Thursday, March 19, 2009

Crimeware in the Middle - Limbo

While you were out: "Cybercrime-as-a-Service is finally taking off", and $400 will get you into the hacking business. Such a mentality reflects outdated situational awareness.

Cybercrime as a service originally started several years ago in the form of "value-added" post-purchase services: the now ubiquitous lower detection rate management for a malware binary, and anti-abuse domain hosting for the command and control interface. As for the $400 required as an entry barrier into cybercrime, it no longer exists. In reality, pirated copies of each and every web malware exploitation kit, including the proprietary crimeware kits, are becoming more widespread these days.

The cybercrime economy not only matured into a sophisticated services-driven marketplace a long time ago; nowadays we can also clearly see how standardizing the exploitation approach is inevitably resulting in efficiencies -- think web malware exploitation kits with diverse exploit sets and massive SQL injection attacks. The underground economy is in fact so vibrant that the existing monoculture on the crimeware front is already allowing cybercriminals to hijack the crimeware botnets of other cybercriminals who are unaware that they're running an outdated copy of their kit.

Following Zeus and Adrenalin, it's time to profile Limbo, an alternative crimeware kit that's been publicly available for purchase since 2007. Interestingly, none of these kits can compare to the current market share of Zeus, perhaps the most popular crimeware kit these days, a development largely driven by the community built around Zeus and the major enhancements introduced within the kit by third-party developers.

Here's what Limbo is all about:

"It works on the principle of the add-in to Internet Explorer, not visible in the processes to make the logs being hidden from the firewall redirector, and other programs to monitor network activity. Supplied as a loader, which is removed after the launch, unpacks itself and makes all necessary entries in the registry. When you first start IE it cleans Cookies, reads Protected Storage (Autosaved passwords in IE, Outlook passwords, etc.) Whenever a user visits the monitored sites, Limbo intercepts the parameters which are later on transmitted to the server once the user presses the browser key.

- Update the binary
- Launch arbitrary exe file 
- Update configurator (xml file available)
- Cleaning Cookies
- Remove Limbo
- Theft of keys for Bank of America, as well as the keys of those banks that have moved to a system of keys
- Exclude all the keys for Bank of America, as well as other banks of keys (control questions asked again, and you can intercept the answers to them)
- Add to your hosts - to block a certain site (it seems as if it does not boot at all)
- Reboot Windows
- Destroy Windows

Main features:
- Grabs data from forms, including data around forms (all in a row or a pattern described in the configuration file)
- Logging of keystrokes in the browser, at the time when the user enters something in the edit form (it is sometimes useful - for example when the entered data is encrypted after submit form)
- Logging of virtual keyboards (universal technology was developed for the Turkish and Australian banks)
- Theft of keys (Bank of America, as well as other banks, whose protection is key-based) - are in the archive, the archive is created from the user on the computer.
- Delete key (Bank of America, as well as other banks, whose protection is built based on keys) - it is useful to force the user to enter answers to security questions
- Scam page redirection (the fake of same page with the substitution of the address bar of IE and the status bar on infected hosts)
- Harvesting of emails (including the address book user) - by request includes this possibility
- Set the filter for sites that do not need to intercept
- Simple injects-based system (paste your text input field on a particular site - for example, to ask for a pin Holder)
- Smart injects system - blocking form until user input is not injected into the data fields (checking for the count-woo characters of their type - the numbers or letters)
- TANs grabbing - vital for the German sites

Paid only features: 
- A hidden transfer (transfer of command from the admin panel) - HARD-sharpen under one bank
- Autocomplete of hijacked session (e.g. when a user makes a transfer, useful if the transfer requires the SMS confirmation). Strictly tied to a particular bank only.

PHP based admin includes: 
- Mapping of users to the admin
- Directing teams selected users
- Delete commands and users
- Showing the status of the command
- Mapping and IP users
- Ability to delete tax
- Display the size of logs
- Search for logs
- Archiving of logs
- Filter by country
- Possibility of sending logs to email
- Statistics on infection
- View collected emails
- The giving of the notes selected users
- The last call
- Displaying a page by page (say 200 records per page)
- An opportunity to log everything in one file (optional)
- Sorting of logs according to different criteria
- Delete all logs
- Have the opportunity to log into mysql, as well as the ability to search for him there is (an order of magnitude faster search)

These commands are downloaded to the host after a certain period of time and performed in the admin panel you can see the status of commands for a specific user - download \ downloaded but not executed \ implemented."

With crimeware in the middle, no SSL or two-factor based authentication can ensure that a transaction stays hidden from the eyes of the cybercriminal.
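The "Add to your hosts" command in the feature list above blocks a site through the hosts file, which leaves an artifact a defender can check for. The following Python audit is an added example, not code from Limbo or from the original post; the watched domains and the sample hosts content are constructed placeholders.

```python
import ipaddress

# Constructed sample: hosts-file content as it might look after tampering.
SAMPLE_HOSTS = """\
# constructed sample hosts file
127.0.0.1       localhost
::1             localhost
127.0.0.1       www.bank.example   # constructed entry
0.0.0.0         Login.Bank.Example. update.av.example
203.0.113.7     secure.bank.example
10.0.0.5        intranet.corp.example
not-an-ip       bank.example
"""

# Hypothetical watch list: domains that should never be pinned in a hosts file.
WATCHED = {"bank.example", "av.example"}


def watched_parent(host, watched):
    """Return the watched domain that host equals or is a subdomain of."""
    host = host.lower().rstrip(".")
    for domain in watched:
        if host == domain or host.endswith("." + domain):
            return domain
    return None


def audit_hosts(text, watched=WATCHED):
    """Return findings for hosts entries that override a watched domain."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()  # drop comments, split columns
        if len(fields) < 2:
            continue  # blank line, comment, or address with no hostname
        try:
            addr = ipaddress.ip_address(fields[0])
        except ValueError:
            continue  # malformed address: not a usable mapping
        for host in fields[1:]:
            if watched_parent(host, watched) is None:
                continue
            # Loopback or 0.0.0.0/:: makes the site look like it never loads.
            blocked = addr.is_loopback or addr.is_unspecified
            kind = "blocked" if blocked else "remapped"
            findings.append((lineno, host.lower().rstrip("."), str(addr), kind))
    return findings


if __name__ == "__main__":
    for finding in audit_hosts(SAMPLE_HOSTS):
        print(finding)
```

On a Windows host the text to audit would come from `%SystemRoot%\System32\drivers\etc\hosts`; any finding for a banking or security-vendor domain there is worth triaging alongside the browser add-on inventory.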

Related posts:
Crimeware in the Middle - Adrenalin
Crimeware in the Middle - Zeus
76Service - Cybercrime as a Service Going Mainstream
Zeus Crimeware as a Service Going Mainstream
Modified Zeus Crimeware Kit Gets a Performance Boost
Modified Zeus Crimeware Kit Comes With Built-in MP3 Player
Zeus Crimeware Kit Gets a Carding Layout
The Zeus Crimeware Kit Vulnerable to Remotely Exploitable Flaw