Tuesday, February 03, 2009

Crimeware in the Middle - Adrenalin

What is Adrenalin? Adrenalin is an alternative to the Zeus crimeware kit that never actually managed to scale the way Zeus did. Following recently leaked copies of what is originally costing a hefty $3000, crimeware kit Adrenalin, it's time to profile the kit, discuss its key differentiation factors from Zeus, and emphasize on why despite the fact that it leaked, the kit is not going to take any of Zeus-es market share. At least not in its current form.

In the spirit of the emerging copycat web malware exploitation kits, Adrenalin too, isn't coded from scratch, but appears that -- at least according to cybercriminals questioning its authenticity on their way to secure a bargain deal when purchasing it -- Adrenalin is using portions of Corpse's original A-311 release.

Adrenalin's description and features :
"Injections system - inserting html / javascript code in the page / files / javascript or substitution of one code by another injection occurs in the stream mode, ie the modified page is loaded at once!
(not as in the other BHO based trojans with insertions only after the full load the page (causing javascript problems) or limiting the impact (if for instance the user is on a mobile device connection). In our implementation, all works quickly and efficiently!

- The collection of pieces of text from the html pages, as one of the modes of operation injector (balance, etc ..)

- Ftp grabbing - sniffer handles traffic and rip out from access to FTP. All of this is going in an easy to read and process the form

- Collector of certificates. Pulling out of all installed certificates including attempts to commit, and certificates that are marked as uncrackable. Certificates neatly stored for each individual bot.

- Page redirector. allows you to replace a page or separate framing in the network. everything is done completely unnoticed. substitution of the content occurs in the interior windsurfing, and even then the browser and any special lotion can be confident that is what you want.

- Domain redirector. forwards all requests from the original site on the fake. address bar, and all references point to the original course can also be used to block access to certain sites

- Universal form grabbing puller forms, can strip the data from the virtual keyboard these forms can rip off, even with not fully loaded pages. As distinguished from the other crimeware kits working through the tracking of users clicking buttons / links it intercepts the data has already been formed, which can be seen in the log. Data can be collected all the running, and keyword (filter)
to delete the logs; noise over debris to chat and not necessary for the work sites.

All data are transmitted in encrypted form, which is important to bypass the protection, like for instance ZoneAlarm's ID Lock. Undoubted advantage is also that the logs are sent instantly - in parallel with the data sent to the original site. No need to worry that the victim will go into an offline and accumulated locally log form grabbing are not able to send.

- Screenshots at the address
- TAN grabbing. The technology allows to effectively collect workers TANs
- Periodic cleaning of cookies/flashcookie.
- Grabbing around-the-forms words (without adjustment - Adrenalin defines its own algorithm that it must be collected. algorithm Improved!)
- The collection of passwords,  for instance Protected Storage (IE auto complete, protected sites, outlook)
- Classic keylogger
- Cleaning system from BHO trojans, advertising panels and other debris. As is well known - are less vulnerable machines, and want to put on something more. Cleaning system greatly increases the chances of survival
- Anti-Anti Rootkit mechanisms
- Work on the system without the EXE file
- User-friendly format logs! Forget the piles of files stupid!
- Socks4 / 5 + http (s) proxy server enabled on the infected host
- Shell + Backshell enabled on the infected host
- Socks admin
- Management of each bot individually, or simultaneously (Downloading files, updating settings, etc.)
- Requires PHP on the web based command and control host
- Ability to output commands (including downloads), taking into account the country's bot (function as a resident loader statistically for programs) - and other small pleasures"

Without the web injection and the TAN grabbing ability, Adrenalin is your typical malware kit, whose only differentiation factor would have been the customer support in the form of the managed undetected malware binaries that naturally comes with it. However, it's TAN grabbing ability, proprietary collection of data "around the forms", stripping content from virtual keyboards and automatic certificates collection on per host basis, and its ability to clean the system from competing BHO-based trojans, make it special.

How do you actually measure the popularity of crimeware kit? Based on the the market share of the crime kit, or based on another benchmark? It's all a matter a perspective and a quantitative/qualitative approach. For instance, I can easily argue that if the very same community was build around Adrenalin the way it was built around Zeus making the original Zeus release looks like an amateur-ish release, perhaps Adrenalin would have scaled pretty fast. Some of the community improvements include :

- Modified Zeus Crimeware Kit Comes With Built-in MP3 Player
- Modified Zeus Crimeware Kit Gets a Performance Boost
- Zeus Crimeware Kit Gets a Carding Layout

For the time being, the innovation or user-friendly features boosting the popularity of Zeus come from the third-party coders improving the original Zeus release. Moreover, not only are they improving it, they're also looking for vulnerabilities within the different releases, and actually finding some. What does this mean? It means that we have clear evidence of crimeware monoculture, with a single kit maintaining the largest market share.

With the cybercrime ecosystem clearly embracing the outsourcing concept for a while, it shouldn't come as a surprise, that botnets running the Zeus crimeware are offered for rent at such cheap rates that purchasing the kit and putting efforts into aggregating the botnet may seem a pointless endeavor in the eyes of a prospective cybercriminal, even an experienced one interested in milking inexperienced cybercriminals not knowing the real value of what they're doing.

Moreover, speaking of monetization, the attached screenshots represent a very decent example of monetizing the reconaissance process of E-banking authentication that cybercriminals or vendors of crimeware services undertake in order to come up with the modules targeting the financial institutions of a particular country. Is this monetization just "monetization of what used to be a commodity good/service" as usual taking into consideration this overall trend, or perhaps there's another reason for monetizing snapshots of E-banking authentication activities in order to later on achieve efficiency in the process of abusing them? But of course there is, and in that case it's the fact that no matter that a potential cybercriminal has obtained access to a crimeware kit, its database of injects is outdated and therefore a new one has to be either built or purchased.

With Adrenalin now leaked to the general script kiddies and wannabe cybercriminals, it's only a matter of time until a community is build around it, one that would inevitably increase is popularity and prompt others to introduce new features within the kit.

Related posts:
Targeted Spamming of Bankers Malware
Localized Bankers Malware Campaign
Client Application for Secure E-banking?
Defeating Virtual Keyboards
PayPal's Security Key