<![CDATA[[SecurityRatty] tag: rootkits]]> http://securityratty.com/tag/rootkits Mon, 14 Jul 2008 20:00:00 +0000 iRatty Engine http://blogs.law.harvard.edu/tech/rss <![CDATA[Yet Another Web Malware Exploitation Kit in the Wild]]> http://securityratty.com/article/5caa05f53942f1ddb87a74f20c2c3599 http://securityratty.com/article/5caa05f53942f1ddb87a74f20c2c3599
With business-minded malicious attackers embracing basic marketing practices like branding, it is becoming increasingly harder, if not pointless to keep track of all XYZ-Packs currently in circulation. How come? Due to their open source nature allowing modifications, claiming copyright over the modified and re-branded kit, the source code of core web malware exploitation kits continue representing the foundation source code for each and every newly released kit.

In fact, the practice is becoming so evident, that anecdotal evidence in the form of monitoring ongoing communications between sellers and buyers reveals actual attempts of intellectual property enforcement in the form of  exchange of flames between an author of a original kit, and a newly born author who seems to have copied over 80% of his source code, changed the layout, re-branded it, added several more exploits and started pitching it as the most exclusive kit there is available in the underground marketplace.

What's new about this particular kit anyway? Changed iframe and js obfuscation techniques, doesn't require MySQL to run, with several modified Adobe Acrobat and Flash exploits - all patched and publicly obtainable. This is precisely where the marketing pitch ends for the majority of malware kits released during the last quarter.

As always, there are noticable exceptions to the common wisdom that time-to-underground market isn't allowing them to innovate, but thankfully, these exceptions aren't yet going mainstream. What is going to change in the upcoming 2009? Web malware exploitation kits are slowly maturing into multi-user cybercrime platforms, where traffic management coming from the SQL injected or malware embedded sites is automatically exploited with access to the infected hosts or to the traffic volume in general offered for sale under a flat rate, or on a volume basis.

Converging traffic management with drive-by exploitation and offering the output for sale, all from a single web interface, is precisely what malicious economies of scale is all about.

Related posts:
Cybercriminals release Christmas themed web malware exploitation kit
New Web Malware Exploitation Kit in the Wild
Modified Zeus Crimeware Kit Gets a Performance Boost 
Zeus Crimeware Kit Gets a Carding Layout
Web Based Malware Emphasizes on Anti-Debugging Features
Copycat Web Malware Exploitation Kit Comes with Disclaimer
Web Based Malware Eradicates Rootkits and Competing Malware
Two Copycat Web Malware Exploitation Kits in the Wild
Copycat Web Malware Exploitation Kits are Faddish
Web Based Botnet Command and Control Kit 2.0
BlackEnergy DDoS Bot Web Based
A New DDoS Malware Kit in the Wild
The Small Pack Web Malware Exploitation Kit
The Nuclear Grabber Kit
The Apophis Kit
Nuclear Malware Kit
The Random JS Malware Exploitation Kit
Metaphisher Malware Kit Spotted in the Wild
]]> Tue, 02 Dec 2008 03:24:43 +0000 kit malware exploitation kit nuclear malware kit zeus crimeware kit malware exclusive kit nuclear grabber kit apophis kit ddos malware kit Yet Another Web Malware Exploitation Kit in the Wild <![CDATA[MS AV Out and Free ... Uh-Oh]]> http://securityratty.com/article/c11f864ccd2c2dd9f5e1fa6ef8d8a18d http://securityratty.com/article/c11f864ccd2c2dd9f5e1fa6ef8d8a18d MS Destroys the Consumer AV Market," the news hit ... well, hit the fan like the proverbial... well, you know what :-)

Is it really "Good-bye Big Yellow and Little Red?" Probably not, as this new offering is aimed at consumers and lower-end SMBs; large orgs will still pay ransom ... eh, subscription fees for their AV. It was also interesting to read some of the comments, like "OMG, I so hate paying for AV... and now I won't have to." If such sentiment is indeed widespread, maybe MS choose a really, really good moment to come out with this!

The most fun comments are found on the OneCare team blog here. Esp. see this one: "a majority of consumers around the world do not have up-to-date antivirus, antispyware and antimalware protection" (now they will, thanks to MS! :-)) and "this new offering will focus on getting the majority of consumers the essential protection they need by providing comprehensive, real-time anti-malware protection, covering such threats as viruses, spyware, rootkits, trojans, and other emerging threats, in a single [FREE!], focused solution."
About me: http://www.chuvakin.org
]]> Wed, 19 Nov 2008 10:44:00 +0000 fun comments comments real-time anti-malware protection hit onecare team blog news hit consumers essential protection single free MS AV Out and Free ... Uh-Oh <![CDATA[New Web Malware Exploitation Kit in the Wild]]> http://securityratty.com/article/b14bf267debe94a6c65be57f5460b9a5 http://securityratty.com/article/b14bf267debe94a6c65be57f5460b9a5
Oops, they keep doing it, again and again - trying to cash-in on the biased exclusiveness of web malware exploitation kits in general, which when combined with active branding is supposed to make them rich. However, despite the low price of $300 in this particular case, this copycat kit is once again lacking any signification differentiation factors besides perhaps the 20+ exploits targeting Opera and Internet Explorer included within.

Marketed for novice users, despite lacking any key features worth being worried about, it's still managing to maintain a steady infection rate of unpatched Opera browsers. Such statistics obtained in an OSINT fashion always provide a realistic perspective on publicly known facts, like the one where millions of end users continue getting exploited due to their overall misunderstanding of today's threatscape driven by the ubiquitous web exploitation kits. 

Related posts:
Modified Zeus Crimeware Kit Gets a Performance Boost 
Zeus Crimeware Kit Gets a Carding Layout
Web Based Malware Emphasizes on Anti-Debugging Features
Copycat Web Malware Exploitation Kit Comes with Disclaimer
Web Based Malware Eradicates Rootkits and Competing Malware
Two Copycat Web Malware Exploitation Kits in the Wild
Copycat Web Malware Exploitation Kits are Faddish
Web Based Botnet Command and Control Kit 2.0
BlackEnergy DDoS Bot Web Based
A New DDoS Malware Kit in the Wild
The Small Pack Web Malware Exploitation Kit
The Nuclear Grabber Kit
The Apophis Kit
Nuclear Malware Kit
The Random JS Malware Exploitation Kit
Metaphisher Malware Kit Spotted in the Wild
]]> Wed, 19 Nov 2008 01:15:01 +0000 malware malware exploitation kit web based malware nuclear malware kit ddos malware kit zeus crimeware kit wild key features worth metaphisher malware kit New Web Malware Exploitation Kit in the Wild <![CDATA[Web Based Malware Eradicates Rootkits and Competing Malware]]> http://securityratty.com/article/ab3faf956826a6c7466d7d83fa5572f5 http://securityratty.com/article/ab3faf956826a6c7466d7d83fa5572f5
A tiny 20kb antivirus module within "yet another web based malware in the wild", promises to get rid of all Zeus variants, and also, detect and remove rootkits found on the infected system in order to ensure that it's the only malware the victim remains infected with. What's really special about its command and control interface is that it's AJAX based, with the seller pitching the feature as "you no longer have to hit F5 in order to see how's your malware campaign doing".

Here's a brief (translated) description :

- Simultaneously execute different campaigns, allocate specific bots for specific countries only, set time and data for automatic update with the new binaries
- Firewalls and antivirus bypassing capabilities, Anti-tracing, anti-reverse engineering
- Self defense mechanism for harder removal
- ICQ notifications for finished tasks, newly infected hosts, graphical statistics

Exactly how it removes rootkits remains yet unknown due to its proprietary nature and brief description, but resetting the hosts file and taking advantage of updated BHO list of known malware are among the ways it removes competing malware.
]]> Wed, 01 Oct 2008 14:08:43 +0000 malware web based malware malware campaign removes rootkits remains removes hosts hosts file unknown due remove rootkits Web Based Malware Eradicates Rootkits and Competing Malware <![CDATA[Hacked Texas National Guard site serves up malware]]> http://securityratty.com/article/e01cfeb12d844da5e9a6522f7ea2e458 http://securityratty.com/article/e01cfeb12d844da5e9a6522f7ea2e458 Thu, 18 Sep 2008 20:00:00 +0000 texas national guard fake security software web site security researcher plant rootkits serve attackers offers thursday Hacked Texas National Guard site serves up malware <![CDATA[Hacked Texas National Guard site serves up malware]]> http://securityratty.com/article/92304c99b180dbd9b7c7e61353f66bd9 http://securityratty.com/article/92304c99b180dbd9b7c7e61353f66bd9 Add to digg Add to StumbleUpon Add to Twitter Add to Slashdot
]]> Thu, 18 Sep 2008 09:00:00 +0000 texas national guard fake security software web site security researcher plant rootkits serve offers pcs hackers Hacked Texas National Guard site serves up malware <![CDATA[Defeating the Botnets of the Future]]> http://securityratty.com/article/dd3c6acb30bc9f9eb97db337408f134c http://securityratty.com/article/dd3c6acb30bc9f9eb97db337408f134c (Source: WatchGuard) Botnet code carries almost every conceivable form of malware, from spyware to downloaders, rootkits, spam engines, and more. See how WatchGuard can reduce the likelihood of a bot infection operating from your network using practical, easy to deploy, strategies to defend against the ever evolving threat botnets pose.
Add to digg Add to StumbleUpon Add to Twitter Add to Slashdot
]]> Tue, 16 Sep 2008 09:00:00 +0000 botnet code carries threat botnets pose watchguard bot infection spam engines conceivable form rootkits source deploy Defeating the Botnets of the Future <![CDATA[If This Isn't 'Semantic Hacking', I Don't Know What Is...]]> http://securityratty.com/article/3dbfd73fd4e7b2a4b44919222ac0ee18 http://securityratty.com/article/3dbfd73fd4e7b2a4b44919222ac0ee18 Shares of UAL Corp. went from $12.16 to $0.01 [A.C. - the number is actually not true; they dropped to about $3, but still] when a 2002 Chicago Tribune article with the headline “United Files For Bankruptcy” appeared today. With today’s date." (more coverage)

Think about it...

Worms? RBN? Bots? Rootkits? DLP? NAC? For kids.
About me: http://www.chuvakin.org
]]> Wed, 10 Sep 2008 11:29:00 +0000 chicago tribune article ual corp rootkits coverage shares bankruptcy files dlp true If This Isn't 'Semantic Hacking', I Don't Know What Is... <![CDATA[Rootkit Evolution]]> http://securityratty.com/article/353ad0019219b756519dd8543a1bed81 http://securityratty.com/article/353ad0019219b756519dd8543a1bed81 Mon, 01 Sep 2008 05:21:06 +0000 rookie virus analyst rootkit vague knowledge rootkits windows executable day Rootkit Evolution <![CDATA[Hunt for the elusive rootkit 'Rustock.C' revealed ]]> http://securityratty.com/article/085fbded0b0d3d73a4f7c84f69cce584 http://securityratty.com/article/085fbded0b0d3d73a4f7c84f69cce584 Mon, 14 Jul 2008 20:00:00 +0000 rustock rootkit reads sherlock holmes story kaspersky lab view hide tale Hunt for the elusive rootkit 'Rustock.C' revealed