MalwareIntelligence is a site dedicated to research on all matters relating to anti-malware security, computer criminology and information security in general, always from a perspective closely related to the field of intelligence.


Black Hole Exploits Kit. Another crimeware added to the criminal supply

The crimeware industry continues to grow through the development and commercialization of new packages of pre-compiled exploits, adding to the supply of alternatives that facilitate criminal maneuvers over the Internet.

In this case it is Black Hole Exploits Kit, a web application developed in Russia that also incorporates an English-language interface. Its first version (currently a beta) has been trying to make a place for itself on the black market since early September 2010. Its cost is set according to a number of features that attempt to differentiate it from the rest.

Black Hole Exploits Kit statistical module
This module offers a quick view of the most relevant information for a botmaster: the number of computers that form part of the network and their respective countries, the exploits with the highest success rates, and other processed information.

Unlike many other crimeware of this style, Black Hole Exploits Kit uses a time-based licensing system. For example, buying this crimeware for one year (currently the maximum term) costs $1500, while the semi-annual and quarterly licenses cost $1000 and $700 respectively.

Statistics on the affected operating systems
The trend marks a slight but gradual increase in compromised operating systems that do not belong to the Microsoft family. This crimeware includes *NIX-based platforms such as GNU/Linux and Mac OS. Others, such as Siberia Exploit Pack and Eleonore Exploits Kit, include platforms for high-end mobile devices and gaming consoles.

There is also a cost of $50 for the option of using the encryption system. This feature follows the pattern of "extra" services offered by crimeware developers, like the ability to check the malware spread through the crimeware against antivirus engines (AVChecker).

To carry out this check, VirTest is most often used: a private service of Russian origin that has become a favorite of criminals for monitoring the detection status not only of the malware but also of the exploits the pack spreads. Several crimeware packages have recently added a VirTest module, including the latest version of SpyEye.

As for the exploits, all of those it incorporates at the moment are public and widely used by most current crimeware. Nevertheless, these exploits have the highest rate of success in exploitation.

Exploit statistics
This module displays statistical data on the success rate of each of the exploits that are part of the crimeware.

Black Hole Exploits Kit includes a TDS (Traffic Direction Script), which removes the dependence on a separate web application for manipulating web traffic arbitrarily; this feature will probably catch the attention of criminals.

It also has a self-defense module that can block access to certain security websites by URL or IP address range. In the next image it is set to block access to Kaspersky Antivirus websites:

Self-defense module
Through this module a list of addresses to block can also be imported or exported.

Black Hole Exploits Kit joins the portfolio of offerings, and a little more than a month after its launch in underground environments there is no further In-the-Wild activity, perhaps due to its initial cost. However, security professionals should pay special attention to this crimeware, since its characteristics and cost (which will probably decrease slightly in the next version) will be well received within the criminal community and therefore in demand by offenders.

Related information
Jorge Mieres
Founder & Director of MalwareIntelligence
Crimeware & Intelligence Analyst Researcher



Black Software. New affiliate business of the Pay-per-Install type

The business model represented by affiliate programs with Pay-per-Install type systems is in full swing, being a fundamental part of the criminal groups seeking to grow their economy.

In this case, we have a new affiliate program called Black Software, which promotes the download of malware.

Black Software Access Panel
This is a simple, conventional authentication process requiring user name and password

The program is of Russian origin and, according to its IP address, is hosted in the Netherlands. It began its business proposal in late August 2010 and has a mechanism by which each member must configure some information to obtain the URL needed to start the business.

Black Software Guide
This guide provides information on how to properly configure the data needed to obtain the URL, along with a brief FAQ

As usual, the registration process requires a series of details that allow those behind the affiliate system to validate the potential customer and avoid possible infiltration.

It also has a statistics module through which members check their account status; it is updated by the system every 15 minutes, and information relating to each download can be viewed.

Statistics module
Through it the affiliate system provides the information each "customer" needs to check their account status

Payment is made weekly, and accounts with a significant revenue stream may optionally set the point at which they want to be paid for the criminal activities carried out through this web application.

Black Software is conventional and has no differentiating factor compared with other affiliate programs of its style, and yet it has a high percentage of activity, perhaps because of its status as "new" in the criminal environment and, therefore, not yet well known.

However, it is another resource available to those who feed their economy daily through fraudulent and criminal proceedings.

Related Information
Circuit membership for the dissemination of NoAdware rogue



Phoenix Exploit’s Kit v2.1 Inside

Crimeware is one of the means most used by cyber criminals to gather intelligence, enabling the identification of trends and habits of the people who use the Internet daily.

This seeks to obtain relevant, timely and complete information about the victims which, further, allows criminals to know which factors to emphasize in the "improvements" to the web application, and allows the botmaster to think of a strategy for promoting malware.

Why? Obtaining processed information (intelligence) is key because it provides them with real data on the different technologies used by people. This type of maneuver is widely used by criminals. Ever wondered why Koobface spreads through social networks?

For example, most crimeware of this style collects data on:
  • Type and version of platforms. Lets them know which operating systems are used and which are the most vulnerable.
  • Type and version of browsers. Seeks to understand the same aspect as above.
  • Countries affected. Lets them know the number of victim computers in each country. Thus the botmaster can discriminate the spread of malware, focusing its promotion on particular countries.
Why? Because all this information allows the developer to add and/or upgrade versions, incorporating "improved" exploits into the "product". Furthermore, taking the last point as an example, the simplicity and readability of the statistical data leads many botmasters to use PEK (Phoenix Exploit's Kit) to spread malware that is used as a "bridge" to register successful downloads and installations, increasing their economy through Pay-Per-Install affiliate systems.

Currently PEK development is at version 2.3r, a preliminary version of 2.4 that has been in its "testing" stage since mid-August 2010. The latest "stable" version is 2.3.

However, this post is about version 2.1 of Phoenix Exploit's Kit, and we will see that from the visual point of view it has not changed in previous or subsequent versions.

By default it has 10 exploits, which are:
This version carries over the Phoenix Triple System feature incorporated in version 1.4, which is basically an encryption scheme for the binary executables that are disseminated. Its purpose is to hinder the process of analyzing the malware.

It consists of six modules, of which four provide relevant information for each computer that is part of the botnet.

Simple statistics
This is an overview of the collected data, showing the browsers with the highest percentage of successful exploitation together with the number of visits for each of them, the total number of visits, and the exploits the package has. Here is an updated version where some exploits have been incorporated

Advanced statistics
Basically it provides a level of detail on the affected operating systems and browsers, incorporating the version of each as useful data. In this case, the three most compromised operating systems are Windows XP, Vista and Seven, respectively, and with a minimum compared to these, but higher than Windows ME, 2000 and 2003, are Linux platforms.

Interestingly, in terms of browsers, the three with the highest rate of vulnerability are Firefox 3.6, Internet Explorer 8 and 7 respectively.

Country statistics
Information related to the countries where the compromised computers are located. The detail of this information lies in the number of visitors from certain countries and the number of successful exploits, also broken down by country.

Referers statistics
Information about the sites that refer traffic to Phoenix Exploit's Kit. The main feature is that the pattern followed by PEK is referral from porn sites, from which the browser is attacked through some of the pre-compiled exploits in the package. This module shows the list of pages, the number of visits per page and the number of exploits that have been successful, with an average expressed as a percentage.

The list for the version used for this article is very long, but it is complete at the following link: PEK v2.1 Referers List.

Upload .exe
This module allows updating the malicious code to spread. Usually it is only changed each time the executable binary is submitted to the Phoenix Triple System encryption process, or when the botmaster changes the infection strategy according to new targets for the malware; for example, a change in the affiliate system through which they spread their own malware.

In this case, PEK is used to propagate a generated version of the ZeuS trojan:
More information on the different versions of this crimeware can be found in the white paper Phoenix Exploit's Kit. From the mythology to a criminal business.
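The infection chain described above (a cross-site referral into the kit's landing page, the exploit stage, then the executable uploaded through the "Upload .exe" module) is something a defender can hunt for in web proxy logs. The following is an added example, not code from the original post or from the kit: it correlates constructed sample log lines (the log format, hostnames and timestamps are assumptions) and flags any client that lands on a host from elsewhere and then fetches an executable from that same host within a short window.

```python
"""Hunt for a Phoenix-style drive-by chain in web proxy logs (added example)."""
from datetime import datetime, timedelta
from urllib.parse import urlparse

# Constructed sample log (not real data): time, client, url, content-type, referer.
# Client 10.0.0.5 follows the chain referrer -> landing page -> PDF exploit -> EXE;
# client 10.0.0.9 only fetches a vendor update and must not be flagged.
SAMPLE_LOG = """\
2010-09-20T10:00:01 10.0.0.5 http://referrer.example/index.html text/html -
2010-09-20T10:00:03 10.0.0.5 http://landing.example/in.php text/html http://referrer.example/index.html
2010-09-20T10:00:04 10.0.0.5 http://landing.example/pdf.php application/pdf http://landing.example/in.php
2010-09-20T10:00:07 10.0.0.5 http://landing.example/load.php?e=1 application/x-msdownload -
2010-09-20T10:05:00 10.0.0.9 http://vendor.example/update.exe application/x-msdownload -
"""

# Content types a kit's "Upload .exe" payload is usually served with (assumption).
EXEC_TYPES = {"application/x-msdownload", "application/octet-stream"}
WINDOW = timedelta(seconds=30)  # landing-to-download window worth flagging


def parse_line(line):
    """Split one space-separated log line into a dict; '-' means no referer."""
    ts, client, url, ctype, referer = line.split()
    return {"ts": datetime.fromisoformat(ts), "client": client, "url": url,
            "ctype": ctype, "referer": None if referer == "-" else referer}


def find_driveby_chains(log_text, window=WINDOW):
    """Return (client, landing_host, exe_url) for every client that reached a
    host via a cross-site referer and then downloaded an executable from that
    same host within `window`. A bare download with no landing page is ignored,
    which keeps ordinary software updates out of the results."""
    events = [parse_line(l) for l in log_text.splitlines() if l.strip()]
    landings = {}  # (client, host) -> time of first cross-site landing
    hits = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        host = urlparse(ev["url"]).hostname
        key = (ev["client"], host)
        if ev["referer"]:
            ref_host = urlparse(ev["referer"]).hostname
            if ref_host != host and key not in landings:
                landings[key] = ev["ts"]
        if ev["ctype"] in EXEC_TYPES and key in landings:
            if ev["ts"] - landings[key] <= window:
                hits.append((ev["client"], host, ev["url"]))
    return hits


if __name__ == "__main__":
    for client, host, url in find_driveby_chains(SAMPLE_LOG):
        print(f"possible exploit-kit chain: {client} landed on {host}, fetched {url}")
```

Running it on the sample flags only 10.0.0.5; the landing host and the executable URL are the pivots to compare against the kit's referrer list and the uploaded binary.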

Related information
State of the art in Phoenix Exploit's Kit [White paper]

Campaign infection through Phoenix Exploit's Pack
Phoenix Exploit's Kit and Pay-per-Install via PC Defender Antivirus
Phoenix Exploit's Kit. Another alternative for botnet control

Jorge Mieres
Founder & Director of MalwareIntelligence
Crimeware & Intelligence Analyst Researcher



myLoader, C&C of an Oficla botnet in BKCNET "SIA" IZZI, with the highest infection rate in Brazil

myLoader is a web application that allows offenders to collect statistical information related to different factors and features of each infected computer. The crimeware is sold on the underground market at an average cost of $700.

The Oficla botnet started its criminal activities at the beginning of 2010; the executable binary is detected by antivirus engines as Oficla or Sasfis and is generated by a builder that incorporates myLoader.

In early 2010, MalwareIntelligence warned of the activities of an Oficla botnet that had recruited more than 250,000 computers and after several days exceeded 300,000 zombies. A white paper explaining the marketing of the crimeware and the operation of the botnet is available in the documents section.

The Latin American region has a significant development of malware, especially, without doubt, in Brazil, with the generation of malicious code designed to steal financial information through trojans usually spread by email or MSN.

However, Brazil is not alone in the region: in countries such as Mexico, Peru and Argentina the trend is also accompanied by an important flow of criminals who even aspire to copy the fraudulent and criminal business models from across the world, routinely generating new research points because of the security incidents they cause, primarily the theft of information.

In all of this scenario, botnets play a key role in a high percentage, I dare say almost all, of the crimes committed via the Internet. That is, within the current scope of cybercrime, botnets represent the key tool cyber-criminals have.

The following image is an example. It is an Oficla botnet maintained through myLoader, with a total of 9065 recruited zombies.

myLoader statistics
Basically it displays information related to the number of compromised computers over the past 15 days, how many are online, among other things

And showing what I mentioned above, the top ten affected countries are led by Brazil with a little over 1300 zombies (almost 15%) and, as regards Latin America, followed by Mexico and Argentina.

Geolocation statistics of the zombies
This image only shows the top ten countries where the botnet has zombies

Computers affected in Brazil only
The list is long and mostly displays information on the infected computers

An interesting point is that this botnet is under the roof of an IP address in AS6851, known under the name BKCNET "SIA" IZZI or SAGADE, widely popular for its relationship with the hosting of criminal resources such as ZeuS, Koobface and affiliate businesses, among many others.

In the documents section you can download a white paper with information about the criminal resources associated with a given range of IP addresses under the tutelage of BKCNET "SIA" IZZI.

As for the malicious code spread through this botnet, the binary executables are the following:

Related information
Oficla botnet with more than 200,000 zombies recruits
myLoader. Framework for the management of botnets
myLoader. Base C&C to manage Oficla/Sasfis Botnet [Whitepaper English version]
Criminal activities from BKCNET “SIA” IZZI / ATECH-SAGADE - Part one [Whitepaper English version]

Jorge Mieres
Founder & Director of MalwareIntelligence
Crimeware & Intelligence Analyst Researcher


Criminal activities from BKCNET “SIA” IZZI / ATECH-SAGADE - Part one

BKCNET "SIA" IZZI, also known simply as ATECH-SAGADE, is AS (Autonomous System) number 6851; it is currently one of the most active crimeware hubs, through which a large amount of malicious code is distributed daily, besides being the control base hosting several C&C that feed the underground economy.

Its geolocation is in Latvia and, as I mentioned on another occasion, "This ASN is listed as a server of criminal activities such as the spread of different families of rogue, hosting of crimeware such as YES Exploit System; in 2009 it hosted the strategies of the Waledac botnet (Storm's successor), also ZeuS, and it has a direct relationship with the criminals behind the Koobface botnet maneuvers".

Today, most of the malware spread through the resources supported by BSI (BKCNET "SIA" IZZI) carries out maneuvers that support the management of affiliate systems, precisely to increase criminals' profits through successful infections.

The following evidence shows the activities of AS6851 in the IP range, aggregated up to August 14, 2010 (history in red), in response to malicious maneuvers.

English version
Spanish version



Circuit membership for the dissemination of NoAdware rogue

Malware hides a business behind it. Without a doubt, I believe no one denies this claim. Day by day there is an important flow of malicious code that, while general-purpose in its activities, ultimately seeks to feed the business behind it through fraudulent mechanisms and strategies.

One of the most popular business models is to pay a percentage of money to those who successfully promote rogue. The model is known as affiliate programs, while the payment scheme is called Pay-Per-Install.

This is the case of the NoAdware rogue, a malicious code that has been widely available for several years under different guises.

NoAdware home page
From this website you download the official binary, the "economic resource" for the system of affiliates and partners

Using the common strategies imposed by websites of this style, such as false certificates and testimonials that try to convey confidence to potential victims, they promote the installation of an alleged security solution that is actually malware.

Affiliate programs usually provide only the executable to spread, which many criminals distribute through some exploit-pack type crimeware and, to a lesser extent, only through a page that is created and hosted at their own risk.

The system behind NoAdware facilitates this by providing the ability to select a template and then simply upload it to the affiliate's hosting. Thus, when a potential victim visits this site, they are redirected to the NoAdware home page, and each member, in theory, gets 75% of the money for each installation. The rogue (disguised as a security program) sells for $47.00.

However, other prices are also handled, directly related to the number of licenses:
  • 2 Computers ($67.00)
  • 3 Computers ($87.00)
  • 5 Computers ($117.00)
  • 10 Computers ($197.00)
  • 25 Computers ($417.00)
  • 50 Computers ($767.00)
Site selection to propagate NoAdware
The process involves two steps: select the template and download it. This website routes traffic to the NoAdware home page

NoAdware is also promoted under the name Adware Professional 2010. It is exactly the same application, producing misleading reports about the system, and the same system behind NoAdware is behind it.

Hypothetically speaking, suppose a partner (affiliate/delinquent) achieves one successful installation per day for 30 days (one month). 75% of $47 is $35.25 (this is what one day with one successful installation of the malware would earn). Accordingly, this partner would have a theoretical gain of $1057.5 per month.

This affiliate program works with a legal Internet payment system called ClickBank, notable mainly because a large number of rogue-type malware affiliate programs are run through this system.

HopLink for NoAdware
This page directs traffic to the official NoAdware website, while sending the affiliate's information to the payment system so that it is logged to their account

The address is a URL with the following syntax: [PARTNER-NICK]

This records the payment of a percentage of money as a commission for each of the members who serve in the circuit of this rogue.

Affiliate system circuit
The graph shows the different stages a conventional affiliate goes through

One piece of evidence reflecting the adoption of ClickBank by criminal groups to secure "safe" economic transactions is the important flow of affiliate systems, many of them promoting malware, that are under its roof. Some of them are:
This brief list is just a small sample, because the volume of malware promoted through this medium is very large.

Related information
AntiSpy Safeguard with new social engineering approach
