<![CDATA[[SecurityRatty] tag: kits]]>

<![CDATA[[SecurityRatty] tag: kits]]> http://securityratty.com/tag/kits Tue, 15 Jul 2008 13:18:32 +0000 iRatty Engine http://blogs.law.harvard.edu/tech/rss <![CDATA[DIY Botnet Kit Promising Eternal Updates]]> http://securityratty.com/article/c280e95d4aabb245987b5dc2c799185b http://securityratty.com/article/c280e95d4aabb245987b5dc2c799185b

Among the main differences between a professional botnet command and control kit, and one that's been originally released for free, is the quality and the clearly visible experience of the kit's programmer in the professional one.

A Chinese hacking group is offering the moon, and asking for nothing. And in times when a cybercriminal can even monetize his conversation with a potential customer by telling him he's actually consulting them and barely talking, is this for real and how come? This "Robin Hood approach" on behalf of the group could have worked an year ago, when greedy cybercriminals were still charging hundreds of thousands of dollars for their sophisticated banker malwares. Today, most of them leaked in such a surprising, and definitely not anticipated on behalf of the malware coders way, that not only they stopped offering support and abandoned their releases, but what used to be available only to those willing to open their virtual pocket and transfer some virtual currency, is available to everyone making such free botnet kits irrelevant - mostly due to their simplicity speaking for zero quality assurance we can see in professional kits.

Once the dust settles on this populist underground release, its potential users would once again return to their localized copies of web based botnet command and control kits.

]]> Tue, 19 Aug 2008 23:53:16 +0000 professional professional kits kit professional botnet command quality assurance populist underground release control kit quality robin hood approach DIY Botnet Kit Promising Eternal Updates <![CDATA[Phishers Backdooring Phishing Pages to Scam One Another]]> http://securityratty.com/article/6ccaae3434fe8c6502ba9a6fc0cfb3e0 http://securityratty.com/article/6ccaae3434fe8c6502ba9a6fc0cfb3e0

There seems to be no such thing as a free phishing page these days, with phishers scamming one another at an alarming rate according to a recently published research entitled "There is No Free Phish:An Analysis of “Free” and Live Phishing Kits".

Cybercriminals attempting to scam other cybercriminals has been happening for years, with old school cases where backdoored malware tools such as crypters and binders are offered for free, or a newly released RAT whose client is in fact infected with a third-party malware. Realizing and definitely not enjoying the fact that the lowered entry barriers into cybercrime are empowering yesterday's script kiddies will malware kits that used to be utilized by a set of people who invested time and money into the process several years ago, this unethical competitive practice is only going to get more common. Backdooring phishing pages is one thing, backdooring entire web malware exploitation kits, next to the possibility to remotely exploit a competitor's command and control server is entirely another :

"Taking a more strategic approach, a cybercriminal wanting to scam another cybercriminal would backdoor a highly expensive web malware exploitation kit, then start distributing it for free, and in fact, there have been numerous cases when such kits have been distributed in such a fraudulent manner. The result is a total outsourcing of the process of coming up with ways to infect hundreds of thousands of users though client side exploits embedded or SQL injected at legitimate sites, and basically collecting the final output - the stolen E-banking data and the botnet itself."

What's to come in the long term? Why just backdoor the phishing page, when you can embedd it with a live exploit URL in an attempt to both, infect the cybercriminal about to use and obtain all of the already stolen virtual assets has has already stolen, and also, have a third-party maintain a blended attack campaign without even knowing it.

Related posts:
Phishing Campaign Spreading Across Facebook
Phishing Pages for Every Bank are a Commodity
RBN's Phishing Activities
Inside a Botnet's Phishing Activities
Large Scale MySpace Phishing Attack
Update on the MySpace Phishing Campaign
MySpace Phishers Now Targeting Facebook
MySpace Hosting MySpace Phishing Profiles
DIY Phishing Kits
DIY Phishing Kit Goes 2.0
PayPal and Ebay Phishing Domains
Average Online Time for Phishing Sites
The Phishing Ecosystem
Assessing a Rock Phish Campaign
Taking Down Phishing Sites - A Business Model?
Take this Malicious Site Down - Processing Order..
209 Host Locked
209.1 Host Locked
66.1 Host Locked
Confirm Your Gullibility
Phishers, Spammers and Malware Authors Clearly Consolidating
The Economics of Phishing

]]> Thu, 07 Aug 2008 11:01:50 +0000 phishers myspace phishers campaign myspace rock phish campaign free phish free kits attack Phishers Backdooring Phishing Pages to Scam One Another <![CDATA[Pinch Vulnerable to Remotely Exploitable Flaw]]> http://securityratty.com/article/8cbf69361bdc83216c6de0e5e5d551a0 http://securityratty.com/article/8cbf69361bdc83216c6de0e5e5d551a0

In the very same way a cybercrime analyst is reverse engineering and sandboxing a particular piece of malware in order to get a better understanding of who's being it, and how successful the campaign is once access to the command and control interface is obtained, cybercriminals themselves are actively reverse engineering the most popular crimeware kits, looking, and actually finding remotely exploitable vulnerabilities allowing them to competely hijack someone's command and control, and consequently, their botnet. The Zeus crimeware kit, which I've been discussing and analyzing for a while, is the perfect example of how once a popular underground kit start acting as the default crimeware kit, cybercriminals themselves start looking for vulnerabilities that they could take advantage of. And those who look, usually end up finding.

A remotely exploitable flaw allowing cybercriminals to remotely inject a web shell within another cybercriminal's web command and control interface of the popular Pinch crimeware that's been around VIP underground forums since June, 2007, is starting to receive the necessary attention from script kiddies catching up with the possibility of hijacking someone's malware campaign due to misconfigured command and control servers.

With the exploit now in the wild, retro cybercriminals still taking advantege of the ubiqutous command and control interface that could be easily used by other malware rathar than Pinch, "cybercriminals are advised" to randomize the default file name of the gate, and apply the appropriate directory permissions.

Monocultural insecurities are ironically started to emerge in the IT underground with the increasing commoditization of what used to be a proprietary web exploitation malware kit or a banker malware kit, allowing easy entry into the malware industry through the unregulated use of what some would refer to as an "advanced technology" that only a few cybercriminals used to have access to an year ago. Just like legitimate software vendors, authors of crimeware kits are also trying to enforce their software licenses and forbidding any reverse engineering of their kits in order to enjoy the false feeling of security provided by the security through obscurity. The result? Cybercrime groups filing for bankruptcy unable to achieve a positive return on investment due to their intellectual property getting pirated and their inability to enforce the licenses that they issue to their customers.

We're definitely going to see more trivial, but then again, remotely exploitable vulnerabilities within popular crimeware kits, which can assist both the cybercrime analysts and naturally the cybercriminals themselves. For the time being, even the most sophisticated malware campaigns aren't fully taking advantage of the evasive and stealth tactics that the kits, or their common sense allows them to - let's see for how long.

Related posts:
Russia's FSB vs Cybercrime
Crimeware in the Middle - Zeus
The Zeus Crimeware Kit Vulnerable to Remotely Exploitable Flaw
Coding Spyware and Malware for Hire

]]> Thu, 07 Aug 2008 06:22:01 +0000 popular crimeware kits crimeware kits pinch crimeware zeus crimeware kit popular pinch crimeware malware banker malware kit default crimeware kit Pinch Vulnerable to Remotely Exploitable Flaw <![CDATA[Summarizing July's Threatscape]]> http://securityratty.com/article/2860027a1eaa69350d814429c3bf6070 http://securityratty.com/article/2860027a1eaa69350d814429c3bf6070

July's threatscape -- consider going through June's summary as well -- once again demonstrated that nothing is impossible, the impossible just takes a little longer where the incentive would be the ultimate monetization of the process.

Russian hacktivists attacking Lithuania and Georgia, several Storm Worm campaigns, a couple of new malware tools, Neosploit team abandoning support for their web malware exploitation kit, CAPTCHA for several of the most popular free email providers getting efficiently attacked in order to resell the bogus accounts registered in the process, several copycat SQL injects next to the evasion techniques applied by the copycats, botnets continuing to commit click fraud and generate revenue for those who own or have rented them, an infamous money mule recruitment service taking advantage of the fast-fluxed network provided by the ASProx botnet - pretty interesting month indeed.

01. Decrypting and Restoring GPcode Encrypted Files -
The GPcode authors read the news too, and are catching up with the major weaknesses pointed out in their previous release in order to come with a virtually unbreakable algorithm. And since more evidence of who's behind the GPcode ransomware was gathered, vendors and independent researchers realized that the latest release is also susceptible to a plain simple flaw, namely the encrypted files were basically getting deleting and not securely erased making them fairly easy to recover.

02. Chinese Bloggers Bypassing Censorship by Blogging Backward -
When you know how it works, you can either improve, abuse or destroy it in that very particular order. Chinese bloggers are always very adaptive in respect to spreading their message by obfuscating their messages in a way that common keywords filtering software wouldn't be able to pick them.

03. Gmail, Yahoo and Hotmail’s CAPTCHA Broken -
This has been an urban legend for a while, but with more services starting to offer hundreds of thousands of pre-registered accounts at these providers, it's surprising that spam and phishing emails coming from legitimate email providers is increasing. The "vendors" behind these propositions are naturally starting to "vertically integrate" by offering value-added services for extra payments, namely, scripts to automatically abuse the pre-registered accounts for automatic registration of splogs and anything else malicious or blackhat SEO related.

04. The Antivirus Industry in 2008 -
If it were anyone else but a security vendor to come up with such a realistic cartoon aiming to stimulate innovation by emphasizing on how prolific and sophisticated malware groups have become, it would have been a biased cartoon. However, this one is courtesy of a security vendor, and it's pretty objective.

05. Lithuania Attacked by Russian Hacktivists, 300 Sites Defaced -
This attack is a good example of a decent PSYOPS operation. Of course they have already build the capabilities to deface and even execute DDoS attacks against Lithuania, so why not put them in a "stay tuned" mode, by speculating on the upcoming attack and then executing it making it look like they delived what they've promised? This a lone gunman mass defacement given that the sites were all hosted on a single ISP, with no indication of any kind of coordination whatsoever. The same for the Georgia President’s web site which was under DDoS attack from Russian hackers later this month. Despite that the hacktivists behind it dedicated a separate C&C for the attack, one that hasn't been used in any type of previous attacks so far, they did a minor mistake by using a secondary command and control location that's known to have been connected with a particular "botnet on demand" service in the past. The second attack once again proves that you don't need to build capacity when you can basically outsource the process to someone else.

06. The ICANN Responds to the DNS Hijacking, Its Blog Under Attack -
The ICANN finally issued a statement concerning the DNS hijacking of some of their domains, which is in fact what Comcast.net and Photobucket.com should have done as well, next to stating it was a "glitch". The ICANN also took advantage of the moment and also pointed out that their blog has also been under attack during the month. There's no better example of how the combination of tactics can result in the hijacking of the domains of the organizations implementing procedures aiming to protect against these very same attacks. And while Photobucket.com remained silent during the entire incident, the hosting provider that was used by the Netdevilz team in the two attacks, since they were also responsible for the ICANN and IANA DNS hijackings, technological and social engineeringissued a statement.

07. The Risks of Outdated Situational Awareness -
Security vendors are often in a "catch-up mode" and if I were an average Internet user not knowing that real-time situational awareness speaks for the degree to which my vendor knows what going on online, I'd be pretty excited. However, I'm not. Prevx were catching up with a service which I covered approximately two months ago, I even had the chance to constructively confront with one of the affected sites on how despite their security measures in place, this attack was still possible. Recently Prevx have once again demonstrated an outdated situational awareness by coming across a banking malware in July 2008, whereas the malware has been around since July 2007, and earlier depending on which version you're referring to.

08. Fake Porn Sites Serving Malware - Part Two -
Yet another domain portfolio of fake porn sites serving rogue codecs and live exploit URLs, just the tip of the iceberg as usual, however their centralization is greatly assisting in tracking them down.

09. Storm Worm's U.S Invasion of Iran Campaign -
Stormy Wormy is once again making the headlines with their ability to actually make up the headlines on their own.

10. Mobile Malware Scam iSexPlayer Wants Your Money -
The best scams are the ones to which you've personally agreed to be scammed with without even knowing it. Like this one, which was tracked down and analyzed a couple of hours once a uset tipped on it.

11. The Template-ization of Malware Serving Sites -
The increase of fake porn and celebrity sites is due to the overall template-ization of these, with the people behind them basically implementing several malicious doorways to ensure that the domains get rotated on the fly. Despite that they all look the same, they all sever different type of malware, and zero porn of celebrity content at all except the thumbnails.

12. Violating OPSEC for Increasing the Probability of Malware Infection -
No better way to expose your affiliations and several unknown bad netblocks so far, by adding the netblocks and the malicious domains as trusted sites upon infecting a PC with the malware. Of course, the usual suspects lead the "trusted netblocks".

13. Monetizing Compromised Web Sites -
Several years ago, a script kiddie would install Apache on a mail server, they claim that they defaced it. Today, these amusing situations are replaced by monetization of the compromised sites, by reselling the access to them to blackhat SEO-ers, malware authors, phishers, or personally starting to manage a scammy infrastructure on them, by earning money on an affiliate based model, like this particular attack.

14. Malware and Office Documents Joining Forces -
A recent DIY malware kit, sold as a proprietary tool basically crunching out malware infected office documents, whose built-in obfuscation makes them harder to detect. It will sooner or later leak out, turning into a commodity tool, a process that's been pretty evident for web malware exploitation kits as well.

15. Are Stolen Credit Card Details Getting Cheaper? -
Depends on who you're buying them from, and whether or not they offer discounts on a volume basis, namely the more you buy the cheaper the price of a card is supposed to get. With the current oversupply of stolen credit card details, what used to be an exclusive good once where they could enjoy a higher profit-margin, is today's commodity good.

16. The Neosploit Malware Kit Updated with Snapshot ActiveX Exploit -
Since alll the web malware exploitation kits are open source, and leaked in the wild at large, their modularity allows everyone to easily embed any type of exploit that they want to, resulting in Neosploit's single most beneficial feature, the fact that certain versions include all the publicly available exploits targeting Internet Explorer, Firefox and Opera. Moreover, the open source nature of the kit is resulting in a countless number of modified versions yet to be detected and analyzed, therefore keeping track of the exploits included in a malware kit can only be realistic if you take into considered the exploits that come with the default installation.

17. Obfuscating Fast-fluxed SQL Injected Domains -
Now that's a very good example of different tactics combined to attack, ensure survivability, and apply a certain degree of evasion in between.

18. The Unbreakable CAPTCHA -
There's never been a shortage of ideas, there's always been an issue of usability.

19. The Ayyildiz Turkish Hacking Group VS Everyone -
That's a pretty inspiring mission if you are to ensure your future in the next couple of years, by targeting everyone, everywhere that has ever publicly stated their disagreement with the Turkish foreign policy.

20. Money Mule Recruiters use ASProx's Fast Fluxing Services -
A true multitasking in action with a botnet that's been crunching out phishing emails, SQL injecting and now hosting a well known money mule recruitment service.

21. SQL Injecting Malicious Doorways to Serve Malware -
Constantly switching tactics and combining different ones to achive an objective that used to be accomplished by plain simple techniques, is only starting to take place. In this case, instead of a hard coded SQL injected domain, we have the typical malicious doorways the result of the converging traffic management tools with web malware exploitation kits.

22. Impersonating StopBadware.org to Serve Fake Security Warnings -
Typosquatting popular security vendors and services is nothing new, by having HostFresh providing the hosting for the parked domains promoting the rogue security software, is a privilege and flattery for the success of the Stopbadware initiative.

23. Coding Spyware and Malware for Hire -
Customerization -- not customization -- has been taking place for a while, that's the process of tailoring your upcoming products to the needs of your future customers, compared to the product concept myopia where the malware coder would code something that he believes would be valuable to the potential customers. End user agreements, issuing licenses for the malware tool, as well as forbidding the reverse engineering of the malware so that no remotely exploitable flaws could be, are among the requirements the coder assists on.

24. Lazy Summer Days at UkrTeleGroup Ltd -
Taking a random snapshot of the current malicious activity at a well known provider of hosting services for rogue security applications, live exploit URLs and botnet command&control locations, always provides an insight into what are their customers up to. In this case, centralization of their scammy ecosystem, and parking a countless number of rogue domains on the same server.

25. Email Hacking Going Commercial -
Cybercrime is in fact getting easier to outsource, and while the number of scammers trying to offer non-existent services, or at least services where they cannot deliver the goods, the business model of this service that is that you only pay once they show you a proof that they've managed to hack the email address you game them. How are they doing it? Social engineering and enticing the user to click on live exploit URL from where they'll infect the PC and obtain the email password, of course, next to definitely abusing it for many other purposes in the process.

26. Vulnerabilities in Antivirus Software - Conflict of Interest -
You can easily twist the number of vulnerabilities found in your antivirus solution, but not recognizing them as vulnerabilities at the first place. It's all a matter of what you define as a vulnerability, or perhaps what you admit as a serious vulnerability - remote code execution through a security software, or a flaw that's allowing malware to bypass the security solution itself.

27. Counting the Bullets on the (Malware) Front -
Emphasizing on the number of malware/threats/viruses/worms/slugs your solution detects may be marketable in the short-term, but is damaging the end user's understanding of the threatscape in the long-term. So, by the time he catches up with what exactly is going on, he'll recall the moment in time where he was using the number of threats his solution was detecting as the main benchmark for its usefulness. In reality through, the number is irrelevant from a pro-active point of view, with zero day malware like the one coded for hire undermining the signatures based scanning model.

28. Smells Like a Copycat SQL Injection In the Wild -
It was pretty obvious that copycats seeing the success of SQL injections the the huge number of sites susceptible to exploitation, would also starting taking advantage of the practice. Some are, however, targeting local communities and trying to avoid detection by using targeted SQL injections.

29. Click Fraud, Botnets and Parked Domains - All Inclusive -
The scheme is nothing new, what's new is that the botnet masters are trying to limit the revenues that used to go out to affiliate networks they were participating in, and are trying to own or rent the entire infrastructure on their own.

30. Over 80 percent of Storm Worm Spam Sent by Pharmaceutical Spam Kings -
With access to Storm Worm sold and resold, and new malware introduced on Storm Worm infected hosts used as foundation for the propagation of the new malware in this case, it's questionable whether or not the Storm Worm-ers themselves are sending out the junk emails, or are they people who've rented access to the botnet doing it.

31. Neosploit Team Leaving the IT Underground -
Pretty surprising at the first place, but in reality it clearly demonstrates that when you cannot enforce the end user agreement on your crimeware kit, but continue seeing it used in a very profitable malware operations, you basically shut down the support for the public version. The team is not going to stop innovating for their own purposes, and in the long-term they may in fact re-appear with an updated malware kit that's converging different services next to the product itself.

32. Dissecting a Managed Spamming Service -
Managed spamming services using botnets as the foundation for the campaigns are starting to introduce improved metrics for the delivery, as well as experienced customer support ensuring the spam messages make it through spam filters, or at least increase the probability of making the happen. This is an example of a random service emphasizing on the improved metrics they're capable of delivering.

33. Storm Worm's Lazy Summer Campaigns -
Looks like a "cybercrime intern" launched this campaign, lacking any of the usual Storm Worm evasive practices, no exploitation of client side vulnerabilities, as well as no survivability offered by their usual fast-flux nodes.

]]> Fri, 01 Aug 2008 12:08:24 +0000 malware profitable malware operations malware authors malware tools malware coder malware kit malware infection neosploit malware kit spam Summarizing July's Threatscape <![CDATA[Dissecting a Managed Spamming Service]]> http://securityratty.com/article/a86a7c12b2395b3c5ee8667c3a4d13e0 http://securityratty.com/article/a86a7c12b2395b3c5ee8667c3a4d13e0

With cybercrime getting easier to outsource these days, and with the overall underground economy's natural maturity from products to services, "managed spamming appliances" and managed spamming services are becoming rather common. Increasingly, these "vendors" are starting to "vertically integrate", namely, start diversifying the portfolio of services they offer in order to steal market share from other "vendors" offering related services like, email database cleaning, segmentation of email databases, email servers or botnets whose hosts have a pre-checked and relatively clean IP reputation, namely they're not blacklisted yet.

How much does it cost to send 1 million spam emails these days? According to a random spamming service, $100 excluding the discounts based on the speed of sending desired, namely 10-20 per second or 20-30 per second. Let's dissect the service, and emphasize on its key differentiation factors, as well as the customerization offered in the form of a dedicated server if the customer would like to send billions of emails :

"-- High quality and percentage of spam delivery
-- Fast speed of delivery
-- Spam database on behalf of the vendor, or using your own database of harvested emails
-- Easily obtainable and segmented spam databases on per country basis
-- Randomization of the spam email's body and headers in order to achieve a higher delivery rate
-- Support for attachments, executables, and image files

The cost - $100 for a million for letters delivered spam, with the large volume of spam discounts 20% -30% -40% based on the value-added Do-it-yourself customer interfare based on a multi-user botnet command and control interface :

-- Automatic RBL verification
-- Support for many subjects, headers,
-- Total customization of the email sending process
-- Autogenerating junk content next to the spammers email/link in order to bypass filtering
-- Faking Outlook Message ID / Boundary / Content-ID
-- Interface added. Now do not necessarily understand all the features into the system to start the list.
-- Convenient management tasks.
-- A high percentage of punching, on the basis of good europe - 40-60% (For the United States - less because there aol and others).
-- Improved metrics, whether or not the emails have been sent, lost, unknown receipt, or have been RBL-ed

With the weight of a billion - even discounts and the possibility of making a personal server. "

Rather surprising, they state that European email users have a higher probability of receiving the spam message compared the U.S due to AOL. What they're actually trying to say is due to AOL's use of Domain Keys Identified Mail (DKIM). As far as localization of the spam to the email owner's native language is concerned, this segmentation concept has been take place for over an year now.

This service, like the majority of others rely entirely on malware infected hosts, which due to the multi-user nature of most of the malware command and control interfaces, allows them to easily add customers and set their privileges based on the type of service that they purchase. This leaves a countless number of opportunities for targeted spamming, and yes, spear phishing attacks made possible due to the segmentation of the emails based on a country, city, even company.

In the long term, the people behind spamming providers, web malware exploitation kits and DIY phishing kits, will inevitably start introducing built-in features which were once available through third-party services. For instance, hosting infrastructure for the spam/phishing/live exploit URLs, or even managed fast-flux infrastructure, have the potential to become widely available if such optional features get built-in phishing kits, or start getting offered by the spamming provider itself. And since the affiliate based model seems to be working just fine, the ongoing underground consolidation will converge providers of different underground goods and services, where everyone would be driving customers to one another's services and earning revenue in the process.

]]> Wed, 30 Jul 2008 01:32:44 +0000 spam spam message spam discounts spam database spam databases spam email email emails based email servers Dissecting a Managed Spamming Service <![CDATA[Neosploit Team Leaving the IT Underground]]> http://securityratty.com/article/813abe559b03df47822588023daf2295 http://securityratty.com/article/813abe559b03df47822588023daf2295

The Neosploit Team are abandoning support for their Neosploit web exploitation malware kit, citing a negative return on investment as the main reason behind their decision. However, given Neosploit's open source nature just like the majority of web malware kits, and the fact that it's slowly, but surely turning into a commodity malware kit just like MPack and Icepack did, greatly contribute to its extended "product lifecycle" :

"Let’s discuss their business model, how other cybercriminals disintermediated it thereby ruining it, and most importantly, how is it possible that such a popular web malware exploitation kit cannot seem to achieve a positive return on investment (ROI). The short answer is - piracy in the IT underground, and their over-optimistic assumption that high-profit margins can compensate the lack of long-term growth strategy, which in respect to web malware exploitation kits has do with the benefits coming from converging with traffic management tools. Let’s discuss some key points."

The end of Neosploit malware kit, doesn't mean the end of Neosploit Team, or the sudden migration to other malware kits since they're no longer providing support in the form of new obfuscations and set of exploits to their customers. Their customers have been in fact self-servicing their needs enjoying the modular nature of the kit, the result of which is an unknown number of modified Neosploit kits.

Related posts:
The Underground Economy's Supply of Goods and Services
The Dynamics of the Malware Industry - Proprietary Malware Tools
Localizing Cybercrime - Cultural Diversity on Demand
E-crime and Socioeconomic Factors
Localizing Open Source Malware
Coding Spyware and Malware for Hire
The FirePack Exploitation Kit Localized to Chinese
MPack and IcePack Localized to Chinese
The Icepack Exploitation Kit Localized to French

]]> Tue, 29 Jul 2008 12:09:25 +0000 neosploit neosploit malware kit kit icepack exploitation kit malware malware kits web malware kits commodity malware kit source malware Neosploit Team Leaving the IT Underground <![CDATA[Smells Like a Copycat SQL Injection In the Wild]]> http://securityratty.com/article/ae553b37ba0ec150b5a4c344ba27652b http://securityratty.com/article/ae553b37ba0ec150b5a4c344ba27652b

In between the massive SQL injections, that as a matter of fact remain ongoing, copycats taking advantage of the very same SQL injection tools using public search engine's indexes as a reconnaissance tools, are also starting to take advantage of localized and targeted attacks, attacking specific online communities. Among these is mx.content-type.cn /day.js using day.js to attempt multiple exploitation using publicly obtainlable exploits such as Adodb.Stream, MPS.StormPlayer, DPClient.Vod, IERPCtl.IERPCtl.1, GLIEDown.IEDown.1, and targeting primarily Chinese web communities.

Compared to a bit more sophisticated attack tactics applied by Chinese hackers, taking advantage of localized versions of the de facto web malware exploitation kits, those who don't have access to such continue using cybercrime 1.0 DIY exploit embedding tools at large. The rest of the SQL injected domains as well as the exploits themselves are parked on the same plaee - 222.216.28.25, also responding to :

down.goodnetads .org
ads.goodnetads .org
real.kav2008 .com
hk.www404 .cn
err.www404 .cn
mx.content-type .cn
sun.63afe561 .info
ads.633f94d3 .info
ads.1234214 .info
ad.50db34d5 .info
ads.50db34d5 .info
ad.8d77b42a .info
web.adsidc .info
free.idcads .info
free.cjads .info
ads.adslooks .info
list.adslooks .info
ad.5iyy .info

The SQL injected domains :
ads.633f94d3.info/day .js
ad.8d77b42a.info/day .js
ad.5iyy.info/day .js
free.idcads.info/day .js
efreesky.com/day .js
v.freefl.info/day .js

The internal structure :
free.idcads.info/f/index .htm
free.idcads.info/014 .htm
free.idcads.info/real11 .htm
free.idcads.info/real10 .htm
free.idcads.info/lz .htm
free.idcads.info/bf .htm
free.idcads.info/kong .htm
free.idcads.info/f/swfobject .js
ad.50db34d5.info//rm%5C/rm .exe

Parked domains responding to the command and control locations, 60.191.223.76 and 222.216.28.100 :
ftp.gggjjj .info
live.ads002 .net
log.goodnetads .org
dat.goodnetads .org
root.51113 .com
sun.update999 .cn
abb.633f94d3 .info
up.50db34d5 .info
web.cn3721 .org
dat.goodnetads .org
cs.rm510 .com
sb.sb941 .com
k.sb941 .com
info.sb941 .com
day.sb941 .com
post.ad9178 .com
v.91tg .net

Centralizing their scammy ecosystem always makes it easier to monitor, keep track of, and of course, expose.

Related posts:
SQL Injecting Malicious Doorways to Serve Malware
Yet Another Massive SQL Injection Spotted in the Wild
Malware Domains Used in the SQL Injection Attacks
SQL Injection Through Search Engines Reconnaissance
Google Hacking for Vulnerabilities
Fast-Fluxing SQL injection attacks executed from the Asprox botnet
Sony PlayStation's site SQL injected, redirecting to rogue security software
Redmond Magazine Successfully SQL Injected by Chinese Hacktivists

]]> Mon, 28 Jul 2008 01:51:23 +0000 sql tools sql injection tools massive sql injections attacks sql injection attacks sql injection massive sql injection site sql Smells Like a Copycat SQL Injection In the Wild <![CDATA[Coding Spyware and Malware for Hire]]> http://securityratty.com/article/1dbd4bddd9e4248009d0273ad7cae5dd http://securityratty.com/article/1dbd4bddd9e4248009d0273ad7cae5dd

What type of antivirus evasion do you want today? For the past several years, we have been witnessing the emerging customerization applied in malware and spyware for hire services. What used to be a situation where the malware authors would code and then start promoting a piece of malware including features that he thinks his potential customers would want by generalizing a cybercriminal's needs, is today's "listening to the customer" win-win situation that they've reached already.

The whole maturity from a product concept to customerization is in fact so prevalent these days, that malware authors wanting to preserve their intellectual property are forbidding their customers from reverse engineering their malware modules, presumably fearing that remotely exploitable flaws like this one in one of the most popular Ebanker malwares for the last two yers Zeus, could be discovered due to the malware author's insecure coding practices. Moreover, limiting the distribution of a single license they are given to more than three people will result in the malware author ignoring any future business relationships with the party that ruined the exclusiveness of the malware, thereby leaking it to the public, something that's been happening and will continue happening with web malware exploitation kits.

What would be the price of a custom malware module coded on demand? How much does it cost to have a built in email harvester that would sniff all the incoming and outgoing email addresses from the infected host to later on include them in upcoming spam and malware campaigns? Would the malware author also provide a managed hosting service for the command and control and the actual binaries on a revenue sharing

Here's an automatically translated, and fairly easy to understand random proposition for coding spyware and malware for hire, aiming to answer many of these questions, clearly demonstrating that today's malware is coded in exactly the same way the customer wants it to :

"As you can see in the history of its development turned directly into the combine, while almost no raspuh in weight, full-size pack аж 18 kb and minialno 5 kb, for all nampomnyu again, all descriptions below can be done as otdelnym bot, and any combination of cross except for a few restrictions. This product is targeted at mass-user and will not be all prodavatsya row. So, you can choose from:

Actually loader - is able to load a file from adminki, by country and other characteristics, such as the number of animals on board with a specific bot, a country group of countries, the availability of certain authors or Fire, sredenemu time online, etc. etc.. You can adjust the speed of shipping limits for each file, can load 1 as well as how files simultaneously
300 €

FTP and not only Graber
Analyzes user traffic and collects from the ftp acclamation, that is ftp acclamation would you regardless of how the customer uses ftp user, thus can be obtained most valuable ftp aka (even those to which the password is not saved), you can also grab other in a way not only acclamation acclamation and other tasty things more)
150 €

Assembler spam bases
Analyzes user traffic and collects from all email, snifit http pop3 smtp protocols, keeps records unikallnosti locally on each boat to reduce the burden on the server as well as globally on a server has 2 mode of operation - ie passive with only collects user to please and active - the very beginning to download the entire inet) in search of soap
220 €

Socks 4 / 5
Normal soks with competently implemented multithreading, is activated only if the user real Ip, otherwise not. And also optional, depending on the connection type and speed ineta.
70 €

Indicates
The primitive method, contamination fleshek avtoranom gives 2-3% increase in the first week and up to 7% in the next, a pleasant trifle)
35 €

Scripts
Loader supports internal scripting language - jscript, to carry out arbitrary actions on the victim machine, whether recording data in the register, setting authentic hon-Pago, opening URL in your browser (it was done so to please with 90% punching)), apload arbitrary files on a server, even theoretically possible to form and grabing inzhekty in IE) has only to write the script zaebetes, vobschem lyuboye actions soul who wish)
70 € basic functionality

Assembler passwords
Collects data such as passwords pstorage IE, MSN, etc., will be added at the request of other sources of passwords
70 €

Mini-AV
When installing loadera wheelbarrows to remove BHO shaped three, zevso-shaped, the majority of shit from all avtoranov, render most keylogerov until all) forward proposals to improve
70 €

File-default
In exe loadera program URL (in adminke) to the file which once progruzit 1 and run at first start loadera on wheelbarrows, while simultaneously helping progruzke Trojan for example, in its entire botnet that does not paired with challenges in adminke, the module operates in 20 seconds after the mini - av which excludes the removal of your Trojan bot, after progruza this exe bot continues to normal activities.
35 €

Form Graber
While in beta version, robbed IE. Sends logs in adminku, folding country. Logs are like logs agent. It consists of:

Graber certificats
On the idea is part formgrabera but could work and of itself, actually there is nothing to describe)

Injections
Literacy sold inzhekty, did not begin work after full progruza pages (as in bolshistve three) and immediately supported injection yavaskript code, which allows avtozalivy and DC inzhekty for data collection. For example not to yuzat acclamation at all is not yet introduce the necessary number of Britain, after which inzhekt ceases to operate. Вобщем mdelat can be anything and in any form) rather than the meager request field pin) And also inzhektov subspecies - a substitute for the issuance of search enginee.

Graber balances
Makes loot aka balances at the entrance to the user acclamation, detail added to the logs.

Screen
Universal method to grab information from absolutely any species and varieties klaiviatur screens, in particular html, flash, in one picture, with a drop-down fields after choosing your encrypted, as well as information such as "enter 3 yu secret letter word" etc. as well as any information which is visible a user but not seen in the logs. Screen settings of adminki, set URL where do screen as well as the type of screen: for virtual keyboard (done several small images of areas around the clique) or to "enter 3 yu secret letter words" (makes 1 full shot). With the withdrawal screen recorded in the log entry with the name of the file to the screen this position.

Antiabuznost for botneta
Feachem adminki, keep botnet enables fast, normal, bezglyuchnyh NEabuzoustoychivyh hosting, with features that you forget what abuzy, nohistory week saporta "abuzoustoychivogo" hosting inaccessibility host to half ineta etc., etc., also with the help of the supplement will be able to keep huge botnety (over SL) at 1 dedike with 512 Lake) and well on the price of hosting a savings, not $ 500 a month and 150. It may use this feature to stroronnim development, Trojans, bots, etc., actually is a separate product. And incidentally, if you do not understand the theory that nenado ask "and how does it work?" imagine that it works and point and neubivaemo in pritsnipe.
600 € +

All prices are in euros, the calculation is made at the rate of CB on the day of purchase. ps I will not disappear as most authors after months of sales, I DONT how to please you get to the assembly ftp, I DONT how many soap collects soap-graber, I DONT what otstuk from loadera, I DONT soksov how many will be from 1 to downloads, and how best To work load a file is not dead quickly, if you are confused my ignorance - that my loader so you do not need more tries)

Rules / Licence
-- Customer has no right to transfer any of his three 3 persons except options for harmonizing with me
-- Customer does not have the right to make any decompile, research, malicious modification of any three parts
-- Customer has no right where either rasprostanyat information about three and a public discussion with the exception of three entries.
-- For violating the rules - without any license denial manibekov and further conversations"

This malware coder seems to be participating in an affiliate program with a malicious ISP that is offering hosting services for the entire campaign, not just the malware binaries, so you have a rather good example that incentives and revenue-sharing models result in value-added services, a all-in-one shop for a customer to take advantage of without bothering to approach a third-party.

Cybercrime is getting even more easier to outsource these days, and with the malicious parties improving their communication and incentives model, the resulting transparency in the underground market

Related posts:
The Underground Economy's Supply of Goods and Services
The Dynamics of the Malware Industry - Proprietary Malware Tools
Using Market Forces to Disrupt Botnets
Multiple Firewalls Bypassing Verification on Demand
Managed Spamming Appliances - The Future of Spam
Localizing Cybercrime - Cultural Diversity on Demand
E-crime and Socioeconomic Factors
Russia's FSB vs Cybercrime
Malware as a Web Service
Localizing Open Source Malware
Quality and Assurance in Malware Attacks
Benchmarking and Optimising Malware

]]> Mon, 21 Jul 2008 23:52:14 +0000 malware malware author malware authors malware binaries malware attacks ftp ftp user collects malware industry Coding Spyware and Malware for Hire <![CDATA[SQL Injecting Malicious Doorways to Serve Malware]]> http://securityratty.com/article/6cec302595fea49e4d1ec4cc6e8a2a25 http://securityratty.com/article/6cec302595fea49e4d1ec4cc6e8a2a25

Abusing legitimate sites as redirectors to malicious doorways serving malware is becoming increasing common, as is the use of SQL injections in order for the malicious parties to ensure their campaigns will receive enough generic traffic to their redirectors. Excluding the use of the very same traffic management tools, web malware exploitation kits, templates for the rogue adult sites and the rogue security software, perhaps the most important thing to point out regarding all of the previously analyzed such campaigns, is that they are all related to one another, and are operated by the same people, using the very same infrastructure and live exploit URLs most of the time.

Let's expose yet another such campaign, that has been SQL injected and spammed across a couple of hundred web forums. gpamelaaandersona .info (82.103.129.98) is the typical comprehensive malicious doorway, whose galleries redirect to tds.zbestservice .info/tds/in.cgi?11 (85.255.120.45), and from there the following campaigns load on-the-fly :

porntubev20 .com/viewmovie.php?id=86 (74.50.117.84)
getmyvideonow .com/exclusive2/id/3912999/2/black/white/ - (89.149.194.188)
immenseclips .com/m6/movie1.php?id=1552&n=celebs (85.255.118.156)
movieexternal .com/download.php?id=1552 (77.91.231.201)
2008adults2008a .com/freemovie/144/0/
avwav .com/1931.htm
codecupgrade .com (74.50.117.84)
iwillseethatvideo .com (91.203.92.53)
dciman32 .com (85.255.120.45)

Naturally, these are just the tip of the iceberg, and the deeper you go, the more connections with malware gangs and previous campaigns can be established. For instance, here are some more "sleeping beauties" at 74.50.117.84 :

winantivirus2008 .org
porntubev20 .com
crack-land .com
just-tube .com
codecupgrade .com
codecupgrade .com
scanner-tool .com
surf-scanner .com
best-cracks .com
updatehost .com
updatehost .com
freemoviesdb .net
megasoftportal .net

And even more malicious doorways, and rogue software at 89.149.227.195 :

musicportalfree .com
softportalfree .com
verifiedpaymentsolutionsonline .com
my-adult-catalog .com
indafuckfuck .com
best-porncollection .com
funfuckporn .com
sanxporn .com
dolcevido .com
xiedefender .com
online-malwarescanner .com
easyvideoaccess .com
my-searchresults .com
creatonsoft .com
ihavewetfuckpussy .com

How come none of these are in a fast-flux? Pretty simple. Keeping in mind that they continue using the services of the ISPs that you rarely see in any report, survivability through fast-flux is irrelevant when emails sent to abuse@cybercrime.tolerating.isp receive a standard response two weeks later, and when your abuse emails become more persistent, a fake account suspended notice makes it to the front page, whereas the campaigns get automatically updated to redirect to an internal page, again serving the malware and the redirectors.

Related posts:
Fake Porn Sites Serving Malware - Part Two
Fake Porn Sites Serving Malware
Underground Multitasking in Action
Fake Celebrity Video Sites Serving Malware
Blackhat SEO Redirects to Malware and Rogue Software
Malicious Doorways Redirecting to Malware
A Portfolio of Fake Video Codecs

]]> Sun, 20 Jul 2008 21:45:57 +0000 malware malicious doorways sites rogue adult sites malware gangs campaigns load on-the-fly campaigns fake porn sites sql SQL Injecting Malicious Doorways to Serve Malware <![CDATA[The Neosploit Malware Kit Updated with Snapshot ActiveX Exploit]]> http://securityratty.com/article/cdb0e65d71e1f22f530bb119a6dfad61 http://securityratty.com/article/cdb0e65d71e1f22f530bb119a6dfad61

Raising Symantec's ThreatCon based on a newly introduced exploit within a (random) copy of a popular web malware exploitation kit? Now that's interesting given that there are other modified versions of the publicly available malware kit empowered with exploits as they get released, the single most logical move a administrator of such kit would do is diversity the exploits set as often as possible, keeping it up to date - like they do. ThreatCon is raised already :

"Symantec honeypots have captured further exploitation of the Snapshot Viewer for Microsoft Access ActiveX Control Arbitrary File Download Vulnerability (BID 30114). Before this event, this exploit was known to be used only in isolated attacks. Further analysis of these honeypot compromises has revealed that the exploit has been added to a variant of the neosploit exploit kit, it will very likely reach a larger number of victims. This version will compromise vulnerable English versions of Microsoft Windows by downloading a malicious application into the Windows Startup folder. Computers that have Microsoft Access installed are potentially affected by this vulnerability. Customers are advised to manually set the kill bit on the following CLSIDs until a vendor update is available: F0E42D50-368C-11D0-AD81-00A0C90DC8D9 F0E42D60-368C-11D0-AD81-00A0C90DC8D9 F2175210-368C-11D0-AD81-00A0C90DC8D9"

Why based on a random copy of the kit? Well, the Neosploit malware kit itself is a commodity despite it's publicly announced varying price in the thousands, it leaked for public use just like MPack and Icepack did originally, making statements on the exact type of the vulnerabilities included within a bit pointless, since it will only cover the the exploits included in a particular version only. Web malware exploitation kits are very modular, namely, anyone can introduce new exploits, and tweak them, which is what they've been doing for a while, mostly converging third party traffic management systems with the malware kits in order to improve both, the metrics, and the evasive practices used for making a particular campaign a bit more time consuming to analyze.

Just like the innovations introduced within open source malware, and their localizations to native languages, the open source nature of web malware exploitation kit can result in countless number of variants whose new features make it sometimes difficult to assess whether or not it's a modified kit or an entirely new one - depending on the sophistication of the features of course. The introduction of new exploits within a copy of a particular malware kit should be considered as something logical, and if it's that big a deal, there are many other web malware exploitation kits whose features turn Neosploit into the "outdated choice" for malicious attackers.

Related posts:
The Zeus Crimeware Kit Vulnerable to Remotely Exploitable Flaw
The Small Pack Web Malware Exploitation Kit
Crimeware in the Middle - Zeus
The Nuclear Grabber Kit
The Apophis Kit
The FirePack Exploitation Kit Localized to Chinese
MPack and IcePack Localized to Chinese
The FirePack Exploitation Kit - Part Two
The FirePack Web Malware Exploitation Kit
The WebAttacker in Action
Nuclear Malware Kit
The Random JS Malware Exploitation Kit
Metaphisher Malware Kit Spotted in the Wild
The Black Sun Bot
The Cyber Bot
Google Hacking for MPacks, Zunkers and WebAttackers
The IcePack Malware Kit in Action

]]> Tue, 15 Jul 2008 13:18:32 +0000 neosploit malware kit malware kit nuclear malware kit kit metaphisher malware kit icepack malware kit nuclear grabber kit apophis kit neosploit exploit kit The Neosploit Malware Kit Updated with Snapshot ActiveX Exploit