<?xml version="1.0" encoding="utf-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" version="2.0">
  <channel>
    <title><![CDATA[[SecurityRatty] tag: supplement]]></title>
    <link>http://securityratty.com/tag/supplement</link>
    <description></description>
    <pubDate>Tue, 22 Apr 2008 12:47:40 +0000</pubDate>
    <generator>iRatty Engine</generator>
    <docs>http://blogs.law.harvard.edu/tech/rss</docs>
    <item>
      <title><![CDATA[Coding Spyware and Malware for Hire]]></title>
      <link>http://securityratty.com/article/1dbd4bddd9e4248009d0273ad7cae5dd</link>
      <guid>http://securityratty.com/article/1dbd4bddd9e4248009d0273ad7cae5dd</guid>
      <description><![CDATA[What type of antivirus evasion do you want today? For the past several years, we have been witnessing the emerging customerization applied in malware and spyware for hire services. What used to be a...]]></description>
      <content:encoded><![CDATA[<div class="separator" style="text-align: left; clear: both;"><a href="http://bp2.blogger.com/_wICHhTiQmrA/SIWJkocpGwI/AAAAAAAAB8U/_v3hJOM2k_s/s1600-h/preview_random.jpg" imageanchor="1" style="border: 0pt none ; background-color: transparent; clear: left; margin-bottom: 1em; float: left; margin-right: 1em;"><img src="http://bp2.blogger.com/_wICHhTiQmrA/SIWJkocpGwI/AAAAAAAAB8U/15Yc8N_lG74/s200-R/preview_random.jpg" style="border: 0pt none ;" /></a></div>What type of antivirus evasion do you want today? For the past several years, we have been witnessing the emerging customerization applied in malware and spyware for hire services. What used to be a situation where malware authors would code and then start promoting a piece of malware with the features they thought their potential customers would want, generalizing a cybercriminal's needs, has already become today's "listening to the customer" win-win situation. <br />
<br />
The maturation from product concept to customerization is in fact so prevalent these days that malware authors wanting to preserve their intellectual property are forbidding their customers from reverse engineering their malware modules, presumably fearing that <a href="http://ddanchev.blogspot.com/2008/06/zeus-crimeware-kit-vulnerable-to.html">remotely exploitable flaws like this one in Zeus, one of the most popular pieces of Ebanker malware of the last two years</a>, could be discovered due to the malware author's insecure coding practices. Moreover, distributing the single license they are given to more than three people will result in the malware author refusing any future business relationship with the party that ruined the exclusiveness of the malware by leaking it to the public, something that has been happening and will continue to happen with web malware exploitation kits.<br />
<br />
What would be the price of a custom malware module coded on demand? How much does it cost to have a built in email harvester that would sniff all the incoming and outgoing email addresses from the infected host to later on include them in upcoming spam and malware campaigns? Would the malware author also provide a managed hosting service for the command and control and the actual binaries on a revenue sharing <br />
<br />
Here's an automatically translated, and fairly easy to understand random proposition for coding spyware and malware for hire, aiming to answer many of these questions, clearly demonstrating that today's malware is coded in exactly the same way the customer wants it to : <br />
<br />
"<i>As you can see in the history of its development turned directly into the combine, while almost no raspuh in weight, full-size pack аж 18 kb and minialno 5 kb, for all nampomnyu again, all descriptions below can be done as otdelnym bot, and any combination of cross except for a few restrictions. This product is targeted at mass-user and will not be all prodavatsya row. So, you can choose from:</i><br />
<br />
<i>Actually loader - is able to load a file from adminki, by country and other characteristics, such as the number of animals on board with a specific bot, a country group of countries, the availability of certain authors or Fire, sredenemu time online, etc. etc.. You can adjust the speed of shipping limits for each file, can load 1 as well as how files simultaneously<br />
300 €</i><br />
<br />
<i><b>FTP and not only Graber</b><br />
Analyzes user traffic and collects from the ftp acclamation, that is ftp acclamation would you regardless of how the customer uses ftp user, thus can be obtained most valuable ftp aka (even those to which the password is not saved), you can also grab other in a way not only acclamation acclamation and other tasty things more)<br />
150 €<b>&nbsp;</b></i><br />
<br />
<i><b>Assembler spam bases</b><br />
Analyzes user traffic and collects from all email, snifit http pop3 smtp protocols, keeps records unikallnosti locally on each boat to reduce the burden on the server as well as globally on a server has 2 mode of operation - ie passive with only collects user to please and active - the very beginning to download the entire inet) in search of soap<br />
220 €<br />
<br />
<b>Socks 4 / 5</b><br />
Normal soks with competently implemented multithreading, is activated only if the user real Ip, otherwise not. And also optional, depending on the connection type and speed ineta.<br />
70 €<br />
<br />
<b>Indicates</b><br />
The primitive method, contamination fleshek avtoranom gives 2-3% increase in the first week and up to 7% in the next, a pleasant trifle)<br />
35 €<br />
<br />
<b>Scripts</b><br />
Loader supports internal scripting language - jscript, to carry out arbitrary actions on the victim machine, whether recording data in the register, setting authentic hon-Pago, opening URL in your browser (it was done so to please with 90% punching)), apload arbitrary files on a server, even theoretically possible to form and grabing inzhekty in IE) has only to write the script zaebetes, vobschem lyuboye actions soul who wish)<br />
70 € basic functionality<br />
<br />
<b>Assembler passwords</b><br />
Collects data such as passwords pstorage IE, MSN, etc., will be added at the request of other sources of passwords<br />
70 €<br />
<br />
<b>Mini-AV</b><br />
When installing loadera wheelbarrows to remove BHO shaped three, zevso-shaped, the majority of shit from all avtoranov, render most keylogerov until all) forward proposals to improve<br />
70 €<br />
<br />
<b>File-default</b><br />
In exe loadera program URL (in adminke) to the file which once progruzit 1 and run at first start loadera on wheelbarrows, while simultaneously helping progruzke Trojan for example, in its entire botnet that does not paired with challenges in adminke, the module operates in 20 seconds after the mini - av which excludes the removal of your Trojan bot, after progruza this exe bot continues to normal activities.<br />
35 €<br />
<br />
<b>Form Graber</b><br />
While in beta version, robbed IE. Sends logs in adminku, folding country. Logs are like logs agent. It consists of:<br />
<br />
<b>Graber certificats</b><br />
On the idea is part formgrabera but could work and of itself, actually there is nothing to describe)<br />
<br />
<b>Injections</b><br />
Literacy sold inzhekty, did not begin work after full progruza pages (as in bolshistve three) and immediately supported injection yavaskript code, which allows avtozalivy and DC inzhekty for data collection. For example not to yuzat acclamation at all is not yet introduce the necessary number of Britain, after which inzhekt ceases to operate. Вобщем mdelat can be anything and in any form) rather than the meager request field pin) And also inzhektov subspecies - a substitute for the issuance of search enginee.<br />
<br />
<b>Graber balances</b><br />
Makes loot aka balances at the entrance to the user acclamation, detail added to the logs.<br />
<br />
<b>Screen</b><br />
Universal method to grab information from absolutely any species and varieties klaiviatur screens, in particular html, flash, in one picture, with a drop-down fields after choosing your encrypted, as well as information such as "enter 3 yu secret letter word" etc. as well as any information which is visible a user but not seen in the logs. Screen settings of adminki, set URL where do screen as well as the type of screen: for virtual keyboard (done several small images of areas around the clique) or to "enter 3 yu secret letter words" (makes 1 full shot). With the withdrawal screen recorded in the log entry with the name of the file to the screen this position.<br />
<br />
<b>Antiabuznost for botneta</b><br />
Feachem adminki, keep botnet enables fast, normal, bezglyuchnyh NEabuzoustoychivyh hosting, with features that you forget what abuzy, nohistory week saporta "abuzoustoychivogo" hosting inaccessibility host to half ineta etc., etc., also with the help of the supplement will be able to keep huge botnety (over SL) at 1 dedike with 512 Lake) and well on the price of hosting a savings, not $ 500 a month and 150. It may use this feature to stroronnim development, Trojans, bots, etc., actually is a separate product. And incidentally, if you do not understand the theory that nenado ask "and how does it work?" imagine that it works and point and neubivaemo in pritsnipe.<br />
600 € +<br />
&nbsp;</i><br />
<i>All prices are in euros, the calculation is made at the rate of CB on the day of purchase. ps I will not disappear as most authors after months of sales, I DONT how to please you get to the assembly ftp, I DONT how many soap collects soap-graber, I DONT what otstuk from loadera, I DONT soksov how many will be from 1 to downloads, and how best To work load a file is not dead quickly, if you are confused my ignorance - that my loader so you do not need more tries)<br />
<br />
Rules / Licence<br />
-- Customer has no right to transfer any of his three 3 persons except options for harmonizing with me<br />
-- Customer does not have the right to make any decompile, research, malicious modification of any three parts<br />
-- Customer has no right where either rasprostanyat information about three and a public discussion with the exception of three entries.<br />
-- For violating the rules - without any license denial manibekov and further conversations</i>" <br />
<br />
This malware coder seems to be participating in an affiliate program with a malicious ISP that is offering hosting services for the entire campaign, not just the malware binaries, so you have a rather good example of how incentives and revenue-sharing models result in value-added services: an all-in-one shop for a customer to take advantage of without bothering to approach a third party.<br />
<br />
Cybercrime is getting even easier to outsource these days, and with the malicious parties improving their communication and incentives model, the resulting transparency in the underground market
<br />
<b>Related posts:</b><br />
<a href="http://ddanchev.blogspot.com/2007/03/underground-economys-supply-of-goods.html">The Underground Economy's Supply of Goods and Services</a><br />
<a href="http://ddanchev.blogspot.com/2007/10/dynamics-of-malware-industry.html">The Dynamics of the Malware Industry - Proprietary Malware Tools</a><br />
<a href="http://ddanchev.blogspot.com/2008/06/using-market-forces-to-disrupt-botnets.html">Using Market Forces to Disrupt Botnets</a><br />
<a href="http://ddanchev.blogspot.com/2007/10/multiple-firewalls-bypassing.html">Multiple Firewalls Bypassing Verification on Demand</a><br />
<a href="http://ddanchev.blogspot.com/2007/10/managed-spamming-appliances-future-of.html">Managed Spamming Appliances - The Future of Spam</a><br />
<a href="http://ddanchev.blogspot.com/2008/02/localizing-cybercrime-cultural.html">Localizing Cybercrime - Cultural Diversity on Demand</a><br />
<a href="http://ddanchev.blogspot.com/2008/01/e-crime-and-socioeconomic-factors.html">E-crime and Socioeconomic Factors</a><br />
<a href="http://ddanchev.blogspot.com/2007/12/russias-fsb-vs-cybercrime.html">Russia's FSB vs Cybercrime</a><br />
<a href="http://ddanchev.blogspot.com/2007/08/malware-as-web-service.html">Malware as a Web Service</a><br />
<a href="http://ddanchev.blogspot.com/2007/09/localizing-open-source-malware.html">Localizing Open Source Malware</a><br />
<a href="http://ddanchev.blogspot.com/2008/04/quality-and-assurance-in-malware.html">Quality and Assurance in Malware Attacks</a><br />
<a href="http://ddanchev.blogspot.com/2006/09/benchmarking-and-optimising-malware.html">Benchmarking and Optimising Malware</a>]]></content:encoded>
      <pubDate>Mon, 21 Jul 2008 23:52:14 +0000</pubDate>
      <category domain="http://securityratty.com/tag/malware">malware</category>
      <category domain="http://securityratty.com/tag/malware author">malware author</category>
      <category domain="http://securityratty.com/tag/malware authors">malware authors</category>
      <category domain="http://securityratty.com/tag/malware binaries">malware binaries</category>
      <category domain="http://securityratty.com/tag/malware attacks">malware attacks</category>
      <category domain="http://securityratty.com/tag/ftp">ftp</category>
      <category domain="http://securityratty.com/tag/ftp user">ftp user</category>
      <category domain="http://securityratty.com/tag/collects">collects</category>
      <category domain="http://securityratty.com/tag/malware industry">malware industry</category>
      <source url="http://feeds.feedburner.com/~r/DanchoDanchevOnSecurityAndNewMedia/~3/342366718/coding-spyware-and-malware-for-hire.html">Coding Spyware and Malware for Hire</source>
    </item>
    <item>
      <title><![CDATA[Weight-loss supplement dealer settles spam charges]]></title>
      <link>http://securityratty.com/article/5465641ff8bcd69d4d876f11d6f91681</link>
      <guid>http://securityratty.com/article/5465641ff8bcd69d4d876f11d6f91681</guid>
      <description><![CDATA[The marketers of supposed weight-loss supplements have settled charges by the U.S. Federal Trade Commission that they used illegal spam e-mail to market their...]]></description>
      <content:encoded><![CDATA[The marketers of supposed weight-loss supplements have settled charges by the U.S. Federal Trade Commission that they used illegal spam e-mail to market their products.]]></content:encoded>
      <pubDate>Mon, 14 Jul 2008 20:00:00 +0000</pubDate>
      <category domain="http://securityratty.com/tag/illegal spam e-mail">illegal spam e-mail</category>
      <category domain="http://securityratty.com/tag/federal trade commission">federal trade commission</category>
      <category domain="http://securityratty.com/tag/charges">charges</category>
      <category domain="http://securityratty.com/tag/weight-loss supplements">weight-loss supplements</category>
      <category domain="http://securityratty.com/tag/market">market</category>
      <category domain="http://securityratty.com/tag/products">products</category>
      <category domain="http://securityratty.com/tag/marketers">marketers</category>
      <source url="http://www.networkworld.com/news/2008/071508-weight-loss-supplement-dealer-settles-spam.html?fsrc=rss-security">Weight-loss supplement dealer settles spam charges</source>
    </item>
    <item>
      <title><![CDATA[Symantec's Network-Based NAC]]></title>
      <link>http://securityratty.com/article/bdbd7433d55560c26d1c9ef1bc5869bd</link>
      <guid>http://securityratty.com/article/bdbd7433d55560c26d1c9ef1bc5869bd</guid>
      <description><![CDATA[Yes, you read it right - Symantec (as in the software vendor) has a network-based (as in the hardware) NAC. Once you get over the title, keep reading
If you read my blog, or know me, you probably know...]]></description>
      <content:encoded><![CDATA[<p><strong>Yes, you read it right</strong>- <a class="offsite-link-inline" href="http://www.symantec.com/" target="_blank">Symantec</a>&nbsp;(as in the software vendor) has a network-based (as in the hardware) NAC. Once you get over the title, keep reading. </p><p>If you read my blog, or know me, you probably know I do NOT like software (and it usually doesn&#8217;t like me). So, I&#8217;d be the first to jump on the <em>&#8216;anti-software-peer-based-NAC&#8217; </em>train, but I think we have to be informed before we jump to conclusions and hop on any trains. </p><p>Mirage&#8217;s recent blog post on Symantec&#8217;s <a class="offsite-link-inline" href="http://www.mirageblog.com/cto/2008/06/silly-snacs.html" target="_blank">&#8216;Silly SNAC&#8217;</a> was certainly a result of a mis- (or un-) informed person. Tim did a much better job on his mention of SNAC in the <a class="offsite-link-inline" href="http://www.networkworld.com/newsletters/vpn/2008/060208nac1.html?nladname=060308security:networkaccesscontrolal&code=nlnac141990" target="_blank">NWW blog</a>, but all the dots still aren&#8217;t connected. It proves the point that sometimes we (as bloggers) tend to write based on a feeling and sometimes don&#8217;t dig for the fact. </p><p>So, in an effort to make sure I understood this new peer-based NAC, I reached out to <a class="offsite-link-inline" href="http://www.linkedin.com/pub/0/67/617" target="_blank">Patrick Wheeler</a>, Symantec&#8217;s Senior Product Manager for Network and Endpoint Security. Based on my conversations with him, and a pretty detailed investigation into the options and configurations of their NAC products, I have some slightly more informed opinion to share with you now. </p><p><strong>Symantec has a variety of NAC enforcement components and options</strong>. I&#8217;m going to keep all the software-type-stuff out of this conversation for the time being. 
They have (among other things) the <strong>NAC Enforcer</strong>, an appliance similar to the other NAC controllers we see from traditional hardware vendors. Just like its counterparts, Symantec&#8217;s NAC Enforcer can be configured for DHCP, inline or 802.1X based enforcement. </p><p>The piece that&#8217;s different is the integration of the NAC Enforcer with Symantec&#8217;s Endpoint Protection Manager server that hosts the policies for the NAC. It&#8217;s similar to the management-enforcement configuration we see from other vendors, only the management piece is housed on a server instead of another appliance. </p><p><span class="full-image-float-right"><img style="width: 343px; height: 197px" alt="SNAC_snippit1b.jpg" src="http://www.securityuncorked.com/storage/SNAC_snippit1b.jpg?__SQUARESPACE_CACHEVERSION=1214796728100" /></span>And, just as other vendors offer some type of endpoint integrity agent, the Symantec agent comes in the form of the Symantec NAC Client, which can be used by itself, or integrated with the Symantec Endpoint Protection Client for an even more robust feature-set. (The Endpoint Protection Client offers some additional host-based firewall features that the NAC can leverage). </p><p><strong>So, what about the Peer-Based NAC?</strong> Ah, well that&#8217;s just the first iteration&nbsp;of a &#8216;vision&#8217; to address mobile corporate users. If employees have laptops in an ad-hoc situation outside of the enterprise infrastructure (and therefore, outside of&nbsp;enterprise enforcement), then the peer-based NAC can port the enforcement rules set at the &#8216;mothership&#8217; and enforce them individually.&nbsp;The peer-based NAC can protect mobile assets in their most vulnerable situation, outside the security of the corporate network. But, the rules are still set centrally and the peer-based NAC&nbsp;was designed to be&nbsp;just one step towards an added layer of protection, not as a replacement for network-based NAC. 
</p><p><strong>For now, I&#8217;ll stay off the hate train</strong>, since the peer-based NAC is more of a supplement to a more robust traditional NAC solution. If they move to a fully-host-enforced product, I&#8217;ll buy my tickets&#8230;</p><p><span class="sizeLess20">Image shown is copyright of Symantec Corporation.</span> </p>
]]></content:encoded>
      <pubDate>Sun, 29 Jun 2008 23:33:00 +0000</pubDate>
      <category domain="http://securityratty.com/tag/nac">nac</category>
      <category domain="http://securityratty.com/tag/nac enforcement components">nac enforcement components</category>
      <category domain="http://securityratty.com/tag/nac controllers">nac controllers</category>
      <category domain="http://securityratty.com/tag/nac products">nac products</category>
      <category domain="http://securityratty.com/tag/nac enforcer">nac enforcer</category>
      <category domain="http://securityratty.com/tag/symantecs nac enforcer">symantecs nac enforcer</category>
      <category domain="http://securityratty.com/tag/symantec">symantec</category>
      <category domain="http://securityratty.com/tag/symantec nac client">symantec nac client</category>
      <category domain="http://securityratty.com/tag/symantec corporation">symantec corporation</category>
      <source url="http://www.securityuncorked.com/security-uncorked/2008/6/30/symantecs-network-based-nac.html">Symantec's Network-Based NAC</source>
    </item>
    <item>
      <title><![CDATA[New Global Refurbishment Programs]]></title>
      <link>http://securityratty.com/article/ef38904c2f10b2a884c27963e792a3d6</link>
      <guid>http://securityratty.com/article/ef38904c2f10b2a884c27963e792a3d6</guid>
      <description><![CDATA[A new program is starting in Uganda to refurbish and resell old computers the first world no longer wants, funded by Microsoft and the United Nations Industrial Development Organization. From Ars...]]></description>
      <content:encoded><![CDATA[<p>A new program is starting in Uganda to refurbish and resell old computers the first world no longer wants, funded by Microsoft and the United Nations Industrial Development Organization. From <a rel="nofollow" target="_blank" href="http://arstechnica.com/news.ars/post/20080616-un-microsoft-initiative-give-old-pcs-new-life-in-uganda.html">Ars Technica</a>:</p>
<blockquote><p>The center will have the capacity to handle 10,000 computers a year, and the machines that are salvageable will be resold for the local equivalent of $175, about a third of the cost of new computers there. When a computer is deemed past the point of rescue, the centers are capable of recycling the components. RAM chips will be reused, metal and other valuable components recycled, and toxic substances handled safely.</p></blockquote>
<p>Neat, this sounds like a good alternative and supplement to programs like the OLPC. There is a lot of toxic waste out there, but a lot of computers that we get rid of because they&#8217;re no longer good enough for our datacenters can still be useful to others, especially in the third world.</p>]]></content:encoded>
      <pubDate>Mon, 16 Jun 2008 15:13:58 +0000</pubDate>
      <category domain="http://securityratty.com/tag/computers">computers</category>
      <category domain="http://securityratty.com/tag/components">components</category>
      <category domain="http://securityratty.com/tag/valuable components">valuable components</category>
      <category domain="http://securityratty.com/tag/local equivalent">local equivalent</category>
      <category domain="http://securityratty.com/tag/ram chips">ram chips</category>
      <category domain="http://securityratty.com/tag/ars technica">ars technica</category>
      <category domain="http://securityratty.com/tag/lot">lot</category>
      <category domain="http://securityratty.com/tag/world">world</category>
      <category domain="http://securityratty.com/tag/programs">programs</category>
      <source url="http://feeds.feedburner.com/~r/itsecurity/~3/313469032/">New Global Refurbishment Programs</source>
    </item>
    <item>
      <title><![CDATA[Wee-Fi: It's Catchup Time: O2 Adds Wi-Fi for iPhone Plan, SanDisk Buys MusicGremlin, Zyxel Offers Phone-Home Wi-Fi Camera]]></title>
      <link>http://securityratty.com/article/236ad653d83ab9f5663aabaab641864b</link>
      <guid>http://securityratty.com/article/236ad653d83ab9f5663aabaab641864b</guid>
      <description><![CDATA[I apologize for the following deluge of Wi-Fi items, but I'm catching up after Apple's major product announcement on Monday: I was in San Francisco for the day, a neat trick from Seattle, and was able...]]></description>
      <content:encoded><![CDATA[<p><img src="http://wifinetnews.com/images/weefi.jpg" align="right" border="0" hspace="5" /><strong>I apologize for the following deluge of Wi-Fi items, but I'm catching up after Apple's major product announcement on Monday:</strong> I was in San Francisco for the day, a neat trick from Seattle, and was able to see the Wi-Fi signal at one station on BART ride from SFO to the Moscone Center in the SoMa district of San Francisco. A loaner EVDO modem from Sprint came through during my keynote note taking and reporter with a consistent Internet connection and very little battery drain on my MacBook. Here's what I missed during my trip, recovery, and catch-up these last three days.</p>

<p><a href="http://www.macworld.com/article/133890/2008/06/o2_wifi.html"><strong>O2 will offer iPhone 3G for free along with extensive Wi-Fi coverage:</strong></a> AT&T may still be sorting out how Wi-Fi service will be included in its cell plans, but O2 had already provided free Wi-Fi to supplement scanty EDGE service in the UK. The new iPhone 3G will be offered fully subsidized to subscribers of &pound;45 or higher tariffed services, along with 9,500 hotspots through BT OpenZone and The Cloud.</p>

<p><a href="http://www.billboard.biz/bbbiz/content_display/industry/e3i3a46d63363347f03d3ce19e2d565f3b9"><strong>SanDisk buys MusicGremlin:</strong></a> The innovative Wi-Fi-enabled music player was and remains far in advance of the features found in the iPod touch, iPhone, and Zune, but the company behind the product couldn't get a fire lit under it. Sales figures were never disclosed, but it's never been on the list of top-selling players in the market. SanDisk's acquisition will shut down the product and its music service, but it will absorb the people and technology. I met with the founders of the company many years ago, and was impressed by how far ahead they were of everyone in the industry. </p>

<p><a href="http://www.businesswire.com/portal/site/google/?ndmViewId=news_view&newsId=20080611005395&newsLang=en"><strong>Zyxel introduces VOIP-connected Wi-Fi camera:</strong></a> I think they threw a bunch of buzzwords into a blender, but it's rather clever. The camera connects to a network via Wi-Fi, and has SIP (Session Initiation Protocol) embedded. SIP is used for VoIP and as part of gatewaying Internet telephony. The V750W gets its own phone number, and can be controlled remotely through either a real phone using the public telephone network, or a soft phone using SIP. It's being resold, not sold to consumers directly, as a monitoring tool. It includes two-way audio. The camera can also place a phone call if an intruder monitor is tripped. Why not just give it an IP address like other such cameras? SIP, if implemented correctly, can traverse private networks' NAT (Network Address Translation) gateway limits. </p>]]></content:encoded>
      <pubDate>Wed, 11 Jun 2008 10:34:38 +0000</pubDate>
      <category domain="http://securityratty.com/tag/wi-fi">wi-fi</category>
      <category domain="http://securityratty.com/tag/wi-fi camera">wi-fi camera</category>
      <category domain="http://securityratty.com/tag/phone">phone</category>
      <category domain="http://securityratty.com/tag/wi-fi signal">wi-fi signal</category>
      <category domain="http://securityratty.com/tag/camera">camera</category>
      <category domain="http://securityratty.com/tag/wi-fi service">wi-fi service</category>
      <category domain="http://securityratty.com/tag/free wi-fi">free wi-fi</category>
      <category domain="http://securityratty.com/tag/free">free</category>
      <category domain="http://securityratty.com/tag/sandisk buys musicgremlin">sandisk buys musicgremlin</category>
      <source url="http://wifinetnews.com/archives/008354.html">Wee-Fi: It's Catchup Time: O2 Adds Wi-Fi for iPhone Plan, SanDisk Buys MusicGremlin, Zyxel Offers Phone-Home Wi-Fi Camera</source>
    </item>
    <item>
      <title><![CDATA[Dynamic vulnerability assessment]]></title>
      <link>http://securityratty.com/article/309d2a70126b92b32ee6bbcdc8526758</link>
      <guid>http://securityratty.com/article/309d2a70126b92b32ee6bbcdc8526758</guid>
      <description><![CDATA[A few weeks ago I wrote about the current state of vulnerability assessment being like a parody of an Obama/Hillary commercial. Who answers the phone at 3am? For vulnerability assessment, the results...]]></description>
      <content:encoded><![CDATA[
<div xmlns="http://www.w3.org/1999/xhtml"><p>A few weeks ago <a href="http://www.stillsecureafteralltheseyears.com/ashimmy/2008/05/are-current-vul.html">I wrote</a> about the current state of vulnerability assessment being like a parody of an Obama/Hillary commercial.&nbsp; Who answers the phone at 3am?&nbsp; For vulnerability assessment, the results are only as good as who answers the scan.&nbsp; This has been a problem for security managers and vulnerability assessors for some time.&nbsp; Balancing scanning during prime time and impacting network performance versus scanning during down times when the devices you need to scan may not be available.</p>

<p>Today StillSecure <a href="http://stillsecure.com/news_events/prdetails.php?id=446">announced</a> our response to ending this problem. We call it Dynamic Vulnerability Assessment (DVA).&nbsp; With DVA you will have vulnerability and compliance data as of at least the last time a device logged on the network.&nbsp; This closes the loophole and gives organizations a much more comprehensive and secure assessment of who is on the network and what they look like.</p>

<p>To accomplish this we are using some of our NAC technology from Safe Access. This allows us to detect devices as they come on the network. We can also use the purpose built Safe Access testing engine to do deep compliance checks to supplement the traditional vulnerability checks.&nbsp; We think this is a big step up in vulnerability assessment and management.&nbsp; Am interested in what others think.</p></div>
]]></content:encoded>
      <pubDate>Mon, 09 Jun 2008 08:38:11 +0000</pubDate>
      <category domain="http://securityratty.com/tag/vulnerability">vulnerability</category>
      <category domain="http://securityratty.com/tag/vulnerability assessment">vulnerability assessment</category>
      <category domain="http://securityratty.com/tag/dynamic vulnerability assessment">dynamic vulnerability assessment</category>
      <category domain="http://securityratty.com/tag/tradtional vulnerability checks">tradtional vulnerability checks</category>
      <category domain="http://securityratty.com/tag/network">network</category>
      <category domain="http://securityratty.com/tag/network performance versus">network performance versus</category>
      <category domain="http://securityratty.com/tag/safe access">safe access</category>
      <category domain="http://securityratty.com/tag/prime time">prime time</category>
      <category domain="http://securityratty.com/tag/time">time</category>
      <source url="http://www.stillsecureafteralltheseyears.com/ashimmy/2008/06/dynamic-vulnera.html">Dynamic vulnerability assessment</source>
    </item>
    <item>
      <title><![CDATA[Dynamic vulnerability assessment]]></title>
      <link>http://securityratty.com/article/bb77e1c8113060b122c368b2e0250f98</link>
      <guid>http://securityratty.com/article/bb77e1c8113060b122c368b2e0250f98</guid>
      <description><![CDATA[A few weeks ago I wrote about the current state of vulnerability assessment being like a parody of an Obama/Hillary commercial. Who answers the phone at 3am? For vulnerability assessment, the results...]]></description>
      <content:encoded><![CDATA[
<div xmlns="http://www.w3.org/1999/xhtml"><p>A few weeks ago <a href="http://www.stillsecureafteralltheseyears.com/ashimmy/2008/05/are-current-vul.html">I wrote</a> about the current state of vulnerability assessment being like a parody of an Obama/Hillary commercial.&nbsp; Who answers the phone at 3am?&nbsp; For vulnerability assessment, the results are only as good as who answers the scan.&nbsp; This has been a problem for security managers and vulnerability assessors for some time.&nbsp; Balancing scanning during prime time and impacting network performance versus scanning during down times when the devices you need to scan may not be available.</p>

<p>Today StillSecure <a href="http://stillsecure.com/news_events/prdetails.php?id=446">announced</a> our response to ending this problem. We call it Dynamic Vulnerability Assessment (DVA).&nbsp; With DVA you will have vulnerability and compliance data as of at least the last time a device logged on the network.&nbsp; This closes the loophole and gives organizations a much more comprehensive and secure assessment of who is on the network and what they look like.</p>

<p>To accomplish this we are using some of our NAC technology from Safe Access. This allows us to detect devices as they come on the network. We can also use the purpose-built Safe Access testing engine to do deep compliance checks to supplement the traditional vulnerability checks.&nbsp; We think this is a big step up in vulnerability assessment and management.&nbsp; Am interested in what others think.</p>

</div>
]]></content:encoded>
      <pubDate>Mon, 09 Jun 2008 07:38:11 +0000</pubDate>
      <category domain="http://securityratty.com/tag/vulnerability">vulnerability</category>
      <category domain="http://securityratty.com/tag/vulnerability assessment">vulnerability assessment</category>
      <category domain="http://securityratty.com/tag/tradtional vulnerability checks">tradtional vulnerability checks</category>
      <category domain="http://securityratty.com/tag/dynamic vulnerability assessment">dynamic vulnerability assessment</category>
      <category domain="http://securityratty.com/tag/vulnerability management">vulnerability management</category>
      <category domain="http://securityratty.com/tag/network">network</category>
      <category domain="http://securityratty.com/tag/network performance versus">network performance versus</category>
      <category domain="http://securityratty.com/tag/safe access">safe access</category>
      <category domain="http://securityratty.com/tag/prime time">prime time</category>
      <source url="http://feeds.feedburner.com/~r/StillsecureAfterAllTheseYears/~3/308139432/dynamic-vulnera.html">Dynamic vulnerability assessment</source>
    </item>
    <item>
      <title><![CDATA[Wee-Fi: Fon Founder Profiled; Creative No-Fi; Inspiair Physics-Fi; Foster City-Fi]]></title>
      <link>http://securityratty.com/article/7c689acdaa0b06e35c670e5c7b48b2ce</link>
      <guid>http://securityratty.com/article/7c689acdaa0b06e35c670e5c7b48b2ce</guid>
      <description><![CDATA[Profile of Fon founder and his plans for future in the New York Times: The head Fonero, Martin Varsavsky, gets a write-up from a confab he put together and hosted at his vacation home on Menorca....]]></description>
      <content:encoded><![CDATA[<p><img src="http://wifinetnews.com/images/weefi.jpg" align="right" border="0" hspace="5" /><a href="http://www.nytimes.com/2008/05/25/technology/25web.html?pagewanted=1&_r=2&hp"><strong>Profile of Fon founder and his plans for future in the New York Times:</strong></a> The head Fonero, Martin Varsavsky, gets a write-up from a confab he put together and hosted at his vacation home on Menorca. Varsavsky is nothing but interesting, something I've heard from everyone who has met or had business dealings with him, and this article partly details his upstart challenge and the shifting focus at Fon. I've been saying for a long time that Fon locations may be numerous and require no coordination for their growth, but only locations convenient to frequent use would have a real impact, such as in retail locations. John Markoff notes that Fon has simplified its roaming model--non-Foneros pay, Foneros don't--and that Varsavsky is now focused on bigger wins, like Fon's Time-Warner and BT deals. Markoff also gets the detail that Fon is losing &euro;500,000 a month down from &euro;1m per month. Varsavsky is interested in WiMax to supplement Wi-Fi, but I can't see any model in which the frequencies useful for WiMax will be widely available enough for this kind of roaming system.</p>

<p><a href="http://www.electronista.com/articles/08/05/27/zen.share.scrapped/"><strong>Creative drops Wi-Fi music player:</strong></a> The formerly leading portable music player firm, before Apple and Microsoft entered the biz, confirmed a report that the Zen Share existed, but that the company chose to drop that Wi-Fi-enabled player. An under-wraps player may appear in about two months that could include Wi-Fi--the name Zen X-Fi could be revealing or not, as X-Fi is an audio-processing technology.</p>

<p><a href="http://www.techworld.com/news/index.cfm?RSS&NewsID=101590"><strong>Inspiair's physics-defying technology sold, relabeled Max-Fi:</strong></a> I express my doubts about the combination of marketing promises, including area covered, low latency, and speed, and the collision of those promises with the laws of physics as well as regulatory issues. The lack of sales, noted in the article, tends to confirm my opinion, which is precisely what happened with Vivato after early positive response led to devices being built that couldn't meet the mark. Current claims are 30 sq km with 14 access points for outdoor coverage at the port of Antwerp, a network that's in a test. I <a href="http://wifinetnews.com/archives/006926.html"><strong>wrote about Inspiair back in 2006</strong></a>. </p>

<p><a href="http://www.examiner.com/a-1407228~City_won_t_foster_free_Net_access.html?cid=rss-San_Francisco"><strong>Foster City, Calif., turns down MetroFi equipment offer:</strong></a> The city decided against paying $200,000 for MetroFi's gear, which serves about 1,500 people a month, partly because yearly operations would top $125,000.</p>]]></content:encoded>
      <pubDate>Tue, 27 May 2008 09:17:25 +0000</pubDate>
      <category domain="http://securityratty.com/tag/fon">fon</category>
      <category domain="http://securityratty.com/tag/fon founder">fon founder</category>
      <category domain="http://securityratty.com/tag/foster city">foster city</category>
      <category domain="http://securityratty.com/tag/fon locations">fon locations</category>
      <category domain="http://securityratty.com/tag/city">city</category>
      <category domain="http://securityratty.com/tag/martin varsavsky">martin varsavsky</category>
      <category domain="http://securityratty.com/tag/varsavsky">varsavsky</category>
      <category domain="http://securityratty.com/tag/article">article</category>
      <category domain="http://securityratty.com/tag/article partly details">article partly details</category>
      <source url="http://wifinetnews.com/archives/008331.html">Wee-Fi: Fon Founder Profiled; Creative No-Fi; Inspiair Physics-Fi; Foster City-Fi</source>
    </item>
    <item>
      <title><![CDATA[Are current vulnerability and compliance testing tools like answering the phone at 3am?]]></title>
      <link>http://securityratty.com/article/6654f6456677a336f8a4941afb4009d8</link>
      <guid>http://securityratty.com/article/6654f6456677a336f8a4941afb4009d8</guid>
      <description><![CDATA[I was at a meeting for a potentially large customer engagement for vulnerability assessment and compliance testing last week. The requirements for this customer were not unusual. They wanted to test...]]></description>
      <content:encoded><![CDATA[
<div xmlns="http://www.w3.org/1999/xhtml"><p>I was at a meeting for a potentially large customer engagement for vulnerability assessment and compliance testing last week.&nbsp; The requirements for this customer were not unusual. They wanted to test for conventional CVE type vulnerabilities. Additionally, they also wanted to test for configuration compliance. Hotfixes, patch level, AV, etc.&nbsp; This direction is where a lot of the traditional vulnerability management solutions have been heading.&nbsp; Whether adding a separate compliance module or audit and local check capability, most of the traditional vulnerability scanning solutions offer some coverage in this area.&nbsp; However, in speaking to this potential customer and in thinking about their needs, an inherent problem with this solution is that it is only as good as the devices that are available on the network when the scan takes place.</p> <p>In traditional vulnerability scanning, <u>when</u> the scan takes place was not as much of an issue, usually you are scanning servers and other devices that are on the network 24/7. In fact doing the scans during off hours was usually preferred. Too many of the network based vulnerability scanners took up too much bandwidth and other resources to accomplish during the prime time hours of the day. 
In compliance scanning though, you need the status of laptops, desktops and other devices that may not be connected to the network 24/7.&nbsp; Therefore it is important to reach and test these devices when they are on the network.&nbsp; That is the rub.&nbsp; How do you really make sure the devices connecting to your network are compliant if you are only testing them at a point in time and that usually at an off hour?</p> <p>This problem reminded me of the Clinton-Obama flap over who answers the phone at the White House at 3am.&nbsp; That is an important question for who is president, but for compliance answering the phone when someone is there to talk to is more important.&nbsp; I think this is where NAC provides an advantage.&nbsp; By utilizing NAC to detect devices coming on the network and then using a low impact compliance test as well as traditional vulnerability scanning, you get a picture of vulnerability posture and compliance status as of the last time they accessed the network. You can still do follow-on tests at any time you desire, but at least when a device is logging on you are sure of a test.</p> <p>Will NAC supplement vulnerability testing in this manner? I think so.&nbsp; Many customers we have spoken to about this like the idea of "scan on connect" and we have already enabled our own NAC product Safe Access and vulnerability management platform VAM to do this.&nbsp; What do you think?</p></div>

]]></content:encoded>
      <pubDate>Mon, 19 May 2008 19:16:18 +0000</pubDate>
      <category domain="http://securityratty.com/tag/compliance">compliance</category>
      <category domain="http://securityratty.com/tag/configuration compliance">configuration compliance</category>
      <category domain="http://securityratty.com/tag/compliance status">compliance status</category>
      <category domain="http://securityratty.com/tag/status">status</category>
      <category domain="http://securityratty.com/tag/prime time hours">prime time hours</category>
      <category domain="http://securityratty.com/tag/time">time</category>
      <category domain="http://securityratty.com/tag/network">network</category>
      <category domain="http://securityratty.com/tag/detect devices">detect devices</category>
      <category domain="http://securityratty.com/tag/devices">devices</category>
      <source url="http://feeds.feedburner.com/~r/StillsecureAfterAllTheseYears/~3/293979749/are-current-vul.html">Are current vulnerability and compliance testing tools like answering the phone at 3am?</source>
    </item>
    <item>
      <title><![CDATA[PCI 6.6 clarified]]></title>
      <link>http://securityratty.com/article/e65ec8e7e4fc95df4f49b597b1e8d236</link>
      <guid>http://securityratty.com/article/e65ec8e7e4fc95df4f49b597b1e8d236</guid>
      <description><![CDATA[Trey Ford has a good roundup of the new PCI 6.6 clarification in PCI 6.6 Information Supplement Released. All I have to say is well done to the PCI council! From my first pass it seems like it is...]]></description>
      <content:encoded><![CDATA[<p>Trey Ford has a good roundup of the new PCI 6.6 clarification in <a href="http://treyford.wordpress.com/2008/04/22/pci-66-information-supplement-released/">PCI 6.6 Information Supplement Released</a>. All I have to say is well done to the PCI council! From my first pass it seems like it is pretty clear AND they understand the issues organizations are facing. I have a few nits here and there, but it is 1000% better than it was before.</p>
<p>Post from: <a href="http://www.grumpysecurityguy.com">Grumpy Security Guy</a></p>
<p><a href="http://www.grumpysecurityguy.com/pci-66-clarified/">PCI 6.6 clarified</a></p>

]]></content:encoded>
      <pubDate>Tue, 22 Apr 2008 12:47:40 +0000</pubDate>
      <category domain="http://securityratty.com/tag/pci">pci</category>
      <category domain="http://securityratty.com/tag/pci council">pci council</category>
      <category domain="http://securityratty.com/tag/grumpy security guy">grumpy security guy</category>
      <category domain="http://securityratty.com/tag/issues organizations">issues organizations</category>
      <category domain="http://securityratty.com/tag/information supplement">information supplement</category>
      <category domain="http://securityratty.com/tag/trey ford">trey ford</category>
      <category domain="http://securityratty.com/tag/posts">posts</category>
      <category domain="http://securityratty.com/tag/pass">pass</category>
      <category domain="http://securityratty.com/tag/post">post</category>
      <source url="http://feeds.feedburner.com/~r/GrumpySecurityGuy/~3/275521044/">PCI 6.6 clarified</source>
    </item>
  </channel>
</rss>
