MalwareIntelligence is a site dedicated to research on all matters relating to anti-malware security, computer criminology and information security in general, always from a perspective closely related to the field of intelligence.

30.7.09

A recent tour of scareware XI

Scareware-type malware keeps increasing and has reached a high level of spread and infection globally, combining different deception methods in the propagation process and using new domains.

Below are some of them, so that they can be blocked and the potential risk of infection minimized. Clearly, however, this list represents only a small percentage of the huge volume of scareware that appears daily.


XP Deluxe Protector
MD5: 8df5930924c6ba659033554764beed67
IP: 85.10.194.157, 213.182.197.46
Germany, Gunzenhausen, Hetzner-rz-nbg-net
Associated domains
xp-deluxeprotector .com
xpdeluxeprotector .com
antispy2009 .net
antispy2009 .net/onlinescan/index.php
butterflysearch .net

Detection result: 24/41 (58.54%)


Home Antivirus 2010
MD5: 28b293e5556cd6490c6bd50e762711e0
IP: 72.52.210.131
Germany, Gunzenhausen, Hetzner-rz-nbg-net
Associated domains
home-anti-virus2010 .com
homeantivirus2010 .com
homeav2010 .com

Detection result: 14/40 (35%)


Jorge Mieres


25.7.09

TRiAD Botnet. Remote administration of Linux zombies

The ability to manage botnets over the HTTP protocol appears to be a fundamental requirement for the developers of the web applications that accompany current crimeware.

In this sense, another alternative is the TRiAD Botnet Control System, a remote control system for Linux platforms. While this web application is still very young (its first release is dated 18 February 2009), three versions are already available, each with some interesting differences.

Setting aside for the moment the technical aspects of the TRiAD botnet, one of the most striking factors of this application (and of its family in general) is its showy design, where the thinking behind it seems to define the author's "style".

The same approach also appears in crimeware applications that are more sophisticated than this one in terms of the features and options they offer, ZeuS for example.

Moreover, another feature perceived in the current development of crimeware of this style is the greater emphasis on optimizing the processes involved in deploying botnets and in controlling and administering zombies, where, without losing the design aspect raised above that makes the application more "friendly", it also offers simplicity with a minimalist style.

Either way, whether in terms of design, the types of features they offer or the purchase price, botnets and the army of zombie computers that a botmaster has under command are a potential danger and a web-borne threat that is difficult to stop at this time.

In this case we are looking at the first version of a family of web applications, TRiAD Botnet (written in C), designed as a botnet control system; it has an older brother named Hybrid, with the particularity of being designed to control zombies on Linux distributions.

Although this version of TRiAD runs only on Linux, its later versions are multi-platform (Linux and Windows). It offers only three basic functions of any botnet management: launching DDoS attacks, executing a shell and opening a port (BindShell), and notification when a zombie connects (ReverseShell).

From a structural standpoint, the Distributed Denial of Service attack is handled by a file called dos.php, whose information is stored in the file dos.txt.



<?php
// dos.php (TRiAD panel): the DDoS command submitted by the botmaster ($action, $cmd
// come from the panel form) is written to dos.txt, read back and echoed in the page.
if ($action) {
    $file = fopen("dos.txt", "w+");
    fwrite($file, $cmd);
    fseek($file, 0);               // rewind so the stored command can be read back
    $line = fread($file, 100);
    echo "Command: $line";
    fclose($file);
}
With respect to the BindShell, only six commands are needed to run a shell and leave a door open for the botmaster. These commands are displayed in the screenshot of the module in question, which takes its information from the file cmd.php and reflects the result in cmd.txt.


<?php
// cmd.php (TRiAD panel): same pattern as dos.php, but the shell command is
// stored in cmd.txt; the stray "0" before fclose in the original listing was a typo.
if ($action) {
    $file = fopen("cmd.txt", "w+");
    fwrite($file, $cmd);
    fseek($file, 0);
    $line = fread($file, 100);
    echo "Command: $line";
    fclose($file);
}

The ReverseShell module reports each time a zombie is recruited and each time it establishes its Internet connection. This information is stored in a small table showing the number of active zombies, the IP address of the host under attack and the command executed.



<?php
// ReverseShell view (TRiAD panel): counts the connected zombies and shows the
// last DDoS and shell commands stored by dos.php and cmd.php.
$machines = new Online();          // panel class that tracks the connected bots
if ($machines->count() == 1) {
    echo "--> " . $machines->count() . " bot ";
} else {
    echo "--> " . $machines->count() . " bots ";
}

$ddos = fopen("dos.txt", "r");     // last DDoS command
$line = fread($ddos, 100);
echo "$line";
fclose($ddos);

$plik = fopen("cmd.txt", "r");     // last shell command ($plik/$linia: Polish for file/line)
$linia = fread($plik, 100);
echo "$linia";
fclose($plik);

Botnets are a serious problem for the security of any information environment connected to the Internet, and the development of crimeware applications keeps growing. Even in this case, where the source code is free, there is a problem: anyone with the necessary knowledge can manipulate the code and adapt or add functionality to the botnet.

Still, although developing crimeware may not represent a deal for the creators of these applications, it does work within an industry with malicious objectives, expanding the range of alternatives designed to feed other related businesses.


Jorge Mieres


15.7.09

Software as a Service in the malware industry

For several years we have had the ability to interact with different resources offered via the web without using local resources on our own computers; for example, an operating system in memory (eyeOS), which applied this concept at the time and still does, as well as others we use routinely such as Google Apps.

At present, this concept goes by a name that is setting a trend, Cloud Computing, which offers a wide range of services that use the Internet as the central infrastructure (the cloud). Where the services offered are programs, it's known by the acronym SaaS (Software as a Service).

The point is that, under this new phenomenon, malware developers have not stayed on the sidelines and have given rise to a new term that accompanies the concept of Cloud Computing: MaaS, Malware as a Service.

Some months ago I mentioned a paid online service, PoisonIvy Polymorphic Online Builder, that gives malicious code based on the famous PoisonIvy trojan polymorphic capabilities.

Adding to this trend of offering services over the HTTP protocol, there are several alternatives similar to the above but free, such as FUDSOnly Online Crypter, which focuses its activity on processing malicious code with the intent of avoiding detection by antivirus companies, contributing to the cause pursued by malware developers of building anti-analysis processes into their creations.

Basically it's a crypter, a type of program normally used to encrypt the binaries used in the distribution of malicious code. This "service" has the advantage of not needing to download or run the crypter locally on the PC; the entire process is carried out via the web.

At the end of the process, the application returns the legend "Your file has been encrypted without errors, Service offered by FUDSOnly. Click HERE to download.", which holds the link to download the processed file.

As an "extra", the "service" can insert the crypter's EOF data (information located at the end of the file) into the encrypted file, for malicious code that doesn't support it, through a small program called ReEoF.

This malware-processing service had a previous version, which shows that the concept had already been adopted by cybercriminals for quite some time.

In fact, many services of this style have jumped on the wave.

The malware industry is adding itself to the agglomeration of online services offered under Cloud Computing, extending the range of dangers and threats and continuing the daily bombardment against information environments, seeking to broaden the criminal offering.


Jorge Mieres


11.7.09

Special!!! ZeuS Botnet for Dummies

After dealing with some emphasis on the activities of one of the most active botnets today, ZeuS, let's look at a more detailed description of its criminal activity.

If we talk about malware and botnets, ZeuS no doubt has a particular advantage due to the number of zombies that are part of its ranks. ZeuS is designed to remotely steal any information stored on victims' computers and to carry out other attacks aimed at stealing information, such as phishing.

Therefore we could say that ZeuS is spyware, but it also has the capabilities of other types of malware such as backdoors, trojans and viruses. However, the author mentions in the installation manual that he doesn't like to call this crimeware by any of those names, and refers to it instead as "bot software".

Although we know the external face of ZeuS (the web interface for managing and controlling zombies), it has certain features that are constantly evolving and being professionalized, achieving greater flexibility and adaptability to ensure operation on different versions of Windows. This makes ZeuS a latent and very dangerous threat for any information system.

In this sense, ZeuS also ensures that it "works" at privilege level 3 of the operating system (where applications run) to avoid incompatibilities with hardware and device drivers (which operate at lower levels). Though it may seem an irrelevant fact, this allows greater flexibility and hence a higher yield from the fraudulent and criminal activities for which it was conceived.

The latest version of ZeuS is written with version 9 of the C++ language, and among the features of this (malicious) web application we can mention:

TCP network traffic monitoring (sniffer).
Interception of FTP and POP3 connections on any port.
Interception of HTTP and HTTPS requests from all applications that work with the wininet.dll library (e.g. IE). This dispels the myth that ZeuS uses a BHO to intercept applications through IE.
Server functions (socks4/4a/5).
Backconnect for all services of the infected computer (RDP, Socks, FTP, etc.).
Real-time screenshots.
Ability to conduct phishing attacks.
Built-in anti-analysis mechanisms.
Builder for the trojan that is spread and for its configuration file.
Polymorphic encryption.

Another technical detail is that all ZeuS communication is done through a symmetric encryption algorithm (RC4).

The server is the heart of ZeuS, as of any botnet; it is what obtains all the records from the infected computers that are part of the botnet and executes commands on them remotely.

On the other hand, many botnets use virtual servers for their criminal operations. However, this plays against the botnet when it is very large, as ZeuS usually is, since virtual servers don't have many resources, so it's customary for the botmaster to use dedicated servers to host the bot. This is an important fact to keep in mind on the research side.

Accordingly, and as every application requires a minimum of resources to run satisfactorily, in the case of this botnet the requirements are just 2GB of RAM and a 2x 2 GHz CPU. As we can see, the minimum requirements aren't at all a VIP constraint. Anyone can deploy ZeuS, even without these minimum requirements.

Furthermore, it's assumed that the computer runs an HTTP server with PHP (the language these crimeware are generally developed in) and MySQL (to create the database with the statistical information that shows its activity). Another requirement is Zend Optimizer, which is necessary to protect and optimize the scripts.

With regard to updates, ZeuS can also be "groomed" with newer versions without too much effort. During the last six months five versions have been released (roughly one every 35 days) with error corrections, changes and new features, not counting the versions with smaller fixes.


After looking at the diagram, many wonder what the number of each version means. In a teaching mode we could say that, given a version "A.B.C.D" ...

A means a complete crimeware package.
B represents changes that cause total or partial incompatibility with earlier versions.
C specifies error corrections, added functionality, improvements, etc.
D is the number of refuds (changes) to the current version.

This is just a snapshot of what ZeuS can do and represents in terms of the skills and maneuvers present in an environment where criminal crimeware applications are the main actors.


Jorge Mieres


8.7.09

Waledac/Storm. Past and present of a threat

At the beginning of 2007 a malicious code jumped out of the darkness to become a source of important news because of its particular deception strategies and a major global infection campaign that still remains a subject of research for the security community.

This is Storm, aka Nuwar or Zhelatin depending on the name assigned by each antivirus company, although it's known as "storm" perhaps alluding to the way it ravaged the systems it transformed into zombies, recruiting machines under the command of the botnet.

At present the threat posed by Storm hasn't been set aside but transferred to its twin brother, Waledac, which essentially keeps the characteristic of trying to innovate in the excuses needed for spreading, and which has recently awakened after a period of hibernation.

    Some features of this threat are:

    It spreads through unsolicited e-mail (spam)
    It uses different deception strategies (Social Engineering) for each propagation campaign
    A link embedded in the message body routes to a site where the malware is downloaded
    The infected computers become part of a botnet
    The infection cycle is completed through the spreading of more spam
    Fast-Flux networks
    Polymorphic capabilities at the server level

    During virtually all of 2007, Storm (whose first appearances used as a deception strategy the display of a video about a storm unleashed in Europe) used e-mail as its means of propagation/infection, with varied subjects and topics inciting the user to click a link embedded in the message body, which in some cases led to a page (some of them also tried to spread Storm by exploiting vulnerabilities using iframe tags) and in others directly to the download of a binary; in both cases, Storm.

    By the following year (2008), Storm added the "surprise effect", linking the e-mail to a web site that accompanied the excuse presented in the mail with an image alluding to the theme which, as in 2007, rotated with each major event (Valentine's Day, US Independence Day, Christmas, etc.). In addition, some variants spread through blogs.

    After several months of inactivity in terms of propagation, in January of this year Waledac appeared, a trojan that uses the same mechanisms as Storm, and many security professionals began to see the similarity between them.

    After several investigations, one might say that Waledac is the twin brother of Storm. It uses the same Social Engineering methodologies, with a broad portfolio of images and themes used as excuses to capture users' attention: from the typical "love" images for Valentine's month, through cases of alleged terrorist attacks, among others, to the recent one about a video on YouTube.

    There are, among others, two very interesting features in both Waledac and Storm: the use of Fast-Flux networks and polymorphic capabilities on the server.

    The first allows the threat to spread across different IP addresses and using different domain names that constantly rotate among each other in name resolution. This means that, through a pre-configured time to live (TTL), every x number of hops between nodes (infected computers) for the same domain, a different prototype of the malware is downloaded.

    This leads to the second feature, polymorphism. Each time the TTL expires, the package (malware) attempts to download a different version of the malicious code, which "changes" every certain amount of time (also predetermined by the attacker), establishing its polymorphic capacity.
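The two properties the post attributes to the Fast-Flux side (many IPs behind one name, rotating on a short TTL, hosted on infected machines in different countries) are exactly what a resolver-side heuristic can key on. The following is an added example, not code from the post: it scores a domain from a list of constructed DNS observations (each A record seen with its TTL and a country label, as a GeoIP lookup would supply) and flags it when IP, network and country diversity are high and the TTL is short. The thresholds are an assumption chosen for illustration.

```python
"""Fast-flux heuristic over DNS observations (added example; thresholds are assumptions)."""
import ipaddress
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Observation:
    """One A record returned for `domain`, in lookup order."""
    domain: str
    ip: str
    ttl: int       # seconds, as returned by the resolver
    country: str   # GeoIP country of `ip` (constructed here)


# Constructed sample: a lure domain that rotates short-TTL records over eight
# addresses in three networks and three countries (the shape the post describes),
# next to an ordinary domain served from two hosts with a long TTL.
SAMPLE = [
    Observation("video-lure.example", "192.0.2.10", 300, "US"),
    Observation("video-lure.example", "198.51.100.7", 300, "AR"),
    Observation("video-lure.example", "203.0.113.21", 300, "BR"),
    Observation("video-lure.example", "192.0.2.44", 300, "US"),
    Observation("video-lure.example", "198.51.100.99", 300, "AR"),
    Observation("video-lure.example", "203.0.113.8", 300, "BR"),
    Observation("video-lure.example", "192.0.2.201", 300, "US"),
    Observation("video-lure.example", "198.51.100.150", 300, "AR"),
    Observation("static-site.example", "192.0.2.80", 3600, "US"),
    Observation("static-site.example", "192.0.2.80", 3600, "US"),
    Observation("static-site.example", "192.0.2.81", 3600, "US"),
    Observation("static-site.example", "192.0.2.80", 3600, "US"),
]


def summarize(observations):
    """Per-domain diversity figures: distinct IPs, distinct /16 networks,
    distinct countries, lowest TTL seen, and how often consecutive lookups
    answered with a different address (the 'constant rotation' the post notes)."""
    by_domain = defaultdict(list)
    for obs in observations:
        by_domain[obs.domain].append(obs)

    summary = {}
    for domain, obs in by_domain.items():
        ips = [o.ip for o in obs]
        nets = {str(ipaddress.ip_network(f"{ip}/16", strict=False)) for ip in ips}
        rotations = sum(1 for a, b in zip(ips, ips[1:]) if a != b)
        summary[domain] = {
            "ips": len(set(ips)),
            "nets": len(nets),
            "countries": len({o.country for o in obs}),
            "min_ttl": min(o.ttl for o in obs),
            "rotations": rotations,
        }
    return summary


def is_fast_flux(stats, min_ips=5, min_nets=3, min_countries=2, max_ttl=600):
    """Flag when a single name is backed by many addresses spread over several
    networks and countries, all advertised with a short TTL. A CDN can also show
    several addresses, but normally inside one operator's networks, which is why
    network and country spread are required together with the IP count."""
    return (
        stats["ips"] >= min_ips
        and stats["nets"] >= min_nets
        and stats["countries"] >= min_countries
        and stats["min_ttl"] <= max_ttl
    )


def flag_domains(observations):
    """Map each observed domain to True when it looks like a fast-flux name."""
    return {d: is_fast_flux(s) for d, s in summarize(observations).items()}


if __name__ == "__main__":
    for domain, stats in summarize(SAMPLE).items():
        print(domain, stats, "FAST-FLUX" if is_fast_flux(stats) else "ok")
```

Feeding the function real resolver output over time (several lookups per domain, not a single answer) is what makes the rotation and TTL signals meaningful.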

    The diagram below shows the direct relationship, over time, between the threat and the deception strategy it used.

    Each of the zombies that are part of the botnet created by Waledac focuses its efforts on sending spam. In this sense, a very interesting extract from a report says that Waledac has the ability to send about 150,000 spam emails per day.

    Knowing, then, that Storm/Waledac are running campaigns with high rates of spread and infection globally, it's clear that their creators are continuing their criminal operations for financial reasons, which is nothing new for malware today.


    Jorge Mieres


    5.7.09

    Anti-analysis process automation II

    The malicious mechanisms used in both the propagation process and the infection methods evolve gradually, as crimeware developers are constantly tweaking their creations in order to increase their economy.

    This reality clearly shows that the development of malware is a business where many "entrepreneurs" take up the subject, releasing new alternatives to the viral market that actively participate in the automated generation of malicious code with embedded self-defensive processes, which have a negative effect on malware research and analysis.

    Some time ago we talked about one of the crimeware applications of Russian origin that was added to the portfolio of offerings that reflects, and represents, the underground malware trade: the CRUM family of malicious software with polymorphic features.

    Earlier this month its creators officially launched, with fireworks, new versions of their two star crimeware applications, CRUM Cryptor Polymorphic (v2.6) and CRUM Polymorphic Joiner (v3.1), both written in Delphi and ASM.

    The first is a polymorphic "crypter", a program whose goal is to encrypt each file processed. In this case encryption uses a random 256-byte key. At the same time, the malicious file is also subjected to polymorphism, so each process produces a different file, which is to say... a different piece of malware.

    Priced at USD 200, this crimeware promises, among many others, the following features:

    Supports Windows 2000, Windows XP SP3, Windows Server 2003 and Windows Vista
    Polymorphic encryption
    Encryption with a 256-byte random key (in previous versions the key was 128 bytes)
    By default the entry point is always in the first section of the binary, but it can be configured to be random
    Anti-VM: avoids execution of the binary in virtual machines
    Anti-dump: prevents memory dumping
    Random replacement of icon pixels
    Ability to change or delete the icon
    Allows encryption from the command line


    Perhaps this crimeware seems a bit trivial, but the polymorphism functionality makes it a very dangerous threat, as the mutation that occurs in each of the files isn't superficial: it doesn't change any time stamp but makes important changes to the modified binary, completely altering its structure and forming a new type of malware in each process.

    The younger brother of the family, CRUM Joiner Polymorphic, is designed, as its name implies, to merge (a concept adopted by current crimeware) files regardless of extension, and is written in MASM32.

    It's priced at USD 100 and its features include:

    Like its older brother, it has polymorphic capabilities
    Allows merging an unlimited number of files with any extension (mp3, avi, doc, bmp, jpg, exe)
    Sets functional options for the final file (target folder, attributes, etc.)
    Allows selection of the icon; by default the software comes with 40 images
    Encrypts the binary with a 256-byte random key
    Supports Drag & Drop
    Ability to select the final file extension
    Removal of file icons
    Anti-analysis capability: prevents execution of the binary in virtual machines


    With respect to the conditions of sale and use of the crimeware, the author asks that the crypter and its components not be shared (this goes against the "business"), not be used for commercial purposes (a clear contradiction) and not be submitted for analysis to online sites such as VirusTotal (this increases the binary's detection rate). The requirements seem rather childish.

    The objective behind the development of these applications is to increase the life cycle of the malicious codes subjected to the malicious processes offered by the application, adding anti-analysis features that hinder their detection and subsequent analysis by antivirus companies.


    Jorge Mieres


    4.7.09

    Massive Waledac spread/infection campaign launched using the Independence Day of the USA as an excuse

    After a long period of inactivity, the creator (or creators) of the Waledac trojan launched yesterday, July 4 (U.S. Independence Day), a new propagation campaign using the same mechanism that characterizes Waledac and characterized Nuwar in its time: Social Engineering.

    This time the excuse is the Independence Day celebrated in the U.S., and the propagation mechanism is the simulation of a video showing the alleged fireworks for the celebration of the day.

    It's likely that this massive spread/infection campaign will end with a fairly high rate of infection, because the vector through which the threat spreads is e-mail which, true to a characteristic of spam, is massive, reaching millions of users by using the computing power of the botnet that Waledac comprises.

    We currently don't see any relevant characteristic differentiating the propagation mechanism used on this occasion from the previous ones, though perhaps the activity period will be extended for a good while.

    Still, there are obvious analogies. For example, it continues to make use of BlackHat SEO techniques in composing domain names alluding to the excuse used (firework, 4th, independence, happy, july, movies, video).

    Among the domain names created from these words are (all actively spreading Waledac):



    The names of binaries used by Waledac to date are:


    Through the monitoring of this threat carried out by sudosecure.net since it was born under the name Nuwar, this information can be seen graphically.


    Similarly, we can visualize a lot of graphical information, such as the IP addresses involved in the dissemination of Waledac. In this case the Top 10 and, considering that the campaign is focused on the U.S. (although this doesn't mean that the number of infected people is limited to the U.S.), it's logical to believe that the majority of infections occur in the first instance in that country.

    On the other hand, Waledac continues to use masking techniques such as Fast-Flux, using different IP addresses for the same domain.


    Waledac has emerged from the shadows once again, turning to its classic strategy, and will continue its spread/infection campaign to expand its botnet with the recruitment of more zombies.


    Jorge Mieres


    3.7.09

    Malware propagation through blog-format sites and BlackHat SEO

    We have seen and mentioned before that the strategies used during malicious code propagation increasingly involve BlackHat SEO techniques to create different vectors for accessing and downloading the malicious file being spread.

    Combined with Social Engineering and domain names built from keywords in high demand on search engines, referring to websites with a large and massive flow of use such as Rapidshare, Megaupload and others related to music, games, movies, etc., they make, as a whole, a very effective propagation method.

    Currently a major campaign is being carried out through websites that simulate the whole structure of a blog and use much sought-after words, combined with each other to form the domain name, to download malware, using flashy BlackHat SEO techniques to achieve good search engine positioning. Among the words used are: rapidshare, megaupload, free, games, soft, warez, ftp, music, full, house, pub, movies, cat, catalog, download.

    Among the domains created from the combination of these words are:



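Both this campaign and the Waledac one described above build their domain names purely by gluing lure keywords together, which is something a defender can score mechanically. The following is an added example, not code from the post: it tokenizes a domain's registrable label into the keywords the two posts list (plus singular/plural variants, an assumption of mine) with a dynamic-programming split, and flags names that are almost entirely made of two or more such words, so that a single brand name on its own (rapidshare.com) is not flagged. The domains in the sample are constructed in the style of the post.

```python
"""Score domain names by how fully they decompose into lure keywords (added example)."""

# Keyword lists from the two posts (Waledac 4th of July lures and the
# blog-format BlackHat SEO campaign), merged into one vocabulary.
BASE_KEYWORDS = [
    "firework", "4th", "independence", "happy", "july", "movies", "video",
    "rapidshare", "megaupload", "free", "games", "soft", "warez", "ftp", "music",
    "full", "house", "pub", "movies", "cat", "catalog", "download",
    "holiday", "outdoor", "interactive",   # appear in the listed names; assumption
]


def build_vocab(words):
    """Add a simple singular/plural variant for each keyword (assumption: the
    lure sites use both forms, e.g. movie/movies, firework/fireworks)."""
    vocab = set()
    for w in words:
        vocab.add(w)
        vocab.add(w[:-1] if w.endswith("s") else w + "s")
    return vocab


VOCAB = build_vocab(BASE_KEYWORDS)


def registrable_label(hostname):
    """'www.free-games-rapidshare.com' -> 'freegamesrapidshare' (hyphens dropped
    so 'movie-rapidshare' and 'movierapidshare' score alike)."""
    host = hostname.lower().strip(".")
    if host.startswith("www."):
        host = host[4:]
    return host.split(".")[0].replace("-", "")


def segment(label, vocab=VOCAB):
    """Split `label` into vocabulary words covering as many characters as
    possible. Returns (covered_chars, words). best[i] holds the best split of
    label[:i]; a character not covered by any word is simply skipped."""
    best = [(0, [])] * (len(label) + 1)
    for i in range(1, len(label) + 1):
        best[i] = best[i - 1]                       # label[i-1] left uncovered
        for w in vocab:
            n = len(w)
            if i >= n and label[i - n:i] == w:
                covered, words = best[i - n]
                if covered + n > best[i][0]:
                    best[i] = (covered + n, words + [w])
    return best[len(label)]


def score_domain(hostname):
    """Fraction of the label covered by lure keywords, and the words found."""
    label = registrable_label(hostname)
    if not label:
        return 0.0, []
    covered, words = segment(label)
    return covered / len(label), words


def is_lure_name(hostname, min_coverage=0.8, min_words=2):
    """Flag names almost entirely composed of two or more lure keywords.
    Requiring two words keeps the legitimate brand itself (rapidshare.com)
    from being flagged; the thresholds are assumptions for illustration."""
    coverage, words = score_domain(hostname)
    return coverage >= min_coverage and len(words) >= min_words


if __name__ == "__main__":
    for name in ["movieindependence.com", "www.free-games-rapidshare.com",
                 "holidaysfirework.com", "rapidshare.com", "tsautah.org"]:
        print(name, score_domain(name), "LURE" if is_lure_name(name) else "ok")
```

Run over a feed of newly registered domains or proxy logs, the same function gives a cheap first-pass triage list; the vocabulary should be refreshed with each campaign's theme words.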

     
    The search-engine words or subjects that are part of these pages have very powerful positioning, appearing, as in the example, in the top positions.


    From these different sites a battery of malware is downloaded, significant not only in quantity but in variety. Some of the malicious files (with their detection ratios) are:

    SoftwareAngular.Momentum.-.Chromium.45094.exe - 2/41 (4.88%)
    Keygen.OJOsoft.Total.Video.Converter.v2.6.1.0106.-.For.MKV!.exe - 24/40 (60.00%)
    Setup.exe - 26/40 (65.00%)

    BlackHat SEO techniques present a new approach to spreading malware that malware writers don't leave aside, marking a trend and an effective and aggressive infection campaign that is difficult to control through conventional mechanisms.




    Jorge Mieres
