![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEimsrPCRdtVWkXLANRcJGLo1xc0CVT4roCdwhDhcaCZjjMy9kwJ8kp5MpUBV632kI9-w672wkcetM1BswbVPtPt3mY-i6dXBsBKn8DGqk_L8meCF1vbTEckEZaKPuHNFARDSIu0iQ/s200/rootkit_launcher.jpg)
The RootLauncher kit is advertised -- Russian to English automatic translation -- as follows:
"Just, we can offer you 3-version - D o w n l o a d e r-designed RootLauncher for the hidden load arbitrary WIN32 Exe-faila from a remote resource, followed by the launch of the file on the local hard disk. Obhodit all protection is not determined by any AV-Do not see fairvollah - Flexible settings - Periodic updates and supplements may download up to five exe files. Our team is not at the same point and develops all bolshe-bolshe for you dear friends services available to them closer you will be able to on our official website. We are also looking for people interested in partnership with us."
And while it's supposed to be nothing more than an average downloader, these "average downloaders" are actually starting to standardize features with respect to statistics and compatibility with other toolkits and malicious software.
In a previous post at Websense's blog, they came across a web panel showing that the "total number of unique launchers is 155" -- count these as infected PCs -- but as you can see in the image attached, the sample could be much larger. This one I obtained from the following URL: http://www.inthost7.com/cgi-bin/rleadmin.cgi which is of course down, but was already listing 1013 launchers; here's an analysis of this very same URL.
IP cloaking when browsing such sites and forums is important in order for you to remain as anonymous as possible. If you're on a Russian site make sure you appear to come from a Russian domain, if you're on a Chinese site make sure you appear to come from a Chinese domain, and most importantly don't translate the page directly through Google or Altavista, but copy and paste what's interesting to you, so that nobody starts wondering why a Russian domain would be translating Russian text into English. Imagine the situation where security vendors browse them through their securityvendor.com subdomains: the results will follow shortly -- everything disappears.
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgKDS5EGCfYhPON1F8_Si9hEDJms4X24z20SZnAqDwvsHhS2ghp_1QkQjFZU85TbIegNkUled2SofBMuXoaArq8-zKLVYvGgRi03Z9Ided6-eCzIjt4X_ull4vAuLeeml-rxnhLLQ/s200/webattacker.jpg)
Taking into consideration the big picture -- like you should -- the release and automation of phishing/exploit kits lowers the entry barriers for script kiddies, who generate enough noise to keep the real puppet masters safe, or at least let them secretly pull the strings. I'd rather we operated in the time when launching a phishing attack required much more resources than it requires today.