<![CDATA[[SecurityRatty] tag: pinch-ing]]> http://securityratty.com/tag/pinch-ing Fri, 14 Mar 2008 03:00:00 +0000 iRatty Engine http://blogs.law.harvard.edu/tech/rss <![CDATA[Modified Zeus Crimeware Kit Gets a Performance Boost]]> http://securityratty.com/article/206d70045cec21b7f158d2fdc041b855 http://securityratty.com/article/206d70045cec21b7f158d2fdc041b855
Oops, they did it again - modifying an open source crimeware kit like Zeus in order to improve its performance, fix previously known bugs, and release the improved administration script for free at the end of October.

It's important to point out that both of these modifications haven't been released by the original author of Zeus, but by third parties filling in the gaps he has left open. The very nature of open source web based malware exploitation kits is one of the key factors for the ongoing convergence of traffic management, exploits serving, ddos, and cybercrime as a service features into a simplified cybercrime platform available on demand.

Following the discovery of a remotely exploitable flaw within Zeus in June -- a flaw affecting Pinch leaked out two months later -- allowing cyberciminals to inject their own credentials and hijack the botnet of other cybercriminals, this modified version claims to have fixed three vulnerabilities within the original Zeus release, namely, a remote file inclusion flaw and two SQL injections within the administration panel. Here's the new CHANGELOG :

"- code improvements and optimizations
- internal data checkings added
- exit() function instead of die()
- echo() function instead of print()
- mysql_affected_rows () changed to mysql_num_rows () everywhere
- all queries are fixed in system or mod .php files
- no text password in the database and clear text password in $_SESSION, cookies authentication is gone and md5 hashes are everywhere
- Geo IP support has been added
- umask () bug fixed, the file has been created (chmoded) with different permissions
- language improvements and pre-installation checks
- checking for php version/safe_mod/open_basedir as you're required to run php 5.1.0 or higher to run it successfully
- fixed sql injection in credentials checking
- GetUserData () function has been rewritten - possible sql injection fixed
- possible remote file inclusion fixed
- socket error definition changed
- gcnt () function has been rewritten so you can use geolication - GeoIP which is free and GeoIPCity which is paid
- ip address checking improved through validIP() function improvement
- all queries are now fixed, input data has been sanitized
- fs () function has been fixed in order to improve the quality of the log names
- formatFilePath () function has been added for file upload purposes
- arbitrary file upload bug has been fixed so that you can now upload only images with original names
- the Log2SQL () function has been changed and stricter data checking/sanitizing is added
- internal file sorting mechanism is improved so that files/dirs are sorted by file modification time"

As it's becoming increasingly clear that what once used to be a proprietary crimeware kits whose business model got undermined by their open source nature and the fact that they've started leaking for average cybercriminals and script kiddies to take advantage of, are today's "open source projects" - and therefore maintaining static lists of exploits and features included within a particular kit is getting even more irrelevant these days. In the long term, the quality assurance processes applied within crimeware kits courtesy of third party cybercriminals, is prone to shift from performance to improving the infection rates.
]]> Mon, 03 Nov 2008 11:12:30 +0000 fixed sql injection fixed zeus fixed sql injection upload file upload purposes file function improvement function Modified Zeus Crimeware Kit Gets a Performance Boost <![CDATA[Modified Zeus Crimeware Kit Comes With Built-in MP3 Player]]> http://securityratty.com/article/b4e5929a51488e98a9fe58b74de94b94 http://securityratty.com/article/b4e5929a51488e98a9fe58b74de94b94
Modified versions of popular open source crimeware kits rarely make the headlines due to the fact that anyone can hijack a crimeware kit's brand, build and innovate using its foundations, and claim it's a new version released by the original authors. That's of course in between the tiny time frame until he's exposed as the fake author of Zeus that may have in fact came up with a unique feature that the original authors didn't include.

This modified version of Zeus is yet another example of how cybercriminals are actively modifying crimeware kits, literally making such practices as keeping version numbers irrelevant. While the administrator is managing his botnet, he can load local, or tunein the built-in online radio stations the author of this modification included, next to changing Zeus entire graphical layout.

Let's take into consideration another example, the infamous Pinch DIY malware builder, that's been around for over 4 years. With the populist arrest of its authors in 2007, cybercriminals are still innovating on the foundations offered by Pinch, and thanks to its publicly obtainable source code. It's also worth pointing out that these two Zeus and Pinch modifications are courtesy of a single individual, that in between modifications of popular crimeware kits, seems to be busy porting different modules on different malware kits and web based malware, knowingly or unknowingly contributing to the convergence of spamming, DDoS, web based malware, and botnet management kits.

From a sarcastic perspective - what's next? Perhaps a built-in slideshow of random screenshots taken from malware infected desktops in the botnet, or even a pink layout modification for female botnet masters. Customerization, and customer tailored services can make anything happen, and naturally enjoy the higher profit margins.
]]> Mon, 29 Sep 2008 13:55:03 +0000 malware web based malware botnet female botnet masters popular crimeware kits zeus crimeware kits authors original authors Modified Zeus Crimeware Kit Comes With Built-in MP3 Player <![CDATA[Two Copycat Web Malware Exploitation Kits in the Wild]]> http://securityratty.com/article/59660edd6ee56561c03dbddbfcbaac92 http://securityratty.com/article/59660edd6ee56561c03dbddbfcbaac92
We're slowly entering into "can you find the ten similarities" stage in respect to web malware exploitation kits, and their coders continuous supply of copycat malware kits under different names, taking advantage of different exploits combination. Copycat web malware exploitation kits are faddish, however, from a strategic perspective, releasing exploits kits like this one covered by Trustedsource, consisting entirely of PDF exploits, can greatly increase the exploitability level of Adobe vulnerabilities in general.

A similar web malware exploitation kit, once again using only Adobe related exploits is Zopa. Have you seen this layout before? That's the very same layout MPack and IcePack were using, were in the sense of cybercriminals preferring to use much mode modular alternatives these days. Ironically, Zopa is more expensive than MPack and IcePack, with the coder trying to cash-in on its biased exclusiveness and introduction stage buzz generated around it.

The second web malware exploitation kit is relying on a mix of exploits targeting patched vulnerabilities affecting IE, Firefox and Opera, with its authors asking for $50 for monthly updates, updates of what yet remains unknown. Both of these kits once again demonstrate the current  mentality of the kit's coders having to do with -- thankfully -- zero innovation, fast cash and no long-term value.

However, modularity, convergence with traffic management kits, vertical integration with cybercrime services and bullet proof hosting providers, advanced metrics, evasive practices, improved OPSEC (operational security), and dedicated cybercrime campaign optimizing staff, are all in the works.

Related posts:
Web Based Botnet Command and Control Kit 2.0
DIY Botnet Kit Promising Eternal Updates
Pinch Vulnerable to Remotely Exploitable Flaw
The Zeus Crimeware Kit Vulnerable to Remotely Exploitable Flaw
The Small Pack Web Malware Exploitation Kit
Crimeware in the Middle - Zeus
The Nuclear Grabber Kit
The Apophis Kit
The FirePack Exploitation Kit Localized to Chinese
MPack and IcePack Localized to Chinese
The Icepack Exploitation Kit Localized to French
The FirePack Exploitation Kit - Part Two
The FirePack Web Malware Exploitation Kit
The WebAttacker in Action
Nuclear Malware Kit
The Random JS Malware Exploitation Kit
Metaphisher Malware Kit Spotted in the Wild
The Black Sun Bot
The Cyber Bot
Google Hacking for MPacks, Zunkers and WebAttackers
The IcePack Malware Kit in Action
]]> Wed, 24 Sep 2008 10:28:37 +0000 diy botnet kit kit nuclear malware kit icepack exploitation kit nuclear grabber kit apophis kit malware exploitation kit kits control kit Two Copycat Web Malware Exploitation Kits in the Wild <![CDATA[Summarizing August's Threatscape]]> http://securityratty.com/article/01c05fcd5f209b7515be2cee57a93c9b http://securityratty.com/article/01c05fcd5f209b7515be2cee57a93c9b
Following the previous summaries of June's and July's threatscape based on all the research published during the month, it's time to summarize August's threatscape.

August's threatscape was dominated by a huge increase of rogue security software domains made possible due to the easily obtainable templates for the sites, several malware campaigns targeting popular social networking sites, Russian's organized cyberattack against Georgia with evidence on who's behind it pointing to "everyone" and a few botnets dedicated to the attack making the whole process easy to outsource and turn responsibility into an "open topic", several new web based botnet management kits and tools found in the wild, evidence that the 76service may in fact be going mainstream since the concept of cybercrime as a service is already emerging, and, of course, a peek at India's CAPTCHA solving economy, where the best comment I've received so far is that every site should embrace reCAPTCHA, so that while solving CAPTCHAs and participating in the abuse of these services in question, they would be also digitizing books. As usual, August was a pretty dynamic month for the middle of summer, with everyone excelling in their own malicious field.

01. McAfee's Site Advisor Blocking n.runs AG - "for starters"
False positives are rather common, especially when you're aiming to protect the end user from himself and not let him gain access to "hacking tools", but you're flagging security tools as badware and missing over half the SQL injected domains currently in the wild due to the fact that SiteAdvisor's community still haven't reviewed them - that's not good

02. The Twitter Malware Campaign Wants to Bank With You
Twitter, just like every Web 2.0 application, isn't and shouldn't be treated as a unique platform for dissemination of malware, since it's dissemination of malware "as usual". This particular malware campaign was not just executed by a lone gunman, but also, was taking advantage of a flaw allowing the author to add new followers potentially exposing them to the malicious links serving banker malware. For the the time being, MySpace, Facebook and Twitter accounts are the very last thing a malicious attacker is interesting in puchasing accounting data for, but how come? It's all due to the oversupply of automatically registered accounts at other popular services, whose ecosystem of Internet properties empower cybercriminals with the ability to launch, host and distribute malware in between abusing the very same company's services for the blackhat SEO campaign and redirection services. Theoretically, a distributed network build upon the services provided by a single company is faily easy to accomplish due to the single login authentication applied everywhere. A singly bogus Gmail account results in a blackhat SEO hosting blogspot account, flash based redirector hosted at Picasa, and a couple of thousands of spam emails sent automatically sent through Gmail in order to abuse it's trusted email reputation
 
03. Compromised Web Servers Serving Fake Flash Players
If aggressiveness matter, this campaign consisting of remotely injected redirection scripts at legitimate sites next to on purposely introduced malware oriented domains, was perhaps the most aggressive one during the month. Fake flash players, fake windows media players and fake youtube players are prone to increase as a social engineering tactic of choice due to the template-ization of malware serving sites for the sake of efficiency

04. Pinch Vulnerable to Remotely Exploitable Flaw
With Zeus vulnerable to a remotely exploitable flaw allowing cybercriminals to hijack other cybercriminal's Zeus botnet, private exploits targeting the still rather popular at least in respect to usefulness Pinch malware are leaking, allowing everyone including security researchers to take a peek at a particular campaign running unpatched Pinch gateway

05. Phishers Backdooring Phishing Pages to Scam One Another
Backdooring phishing pages is perhaps the most minimalistic approach a cybercriminal wanting to scam another cybercriminal is going to take. The far more beneficial approach that I've encountered on a couple of occassions so far, would be to backdoor a proprietary web malware exploitation kit, release it in the wild, let them put the time and efforts into launching the campaigns, then hijack their botnet. In fact, the possibilities for backdooring copycat web malware exploitation kits in order to take advantage of the momentum while introducing a non-existent kit has always been there at the disposal of malicious attackers. One thing's for sure - there's no such thing as a free web malware exploitation kit, just like there isn't such thing as a free phishing page

06. Email Hacking Going Commercial - Part Two
In between the scammers promising the Moon and asking for anything between $20 to $250 to hack into an email account, there are "legitimate" services taking advantage of web email hacking kits consisting of each and every known XSS vulnerability for a particular service in an attempt to increase the chances of the attacker. And given that the majority of these have been patched a long time ago, social engineering comes into play. Do these services have a future? Definitely as more and more people are in fact looking for and requesting such services, in fact, they're willing to pay a bonus considering how exotic it is for them to have any email that they provide hacked into and the accounting data sent back to them

07. The Russia vs Georgia Cyber Attack
Event of the month? Could be, but just like every "event of the moth" everyone seems to be once again restating their "selective retention" preferences. What is selective retention anyway? Selective retention is basically a situation where once Russian is attacking another country's infrastructure, you would automatically conclude that it's Russian FSB behind the attacks and consciously and subconsciously ignore all the research and articles telling you otherwise, namely that the FSB wouldn't even bother acknowledging Georgia's online presence, at least not directly. Moreover, talking about the FSB as the agency behind the cyberattacks indicates "selective retention", talking about FAPSI indicates better understanding of the subject.

In times when cybercrime is getting ever easier to outsource, anyone following the news could basically orchestrate a large scale DDoS attack against a particular country in order to forward the responsibility to any country that they want to. In Russia vs Georgia, you have a combination of a collectivist society that's possessing the capabilities to launch DDoS attacks, knows where and how to order them, and that in times when your country is engaged in a war conflict drinking beer instead of DDoS-sing the major government sites of the adversary is not an option.

Selective retention when combined with a typical mainstream media's mentality to "slice the threat on pieces" instead of turning the page as soon as possible, is perhaps the worst possible combination. Furthermore, coming up with Social Network analysis of the cyberattacks would produce nothing more but a few fancy graphs of over enthusiastic Russian netizen's distributing the static list of the targets. The real conversations, as always, are happening in the "Dark Web" limiting the possibilities for open source intelligence using a data mining software. Things changed, OPSEC is slowly emerging as a concept among malicious parties, whenever some of the "calls for action" in the DDoS attacks were posted at mainstream forums, they were immediately removed so that they don't show up in such academic initiatives

08. 76Service - Cybercrime as a Service Going Mainstream
The reappearance of the 76Service allowing everyone to log into a web based interface and collect all the accounting and financial data coming from malware infected hosts across the globe for the period of time for which they've bought access, indicates that what used to be proprietary services which were supposedly no longer available, are now being operated in a do-it-yourself fashion. Goods and products mature into services, so from a cost-benefit analysis perspective, outsourcing is naturally most beneficial even when it comes to cybercrime

09. Who's Behind the Georgia Cyber Attacks?
If it's the botnets used in the attacks, they are known, if it's about who's providing the hosting for the command and control, it's the "usual suspects", but just like previous discussion of the Russian Business Network, it remains questionable on whether or not they work on a revenue-sharing basis, are simply providing the anti-abuse hosting, or are the shady conspirators that every newly born RBN expert is positioning them to be.

Cheap conversation regarding the RBN ultimately serves the RBN, and just for the record, there's a RBN alternative in every country, but the only thing that remains the same are the customers, tracking the customers means exposing the RBN and the international franchises of their services, making it harder to identify their international operations. And given that the "tip of the iceberg", namely RBN's U.S operations remain in tact, talking about taking actions against their international operations in countries where cybercrime law is still pending, is yet another quality research into the topic building up the pile of research into the very same segments of the very same ISPs.

Just for the record - these "very same ISPs" are regular readers of my blog, and if you analyze their activities, they're definitely reading yours too, ironically, surfing through gateways residing within their netblock that are so heavily blacklisted due to the guestbook and forum spamming activities that their bad reputation usually ends up in another massive blackhat SEO campaign exposed.

10. Guerilla Marketing for a Conspiracy Site
Conspiracy theorists may in fact have a new wallpaper to show off with

11. Banker Malware Targeting Brazilian Banks in the Wild
When misinformed and not knowing anything about a particular underground segment, a potential cybercriminal would stick to using such primitive compared to the sophisticated banker malware kits currently in the wild. These sophisticated banker malware kits are often coming in a customer-tailored proposition, with their price increasing or decreasing based on the specific module to be included or excluded. For instance, a module targeting all the U.S banks that has been put in a "learning mode" long before it was made available to the customers can be requested and is often available with the business model build around the customer's wants 

12. Compromised Cpanel Accounts For Sale
Despite the massive SQL injection attacks, accounting data for Cpanel accounts coming from malware infected hosts seems to be once again coming into play, which isn't surprising given the filtering capabilities and log parsing tools today's botnet masters are empowered with. These very same compromised Cpanel accounts and the associated domains often end up so heavility abused that it's tactics like these that are driving the underground multitasking mentality, namely, abusing a single compromised account for each and every malicious online activity you can think of - even hosting banners for their blackhat SEO services

13. A Diverse Portfolio of Fake Security Software - Part Two
In August we saw a peek of fake security software, neatly typosquatted domains whose authors earn revenue each and every time someone installs the software. The vendors behind this software are forwarding the entire process of driving traffic to those excelling in aggregating traffic and abusing it. As anticipated, underground multitasking started taking place within the fake security software domains, with the people behind them introducing client-side exploits in order to improve the monetization of the traffic coming to the sites

14. DIY Botnet Kit Promising Eternal Updates
There's no such thing as a (quality) free botnet kit. What's for free is often the leftovers from a single feature of a more sophisticated proprietary botnet kit. This one in particular is however trying to demonstrate that even a plain simple GUI botnet command and control software can achieve the results desired by an average script kiddie, and not necessarily satisfy the needs of the experienced botnet master

15. A Diverse Portfolio of Fake Security Software - Part Three
As far as trends and fads are concerned, the majority of the domains are currently parked at up to four different IPs, with most of them going into a stand by mode once they get detected and reappear back couple of weeks later

16. Fake Celebrity Video Sites Serving Malware - Part Two
Due to the template-ization of fake celebrity video sites, and simple traffic management tools combined with blackhat SEO tactics, these sites are also prone to increase in the next couple of months

17. Web Based Botnet Command and Control Kit 2.0
It's releases like these that remind us of the amount of time, efforts and personal touch that a malicious attacker would put into such a management kit, currently acting as a personal benchmark as far as complexity and features indicating the coder's experience with botnets is concerned. What's he's failing to anticipate is that this kit is sooner or later going to turn into the "MPack of botnet management"

18. A Diverse Portfolio of Fake Security Software - Part Four
Keep it coming, we'll keep it exposing until we end up getting down to the "fake software vendor" itself

19. Automatic Email Harvesting 2.0
Email harvesting is slowly maturing into a vertically integrated service provided by vendors of managed spamming services. This email harvesting module is aiming to close the page on text obfuscation in respect to fighting spam, and is successfully recognizing and collecting such publicly available emails. From a psychological perspective though, the end users who bothered to obfuscate their emails are less likely to fall victims into phishing scams, with the obfuscation speaking for a relatively decent situational awareness on how they emails end up in a spammer's campaign

20. Fake Porn Sites Serving Malware - Part Three
As a firm believer in sampling in order to draw conclusions on the big picture, an approach that has proven highly accurate in modeling historical and upcoming tactics and behavior, a single fake porn site serving malware campaign usually exposes a dozen of misconfigured redirectors, which thanks to their misconfiguration despite the evasive features available within the kits, expose another dozen of malware campaigns

21. Facebook Malware Campaigns Rotating Tactics
With no particular flaw exploited other than the social engineering tactic of using already compromised Facebook accounts who would automatically spam all their friends with links to flash files hosted at legitimate services, the more persistent the campaign is, the higher the chance that it will scale enough. This campaign in particular is mainly relying on rotation of tactics, namely different messages, different services and file extensions used in order to trick someone's friend into visiting the URL. With the number of users increasing, the most popular social networking sites are naturally going to be permanently under attacks from cybercriminals

22. Fake Security Software Domains Serving Exploits
Despite that it's a single brand, namely the International Virus Research Lab that's introducing client-side exploits within it's portfolio of domains, the opportunity for abuse may be noticed by the rest of the brands pretty fast

23. Exposing India’s CAPTCHA Solving Economy
Taking into consideration the mentality surrounding a particular country's cybercriminals, how they think, how they operate, what do they define as an opportunity, and how much personal efforts are they willing to put into their campaigns, I wouldn't be surpised if a Russian vendor offering 100,000 bogus Gmail accounts for sale has in fact outsourcing the account registration process to Indian workers, paid them pocket change and is then reselling them ten to twenty times higher than the price he originally paid for them.

The text based CAPTCHAs used at the major Internet portals and services, are so efficiently abused by this approach that continuing to use is directly undermining the trust these email providers and services often come with as granted
]]> Wed, 10 Sep 2008 02:57:32 +0000 malware facebook malware campaigns usefulness pinch malware banker malware kits malware campaigns botnet diy botnet kit distribute malware banker malware Summarizing August's Threatscape <![CDATA[Copycat Web Malware Exploitation Kits are Faddish]]> http://securityratty.com/article/ba56aabae03bad418cbbf5ae497d3769 http://securityratty.com/article/ba56aabae03bad418cbbf5ae497d3769
For the cheap cybercriminals not wanting to invest a couple of thousand dollars into purchasing a cutting edge web malware exploitation kit -- a pirated copy of which they would ironically obtained several moths later -- with all the related and royalty free updates coming with it, there are always the copycat malware kits like this one offered for $100.

Taking into consideration the proprietary nature of some of the kits, the business model of malware kits was mostly relying on their exclusive nature next to the number, and diversity of the exploits included in order to improve the infection rate. This simplistic assumption on behalf of the coders totally ignored the possibility of their kits leaking to the general public, or copies of the kits ending up as a bargain in particular underground deal where the once highly exclusive kit was offered as a bonus.

"Me too" web malware kits were a faddish way to enjoy the popularity of web malware kits like MPack and Icepack and try to cash in on that popularity by coming up average kits lacking any significant differentiation factors in the process. But just like the original and proprietary kits, whose authors didn't envision the long term growth strategy of integrating different services into their propositions or the kits themselves, the authors of copycat malware kits didn't bother considering the lack of long-term growth strategy for their releases. Branding in respect to releasing a Firepack malware kit to compete with Icepack which was originally released to compete with Mpack, has failed to achieve the desired results as well.

And with malware kits now a commodity, and underground vendors excelling in a particular practice with the long term objective to vertically integrate in their area of expertise -- think spammers offering localization of messages into different languages and segmented email databases from a specific country -- would we witness the emergence of managed cybercrime services charging a premium for providing fresh dumps of credit card numbers, PayPal, Ebay accounts or whatever the buyer is requesting?

That may well be the case in the long term.

Related posts:
Web Based Botnet Command and Control Kit 2.0
DIY Botnet Kit Promising Eternal Updates
Pinch Vulnerable to Remotely Exploitable Flaw
The Zeus Crimeware Kit Vulnerable to Remotely Exploitable Flaw
The Small Pack Web Malware Exploitation Kit
Crimeware in the Middle - Zeus
The Nuclear Grabber Kit
The Apophis Kit
The FirePack Exploitation Kit Localized to Chinese
MPack and IcePack Localized to Chinese
The Icepack Exploitation Kit Localized to French
The FirePack Exploitation Kit - Part Two
The FirePack Web Malware Exploitation Kit
The WebAttacker in Action
Nuclear Malware Kit
The Random JS Malware Exploitation Kit
Metaphisher Malware Kit Spotted in the Wild
The Black Sun Bot
The Cyber Bot
Google Hacking for MPacks, Zunkers and WebAttackers
The IcePack Malware Kit in Action
]]> Wed, 03 Sep 2008 03:18:08 +0000 malware kits web malware kits kits copycat malware kits proprietary kits term long-term growth strategy icepack icepack exploitation kit Copycat Web Malware Exploitation Kits are Faddish <![CDATA[Banker Malware Targeting Brazilian Banks in the Wild]]> http://securityratty.com/article/4c146364a5e5366271bb42a4f795af8d http://securityratty.com/article/4c146364a5e5366271bb42a4f795af8d
Despite the ongoing customerization of malware, and the malware coding for hire customer tailored services, certain malware authors still believe in the product concept, namely, they build it and wait for someone to come. In this underground proposition for a proprietary banker malware targeting primarily Brazillian bank, the author is relying on the localized value added to his malware forgetting a simply fact - that the most popular banker malware is generalizing E-banking transactions in such a way that it's successfully able to hijack the sessions of banks it hasn't originally be coded to target in general.

Banks targetted in this banker malware :
Bank Equifax
Bank Itau
Bank Check
Bank Vivo
Bank Banrisul
Tim Bank Brazil
Bank Nossa Caixa
Bank Santander Banespa
Bank Infoseg
Bank Paypal
Bank Caixa Economica Federal
Bank Bradesco
Bank Northeast
Royal Bank
Bank Itau Personnalite
Bank PagSeguro
Australia Bank
Credicard Citi Bank
Credicard Bank Itau
Rural Bank

Taking into consideration the fact that not everyone would be willing to pay a couple of thousand dollars for a banker malware kit targeting banks the customer isn't interested in at the first place, malware authors have long been tailoring their propositions on the basis of modules. Adding an additional module for stealtness increases the prices, as well as an additional module forwarding the process of updating the malware binary to the "customer support desk". Moreover, stripping the banker kit from modules in which the customer doesn't have interest, like for instance exclude all Asian banks the kit has already built-in capabilities to hijack and log transactions from, decreases its price.

In a truly globalized IT underground, Brazillian cybercriminals tend to prefer using the market leading tools courtesy of Russian malware authors, so this localized banker malware with its basic session screenshot taking capabilities and accounting data logging has a very long way to go before it starts getting embraced by the local underground.

Related posts:
The Twitter Malware Campaign Wants to Bank With You
Targeted Spamming of Bankers Malware
A Localized Bankers Malware Campaign
76Service - Cybercrime as a Service Going Mainstream
The Underground Economy's Supply of Goods and Services
The Dynamics of the Malware Industry - Proprietary Malware Tools
Using Market Forces to Disrupt Botnets
Multiple Firewalls Bypassing Verification on Demand
Managed Spamming Appliances - The Future of Spam
Localizing Cybercrime - Cultural Diversity on Demand
E-crime and Socioeconomic Factors 
Malware as a Web Service 
Coding Spyware and Malware for Hire
Are Stolen Credit Card Details Getting Cheaper?
Neosploit Team Leaving the IT Underground
The Zeus Crimeware Kit Vulnerable to Remotely Exploitable Flaw
Pinch Vulnerable to Remotely Exploitable Flaw
Dissecting a Managed Spamming Service
Managed "Spamming Appliances" - The Future of Spam
]]> Mon, 18 Aug 2008 03:01:03 +0000 banker malware banker malware kit kit popular banker malware malware bank itau personnalite bank itau malware authors russian malware authors Banker Malware Targeting Brazilian Banks in the Wild <![CDATA[76Service - Cybercrime as a Service Going Mainstream]]> http://securityratty.com/article/35bdaf104e9aecf7703834d959f39050 http://securityratty.com/article/35bdaf104e9aecf7703834d959f39050
Disintermediating the intermediaries in the cybercrime ecosystem, ultimately results in more profitable operations. Controversial to the concept of outsourcing, some cybercriminals are in fact so self-sufficient, that the stereotype of a mysterious 76service server offered for rent could in fact easily cease to exist in an ecosystem so vibrant that literally everyone can partion their botnet and start offering access to it on a multi-user basis. Evil? Obviously. Extending the lifecycle of a proprietary malware tool? Definitely.

The infamous 76service, a cybercrime as a service web interface where customers basically collect the final output out of the banking malware botnet during the specific period of time for which they've purchases access to the service, is going mainstream, with 76Service's Spring Edition apparently leaking out, and cybercriminals enjoying its interoperability potential by introducing different banking trojans in their campaigns.

In this post, I'll discuss the 76service's spring.edition that has been combined with a Metaphisher banking malware, an a popular web malware exploitation kit, with two campaigns currently hosting 5.51GB of stolen banking data based on over 1 million compromised hosts 59% of which are based in Russia. Screenshots courtesy of an egocentric underground show-off.

Some general info on the 76service :

"Subscribers could log in with their assigned user name and password any time during the 30-day project. They’d be met with a screen that told them which of their bots was currently active, and a side bar of management options. For example, they could pull down the latest drops—data deposits that the Gozi-infected machines they subscribed to sent to the servers, like the 3.3 GB one Jackson had found. A project was like an investment portfolio. Individual Gozi-infected machines were like stocks and subscribers bought a group of them, betting they could gain enough personal information from their portfolio of infected machines to make a profit, mostly by turning around and selling credentials on the black market. (In some cases, subscribers would use a few of the credentials themselves). Some machines, like some stocks, would under perform and provide little private information. But others would land the subscriber a windfall of private data. The point was to subscribe to several infected machines to balance that risk, the way Wall Street fund managers invest in many stocks to offset losses in one company with gains in another."

The 76service empowers everyone who is either not willing to spend time and resources for building and maintaining a botnet, launching campaigns, and SQL injecting hundreds of thousands of sites in order to take advantage of the long tail of malware infected sites that theoretically can outpace the traffic that could come from a SQL injected high-profile site.

Next to the spring.edition, the winter edition's price starts from $1000 and goes to $2000, which is all a matter of who you're buying it from, unless of course you haven't come across leaked copies :

"Assuming that the dealer offering what he claimed was the 76service kit was correct, the profit is not only in the kit, but in selling value added services like exploitation, compromised servers/accounts, database configuration, and customization of the interface. Prices start between $1000 to $2000 and go up based on added services. The underground payment methods generally involve hard-to-track virtual currencies, whose central authority is in a jurisdiction where regulation is liberal to non-existent, and feature non-reversible transactions. The individual or group called "76service" was easy to track down on the Web, but not in person."

It's interesting to monitor how services aiming to provide specific malicious services are vertically integrating by expanding their portfolio of related services -- taka a spamming vendor that will offer the segmented email databases, the advanced metrics, and the localization of the spam messages to different languages -- or letting the buyer have full control of anything that comes out of a particular botnet for a specific period of time in which he has bought access to it. For instance, DDoS for hire matured into botnet for hire, which evolved into today's "What type of stolen data do you want?" for hire mentality I'm starting to see emerging, next to the usual interest in improving the metrics and thereby the probability for a more succesful campaign.

Ironically, this cybercrime model is so efficient that the people behind it cannot seem to be able to process all of the stolen data, which like a great deal of underground assets loses its value if not sold as fast as possible. The result of this oversupply of stolen data are the increasing number of services selling raw logs segmented based on a particular country for a specific period of time.

Time for a remotely exploitable vulnerability in yet another malware kit about to go mainstream? Definitely, unless of course backdooring it and releasing it doesn't achieve the obvious results of controlling someone else's cybercrime ecosystem.

Related posts:
The Underground Economy's Supply of Goods and Services
The Dynamics of the Malware Industry - Proprietary Malware Tools
Using Market Forces to Disrupt Botnets
Multiple Firewalls Bypassing Verification on Demand
Managed Spamming Appliances - The Future of Spam
Localizing Cybercrime - Cultural Diversity on Demand
E-crime and Socioeconomic Factors 
Malware as a Web Service 
Coding Spyware and Malware for Hire
Are Stolen Credit Card Details Getting Cheaper?
Neosploit Team Leaving the IT Underground
The Zeus Crimeware Kit Vulnerable to Remotely Exploitable Flaw
Pinch Vulnerable to Remotely Exploitable Flaw
Dissecting a Managed Spamming Service
Managed "Spamming Appliances" - The Future of Spam

]]> Wed, 13 Aug 2008 04:08:43 +0000 76service service malware malware kit cybercrime malware botnet botnet mysterious 76service server web service 76Service - Cybercrime as a Service Going Mainstream <![CDATA[Pinch Vulnerable to Remotely Exploitable Flaw]]> http://securityratty.com/article/8cbf69361bdc83216c6de0e5e5d551a0 http://securityratty.com/article/8cbf69361bdc83216c6de0e5e5d551a0
In the very same way a cybercrime analyst is reverse engineering and sandboxing a particular piece of malware in order to get a better understanding of who's being it, and how successful the campaign is once access to the command and control interface is obtained, cybercriminals themselves are actively reverse engineering the most popular crimeware kits, looking, and actually finding remotely exploitable vulnerabilities allowing them to competely hijack someone's command and control, and consequently, their botnet. The Zeus crimeware kit, which I've been discussing and analyzing for a while, is the perfect example of how once a popular underground kit start acting as the default crimeware kit, cybercriminals themselves start looking for vulnerabilities that they could take advantage of. And those who look, usually end up finding.

A remotely exploitable flaw allowing cybercriminals to remotely inject a web shell within another cybercriminal's web command and control interface of the popular Pinch crimeware that's been around VIP underground forums since June, 2007, is starting to receive the necessary attention from script kiddies catching up with the possibility of hijacking someone's malware campaign due to misconfigured command and control servers.

With the exploit now in the wild, retro cybercriminals still taking advantege of the ubiqutous command and control interface that could be easily used by other malware rathar than Pinch, "cybercriminals are advised" to randomize the default file name of the gate, and apply the appropriate directory permissions.
 
Monocultural insecurities are ironically started to emerge in the IT underground with the increasing commoditization of what used to be a proprietary web exploitation malware kit or a banker malware kit, allowing easy entry into the malware industry through the unregulated use of what some would refer to as an "advanced technology" that only a few cybercriminals used to have access to an year ago.  Just like legitimate software vendors, authors of crimeware kits are also trying to enforce their software licenses and forbidding any reverse engineering of their kits in order to enjoy the false feeling of security provided by the security through obscurity. The result? Cybercrime groups filing for bankruptcy unable to achieve a positive return on investment due to their intellectual property getting pirated and their inability to enforce the licenses that they issue to their customers.

We're definitely going to see more trivial, but then again, remotely exploitable vulnerabilities within popular crimeware kits, which can assist both the cybercrime analysts and naturally the cybercriminals themselves. For the time being, even the most sophisticated malware campaigns aren't fully taking advantage of the evasive and stealth tactics that the kits, or their common sense allows them to - let's see for how long.

Related posts:
Russia's FSB vs Cybercrime
Crimeware in the Middle - Zeus
The Zeus Crimeware Kit Vulnerable to Remotely Exploitable Flaw
Coding Spyware and Malware for Hire

]]> Thu, 07 Aug 2008 06:22:01 +0000 popular crimeware kits crimeware kits pinch crimeware zeus crimeware kit popular pinch crimeware malware banker malware kit default crimeware kit Pinch Vulnerable to Remotely Exploitable Flaw <![CDATA[HACKED BY THE RBN!]]> http://securityratty.com/article/14894413156ade1ed1214fcfffa39a2d http://securityratty.com/article/14894413156ade1ed1214fcfffa39a2d The RBN 0wnZ 7th1$ Bl0g! April 1st, 2008, St.Petersburg, Russia. The Russian Business Network, an internationally renowned cyber crime powerhouse is proud to present its very latest malware cocktail by embedding live exploit URLs within one of the top ten blogs to be malware embedded due to their overall negative attitude regarding the RBN's operational activities. A negative attitude that's been nailing down the RBN's cyber coffin as early 2007, prompting us to hire extra personel, thereby increasing our operational costs.

Hijacked readers of this blog, executing the harmless to a VMware backed up PC setup files below, will not just strengten our relationship by having your computer contact ours, but will also help us pay for the infrastructure we use to host these, and let us continue maintaining our 99% uptime even in times of negative attitude on a large scale against our business services.

How can you too, support the RBN, just like hundreds of thousands customers whose computers keep on connecting to ours already did? Do the following :

- Execute our very latest, small sized executable files and let them do their job

58.65.239.42/jdk7dx/ inst250.exe
58.65.239.42/jdk7dx/ alexey.exe
58.65.239.42/jdk7dx/ 6.exe
58.65.239.42/jdk7dx/ 1103.exe
58.65.239.42/jdk7dx/ eagle.exe
58.65.239.42/jdk7dx/ krab.exe
58.65.239.42/jdk7dx/ win32.exe
58.65.239.42/jdk7dx/ pinch.exe
58.65.239.42/jdk7dx/ ldig0031242.exe
58.65.239.42/jdk7dx/ 64.exe
58.65.239.42/jdk7dx/ system.exe
58.65.239.42/jdk7dx/ bhos.exe
58.65.239.42/jdk7dx/ bho.exe

- Once you've executed them, make sure you initiate an E-banking transaction right way. Do not worry, you don't to give us your banking details for the donation, we already have them, and will equally distribute your income by meeting our financial objectives

- Now that you're done transfering money, authenticate yourself at each every web service that you've ever been using. Trust is vital, and so that we've trusted you by providing you with our latest small sized executable files, it's your turn to trust us when asking you to do so

- Don't forget to plug-in any kind of writeble removable media once you've executed the files above as well, as we'd really like to deepen our relationship by storing them, and having them automatically execute themselves the next time you plug-in your removable media

- Sharing is what drives our business. Just like the way we've shared and trusted with by providing you with direct links to our executables, in exchange we know you wouldn't mind sharing some of that free hard disk space you have for our own distributed hosting purposes

Stop hating and start participating, join our botnet TODAY! Don't forget, diamonds degrade their quality, hosting services courtesy of the RBN are forever!

Sincerely yours,
"HostFresh" - RBN's Hong Kong subsidiary
]]> Tue, 01 Apr 2008 11:52:09 +0000 42jdk7dx 42jdk7dx pinch 42jdk7dx system 42jdk7dx ldig0031242 42jdk7dx inst250 42jdk7dx bhos 42jdk7dx win32 exe 42jdk7dx bho HACKED BY THE RBN! <![CDATA[Malware still the biggest threat]]> http://securityratty.com/article/c1d37162f77a861d040079b63775416f http://securityratty.com/article/c1d37162f77a861d040079b63775416f Kaspersky in an article in the latest edition of Information Week. While the numbers are shockingly high, they are not in my opinion representative of where the real threat and the greatest risk lies; so long as we continue to deploy multi-layered defences - Network IPS at the perimeter, Host IPS and anti-virus on the desktop, proxy devices for scanning incoming web traffic and so on. It's expensive but essential controls. The greatest risk is from the targeted malware. specifically designed to attack your network and your data. I was reading about the Russian Business Network. They have a Wiki entry here.
The RBN has been described as "the baddest of the bad". It offers web hosting services and internet access to all kinds of criminal and objectionable activities, with individual activities earning up to $150 000 000 in one year. Businesses that take active stands against such attacks are sometimes targeted by denial of service attacks originating in the RBN network. RBN has been known to sell its services to these operations for $600 per month
One of their alleged principle operations is writing custom exploits, paid for by clients, designed to attack specific networks. It's apparently a very profitable operation - although I'm taking the figure quoted on the Wiki with a pinch of salt. More worrying still are reports that virus writers are attempting to infiltrate AV vendors (as described in the aforementioned Information Week article) and that legitimate AV employees are being "approached by virus writers hoping to suppress signatures for particular - highly profitable - Trojans." What's clear is that long gone are the days when malware was mostly nuisance stuff created by hobbyists. These days there is a well organised and profitable underground business in operation creating malware that our defences don't block and we don't find. My own anti-malware strategy is based on the defences I mentioned earlier but also security awareness messages and a strong stand against non-company equipment connecting up to the network. But I doubt if all that would be enough if there were to be a targeted attack. So this is where we have to focus also on strong authenitcation, making sure that private data is encrypted, limiting access using the principles of least privilege and so on. Each control on it's own will reduce some degree of the risk. Taking all of the controls together reduces the risk much more. Enough? Arguable. Because that only covers off the data that's on the networks under my policy control. Do all our partners have controls equally as good? I'm going to be finding out! ]]> Fri, 14 Mar 2008 03:00:00 +0000 malware network rbn network network ips rbn attack specific networks information week article networks article Malware still the biggest threat