MalwareIntelligence is a site dedicated to research on all matters relating to anti-malware security, criminology computing and information security in general, always from a perspective closely related to the field of intelligence.

22.2.11

See you soon Jorge Mieres!

As many readers know, this means of information read at this time, was founded by Jorge Mieres in 2006. What you may not know is that several months ago, Jorge has decided to move away from the front of MalwareIntelligence, leaving us with complete confidence (one of the many qualities and characteristics of Jorge) the command of his legacy.

For this reason, and through these few words, we want to thank not only the possibility of allowing us to continue with its philosophy that is the essence of MalwareIntelligence, which no doubt has become a means of informing local and uncontested global on everything related to crimeware and botnets activities, but also by the amount of information who selflessly shared with the community safety through this forever your blog :D, its quality as a person and, above all things, for his admirable humility.

Surely Jorge will continue to share things from their personal blog or catharsis as he always called :D, so I'm sure you will find it there :)

Thank you Jorge!
MalwareIntelligence Team

Ver más

18.2.11

Inside Carberp Botnet

In early 2010, from MalwareIntelligence started researching a new botnet designed to agglutination of sensitive information relating to bank accounts, and theft of credentials to exploit a disturbing list of programs.

NOTE: At the bottom of this article may find the link to download the complete white paper, called "Inside Carberp Botnet", which describes the various internal components that make up Carberp.

Carberp, unlike SpyEye and ZeuS, was not (and neither is today) a crimeware mass marketed, but rather to a small group of people. Proof of this were (and are) a few C&C to operate the botnet. Also, to implement, require use licenses to use the constructor and the administration panel.

After a while with high levels of activity through these C&C, we are surprised when we noticed that gradually disappeared and even more so when the vast majority upgraded to the new version for less than two months. Still had a few C&C refused to disappear, although we believe that in fact the operating botmaster refused to set aside this malware.

During January this year Seculert published an article which talks about the new version of Carberp, with an entirely new panel and developments in the bot.

In MalwareIntelligence found only one C&C with these features, and we have several indications for which we believe is not an "official" version of Carberp, but a modification of the bot original interface and some features of crimeware.

These unique signs also be evidence of a possible breakup of the group behind the development, commercialization and exploitation of crimeware.

In recent weeks we have begun to notice an increased activity of new C&C Carberp. However, these do not correspond to the earlier version discussed in "Inside Carberp Botnet" but they are the same crimeware activity ceased in December 2010. This reinforces our theory that in fact the administration panel referenced by Seculert, it is not really the new Carberp.

Decided to resume research for more information about this "resurrection" of Carberp and, based on the knowledge we had of this botnet, publish our internal report. But also exposed through this the first results of the second part of the investigation.

Carberp has begun to be announced from the crimeware community, which until now had not happened and no doubt this is precisely why this has again become popular in the media.

Change of business model? Actually we can not guarantee yet, but it may be that this botnet is beginning to be marketed to expand coverage of the bid, or that some other criminal group (perhaps made by any member of the original group Carberp developer) has taken the opportunity to take a new version inspired by the original and try to commercialize it.

The following text corresponds to the notice by which this new variant of Carberp is trying to be marketed (plain text):

Carberp. Multi-banking Trojan
Works on any system: Windows XP/Vista/7 with limited accounts.
The bot contains:

  • Loader
  • FTP Grabber
  • Password Grabber
  • Forms Grabber
  • FTP Sniffer 
  • Backconnect (Supports up to 500 connections)
  • Delete cookies in IE and Firefox.
  • Injections in IE and Firefox.
  • Ability to take screenshots directly from the js.
  • % user_id% html insert in the uid.
  • The constructor
  • A sample injection and much more.
  • System plugins. 
  • Command multidownload can simultaneously lose 20 exe
MiniAV
Detects and removes the following malware:
ZeuS, Limbo, Barracuda, Adrenalin, MyLoader, BlackEnergy, SpyEye.



NOTE: Unlike the previous version, this features a "Kill SpyEye" whereby also tries to get rid of this crimeware.

Lock antivirus updates:
vg8, avg9, arca2009, arca2008, avast5, ESET NOD32 Antivirus 3.x/4.x, ESET Smart Security 3.x/4.x, Avira Premium Security Suite, Avira AntiVir Premium, Avira AntiVir Professional, BitDefender Antivirus 2010, McAfee AntiVirus Plus 10, Microsoft Security Essentials, DrWeb     .

Grabber program list:
Messengers, Miranda, ICQ2003, RQ, Trillian, ICQ99b, MSN, Yahoo, AIM, Gaim, QIP, Odigo, IM2, SIM, GTalk, PSI, Faim, LiveMessenger, PalTalk, Excite, Gizmo, Pidgin, AIMPRO, MySpace, Pandion, QIPOnline, JAJC, Digsby, Astra, Post clients, Becky, The_Bat, Outlook, Eudora, Gmail, MRA, IncrediMail, GroupMailFree, VypressAuvis, PocoMail, ForteAgent, Scribe, POPPeeper, MailCommander, Windows_Mail_Live, Windows_Mail_Vista.

FTP Clients:
TotalCommander, Far Manager, WS_FTP, CuteFtp, FlashFXP, FileZilla, FTP Commander, FTP Navigator, BulletProof, SmartFTP, TurboFTP, FFFTP, CoffeCup, CoreFTP, FTP Explorer, Frigate3, UltraFXP, FTPRush, SecureFX, WebPublisher, BitKinex, ExpanDrive, Classic FTP DC, Fling, SoftX FTP Client, Directory Opus, FTP Uploader, Free FTP, DirectFTP, LeapFTP, WinSCP.

Browsers:
Firefox, Safari, Opera, IE, Chrome.

Others:
SysInfo, WinVNC, ScreenSaver, ASPNET, RDP, FreeCall, CamFrog, PCRemoteControl, NetCache, CiscoVPN, Credentials.

Backconnect system:

  • For receipt of bots used win32-appendix.
  • Allows you to use the bots as SOCKS5-Proxy.
  • There are options to configure the ports to stop, number of bots, times, etc.
  • Possibility of authentication proxies.
  • You can disconnect a bot mandatory when required.
    Injections:
    • The injections work in IE and Firefox.
    • A program to configure the injections.
    Builder:
    • Ability to configure 3 domains. 
    • Requires a license.
      Autocrypt system: 
      There is a metamorph cryptor to be checking with the antivirus.
        Browser:
        • Works with the user's session, bot, even if it is unprivileged (limited account).
        • You can get screenshots of the user and other parts of the system.
        • dormant mode, the user will not notice anything strange.
        • The browser is entirely invisible to the user.
        • The browser is not or when filling a form.
        • You can hijack a user's browser and work with. 
        • Look bot files as well as download them.
          License:
          • The license takes a panel + builder.
          • Restrictions on the number of servers under license.
          • To operate more than one botnet requires a second license.
          • It is forbidden to reorient the botnet to another server than the one provided.
          • We looked carefully at all the licenses, any violation will result in the loss of license and a DDoS on the servers and domains offenders.
          • The panel is protected with IonCube.
          • The bot is protected by our security system. In each update changes the way the bot, making it difficult the task that is listed.
          • resale is prohibited.
          Upcoming updates:
          • Bilder (60%).
          • Module DDoS (90%).
          • Shots chrome (50%).
          • Module fakes (70%).
          • p2p (10%).
          • Opera formgrabber (90%)
          • Chrome formgrabber (40%)
          • Grabber for Basic Auth in Firefox and IE (90%).
          Updates:
          • Updates the current modules and small changes are free.
          • Updates on new modules and major changes, require an extra fee.
          Price:
          • Price module browser bot 5k wmz
          • Price with browser module: 8k wmz.
          • Autocrypt System: wmz 1k/month

          Undoubtedly, since the present keep you informed of our progress Carberp and around his botnet.

          Download full whitepaper Inside Carberp Botnet

          Francisco Ruiz
          Crimeware Research of MalwareIntelligence

          Ver más

          16.2.11

          MalwareIntelligence whitepapers

          Botnets Administration. A real case - ZeuS & SpyEye
          Malware networks continue to grow and parallel to, the potential risk of becoming victims of their criminal activities. Gone are those days where the main vector for malicious code distribution was made up of pages that promote pornographic and warez type programs.

          Today, malware is distributed through any kind of website as a key used to feedback a crime far more comprehensive and ambitious, mainly led by botnets. Also incorporating self-defense mechanisms and more complex evasion. To understand this diversity, this paper describes a real example, which was part of a complex investigation, about how a given botmaster their botnets through SpyEye and ZeuS crimeware.
          Download

          Criminal activities from BKCNET “SIA” IZZI / ATECH-SAGADE [Part one]
          BKCNET "SIA" IZZI, also known as or simply ATECH-SAGADE is an AS (Autonomous System) numbers in 6851, currently is one of the most active of crimeware through which are distributed daily a large amount of malicious code , besides being the control base for the accommodation of several C&C which feed the underground economy.

          Your geolocation is in Latvia and, as I mentioned on another occasion, "This ASN is listed as a server of criminal activities such as spread of different families of rogue, hosting crimeware as YES Exploit System, in 2009 I host the strategies Waledac botnet (Storm successor), also to ZeuS and to have direct relationship with the criminals who are behind the botnet Koobface maneuvers". The following evidence is left AS6851 activities in the range of IP's and chipboard from 91.188.59.9 to 91.188.59.249.
          Download

          Computer Attacks. Security weaknesses that are commonly exploited
          Over time, the advancement of media and communication technology has led to the emergence of new attack vectors and new types of crimes that have become Internet and computer technologies in areas most hostile to any kind of organization, and person you have computers connected to the World Wide Web.

          Unlike what happened years ago, where people with broad skills in the computer field enjoyed researching these issues with the aim of incorporating more knowledge, at present has completely distorted giving rise to new characters using computer resources and knowledge its functioning as a resource for crime and economic benefits.
          Download

          Phoenix Exploit’s Kit. From the mythology to a criminal business
          Criminal alternatives grow very fast in an ecosystem where day to day business opportunities are conceived through fraudulent processes. In this sense, the demand for resources for the cyber criminal isn’t expected and is constantly growing.

          Generally I find new crimeware looking to get a place and a good acceptance in the virtual streets of the world underground, trying to reflect a balance on the cost/benefit of the "product" promoted, that allows criminals to enter the market as quickly as possible. This paper presents a series of data on criminal activities and fraud carried out using Phoenix Exploit's Kit as channel management, how often the cycle of criminal business on this crimeware and what are the exploits found in its different versions.
          Download

          myLoader. Base C&C to manage Oficla/Sasfis Botnet
          Criminal activities are increasingly unfair. Currently, no one denies that the malicious code is an unethical business and criminal whereby cybercriminals steal lots of money.

          This also responds to the why of professionalism and sophistication in the development of malware, and associated components of spread and infection strategies, transforming them into increasingly aggressive threats.

          Under this scenario, a new threat crimeware designed for fraudulent purposes is In-the-Wild. MyLoader is a particular purpose framework developed to manage the activities of a botnet.
          Download

          SpyEye Bot [Part two]. Conversations with the creator of crimeware [English only]
          In recent weeks, SpyEye (a new financial trojan) has been popular in the news and underground and well received. The cheap cost of the software relavtive to its competition combined with an easy to use interface has increased its popularity. The ability to remove the competition with the product with a built-in ZeuS Killer has also raised eyebrows.

          Our previous report, "SpyEye. Analysis of a new crimeware alternative scenario", addressed known technical issues involving the activities of this threat. In this second part we present the exclusive interview by Ben Koehl, Crimeware Research of MalwareIntelligence.
          Download

          SpyEye Bot [Part one]. Analysis of a new alternative scenario crimeware
          Earlier this year saw the light in the underground black market that moves the axes of crimeware, a new application designed to provide feedback for criminal and fraudulent business.

          This application, called SpyEye, is aimed at facilitating the recruitment of zombies and managing your network (C&C – Command and Control) through management panel via the web, from which it is possible to process the information obtained (intelligence) and stored in statistics, a regular feature of criminal packages today. This document describes the activities of SpyEye from the stage of infection giving relevant information about their purpose.
          Download

          Annual compendium of information. Crimeware in 2009 [Spanish only]
          Undoubtedly, the current status of the global criminal activities are channeled through the web is a great business and is growing in dark underground as the different environments offered by the Internet, stealing private information through different "bugs"...

          ... that spread running different "plans" strategically designed, including developing applications designed to automate the process of crime that are marketed in the same environment underground, then transform all cash.
          Download

          Analysis of an attack of malware web-based
          Internet has become an ally platform of attack for malware creators, who through the use of different techniques such as Drive-by-Download, Drive-by-Update, scripting, exploit, among others, and combining them seek to recruit an army of computers that respond only to their malicious instructions.

          These attacks, using the Internet as a basis for implementing a direct damaging loads on the victim, in parallel, almost instantaneous and transparent view of the less experienced users, has become a latent and dangerous risk of infection by the simple act of accessing a website.

          The following document sets out a concrete example that uses the above actions to exploit and infect a victim, describing also several extra features that enhance the damage of malware.

          Alejandro Cantis
          Crimeware Research

          Ver más