Friday, February 23, 2007

The RootLauncher Kit

After providing more insights on the WebAttacker Toolkit and the Nuclear Grabber, in this post I'll discuss the RootLauncher, a release courtesy of the same group behind WebAttacker. Something else worth mentioning is that a large percentage of the sites I'm monitoring are starting to use authentication, and on a trust-basis login access, perhaps it's due to the enormous coverage recent "underground" releases, namely phishing kits etc. got in the mainstream media. Therefore I'm doing my best to get as much information -- and screenshots -- before it dissapears and will blog on these releases as soon as my schedule allows me to. For instance, several months ago you could easily see over 50 publicly available control panels for the WebAttacker toolkit, now there're only several available through Google. The same goes for RootLauncher.

The RootLauncher kit is advertised -- Rusian to English automatic translation -- as follows :

"Just, we can offer you 3-version - D o w n l o a d e r-designed RootLauncher for the hidden load arbitrary WIN32 Exe-faila from a remote resource, followed by the launch of the file on the local hard disk. Obhodit all protection is not determined by any AV-Do not see fairvollah - Flexible settings - Periodic updates and supplements may download up to five exe files. Our team is not at the same point and develops all bolshe-bolshe for you dear friends services available to them closer you will be able to on our official website. We are also looking for people interested in partnership with us."

And while it's supposed to be nothing more then an average downloader, these "average downloaders" are actually starting to standardize features in respect to statistics and compatibility with other toolkits and malicious software.

In a previous post at WebSense's blog, they came across a web panel showing that the "total number of unique launchers is 155" now count these as infected PCs, but as you can see in the image attached, the sample could be much larger. This one I obtained from the following URL : http://www.inthost7.com/cgi-bin/rleadmin.cgi which is of course down, but was listing 1013 launchers already, here's an analysis of this very same URL.

IP cloaking when browing such sites and forums is important in order for you to remain as anonymous as possible. If you're on a Russian site make sure you're a Russian domain, if you're on a Chinese site make sure you're a Chinese domain, and most importantly don't directly translate through Google or Altavista, but copy and paste what's interesting to you so that you wouldn't let someone wonder why would a Russian domain translates a Russian text to English. Imagine the situation where security vendors browse them through their securityvendor.com subdomains, the results will follow shortly -- everything dissapears.

In respect to the WebAttacker, the kit is still widely used but the people using and updating it are starting to prevent Google from crawling and caching the control panels, which makes it harder to keep track of the sites in an OSINT manner -- my modest honeyfarm keeps me informed on URLs of notice though. Here's one of the very few instances of a Web-Attacker Control Panel still available at Google. Here's an analysis of the source code of the Web-Attacker kit as well -- and I thought I'm going full disclosure. More details on various newly released packers, multi-exploit infection toolkits, and standardized statistics with all the screenshots I've managed to obtain will follow next week.

Taking into consideration the big picture -- like you should -- the release and automation of phishing/exploit kits and lowering the entry barriers for script kiddies to generate enough noise to keep the real puppet masters safe, or at lease secretly pull the strings. I'd rather we operate in the time when launching a phishing attack required much more resources than it requires today.