MalwareIntelligence is a site dedicated to research on all matters relating to anti-malware security, computer criminology and information security in general, always from a perspective closely tied to the field of intelligence.

29.8.09

Hybrid Botnet Control System. Development of an HTTP bot in Perl

The development of crimeware is increasingly open. Its creators are constantly looking to give their malware evasion mechanisms that are ever more effective while having minimal resource impact, not only on the victim machines but also on the servers that host the control side, and there is now a range of alternatives that goes from genuinely important paid "products" to free ones.

In this sense, in the post on Open Source crimeware development we mentioned the creation of two parallel projects which, while not aspiring to be complex applications, have two striking features.

First, the download is free, which means that the concept adopted in the application can be extended (or "improved", as its author would say) by other developers who add more complex functionality.

On the other hand, it does not (at least initially) fall within the clandestine cycle of crimeware marketing, and, in the particular case of Hybrid Botnet Control System and unlike other web applications of this kind, the bot is written in Perl, something unusual (in fact, I think it may be the first one).

Furthermore, it is basically similar to any of the alternatives available on the black market. That is, the administration panel is web-based and written in PHP, and the database is stored in MySQL.

Another common feature is that the development and marketing of solutions designed for the control and management (C&C) of botnets generally has its birthplace in countries like Russia, and although Hybrid's web control panel is based on one of the first applications of Russian origin to introduce the concept of administration via HTTP, Black Energy (to which the capture showing the authentication system belongs), it seems that Hybrid's own development does not come from Eastern Europe.

In any case, whatever the origin of their development, these activities do nothing but help increase the income of cyber-criminals and feed the entrenched criminal cycle built around the concept of crimeware, marking a trend that is difficult to stop given the range of alternatives that can be implemented through such initiatives.


Jorge Mieres


24.8.09

A recent tour of scareware XIII

More domains, IP addresses and hosting related to malicious code of the scareware (rogue) type that are spreading threats this month. As always, the recommendation is to block these addresses and domains.



Jorge Mieres


17.8.09

Open Source crimeware development to control and manage botnets

The development of web applications oriented to botnet control and management via the HTTP protocol is at an advanced stage within the underground community of Eastern Europe, particularly Russia, where cyber-criminals constantly flood the clandestine market with crimeware packages such as Eleonore, ZeuS, ElFiesta, Adrenaline and many others.

However, this business model, already established, is expanding into other territories where the ambition of cyber-crooks mirrors this hard-to-stop trend, but with a different philosophy: Open Source crimeware. That is, the development of open source software designed to be used for criminal purposes over the Internet.

In this case, it is a family of crimeware designed for the control and administration of zombie networks.

It is a series of projects that seek, as the author (whose nickname is "cross") makes clear, to show that the development of botnets in Perl is possible. Under the slogan "x1Machine Remote Administration System", two projects aimed at the manipulation of botnets, called Hybrid and TRiAD, are made available to organized cyber-crime.

Hybrid Project
"Hybrid" is the most ambitious. It is written in Perl, runs only on GNU/Linux platforms and, as is common in most current crimeware of this style, allows botnets to be managed over HTTP. While the author states that it was designed for malicious purposes, the legend on the interface of version 1 (the image shown below) reads Botnet Control System, which is contradictory.

Configuration is done through a small panel accessed via the HyGen.pl file.

Version 2 (screenshot) maintains the same features as its predecessor. For the moment it is in a "Proof of Concept" (PoC) state. However, it can be manipulated by any cyber-crook to make it fully functional and to add more components for abusing the undead.

An interesting detail is that its interface is based on BlackEnergy, one of the first HTTP-administered botnets, designed to perform DDoS (Distributed Denial of Service) attacks.


TRiAD Project
This crimeware has already been discussed. It is a side project whose first version (screenshot) is designed, like the Hybrid project, to operate in a GNU/Linux environment.

This first version was born in early 2009, and the project now has three versions that incorporate a few more features. It is written in C, and through it three harmful activities can be carried out: Distributed Denial of Service (DDoS) attacks, Bindshell (execution of a shell and opening of ports) and ReverseShell (notification of a zombie connection).

TRIAD HTTP Control System v2 is the second version of the project, which evolved into a multi-platform crimeware that can be deployed on Windows and GNU/Linux.

This version, in addition to the features present in version 1, has new features: removal of the bot, and shutting down and restarting the computer remotely. The following screenshot is of the download page.

Like the second version, TRIAD HTTP Control System v3 is written in C, compiled with GCC and runs under Windows and GNU/Linux. Its features are:

In GNU/Linux:

Syn Flood with source IP spoofing: [SynStorm]-[Host]-[Port]-[Nr of Packets]-[Delay]
Small HTTP Server: [HTTP Server]-[Port]-[Time(minutes)]
Bind Shell: [Bind Shell]-[Port]-[Allowed IP Address]

While the version for the Windows platform offers:

UDP Flood: [UdpStorm]-[Target IP]-[Target Port]-[Nr of Packets]-[Delay]
Small Proxy Server: [Proxy Server]-[Port]-[Time(minutes)]
Reverse Shell: [Reverse Shell]-[Host]-[Port]


Regardless of the platform, both have in common the ability to:

Sleep
Reboot remote machine
Shutdown remote machine
Delete bot from remote machine


Clearly, this situation aggravates a number of aspects that make this type of "initiative" an ideal source both for script kiddies aspiring to become cyber-criminals, because it is free, and for professional developers, who can tailor the code to add functionality adapted to the needs of each buyer (usually botmasters) depending on the platform they want to exploit.


Jorge Mieres


15.8.09

Fragus. New botnet framework In-the-Wild

A new web application written in PHP and developed as a delivery system for exploits and malware and for controlling the spread of botnets has entered the illegal crimeware market, promising to be one of the most exploited.

This is Fragus v1.0, which since July 2009 has joined the long list of applications of this kind seeking to corner the black market. Its development originated in Russia, and it reaches the market at a sufficiently "competitive" cost.

In recent months new frameworks for the control and administration of botnets have appeared to make this task simple, such as Liberty Exploit System and Eleonore Exploit Pack, alongside some much older ones that have upgraded their capabilities, such as YES Exploit System and ElFiesta.

However, finding more and more malicious applications of this style In-the-Wild is not a casual situation; it responds to a business model that lies behind the development of crimeware and feeds itself through the marketing of a wide range of options.

From a general standpoint, Fragus has an attractive interface, support for English and Russian, and a simple statistics system that allows information to be obtained and compared regarding browsers, operating systems (including their versions) and the countries in which zombies have been recruited into the network (which amounts to the same thing: a strategy that permits intelligence information to be related in a timely manner). The following screenshot shows the statistics panel.


It also has other features like:

Ability to quickly check the data through a summary that is accessed without loading the page.
Management of file uploads from the same admin panel.
Allows specifying the file name of the binary that will be uploaded to the system.
Ability to distinguish the traffic handled by each "client" in order to keep each metric independent.
Lets you choose the file to upload from the admin panel or perform a random load.
Allows "clients" to maintain their own exploit kit by selecting from a list.
Also allows controlling the statistical information from a domain separate from the administration panel, allowing access to the information without going through the authentication process.
Lets you clear the statistical information globally or at the level of each individual "customer".
All the configuration options Fragus offers for the administration and control of botnets can be performed easily from the Framework.
It has an internal search system that lets you search for and quickly find iframe links in open traffic, again globally or for each "customer" individually.


In addition, Fragus also allows exploiting vulnerabilities through high-quality images, editing the number of domains needed to migrate information without losing traffic, and editing a URL in which the exploit pack is visited twice or more, i.e. several binaries (exe, pdf, swf, depending on the exploit) are downloaded from the same page.

Examples of malware spread by Fragus are:

Manual.pdf
Patch.exe

Another aspect that stands out, and which distinguishes this crimeware from the classics of its kind, is that it has an instruction designed to prevent search bots from detecting the domain used (the default domain associated with Fragus when the crimeware is released is fragus.cn); and the installation process is not cumbersome and does not require touching a configuration file manually, since it has a help wizard that lets it be installed in minutes.

Among the exploits that come preinstalled are:

MDAC
PDF printf()
PDF collectEmailInfo()
PDF getIcon()
MS DirectShow
MS09-002 - for IE7
MS Spreadsheet
AOL IWinAmp
MS Snapshot MS COM

As we can see, this new crimeware entering the crime scene promises to be very competitive. In addition, the default malware it ships ready for dissemination has an alarmingly low detection rate, which turns the web application into a serious threat.


Jorge Mieres


14.8.09

Liberty Exploit System. Another crimeware alternative to control botnets

The black market controlled by cyber-criminals continues to create "competitive" products in a business where the low cost of crimeware marks and justifies its widespread use. In this sense, botnets benefit from the development of web applications designed to make their administration easy and intuitive; they also constantly feed the criminal process to which they belong.

Another alternative that adds to this clandestine business is Liberty Exploit System, whose author recently made a new version, 1.0.5, available to cyber-crime, stating that it has an excellent "price/quality" ratio.

Its price is USD 500. For USD 20 more one gets the "advantage" of access to a vault, and a further USD 50 is charged for the domain change when the user has been blocked, demonstrating the type of services crimeware offers in general. Moreover, payment is only via WebMoney.

Unlike its predecessor, version 1.0.4, by default it does not include the exploitation of vulnerabilities in Sun Java JRE/JDK, although this can be requested. Furthermore, an exploit for MS DirectShow has been added. The package consists of the following preinstalled exploits:

MS06-014 Internet Explorer (MDAC) Remote Code Execution Exploit
PDF util.printf()
PDF collab.collectEmailInfo()
PDF collab.getIcon()
Flash 9
MS DirectShow

Some features of the (malicious) web application worth highlighting are: blocking of re-access to the page, that is, the page containing the exploit can only be accessed once, after which it crashes; the database is managed with MySQL; enhancements for operating with large flows of information, which is interesting; a very simple setup; and the inclusion of anti-analysis techniques, among others.

As for the administration panel (incidentally simple and minimalist), it provides detailed statistical tracking of the type and version of browser, the exploits, the countries where the zombies are located and the type of traffic, among others. Also, one thing that differentiates this crimeware, since not all of them have it, is a graphical statistics system in which pie charts are generated with important information on the above aspects. The screenshot shows an example.

This statistics and information-collection system is what draws attention, in general, in all crimeware of this style, because regardless of the perspective from which we look at it, it serves not only to obtain information but to produce what in other settings is known as intelligence.

This leads us to understand, and to begin to give its due to, the fact that botnets as we know them today represent a serious global security problem, not only through the spread of malware but also because they are used to carry out other attack maneuvers whose goals go beyond home users.


Jorge Mieres


12.8.09

Prices of Russian crimeware. Part 2

The criminal activities on which cyber-criminals feed daily, through a business model they have implemented themselves, are channeled through an underground market that offers increasingly professional "services" tailored to the needs of organized cyber-crime.

Consequently, every day new crimeware applications appear to boost the economics of cyber-criminals, whatever their role in the criminal chain. Some of this crimeware is reflected below, highlighting its cost within the illegal market.

CRUM Cryptor Polymorphic v2.6
This is a crypter-type application. Its main feature is the ability to generate polymorphic malware, encrypting every file it creates with a random 256-byte key. It also offers anti-analysis capabilities, such as detecting virtual machines. Its cost is USD 200 and includes free updates.

CRUM Joiner Polymorphic v3.1
In this case, the main function is the ability to merge files with no limit on their number. Like the previous binary, it offers 256-byte polymorphic encryption and virtual machine detection. The price is USD 100 and upgrades are free.

More information about this family of crimeware

Eleonore Exploits Pack v1.2
Eleonore is a package for exploiting vulnerabilities and controlling zombie networks. The cost of the latest version is USD 700. For an additional USD 50 it provides access to its crypter.

By default the crimeware is tied to a number of domains, but there is the option of leaving it unbound, in which case its price rises to USD 1500, Crypter included. It is designed to exploit the following vulnerabilities: MDAC, MS009-02, Telnet - Opera, Font tags - FireFox, PDF collab.getIcon, PDF Util.Printf, PDF collab.collectEmailInfo, DirectX DirectShow and Spreadsheet.

Eleonore Exploits Pack v1.1
The previous version costs USD 500 and, unlike version 1.2, lacks the Spreadsheet exploit module.

More information about Eleonore Exploits Pack

Unique Sploits Pack v2.1
One of the web applications designed for managing botnets via HTTP. Its current price is USD 750 and includes free updates and the Crypter. For those who own older versions, the upgrade to this version has an added cost of USD 200.

The vulnerabilities it is able to exploit are: MDAC for IE 6, PDF exploit for IE 7, Opera and Firefox, PDF exploit for Adobe Acrobat 9, PDF Doble (simultaneous download of two PDF exploits), MS Office Snapshot for IE 6 and 7, IE 7 XML SPL, Firefox Embed, IE 7 Uninitialized Memory Corruption Exploit, SPL Amaya 11, Foxit Reader 3.0 PDF Buffer Overflow Exploit.

More information about Unique Sploits Pack

Adrenaline
Another of the many crimeware designed to exploit vulnerabilities and control botnets via HTTP. Among its features, it highlights the possibility of local pharming, keylogging, theft of digital certificates, encryption of information, anti-detection techniques, cleaning of traces and injection of viral code, among others. Its price is USD 3000.

More on Adrenaline Pack

YES Exploit System v2.0.1
One of the most used exploit kits. It has an interface that resembles an operating system, with a "Start" menu from which its various features are accessed. The cost of the latest version to date (August 2009) is USD 800.

YES Exploit System v1.2.0
One of the first-generation packages, still very active; its price varies depending on the version. In the case of version 1.2.0, the cost is around USD 700.

More information about YES Exploit System

Barracuda Botnet v3.0
Latest version of this web application which, despite several years of existence, still has a relatively high cost compared to its peers. This crimeware is marketed in two versions, the Full version at USD 1600 and the Lite version at USD 1000.

In addition, this package is modular, meaning that modules can be added to meet the needs of the botmaster who buys or rents it. The modules that can be acquired are:

• DDoS module (HTTP GET/POST flood, UDP flood, ICMP flood, TCP flood, IP spoofing), at a cost of USD 900.
• Email Grabber module, which collects the email addresses stored on the zombie. Its price is USD 600.
• Proxy module, which increases the number of simultaneous connections for more "efficient" spam sending. Its price is USD 500.
• PWDGRAB module, clearly oriented to the theft of private information. Its price is USD 500.
• SSLSOCKS module, still in beta, which can build a VPN "through" the botnet. Its price is USD 500.

As for previous versions, 2.2 is sold for USD 600 and 2.0 for USD 300.

More information on this crimeware

ZeuEsta Exploit Pack v7.0
This is a private "adaptation" consisting of the combination of two very active crimeware: ZeuS v1.2.4.6 and SPack Kit. The cost is USD 600, plus USD 100 per month for access to hosting. Originally composed of the merger of ZeuS and ElFiesta, in April of this year (2009) it was updated, replacing ElFiesta with SPack Kit.

While this fusion of crimeware is not an original creation developed entirely by Russians, its different versions are based on ZeuS, and it was therefore considered worth reflecting its cost.

ZeuEsta Exploit Pack v5.0
This version is obtained on the illegal market at a cost of USD 150 "unofficially", i.e. sold by third parties and not by the author himself. This version is composed of ZeuS v1.1.2.2 and ElFiesta.

ElFiesta v3
One of the crimeware most exploited by botmasters. In this case it is version 3, at a cost of USD 800. The application has more than twenty modules that exploit vulnerabilities, of which those with the highest efficiency levels are the PDF and SWF exploits.

More information about ElFiesta

Liberty Exploit System v1.0.5
A newly emerged crimeware package with a number of characteristics that make it, according to its author, an ideal application for its price/quality.

By default it has the following exploits preinstalled: MS06-014 Internet Explorer (MDAC) Remote Code Execution Exploit, PDF util.printf(), PDF collab.collectEmailInfo(), PDF collab.getIcon(), Flash 9 and MS DirectShow. Its cost is USD 500.

Neon Exploit System v2.0.5
Neon suffered a slight cut of USD 100. The cost is now USD 400 instead of USD 500. Among the preinstalled and preconfigured exploit modules are: IE7 MC, PDF collab, PDF util.printf, PDF foxit reader, MDAC, Snapshot and Flash 9.

Limbo Trojan Kit
Limbo is one of the least popular crimeware on the Russian illegal market. However, this does not mean its risk is lower. Its cost, USD 300, is below that of other far more popular crimeware.

Among its features are binary updating, cleaning of traces (cache, cookies, etc.), rebooting the operating system (Windows) and self-destruction if necessary. It also has the ability to capture, through keylogging, all passwords accessed through Internet Explorer and stored in the browser, among others.

Fragus v1.0
A very new web application entering the crimeware industry at a cost of USD 800. Its characteristics are multilingual support (English and Russian), a statistics system covering browser and operating system (including versions) and country, the ability to customize exploit modules and incorporate new ones, injection of iframe tags, and file encryption; a Crypter is part of the package, although a personal one can be added.

As we can see, malicious processes are automated, and services and offerings are built around the purchase, sale and rental of effective software "weapons" designed purely for criminal purposes and profit.

In this sense, the prices of Russian crimeware move according to what the market dictates, even creating alternative business models, such as a focus on providing technical support through professional services, maintenance and custom updates of the crimeware, feeding back into the black market.


Jorge Mieres


8.8.09

TRiAD Botnet III. Remote administration of multi-platform zombies

TRIAD is a web application designed to monitor and manage botnets on GNU/Linux and MS Windows via the HTTP protocol, which we have discussed recently. It is part of an even more ambitious project by its author (who calls himself "cross"), called Hybrid Remote Administration System, which we will talk about soon ;P

This time, it is version 3 of the TRIAD botnet. This web application is still in its "infancy" but is nevertheless in constant development, and since version 2 it has become a multi-platform crimeware. Its full name is actually TRIAD HTTP Control System v0.3.

This latest version of the crimeware has slight differences (improvements, its creator would say) with respect to its predecessor. At first glance, its new interface stands out, something that, we might say, characterizes the application.

Like its predecessors, it is written in C++ and compiled with GCC.

While it has no statistics features like those found in more sophisticated crimeware applications, it has a number of options that make it a danger. For now, its features are:

In GNU/Linux systems:

Syn Flood with source IP spoofing: [SynStorm]-[Host]-[Port]-[Nr of Packets]-[Delay]
Small HTTP Server: [HTTP Server]-[Port]-[Time(minutes)]
Bind Shell: [Bind Shell]-[Port]-[Allowed IP Address]

While the version for Windows platforms includes:

UDP Flood: [UdpStorm]-[Target IP]-[Target Port]-[Nr of Packets]-[Delay]
Small Proxy Server: [Proxy Server]-[Port]-[Time(minutes)]
Reverse Shell: [Reverse Shell]-[Host]-[Port]

Regardless of the platform, the two have in common the ability to:

Sleep
Reboot remote machine
Shutdown remote machine
Delete bot from remote machine

Through a recent update, for now only the version that runs on GNU/Linux provides the ability to generate the configuration file through a GUI; this way, the process is much simpler.

The configuration file is generated and then compiled to create the bot, obtaining a new crimeware through a few simple steps.

However, this creates a drawback having to do with optimization: when upgrading the bots, it would have to be done individually, which is annoying for an advanced botmaster.

The trend this crimeware has created is a hard-to-brake style that marks a turning point in the control and administration of botnets, and represents a major effort for the security community in the fight against organized cyber-crime, which is the current state of criminal activity committed through the Internet.


                Jorge Mieres


                7.8.09

                A recent tour of scareware XII

                Considering that the best way to prevent threats is to know them, we provide this new set of domains, along with their respective IP addresses, used to spread malicious code of the scareware type, also called rogue software.

                As always, the aim of publishing these addresses is to allow them to be blocked through the mechanisms ordinarily used for that purpose.

                It should be noted that this list represents only a very small proportion of the total volume of malware of this kind that bombards the web every day.


                PC Security 2009
                IP: 72.52.210.131, 72.52.210.132, 72.52.210.133
                United States, Lansing, Liquid Web Inc
                Domains associated
                pcsecurity09.com, pc-security09.com, pcsecurity-09.com, pcsecurity-2009.com



                Home Antivirus 2010
                MD5: 30d09989020fcb8f12a1aa3f87b4efa9
                IP: 72.52.210.131, 72.52.210.132, 72.52.210.133
                United States, Lansing, Liquid Web Inc
                Domains associated
                homeantivirus2010.com, home-anti-virus2010.com, homeantivirus-2010.com, home-antivirus-2010.com, homeanti-virus-2010.com, home-anti-virus-2010.com, homeav2010.com, home-av2010.com, homeav-2010.com, home-av-2010.com

                Result: 22/41 (53.66%)

                hotlife.us/mediastream/components/SecureLiveVideo.exe (67.212.162.250) - United States Singlehop Inc
                rundaqimao.com/1/installer/Installer.exe?u=1025&...t=2 (74.222.134.20) - United States Orange Vpls Inc. D/b/a Krypt Technologies
                od32qjx6meqos.cn/ue.php (220.196.59.23) - China United Network Communications Corporation Limited
                nextantivirusplus.com/install/AntivirusPlus.grn (195.95.151.176) - Ukraine Kiev Eastnet-ua-net
                explorersecurityhelper.com/block.php (83.133.123.113) - Germany Lncde-greatnet-newmedia
                http://downloadsoftwareserver4.com/xpdeluxe.exe (89.248.168.79) - Netherlands As29073 Ecatel Ltd

                antivirus-quickscanv5.com, antivirusonlinescanv9.com, antivirusscannerv9.com, fastvirusscanv6.com, firstspywarescannerv1.com, folder-antivirus-scanv1.com, mysafecomputerscan.com, onlineantispywarescanv6.com, onlineantivirusscanv4.com, personalfolderscanv2.com, personalonlinescanv3.com, privatevirusscannerv8.com, securefolderscannerv6.com, t370.hc-server.com, totalsecurityscannerv3.com (83.133.126.155) - Germany Lncde-greatnet-newmedia

                212.117.174.14/racing.exe, clean-pc-now.net, clean-pc-now.org, fast-spyware-cleaner.com, fast-spyware-cleaner.net, fast-spyware-cleaner.org, free-spyware-checker.org, free-spyware-cleaner.com, free-spyware-cleaner.net, kill-spyware-now.org, scan-pc-now.com, scan-pc-now.org, spyware-killer.biz, spyware-scaner.com, spyware-scaner.net, spyware-scaner.org (212.117.160.18) Result: 4/41 (9.76%) - Luxembourg Root Esolutions
                core2623.racingmoney-0110.com/d_program_all.cgi?host=host&id=0 (95.169.190.147) Downloads the PC_Protect.exe binary - Russian Federation Keyweb Online Limited Ip Network

                PC Antispyware 2010
                MD5: 30d09989020fcb8f12a1aa3f87b4efa9
                IP: 174.139.243.46, 174.139.5.51, 216.86.144.130, 174.139.243.42, 174.139.243.43, 174.139.243.45, 209.31.180.232, 209.31.180.233, 209.31.180.235, 209.31.180.234, 209.31.180.237, 209.31.180.240
                United States, Chicago, Nozone Inc
                United States, Orange, Vpls Inc. D/b/a Krypt Technologies
                United States, Austin, Supporting Act Technologies Llc
                Domains associated
                pc-anti-spyware-20-10.com, pcantispyware2010.com, pc-antispyware-2010.com, pcanti-spyware-2010.com, pc-anti-spyware-2010.com, pcantispyware20-10.com, pc-antispyware20-10.com, pcantispyware-20-10.com, pcantispyware-2010.com, pc-antispyware-20-10.com, pc-anti-spyware2010.com, pc-anti-spyware20-10.com, pc-antispy2010.com, p-c-anti-spyware-2010.com

                Result: 22/41 (53.66%)

                Windows System Suite
                IP: 64.213.140.69
                United States, Global Crossing
                Domains associated
                fastantivirpro.com, malwarecatcher.net, mykeepplace.net, pay2.malwarecatcher.net, pay2.malwaresdestructor.com, prestotuneup.com, safe-pay-vault.com, trustshields.cn, update2.virusshieldpro.com, update2.windowspcsuite.com, update2.windowssystemsuite.com, virussweeper-scan.net, websystemsec.info, windowsprotectionsuite.com, windowssystemsuite.com, www.fastantivirpro.com, www.malwarecatcher.net, www.prestotuneup.com, www.protectsystem.info, www.virussweeper-scan.net

                UnVirex
                MD5: c20478d4f1b10d40831dd3d4cf9ba7a0
                IP: 195.2.253.43
                Russian Federation, Madet Ltd
                Domains associated
                unvirex.com

                Result: 30/41 (73.17%)
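The blocking mentioned at the top of this post can be driven straight from a list in this format. What follows is an added example, not code from MalwareIntelligence: it parses a subset of the indicators published above (family name, MD5, IP and domain lines) into one blocklist, renders the domains as hosts-file entries, and runs the list over a few proxy log lines. The log lines, the log format and the function names are my own assumptions; the indicators are the ones listed on this page.

```python
import ipaddress
import re

# Indicators copied from the scareware list above (a subset of the families).
# Netblock-owner and "Result:" lines are kept to show that the parser skips them.
RAW_INDICATORS = """
PC Security 2009
IP: 72.52.210.131, 72.52.210.132, 72.52.210.133
United States, Lansing, Liquid Web Inc
Domains associated
pcsecurity09.com, pc-security09.com, pcsecurity-09.com, pcsecurity-2009.com

Home Antivirus 2010
MD5: 30d09989020fcb8f12a1aa3f87b4efa9
IP: 72.52.210.131, 72.52.210.132, 72.52.210.133
Domains associated
homeantivirus2010.com, home-anti-virus2010.com, homeav2010.com, home-av-2010.com

Result: 22/41 (53.66%)

UnVirex
MD5: c20478d4f1b10d40831dd3d4cf9ba7a0
IP: 195.2.253.43
Domains associated
unvirex.com
"""

MD5_RE = re.compile(r"^[0-9a-fA-F]{32}$")


def parse_indicators(text):
    """Parse 'family / MD5: / IP: / Domains associated / a.com, b.com' blocks.

    Returns one dict per family with sets of domains, IPs and MD5 hashes.
    Owner/location lines and 'Result:' detection ratios are ignored.
    """
    families = []
    current = None
    at_block_start = True    # the next non-blank line names a new family
    reading_domains = False  # the previous line was 'Domains associated'
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            at_block_start = True
            reading_domains = False
            continue
        if line.startswith("Result:"):
            continue
        if at_block_start:
            current = {"name": line, "domains": set(), "ips": set(), "md5": set()}
            families.append(current)
            at_block_start = False
            continue
        if line.startswith("MD5:"):
            for h in line[4:].split(","):
                h = h.strip().lower()
                if MD5_RE.match(h):
                    current["md5"].add(h)
        elif line.startswith("IP:"):
            for ip in line[3:].split(","):
                try:
                    current["ips"].add(str(ipaddress.ip_address(ip.strip())))
                except ValueError:
                    pass  # not a valid address, skip it
        elif line == "Domains associated":
            reading_domains = True
        elif reading_domains:
            current["domains"].update(
                d.strip().lower().rstrip(".") for d in line.split(",") if d.strip())
        # any other line (country / hosting provider) carries no indicator
    return families


def build_blocklist(families):
    """Flatten the per-family indicators into three lookup sets."""
    merged = {"domains": set(), "ips": set(), "md5": set()}
    for fam in families:
        for key in merged:
            merged[key] |= fam[key]
    return merged


def match_host(blocklist, host):
    """True if host is a listed IP, a listed domain, or a subdomain of one."""
    host = host.strip().lower().rstrip(".")
    try:
        return str(ipaddress.ip_address(host)) in blocklist["ips"]
    except ValueError:
        pass  # not an IP literal, fall through to domain matching
    labels = host.split(".")
    # Walk up the name: cdn.homeav2010.com -> homeav2010.com (never the bare TLD).
    return any(".".join(labels[i:]) in blocklist["domains"] for i in range(len(labels) - 1))


def hash_is_listed(blocklist, md5hex):
    """Case-insensitive lookup of a file's MD5 against the listed samples."""
    return md5hex.strip().lower() in blocklist["md5"]


def to_hosts_file(blocklist):
    """Render the domain set as hosts-file lines that sinkhole each name to 0.0.0.0."""
    return ["0.0.0.0 " + d for d in sorted(blocklist["domains"])]


# Constructed proxy log lines (assumed format: "timestamp client_ip host path").
SAMPLE_LOG = [
    "1249638000.123 10.0.0.5 pcsecurity09.com /download/setup.exe",
    "1249638001.456 10.0.0.7 www.example.org /index.html",
    "1249638002.789 10.0.0.9 72.52.210.132 /install.php",
    "1249638003.012 10.0.0.5 cdn.homeav2010.com /av.exe",
    "1249638004.345 10.0.0.8 notpcsecurity09.com /",
]


def scan_log(blocklist, lines):
    """Return (client_ip, host) for every log line whose host hits the blocklist."""
    hits = []
    for line in lines:
        parts = line.split()
        if len(parts) < 3:
            continue  # malformed line
        if match_host(blocklist, parts[2]):
            hits.append((parts[1], parts[2]))
    return hits


if __name__ == "__main__":
    bl = build_blocklist(parse_indicators(RAW_INDICATORS))
    print("\n".join(to_hosts_file(bl)))
    for client, host in scan_log(bl, SAMPLE_LOG):
        print(f"ALERT {client} contacted {host}")
```

Matching is done on whole labels, so notpcsecurity09.com is not flagged by pcsecurity09.com while cdn.homeav2010.com is; plain substring matching would get both wrong. Note also that Home Antivirus 2010 and PC Antispyware 2010 carry the same MD5 on this page, so a single hash entry covers both brands.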

                Related information on this blog
                Una recorrida por los últimos scareware XI
                Una recorrida por los últimos scareware X
                Una recorrida por los últimos scareware IX
                Una recorrida por los últimos scareware VIII
                Una recorrida por los últimos scareware VII
                Una recorrida por los últimos scareware VI
                Una recorrida por los últimos scareware V
                Una recorrida por los últimos scareware IV
                Una recorrida por los últimos scareware III
                Una recorrida por los últimos scareware II
                Una recorrida por los últimos scareware

                Jorge Mieres
