Dancho Danchev's Blog - Mind Streams of Information Security Knowledge: 09/29/07

Saturday, September 29, 2007

DIY Chinese Passwords Stealer

This DIY passwords stealer courtesy of a chinese hacking group is pitched as Vista Compatible, with a server size in less than 20kb, process injection, form grabbing and password stealing capabilities for anything keyloggable, anti virus software killing capabilities, and uploading of the results to a central location, in this particular case an example is given for notification via Tencent, China's main IM network. More info :

"Backdoor.Hupigon.GEN has rootkit functionality. It injects itself into Internet Explorer causing IE to hide itself. It also logs keystrokes and sends this information to remote servers."

Detection rate of the builder: Result: 15/32 (46.88%)
File size: 267213 bytes
MD5: a4b9c9f42629865c542ac7b823982843
SHA1: 78f855843d312ab76e1f8f0b912bd475781a8864

Here are several more recent releases by Chinese hacking groups, as well as a comment on the big picture.

Dancho Danchev

Independent Security Consultancy, Threat Intelligence Analysis (OSINT/Cyber Counter Intelligence) and Competitive Intelligence research on demand. Insightful, unbiased, and client-tailored assessments, neatly communicated in the form of interactive reports - because anticipating the emerging threatscape is what shapes the big picture at the end of the day. Approach me at dancho.danchev@hush.com

A New DDoS Malware Kit in the Wild

On the majority of occasions, malware authors either put efforts into implementing a set of standard features within a malware enabling them to send out spam, use the already infected hosts as future infection and propagation vectors, or entirely outsource the features by releasing the malware as open source one. On the other hand, certain malware authors seem to avoid diversification and tend to stick to core competencies only, in this case a DDoS ready infected host as its only function, thereby decreasing the file size of the malware and sort of improving its stealthiness by putting the infected host in a passive "on demand" state compared to a situation where the host is already sending out spam and phishing emails could be much more easily identified as an infected one and its DDoS capability could turn irrelevant due the malware's multi tasking activities.

This specific DDoS malware kit currently offered for sale includes the standard firewall bypassing and rootkit capabilities, in between offering the possibility for zero day malware on demand once previous instances of the bot in question achieve a high detection rate. Moreover, in between providing custom DDoS capabilities like the ones I discussed in a previous post, it's yet another indication of the ongoing Web-ization of botnet communications which I think is about to replace the default use of the IRC command and control in the long term.

Dancho Danchev