Tag Archives: Zeus

New IRC/HTTP based DDoS bot wipes out competing malware

Posted on by

By Dancho Danchev

Everyday, new vendors offering malicious software enter the underground marketplace. And although many will fail to differentiate their underground market proposition in market crowded with reputable, trusted and verified sellers, others will quickly build their reputation on the basis of their “innovative” work, potentially stealing some market share and becoming rich by offering the tools necessary to facilitate cybercrime.

Publicly announced in late 2012, the IRC/HTTP based DDoS bot that I’ll profile in this post has been under constant development. From its initial IRC-based version, the bot has evolved into a HTTP-based one, supporting 10 different DDoS attack techniques as well as possessing a featuring allowing it to heuristically and proactively remove competing malware on the affected hosts, such as, for instance, ZeuS, Citadel or SpyEye.

More details:

Continue reading

New ZeuS source code based rootkit available for purchase on the underground market

Posted on by

By Dancho Danchev

We have recently spotted a new underground market ad, featuring a new commercially available malware bot+rootkit based on the ZeuS crimeware’s leaked source code. According to its author, the modular nature of the bot, allows him to keep coming up with new plugins, resulting in systematic “innovation” and the introduction of new features.

What’s the long-term potential of this malware bot with rootkit functionality? Does it have the capacity to challenge the market leading malware bot families? What are some of the features that differentiate it from the rest of competing bots currently in the wild? What’s the price of the bot, and what are the prices for the separate plugins available for purchase? Let’s find out.

More details:

Continue reading

Outdated Operating System? This BlackHole Exploit Kit has you in its sights

Posted on by

By Mike Johnson

Several weeks back, I was presented with a group of snapshots from an active BlackHole Exploit Kit 1.2 Control Panel.

As with other toolkits I’ve seen in the wild, this one has all the makings of some real bad medicine. The authors have yet again gone to the trouble of making this toolkit incredibly easy to use and widely available for a price. Just a little unsavory web hosting in a country with few or no diplomatic relations and off to the races they go.

It appears this toolkit is configurable in both Russian and English, making one wonder its true origins.

I’ve slowly tracked URLs accompanying this toolkit and watched it dish out some very widely undetected malware, such as:

Information Stealing/Banking Trojans:
SpyEye
Zeus
Carberp
Mebroot Rootkit

Another more popular rootkit we’re seeing very widely on the Webroot realtime watch is: vSirefef.B/Zero-Access.

BlackHole toolkit preys on only two items in a user’s machine:

1) Unpatched operating system exploits

2) Internet browsers, add-in and plugin exploits such as Adobe and Java Software

Here are some of the known exploits the kit can execute on a victim’s machines.

Windows Operating Systems:
CVE-2010-1885 HCP (Microsoft Windows Help and Support Center in Windows XP and Windows Server 2003)

http://technet.microsoft.com/en-us/security/bulletin/MS10-042

CVE-2006-0003 IE MDAC

http://technet.microsoft.com/en-us/security/bulletin/ms06-014

Adobe Software:
CVE-2008-2992 Adobe Reader util.printf
CVE-2009-0927 Adobe Reader Collab GetIcon
CVE-2007-5659 Adobe Reader CollectEmailInfo

Java Software:
CVE-2009-1671 Java buffer overflows in the Deployment Toolkit ActiveX control in deploytk.dll
CVE-2010-0840 Java trusted Methods Chaining Remote Code Execution Vulnerability
CVE-2010-0842 Java JRE MixerSequencer Invalid Array Index Remote Code Execution Vulnerability
CVE-2010-0886 Java Unspecified vulnerability in the Java Deployment Toolkit component in Oracle Java SE
CVE-2010-1423 Java argument injection vulnerability in the URI handler in Java NPAPI plugin

The basic view the bot controller has is of the statistics page, which should indicate why I listed some of the expoits this toolkit is using. Not surprisingly, for as young as the kit is, you can see that both the Java and Adobe softwares are exploited far more than any others.

I’m sure some think they are safe using a browser other than Internet Explorer but it appears from this image there isn’t alot of difference in how this toolkit has  behaved between the three browsers it’s touched.

As the authors have made this toolkit easy to use, they have also made it easy to maintain a low detection rate on the binaries by using an antivirus scanning service which does not share any binaries collected with the AV industry.

The easy-to-read statistics page make it simple for the controller to view and monitor how well or poor the current bot is doing – how many operating systems it’s infected, what type of operating systems were infected, and in which countries they’re located.

Continue reading

A look inside the SpyEye Trojan admin console

Posted on by

By Michael Johnson

At Webroot we’ve been researching and chronicling developments with SpyEye since we first saw it in April 2010. This nasty Trojan is the successor to the Zeus Trojan, and it became essentially the main rootkit available for sale after the author of ZeuS left the underground market and sold ZeuS sources to the SpyEye team.

Over the last six months, through Webroot’s real-time watch technology and through my own adventures hunting malware proactively in my spare time, I’ve noticed an extreme escalation of SpyEye infections.

Last week I came across a URL for a password-protected site and at first didn’t think very much of it. But once I logged in, I realized I was on the administrator’s page of a SpyEye Panel, with what appeared to be full access. The administration panel was so easy to run, a fifth grader could do it.

At first glance, there were about 3,000 bots with approximately 600 active at the moment I was looking. The site was moved four days later which at that point, the number of bots was quickly approaching 10,000.

Now some of this is started to make sense. The authors of SpyEye have made it so simple to operate and  in case of any trouble, apparently provide support promptly. Their selling points are working quite effectively and a lot of the wrong type of people are able to acquire the builders, Command and Control Servers for a small amount of money.

Taking a look at some of the screenshots, it doesn’t look very nice from any view.

Continue reading

Phishers Want You to Have a Coke and a Drive-by

Posted on by

By Andrew Brandt

Add to FacebookAdd to DiggAdd to Del.icio.usAdd to StumbleuponAdd to RedditAdd to BlinklistAdd to TwitterAdd to TechnoratiAdd to Yahoo BuzzAdd to Newsvine

As recently as a few months ago, malware distributors went to what looked like great lengths to craft complex, sophisticated Web pages designed to trick visitors into believing they were visiting a page with an embedded video and — oops! — you need to update your copy of Adobe Flash in order to view it.

Well, those days of hard work seem to have faded into memory. All we’re left now is this.

In a recent attack that came to my attention, the guys behind the attack didn’t bother to build a sophisticated Web page. Well, nothing along the lines of pages we’ve seen before, with cool graphics, slick design, or interesting programming. In fact, they hardly built a Web page at all.

In this case, the unknown person or people created an HTML file that loads someone else’s graphic, which happens to be a warning about an outdated version of Flash, that is located elsewhere. Specifically, they load a graphic that just happens to be hosted on the Coca-Cola company‘s Web server. This isn’t a site hack against the Coke people — the graphic is probably legitimate, considering how Flash-heavy the Website is — just an example of how pathologically lazy or incompetent some malware distributors can be.

Continue reading

Keylogger Poses as Document from Spain’s Central Bank

Posted on by

By Andrew Brandt

Add to FacebookAdd to DiggAdd to Del.icio.usAdd to StumbleuponAdd to RedditAdd to BlinklistAdd to TwitterAdd to TechnoratiAdd to FurlAdd to Newsvine

An attempt to push down the Trojan-Backdoor-Zbot password thief to Spaniards may signal a new wave of attacks by a crew of attackers who spent the better part of 2009 trying to convince gullible Internet users in different countries to download and execute Zbot installers poorly disguised as transaction records or other important financial documents.

A bogus Banco de España (BdE) Web site came and went quickly last week, but not before we took a deep dive and came up with a mouthful of malware. Believe me, it tasted terrible.

The page, designed to mimic closely the appearance of the Spanish central bank’s Web site, was very much a clone of the previous fake-bank pages used to foist Zbot onto victims.

Previous campaigns of this type targeted, primarily, North American victims by spoofing the Web sites belonging to Visa, Bank of America, the FDIC, the American Bankers Association, NACHA, the IRS (and its equivalent British tax authority), as well as Amazon.com, iTunes, Facebook, MySpace, AOL, the Centers for Disease Control and Prevention, and many others.

Continue reading

“Shipping Confirmation” Malware on the Rise

Posted on by

By Andrew Brandt

Add to FacebookAdd to DiggAdd to Del.icio.usAdd to StumbleuponAdd to RedditAdd to BlinklistAdd to TwitterAdd to TechnoratiAdd to FurlAdd to Newsvine

fraudemail_cropAs autumn approaches, the world typically sees an increase in the number of online shopping trips, as people take advantage of bargains from late-year sales, and prepare for various holidays. And, right on cue, we’re also seeing an increase in the number of Trojans distributed in the guise of “shipping confirmation” email messages. And these Trojans are packing a triple threat of backdoors designed to steal logins and take command of infected PCs.

The Trojan arrives attached to a vaguely-worded email message thanking the recipient for their order of a high-ticket item. Previous versions of this same kind of message were crafted as though the message source was one of the major shippers, such as FedEx, UPS, DHL, or the US Postal Service, and the message (purportedly) contains tracking information.

fraudemail_fileBut these new versions appear to come directly from an online retailer, with attached files in the form of a zip archive containing an executable with an icon that makes it look like an Office document, such as an Excel spreadsheet. These email messages also imply that the document contains tracking information, but they give the user an extra nudge to open the file by telling the user to “print the label to get your package.”

Um, wait, what? Why would I need to print a label to receive a package? That makes no sense whatsoever. Do the malware authors think we’re dumb, or what? No, don’t answer that, because we’re not dumb. They’re using psychology against us.

Continue reading