on which all traffic will go.
For this setup your domain registar account DNS
After this, add domain for our parking in the Links section.
You can add few domains in same time, this will create a queue and if your domains goes banned it will be automatically replaced with new.
You can use request for automatic acquisition of fresh domain and replacing it in our TDS if you are using it.
**Domains which are banned removes from our DNS automatically.

Step 2.
Traffic Back URL
You should set URL "Traffic Back"
We will return surfer to you for to the indicated "Traffic Back" URL if
A. His OS and Browser does not match to us or if he was here in last 7 days.
B. Surfer went through our website and we redirects him back to yours "Traffic Back" URL
For non Adult traffic, average percent Exploited 18-20%, callhome 55-60%.
You earn 100% from 1000 USA installs. At the same time getting all your traffic back.
We accept only USA, WinXP, Vista, Win7, IE, FF.
All other traffic will be returned to your Back URL even before getting to our page.

And if we go back in 2009 we can see that these scarewares connect directly to
Malware MD5: E1EEDEEF721D6F87FFB0E1EC9CEE9F95

urls found inside:

Scareware GUI:

Now if we do a simple brain reflexion on 'Racing Money'
Money... Alright!
Racing... hmm what.. racing = cars
And if we check the old IP used in years 200..
we found a forum about cars, maybe it's just a coincidence.

Back about the domain, we have also this 'test.php' a malicious page detected as Blackhole Exploit Kit, (probably very old)
Obfuscated code lead to

Now, what's the IP of money racing can told us:

The 302/403 responses of DNS are interesting because they return the name of machines
for example, on the money racing network: was used as billing machine.

Machine name:

And as report machine:

Machine name:

I've recontacted the owner of money racing on 09 December 2011:

Out of business apparently and according to him.
He told me to search on undergrounds forum a guys with the nick: 'бомбе'
But i've never find a 'Bomb' or someone else affiliated with money racing, so i've again contacted him, 18 December 2011:

Even with attractive USA traffics and all the requierement, he keep to tell me to search 'бомбе'
But it's more probable that he don't want partners for the moment due to the exposure of  Vyacheslav Zakorzhevsky made in October 27.

Now more recently, in January, a colleague detected the domain as malicious download, but the domain in question is from the money racing network.

• dns: 1 » ip: - adresse: CORE6575.OPENSOURCEAVPRO.COM
Domain name:             OPENSOURCEAVPRO.COM
Name Server:
Name Server:
Creation Date:           2011.10.18
Updated Date:            2011.12.01
Expiration Date:         2012.10.18

Status:                  DELEGATED

Registrant ID:           GDZ6YAX-RU
Registrant Name:         Oleg Stoyanov
Registrant Organization: Oleg Stoyanov
Registrant Street1:      Botanicheskaya 8
Registrant City:         Moscow
Registrant Postal Code:  127276
Registrant Country:      RU

Administrative, Technical Contact
Contact ID:              GDZ6YAX-RU
Contact Name:            Oleg Stoyanov
Contact Organization:    Oleg Stoyanov
Contact Street1:         Botanicheskaya 8
Contact City:            Moscow
Contact Postal Code:     127276
Contact Country:         RU
Contact Phone:           +7 495 5468308
Contact E-mail:

Registrar:               Regional Network Information Center, JSC dba RU-CENTER

By searching infos and urls we can determine the following syntax:
This domain was used as landing page for money racing partners.

A screenshot of the site:

From the cascading style sheets of the site I've found also an image who is absolutely not related with the usual scareware landing:

But i've found nothing related to a 'Youtube Studio' landing page on the server
but with Google i get this:

Downloaded file is legit:

MD5: D3A748372338841FCD4366307F3EE657

The graph of is interesting:

Detail for
Pharma domains, payment processors...

And if i click on contact: Another landing page, this time 'Monstocloud':

The company adress is the same a Registry Fixer (

Now for return to, there is just a scareware hosted 'setup.exe' (AV Protection Online).

Malware MD5: 45BFC0DE3C78454B8C80623B7DE965B0

As usual we can have the machines name with 302 or 403 requests. and as "". and as "".

Also note that this '360 Security' was never found as 'executable version' have also a fake purchase page online
Even the captcha is a fake (a static GIF image) and not verified:

When we do a wrong billing order, the following text is displayed:

Sorry, please contact as by email:

CCBill, is a payment processing service, mostly used for Adult.

We have also this url from, once again related with the money racing network:
• dns: 1 » ip: - adresse: AVSECURECS.COM
Domain name:             AVSECURECS.COM
Name Server:
Name Server:
Creation Date:           2011.08.03
Updated Date:            2011.12.18
Expiration Date:         2012.08.03

Status:                  DELEGATED

Registrant ID:           PBU1LTD-RU
Registrant Name:         Cyprus company
Registrant Organization: Cyprus company
Registrant Street1:      6 Karaiskakis Street
Registrant City:         Limassol
Registrant Postal Code:  53034
Registrant Country:      CY

Administrative, Technical Contact
Contact ID:              PBU1LTD-RU
Contact Name:            Cyprus company
Contact Organization:    Cyprus company
Contact Street1:         6 Karaiskakis Street
Contact City:            Limassol
Contact Postal Code:     53034
Contact Country:         CY
Contact Phone:           +357 25555000
Contact E-mail:

Registrar:               Regional Network Information Center, JSC dba RU-CENTER

Screenshot of

Customer area:

On the "About Us" page they claim to be at 392 Potrero Avenue, Sunnyvale.

But 360 Security LP don't exist:

We have also found a phpinfo file on the server.

And get interesting informations:

System Linux #2 SMP Thu Aug 25 16:40:22 UTC 2011 x86_64
SCRIPT_FILENAME /home/sites/st2/html/chat/php.php
SCRIPT_URL /chat/php.php

Actual domain of money racing is, mrwrk stand probably for "Money racing workers"

Domain name:             MRWRK.COM
Name Server:
Name Server:
Creation Date:           2011.05.18
Updated Date:            2011.11.01
Expiration Date:         2012.05.18

Status:                  DELEGATED

Registrant ID:           YWAAUUH-RU
Registrant Name:         Kiborg Solutions LLC
Registrant Organization: Kiborg Solutions LLC
Registrant Street1:      shevchenko 12
Registrant City:         Kiev
Registrant Postal Code:  30015
Registrant Country:      UA

Administrative, Technical Contact
Contact ID:              YWAAUUH-RU
Contact Name:            Kiborg Solutions LLC
Contact Organization:    Kiborg Solutions LLC
Contact Street1:         shevchenko 12
Contact City:            Kiev
Contact Postal Code:     30015
Contact Country:         UA
Contact Phone:           +380 44 4907681
Contact E-mail:

Registrar:               Regional Network Information Center, JSC dba RU-CENTER

mrwrk and SSH connections was under brute force (pure and with wordlists) but that have done nothing. This gang continue to make errors and we will continue to keep an eye on.

Steven K (Xylitol)
Malware Research

Ver más


Inside Phoenix Exploit’s Kit 2.8 mini version

Phoenix Exploit's Kit is a package with more continuity in crime scene crimeware. After all this tour is currently in the wild version 2.8 that, despite having a low activity since the last half of this year, remains one of the many Exploit Pack with greater preference for cyber-criminals.

Perhaps this "slack time" to have your response in high demand now has another crimeware of this style, which is arguably one of the players today: Black Hole Exploit Pack  .

However, PEK has a similar licensing model, where the last version was released with an "alternative" to buy. This is Phoenix Exploit's Kit 2.8 mini. Let us look briefly this alternative to crime which we could access through our Offensive Security Service CrimewareAttack.

The licensing model consists in the version Simple domain closed at a cost of USD 2.200, another version Multithreaded domain also closed to USD 2.700 and an extra-encryption service USD 40 (ReFUDing), already present from several versions back as part of the "added value".

PEK Access Panel 2.8. Like previous versions, respects its policy of authentication through a single factor defined by a password that checks its integrity through its MD5 hash.

Basically this new version does not change its characteristics, at least in regards to its graphical interface and functionality in relation to previous versions. Each section shows the same flow crimeware and type of statistical information, minimalist yet concise, this being, though trivial, one of the main reasons for the adoption of Phoenix by cyber-criminals. Simply find the information they need to increase the level of success and attack strategies, and merge the functionality of this Exploit Pack with some Malware Kit as SpyEye or ZeuS.

What is the difference between full version and the mini version?
Basically, the business around licensing model above. In the case of the mini version, the model is subject to a domain under the simple mode, while the full version allows multitasking.

Perhaps this model does not say much in this way, but the reason for their existence is based on the possibility of using different business affiliates with different profiles from the full licensing model. In this way, criminals can expand its business coverage. While with the mini version is limited to a single user profile.

What is new about the exploits?
Basically not much. Everything happens for optimizing the code for exploits a success rate effective in the process of exploitation, adding the exploit for Java Runtime Environment to Trusted.

Also removed were the following exploits pre-compiled in version 2.7:
  • Windows Help and Support Center Protocol Handler Vulnerability – CVE-2010-1885  
  • Integer overflow in the AVM2 abcFile parser in Adobe Flash Player – CVE-2009-1869  
  • Integer overflow in Adobe Flash Player 9 – CVE-2007-0071  
  • IEPeers Remote Code Execution – CVE-2009-0806  
  • Internet Explorer Recursive CSS Import Vulnerability – CVE-2010-3971   
From M86 Security Lab have published this summer "Phoenix Exploit Kit (2.7) Continues to be updated", describing the methodology of obfuscation that had already been using earlier versions. With this modification, the author sought to prevent monitoring of components of PEK and discover its structure, for example, during the research process.

Although it’s basically the same exploits (similar in all cases, including those incorporating other Exploits Pack in the wild), the author's optimized for each version. In this case, includes the following exploits:
Despite the optimization of the components for each version exploits, is striking and interesting that chain optimization and updating MDAC exploit remains the most domination, not only in this Exploit Pack it in any of the existing. What is the reason? Just a lack of maturity on the users (application, customers around the basic procedures update) that transforms him into a potential target and highly drinkable through this old, but effective vulnerability.

More information about Inside Phoenix Exploit’s Pack in other versions:

The graph shows some of the domains that the creators of Phoenix Exploit's Kit used in 2011.

Review of the components that are part of Phoenix Exploit's Kit 2.8 mini version

Simple statistics. The typical first screen displayed when accessing PEK. Display data of interest to cybercriminals uqe groups are behind its management: Browser (and version) most exploited, the number of compromised machines and exploits with the highest rate of success.

Advanced statistics. Information with a broader level of detail regarding compromised browsers and operating systems, along with information on the rate of success for each one of them.

Countries statistics. Information similar to the panels above but relevant data on the countries concerned.

Referer statistics. Information from reference sites to Phoenix Exploit's Kit.

Upload. Exe files. Panel which is updated by the malware spread.

White Paper  
State of the art in Phoenix Exploit's Kit (to 18/08/2010)  
Includes up version 2.3r of Phoenix Exploit's Kit v2.3r

Although some aspects of "subtle", the truth is that virtually PEK changes in each version, and perhaps its simplicity of use is the key for which is still alive in a criminal environment where demand and competition is very strong. As in conventional business, but... the criminal side.

Crimeware Research Team

Ver más