<![CDATA[[SecurityRatty] tag: metaphisher]]>

<![CDATA[[SecurityRatty] tag: metaphisher]]> http://securityratty.com/tag/metaphisher Wed, 20 Feb 2008 05:38:26 +0000 iRatty Engine http://blogs.law.harvard.edu/tech/rss <![CDATA[Copycat Web Malware Exploitation Kits are Faddish]]> http://securityratty.com/article/ba56aabae03bad418cbbf5ae497d3769 http://securityratty.com/article/ba56aabae03bad418cbbf5ae497d3769

For the cheap cybercriminals not wanting to invest a couple of thousand dollars into purchasing a cutting edge web malware exploitation kit -- a pirated copy of which they would ironically obtained several moths later -- with all the related and royalty free updates coming with it, there are always the copycat malware kits like this one offered for $100.

Taking into consideration the proprietary nature of some of the kits, the business model of malware kits was mostly relying on their exclusive nature next to the number, and diversity of the exploits included in order to improve the infection rate. This simplistic assumption on behalf of the coders totally ignored the possibility of their kits leaking to the general public, or copies of the kits ending up as a bargain in particular underground deal where the once highly exclusive kit was offered as a bonus.

"Me too" web malware kits were a faddish way to enjoy the popularity of web malware kits like MPack and Icepack and try to cash in on that popularity by coming up average kits lacking any significant differentiation factors in the process. But just like the original and proprietary kits, whose authors didn't envision the long term growth strategy of integrating different services into their propositions or the kits themselves, the authors of copycat malware kits didn't bother considering the lack of long-term growth strategy for their releases. Branding in respect to releasing a Firepack malware kit to compete with Icepack which was originally released to compete with Mpack, has failed to achieve the desired results as well.

And with malware kits now a commodity, and underground vendors excelling in a particular practice with the long term objective to vertically integrate in their area of expertise -- think spammers offering localization of messages into different languages and segmented email databases from a specific country -- would we witness the emergence of managed cybercrime services charging a premium for providing fresh dumps of credit card numbers, PayPal, Ebay accounts or whatever the buyer is requesting?

That may well be the case in the long term.

Related posts:
Web Based Botnet Command and Control Kit 2.0
DIY Botnet Kit Promising Eternal Updates
Pinch Vulnerable to Remotely Exploitable Flaw
The Zeus Crimeware Kit Vulnerable to Remotely Exploitable Flaw
The Small Pack Web Malware Exploitation Kit
Crimeware in the Middle - Zeus
The Nuclear Grabber Kit
The Apophis Kit
The FirePack Exploitation Kit Localized to Chinese
MPack and IcePack Localized to Chinese
The Icepack Exploitation Kit Localized to French
The FirePack Exploitation Kit - Part Two
The FirePack Web Malware Exploitation Kit
The WebAttacker in Action
Nuclear Malware Kit
The Random JS Malware Exploitation Kit
Metaphisher Malware Kit Spotted in the Wild
The Black Sun Bot
The Cyber Bot
Google Hacking for MPacks, Zunkers and WebAttackers
The IcePack Malware Kit in Action

]]> Wed, 03 Sep 2008 03:18:08 +0000 malware kits web malware kits kits copycat malware kits proprietary kits term long-term growth strategy icepack icepack exploitation kit Copycat Web Malware Exploitation Kits are Faddish <![CDATA[76Service - Cybercrime as a Service Going Mainstream]]> http://securityratty.com/article/35bdaf104e9aecf7703834d959f39050 http://securityratty.com/article/35bdaf104e9aecf7703834d959f39050

Disintermediating the intermediaries in the cybercrime ecosystem, ultimately results in more profitable operations. Controversial to the concept of outsourcing, some cybercriminals are in fact so self-sufficient, that the stereotype of a mysterious 76service server offered for rent could in fact easily cease to exist in an ecosystem so vibrant that literally everyone can partion their botnet and start offering access to it on a multi-user basis. Evil? Obviously. Extending the lifecycle of a proprietary malware tool? Definitely.

The infamous 76service, a cybercrime as a service web interface where customers basically collect the final output out of the banking malware botnet during the specific period of time for which they've purchases access to the service, is going mainstream, with 76Service's Spring Edition apparently leaking out, and cybercriminals enjoying its interoperability potential by introducing different banking trojans in their campaigns.

In this post, I'll discuss the 76service's spring.edition that has been combined with a Metaphisher banking malware, an a popular web malware exploitation kit, with two campaigns currently hosting 5.51GB of stolen banking data based on over 1 million compromised hosts 59% of which are based in Russia. Screenshots courtesy of an egocentric underground show-off.

Some general info on the 76service :

"Subscribers could log in with their assigned user name and password any time during the 30-day project. They’d be met with a screen that told them which of their bots was currently active, and a side bar of management options. For example, they could pull down the latest drops—data deposits that the Gozi-infected machines they subscribed to sent to the servers, like the 3.3 GB one Jackson had found. A project was like an investment portfolio. Individual Gozi-infected machines were like stocks and subscribers bought a group of them, betting they could gain enough personal information from their portfolio of infected machines to make a profit, mostly by turning around and selling credentials on the black market. (In some cases, subscribers would use a few of the credentials themselves). Some machines, like some stocks, would under perform and provide little private information. But others would land the subscriber a windfall of private data. The point was to subscribe to several infected machines to balance that risk, the way Wall Street fund managers invest in many stocks to offset losses in one company with gains in another."

The 76service empowers everyone who is either not willing to spend time and resources for building and maintaining a botnet, launching campaigns, and SQL injecting hundreds of thousands of sites in order to take advantage of the long tail of malware infected sites that theoretically can outpace the traffic that could come from a SQL injected high-profile site.

Next to the spring.edition, the winter edition's price starts from $1000 and goes to $2000, which is all a matter of who you're buying it from, unless of course you haven't come across leaked copies :

"Assuming that the dealer offering what he claimed was the 76service kit was correct, the profit is not only in the kit, but in selling value added services like exploitation, compromised servers/accounts, database configuration, and customization of the interface. Prices start between $1000 to $2000 and go up based on added services. The underground payment methods generally involve hard-to-track virtual currencies, whose central authority is in a jurisdiction where regulation is liberal to non-existent, and feature non-reversible transactions. The individual or group called "76service" was easy to track down on the Web, but not in person."

It's interesting to monitor how services aiming to provide specific malicious services are vertically integrating by expanding their portfolio of related services -- taka a spamming vendor that will offer the segmented email databases, the advanced metrics, and the localization of the spam messages to different languages -- or letting the buyer have full control of anything that comes out of a particular botnet for a specific period of time in which he has bought access to it. For instance, DDoS for hire matured into botnet for hire, which evolved into today's "What type of stolen data do you want?" for hire mentality I'm starting to see emerging, next to the usual interest in improving the metrics and thereby the probability for a more succesful campaign.

Ironically, this cybercrime model is so efficient that the people behind it cannot seem to be able to process all of the stolen data, which like a great deal of underground assets loses its value if not sold as fast as possible. The result of this oversupply of stolen data are the increasing number of services selling raw logs segmented based on a particular country for a specific period of time.

Time for a remotely exploitable vulnerability in yet another malware kit about to go mainstream? Definitely, unless of course backdooring it and releasing it doesn't achieve the obvious results of controlling someone else's cybercrime ecosystem.

Related posts:
The Underground Economy's Supply of Goods and Services
The Dynamics of the Malware Industry - Proprietary Malware Tools
Using Market Forces to Disrupt Botnets
Multiple Firewalls Bypassing Verification on Demand
Managed Spamming Appliances - The Future of Spam
Localizing Cybercrime - Cultural Diversity on Demand
E-crime and Socioeconomic Factors
Malware as a Web Service
Coding Spyware and Malware for Hire
Are Stolen Credit Card Details Getting Cheaper?
Neosploit Team Leaving the IT Underground
The Zeus Crimeware Kit Vulnerable to Remotely Exploitable Flaw
Pinch Vulnerable to Remotely Exploitable Flaw
Dissecting a Managed Spamming Service
Managed "Spamming Appliances" - The Future of Spam

]]> Wed, 13 Aug 2008 04:08:43 +0000 76service service malware malware kit cybercrime malware botnet botnet mysterious 76service server web service 76Service - Cybercrime as a Service Going Mainstream <![CDATA[The Neosploit Malware Kit Updated with Snapshot ActiveX Exploit]]> http://securityratty.com/article/cdb0e65d71e1f22f530bb119a6dfad61 http://securityratty.com/article/cdb0e65d71e1f22f530bb119a6dfad61

Raising Symantec's ThreatCon based on a newly introduced exploit within a (random) copy of a popular web malware exploitation kit? Now that's interesting given that there are other modified versions of the publicly available malware kit empowered with exploits as they get released, the single most logical move a administrator of such kit would do is diversity the exploits set as often as possible, keeping it up to date - like they do. ThreatCon is raised already :

"Symantec honeypots have captured further exploitation of the Snapshot Viewer for Microsoft Access ActiveX Control Arbitrary File Download Vulnerability (BID 30114). Before this event, this exploit was known to be used only in isolated attacks. Further analysis of these honeypot compromises has revealed that the exploit has been added to a variant of the neosploit exploit kit, it will very likely reach a larger number of victims. This version will compromise vulnerable English versions of Microsoft Windows by downloading a malicious application into the Windows Startup folder. Computers that have Microsoft Access installed are potentially affected by this vulnerability. Customers are advised to manually set the kill bit on the following CLSIDs until a vendor update is available: F0E42D50-368C-11D0-AD81-00A0C90DC8D9 F0E42D60-368C-11D0-AD81-00A0C90DC8D9 F2175210-368C-11D0-AD81-00A0C90DC8D9"

Why based on a random copy of the kit? Well, the Neosploit malware kit itself is a commodity despite it's publicly announced varying price in the thousands, it leaked for public use just like MPack and Icepack did originally, making statements on the exact type of the vulnerabilities included within a bit pointless, since it will only cover the the exploits included in a particular version only. Web malware exploitation kits are very modular, namely, anyone can introduce new exploits, and tweak them, which is what they've been doing for a while, mostly converging third party traffic management systems with the malware kits in order to improve both, the metrics, and the evasive practices used for making a particular campaign a bit more time consuming to analyze.

Just like the innovations introduced within open source malware, and their localizations to native languages, the open source nature of web malware exploitation kit can result in countless number of variants whose new features make it sometimes difficult to assess whether or not it's a modified kit or an entirely new one - depending on the sophistication of the features of course. The introduction of new exploits within a copy of a particular malware kit should be considered as something logical, and if it's that big a deal, there are many other web malware exploitation kits whose features turn Neosploit into the "outdated choice" for malicious attackers.

Related posts:
The Zeus Crimeware Kit Vulnerable to Remotely Exploitable Flaw
The Small Pack Web Malware Exploitation Kit
Crimeware in the Middle - Zeus
The Nuclear Grabber Kit
The Apophis Kit
The FirePack Exploitation Kit Localized to Chinese
MPack and IcePack Localized to Chinese
The FirePack Exploitation Kit - Part Two
The FirePack Web Malware Exploitation Kit
The WebAttacker in Action
Nuclear Malware Kit
The Random JS Malware Exploitation Kit
Metaphisher Malware Kit Spotted in the Wild
The Black Sun Bot
The Cyber Bot
Google Hacking for MPacks, Zunkers and WebAttackers
The IcePack Malware Kit in Action

]]> Tue, 15 Jul 2008 13:18:32 +0000 neosploit malware kit malware kit nuclear malware kit kit metaphisher malware kit icepack malware kit nuclear grabber kit apophis kit neosploit exploit kit The Neosploit Malware Kit Updated with Snapshot ActiveX Exploit <![CDATA[The Small Pack Web Malware Exploitation Kit]]> http://securityratty.com/article/54ab82c46ea0dd7dd334397f243fcbc8 http://securityratty.com/article/54ab82c46ea0dd7dd334397f243fcbc8

Yet another proprietary web malware exploitation kit has been released at the beginning of this month, further indicating that the efficient supply of such kits is proportional to their simplistic nature. The only differentiation factor in the Small Pack is perhaps the inclusion of all known Opera exploits up to version 9.20, however, the rest of the features are the natural ones included in the majority of already known exploitation kits :

- IE exploits included - Quick TIme Modified, PNG, MDAC, DX Media
- Firefox exploits included - Quick Time, PNG, EMBED
- Opera - all exploits up to version 9.20
- RC4 encryption
- lifetime updates
- Geolocation
- opportunity to request additional functions

Converging infection and distribution vectors, evasion and survivability, metrics and command and control in a single all-in-one web malware exploitation kits is, however, is definitely in the works considering the developments introduced in the rest of the kits currently available. For instance, despite that the ongoing waves of SQL injection attacks with multiple campaigns are injecting the malicious domains in its original form, certain attacks are starting to inject obfuscated URLs making it harder to assess the impact of the campaign using open source intelligence techniques.

The bottom line, as long as webmasters continue participating in the so called "traffic exchange" revenue models, knowingly or unknowingly embedding links that would later on ultimately redirect to a malicious site, "traffic exchange" is receiving the most attention at the strategic level, next to "traffic acquisition" at the tactical level. Basically, the traffic inventory that could be supplied is the direct result of an ongoing SQL injection attack, or malware embedded through other means, with the traffic brokers directly undermining webmaster's unethical inclusion of exploits within their domains portfolio.

One thing's for sure - web malware exploitation kits are not just getting localized, they're also being cloned.

Related posts:
The FirePack Exploitation Kit Localized to Chinese
MPack and IcePack Localized to Chinese
The FirePack Exploitation Kit - Part Two
The FirePack Web Malware Exploitation Kit
The WebAttacker in Action
Nuclear Malware Kit
The Random JS Malware Exploitation Kit
Metaphisher Malware Kit Spotted in the Wild
The Black Sun Bot
The Cyber Bot
Google Hacking for MPacks, Zunkers and WebAttackers
The IcePack Malware Kit in Action

]]> Sun, 18 May 2008 23:41:55 +0000 malware malware exploitation kit nuclear malware kit opera exploits opera metaphisher malware kit exploits firepack exploitation kit icepack malware kit The Small Pack Web Malware Exploitation Kit <![CDATA[The FirePack Exploitation Kit - Part Two]]> http://securityratty.com/article/2b527264ce72eb938dadb888eea2d8e6 http://securityratty.com/article/2b527264ce72eb938dadb888eea2d8e6

Has the web malware exploitations kits cash bubble popped already? A recently released, yet another proprietary version of the Firepack malware exploitation kit and its largely decreased price from the original one, which in February was $3000, speaks for itself. Firepack's original version was a great example of biased exclusiveness on behalf of the malicious parties, wanting to quickly cash in by pitching a new and undetected malware kit, and literally zero differentiaton factor next to now commodity web malware exploitations kits such as IcePack and MPack.

The original Firepack kit came with six exploits included within, and more to come in the scheduled updates to come. The exploits, and the current signature based detection rates are as follows :

FF5B341AC.php - MSIE 6
EF57CCF90.php - MSIE 7
EF57CCF90.php - Firefox 1
CCF45A00D.php - Firefox 2
CCF45A00D.php - Opera 7
99FFC5BA4.php - Opera 9

00FAA7CF5.php
Scanners result : 11/32 (34.38%)
HTML/MS06006.DF!exploit; Exploit-MS06-006.gen
File size: 3685 bytes
MD5...: ed71d57ddf70a5993b34e3bbcda23f2d
SHA1..: cc0eceb9e8cc3475752c959be70204b6f4d82168

99FFC5BA4.php
Scanners result : 6/32 (18.75%)
Trojan.DL.Script.JS.Agent.low; Exploit-OperaTN
File size: 1815 bytes
MD5...: 166fa42343dd59d941e24177a0da9102
SHA1..: e85701841a40c0017c06e2feb023272bff1b06f1

CCF45A00D.php
Scanners result : 15/32 (46.88%)
HTML/MS06006.BB!exploit; Exploit:JS/ShellCode.A
File size: 5861 bytes
MD5...: 9a6fe9ce8ed521ceb499954c944be812
SHA1..: 4ad63cc7ee602b2f57032b4e524064ac459df150

EF57CCF90.php
Scanners result : 18/30 (60%)
JS/MS05-054!exploit; Exp/MS06071-A
File size: 6996 bytes
MD5...: e5e3623838da4d0b7922a3cde229c7c3
SHA1..: 2d951f1368311873321b6bfc292644b090f93305

FF5B341AC.php
Scanners result : 10/32 (31.25%)
Generic.XPL.ADODB.42D1EF40; Exploit-MS06-014
File size: 2123 bytes
MD5...: bac1e03a64ba47a3005d435af8954cd6
SHA1..: e46afa408445ac5f2331119b746605a4bf8d0904

The latest release offered for $300, is entirely Internet Explorer centered, including all of the publicly available exploits for IE6 and IE7, with the natural modularity so that the buyer can include any set of exploits to serve of a large scale.

A proprietary tool or a service does not necessarily mean it outpaces a free one in terms of quality and reliability. Then again, when there's demand for web malware exploitation kits, there's also supply of what looks like commodity ones for the time being. The irony is what the sellers of these could actually be making more money from the services that they offer with the kit, than from volume based selling of the kits. What's to come? Hybrid web malware exploitation kits with all-in-one exploits set on a per OS, and software, not just browser basis, putting the emphasis on client side vulnerabilities even better.

The IcePack Malware Kit in Action

MPack and IcePack Localized to Chinese

]]> Sun, 27 Apr 2008 00:27:00 +0000 nuclear malware kit malware kit kit metaphisher malware kit icepack malware kit original firepack kit malware exploitation kit php scanners result The FirePack Exploitation Kit - Part Two <![CDATA[Crimeware in the Middle - Zeus]]> http://securityratty.com/article/7031903e13ac81d8b420bb698c242d03 http://securityratty.com/article/7031903e13ac81d8b420bb698c242d03

Virtual greed, or response rate optimization? The idea of converging phishing emails with embedded exploits and banking malware is nothing new, in fact phishers realizing that combining attack approaches can increase the chance of achieving their objective which in this case is either logging the authentication process or hijacking it, often forget that the phishing email could have succeeded without the embedded malware or exploit, which in many cases would have triggered an alarm.

Yesterday, Uriel Maimon posted an overview of the convergence of Rock Phish emails with Zeus, a crimeware kit used to deliver banking trojans :

"The Trojan that was used in this attack belonged to the "Zeus" family of malware. Zeus is a nefarious type of Trojan for multiple reasons:

1. The Zeus Trojan is a kit for sale: Anyone in the criminal community can purchase it for roughly $700. This means that the Rock group did not need to develop new skill-sets to write Trojan horses; they just purchased it on the open market. In the past 6 months RSA's Anti-Fraud Command Center has detected more than 150 different uses of the Zeus kit, each one infecting on average roughly 4,000 different computers a day.

2. Resistance to detection: The kit purchased is a binary generator. Each use creates a new binary file, and these files are radically different from each other -- making them notoriously difficult for anti-virus or security software to detect. To date very few variants have had effective anti-virus signatures against them and each use of the kit usually makes existing signatures ineffective. Just like in most cases, this particular use of the Zeus kit did not have any anti-virus detection (with the popular engines we tested) at the time of this writing.

3. Rich feature set: the Zeus Trojan has many startling capabilities. In addition to listening in on the submission of forms in the browser, the Trojan also has advanced capabilities, for instance the ability to take screenshots of a victim's machine, or control it remotely, or add additional pages to a website and monitor it, or steal passwords that have been stored by popular programs (remember when you clicked on the "Remember this password?" checkbox?)... And the features-list goes on. As I look upon this blissful union of fraud and crime technologies, I can only envy the criminals who can find such coupling. Looking forward to my next birthday, I can only hope that I will have the opportunity to find such partnership in my own life (and maybe give my mother one less reason for disappointment)."

We cannot talk about Zeus unless we compare it to another such crimeware kit serving banking trojans, in this the Metaphisher kit. Metaphisher is particularly interested because of its much more customized GUI, it's modular nature, allowing its sellers to lower or increase the price depending on which modules you'd like included, and which ones you'd like excluded, where a module means a preconfigured fakes, TANs, and phishing pages for all the banks in a country of choice. Moreover, despite that both, Zeus and Metaphisher are open source, and therefore malicious parties visionary enough to build communities around their kits in order to enjoy the innovation brought by multiple parties, Metaphisher has a bigger community next to Zeus, considered as the MPack in the web malware exploitations kits, namely a bit of an outdated commodity that is of course still capable of doing what does best - hijacking E-banking sessions and logging them to the level of impersonation.

How are the authors of Zeus describing the kit themselves? Here's a description :

"ZeuS has the following main features and properties (full list is given here, in your part of assembling this list may not):

Bot: - Written in VC + + 8.0, without the use of RTL, etc., on pure WinAPI, this is achieved at the expense of small size (10-25 Kb, depends on the assembly).

- There has its own process, through this can not be detected in the process list.
- Workaround most firewall (including the popular Outpost Firewall versions 3, 4, but suschetvuet temporary small problem with antishpionom). Not a guarantee unimpeded reception incoming connections.
- Difficult to detect finder / analysis, bot sets the victim and creates a file, the system files and arbitrary size.
- Works in limited accounts Windows (work in the guest account is not currently supported).
- Nevid ekvaristiki for antivirus, Bot body is encrypted.
- Some way creates a suspected its presence, if you do not want it. Here is the view of the fact that many authors do love spyware: unloading firewall, antivirus, the ban on their renewal, blocking Ctrl + Alt + Del, etc.
- Locking Windows Firewall (the feature is required only for the smooth reception incoming connections).
- All your settings / logs / team keeps bot / Takes / sends encrypted on HTTP (S) protocol. (ie, in text form data will see only you, everything else bot <-> server will look like garbage).
- Detecting NAT through verification of their IP through your preferred site.
- A separate configuration file that allows itself to protect against loss in cases of inaccessibility botneta main server. Plus additional (reserve) configuration files, to which the bot will apply, will not be available when the main configuration file. This system ensures the survival of your botneta in 90% of cases.
- Ability to work with any browsers / programs work through wininet.dll (Internet Explorer, AOL, Maxton, etc.):
- Intercepting POST-data + interception hitting (including inserted data from the clipboard).
- Transparent URL-redirection (at feyk sites, etc.) c task redirect the simplest terms (for example: only when GET or POST request, in the presence or absence of certain data in POST-request).
- Transparent HTTP (S) substitution content (Web inzhekt, which allows a substitute for not only HTML pages, but also any other type of data). Substitution of sets with the help of guidance masks substitute.
- Obtaining the required contents page, with the exception HTML-tags. Based on Web inzhekte.
- Customizable TAN-grabber for any country.
- Obtaining a list of questions and answers in the bank "Bank Of America" after successful authentication.
- Removing POST-needed data on the right URL.
- Ideal Virtual Keylogger solution: After a call to the requested URL, a screenshot happening in the area, where was clicking.
- Receiving certificates from the repository "MY" (certificates marked "No exports" are not exported correctly) and its clearance. Following is any imported certificate will be saved on the server.
- Intercepting ID / password protocols POP3 and FTP in the independence of the port and its record in the log only with a successful authorise.
- Changing the local DNS, removal / appendix records in the file% system32% \ drivers \ etc \ hosts, ie comparison specified domain with the IP for WinSocket.
- Keeps contents Protected Storage at first start the computer.
- Removes S ookies from the cache when Internet Explorer first run on a computer.
- Search on the logical disk files by mask or download a specific file.
- Recorded just visited the page at first start the computer. Useful when installing through sployty, if you buy a download service from the suspect, you can see that even loaded in parallel.
- Getting screenshot with the victim's computer in real time, the computer must be located outside the NAT.
- Admission commands from the server and sending reports back on the successful implementation. (There are currently launching a local / remote file an immediate update the configuration file, the destruction OS).
- Socks4-server.
- HTTP (S) PROXY-server.
- Bot Upgrading to the latest version (URL new version set in the configuration file)."

What's most important to keep in mind in regarding to these crimeware kits, is that the sellers are shifting from product-centered to service-centered propositions, and while an year ago they would have been selling the kit only, today they've realized that it's the output of the kit in terms of logged stolen accounting data that they're selling. Committing identity theft and abusing stolen E-banking accounting data is already a service, compared to the product it used to be.

Related posts:
Targeted Spamming of Bankers Malware
Localized Bankers Malware Campaign
Client Application for Secure E-banking?
Defeating Virtual Keyboards
PayPal's Security Key
Nuclear Grabber Kit
Apophis Kit

]]> Thu, 24 Apr 2008 00:37:46 +0000 zeus file remote file zeus trojan binary file file system32 drivers kit metaphisher kit configuration file Crimeware in the Middle - Zeus <![CDATA[The FirePack Web Malware Exploitation Kit]]> http://securityratty.com/article/f6824347bd1643a8cb85bc78fd5ed3da http://securityratty.com/article/f6824347bd1643a8cb85bc78fd5ed3da

In a typical tactical warfare from a marketing perspective, malicious parties are fighting for "hearth share" of their potential customers through active branding like the case with this malware kit. In a frontal competition attack aimed at IcePack, the authors of FirePack are pitching yet another "copycat" web exploitation malware kit for purchase at $3,000. Why a copycat anyway? Mainly because it lacks any major differentiation factors next to both, IcePack and MPack, except of course the different javascript obfuscation technique used. As in the majority of open source malware kits, their "modularity" namely easy for including new exploits and features within, is perhaps what makes assessing the impact of malware kits permanently outdated - a kit that you're assessing today has already been improved and new functionalities added in between.

The business strategies applied for such a hefty amount of money, are the lack of transparency means added biased exclusiveness, in order to cash-out through high-profit margins while taking advantage of the emerging malware kits cash bubble. A bargain hunter will however look for the cheapest proposition from multiple sellers, or subconsiously ignore the existence of the kit until it leaks out, and turns into a commodity just like MPack and IcePack are nowadays.

Related posts :
The WebAttacker in Action
Nuclear Malware Kit
The Random JS Malware Exploitation Kit
Metaphisher Malware Kit Spotted in the Wild
The Black Sun Bot
The Cyber Bot

]]> Wed, 20 Feb 2008 05:38:26 +0000 nuclear malware kit malware kit kit metaphisher malware kit malware exploitation kit malware kits permanently javascript obfuscation technique source malware kits major differentiation factors The FirePack Web Malware Exploitation Kit