Monday, September 10, 2007

Google Hacking for MPacks, Zunkers and WebAttackers

If wannabe botnet masters really wanted to hide their activities online, they would have blocked Google's crawlers from indexing their default malware kit installations, and changed the default installation settings to a random directory and filename, wouldn't they? Apparently, a default deny:all rule for anyone but the botnet masters doesn't exist as a principle among botnet amateurs, which leaves us with lots of malware campaigns to assess and shut down.

The following are IPs and domain names currently or historically used to host MPack, WebAttacker and Zunker control panels, as well as live exploit URLs within the packs. Some are down, others are still accessible, the rest are publicly cached. If index.php doesn't exist, admin.php or zu.php act as the default admin panel.

MPack Malware Campaigns :


WebAttacker's Hosts :


Zunker's C&C :

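
The default paths these kits install under can also be matched against outbound proxy logs to find clients that reached a default installation. This is an added example, not part of the original post: the log format, field order and `.example` hosts are constructed assumptions, and only the default directory and file names (`/mpack…/`, `/zu/`, `/cgi-bin/ie0604.cgi`, `index.php`, `admin.php`, `zu.php`, `zc.php`) are taken from this post.

```python
import re
from urllib.parse import urlsplit

# Default install paths as they appear on this page. A renamed directory or
# file will not match, and "/zu/" is generic enough to need manual review.
KIT_PATTERNS = {
    "MPack": re.compile(r"/mpack[^/]*/(?:(?:index|admin)\.php)?$", re.I),
    "Zunker": re.compile(r"/zu/(?:(?:index|admin|zu|zc)\.php)?$", re.I),
    "WebAttacker": re.compile(r"/cgi-bin/ie0604\.cgi$", re.I),
}

def classify_url(url):
    """Return the kit name whose default path the URL matches, or None."""
    if "://" not in url:          # proxy logs often omit the scheme
        url = "http://" + url
    path = urlsplit(url).path     # query string is dropped by urlsplit
    for kit, pattern in KIT_PATTERNS.items():
        if pattern.search(path):
            return kit
    return None

def scan_proxy_log(lines):
    """Return a list of (client_ip, kit, url) for requests to default kit paths."""
    hits = []
    for line in lines:
        fields = line.split()
        if len(fields) < 5:       # skip malformed or truncated entries
            continue
        _ts, client, _method, url, _status = fields[:5]
        kit = classify_url(url)
        if kit:
            hits.append((client, kit, url))
    return hits

# Constructed sample log (assumed format: timestamp client method url status).
SAMPLE_LOG = """\
2007-09-10T10:02:11 10.0.0.15 GET http://kit-host.example/mpack/index.php 200
2007-09-10T10:02:40 10.0.0.22 GET http://news.example/docs/mpack-review.html 200
2007-09-10T10:03:05 10.0.0.15 GET http://cc.example/zu/zc.php 200
2007-09-10T10:04:19 10.0.0.31 GET http://ads.example/cgi-bin/ie0604.cgi?bug=MS05-001&SP1 200
2007-09-10T10:05:00 10.0.0.31 GET img.example/MPack091cbt/ 404
truncated line
""".splitlines()

if __name__ == "__main__":
    for client, kit, url in scan_proxy_log(SAMPLE_LOG):
        print(f"{client} requested default {kit} path: {url}")
```
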

I also find it very interesting to see VeriSign publicly admitting to hacking into the hosts behind the malware kits -- the Russian Business Network in this case -- to assess the damages done in the form of the number of infected PCs and with what exactly:

"When VeriSign managed to hack into the RBN computer running the scam, it found accumulated data representing 30,000 such infections. “Every major trojan in the last year links to RBN” says a VeriSign sleuth."

Unethical penetration testing of malicious hosts to assess the damages caused by the malware campaign in question wouldn't result in the malware authors striking back with legal complaints. Instead, they'll forward some DDoS bandwidth back at the investigating IPs, a consequence I'm sure researchers reading here have experienced before. On the other hand, the RBN themselves are getting more malicious with every new campaign; just consider, for instance, that Russian Business Network's IPs were behind the Massive Embedded Web Attack in Italy that took place in June, 2007, and the most recent Bank of India breach as well.