Google Hacking for MPacks, Zunkers and WebAttackers

If wannabe botnet masters really wanted to hide their activities online, they would have blocked Google's crawlers from indexing their default malware kit installations, and changed the default installation settings to random directory and filename, wouldn't they? Apparently, a default deny:all rule for anyone but the botnet masters doesn't exist as a principle among botnet amateurs, which leaves us with lots of malware campaigns to assess and shut down.

The following are IPs and domain names currently or historically used to host MPack, WebAttacker and Zunker control panels, as well as live exploit URLs within the packs. Some are down, others are still accessible, the rest are publicly cached. If index.php doesn't exist, admin.php or zu.php act as the default admin panel.

MPack Malware Campaigns :

wmigra.org/mpack/index.php
64.62.137.149/~edit/
81.95.145.240/logo/
81.95.150.42/MPack091cbt/index.php
brbody.info/mpack/index.php
innaidina.info/mpack/index.php
rallyesimages.ch/liens/test/
sol.h18.ru/mpack/index.php
81.95.145.240/logo/
icqmir.iplot.ru/mpack/index.php
cordon.ru/mp/
havephun.org/mpack/index.php
xbr.ru/images/old/mpack/index.php
evil-x.org/spk2/
tyt-menia.net/mpack/index.php
rufat.info/mpack/index.php
iwiw-hosting.com/upload/
stepbystepbg.org/img/
mydulichusa.com/mpack/index.php
csextra.wz.cz/weapons/mpack/index.php
d34thnation.com/mpack/index.php
mp3fans.org/mpack084/
innaidina.info/mpack/

WebAttacker's Hosts :

secondsite2.com/cgi-bin/ie0604.cgi
lsdman.info/cgi-bin/ie0604.cgi?bug=MS05-001&SP1
telecarrier.es/cgi-bin/ie0604.cgi
stmare.info/cgi-bin/ie0604.cgi
redcrossonline.cn/cgi-bin/ie0604.cgi

Zunker's C&C :

66.148.74.7/zu/
bundeswehrzentrale.org
skilltests.org/zu/zc.php
zup.secondsite1.com/zu/index.php
stat1.realstatscollect.com/zu/
webcounterstat.info/zu/

I also find it very interesting to see VeriSign publicly admitting of hacking into the hosts behind the malware kits -- the Russian Business Network in this case -- to assess the damages done in the form of number of infected PCs and with what exactly :

"When VeriSign managed to hack into the RBN computer running the scam, it found accumulated data representing 30,000 such infections. “Every major trojan in the last year links to RBN” says a VeriSign sleuth."

Unethical penetration testing of malicious hosts to assess the damages by the malware campaign in question wouldn't result in the malware authors striking back with legal complaints, instead, they'll forward some DDoS bandwidth back at the investigating IPs, a consequence I'm sure researchers reading here have experienced before. On the other hand, the RBN themselves are getting more malicious with every new campaign, just consider for instance that Russian Business Network's IPs were behind the Massive Embedded Web Attack in Italy that took place in June, 2007, and the most recent Bank of India breach as well.

Popular Web Malware Exploitation Techniques

Who needs zero day vulnerabilities to achieve a widescale malware infection these days? Obviously the lack of this popular in the past prerequisite for a successful client side vulnerability exploitation, is no longer needed, but how come? Rather simple and that's the disturbing part - malicious parties stopped falling victims into the common perception that the end user is so fully patched, that zero day vulnerabilities are needed to break thought his thought to be complex use of security measures, instead, whether an event-study or plain simple common sense on their part, they've realized that an unpatched and obfuscated vulnerability is just as dangerous as a zero day, and the results have been evident ever since.

Going through the screenshots of the infected population of a certain malware kit, you can clearly see the diversity of the outdated vulnerabilities used. Multi-browser vulnerabilities IFRAME-ed all-in-one to achive the highest possible efficiency rate as there's a slight chance a visitor will return to a site they've managed to embedd the malware at, twice. The success of the these kits therefore has nothing to do with malicious innovations, but rather a successful tactical warfare against reactive security response. If perimeter defense cannot be breached, it will get either ignored or bypassed, precisely why client side vulnerabilities are back in the game with full speed.

Evidence showcasing this KISS (Keep it Simple Stupid) principle :

- IcePack, MPack, WebAttacker, the Nuclear Malware Kit, and pretty much every popular malware kit is taking advantage of outdated vulnerabilities, whether obfuscated or not depends on the pack's version and the malicious party's understanding of the concept

- The Massive Embedded Web Attack in Italy was using MPack's outdated arsenal of obfuscated vulnerabilities and despite that it achieved its objectives and infected thousands of hosts

- The recent Bank of India breach was using a modified version of the popular malware kits mentioned above, in between syndicating the hack with another campaign using a multi-IFRAME-ing techniques, again taking advantage of outdated vulnerabilities

- Storm Worm's success is mostly due to the fact that the end user is still living in the "malicious attachment" world, and so outdated vulnerabilities are again successfully used again her

Exploit Prevention Labs's recent stats on common vulnerabilities used as an infection vector can come very handy in terms of demonstrating the mass use of these malware kits. The bottom line is that their modularity combined with features and add-ons for them available either though a purchase or on demand, is an emerging trend by itself, one whether you cannot tell is it a script kiddie or sophisticated malicious party you're dealing with. And even if it's the second, the KISS principle has its own ugly applicability in the malware world.