MalwareIntelligence is a site dedicated to research on all matters relating to anti-malware security, computer criminology and information security in general, always from a perspective closely related to the field of intelligence.

31.3.09

Monthly compendium of information. March 2009

Pistus Malware Intelligence Blog
30.03.09
Visual social engineering to spread malware

29.03.09
A recent tour of scareware V
27.03.09
Financial institutions targeted by the botnet Zeus. Part Two
26.03.09
Barracuda Bot. Botnet actively exploited
25.03.09
Financial institutions targeted by the botnet Zeus. Part One
23.03.09
Automating anti-analysis processes through crimeware
13.03.09
Campaign scareware infection through false Windows...
11.03.09
Russian prices Crimeware
09.03.09
Strategy aggressive infection Police XP Antivirus....
07.03.09
Exploiting vulnerabilities with PDF files
06.03.09
Unique Sploits Pack. Crimeware to automate the exp...
05.03.09
Strategy aggressive infection Police XP Antivirus
03.03.09
Phishing Kit automatic spammers creator
01.03.09
Campaign Police Antivirus XP spreading through soc...

EvilFingers Blog
30.03.09 Financial institutions targeted by the botnet Zeus. Part two
27.03.09 Financial institutions targeted by the botnet Zeus. Part one
26.03.09 Automating processes through analysis of anti-crimeware
22.03.09 Campaign scareware false infection through Windows Explorer
13.03.09 Russian prices of crimeware
11.03.09 Police Aggressive Strategy of Antivirus XP infection. Second part
08.03.09 Exploitation of vulnerabilities through PDFs
06.03.09 Police Aggressive Strategy of Antivirus XP infection
04.03.09 automatic Phishing Kit Creator of fraudulent sites
02.03.09 Whitepaper. Analysis of an attack of web-based malware
01.03.09 Police Campaign through spreading XP Antivirus Visual Social Engineering

ESET Latinoamérica Blog (Spanish)
27.03.09 Download malware through cracks pages
25.03.09 ESET Presence in Central
12.03.09 Fake mails Movistar and Claro spread malware
04.03.09 Suspected malware download music sites
02.03.09 Tour starts ESET Antivirus 2009 Internet Security

Related information
Monthly compendium of information. February 2009
Monthly compendium of information. January 2009

Jorge Mieres


30.3.09

Visual social engineering to spread malware

Deception methods are a fundamental part of the strategies for distributing malicious code, above all for trojans, which need the intervention of the human factor to achieve their objectives effectively.

While visual social engineering is by no means a novel method, it remains heavily exploited by computer criminals in the hope of getting unsuspecting users to run (double-click) the malware.

Given these characteristics, the question that immediately rings in my head is: if it is not a novel method, why is there such a high rate of infection through this kind of trickery?

Perhaps one of the keys to answering that question is the high demand for pornography over the Internet. "How nice," as a friend from Central would say :-)

One of the main features of visual social engineering is the operation of websites that promise multimedia content; pornography is one of the most searched topics on the Internet and therefore one of the most commonly exploited through this technique.

A concrete example is the fake PornTube pages, which promise to play a video, using as bait a still image of the supposed video along with a prompt to install a codec which, of course, is malware and not a codec.

Below I list some of the URLs used to spread this strategy, but bear in mind that the number of domains used by the criminals behind it is considerably larger.

watch-videos. cn
7wmv. In
alll-online.com/pl/pl. php
stumbulepon. com
video.stumbulepon. com
watch-video. info
yuotnbe. com
yuotuhe. com
world-tube. biz
hothotvideo. com
video-go. net
get-new.mee.fgu.name/sudofe. html
sandpaper-type.mee.fgu.name/qurer. html
free-avg.mee.fgu.name/qusthalyene. html

It is a question of supply and demand: those who visit pornographic sites want to consume pornography. It does not matter whether the material comes as images or video, or whether halfway through the video they are asked to install ten "codecs"; whoever wants pornography will do everything possible to get it without weighing the potential security risks that this so often implies.

Related information
Strategies of deception, spam and malicious code
Social Engineering and Waledac Valentine
Deception techniques that do not go out of style

Jorge Mieres


29.3.09

A recent tour of scareware V

More and more scareware, or rogue software, floods the Internet, deploying increasingly elaborate deception strategies, and its code is constantly manipulated by its creators to hinder detection by antivirus companies.

Some of the scareware encountered during the last month are:

Antivirus 2009 Protection
MD5: fc6d3c36579907e3234d11e45aaff32e
IP: 91.211.64.47 (Russian Federation - Ural Industrial Company Limited)
Platform: Windows
Associated domains: bestantcomputerprotection. com
VT Report: 30/39 (76.93%)

Filter Spyware
MD5: 43aab2992405b0aefd7f895ceb3051b6
IP: 92.62.101.123 (Estonia, Tallinn - Starline Web Services)
Platform: Windows
Associated domains: spw-fighter. com, spwfighter.com, spyware-fighter.com, spyware-fight.com, spywarefighter2009. com, swwfight.com, swwfight.net, scandalmature.com, searchmysites. com, sexdvds.ru, spylee. com
VT Report: 3/39 (7.7%)

Malware Defender 2009
MD5: afdff49097316d0a3e1b5c518c308f84
IP: 67.43.237.75 (Ukraine - Olexij Khrenov)
Platform: Windows
Associated domains: malwaredefender2009. com, systemguard2009. com, systemguard2009m. com
VT Report: 32/40 (80.00%)

Win PC Defender (clone of Police XP Antivirus)
MD5: b6bc68b2343669779ac8097b8ab1fd21
IP: 213.163.65.10 (Netherlands, Rotterdam - Interactive 3d)
Platform: Windows
Associated domains: win-pc-defense.com, loyaltube.com, msjoinpayment.com, rakompoporyadkunazaryadku. com, iloveyourbrain. com, loyaltube. com, loyaltube09. com, loyaltube10. com, setupdatdownload. com, velzevuladmin. com, xp-police-09. com, xp-police-2009. com, xp-antivirus-police. com, xp-police-av. com, xp-police-engine. com
VT Report: 18/39 (46.15%)

Search and Destroy
MD5: 8fb526b68a826cd3c87f0bf39a22c8df
IP: 68.178.212.133 (United States, Scottsdale - Godaddy.com Inc)
Platform: Windows
Associated domains: search-and-destroy. com

SysCleaner Pro
MD5: 243062dfaaa21513cee37d14351b4644
IP: 64.191.12.38 (United States, Scranton - Network Operations Center Inc)
Platform: Windows
Associated domains: syscleanerpro. com, system-cleanerpro. com, totalantispyware.com, totalantispyware. net, totalantispyware2009. com
VT Report: 1/39 (2.57%)

Spy Fighter
IP: 74.52.155.194 (United States, Texas - Dallas - Theplanet.com Internet Services Inc)
Platform: Windows
Associated domains: spy-fighter. com, 11ox. Com, 1getcarinsurance. Info

Renus 2008
MD5: da071a820af815e85ddded315d5cd919
IP: 88.214.202.5 (United Kingdom - Real International Business Corp)
Platform: Windows
Associated domains: renus2008. com, byboard. com, Intop. name, katorga. com, rudvd.com. ru
VT Report: 23/39 (58.97%)

Antivirus Agent Pro
MD5: ddf7db23b6f4b4db13cfd07da733a7e7
IP: 82.146.49.35 (United States, Florida - Crystal River - Ispsystem At Birth)
Platform: Windows
Associated domains: avagentpro. com
VT Report: 19/39 (48.72%)

For each of the cases presented, the domains associated with that scareware are included. This information is useful for blocking malicious domains.

Related information
A recent tour of scareware IV
A recent tour of scareware III
A recent tour of scareware II
A recent tour of scareware

Jorge Mieres


27.3.09

Financial institutions targeted by the botnet Zeus. Part two

ZeuS's structure consists of PHP modules from which it controls and executes all the fraudulent and harmful actions for which it was conceived. For example, it is very common to find files named s.php, sS.php, x.php or similar, which act as the bot's command and control (C&C).

Once a machine is infected, ZeuS downloads an encrypted .bin file (usually cfg.bin), which is the configuration file: a set of instructions that indicate what information to collect and where to send it.

When this file is decrypted, we can see its layout and the financial institutions that ZeuS constantly monitors from the zombie.

In this way, when the user accesses certain forms, ZeuS intercepts the browser interaction and captures all the information its botmaster needs to carry out the fraud.

The list of entities in ZeuS's sights is really long, but some of them are:

myspace.com
gruposantander.es
vr-networld-ebanking.de
finanzportal.fiducia.de
bankofamerica.com
bbva.es
bancaja.es
olb2.nationet.com
online.lloydstsb.co.uk
pastornetempresas.bancopastor.es
bancopopular.es
ebay.com
us.hsbc.com
e-gold.com
online.wellsfargo.com
wellsfargo.com
paypal.com
usbank.com
citizensbankonline.com
onlinebanking.nationalcity.com
suntrust.com
53.com
web.da-us.citibank.com
bancaonline.openbank.es
extranet.banesto.es
empresas.gruposantander.es
bbvanetoffice.com
bancajaproximaempresas.com
citibank.de
probanking.procreditbank.bg
ibank.internationalbanking.barclays.com
online-offshore.lloydstsb.com
dab-bank.com
hsbc.co.uk
bancoherrero.com
intelvia.cajamurcia.es
caixasabadell.net
areasegura.banif.es
privati.internetbanking.bancaintesa.it
iwbank.it
cardsonline-consumer.com
money.yandex.ru
e-gold.com
paypal.com

These strategies represent malicious threats and make it clear that, while email is still a channel used for malware propagation, today it is web-based attacks, carried out through various kinds of mass crimeware, that are doing the work.

Related Information
Financial institutions targeted by the botnet Zeus...
Botnet Zeus. Mass propagation of his Trojan. Part Two
Botnet Zeus. Mass propagation of his Trojan. Part One


Jorge Mieres


26.3.09

Barracuda Bot. Botnet actively exploited

Criminal operations carried out by cybercriminals through the exploitation of different crimeware applications designed for this purpose are gaining notoriety because of the number of cases currently known, in which malicious code spread via botnets is responsible for paving the way for further attacks and recruiting zombies.

Barracuda bot is a new alternative for offenders which, besides the combined actions any botnet allows, has special features that turn it into a "criminal tool" that "adapts to the needs of offenders".

Barracuda bot is a bot of Russian origin with an English interface, completely modular, where each module handles a specific task, offering the ability to update or add modules depending on the features the operator wants for controlling the zombies.


Thus, the offender can buy modules according to the criminal actions he wants to commit, simply through a web-based control and administration panel.


Moreover, it incorporates "security" features such as encryption of the information transmitted by the bot, and the ability to restore the "business" through an emergency management system that reacts in case of a takedown, allowing administration of the bot to continue over IRC.


Among the most important features this botnet incorporates are: the ability to download and run .exe and .dll binaries, not re-infecting previously infected machines, encryption and polymorphism, among many others.

But undoubtedly the most striking aspect, and the one that reflects that criminal activity conducted over the Internet is a real business, is its price.


The crimeware costs USD 1600 in the full version, i.e. all modules, but a smaller version is also offered for USD 1000 that incorporates all the modules except DDoS (Distributed Denial of Service).


Barracuda bot clients receive advice and support for free; it even offers a licensing model that is atypical in these activities. Sales are limited to five (5) persons, who receive a 60% discount on updates, and with the purchase of two (2) modules a 10% discount on the purchase of the next one.


The modules available at the moment are:
  • DDoS module. Allows HTTP GET/POST flood, UDP flood, ICMP flood, TCP flood and IP spoofing. Its price is USD 900.
  • Email Grabber module. Collects email addresses from the hard disk and from the address books of different mail clients, and captures addresses in real time each time the user accesses the Internet. Its price is USD 600.
  • Proxy module. Increases the number of simultaneous connections for more "efficient" spam sending, among other activities, according to its statistics. Its price is USD 500.
  • PWDGRAB module. Clearly designed to steal sensitive information such as passwords for websites, email accounts, FTP accounts, etc. Its price is USD 500.
  • SSLSOCKS module. This module is in beta and can "build a VPN" on the bot itself. Its price is USD 500.


25.3.09

Financial institutions targeted by the botnet Zeus. Part one

As I said in a previous post, ZeuS is one of the most important zombie networks because of the large number of nodes that make up its network; although its origin dates back to late 2007, the malware is now being exploited actively and massively, expanding its coverage of attacks and fraudulent activities, with each node managed through a web interface.

So much so that its activities, in addition to the malicious infection itself, activate a whole array of malicious scripts aimed at massively infecting computers through trojans that exploit various known vulnerabilities, and at phishing attacks that clone the sites of different banks and global online payment systems.

Knowing this fundamental point, that ZeuS focuses to a high degree on data theft, we assume the specific question after reading these short paragraphs is: how does ZeuS obtain the information it needs from the victim's computer?

The answer to this mystery lies in its configuration file, which is encrypted. Once decrypted, its contents look like the following real-life example, which shows the information contained in the file cfg.bin (MD5: 905dfab98b33e750bf78c8b29765279b):
Config version: 1.0.3.7
Loader url: http://yourcatfree.cn/trashes/ldr.exe
Server url: http://theyourbest.cn/rssfeederd/stat1.php
Advanced config 1: http://greatyourway.cn/trashesgg2/cfg.bin
Advanced config 2: http://theyourown.cn/trashesff1/cfg.bin
Advanced config 3: http://adviceswarning.com/trashesrr5/cfg.bin
Advanced config 4: http://ispspartners.com/trashes6/cfg.bin
Advanced config 5: http://ispscenter.com/trashesrr3/cfg.bin
Advanced config 6: http://alleips.com/trashestt3/cfg.bin
Fake 1: 0 PG http://adultfriendfinder.com/go*|http://centralet.cn/1/1.php|291351|
Fake 2: 0 PG http://adultfriendfinder.com/search/g*|http://centralet.cn/1/1.php|291351|
Fake 3: 0 PG http://adultfriendfinder.com/search/p*|http://centralet.cn/1/1.php|291351|
Fake 4: 0 PG http://adultfriendfinder.com/cgi-bin/public/page.cgi?p=affiliate_multi*|http://centralet.cn/1/1.php|291351|
Fake 5: 0 PG http://staging.adultfriendfinder.com/search/g*|http://centralet.cn/1/1.php|291351|
Fake 6: 0 PG http://staging.adultfriendfinder.com/search/p*|http://centralet.cn/1/1.php|291351|
Fake 7: 0 PG http://www.adultfriendfinder.com/go*|http://centralet.cn/1/1.php|291351|
Fake 8: 0 PG http://www.adultfriendfinder.com/search/g*|http://centralet.cn/1/1.php|291351|
Fake 9: 0 PG http://www.adultfriendfinder.com/search/p*|http://centralet.cn/1/1.php|291351|
Fake 10: 0 PG http://www.adultfriendfinder.com/cgi-bin/public/page.cgi?p=affiliate_multi*|http://centralet.cn/1/1.php|291351|
Fake 11: 0 PG http://www.staging.adultfriendfinder.com/search/g*|http://centralet.cn/1/1.php|291351|
Fake 12: 0 PG http://www.staging.adultfriendfinder.com/search/p*|http://centralet.cn/1/1.php|291351|
Inject data 1: OK
Inject data 2: OK
Inject data 3: OK
Inject data 4: OK
Inject data 5: OK
Inject data 6: OK
Inject data 7: OK
Inject data 8: OK
Inject 1: https://www.e-gold.com/acct/balance.asp*|GPL|*|*
Inject 2: https://online.wellsfargo.com/das/cgi-bin/session.cgi*|GL|*|*
Inject 3: https://www.wellsfargo.com/*|G|*|*
Inject 4: https://online.wellsfargo.com/login*|GP|*|*
Inject 5: https://online.wellsfargo.com/signon*|GP|*|*
Inject 6: https://www.paypal.com/*/webscr?cmd=_account|GL|*|*
Inject 7: https://www.paypal.com/*/webscr?cmd=_login-done*|GL|*|*
Inject 8: https://www.gruposantander.es/bog/sbi*?ptns=acceso*|GP|*|*
Done!

In this way, through the advanced configurations that are exploited on the victim computer, the ZeuS trojan obtains sensitive information.
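The dump above is line-oriented: infrastructure entries (loader, server, advanced config URLs), "Fake" redirect entries in the form mask|redirect|id|, and "Inject" entries in the form mask|flags|*|*. The following is an added example, not code from the post or from ZeuS itself, that parses a dump in this layout and separates the hosts the bot contacts (the blocking use described in Part two) from the hosts it watches (so an institution can check whether its own login pages are listed). The sample dump is constructed with reserved .example and .invalid names, and the inject flag letters are kept verbatim because the post does not explain them.

```python
import re
from urllib.parse import urlparse

# Constructed sample in the layout of the post's decrypted cfg.bin dump.
# Hostnames use reserved .example / .invalid names; they are not real.
SAMPLE_DUMP = """\
Config version: 1.0.3.7
Loader url: http://loader.example.invalid/trashes/ldr.exe
Server url: http://drop.example.invalid/rssfeederd/stat1.php
Advanced config 1: http://cfg1.example.invalid/trashesgg2/cfg.bin
Advanced config 2: http://cfg2.example.invalid/trashesff1/cfg.bin
Fake 1: 0 PG http://www.dating.example/go*|http://redirect.example.invalid/1/1.php|291351|
Fake 2: 0 PG http://www.dating.example/search/g*|http://redirect.example.invalid/1/1.php|291351|
Inject data 1: OK
Inject 1: https://www.bank-a.example/acct/balance.asp*|GPL|*|*
Inject 2: https://online.bank-b.example/login*|GP|*|*
Inject 3: https://www.bank-b.example/*|G|*|*
Done!
"""

# "<Key> [<index>]: <value>", e.g. "Advanced config 3: http://..."
LINE_RE = re.compile(r"^(?P<key>[A-Za-z ]+?)(?: (?P<idx>\d+))?: (?P<val>.*)$")


def parse_config_dump(text):
    """Turn the dump into a dict of typed records; unrecognised lines are skipped."""
    cfg = {"version": None, "loader": [], "server": [], "advanced_config": [],
           "fakes": [], "injects": []}
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue                      # "Done!" and similar trailer lines
        key, val = m.group("key"), m.group("val")
        if key == "Config version":
            cfg["version"] = val
        elif key == "Loader url":
            cfg["loader"].append(val)
        elif key == "Server url":
            cfg["server"].append(val)
        elif key == "Advanced config":
            cfg["advanced_config"].append(val)
        elif key == "Fake":
            # "<num> <flags> <url mask>|<redirect url>|<id>|"
            _num, flags, rest = val.split(" ", 2)
            mask, redirect, ident = rest.split("|")[:3]
            cfg["fakes"].append({"flags": flags, "mask": mask,
                                 "redirect": redirect, "id": ident})
        elif key == "Inject":
            # "<url mask>|<flag letters>|*|*"; the letters' meaning is not
            # given in the post, so they are stored verbatim
            mask, flags = val.split("|")[:2]
            cfg["injects"].append({"mask": mask, "flags": flags})
    return cfg


def _host(url_mask):
    """Hostname of a URL or URL mask (a '*' in the path does not bother urlparse)."""
    return urlparse(url_mask).hostname


def infrastructure_hosts(cfg):
    """Hosts the bot talks to (loader, drop server, config updates, fake
    redirect targets): candidates for a DNS or proxy blocklist."""
    urls = (cfg["loader"] + cfg["server"] + cfg["advanced_config"]
            + [f["redirect"] for f in cfg["fakes"]])
    return sorted({_host(u) for u in urls})


def targeted_hosts(cfg):
    """Hosts whose pages the bot watches or redirects: the victims' side."""
    urls = [i["mask"] for i in cfg["injects"]] + [f["mask"] for f in cfg["fakes"]]
    return sorted({_host(u) for u in urls})


def injects_for_domain(cfg, domain):
    """Inject masks that belong to `domain` or one of its subdomains, so an
    institution can check whether its own logins appear in the config."""
    return [i["mask"] for i in cfg["injects"]
            if _host(i["mask"]) == domain or _host(i["mask"]).endswith("." + domain)]


if __name__ == "__main__":
    parsed = parse_config_dump(SAMPLE_DUMP)
    print("block:", infrastructure_hosts(parsed))
    print("watched:", targeted_hosts(parsed))
    print("bank-b entries:", injects_for_domain(parsed, "bank-b.example"))
```

The split into "infrastructure" and "targeted" matters in practice: the first set belongs on a blocklist, while the second set must not be blocked, since those are the legitimate banks and services the victim is trying to reach.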


Jorge Mieres


23.3.09

Automating anti-analysis processes through crimeware

The automation of malicious code is a philosophy of life and a lucrative business for its creators, since every day they must focus their efforts on devising new "tools" that can "jump" over the signature-based detection methods used by antivirus vendors.

New, increasingly professionalized "proposals" appear constantly, which help to delay the detection of malicious code through anti-analysis techniques and at the same time increase the developers' profits.

Polymorphic Cryptor Crum is one of many programs in this category. It is a program used to encrypt malware, developed in Russia for people on the mischievous side of the field, to broaden the horizon of their returns.


This is a new version of this crypter, 1.1, which offers capabilities for handling polymorphic malicious code.

Among the features this polymorphic implementation offers, besides polymorphism itself, are:
  • Use of randomization
  • Encryption of imports and resources
  • 128 for each section
  • Overwriting the "Rich" signature and the "Time / Date Stamp" in the file headers
  • Anti-debugger capabilities
  • Prevents memory dumps
  • Avoids running in controlled environments
  • Changes or deletes the icon of the malicious binary
These are only some of the functions the program offers, but enough to gauge the degree of professionalism and danger reached, in this case by Russian developers, in the creation of malware, which is disturbing.
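Two of the listed features, overwriting the "Rich" signature and the "Time / Date Stamp" in the PE header, leave traces that a defender can look for in a suspicious binary. The following is an added example, not code from the post or from the Crum tool: a standard-library-only header check that reads the COFF TimeDateStamp and looks for the Rich marker in the region between the DOS stub and the PE signature, where MSVC's linker places it. The sample images are constructed inside the code (headers only, not runnable programs), and the "plausible timestamp" bounds are an assumption of this example.

```python
import struct
import time

# Unix time for 2000-01-01; earlier stamps are treated as implausible for a
# binary seen in 2009 (an assumption of this example, not of the post).
EARLIEST_PLAUSIBLE_TS = 946684800


def build_sample_pe(timestamp, with_rich=True):
    """Constructed header-only PE image for the demo (not a runnable program)."""
    e_lfanew = 0x80
    # IMAGE_DOS_HEADER: "MZ", 58 bytes we do not care about, e_lfanew at 0x3c
    dos = bytearray(b"MZ" + b"\x00" * 58 + struct.pack("<I", e_lfanew))
    stub = bytearray(e_lfanew - len(dos))          # DOS stub area, 0x40..0x7f
    if with_rich:
        # A real Rich header is XOR-masked tool metadata ending in "Rich" + key;
        # only the marker matters for the presence check below.
        stub[0x10:0x18] = b"Rich" + b"\x11\x22\x33\x44"
    # IMAGE_FILE_HEADER: Machine, NumberOfSections, TimeDateStamp,
    # PointerToSymbolTable, NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    coff = struct.pack("<HHIIIHH", 0x14C, 1, timestamp, 0, 0, 0, 0x0102)
    return bytes(dos + stub) + b"PE\x00\x00" + coff


def inspect_pe_header(data, now=None):
    """Return a list of findings; an empty list means nothing suspicious."""
    now = time.time() if now is None else now
    if len(data) < 0x40 or data[:2] != b"MZ":
        return ["not a PE file (no MZ header)"]
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        return ["not a PE file (bad e_lfanew or PE signature)"]
    findings = []
    ts = struct.unpack_from("<I", data, e_lfanew + 8)[0]   # COFF TimeDateStamp
    if ts == 0:
        findings.append("TimeDateStamp is zero")
    elif ts > now + 86400:
        findings.append("TimeDateStamp is in the future")
    elif ts < EARLIEST_PLAUSIBLE_TS:
        findings.append("TimeDateStamp predates 2000")
    # MSVC-linked binaries carry a Rich header between the DOS stub and the PE
    # signature; a crypter that wipes it leaves that region without the marker.
    if b"Rich" not in data[0x40:e_lfanew]:
        findings.append("no Rich header between DOS stub and PE header")
    return findings


if __name__ == "__main__":
    for label, image in (("intact", build_sample_pe(1236000000)),
                         ("wiped", build_sample_pe(0, with_rich=False))):
        print(label, inspect_pe_header(image) or "clean")
```

Neither finding is proof on its own: toolchains other than MSVC never emit a Rich header, and some build systems deliberately zero the timestamp. Treat them as one signal to combine with the file's other properties, not as a verdict.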

This implementation costs USD 100 on the black market. However, to complete the range of applications of this kind, the same creator offers, for "only" USD 50, a joiner (used for merging files) called Crum Joiner Polymorphic, plus USD 20 for access to its updates.

The interface of this program, which allows several files to be merged, for example a .jpg with a .exe binary, is as follows:

In this case, some of the features the application includes are:
  • Polymorphic capabilities
  • Allows an unlimited number of files to be joined
  • Supports multiple file extensions such as .doc, .mp3, .avi, .jpg, .bmp and .exe
  • File encryption of 256 bytes
  • Ability to carry not only .exe files but also .dll files
In both cases, the creator recommends certain "security measures" to protect the "integrity" of his development, such as not submitting the application to services like VirusTotal, encrypting the files as instructed, and not sharing any of the components that make up the applications.

Related Information
Russian prices Crimeware
Creating Online PoisonIvy based polymorphic malwar...

Jorge Mieres


13.3.09

Scareware infection campaign through a fake Windows Explorer

Deception strategies are the main feature scareware uses to create fear in the user and ensure its installer is run. While the excuses used for the deceptions are many, some more prominent than others, the efforts to design and create more sophisticated strategies are clearly increasing.

In this case, the deception centres on an online scan of the computer that always finds infection problems, and then offers the download of the supposed security tool that will solve them. All completely false.

When the user first accesses the malicious page, an alert warns of the possibility that the computer has been the victim of malicious code.

At this point a simulated scan of the computer takes place, represented by a fake Windows Explorer and an animated GIF showing a progress bar for the scan; then a popup is displayed with the names of the supposed threats found on the system.

This image, which offers two options ("Remove all" and "Cancel"), is another layer of deception, because no matter which part of the image is clicked the effect is the same: the malware installer is downloaded, a file called install.exe whose MD5 is 8eed59709de00e8862d6ce3d5e19cb4a.

Some of the web addresses actively being exploited in this malicious activity are:

stabilityaudit.com (209.44.126.22)
websscan.com
goscanbay.com (78.159.101.27)
goanyscan.com
goscanever.com
goscanfuse.com
goscanit.com
goscanonly.com
goscanslot.com
gowayscan.com
in4co.com
in4ik.com
megascan4.com
www.goscanonly.com
www.homescan4.com
easywinscanner17.com (209.249.222.48)
fast-antimalware-scanner.com (194.165.4.7)
fastantimalwarescan.com (78.47.91.153)
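The domain listings on this page, both the list above and the associated domains in the scareware tour (whose author notes they are useful for blocking), are not in a form a resolver can consume directly: there is a space before the TLD, mixed case, comma-separated runs, and an optional hosting IP in parentheses. The following is an added example, not code from the original post, that normalizes listings in those layouts into a deduplicated blocklist, rejects malformed entries instead of silently dropping them, and renders the result as DNS Response Policy Zone records. The sample entries are constructed with reserved .example names and TEST-NET addresses, not the page's indicators.

```python
import ipaddress
import re

# Constructed sample in the two layouts used on this page: comma-separated
# names with a space before the TLD, and one name per line with an optional
# hosting IP in parentheses. Two deliberately malformed entries are included.
SAMPLE_LISTINGS = """\
fake-scanner. example, fakescanner.example, Fake-Scanner2009. Example
scan-now.example (192.0.2.10)
www.scan-now.example
goscan-any.example (198.51.100.7)
not a domain
bad-ip.example (999.1.1.1)
"""

# Hostname syntax: labels of letters, digits and inner hyphens, alphabetic TLD.
DOMAIN_RE = re.compile(
    r"^(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$")
# "<name>" or "<name> (<ip>)"
ENTRY_RE = re.compile(r"^(?P<name>[^()]+?)\s*(?:\((?P<ip>[0-9.]+)\))?$")


def normalize_domain(raw):
    """Collapse 'name. tld' spacing and case; return None if still not a hostname."""
    name = re.sub(r"\s*\.\s*", ".", raw.strip()).lower().rstrip(".")
    return name if DOMAIN_RE.match(name) else None


def parse_listings(text):
    """Return ({domain: ip-or-None}, [rejected entries]) from free-form listings."""
    indicators, rejected = {}, []
    for line in text.splitlines():
        for entry in line.split(","):
            entry = entry.strip()
            if not entry:
                continue
            m = ENTRY_RE.match(entry)
            name = normalize_domain(m.group("name")) if m else None
            if name is None:
                rejected.append(entry)
                continue
            ip = None
            if m.group("ip"):
                try:
                    ip = str(ipaddress.ip_address(m.group("ip")))
                except ValueError:
                    rejected.append(entry)      # keep the bad IP visible for review
                    continue
            # a later duplicate without an IP must not erase a known one
            indicators[name] = ip or indicators.get(name)
    return indicators, rejected


def to_rpz(indicators):
    """Render as RPZ records: 'CNAME .' makes the resolver answer NXDOMAIN for
    the name and, with the wildcard record, for everything beneath it."""
    lines = []
    for name in sorted(indicators):
        lines.append(f"{name} CNAME .")
        lines.append(f"*.{name} CNAME .")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    found, bad = parse_listings(SAMPLE_LISTINGS)
    print(to_rpz(found))
    print("rejected:", bad)
```

The hosting IPs are kept beside the names rather than folded into the zone: they are useful for firewall or proxy rules and for pivoting to sibling domains on the same server, but blocking an address outright can take down unrelated sites on shared hosting.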


However, the professionals behind these creations, seeking to refine them, try to cover as much of the "public" as possible by deploying the infection strategy in several languages.

They even serve variants of the malware accordingly. Thus, the creators of scareware try to cover the two main languages used worldwide, English and Spanish.

Related information
Strategy aggressive infection Police XP Antivirus....
Strategy aggressive infection Police XP Antivirus
Campaign Police Antivirus XP spreading through soc...
A recent tour of scareware IV
AntiSpyware 2009 has expanded its offers malicious...
New strategy to disseminate scareware IS
Attacking Mac systems through false security tool

Jorge Mieres
