MalwareIntelligence is a site dedicated to research on all matters relating to anti-malware security, computer criminology and information security in general, always from a perspective closely tied to the field of intelligence.


JustExploit. New exploit kit that uses vulnerabilities in Java

The crimeware industry keeps growing, and with it the illegal marketing of web applications that seek to automate the infection process through the exploitation of vulnerabilities.

This time the offering is called JustExploit. It is a new exploit pack of Russian origin with a feature that crimeware developers are increasingly taking into account: the exploitation of vulnerabilities in Java. That is, in addition to exploiting known vulnerabilities in MDAC and PDF files, it exploits Java on every computer that has the runtime installed.

The screenshot of the statistics module (Intelligence) clearly shows that a large number of computers are being controlled from this application, using different browsers and different operating systems, among them the famous Windows Seven.

Another interesting fact that emerges from this module is the high effectiveness of the Java exploit, whose success rate is even higher than that of the other two vulnerabilities (MDAC and PDF).

Through a file "index.php" containing an obfuscated script, JustExploit tries to run three exploits, for the vulnerabilities CVE-2008-2992, CVE-2009-0927 and CVE-2008-5353. Part of the script is shown here.

Among the files downloaded is the Java exploit, called "sdfg.jar", which has a low detection rate: according to VirusTotal, only 15 of 41 antivirus engines detect it.

In addition, the kit downloads the following malicious files (which for the moment also have a very poor detection rate):

This kit has been In-the-Wild for a relatively short time and is a dangerous attack vector that, as we have seen, is being actively used by botmasters with striking effectiveness.

Many thanks to the people at MDL for the information.

Related information
DDoS Botnet. New special-purpose crimeware...
T-IFRAMER. Kit for the injection of malware In-the...
ZoPAck. New alternative for the exploitation of v...
ZeuS botnet and its zombie-recruiting power
Eleonore Exploits Pack. New crimeware In-the-Wild
A close look at the structure of Unique Sploits Pack
Adrenaline botnet: command area. The Russian crimeware...
YES Exploit System. Another crimeware made in Russia
Barracuda Bot. Actively exploited botnet
ElFiesta. Zombie recruitment through multiple threats
Malware Domain List

Jorge Mieres



Russian online service to check malware detection

One thing that concerns malware creators and distributors is whether antivirus software is able to detect their binary and thus ruin their economic plans.

One possible way to test antivirus detection of these binaries is to upload them to sites like VirusTotal, which to date uses 41 different antivirus engines. The big problem is that these sites usually work in collaboration with antivirus companies, feeding them the samples. Therefore, although at the time of analysis it's possible that only a few of the antivirus engines (or none, at worst) can identify the malicious nature of the binary in question, the detection rate will most likely rise quickly in a short space of time.

This has opened a business niche, and in May of this year posts appeared in various forums announcing a new service (free at the time) to analyze the level of detection without alerting the antivirus houses. VirTest was born.

Currently this page, of Russian origin (although it has an English version), offers 26 different antivirus engines, with the option of choosing which of them should be used to check the sample. Here you can see the list of antivirus engines and their respective versions. The website specifies in detail how often each antivirus is updated, depending on each company's policy for publishing new signatures.

The analysis of a binary displays a table showing which antivirus engines recognize the malicious code and which do not. Clicking the link on the file name opens a box where we can see information about the file type and size, different hashes of the file, and information on its structure (if it's an .exe), among other things.

If we then click on the "See file" link, a 1000-byte fragment of the file itself is displayed.

However, the added feature that sets this service apart from similar ones is the ability to analyze exploit-pack crimeware by giving the URL where it is hosted. In the words of the service's FAQ, it doesn't really check the script but the resulting code that would be received by the different types of browsers. The tests are performed with Firefox, IE6, IE7, IE8, Opera and Chrome.

Clicking on any of the links, we can see the box described above, extended with the analysis information.

To perform one of these tests it's necessary to create an account and have funds in it, as it has become a paid service with the following prices:

Payments are made exclusively via WebMoney. There is at least one other similar service that is free and currently in beta. We suppose it will soon become a paid service too.

In summary, further evidence that not only does the exploitation of malware generate profits, but money also moves in parallel through services for this industry. And in some cases, like the present one, it remains to be seen whether this service can be considered a criminal act or not.

Related information
Software as a Service in the malware industry
Creating Online PoisonIvy based polymorphic malwar...
Current panorama of the business originated by crimewar...
Prices of Russian crimeware. Part 2

Ernesto Martín
Malware Research
Pistus Malware Intelligence



Espionage through malware

This month I remember waking up to a piece of news that, for many media outlets, seemed to be new or exclusively connected with some Hollywood films, giving it a connotation of "amazing". I refer to espionage through computerized means.

Below I leave a screenshot of the news, which makes it evident that malicious code is also part of intelligence operations in different contexts, both from a clearly fraudulent standpoint (in the case of computer criminals) and from the one that shelters under the "flag" of protecting and safeguarding the interests of a State (for many intelligence services), which seek to exploit and/or neutralize potential actions framed in a context of hostility.

Indeed, in many cases these actions border on the limits of legality.

According to the information in the article, Israel's most important intelligence service (Mossad) used trojan-type malicious code to obtain confidential and critical information on nuclear facilities in Syria.

The fact that Mossad used a program to spy isn't a novelty, since, like its American counterpart (the CIA) and many others, it formerly used Promis as a spying resource.

(Someday maybe I'll get around to writing something about the programs used by intelligence services around the world ;P)

The point is that, regardless of the impact of the news, malicious code is without doubt one of the most used resources for obtaining information, including at government and military level, and even among companies seeking confidential data that lets them uncover competitors' activities and gain competitive advantages.

Now, any organization or government entity may fall victim to espionage, and these activities must also be addressed by Information Security. As for what can be done to counteract or neutralize these activities, which in most cases are handled on the edge of illegality, the truth is that it isn't easy. However, implementing a disinformation strategy can be a good counterintelligence practice.

Ultimately it's easy to deduce that such maneuvers aren't only the stuff of films labelled "ghosts" or "science fiction", but that every day we are potential victims of the persistent attempts of malware writers seeking to break our security frameworks to obtain secret information.

Related information
Computer Intelligence, Information Security and Cyber-War
CYBINT in the business of Russian cyber-crooks

Jorge Mieres



DDoS Botnet. New special-purpose crimeware

A Denial of Service (DoS) attack basically consists of abusing a service or resource with successive requests, whether intentional or negligent, which eventually break the availability of that service or resource, temporarily or completely.

When this type of attack is performed using the processing power of a large set of computers that carry out the abusive requests synchronously, we are witnessing a Distributed Denial of Service (DDoS) attack.

DDoS attacks aren't new (the Blaster malicious code, designed in 2003 for this kind of attack against Microsoft, is a classic example), and they are a resource used in malicious activity of every connotation, even mafia-related.

In this sense, most general-purpose botnets include distributed denial of service attacks as part of their criminal offering, taking advantage of the capacity offered by the zombies that are part of the network; special-purpose botnets built to perform one specific type of attack against a specific target are also typical of today.

From a cyber-war perspective, DDoS also plays a fundamental role as an offensive mode in this digital war, also known as Cyber-Warfare, and is a resource that forms part of the attack strategy analyzed by CYBINT (Cyber Intelligence).

However, in this scenario the attack may also be used defensively, in an analytical strategy to assess the limits of a State's critical services.

But whatever purpose hides behind the attack, cyber-criminals (especially those of Russian origin) constantly seek to make it easier by offering crimeware developed for exclusively criminal use.

The point is that a new web application for controlling botnets is In-the-Wild, marketed on the Russian black market at a "competitive" price: USD 350.

The crimeware is designed to recruit zombies and form a (special-purpose) botnet intended exclusively for DDoS attacks of the SYN Flood, ICMP Flood, UDP, HTTP and HTTPS types. The following screenshot shows part of the configuration of the application, which is written in PHP.
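As an added defensive illustration (not code from the original post or from the kit), the following Python example shows what the SYN Flood variant named above looks like from the victim's side and how to detect it: many SYNs per second against one destination, almost none of them followed by the handshake-completing ACK, and a large number of distinct sources, which distinguishes a distributed flood from a single busy client. The packet summaries and the address 192.0.2.10 are constructed, and the thresholds are assumed values to be tuned per network.

```python
from collections import defaultdict

TARGET = "192.0.2.10"  # hypothetical victim address (documentation range)


def build_sample():
    """Constructed packet summaries (ts, src, dst, tcp_flags); not a real capture."""
    pkts = []
    for i in range(5):  # ordinary clients completing the 3-way handshake at t=0
        client = f"198.51.100.{i}"
        pkts += [(0.1, client, TARGET, "S"), (0.2, TARGET, client, "SA"),
                 (0.3, client, TARGET, "A")]
    for i in range(150):  # 150 distinct zombies each send one SYN at t=1, never completed
        pkts.append((1.0 + i / 1000, f"203.0.113.{i}", TARGET, "S"))
    return pkts


def detect_syn_flood(packets, window=1.0, min_syn=100, max_completion=0.2, min_sources=20):
    """Flag (dst, window) buckets that combine many SYNs, a low share of
    handshake-completing ACKs and many distinct sources."""
    buckets = defaultdict(lambda: {"syn": 0, "ack": 0, "srcs": set()})
    for ts, src, dst, flags in packets:
        b = buckets[(dst, int(ts // window))]
        if flags == "S":        # client -> server SYN (first handshake step)
            b["syn"] += 1
            b["srcs"].add(src)
        elif flags == "A":      # client -> server pure ACK; approximates completions
            b["ack"] += 1
    alerts = []
    for (dst, w), b in sorted(buckets.items()):
        if b["syn"] < min_syn:
            continue
        completion = b["ack"] / b["syn"]
        if completion <= max_completion and len(b["srcs"]) >= min_sources:
            alerts.append({"dst": dst, "window": w, "syn": b["syn"],
                           "completed": b["ack"], "sources": len(b["srcs"])})
    return alerts


if __name__ == "__main__":
    for alert in detect_syn_flood(build_sample()):
        print(alert)
```

Counting pure ACKs as completed handshakes is an approximation that also counts data ACKs; on real traffic, pair each SYN with its own SYN-ACK/ACK by source port instead.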

Among its notable features are the ability to run as a service (part of its self-defense strategy), command and control (C&C) over HTTP, integration with other crimeware of its kind, and the recording of activities (logs) with processed information on each attack (Intelligence), among many others.

I believe that research into this type of criminal activity must have the methodical touch that intelligence activities offer, because although this type of attack may matter little to a home user, the same isn't true when company assets are at stake. As security professionals, we should be aware of the state of the art of crimeware and incorporate intelligence measures into our work.

Information related to crimeware
Russian crimeware prices. Part 2
Russian trade in private crimeware versions ...
ZeuS botnet and its zombie-recruiting power
Anti-analysis process automation II
Eleonore Exploits Pack. New Crimeware In-the-Wild
Looking closely at the structure of Unique Sploits Pack
Adrenaline botnet: command area. The Russian crimeware ...
YES Exploit System. Another crimeware Made in Russia
Barracuda Bot. Actively exploited botnet
ElFiesta. Zombie recruitment through multiple threats

Information related to Cyber-Warfare
Computer Intelligence, Information Security and Cyber-War
CYBINT in the business of Russian cyber-crooks
Kremlin Kids: We Launched the Estonian Cyber War
Kremlin-backed youths launched Estonian Cyberwar, says Russian official
Digital Fears Emerge After Data Siege in Estonia
Cyberattack in Estonia - what it really means

Jorge Mieres



A tour of the latest scareware XVIII

Virus Protector = AntiAID, SystemVeteran, BlockProtector, SystemWarrior
Netherlands, Eindhoven, Web10 Ict Services
Sweden, Stockholm, Serverconnect I Norrland
Associated domains

Pope Green Defender
United States, Chicago, Singlehop Inc
Associated domains

Spyware Defender 2009
United States, Chicago, Singlehop Inc
Associated domains

Pro Defender 2008
United States, Chicago, Singlehop Inc
Associated domains

Proof Defender
United States, Portland, Donald Wildes
Associated domains: United States, Herndon, Beyond The Network America; Jamaica, Titan-net Ltd; Ukraine, Kiev, Singhajeet3 - Singh Ajeet; Ukraine, Czech Republic, Of Rays; Russian Federation, Baltic Center Of Innovations Techprominvest Ltd; Israel, Haifa, Loads

Related information
A tour of the latest scareware XVII
A tour of the latest scareware XVI
A tour of the latest scareware XV
A tour of the latest scareware XIV
A tour of the latest scareware XIII
A tour of the latest scareware XII
A tour of the latest scareware XI
A tour of the latest scareware X
A tour of the latest scareware IX
A tour of the latest scareware VIII
A tour of the latest scareware VII
A tour of the latest scareware VI
A tour of the latest scareware V
A tour of the latest scareware IV
A tour of the latest scareware III
A tour of the latest scareware II
A tour of the latest scareware I

Jorge Mieres



T-IFRAMER. Kit for the injection of malware In-the-Wild

T-IFRAMER is a package that allows the spread of malicious code to be automated, centralized and managed over HTTP, by injecting code into compromised sites with iframe-based techniques, and so feed a botnet. Below is a screenshot of the authentication page.

Although it isn't a complex kit, it allows computer criminals to manage the spread of malware over HTTP through Drive-by-Download and Drive-by-Injection attacks, by inserting iframe tags into compromised web pages.

It has four key modules: Stats, Manager, Iframes and Injector, each of which has the main function of optimizing the spread of malware.

The first (Stats) manages the compromised FTP accounts, giving control over them with the ability to upload files. This is where one of the cycles of malicious code propagation begins.

The management module has several categories, among which are:
  • Iframe accounts. These are pages into which malicious scripts have been injected through the iframe tag.
  • Not Iframe. These are basically compromised FTP accounts; in this case, several FTP accounts were stored.
  • Good accounts. Lets you mark which compromised FTP accounts are useful or still active.
  • Freehosts accounts. Lists all the compromised FTP websites that are on free hosting.
  • Unchecked accounts. Accounts that haven't yet been reviewed.

The following screenshots show two of the compromised FTP servers. Any kind of content can be stored on them (warez, cracks, pornography, phishing, pedophile material, any type of malware). The first hosts software and the second is a mirror for downloading *NIX-based distributions.

The Manager module is itself a panel that allows the administration of each of the above categories, including the ability to delete the FTP record directly.

So far, these first modules deal with everything related to account management. However, it doesn't end there, and the following modules are more aggressive.

One is the Iframes module. This lets you set the attack strategy through iframe tags, hiding them (as usual) in a script. In this case, the script used the following URL:

In turn, this URL refers to another URL which, in this case, contains a crude script with multiple exploits and malware that are downloaded automatically.

In this instance, after trying to run the exploits, it redirects to a domain that appears to manipulate search results.

The exploits it carries are the following:

The malicious code downloaded is:
  • ehkruz1.exe. A trojan designed to capture information related to the WebMoney service; to date it has a low detection rate, with only 6 of 41 antivirus engines detecting it. The filename is random.
  • egiz.pdf. Contains exploits (CVE-2007-5659, CVE-2008-2992 and CVE-2009-0927) with a low detection rate, 7/41 (17.08%). It downloads the binary.
  • manual.swf. Contains an exploit. Its detection rate is medium-low, 15/41 (36.59%).
  • sdfg.jar. A downloader trojan with an exploit. Its detection rate is medium-low, 14/41 (34.15%).
  • ghknpxds.jpg. Contains an exploit. Its detection rate is very low, 4/41 (9.76%).

The Injector module is responsible for injecting the iframe code created with the previous module, and lets you configure a number of parameters to optimize the attack: for example, checking PageRank, injecting code and cleaning it up if necessary, checking the hosting country of the FTP accounts, establishing which domains to attack (1st and 2nd level, both configurable), and configuring regular expressions with the names of folders and files commonly found on a web server, among others.

Investigating the domains involved a little more, it becomes obvious that this application is being used as a "support" tool for a known crimeware that we have discussed on this blog: the latest Fragus.

That is, the domain "hidden" in the iframe tags redirects to a new URL from which a battery of exploits tries to hit potentially vulnerable computers and download the malware responsible for recruiting the zombie.
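As an added example for defenders (not code from the original post or from the kit), this Python script checks a page for the injection pattern described above: iframes pointing at an external host that are hidden by CSS or collapsed to 0/1 pixels, and scripts that assemble an iframe through document.write/unescape, which is how iframer kits usually hide the tag. The sample HTML and the .invalid hostnames are constructed.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample page, not taken from the original post: a legitimate
# same-origin iframe, an injected 1x1 hidden iframe, and an iframe assembled
# inside an obfuscated script.
SAMPLE_HTML = """<html><body>
<iframe src="/embed/video" width="560" height="315"></iframe>
<iframe src="http://kit.example.invalid/in.php" width="1" height="1"
        style="visibility:hidden"></iframe>
<script>document.write(unescape('%3Ciframe src=%22http://kit2.example.invalid/%22 width=0 height=0%3E%3C/iframe%3E'));</script>
</body></html>"""

# Script bodies that write an iframe through document.write/unescape.
_SCRIPT_IFRAME = re.compile(r"(document\.write|unescape)\s*\(.*?(%3Ciframe|<iframe)", re.I | re.S)


class _Collector(HTMLParser):
    """Collects iframe attributes and raw <script> bodies from a page."""
    def __init__(self):
        super().__init__()
        self.iframes, self.scripts, self._in_script = [], [], False

    def handle_starttag(self, tag, attrs):
        if tag == "iframe":
            self.iframes.append({k: (v or "") for k, v in attrs})
        elif tag == "script":
            self._in_script = True

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        if self._in_script:
            self.scripts.append(data)


def _dim(value):
    """Leading integer of a width/height attribute, or None if absent."""
    m = re.match(r"\s*(\d+)", value)
    return int(m.group(1)) if m else None


def _is_hidden(attrs):
    """True for CSS-hidden frames or frames collapsed to 0/1 pixels."""
    style = attrs.get("style", "").replace(" ", "").lower()
    if "display:none" in style or "visibility:hidden" in style:
        return True
    dims = (_dim(attrs.get("width", "")), _dim(attrs.get("height", "")))
    return any(d is not None and d <= 1 for d in dims)


def find_injected_iframes(html, page_host):
    """Return (kind, detail) findings for a page served from page_host."""
    c = _Collector()
    c.feed(html)
    findings = []
    for a in c.iframes:
        host = urlparse(a.get("src", "")).hostname  # None for relative (same-origin) src
        if host and host != page_host and _is_hidden(a):
            findings.append(("hidden_external_iframe", host))
    for s in c.scripts:
        if _SCRIPT_IFRAME.search(s):
            findings.append(("script_built_iframe", s.strip()[:60]))
    return findings
```

Run `find_injected_iframes(SAMPLE_HTML, "www.example.org")` to see the two findings; a visible external iframe or a same-origin one is left alone.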

T-IFRAMER has two distinct groups of functions: on one hand administration and on the other the attack, which of course keeps feeding the botnet. It's clear that those behind this type of crimeware really know what they want and, although the application's development is very simple, it's effective enough to be used by one of the most effective botnets today, Fragus.

Finally, these actions are very similar to those performed by Gumblar (which, according to some sources, is of Chinese origin, though I doubt it), and although I can't say that this case involves Gumblar's distribution mechanisms, especially because this kit is in the first instance of Russian origin (like Fragus), there is no doubt that the overall strategy is very similar.

Is it what many call Gumblar today?

Related information
Fragus. New botnet framework In-the-Wild
ZoPAck. New alternative for the exploitation of v...
ZeuS botnet and its zombie-recruiting power
DDBot. More botnet management via web
Phoenix Exploit's Kit Another alternative for controlling botnets
INF `[LOADER]. Control of botnets, malware and spread (...)
Liberty Exploit System. (...) Another alternative for controlling botnets
Eleonore Exploits Pack. New Crimeware In-the-Wild
Russian crimeware prices. Part 2

Jorge Mieres
