MalwareIntelligence is a site dedicated to research on all matters relating to anti-malware security, criminology computing and information security in general, always from a perspective closely related to the field of intelligence.

25.12.09

Siberia Exploit Pack. Another package of explois In-the-Wild

Siberia Exploit Pack is a new package designed to exploit vulnerabilities and recruit zombies original, as is easy to deduce from its name and as is customary in this area crimeware clandestine business in Russia. It was released almost together with RussKill, a particular purpose botnet also emerging.

For now, the sale of Siberia Exploit Pack is closed. The versions that are shared in some servers are private and fraudulent purchase is only accessible through "guarantors", ie other criminals (usually botmaster, spammers, phishers, etc.). Recommending a particular person you want to buy the package .

This will control and maintain a certain level of trust between developers and their buyers Exploit Pack. This also explains why the closed cycle in their use.

The structure of this crimeware is composed of several php files and a pack of exploits defaults. Among the php files are:
  • stat.php: the panel of administration access via http.
  • index.php: contains an item "refresh" that generates a continuous refreshment redirected to Google.
  • exe.php: contains the instructions to download a binary called file.exe default and contains a script that redirects to an exploit MDAC mdac.php contained in the file. Depending on the parameters that are passed to php also download pdf files.
  • config.php: contains the configuration parameters of the package. It's in the default folder called inc.
The files that are spread through this pack and exploit other vulnerabilities are:
In this case, both pdf files (whose names are created at random) exploit vulnerabilities CVE-2007-5659 (Adobe Collab overflow), CVE-2008-2992 (Adobe util.printf overflow), CVE-2009-0927 (Adobe getIcon). While file.exe creates another file called winlogon86.exe (md5: 4217e91f65c325c65f38034dc9496772).

The "fashion" exploit packet doesn't end and it would seem that the categorization of "fashion" because it's small.

Since I began using the mass take Exploits Pack (mid 2007), there are many alternatives to this style, both general purpose and particular purpose, which are offered through a black market in which not only feeds back the business of malware with "resources" effective and simple (in this case Siberia Exploits Pack) to suit their needs without major crime efforts, but the same development as the exploit pack crimeware, botnets conjunction with that to create and manage, provides an important link in the criminal chain fits-hardly the criminals leave aside.

This obviously gives a sufficiently concrete to understand that we are facing actions and strategies of "business" held by professionals in the field of cybercrime.

Related information
RussKill. Application to perform denial of service attacks
DDoS Botnet. New crimeware particular purpose
JustExploit. New Exploit kit that uses vulnerabili...
Fragus. New botnet framework In-the-Wild
ZeuS Botnet y su poder de reclutamiento zombi
Liberty Exploit System. Alternatively crimeware to...

Jorge Mieres

1 comentarios:

curtw said...

Hi Jorge. What do you mean by

"The "fashion" exploit packet doesn't end and it would seem that the categorization of "fashion" because it's small."

Thanks for the write-ups. These exploit+malware kits need more research & detection.

curtw

Post a Comment