MalwareIntelligence is a site dedicated to research on all matters relating to anti-malware security, computer criminology and information security in general, always from a perspective closely related to the field of intelligence.


Strike Botnet, another crimeware was born

As the Author says "Strike botnet is a new advanced http based botnet with which you can literally control thousands of computers at the same time, without them even noticing."

The gradual increase in botnet development is interesting, and this time "SqUeEzEr" (Scott Van Dinter, a young man of 18 years old, as some of his online profiles say) comes onto the scene with a botnet developed in VB6, with some inline ASM in it.

The botnet works in Ring3, something that makes the detection process easier. It was tested under Windows XP, Windows Vista and Windows 7.

Source-Code Preview. As we can see, the botnet is developed in VB6. In the module "InitializeEngine" we can see a function with inline ASM. Some of its functions are:

ActiveX Startup. An already well-known startup method.

Advanced Anti-Checking. Different threads with continuous checks; 10 different methods.

Attacking. Like every botnet that serves its purposes, it has a DDoS system that works with TCP connections and runs in the background.

Firewall Bypass. Adds itself to the Windows firewall. Unhooks ring3 firewall hooks.

Process Protection. An advanced protection system keeps the process from being closed.

File Protection. Strike is protected from deletion, even if the process is not running. It can't even be deleted by Rootkit Unhooker.

Serial Stealing. Strike can steal the Windows serial code, and more than 200 other serials.

Sockets. Strike uses API sockets to connect to the web interface (that is, it doesn't use the well-known Winsock). It also uses the HTTP protocol to bypass firewalls.

Spreading. Strike has the ability to spread itself into every compressed folder (zip/rar) on the infected computer.

MSN Passwords. Strike is able to steal stored MSN passwords.

Internet Explorer. Strike is also able to steal Internet Explorer passwords.

Update. A very interesting feature: with this function Strike is also able to download a newer version and update itself.

Standard Functions
  • Exit, you can terminate Strike with this command
  • Melt, Strike can be fully removed from a computer (this doesn't match the "common" definition of "melting")
  • Bsod, Strike can trigger a Blue Screen of Death
  • Kill, Strike can delete files on the computer
  • Exec, execute files on the victim's computer
  • Down, Strike can download files from the web using the HTTP protocol and can then execute them
All these functions are called dynamically and are unhooked before being called. Strike also has a builder which uses no EOF and is able to detect if Strike is installed on your system.

Finally, Strike is FUD (Fully Undetectable) at compile time (so it doesn't use crypting). The author says that a video demonstration will probably be up within one week.

Mariano Miguel
Malware Researcher en MalwareIntelligence



Hooters Germany website compromised for HSBC phishing

Hooters is a restaurant chain with branches in a number of countries. On Wikipedia you can read more about what these particular food outlets are like; whoever has visited one knows what I mean, and whoever has not had the opportunity to visit a Hooters ... doesn't know what they are missing (comments in parentheses) :-)

The point is that the Hooters Germany website was compromised to host a phishing attack against the HSBC bank. The first image shows the real site and the second the phishing page hosted on the same server.

Now the question is how to tell that this is a fake page. Although it is an almost faithful copy of the real one, the first thing that stands out is that in this case the address looks nothing like the real one.

Second, if we dig a little deeper and look at the HTML source code, at first glance it also seems real; however, a number of details, without going into technical content, give us the pattern of a deception.

Let's look for a second at a piece of code belonging to the real page:
We note that rel="canonical" refers to the url, and that the site's stylesheets are located in /1/themes/HTML/hsbc_unpersonal/css/.

Now observe the same piece of code, but from the fake page:

Why would it call the style files from the full address of the real site, when the content is supposedly hosted in the same place? Hmm, it's just a detail, but ... isn't it strange?
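The two source details used above (a rel="canonical" link that names another host, and stylesheets loaded from the real site's full address rather than a relative path) can be turned into an automated check. The script below is an added example and not code from the original post: it parses an HTML page, records the canonical URL and every stylesheet, script and image reference, and reports anything that resolves to a host other than the one the page was served from. The host names (www.real-bank.example, compromised-site.example) and the two HTML fragments are constructed for the example; the stylesheet path is the one quoted in the post.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse


class _RefCollector(HTMLParser):
    """Collect the canonical link and every stylesheet/script/image reference."""

    def __init__(self):
        super().__init__()
        self.canonical = None
        self.resources = []  # (tag, url) pairs exactly as written in the HTML

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "link":
            rel = a.get("rel", "").lower().split()
            if "canonical" in rel and a.get("href"):
                self.canonical = a["href"]
            elif "stylesheet" in rel and a.get("href"):
                self.resources.append((tag, a["href"]))
        elif tag in ("script", "img") and a.get("src"):
            self.resources.append((tag, a["src"]))


def analyze_page(page_url: str, html: str) -> list:
    """Return human-readable findings; an empty list means every reference
    resolves to the host the page was served from."""
    collector = _RefCollector()
    collector.feed(html)
    page_host = urlparse(page_url).hostname
    findings = []

    # Indicator 1: the canonical URL claims the page lives somewhere else.
    if collector.canonical:
        canonical_host = urlparse(urljoin(page_url, collector.canonical)).hostname
        if canonical_host != page_host:
            findings.append(
                f"rel=canonical points to {canonical_host} "
                f"but the page is served from {page_host}"
            )

    # Indicator 2: page assets are fetched from a different host by full address.
    foreign = {}
    for tag, url in collector.resources:
        host = urlparse(urljoin(page_url, url)).hostname
        if host and host != page_host:
            foreign.setdefault(host, []).append(f"<{tag}> {url}")
    for host, refs in sorted(foreign.items()):
        findings.append(f"{len(refs)} resource(s) loaded from {host}: " + "; ".join(refs))
    return findings


# Constructed sample: the real page, served from the bank's own host,
# references its stylesheet with a relative path.
REAL_URL = "https://www.real-bank.example/1/2/"
REAL_HTML = """<html><head>
<link rel="canonical" href="https://www.real-bank.example/1/2/" />
<link rel="stylesheet" href="/1/themes/HTML/hsbc_unpersonal/css/style.css" />
</head><body></body></html>"""

# Constructed sample: the copy hosted on a compromised site keeps the bank's
# canonical URL and pulls its assets from the bank's full address.
FAKE_URL = "http://compromised-site.example/online-banking/"
FAKE_HTML = """<html><head>
<link rel="canonical" href="https://www.real-bank.example/1/2/" />
<link rel="stylesheet" href="https://www.real-bank.example/1/themes/HTML/hsbc_unpersonal/css/style.css" />
<script src="https://www.real-bank.example/1/themes/HTML/hsbc_unpersonal/js/common.js"></script>
</head><body></body></html>"""

if __name__ == "__main__":
    for name, url, html in (("real", REAL_URL, REAL_HTML), ("fake", FAKE_URL, FAKE_HTML)):
        print(name, "->", analyze_page(url, html) or ["no foreign references"])
```

A page that passes both checks can still be a phishing page, and a legitimate site using a CDN will trigger the second check, so the output is a triage signal to combine with the address mismatch noted above, not a verdict on its own.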

PS: the package hosted on the phishing site contains, among others, a file called loginfinish.php, with the following information:

Related information
Phishing Database IV
New phishing campaign against Facebook led by Zeus
Phishing campaign aimed at players Zynga
New ZeuS phishing campaign against Google and Blogger
Facebook & VISA phishing campaign proposed by ZeuS
Dissection of a fraudulent package. Wachovia phishing attack

Alex Garcia
Crimeware Researcher
Administrator of MalwareIntelligence


iPack and GOLOD. New crimeware on the criminal scene

Supply and demand for crimeware alternatives continue to grow, and in recent months some new alternatives have emerged, including iPack and GOLOD.

GOLOD is a resident loader written in C++ and of Russian origin which is trying to break into the crime scene at a cost of USD 500 for its installation on the buyer's domain, USD 675 if acquired together with a domain, and USD 60 more if it includes cleaning of the crimeware.

Upgrades are free and the developer offers 24x7 support. It went on sale during the first days of March 2010.

It works on virtually all Microsoft operating systems and, like all crimeware of this management style, allows botnets to be controlled through a web-based C&C.

While this type of crimeware does not say much and ends up being an also-ran, it's interesting to see how criminals try to wash their hands of responsibility for the applications they develop.

That is, depending on the laws of each country, it can be somewhat ambiguous whether developing applications designed simply to spread malware, and encouraging their use, is legal or illegal.

The author then left a sentence that reflects the above:

“Программа представлена для ознакомительных и исследовательских целей. Ответственность использования ее в незаконных целях лежит на плечах того, кто ее использует.”

Something like:

“The program is provided for educational and research purposes. Responsibility for using it for illegal purposes rests on the shoulders of whoever uses it.”

iPack, for its part, is an exploit pack that is also emerging, priced at USD 500 per package, with the encryption option and domain changes for USD 100 more.

Despite having a name and a design directly related to Mac OS products, it is far from being crimeware oriented to those platforms.

The exploits that the package contains by default are all for Windows platforms:

MDAC (CVE-2006-0003) – (MS06-014)
PDF collab.getIcon (CVE-2009-0927)
PDF Util.Printf (CVE-2008-2992)
PDF collab.collectEmailInfo (CVE-2008-0655)
PDF (CVE-2009-4324)

In short, new options in the landscape of the fraudulent business that crimeware represents.

Related information
myLoader. Framework for the management of botnets
SpyEye. New bot on the market
State of the art in Eleonore Exploit Pack
Siberia Exploit Pack. Another package of explois In-the-Wild
RussKill. Application to perform denial of service attacks
DDoS Botnet. New crimeware particular purpose
JustExploit. New Exploit kit that uses vulnerabili...
Fragus. New botnet framework In-the-Wild
ZeuS Botnet and its zombie recruitment power
Liberty Exploit System. Alternatively crimeware to...

Jorge Mieres



Phishing Database IV

Financial and banking institutions
HSBC (;jsessionid=0000UyzfmbnkvKfK9fLILUpaTgF14et5m1u3IDV_URL=hsbc.MyHSBC_pib/


Lloyds TSB (

BMO - Bank of Montreal (

ANZ - Australia and New Zealand Banking Group Limited (

Bank of America (

Central Bank of Nigeria (

Bank of America (

Bradesco (

Electronic Commerce
PayPal (

eBay (

Online Games

Social Networks
Facebook (

Orkut (

Kijiji (

Related information
Phishing database III
Phishing database II
Phishing database I
New phishing campaign against Facebook led by Zeus
Phishing campaign aimed at players Zynga
ZeuS on IRS Scam remains actively exploited
New ZeuS phishing campaign against Google and Blogger
Facebook & VISA phishing campaign proposed by ZeuS
Dissection of a fraudulent package. Wachovia phishing attack

Jorge Mieres



Aurora .sys file used in the attack - External file analysis

First of all, I'd like to thank MalwareIntelligence where I write as a researcher for getting me this precious file.

In the Aurora attack, one .sys file was used, called msconfig32.sys.

I was pretty curious about what this driver does, and why no one else in the world had analyzed it.

It had been a terrible journey to get the file. No one had it. No one wanted to share it. I was pretty lucky to team up with MalwareIntelligence, and they had the right connections to get this file.

As I've told a large number of people, there are lots of reasons to use drivers in this kind of attack, but it's pretty clear the attackers weren't trying to hide themselves or their connections. The only thing I could think of is writing a driver to get information about the physical status of the screen (because the attackers used a patched version of VNC, a driver could query the status of the screen, and if it's shut or on standby it's safe to work; also, this kind of driver could have saved restore points of the computer before the attacker started to look for files inside the computer, and once the screen is up, restore everything to its original state - more on this idea is in my presentation on

But it appears that this is not the case. That's what I was looking for; that's what I'd been trying to search for, but it had been there the whole time. The .sys file wasn't a driver.

Let's first take a quick look at the file (a .sys file is a PE):

Well? What's that? Why is there 0x20 all over the file? It's supposed to be 0x00 in those areas. It's obviously a XOR. It does have a base like a PE, but it sure does look different: XORed or some kind of anti-reverse-engineering on it. That's the first look.

Let's take a look at another valid Microsoft driver of roughly the same size:

Can you notice the difference? Where there's usually 0x00 there's 0x20. Weird. Let's look further into the msconfig32.sys file:

Wait?!@@#$ Why are there .dll files mentioned after the resource mark? Haven't seen that in a driver before... Let's take a look at a valid driver again:

We don't see that kind of stuff there, yet we continue to see 0x20 in parts where there should be 0x00...

Weird. Maybe it's an exe instead? Let's not give up! Let's try to load it and see if the driver can be loaded as-is. I've chosen to use the built-in SCM (Service Control Manager) mechanism to load drivers, instead of writing a loader myself. A driver can be loaded in lots of ways, including replacing another .sys file, quick registration in the Windows registry, or other ways (you can find some more information in the book Rootkits: Subverting the Windows Kernel, page 40, "The quick and dirty way to load a driver", or pages 46-47. Enjoy).

I've decided to use SCM and load the driver using sc. So let's do it:

First I did a re-check to make sure I hadn't changed the file. The file I needed was msconfig32.sys from the Aurora attack, with the following md5: 7a62295f70642fedf0d5a5637feb7986. After that, I wrote an sc command to load the driver from c:\msconfig32.sys.

The command and the checks are attached in the following picture :

The specified driver is invalid?! How about that? The file is certainly not a valid .sys driver (as is; it might be changed a bit to fit as a .sys file). So what is it?

Trying the regular approach of opening the file in PEExplorer/IDA/Olly/PE parsers/... wouldn't work, as the file is damaged in such a way that the headers are totally corrupted; from the way the file behaves, something is under there, but it's not a regular .sys file.

So... let's try to mess with it a bit. Maybe XORing again with 0x20? That gave nothing. Other ideas I tried (so many I can't even write them all) didn't go well either. The file appeared to be corrupted.

Trying to load it as a dll, or opening it as an .exe, failed as well.

I did try to play with it a bit more, and found that CERT had issued an advisory in which they wrote the following:

ad_1_.jpg MD5: CD36A3071A315C3BE6AC3366D80BB59C Byte Size:
Appears to be packed executable. Significant portion of file is

There's another file, with a .jpg extension, and it's not a jpg. The file is XOR'd with 0x95. Does it ring a bell? Yes it does. I think it's the same kind of method used, but this time they called their file .sys instead.

Or, the file was being downloaded step by step, and until the download finishes they first create a file filled with 0x20s and then overwrite it with the real file. That could explain its size (4kb).

So I checked: is the file compressed? How can I check without knowing what kind of compression is used? The easiest thing is to take the payload of the PE file and write it to another file. After I'd done that, I tried to compress it again, and guess what? The file, after compression, was bigger than the original. Meaning the payload part was already compressed.

Still couldn't figure out what it contained. I will continue to research it and hopefully soon I will find something :). Too bad it wasn't a real driver, though...

I hope you liked my external analysis; because I couldn't examine the file (as it was "corrupted", or at least not in a valid format), sometimes it's all that can be done. Still, now we know that this file wasn't a real driver (but it might still have contained one within, compressed).
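The three checks the analysis above runs by hand (which byte value dominates the padding, whether a single-byte XOR turns the blob back into a PE, and whether the payload shrinks when compressed again) can be scripted. The following is an added example, not the author's code or the real Aurora file: the samples it runs on are a constructed minimal PE-shaped blob, the same blob XORed with 0x20, plain text, and deterministic pseudo-random bytes standing in for an opaque compressed payload. On the real msconfig32.sys the author reports that XORing with 0x20 gave nothing; the XOR check here is written to return None in exactly that situation.

```python
import random
import struct
import zlib
from collections import Counter


def most_common_filler(data: bytes):
    """Return (byte_value, fraction) for the most frequent byte value.
    Header padding and section alignment make 0x00 dominate a normal PE;
    a different dominant value (0x20 in the file discussed above) is the first red flag."""
    value, count = Counter(data).most_common(1)[0]
    return value, count / len(data)


def guess_single_byte_xor(data: bytes):
    """Test the single-byte XOR hypothesis: return the key that yields a plausible PE,
    i.e. an 'MZ' stub whose e_lfanew field (offset 0x3C) points at a 'PE\\0\\0' signature.
    Returns 0 when the data is already a plain PE and None when no key works."""
    if len(data) < 0x40:
        return None
    key = data[0] ^ 0x4D          # only one key can turn the first byte into 'M' ...
    if data[1] ^ key != 0x5A:     # ... and it must also turn the second into 'Z'
        return None
    dos_header = bytes(b ^ key for b in data[:0x40])
    e_lfanew = struct.unpack_from("<I", dos_header, 0x3C)[0]
    if e_lfanew + 4 > len(data):
        return None
    signature = bytes(b ^ key for b in data[e_lfanew:e_lfanew + 4])
    return key if signature == b"PE\x00\x00" else None


def compressibility_ratio(payload: bytes) -> float:
    """Size after zlib level-9 compression divided by the original size."""
    return len(zlib.compress(payload, 9)) / len(payload)


def looks_compressed(payload: bytes, threshold: float = 0.95) -> bool:
    """The recompression test from the analysis above: data that is already
    compressed (or encrypted) does not shrink and usually grows slightly."""
    return compressibility_ratio(payload) > threshold


# Constructed samples (not the real Aurora file).
_DOS_STUB = b"MZ" + b"\x00" * 58 + struct.pack("<I", 0x40)        # e_lfanew = 0x40
CLEAN_PE_LIKE = _DOS_STUB + b"PE\x00\x00" + b"\x00" * 0x100 + b"payload".ljust(64, b"\x00")
XORED_PE_LIKE = bytes(b ^ 0x20 for b in CLEAN_PE_LIKE)            # 0x00 padding becomes 0x20
TEXT_PAYLOAD = b"The quick brown fox jumps over the lazy dog. " * 100
OPAQUE_PAYLOAD = random.Random(1234).randbytes(4096)              # stand-in for a compressed payload

if __name__ == "__main__":
    for name, blob in (("clean", CLEAN_PE_LIKE), ("xored", XORED_PE_LIKE)):
        filler, share = most_common_filler(blob)
        print(f"{name}: filler byte 0x{filler:02X} ({share:.0%}), "
              f"xor key guess = {guess_single_byte_xor(blob)}")
    for name, blob in (("text", TEXT_PAYLOAD), ("opaque", OPAQUE_PAYLOAD)):
        print(f"{name}: ratio {compressibility_ratio(blob):.2f}, compressed? {looks_compressed(blob)}")
```

The XOR check deliberately needs both the 'MZ' stub and the 'PE' signature to line up, so a file whose filler happens to be 0x20 for another reason (such as the "pre-allocated then overwritten" explanation the author considers) is not misreported as XOR-encoded. A high compressibility ratio tells you the bytes are opaque, not whether they are compressed or encrypted; distinguishing the two needs the container format or the code that consumes them.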

Itzhak Avraham
Malware Researcher in MalwareIntelligence



New phishing campaign against Facebook led by Zeus

Updated 15.03.2010
New domains have been released, and the attack is now multi-stage, chaining multiple websites with malicious content.

The last stage downloads a binary called update.exe (19d9cc4d9d512e60f61746ef4c741f09), which is a variant of the ZeuS trojan and has a high detection rate.

The sequence is as follows:

Original 14.03.2010
At this point in the "circus" there is no doubt, as I always say, that ZeuS is the current "crème de la crème" of crimeware.

Some time ago we warned about different campaigns where the pattern, in all cases without exception, is the exploitation of social engineering to execute a fraudulent component, with the goal of stealing sensitive information.

Cases like the previous ZeuS campaign using the image of Facebook, and phishing attacks using popular services such as the IRS, VISA, Google and Blogger as primary cover, among many others, are concrete examples that demonstrate the magnitude of the business ZeuS offers computer criminals.

A few days ago a new campaign materialized from the hand of ZeuS, involving a large battery of malicious domains. Among them:

The folder Id735rp also contains the phishing kit and the ZeuS trojan, which in this case appears under the name photo.exe (19d9cc4d9d512e60f61746ef4c741f09).

The same URL format strategy is even being used by another known crimeware: Phoenix Exploit Pack.

Related information
Zeus and the theft of sensitive information
Facebook & VISA phishing campaign proposed by ZeuS
New ZeuS phishing campaign against Google and Blogger
ZeuS on IRS Scam remains actively exploited
Leveraging ZeuS to send spam through social networks
ZeuS Botnet and its zombie recruitment power
ZeuS, spam and SSL certificates
Effectiveness of antivirus against ZeuS
Special!!! ZeuS Botnet for Dummies
Botnet. Security hardening in the new version of ZeuS
Fusion. A concept adopted by current crimeware
ZeuS Carding World Template. (...) the face of the botnet
Financial institutions targeted by the botnet Zeus. Part two
Financial institutions targeted by the botnet Zeus. Part one
LuckySploit, the right hand of ZeuS
Botnet Zeus. Mass propagation of his Trojan. Part two
Botnet Zeus. Mass propagation of his Trojan. Part one

Jorge Mieres



Phishing campaign aimed at players Zynga

Zynga is a developer of virtual games with a wide repertoire of Flash games, which can be played even through some social networks such as Facebook, MySpace and Tagged, among others.

Recently Zynga's image is being used in a phishing campaign, with some of the games the company offers as cover.

The domains involved in the campaign are:

The structure of each folder containing the files used during the fraud comprises the files login_failed.php, logs.php, search.php, succes.html and two .txt files in which the stolen data are recorded in clear text.

The file succes.html is called from the logs.php file and contains two exploits for the vulnerabilities described in CVE-2008-2463 (Office Snapshot Viewer) and CVE-2008-0015 (MsVidCtl Overflow).

On the other hand, it contains a drive-by download through an iframe tag that redirects to spl=pdf_ie2, from where a pdf file is downloaded that is detected by 50% of the antivirus engines offered by the VirusTotal service and whose md5 is 47ea66b43e25169e6bb256e000a16ffd. In addition, it downloads the file load.exe (c2a41abc43dd0bcf98ae07315eb4c6f6), in this case detected by 90%.

Both files are In-the-Wild and are part of a known exploit pack, version 1.2 of Eleonore Exploit Pack.

Related information
Phishing database III

Jorge Mieres



Oficla botnet with more than 200,000 zombies recruits

In a recent investigation we discovered an Oficla botnet, also known as Sasfis in the nomenclature of some antivirus companies, with a significant number of zombies recruited in 48 countries, demonstrating the scale this represents on the crimeware scene.

The command and control (C&C) base of this Oficla botnet is maintained through the crimeware myLoader (whose cost in the underground market is USD 700) and is located in Russia, the country with the largest number of infected computers, with a total of 116,119, followed by Ukraine with 53,746.

The total number of zombies that are part of this botnet amounts to an alarming 210,619. This information can be verified in the following screen.

While the figure is alarming, the problem is much deeper and more disturbing. That is, for a system to be an active part of a botnet means that it was previously infected by malicious code (in this case Oficla/Sasfis), which clearly shows the failure of the security mechanisms implemented to counter these threats.

Not only in terms of preventing infection, but also in detecting, from the type of TCP/IP and HTTP traffic, that the system is part of a botnet.

On the other hand, it's important to note that recruitment into this botnet continues to rise, at approximately 120 computers infected per hour.

A report with more details on the management framework and the recruitment power of the Oficla/Sasfis botnet can be downloaded from the papers section of Malware Intelligence.

Related information
myLoader. Framework for the management of botnets
SpyEye Bot. Analysis of a new alternative scenario crimeware
State of the art in Eleonore Exploit Pack
RussKill. Application to perform denial of service attacks
DDoS Botnet. New crimeware particular purpose
ZeuS Botnet and its zombie recruitment power

Jorge Mieres



myLoader. Framework for the management of botnets

myLoader is another alternative available to cyber criminals for the management and administration of botnets. It has existed for about six months, but most of its activity has been managed in the last month of the first quarter of 2010.

It has a minimalist interface, but the data it gathers is returned in an orderly manner through intuitive graphics from which we obtain the state of the controlled botnet.

In this case it is an early-stage botnet that has recruited 1922 zombies, of which 299 were active. However, we found several others that have a large number of zombies.

Regardless of how early in its life this crimeware is, the truth is that it is a clear example of the real extent of the fraudulent business currently hiding underground.

The crimeware is sold on the market for under USD 700.

Currently the myLoader framework is being used to propagate the trojan Oficla, also known as Sasfis.

Related information
SpyEye. New bot on the market
State of the art in Eleonore Exploit Pack
Siberia Exploit Pack. Another package of explois In-the-Wild
RussKill. Application to perform denial of service attacks
DDoS Botnet. New crimeware particular purpose
JustExploit. New Exploit kit that uses vulnerabili...
Fragus. New botnet framework In-the-Wild
ZeuS Botnet and its zombie recruitment power
Liberty Exploit System. Alternatively crimeware to...

Jorge Mieres
