MalwareIntelligence is a site dedicated to research on all matters relating to anti-malware security, computer criminology and information security in general, always from a perspective closely tied to the field of intelligence.


Phoenix Exploit’s Kit v2.1 Inside

This crimeware is one of the tools most used by cyber criminals to gather intelligence that lets them identify trends and habits among people who use the Internet daily.

The aim is to obtain timely, relevant and complete information about the victims, which in turn lets the criminals know which factors to emphasize in the "improvements" to the web application, and lets the botmaster devise a strategy for promoting the malware.

Why? Obtaining processed information (intelligence) is key because it gives them real data on the different technologies people use. This kind of maneuver is widely used by criminals. Ever wondered why Koobface spread through social networks?

For example, most crimeware of this style collects data on:
  • Type and version of platforms. This reveals which operating systems are in use and which are the most vulnerable.
  • Type and version of browsers. This serves the same purpose as the point above.
  • Countries affected. This reveals the number of victim computers in each country. Thus, the botmaster can target the spread of the malware by focusing its promotion on particular countries.
Why? Because all this information allows the developer to add and/or upgrade versions, incorporating "improved" exploits into the "product". Furthermore, regarding the last point for example, the simplicity and readability of the statistical data leads many botmasters to use PEK (Phoenix Exploit's Kit) to spread malware that serves as a "bridge": it registers successful downloads and installations in order to increase their income through Pay-Per-Install affiliate systems.

Currently PEK development is at version 2.3r, a preliminary version of 2.4 that has been in its "testing" stage since mid-August 2010. The latest "stable" version is 2.3.

However, this post is about version 2.1 of Phoenix Exploit's Kit, and we will see that, from the visual point of view, it has not changed in earlier or later versions.

By default it has 10 exploits, which are:
This version carries over the Phoenix Triple System feature introduced in version 1.4, which is basically an encryption scheme for the binary executables that are disseminated. Its purpose is to hinder the analysis of the malware.

It consists of six modules, four of which provide relevant information about each computer that forms part of the botnet.

Simple statistics
This is an overview of the data collected: it shows which browsers have the highest percentage of successful exploitation, detailing the number of visits for each of them, the total number of visits and the exploits the package contains. Here is an updated version in which some exploits have been added

Advanced statistics
Basically it provides a level of detail on the affected operating systems and browsers, adding the version of each as useful data. In this case, the three compromised operating systems are Windows XP, Vista and Seven, respectively, and with a minimal share compared to these, but higher than Windows ME, 2000 and 2003, are Linux platforms.

Interestingly, in terms of browsers, the three with the highest vulnerability rate are Firefox 3.6, Internet Explorer 8 and 7 respectively.

Countries statistics
Information about the countries in which the compromised computers are located. The detail of this information lies in the number of visitors from certain countries and the number of successful exploits, also broken down by country.

Referers statistics
Information on the sites that refer visitors to Phoenix Exploit's Kit. The main feature is that the pattern PEK follows is referral from porn sites, from which the browser is processed through some of the pre-compiled exploits in the package. This module shows the list of pages, the number of visits per page and the number of successful exploits, with an average expressed as a percentage.

The list from the version used for this article is very long, but it is available in full at the following link: PEK v2.1 Referers List.

Upload .exe
This module allows updating the malicious code being spread. Usually the executable binary is only changed each time it is submitted to the Phoenix Triple System encryption service, or when the botmaster changes infection strategy according to the malware's new targets, for example a change of the affiliate system that spreads its own malware.
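As an added defender-side example (not code from the original post or from the kit), the following Python script derives from constructed proxy log lines the same platform and browser tallies the kit keeps, and flags the referer to landing page to executable chain described in the Referers statistics and Upload .exe sections. The log format, hostnames and content-type check are assumptions.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# Constructed sample proxy log (tab-separated), not taken from the post.
# Fields: time, client, url, status, referer, content-type, user-agent
SAMPLE_LOG = """\
2010-08-20T10:01:02\t10.0.0.5\thttp://ref-site.test/index.html\t200\t-\ttext/html\tMozilla/5.0 (Windows NT 5.1; rv:1.9.2) Gecko/20100101 Firefox/3.6
2010-08-20T10:01:03\t10.0.0.5\thttp://landing.invalid/stats.php\t200\thttp://ref-site.test/index.html\ttext/html\tMozilla/5.0 (Windows NT 5.1; rv:1.9.2) Gecko/20100101 Firefox/3.6
2010-08-20T10:01:05\t10.0.0.5\thttp://landing.invalid/load.php?e=3\t200\thttp://landing.invalid/stats.php\tapplication/x-msdownload\tMozilla/5.0 (Windows NT 5.1; rv:1.9.2) Gecko/20100101 Firefox/3.6
2010-08-20T10:02:10\t10.0.0.9\thttp://vendor.test/update.exe\t200\thttp://vendor.test/download.html\tapplication/x-msdownload\tMozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1)
2010-08-20T10:03:00\t10.0.0.7\thttp://news.test/\t200\t-\ttext/html\tMozilla/5.0 (X11; Linux x86_64; rv:1.9.2) Gecko/20100101 Firefox/3.6
"""

EXE_TYPES = {"application/x-msdownload", "application/octet-stream"}
OS_MAP = [("Windows NT 5.1", "Windows XP"), ("Windows NT 6.0", "Windows Vista"),
          ("Windows NT 6.1", "Windows 7"), ("Linux", "Linux")]

def parse_log(text):
    """Split each tab-separated line into a record dict."""
    keys = ("time", "client", "url", "status", "referer", "ctype", "ua")
    return [dict(zip(keys, line.split("\t"))) for line in text.splitlines() if line]

def classify_ua(ua):
    """Return (os, browser) from a User-Agent: the fields the kit tallies."""
    os_name = next((name for marker, name in OS_MAP if marker in ua), "other")
    m = re.search(r"Firefox/(\d+\.\d+)|MSIE (\d+)", ua)
    if not m:
        return os_name, "other"
    return os_name, (f"Firefox {m.group(1)}" if m.group(1) else f"IE {m.group(2)}")

def platform_stats(records):
    """Count distinct clients per (os, browser): the defender's view of
    the kit's advanced statistics."""
    seen = {(r["client"],) + classify_ua(r["ua"]) for r in records}
    return Counter((os_name, browser) for _, os_name, browser in seen)

def find_exe_chains(records):
    """Flag an executable served to a client through a page that the same
    client entered from a different domain: referer -> landing page -> exe."""
    entry = {}  # (client, landing url) -> external referer that led there
    hits = []
    for r in records:
        ref, url = r["referer"], r["url"]
        if ref != "-" and urlsplit(ref).netloc != urlsplit(url).netloc:
            entry[(r["client"], url)] = ref
        if r["ctype"] in EXE_TYPES and (r["client"], ref) in entry:
            hits.append((r["client"], entry[(r["client"], ref)], ref, url))
    return hits
```

The vendor download on the fourth line is not flagged because its referring page was not itself entered from another domain, which is the distinction that separates an ordinary download from the kit's referral pattern.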

In this case, PEK is used to propagate a generated build of the ZeuS trojan:
The white paper Phoenix Exploit's Kit. From the mythology to a criminal business provides more information on the different versions of this crimeware.

Related information
State of the art in Phoenix Exploit's Kit [White paper]

Campaign infection through Phoenix Exploit's Pack
Phoenix Exploit's Kit and Pay-per-Install via PC Defender Antivirus
Phoenix Exploit's Kit. Another alternative for botnet control

Jorge Mieres
Founder & Director of MalwareIntelligence
Crimeware & Intelligence Analyst Researcher
