MalwareIntelligence is a site dedicated to research on all matters relating to anti-malware security, criminology computing and information security in general, always from a perspective closely related to the field of intelligence.

29.12.09

Exploit packs and their relationship with the rogue

Fraudulent activity they related to each other through "associates" of business in which each cell officiates as an intra-organizational structure, complementing a company engaged in such illegal activities.

In this sense, the rogue (also called scareware), has a significant amount of "affiliates" who are responsible for the distribution of malicious code. In fact, a recent study by the FBI noted that the estimated losses due to rogue amount to USD 150 million.

It shows why all those old social engineering strategies that often leave a sense of triviality still very effective, and why many professionals in the criminal field, seeking to expand their criminal activities and gains, migrate their efforts merge dissemination strategies with BlackHat SEO techniques or even type, with Exploits Pack as in this case.

A case in point is the recent emergence Exploit Pack called Siberia Exploit pack within its structure that includes a file called file.exe. When the user reaches one of the domains used by crimeware, an exploit (usually through pdf files) is responsible exploit the vulnerability, download malware from a predetermined domain and execute it.

Once the malware infects your system, make a Desktop Hijack showing the warning of an infection through the message "YOUR SYSTEM IS INFECTED!".

After that, the system starts to display popups (characteristic of adware) converting the system into the nest of rogue and reference point of a botnet. However, regardless of the infection, these popups are part of the campaign of deception and psychological action of malware.

First, because the installed antivirus course far from resolving the problems, made worse by downloading malicious code or by opening more ports for accessing other threats. Furthermore, because the warnings of infection, besides being aggressive, are completely untrue, and the aim is to "scare" the end user to "buying" the fake antivirus.

Related information
Siberia Exploit Pack. Another package of explois In-the-Wild
Anti-Virus Live 2010. Talking with the enemy
A recent tour of scareware XIX
Scareware. Estrategia de engaño propuesta por Personal Antivirus
Campaña de propagación del scareware MalwareRemovalBot

Jorge Mieres

Ver más

27.12.09

Testimonials scareware and credibility strategy

One of the strategies used by the propagators of scareware (rogue) is trying to attract users' confidence through "evidence" allegedly made by people who have already acquired the "solution" and that they express through his "great satisfaction by the same".

Yet we know very well that only part of a scam that seeks to complement the overall strategy of propagation/infection, and that if we install this program we will end the system infected by a scareware. Therefore, don't you wonder who are those who assert the efficacy of this fake antivirus tool?

Depending on the image, where each phrase appears under the assumed name (incomplete) of being responsible for it, perhaps we can deduce that it's ladies and gentlemen:

• Dave C. = Dave Conficker
• Beth P. = Beth Phoenix
• Lisa W. = Lisa Waledac
• Melissa H. = Melissa Hupigon
• Paul M. = Paul Mebroot
• Jason C. = Jason Crum
• Pat J. = Pat Justexploit
• Matt E. = Matt Eleonore
• Roger F. = Roger Fragus
• Sam P. = Sam Piosonivy
• Jamie V. = Jaime Virut
• Tracey K. = Tracey Koobface
• Brian A. = Brian Adrenaline
• Sally V. = Sally Virtumonde
• John R. = John Ransomware
• Lauren R. = Lauren Rustock

Malware always taking "personality" as a strategy and coverage where they could only rave about a colleague fraudulent ;-P

Related information
Anti-Virus Live 2010. Talking with the enemy
A recent tour of scareware XIX
Disinformation campaign to spread malware
Koobface campaign spread through Blogspot

Jorge Mieres

Ver más

25.12.09

Siberia Exploit Pack. Another package of explois In-the-Wild

Siberia Exploit Pack is a new package designed to exploit vulnerabilities and recruit zombies original, as is easy to deduce from its name and as is customary in this area crimeware clandestine business in Russia. It was released almost together with RussKill, a particular purpose botnet also emerging.

For now, the sale of Siberia Exploit Pack is closed. The versions that are shared in some servers are private and fraudulent purchase is only accessible through "guarantors", ie other criminals (usually botmaster, spammers, phishers, etc.). Recommending a particular person you want to buy the package .

This will control and maintain a certain level of trust between developers and their buyers Exploit Pack. This also explains why the closed cycle in their use.

The structure of this crimeware is composed of several php files and a pack of exploits defaults. Among the php files are:
  • stat.php: the panel of administration access via http.
  • index.php: contains an item "refresh" that generates a continuous refreshment redirected to Google.
  • exe.php: contains the instructions to download a binary called file.exe default and contains a script that redirects to an exploit MDAC mdac.php contained in the file. Depending on the parameters that are passed to php also download pdf files.
  • config.php: contains the configuration parameters of the package. It's in the default folder called inc.
The files that are spread through this pack and exploit other vulnerabilities are:
In this case, both pdf files (whose names are created at random) exploit vulnerabilities CVE-2007-5659 (Adobe Collab overflow), CVE-2008-2992 (Adobe util.printf overflow), CVE-2009-0927 (Adobe getIcon). While file.exe creates another file called winlogon86.exe (md5: 4217e91f65c325c65f38034dc9496772).

The "fashion" exploit packet doesn't end and it would seem that the categorization of "fashion" because it's small.

Since I began using the mass take Exploits Pack (mid 2007), there are many alternatives to this style, both general purpose and particular purpose, which are offered through a black market in which not only feeds back the business of malware with "resources" effective and simple (in this case Siberia Exploits Pack) to suit their needs without major crime efforts, but the same development as the exploit pack crimeware, botnets conjunction with that to create and manage, provides an important link in the criminal chain fits-hardly the criminals leave aside.

This obviously gives a sufficiently concrete to understand that we are facing actions and strategies of "business" held by professionals in the field of cybercrime.

Related information
RussKill. Application to perform denial of service attacks
DDoS Botnet. New crimeware particular purpose
JustExploit. New Exploit kit that uses vulnerabili...
Fragus. New botnet framework In-the-Wild
ZeuS Botnet y su poder de reclutamiento zombi
Liberty Exploit System. Alternatively crimeware to...

Jorge Mieres

Ver más

24.12.09

Anti-Virus Live 2010. Talking with the enemy

Generally one has the false belief that malicious code is trivial that any technical problems solved by just formatting the system or acquire any of the known anti-malware market offers today.

However, on the one hand, the reality is that behind the development of malware hides a very large business in which every day must be added more "associates". Moreover, what happens when we plan to buy this antivirus is just the opposite.

This is the case of the Anti-Virus Live 2010 or what is the same, Anti-Virus Elite 2010 malware scareware type (or rogue), which makes it quite evident that the processes and mechanisms by which deceives order to steal your money are well oiled and well thought out.

At first instance, as is usual in this type of threat, the strategy is supported by a website that is used to "bait" to lure potential victims, saying all sorts of justifications to "prove" some credibility on the false antivirus, which complements a typical disinformation campaign.

So far, nothing interesting. Except for the possibility of requesting assistance via chat. Interesting. Then check if this condiment is legitimate ... Yes it's.

Consequently, communication was established through this option with the surprise that immediately got response from the other side. You can then take the short conversation via chat.

We basically said Dennis, the merchant, which among other things the course antivirus is compatible with all versions of Windows, its value is USD 27, which only supports English and no enterprise version and no problems eliminating conficker.

Let us briefly discuss these points. Obviously, the scareware must be compatible with all versions of Windows as it's this time the audience that the threat is directed. Why? Simply because more than 80% of people use Windows as the main operating system in home environments where the potential for finding a particular victim increases. This way is much more likely "to close business."

For the same reason there isn't version for GNU/Linux, even, not even version oriented businesses; because usually, the companies have a higher level of security where probably the scareware not find results.

Why English and not Russian? Because English is the third most popular language. Its cost, USD 27, represents a competitive value that's commensurate with the average cost of legitimate antivirus programs. And regarding conficker, whether by koobface wondering, the answer would have been the same.

A very interesting fact that helps to understand its true magnitude of the illegal business of malware, is the error committed by the "affiliate" Dennis when requesting the URL to buy a false solution. It gives us the url registryfix.com/purchase and time of comment that is not in question the supposed solution, offering the proviso antivirus-elite.com/purchase the corresponding url.

However, we were trying to close "business" by Anti-Virus Live 2010 and not Anti-Virus Elite 2010, making it clear that this is the same threat under different names. Even the same "partner" manages and markets various alternatives under similar mode. In this case, also offering the fraudulent sale of Registry Fix, another associated with NoAdware and scareware ErrorClean.

From a technical point of view, the domain of this threat is in the IP address 204.232.131.12, hosted by the ISP Rackspace, located in the city of Hoboken in the United States under AS27357.

According to the history of this AS, the activities generated by malicious code are important

From the website you download an executable named setup.exe (MD5: C50DC619E13345DEC2444B0DE371DFD4) which corresponds to scareware installer with a low rate of detection.

As we see, the cybercriminals don't get tired of spreading increasingly aggressive threats that accompany the infection process through marketing campaigns, even very similar to those used by many antivirus companies.

Related information
A recent tour of scareware XIX
Green IT utilizado para la propagación de scarewar...
Scareware. Repositorio de malware In-the-Wild
Scareware. Estrategia de engaño propuesta por Personal Antivirus
Campaña de propagación del scareware MalwareRemovalBot

Jorge Mieres

Ver más

23.12.09

A recent tour of scareware XIX

Doctor Alex
MD5: 4f2bdddc4b71a428ec2e964cfed9f11a
IP: 69.89.20.48
United States United States Provo Bluehost Inc
Dominios asociados
doctor-alex.com

Result: 7/40 (17.50%)

Safety Anti-Spyware

MD5: 848aea51e9d26089982c9b820c2ea4ba
IP: 212.117.177.18
Luxembourg Luxembourg Luxembourg Root Esolutions
Dominios asociados
safetyantispywareshop.com

Result: 1/41 (2.44%)


Antivirus Doctor

MD5: f43835e6ca25095afe53480d30a6181a
IP: 174.37.110.224
location
Dominios asociados
antivirusdoctor.net

Result: 1/41 (2.44%)


antikeep.com (83.233.30.66) - Sweden Stockholm Serverconnect I Norrland
iguardpc.com (83.233.30.66) - Sweden Stockholm Serverconnect I Norrland
quickscansecurity.cn, photoscansecurity.cn/antimalware.exe (193.169.234.27) - Jamaica Jamaica Titan-net Ltd
erlsoft.in (91.212.107.38) - Cyprus Cyprus Nicosia Riccom Ltd
allinoneprotection1.com/scan3/(...)MPAFM&video... (192.41.60.10) - United States Lindon Icon Developments
top2009securityf.cn/download/ (204.12.252.101) - United States Kansas City Wholesale Internet Inc
malwarebytesy0.com (96.9.180.102) - United States Scranton Network Operations Center Inc
apart-leo.com.uvirt3.active24.cz/adv/security.php?b=1003 (81.95.96.126) - Czech Republic Prague Active24-cz-servers-net
dammekro.com/webcfg/security.php?b=1003 (195.249.40.157) - Denmark Denmark Koege Teaminternet-net
siteadware.com (85.12.25.111) - Netherlands Eindhoven Web10 Ict Services
theantyspywaretool.com/index.php?affid=92800 (78.129.166.11) - Cayman Islands Cayman Islands Cayman British Islands Offshore Network
1uktimes.cn/go.php?id=2004&key=ff0057594&d=1 (91.212.226.186) - Russian Federation Artem Netd-lux-network

Información relacionada
A recent tour of scareware XVIII
Una recorrida por los últimos scareware XVII
Una recorrida por los últimos scareware XVI
Una recorrida por los últimos scareware XV
Una recorrida por los últimos scareware XIV
A recent tour of scareware XIII
A recent tour of scareware XII
A recent tour of scareware X
Una recorrida por los últimos scareware X
Una recorrida por los últimos scareware IX
Una recorrida por los últimos scareware VIII
Una recorrida por los últimos scareware VII
Una recorrida por los últimos scareware VI
A recent tour of scareware V
A recent tour of scareware IV
A recent tour of scareware III
A recent tour of scareware II
A recent tour of scareware

Jorge Mieres

Ver más

15.12.09

RussKill. Application to perform denial of service attacks

Conceptually speaking, a DoS attack (Denial of Service attack) is basically bombarded with requests for a service or computer resource to saturate and the system can not process more data, so those resources and services are inaccessible, "denying" the access to anyone who wants them.

From the standpoint of computer security, Denial of Service attacks are a major problem because many botnets are designed to automate these attacks, especially those of particular purpose, taking advantage of computational power offered by the network of zombies. In this case, the attack is called Distributed Denial of Service (DDoS).

Moreover, under the framework of the concept of cyberwarfare, this type of attack is part of the armament "war" through which virtual scenarios presented conflicts between their requirements as to neutralize a state vital services.

RussKill is a web application that is classified within these activities and that despite being extremely simple, both in functionality and in the way of use, is an attack that could be very effective and difficult to detect.

As is customary in the current crimeware, the web application is of Russian origin and has a number of fields with information about how and against whom to carry out the attack, letting you configure the packet sequence, ie the flow in amount. The option "Hide url" is a self-defensive measure designed to ensure that the server is detected.

Although several methods of DoS attacks, RussKill makes use of the attacks HTTP-flood and SYN-flood. In both cases the servers for flood victims through http requests and packets with fake source IP addresses respectively.

As I said at first, the denial of service attacks are a danger for any information system, regardless of the platform that supports services and applications such, in this case site, demonstrates the ease with which an attack of this type can run.

Related information
DDoS Botnet. New crimeware particular purpose

Jorge Mieres

Ver más

9.12.09

Fusion. A concept adopted by the current crimeware II

It's increasingly common for research processes we find that on the same server are housed, "operating" actively, several crimeware Exploit Pack type from which control and manage the zombies that are part of his fraudulent business .

A while ago we commented on ElFiesta and
ZeuS coexisting in the same environment, and meet the same objectives.

This time, the merger is between Fragus (an increasingly popular crimeware) and ElFiesta. Both packages are hosted on the same server. However, although the potential doesn't mean they are being operated by the same botmaster.

The domain in which they are staying is as follows:

Where is in Fragus http://hotgirldream.net/far/ and ElFiesta for, is hosted on another folder, the path is http://hotgirldream.net/content/. As we can see, share the server with IP address 210.51.166.233, located in Yizhuang Idc Of China Netcom, Beijing.

This demonstrates that opportunities for "business" don't go only by the sale of crimeware, malware, exploit pack and other fraudulent activities, but another alternative is to provide the infrastructure for, in terms of its computing capacity, streamline processes criminal.

Related information

Fusión. Un concepto adoptado por el crimeware actual
Fragus. New botnet framework In-the-Wild
ZeuS and power Botnet zombie recruitment
ElFiesta. Recruitment zombie across multiple threa...

Jorge Mieres

Ver más

5.12.09

Disinformation campaign to spread malware

Disinformation is basically distort or manipulate the information so that the recipient end believing something completely untrue, and which the originator obtains an advantage. For example, the rumor is a tool used in the campaigns of disinformation. In turn, misinformation is a tool that provides useful information in a timely manner (Intelligence).

Transferred this concept to the computer field, is neither more nor less than a social engineering methodology that increasingly used by developers of malicious code to try to attract the confidence of users and thus take advantage of this condition to execute the process of infection.

Usually we see on the pages scareware rate spread malware (also known as rogue), where we find pictures of certifications such as Virus Bulletin and AV-Comparatives, or some other like PC Magazine or PC World that don't fulfill the same function as the magazine formerly known as they are enjoying "trust" among the public.

Another alternative is focusing its efforts on trying to prove that this "solution" (scareware) is the best. This is done through false compare where it gets questioned the detection levels of antivirus companies widely known in the market.


Both strategies of deception appeal to what is known under the concept of authority represented by these certificates and publications in the "real" antivirus and information technology respectively.

In this regard, I recently discovered another method of deception is also directed to issue disinformation with the aim of encouraging users to believe the information and act accordingly.

It's pretending that the file is provided free of malicious code, also appealing to authority, but in this case, enabling organizations to verify the integrity of files through an online process to submit the files to antivirus solutions with greater confidence in the market. For example, services such as VirusTotal or VirScan. We then see a catch.
The domains involved are housed in the IP 213.5.64.20, located in the Netherlands (Netherlands Altushost Inc) but not all spread the threat. Among them:

safehostingsolutions.com/download.html
fileaddiction.com/download.html
freedatatransfer.com/download.html
freedownloadthanks.com/download.html
megasecuredownload.com/download.html
qualityupload.com/download.html

The files that are downloaded are the following names:
  • Hpack Generator.exe (91b31ea8c551397cd5b1d38ec1aa98dd) - Result: 8/40 (20.00%)
  • UAV Generator.exe – Idem
  • Knight Generator.exe – Idem
  • LG Generator.exe – Idem
  • Kings Generator.exe – Idem
  • DBlocks Generator.exe (53e3256bef0352caf794b641f93a32d5) - Result: 6/40 (15%)
As can be seen that besides the new proposal for cheating despite being quite trivial has a high impact on effectiveness, the level of detection in the two malicious codes is very low, representing only 15% and 25% of 41 antivirus engines.

It isn't to panic but to be vigilant.

Related information

A recent tour of scareware XVIII
Inteligencia informática, Seguridad de la Información y Ciber-Guerra
Deception techniques that do not go out of style

Jorge Mieres

Ver más

4.12.09

A brief glance inside Fragus

Fragus is a web application developed for the management of zombies, of Russian origin, who long to live has been inserted crimeware clandestine market with an affordable price (USD 800) if we consider criminal capabilities it offers.

The crimeware is basically composed of five sections: Statistics, Files, Sellers, Traffic links and Preferences. Each handles a specific task and they all complement one another.

In the Files panel is handling the executable file that will spread.

Sellers are in management exploits. In this case, corresponding to the first version of Fragus.

Regarding the Traffic links module, allows the "previous" and setting the iframe script that will be injected into the page that shall act as "driver" for the implementation of the configurator exploits the previous panel, that look for vulnerabilities on the victim machine .

However, one of the patterns identified in each of the packages of this style is the Statistical module. This module provides the intelligence necessary for the botmaster get a detailed report of the teams not only zombies but also on certain aspects needed to know in detail what should exploit to run.

Another interesting patterns we can deduce on the basis of this information is that the operating system is exploited Windows XP with Internet Explorer, the exploit more effectively, despite being very old (MS06-014) is the one that takes the vulnerability in MDAC and that among the countries with the highest rates of infection are the USA and Korea.

This represents a common scenario where perhaps the relevance factor is the inference that perhaps common situation due to the large volume of user who uses the Microsoft operating system on a non-licensed, which leads to not update .

Finally, another important factor that must not be overlooked is that cyber-criminals are not interested in the controversy surrounding the safety levels offered by one or another operating system (Windows, GNU/Linux and Mac OS) but all fall into the same category of "potential victims" because the vulnerability exploited in layer 7.

Related information
Fragus. Nueva botnet framework In-the-Wild
JustExploit. Nuevo Exploit Kit que explota Java
DDoS Botnet. Nuevo crimeware de propósito particular
T-IFRAMER. Kit para la inyección de malware In-the-Wild
ZoPAck. Nueva alternativa para la explotación de vulnerabilidades

ZeuS Botnet y su poder de reclutamiento zombi
Eleonore Exploits Pack. Nuevo crimeware In-the-Wild
Liberty Exploit System. Otra alternativa (...) para el control de botnets

Jorge Mieres

Ver más

1.12.09

Koobface campaign spread through Blogspot

A massive campaign to spread the worm is Koobface In-the-Wild using blogs as a strategy generated from the Blogspot service.

Koobface has become a nightmare for social networks and even though its propagation strategies do not change, this malware is almost two years of activity with a significant rate of infection, making it one of the largest botnets today.

Blogspot domains used as cover for the spread are:

pannullonumair.blogspot.com
haladynalatosha.blogspot.com

macdougalmuskan.blogspot.com

mailletjamaica.blogspot.com

ledrewrooney.blogspot.com

brasenoktayoktay.blogspot.com

toludestany.blogspot.com

edgarbillison.blogspot.com

piotrowiczlyanne.blogspot.com

brochoiredeedee.blogspot.com

decuyperantohny.blogspot.com

derrenpassini.blogspot.com

elsenelsenumthun.blogspot.com

elsyelsysalah.blogspot.com

fanjonappuappu.blogspot.com

fredrikadantos.blogspot.com

genelleabril.blogspot.com

gilkerharjyot.blogspot.com

hadzilashawn.blogspot.com

insalacotecwyn.blogspot.com

janitasaels.blogspot.com

jodelinscheufler.blogspot.com

jones-allentammey.blogspot.com

jurgisbooty.blogspot.com

karanjeetisoardi.blogspot.com

dralleboyeboye.blogspot.com

maidenhermann.blogspot.com

messer-bustamantetimpriss.blogspot.com

murachaniananoushka.blogspot.com

nevnevsculthorpe.blogspot.com

parrisvistisen.blogspot.com

porierkunlekunle.blogspot.com

rotermundraimon.blogspot.com

sharonyacorvil.blogspot.com

sodorabardan.blogspot.com

tendaiblunk.blogspot.com

turskeybrianna.blogspot.com

zhuochengbate-pelletier.blogspot.com

ziziziziboyter.blogspot.com

Who accesses one of these domains redirected to a page that simulates the typical YouTube screen. We then see a catch.

Immediately after, try to download a binary called "setup.exe" (md5 6d8ac41c64137c91939cced16cb5f2fe) which has a low average detection rate. This binary, in turn takes care of downloading and executing other malicious code.
Each of these files are downloaded from domains Style "homemadesandwiches.com/.sys/?getexe=ff2ie.exe".

The binary v2captcha.exe handles breaking the captcha that asks for registration blogspot blogs, creating massive randomly and the same, and then redirected to the download of Koobface through, as I mentioned at the beginning, a false YouTube page that uses the same visual social engineering approach used in other campaigns similar spread.

Undoubtedly Koobface is another malicious code that uses persistence despite many of its variants are detected by most antivirus companies.

Related information
Symbiosis malware present. Koobface

Jorge Mieres

Ver más