MalwareIntelligence is a site dedicated to research on all matters relating to anti-malware security, criminology computing and information security in general, always from a perspective closely related to the field of intelligence.


Intelligence and operational level by Siberia Exploit Pack

Siberia Exploit Pack is a crimeware, evolution of Napoleon Exploit Pack, which we've done a brief description on another occasion. However, since the time of that description to this day, the landscape has expanded its developer.

In this regard, and while it ends up being one of the bunch, the interesting thing about this crimeware is information provided by their panel of statistics (intelligence for the attacker), by the way very similar to that provided by Eleonore Exploit Pack, which provide data regarding the success of business which has the exploit  pack for recruitment zombie, discriminating on the basis of these data:
  • Countries affected
  • Most exploited Operating Systems
  • Reference domains with the highest percentage by which vulnerabilities are exploited
  • Browsers exploited
  • Pre-compiled exploits in this version of the package
Let me stress (because it's a minor detail) with this collection of information is nothing more than to intelligence, which allows the attacker to know, at first instance:

In the former case, the population of which country is more vulnerable, perhaps because of their level of piracy, which brings to attention the lack of security updates for operating systems and applications, because as we will see to reach exploits, all these are known and have long been concerned with the patch that fixes the vulnerability.

In this case, the first five countries where this crimeware has higher infection rate include the United States, Britain, Canada, Russia and Germany.

The same approach is being pursued with the data we obtained on operating systems "vulnerable" in quotes because, as I said above, the degree of vulnerability of the OS depends directly on a number of aspects that should be covered by hardening, in which an important factor is the implementation of security patches.

For example, the vulnerability in MDAC (Microsoft Data Access Components) from the year 2006 (four years), described in Microsoft Official Bulletin MS06-014. The impact on operating systems have this version of crimeware, we can see in the picture below.

The list of operating systems is large and attacked the three with the highest vulnerability gap belongs to the family of Microsoft (which is obviously due to the massiveness of use), and other MS also.

However, the crimeware cover other non-Windows operating systems, including PlayStation consoles (GNU / Linux or Black Rhino) and Nintendo Wii (ironically a modified version of a GNU/Linux), in the case of OS used and Workstations high-end mobile phones, including:
  • Mac OS
  • GNU/Linux
  • FreeBSD
  • iPhone
  • Windows Mobile
  • Windows CE
  • Pocket PC
  • Symbian OS
Here we are beginning to recognize that criminals have broadened the scope of coverage, incorporating into its portfolio of options exploitation of vulnerabilities (through the browser) and recruitment of zombies on other operating systems used in other computer technologies.

Regarding references, involving nearly 28.000 domains where each of them redirect to another page with malicious content or at least doubtful as:
References to these sites are obtained through an application of such TDS (Traffic Distribution System), also installed on the same server, used to redirect traffic to and from the pages listed in this module of the package. The TDS are widely used for BlackHat SEO.

Moreover, the list is very large as it details the most violated browsers together with their respective versions, they are:
  • Internet Explorer since version 4 through 8
  • Firefox from version 1.0.3 to 3.6b4
  • Opera from version 6.0 to 10.0
  • Opera for Mobile
  • Safari browser
  • PlayStation (Firefox)
  • Pocket PC
  • SeaMonkey 1.1 and 2.0 (Mozilla Suite, which includes a web browser)
  • Nintendo browser
  • IPhone Browser
  • Mobile Phone Browser (Internet Explorer)
  • Chrome from version 1.0 to 6.0
Finally, what are the exploit managers exploit vulnerabilities in all of the above? Well, in principle it should be noted that it's the exploits are designed to exploit known vulnerabilities, as I mentioned above, long-standing.

The most exploited, Java GSB. Less exploited vulnerabilities are those of Adobe Reader PDF files through manipulated.

Undoubtedly the cybercriminals intelligence processes incorporate in their strategies to spread / infection, allowing them to have a comprehensive picture of the situation on the virtual field, increasing the successful outcome in their attacks.

Imagine this data to run campaigns on a "virtual guerrilla war", even to understand the variety of OS environments used in military/government and analyze well the best place to carry out DDoS attacks against critical resources of a State. The thing does not seem so trivial. 

Jorge Mieres
Founder & Director of MalwareIntelligence
Crimeware & Intelligence Analyst Researcher

Related information 
State of the art in CRiMEPACK Exploit Pack
Crimeware-as-a-Service and antivirus evasion schemes
Russian service online to check the detection of malware
Software as a Service on the malware industry
Creating Online PoisonIvy based polymorphic malware

Ver más


BlackHat SEO Campaign for the thirtieth anniversary of PAC-MAN

Recently, the legendary video game PAC-MAN has completed 30 years of existence and Google has launched a campaign in his honor by placing a banner that allows even play.

However, Google not only benefits from this but also cyber-criminals, who saw in this campaign a new opportunity to attack and have launched another campaign, but the spread of malware through BlackHat SEO (also called SEO Poisoning).

Some other search parameters may include:

pac man 30th anniversary game
pac man 30th anniversary games
pac man 30th anniversary google
pac man 30th anniversary high score
pac man 30th anniversary play
pacman free online 3d
pacman free online addicting games
pacman free online download
pacman free online game for kids
pacman free online game
pacman free online no sound
pacman free online play
pacman free online with no sound
pacman game download
pacman game flash
pacman game for kids
pacman game for wii
pacman game free download
pacman game full screen

Traffic redirected to the download of scareware. In this case, a binary md5 4c9ac21a2730a5e6d8c8018afb517d5e which has a very low detection rate: 6/41 (14.63%).

Among the domains that involves the campaign are:

To achieve massify the campaign and get a good PageRank in Google, criminals violated a server hosted on a list of web pages with the titles which make up words that are the subject of regular search. These files are located in a hidden folder, often called the ".files"

Under this scenario, taking into account that these strategies are widely used for the propagation of malware, a good practice is to verify at the root of posting the existence of hidden folders.

Related information
Estrategia BlackHat SEO propuesta por Waledac
Malware propagation through blogging sites format and BlackHat SEO
Campaña de propagación del scareware MalwareRemovalBot

Ver más


State of the art in CRiMEPACK Exploit Pack

CRiMEPACK exploit pack is a widespread and accepted in the crime scene in this area came under the slogan "Highest Lowest rates for the price".

He is currently In-the-Wild 3.0 version is being developed as alpha (the first of this version). That's, is in the middle stage of evaluation, perhaps in the next few days will go on sale in underground forums, at which time it will know your actual cost.

Like any pack exploit, it also consists of a set of pre-compiled exploits to take advantage of a number of vulnerabilities in systems with weaknesses in some of its applications, then download and run (Drive-by-Download & Execute) codes malicious and convert that system into a zombie, and therefore part of the apparatus crime.

And I mean ... "criminal" because those behind the development of this type of crimeware do for this purpose. And judging by the pictures (a washcloth, a handgun, a wallet, money and what appears to be cocaine, own scenario of all mafia) observed in the authentication interface your control panel, this definition is very evident.

The first time I found this package was in 2009, when version In-the-Wild was version 2.1 and later expressed his "great leap" to one of the most popular: version 2.8 (still active) which in early 2010 had incorporated into its portfolio of exploits CVE-2010-0188 y CVE-2010-0806; in addition to adding an iframe generator and function "Kaspersky Anti-emulation", at a cost of USD 400.

In this first stage of the evaluation version 3, CRiMEPACK incorporates a total of 14 exploits, which are:

For all the exploits incorporates a feature that can be enabled or disabled from the control panel called "Aggressive Mode", which is a JAVA Applet that emerge through a pop-up window asking the victim whether to accept potential the applet. If so, reload the payload (the malware).

Furthermore, within the constantly evolving experience this type of crimeware, incorporates self-defensive measures such as avoiding desofuscación scripts and techniques anti Wepawet and Jsunpack.

In addition to automatically check if the domain used is listed in the services:
  • Norton SafeWeb
  • My WebOfTrust
  • Malc0de
  • Google Safe Browsing
  • MDL
  • McAfee SiteAdvisor
  • HpHosts
  • MalwareURL
Brian Kreb few days ago on his blog an article about the implication that this package was in the process of propagation and exploitation of a vulnerability, so far, the type 0-Day through JAVA, and certainly was exploited vulnerability through a class.

However, it was also associated with another exploit pack called SEO Sploit Pack and although it is not the same once more evidence is in complete business processes representing crimeware has a very high demand, offering low-applications costs within a competitive business model ... and increasingly aggressive!

Related information
Siberia Exploit Pack. Another package of explois I...
RussKill. Application to perform denial of service...
JustExploit. New Exploit kit that uses vulnerabili...
DDoS Botnet. New crimeware particular purpose
T-IFRAMER. Kit for the injection of malware In-the...
Fragus. New botnet framework In-the-Wild
Liberty Exploit System. Alternatively crimeware to...
TRiAD Botnet III. Remote administration of multi-p...

Ver más


A recent tour of scareware XXII

A-Fasta Antivirus
Latvia Latvia Riga Sagade Ltd
12/40 (30.00%)
Latvia Latvia Colocation Hosting
Austria Austria Klagenfurt Anexia Internetdienstleistungs Gmbh
AS42473 - ANEXIA Internetdienstleistungs GmbH
United  Kingdom United Kingdom Pi Obodovsky Ivan Sergeevich
AS49544 - INTERACTIVE3D-AS Interactive3D
United  States United States Scranton Network Operations Center Inc
AS21788 - NOC Inc (Network Operations Center)
Malaysia Malaysia Darren Tan
Canada Canada Interweb Media
AS21793 - MAINT AS21793 Maintainer for Tenino Telephone
United  States United States Scranton Network Operations Center Inc
AS21788 - BurstNet Technologies, Inc.

Antivirus PC 2009
Kazakhstan Kazakhstan Lorer Corporation
AS48588 - QUICK-AS Quick IT Ltd
37/40 (92.50%)
United  Kingdom United Kingdom Leksim Ltd
AS5577 - ROOT SA
United  States United States Clarks Summit Volumedrive
AS46664 - VolumeDrive
Portugal Portugal Faro Worldstream
AS49981 - WorldStream = Transit Imports = -CAIW
United  States United States Arlington Heights Ecomdevel Llc
AS32181 - ASN-CQ-GIGENET ColoQuest/GigeNet ASN
United  States United States San Francisco Everydns Llc
United  States United States Orem Bluehost Inc
AS11798 - ERILAB Ericsson Cyberlab West
Netherlands Netherlands Eindhoven Web10 Ict Services
AS34305 - EUROACCESS Global Autonomous System
Moldova, Republic Of Moldova, Republic Of Chisinau Vid-tehno Srl Customers
AS31252 - STARNET-AS StarNet Moldova
Netherlands Netherlands Netrouting
AS47869 - NETROUTING-AS Netrouting Data Facilities

Related information
A recent tour of scareware XXI
A recent tour of scareware XX
A recent tour of scareware XIX
A recent tour of scareware XVIII
Una recorrida por los últimos scareware XVII
Una recorrida por los últimos scareware XVI
Una recorrida por los últimos scareware XV
Una recorrida por los últimos scareware XIV
A recent tour of scareware XIII
A recent tour of scareware XII
A recent tour of scareware X
Una recorrida por los últimos scareware X
Una recorrida por los últimos scareware IX
Una recorrida por los últimos scareware VIII
Una recorrida por los últimos scareware VII
Una recorrida por los últimos scareware VI
A recent tour of scareware V
A recent tour of scareware IV
A recent tour of scareware III
A recent tour of scareware II
A recent tour of scareware

Jorge Mieres

Ver más


Campaign phishing to Claro Argentina

Currently running a major phishing campaign aimed at users in Argentina who use the services of the mobile phone company Claro. The following image is a screenshot of the attack:

The strategy is the user trying to deposit the information in your credit card in the fraudulent when you want to buy credits on your cell phone.

When the user falls into the trap and supposedly when processing the information, a message appears, as shown in the image below, through which indicates that the operation could not be processed, thus closing the cycle of attack.

However, the attacker leaves the door open for unsuspecting users, seeing that the operation was allegedly hit by a problem between the bank and the credit card data, the transaction can try again but with another credit card.

For this campaign is hosting the servers fraudulent material infringed, but also are registering domains, to customize the type and segment the attack only to users of Argentina.

No doubt any kind of service that is offered through the Internet and involves an authentication process or request private information from users, represents a potential target for phishing strategies, as currently this attack isn't limited to obtain information such as bank.

Therefore, the recommendation for users of course in Argentina is that when accessing this service, check the web address to which they are accessing.

Related information
Besouro film website violated, PayPal phishing attacks
Web Hooters Germany committed to phishing HSBC
Dissection of a fraudulent package. Wachovia phishing attack
Jorge Mieres

Ver más