Thursday, February 26, 2009

Inside a DIY Image Spam Generating Traffic Management Kit

Whatever the spammer, pharma master or plain cybercriminal requires, the spamware vendors deliver, so that a win-win-win scenario takes place for the buyer, the seller and the enabler, in this case the affiliate network that credits image-based spam, compared to Web 1.0's link-based performance measurement.

The main objective of one of the very latest traffic management kits is, once again, quality assurance in the process of managing image-spam campaigns.

Here's a translated description of the traffic management kit:
"As you know, many pay-per-click networks now offer so-called graphic feeds within their ad scripts. Any site allowing the use of the IMG tag can serve them, and that includes popular free web-based services. The problem so far has been the lack of quality measurement and optimization of this approach.

This imposes severe restrictions on the ability to convert traffic to a resource to which automatic redirection is impossible. Our system allows you to create your own ads and send traffic from them to wherever you think it fits.

How it works: you create a campaign with your own keywords, generate a random image, customize it, generate a link to the ad and paste it into the hosting site, or include it in your email campaigns. By doing this you're able to add more interactivity to your campaigns and improve your click-through rates.

Here's a summary of the features we offer you:

- Create messages with random text and random design. Change ad size, font color, underlining, styles, font and alignment, frames - everything is configurable. You can use any font you want - it's completely up to you
- Manage ad designs through profiles within the system and save your creative work
- Use any image as the ad. This may be a screenshot of your pharmacy, a banner, or anything else
- Combine different types of simple ads on the same page
- Create messages with any embedded images
- Use alternative keywords in the links (some sites do not allow posting links containing the names of pills and other banned words)
- Filter incoming traffic by country, User-Agent, IP or IP range"

It's important to emphasize that this is a DIY image-spam generating kit; by comparison, the much more efficient, and again randomized, image-spam generating service is offered by the sophisticated and experienced managed spam service providers, who still prefer working with reputable and well-known individuals instead of going mainstream.

Related posts:
Quality Assurance in a Managed Spamming Service
Managed Spamming Appliances - The Future of Spam
Dissecting a Managed Spamming Service
Inside a Managed Spam Service
Spamming vendor launches managed spamming service
Segmenting and Localizing Spam Campaigns

Help! Someone Hijacked my 100k+ Zeus Botnet!

I've been looking for chatter like this for a while now, given the existence of a remotely exploitable vulnerability in an old Zeus crimeware release that allows a cybercriminal to inject a new user into the admin panel of another cybercriminal.

It appears that this guy had his 100k+ Zeus botnet hijacked several months ago, and now that he has managed to at least partly rebuild his infected host count across two separate botnets, he is requesting advice on how to properly secure his administration panel.

Here's an exact translation of his concerns:
"Dear colleagues, I'd like to hear all sorts of ideas regarding the security of Zeus. I've been using Zeus for over a year now, and while I managed to create a botnet of 100k infected hosts, someone hijacked it from me by adding a new user and changing my default layout to orange, just as a tip-off once he did it. After fixing my directory permissions, I now have two botnets: the first one is 30k and the second (thanks to a partnership with a friend) is now 3k, located at different hosting providers.

Sadly, yesterday I once again found out that my admin panel seems to have been compromised, since all the files were renamed and access to the admin panel was blocked by IP. Yes, that seems to be the IP the hijacker is using. The attacker has been snooping the Apache logs in order to find the IPs that had been used to log in, and blocked them all. Therefore I think the new user was added by exploiting a flaw in Zeus. In my opinion a request was made to the database, either through an SQL injection in the s.php file, or as a request from a user with higher privileges.

Since I've applied patches to the known bugs, this could also be a compromise of my hosting provider. So here are some tips which I offer based on my experience with securing Zeus.

- Change the default set of commands; make them unique to your needs only.
- If possible, prohibit reading and dumping the tables with logs for all IPs, allowing only certain ones (so that crackers are not able to make a dump or read the logs in the database).
- If possible, prohibit editing of the tables with Zeus commands for all IPs, allowing only certain ones (so that the bots cannot be "hijacked" by inserting commands)"

Surreal? Not at all, given the existing monoculture on the crimeware market. Moreover, yet another vulnerability was found in the FirePack web malware exploitation kit earlier this month (a FirePack remote command execution exploit that leverages admin/ref.php). This exploit could have made a bigger impact in early 2008, the peak of the FirePack kit, which was also localized to Chinese several months later:

The FirePack Web Malware Exploitation Kit
The FirePack Exploitation Kit - Part Two
The FirePack Exploitation Kit Localized to Chinese

Ironically, cybercriminals too seem to be using outdated versions of their crimeware.

Related posts:
Crimeware in the Middle - Adrenalin
76Service - Cybercrime as a Service Going Mainstream
Zeus Crimeware as a Service Going Mainstream
Modified Zeus Crimeware Kit Gets a Performance Boost
Modified Zeus Crimeware Kit Comes With Built-in MP3 Player
Zeus Crimeware Kit Gets a Carding Layout
The Zeus Crimeware Kit Vulnerable to Remotely Exploitable Flaw
Crimeware in the Middle - Zeus

Tuesday, February 24, 2009

The Cost of Anonymizing a Cybercriminal's Internet Activities - Part Two

With VPN-enabled malware-infected hosts easily acting as stepping stones, thanks to modules within popular malware bots, next to commercial VPN-based services, the cost of anonymizing a cybercriminal's Internet activities is not only getting lower, but the process is ironically managed from data retention havens such as the Netherlands, Luxembourg, the USA and Germany, in this particular case by using the services of the following ISPs: LeaseWeb AS Amsterdam, Netherlands; ROOT-AS root eSolutions; HOPONE-DCA HopOne Internet Corp.; NETDIRECT AS NETDIRECT Frankfurt, DE.

Operating since 2004, yet another "cybercrime anonymization" service is using the bandwidth of legitimate data centers to run its VPN / Double VPN / Triple VPN channels service, which it markets in an "it's where you advertise your services, and how you position yourself, that speaks for your intentions" fashion.

Description of the service:

"- We will never seek to make the service cheaper at the expense of our customers' safety.
- Our servers are located in one of the most stable and high-speed data centers (1.2 Gbit total bandwidth)
- Only we have full support from the data center, which prevents the installation of sniffers and monitoring.
- We do not use standard solutions; our software is based on modified code.
- Only here do you get a stable and reliable service.

Characteristics of the servers:
- 100 Mbit channel per server, 1.2 Gbit in total.
- MPPE encryption, 128-bit
- Complete absence of logs and monitoring - a guarantee of your safety.
- Completely unlimited traffic.
- Support for all Internet protocols."

Chaining several VPN channels located in different countries, all managed by the same service, combined with SOCKS-to-VPN functionality where the SOCKS host is a malware-compromised one, none of which keep any logs, directly undermines the usefulness of already implemented data retention laws. Moreover, even a not so technically sophisticated user is aware that chaining these and adding more VPN servers in countries where no data retention laws exist at all would result in a near-perfect anonymization service, where each added hop buys more anonymization at the cost of connection speed. In this case, it's the mix of legitimate and compromised infrastructure that makes it so cybercrime-friendly. Note that the "128-bit MPPE" claim says little about confidentiality: MPPE session keys are derived from the MS-CHAP password exchange, whose weaknesses have been public since Schneier and Mudge's late-1990s PPTP analyses, so the tunnel is only as strong as the customer's password.

With respect to the "no logs and no monitoring, for the sake of our customers' security" claims, such services are based on trust: the customers know the cybercriminals running them from the rest of the services they offer, and since they're all "on the same page", that trust is more easily established. However, an interesting perspective is worth pointing out: are the owners of the cybercrime-friendly VPN service shifting responsibility onto their customers, or are the customers in fact shifting responsibility for their activities onto the owners, who are directly violating data retention laws and purposely getting rid of forensic evidence?

Things are getting more complicated in the "cybercrime cloud" these days.

Monday, February 23, 2009

Fake Celebrity Video Sites Serving Malware - Part Three

In the overwhelming sea of templated malware-serving sites, (naked) celebrities will always remain the default choice offered by the majority of bogus content generating tools that take advantage of the high page rank of legitimate Web 2.0 services.

Following 2008's Fake Celebrity Video Sites Serving Malware series (Part Two), the very latest addition to the series demonstrates the automated abuse of legitimate infrastructure, in this case Blogspot, for the purpose of traffic acquisition.

The following are currently active and part of the same campaign:

Compared to the single-post-only Blogspots, the following domains have a lot more bogus content to offer.

Wednesday, February 18, 2009

Pharmaceutical Spammers Targeting LinkedIn

Following January's malware campaign relying on bogus LinkedIn profiles, this time it's pharmaceutical spammers' turn to target the business-oriented social networking site.

From a spammer's or blackhat SEO-er's perspective, this is done for the purpose of increasing the page rank of their pharmaceutical domains based on the number of links coming from LinkedIn. The campaigns are monetized through the usual affiliate-based pharmaceutical networks.

The following is a complete list of the currently active bogus profiles, all part of identical campaigns:
linkedin .com/in/buyviagra45
linkedin .com/in/phenterminetrueway
linkedin .com/in/OnlineBuyProzac
linkedin .com/in/CheapBuyGabapentin
linkedin .com/in/BuyCheapTramadol
linkedin .com/in/cheaptramadol
linkedin .com/in/buybactrimonline
linkedin .com/in/OnlineBuyAugmentin
linkedin .com/in/OnlineBuyMetformin
linkedin .com/in/OnlineBuyBiaxin
linkedin .com/in/CheapBuyNorvasc
linkedin .com/in/OrderBuyCelebrex
linkedin .com/in/OnlineBuyLipitor
linkedin .com/in/BuyCheapOxycontin
linkedin .com/in/OnlineBuyHydrocodone
linkedin .com/in/OrderBuyPercocet
linkedin .com/in/OnlineBuyFioricet
linkedin .com/in/OrderBuyKlonopin
linkedin .com/in/OnlineBuyDiazepam
linkedin .com/in/OnlineBuyXanax
linkedin .com/in/CheapBuyOxycodone
linkedin .com/in/OnlineBuyClonazepam
linkedin .com/in/OnlineBuyEffexor
linkedin .com/in/OnlineBuyAmbien
linkedin .com/in/OnlineBuyAtivan
linkedin .com/in/OnlineBuyVicodin
linkedin .com/in/OnlineBuyNexium
linkedin .com/in/OrderBuyCipro
linkedin .com/in/OnlineBuyLorazepam
linkedin .com/in/propecia
linkedin .com/in/OnlineBuyAllegra
linkedin .com/in/CheapBuyMeridia
linkedin .com/in/OnlineBuyZithromax
linkedin .com/in/OnlineBuyCelexa
linkedin .com/in/clomid
linkedin .com/in/clonazepam
linkedin .com/in/BuyCheapNeurontin
linkedin .com/in/cheapfioricet
linkedin .com/in/OnlineBuyClomid
linkedin .com/in/OnlineBuyIbuprofen
linkedin .com/in/OnlineBuyZoloft
linkedin .com/in/OnlineBuyToprol
linkedin .com/in/OnlineBuyAleve
linkedin .com/in/OnlineBuyVioxx
linkedin .com/in/OnlineBuyWellbutrin
linkedin .com/in/OnlineBuyAmoxicillin
linkedin .com/in/OnlineBuySuboxone
linkedin .com/in/OnlineBuyOxycodone
linkedin .com/in/OnlineBuyLisinopril
linkedin .com/in/OrderBuyPrevacid
linkedin .com/in/OnlineBuyLevaquin
linkedin .com/in/OnlineBuyUltram
linkedin .com/in/OnlineBuyAlprazolam
linkedin .com/in/OnlineBuyLamictal
linkedin .com/in/OnlineBuyNaproxen
linkedin .com/in/OnlineBuyZyprexa
linkedin .com/in/OnlineBuyCoumadin
linkedin .com/in/OnlineBuyValium
linkedin .com/in/OnlineBuyLithium
linkedin .com/in/OnlineBuySynthroid
linkedin .com/in/OnlineBuyHerceptin
linkedin .com/in/OnlineBuyAvandia
linkedin .com/in/OnlineBuyTramadol
linkedin .com/in/OnlineBuyCymbalta
linkedin .com/in/OnlineBuyDoxycycline
linkedin .com/in/OnlineBuyProtonix
linkedin .com/in/OnlineBuyTestosterone
linkedin .com/in/OnlineBuyTopamax
linkedin .com/in/OnlineBuyBenadryl
linkedin .com/in/OnlineBuyBactrim
linkedin .com/in/OnlineBuyMethadone
linkedin .com/in/OnlineBuyAtenolol
linkedin .com/in/OnlineBuyConcerta
linkedin .com/in/OnlineBuyCrestor
linkedin .com/in/OnlineBuyTrazodone
linkedin .com/in/OnlineBuyVytorin
linkedin .com/in/OnlineBuyMelatonin
linkedin .com/in/OnlineBuyCephalexin
linkedin .com/in/OnlineBuyThyroid
linkedin .com/in/OnlineBuyChantix
linkedin .com/in/OnlineBuyInsulin
linkedin .com/in/OnlineBuyGenace
linkedin .com/in/OnlineBuyByetta
linkedin .com/in/OnlineBuyPropecia
linkedin .com/in/OnlineBuyPlavix
linkedin .com/in/OnlineBuyYaz
linkedin .com/in/OnlineBuyYasmin
linkedin .com/in/OnlineBuyPotassium
linkedin .com/in/OnlineBuyValtrex
linkedin .com/in/OnlineBuyVoltaren
linkedin .com/in/OnlineBuyPenicillin
linkedin .com/in/OnlineBuyZyrtec
linkedin .com/in/OnlineBuyMagnesium
linkedin .com/in/OnlineBuyPrednisone
linkedin .com/in/OnlineBuySeroquel
linkedin .com/in/OnlineBuySoma
linkedin .com/in/OnlineBuyGabapentin
linkedin .com/in/OnlineBuyAspirin
linkedin .com/in/OnlineBuyPseudovent
linkedin .com/in/OnlineBuyLortab
linkedin .com/in/OnlineBuyPaxil
linkedin .com/in/OnlineBuyAlli
linkedin .com/in/BuyCheapXenical
linkedin .com/in/CheapBuyUltracet
linkedin .com/in/buyhydrocodone
linkedin .com/in/OrderBuyAlli
linkedin .com/in/buypaxilonline
linkedin .com/in/OnlineBuyMobic
linkedin .com/in/OnlineBuyNaprosyn
linkedin .com/in/OnlineBuyCipro
linkedin .com/in/OnlineBuyMorphine
linkedin .com/in/vimax
linkedin .com/in/OnlineBuyAccutane
linkedin .com/in/vigrx
linkedin .com/in/OnlineBuyNorvasc
linkedin .com/in/OnlineBuyOxycontin
linkedin .com/in/OnlineBuyProvigil
linkedin .com/in/OnlineBuyPercocet
linkedin .com/in/OnlineBuyCelebrex
linkedin .com/in/OnlineBuyAdipex
linkedin .com/in/OnlineBuyRitalin
linkedin .com/pub/dir/purchase/viagra
linkedin .com/pub/dir/cialis/online
linkedin .com/pub/dir/methocarbamol/online
linkedin .com/pub/dir/acyclovir/online
linkedin .com/pub/dir/klonopin/online
linkedin .com/pub/dir/zyprexa/online
linkedin .com/pub/dir/amitriptyline/online
linkedin .com/pub/dir/buymodalertonline/buymodalertonline
linkedin .com/pub/dir/zocor/online
linkedin .com/pub/dir/levitra/online
linkedin .com/pub/dir/citalopram/online
linkedin .com/pub/dir/arimidex/online
linkedin .com/pub/dir/niacin/online
linkedin .com/pub/dir/phentermine/online
linkedin .com/pub/dir/provigil/online
linkedin .com/pub/dir/ritalin/online

Pharmaceutical domains used in the campaigns:
buy-pharmacy .info
viagra-pills .info
nenene .og
rxoffers .net
allrxs .org
onlinepharmacy4u .org
cheap-tramadol .us
buy-tramadol.blogdrive .com
buymodalert .com
rx-prime .com
suche-project .eu

Acquiring new users in a highly competitive Web 2.0 world is crucial, no doubt about it. But in 2009, if you're not at least requiring a valid email address and confirmation of the registration, combined with a CAPTCHA, to at least slow down bogus account registration and ruin the spammers' efficiency model, systematic abuse of the service is inevitable (see: Commercial Twitter spamming tool hits the market).

LinkedIn's abuse team has already been notified of these accounts.

Tuesday, February 17, 2009

Community-driven Revenue Sharing Scheme for CAPTCHA Breaking

What follows when a system originally created to be solvable by humans only gets undermined by low-wage humans or grassroots movements? Irony, with no chance of reincarnation. CAPTCHA is dead; humans killed it, not bots.

A new market entrant into the CAPTCHA-breaking economy is proposing a novel approach that is not only going to result in more efficient human-based CAPTCHA solving at scale, but is also going to generate additional revenue for webmasters and their sites' community members. The concept is fairly simple, since it mimics reCAPTCHA's core idea.

However, instead of digitizing books, the CAPTCHA entry field serves CAPTCHAs syndicated from Web 2.0 web properties: any webmaster of an underground community, or of a general site for that matter, who would like to embed them is free to do so on a revenue-sharing or plain voluntary basis.

Consider for a moment the implications if they manage to execute such a project successfully: from community-driven CAPTCHA breaking of Web 2.0 sites through basic forum registration fields that use the syndicated CAPTCHA to authenticate new and existing users, to automatic rotation of CAPTCHAs to idle community users, to enforcing CAPTCHA authentication for each and every new forum post or reply.

What happens with the successfully recognized CAPTCHAs? As usual, hundreds of thousands of bogus profiles will get automatically registered for spamming, malware spreading, or resale. The development of this service, if any, will be monitored and updates posted if it goes mainstream.

Related posts:
The Unbreakable CAPTCHA
Spammers attacking Microsoft's CAPTCHA -- again
Spam coming from free email providers increasing
Gmail, Yahoo and Hotmail’s CAPTCHA broken by spammers
Microsoft’s CAPTCHA successfully broken
Vladuz's Ebay CAPTCHA Populator
Spammers and Phishers Breaking CAPTCHAs
DIY CAPTCHA Breaking Service
Which CAPTCHA Do You Want to Decode Today?

Wednesday, February 11, 2009

Quality Assurance in a Managed Spamming Service

Following previous coverage of the managed spam services offered by the Set-X mail system and a copycat variant of it, a newly introduced managed spam service is emphasizing quality assurance through the use of a Google Search Appliance for storing the harvested email databases and the spam templates.

Here's an automatic translation of some of the key features offered by the system, currently priced at $1,200 per month:

"A summary of the main possibilities of the system
- Innovative technology delivers a unique e-mail system, designed specifically for ******** to maximize delivered e-mails with a low rejection rate
- Multi-threaded kernel design provides extremely high speed with low platform requirements
- Complete sender anonymity at maximum system performance
- Multiple techniques for bypassing content filters using the built-in special tags:

+ Configurable generation of random strings
+ Random changes of letter case within a block
+ Random permutation of symbols within a block
+ Insertion of a random character at an arbitrary place in a block
+ Replacement of Latin letters with identical-looking Russian ones within a block
+ Duplication of a random character within a block
+ Insertion of random strings from a file into the body of the letter
+ Controlled morphing of image files in GIF format

- Correct emulation of the headers of sent letters
- Simultaneous connection of several e-mail address databases
- Substitution of letter subjects is performed from a file
- Substitution of e-mail addresses for the From and Reply-To fields is performed from a file
- Outgoing message formats: TEXT and HTML
- Ability to send e-mails with attachments
- Correct handling of images in HTML messages; sending is possible both directly and with CC/BCC copies
- Record keeping: the results of each run are stored in 'good', 'bad' and 'unlucky' files for each connected e-mail address database
- A convenient and intuitive graphical user interface

System management
The system is operated through the 'Control Panel' interface, which has two buttons. The first is multifunctional and serves to start the sending process (the 'Run' state), pause it (the 'Pause' state) and confirm its completion (the 'Report' state). The second button ('Stop') interrupts the sending process. This section also contains the following information fields:
- Action: the action the system is currently carrying out
- Progress indicator: graphical indication of the task's progress
- Completed: task progress as a percentage
- Successful: the number of addresses to which the letter was delivered successfully
- Failed: the number of addresses to which delivery failed
- Bad: the number of non-existent addresses
- Duration: the actual running time of the task
- Status: displays the status of the system kernel
- Kernel memory: displays the memory used by the system kernel"
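The filter-evasion tags in that feature list (random case, swapped and doubled characters, inserted symbols, Latin-to-Cyrillic look-alikes) are all cheap to undo on the receiving side. The script below is an added example written for this page, not code from the spam system or its vendor: it normalizes a message (Unicode compatibility folding, case folding, a constructed Cyrillic-to-Latin homoglyph table, removal of zero-width characters and of punctuation inserted inside words) and then matches a constructed pharma keyword list using an edit distance that counts an adjacent swap as one edit, so a swapped or doubled letter still matches. The sample message, the keyword list and the homoglyph table are constructed for illustration.

```python
"""Undo the text-obfuscation tricks listed in the vendor description so that a
keyword filter still fires.  Added example for this page; not code from the
spam system being described.  Homoglyph table, keyword list and sample
message are constructed for illustration."""
import re
import unicodedata

# Cyrillic lowercase letters that render like Latin ones (the kit's "replace
# Latin letters with identical-looking Russian ones").  Constructed subset.
_HOMOGLYPHS = str.maketrans({
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
    "\u0443": "y", "\u0445": "x", "\u043a": "k", "\u043c": "m", "\u0442": "t",
    "\u043d": "h", "\u0432": "b", "\u0456": "i", "\u0458": "j", "\u0455": "s",
})
_ZERO_WIDTH = re.compile(r"[\u00ad\u200b-\u200d\u2060\ufeff]")
_INNER_PUNCT = re.compile(r"(?<=\w)[^\w\s]+(?=\w)")   # "cia*lis" -> "cialis"

# Keywords a pharma-spam filter would look for (constructed list).
KEYWORDS = ("viagra", "cialis", "pharmacy", "tramadol", "phentermine")

# Constructed sample using the advertised tricks: random case, Cyrillic "а",
# an inserted "*", a swapped letter pair, a doubled letter, a random token.
SAMPLE = ("Buy VIAGRA and ci\u0430*lis online! Cheap ph\u0430rmacy, "
          "tramdaol and phentermmine. Ref: xq7zk")


def normalize(text: str) -> str:
    """Fold Unicode compatibility forms, case, homoglyphs, zero-width
    characters and punctuation inserted inside words."""
    text = unicodedata.normalize("NFKC", text).lower().translate(_HOMOGLYPHS)
    text = _ZERO_WIDTH.sub("", text)
    return _INNER_PUNCT.sub("", text)


def osa_distance(a: str, b: str) -> int:
    """Optimal string alignment distance: Levenshtein where swapping two
    adjacent characters costs 1 edit instead of 2."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)   # adjacent swap
    return d[len(a)][len(b)]


def find_keywords(text: str, keywords=KEYWORDS, max_edits: int = 1) -> list:
    """Return the keywords present in text after normalization, tolerating up
    to max_edits insertions, deletions, substitutions or adjacent swaps per
    word (the kit's random-character and permutation tricks)."""
    hits = set()
    for token in re.findall(r"[a-z0-9]+", normalize(text)):
        for kw in keywords:
            if abs(len(token) - len(kw)) <= max_edits and osa_distance(token, kw) <= max_edits:
                hits.add(kw)
    return sorted(hits)


def naive_matches(text: str, keywords=KEYWORDS) -> list:
    """Plain case-insensitive substring match, for comparison."""
    low = text.lower()
    return sorted(kw for kw in keywords if kw in low)


if __name__ == "__main__":
    print("naive:     ", naive_matches(SAMPLE))   # only 'viagra' survives the tricks
    print("normalized:", find_keywords(SAMPLE))   # all five keywords recovered
```

Keep the edit budget tight for short keywords (one edit on a four-letter word such as "soma" also matches "some"), treat the homoglyph table as a starting point rather than a complete one, and note that the "controlled morphing of GIF files" item is a different problem that text normalization does not touch.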

The ongoing arms race between the security industry and cybercriminals is inevitably driving innovation on both sides of the front. However, given the scalability of these managed spam services, it's only a matter of time before the vendors embrace simple penetration pricing strategies that would allow even the most price-conscious cybercriminals, or novice cybercriminals in general, to take advantage of this standardized spamming approach. The disturbing part is that the filter-evasion innovation introduced by the spam vendors seems to be driven not by falling delivery rates, but by internal competition in the cybercrime ecosystem.

For instance, new market entrants, in the form of botnet masters attempting to monetize their botnets by offering the usual portfolio of cybercrime services, often undercut the offerings of the sophisticated managed spam vendors. And so the vendors innovate, with capabilities the new entrants cannot match, in order not only to preserve their current customers but also to acquire new ones. Managed spam services as a business model are entirely driven by long-term "bulk orders", compared to earning revenue on a volume basis by empowering low-profile spammers with sophisticated delivery mechanisms.

In the long term, just like in every other segment of the cybercrime ecosystem, vertical integration and consolidation will continue taking place, and thankfully we'll end up in a situation where the spam vendors sacrifice OPSEC (operational security) on their way to scaling their business model and acquiring more customers.

Thursday, February 05, 2009

Summarizing Zero Day's Posts for January

The following is a brief summary of all of my posts at ZDNet's Zero Day for January. You can also go through previous summaries for December, November, October, September, August and July, as well as subscribe to my personal RSS feed or Zero Day's main feed.

Notable articles for January include Microsoft study debunks phishing profitability; Legal concerns stop researchers from disrupting the Storm Worm botnet and Google Video search results poisoned to serve malware.

01. Thousands of Israeli web sites under attack
02. Bogus LinkedIn profiles serving malware
03. Microsoft study debunks phishing profitability
04. Paris Hilton's official web site serving malware
05. Malware author greets Microsoft's Windows Defender team
06. 3.5m hosts affected by the Conficker worm globally
07. GoDaddy hit by a DDoS attack
08. Legal concerns stop researchers from disrupting the Storm Worm botnet
09. Malware-infected WinRAR distributed through Google AdWords
10. New mobile malware silently transfers account credit
11. GPU-Accelerated Wi-Fi password cracking goes mainstream
12. Google Video search results poisoned to serve malware

Tuesday, February 03, 2009

A Diverse Portfolio of Fake Security Software - Part Fifteen

Descriptive fake security software domains speak for themselves, and what follows are the very latest ones currently active in the wild:

spywareguard2009m .com (;
systemguard2009m .com
spywareguard2009 .com
systemguard2009 .com
getsysgd09 .com

Registrant: Damir Sbil; Email:

antispyscanner13 .com (;
sgproductm .com
sgviralscan .com
sg10scanner .com
sg11scanner .com
sg12scanner .com
sg9scanner .com
sgproduct .com

Registrant: Ahmo Stolica; Email:

buysysantivirus2009 .com (
sysav-download .com
sysav-storage .com
sysantivirus-check .com
antispyware-pro-dl .com
sysantivirus2009 .com
sysav-download .com
sysav-storage .com
sysantivirus-check .com
antispywarefastcheck .com
antispyware-scanner-2009 .com
antispyware-pro-dl .com

Registrant: Dion Choiniere; Email: (

Registrant: Maksim Hirivskiy Email:

DNS servers to keep an eye on, courtesy of UralComp-as Ural Industrial Company LTD (AS48511):
ns1.europegigabyte .com
fastuploadserver .com
ns1.managehostdns .com
dns3.systempromns .com
ns1.freehostns .com
ns1.singatours .com
ns1.airflysupport .com
ns1.eguassembly .com
ns1.fastfreetest .cn

Proactively blocking these name servers undermines a great deal of the traffic acquisition campaigns whose aim is to hijack legitimate traffic to these domains.

Related posts:
A Diverse Portfolio of Fake Security Software - Part Fourteen
A Diverse Portfolio of Fake Security Software - Part Thirteen
A Diverse Portfolio of Fake Security Software - Part Twelve
A Diverse Portfolio of Fake Security Software - Part Eleven
A Diverse Portfolio of Fake Security Software - Part Ten
A Diverse Portfolio of Fake Security Software - Part Nine
A Diverse Portfolio of Fake Security Software - Part Eight
A Diverse Portfolio of Fake Security Software - Part Seven
A Diverse Portfolio of Fake Security Software - Part Six
A Diverse Portfolio of Fake Security Software - Part Five
A Diverse Portfolio of Fake Security Software - Part Four
A Diverse Portfolio of Fake Security Software - Part Three
A Diverse Portfolio of Fake Security Software - Part Two
Diverse Portfolio of Fake Security Software

Crimeware in the Middle - Adrenalin

What is Adrenalin? Adrenalin is an alternative to the Zeus crimeware kit that never actually managed to scale the way Zeus did. Following recently leaked copies of Adrenalin, a crimeware kit that originally cost a hefty $3,000, it's time to profile the kit, discuss what differentiates it from Zeus, and explain why, despite the leak, the kit is not going to take any of Zeus's market share. At least not in its current form.

In the spirit of the emerging copycat web malware exploitation kits, Adrenalin too isn't coded from scratch; at least according to cybercriminals questioning its authenticity while trying to secure a bargain when purchasing it, Adrenalin reuses portions of Corpse's original A-311 release.

Adrenalin's description and features:
"- Injection system: inserting HTML/JavaScript code into the page, into files or into JavaScript, or substituting one piece of code with another. Injection occurs in stream mode, i.e. the modified page is loaded at once!
(Not as in other BHO-based trojans, which insert only after the page has fully loaded (causing JavaScript problems) or limit the effect (if, for instance, the user is on a mobile connection). In our implementation everything works quickly and efficiently!)

- Collection of pieces of text from HTML pages (balance, etc.) as one of the injector's modes of operation

- FTP grabbing: the sniffer processes traffic and rips out FTP access credentials. All of this comes in an easy-to-read, easy-to-process form

- Certificate collector. Pulls out all installed certificates, including those marked as non-exportable. Certificates are neatly stored for each individual bot.

- Page redirector. Allows you to replace a page, or a separate frame, on the fly. Everything is done completely unnoticed: the content substitution happens inside the browsing session, so the browser and any special add-ons are convinced that the page is the one you want.

- Domain redirector. Forwards all requests for the original site to the fake one; the address bar and all links still point to the original. Can also be used to block access to certain sites

- Universal form grabber. Can strip data entered through virtual keyboards, and can grab forms even from pages that have not fully loaded. Unlike other crimeware kits, which work by tracking the user's clicks on buttons/links, it intercepts the data once it has already been formed, which can be seen in the log. Data can be collected from everything, or by keyword (filter), to keep the logs free of noise from chat sites and other sites not needed for the work.

All data is transmitted in encrypted form, which is important for bypassing protections such as ZoneAlarm's ID Lock. An undoubted advantage is also that the logs are sent instantly, in parallel with the data sent to the original site. No need to worry that the victim will go offline and the locally accumulated form-grabbing log will never be sent.

- Screenshots by URL
- TAN grabbing. The technology allows effective collection of working TANs
- Periodic cleaning of cookies/Flash cookies
- Grabbing of the words around the forms (no configuration needed; Adrenalin's own algorithm determines what must be collected. Algorithm improved!)
- Password collection, for instance from Protected Storage (IE autocomplete, protected sites, Outlook)
- Classic keylogger
- Cleaning the system of BHO trojans, advertising toolbars and other debris. As is well known, vulnerable machines are getting fewer, and everyone wants to put something more on them. Cleaning the system greatly increases the chances of survival
- Anti-anti-rootkit mechanisms
- Runs on the system without an EXE file
- User-friendly log format! Forget the stupid piles of files!
- SOCKS4/5 + HTTP(S) proxy server enabled on the infected host
- Shell + back shell enabled on the infected host
- SOCKS admin
- Management of each bot individually or all simultaneously (downloading files, updating settings, etc.)
- Requires PHP on the web-based command and control host
- Ability to issue commands (including downloads) according to the bot's country (functioning as a resident loader, with per-program statistics), and other small pleasures"

Without the web injection and TAN grabbing abilities, Adrenalin is your typical malware kit, whose only differentiation factor would have been the customer support in the form of the managed, undetected malware binaries that naturally come with it. However, its TAN grabbing, its proprietary collection of data "around the forms", its stripping of content from virtual keyboards, its automatic per-host certificate collection, and its ability to clean the system of competing BHO-based trojans make it special.

How do you actually measure the popularity of a crimeware kit? Based on the market share of the kit, or on another benchmark? It's all a matter of perspective and of a quantitative versus qualitative approach. For instance, I can easily argue that if the very same community had been built around Adrenalin the way it was built around Zeus, making the original Zeus release look amateurish, Adrenalin would have scaled pretty fast. Some of the community improvements include:

- Modified Zeus Crimeware Kit Comes With Built-in MP3 Player
- Modified Zeus Crimeware Kit Gets a Performance Boost
- Zeus Crimeware Kit Gets a Carding Layout

For the time being, the innovation or user-friendly features boosting the popularity of Zeus come from the third-party coders improving the original Zeus release. Moreover, not only are they improving it, they're also looking for vulnerabilities within the different releases, and actually finding some. What does this mean? It means that we have clear evidence of crimeware monoculture, with a single kit maintaining the largest market share.

With the cybercrime ecosystem having clearly embraced the outsourcing concept for a while now, it shouldn't come as a surprise that botnets running the Zeus crimeware are offered for rent at such cheap rates that purchasing the kit and putting effort into aggregating a botnet may seem a pointless endeavor in the eyes of a prospective cybercriminal, even an experienced one interested in milking inexperienced cybercriminals who don't know the real value of what they're doing.

Moreover, speaking of monetization, the attached screenshots are a very decent example of monetizing the reconnaissance of E-banking authentication that cybercriminals or vendors of crimeware services undertake in order to come up with the modules targeting the financial institutions of a particular country. Is this just the usual "monetization of what used to be a commodity good/service", taking into consideration this overall trend, or is there perhaps another reason for monetizing snapshots of E-banking authentication activities in order to later on achieve efficiency in the process of abusing them? But of course there is, and in this case it's the fact that, no matter that a potential cybercriminal has obtained access to a crimeware kit, its database of injects is outdated, and therefore a new one has to be either built or purchased.

With Adrenalin now leaked to the general script kiddies and wannabe cybercriminals, it's only a matter of time until a community is built around it, one that would inevitably increase its popularity and prompt others to introduce new features within the kit.

Related posts:
Targeted Spamming of Bankers Malware
Localized Bankers Malware Campaign
Client Application for Secure E-banking?
Defeating Virtual Keyboards
PayPal's Security Key

Monday, February 02, 2009

Copycat Web Malware Exploitation Kits Are Still Faddish

The oversupply of web malware exploitation kits is in fact

The Template-ization of Malware Serving Sites - Part Two

The growing use of "visual social engineering" in the form of legitimately looking codecs, Flash Player error screens, adult web sites, and YouTube windows, in order to hand the infection process over to the end user himself, is the direct result of the ongoing template-ization of malware serving sites. This standardization is all about achieving efficiency, in this case by coming up with high-quality, legitimately looking templates that fool the average Internet user by trading on the clean reputation of the impersonated service in question.

The attached screenshot of the very latest DIY Windows Media Player template, with pretty straightforward instructions on how to modify the timing of the "missing codec" pop-up, is a great example of how cybercriminals rarely value the intellectual property of their fellow colleagues. The DIY template has in fact been ripped off from a competing affiliate network participant (currently active xxxporn-tube .com/123/2/FFFFFF/3127/TestCodec/Best), its images hosted at ImageShack, and the codec released for everyone in the ecosystem to use -- and so they will.

Interestingly, within the mirrored copy, now tweaked and distributed for free using free image hosting services as the infrastructure provider for the layout, there are also leftovers from the original campaign template that they mirrored - which ultimately leads us to DATORU EXPRESS SERVISS Ltd (AS12553 PCEXPRESS-AS). In the wake of UkrTeleGroup Ltd's demise -- don't pop the corks just yet, since the revenues they've been generating for the past several years will make it much less painful -- a significant number of UkrTeleGroup customers, of course under domains, have been generating quite some malicious activity at for a while.

Portfolio of fake codec serving domains parked at the original mirrored domain's IP:
xxxporn-tube .com (
uporntube-07 .com
tubeporn08 .com
porn-tube09 .com
tubeporn09 .com
xxxporn-tube .com
allsoft-free .com
all-softfree .com
lsoftfree .com
porntubenew .com

Download locations:
brakeextra .com/download/FlashPlayer.v..exe (
brakeextra .com/download/TestCodec.v.3.127.exe

Entire portfolio of domains parked at ( :
brakeextra .com 
thebestporndump2 .com
fire-extra .com
xp-extra .com
delfiextra .com
qazextra .com
track-end .com
fire-movie .com
extrabrake .com
crack-serial-keygen-online .com
extra-turbo .com
extra-nitro .com
apple-player .com
meggauploads .com
soft-free-updates .com
quicktimesoft .com
cleanmovie .net
nitromovie .net
trackgame .net
quotre .net
rexato .net
spacekeys .net

Dots, dots, dots, trackgame .net is once again proving the multitasking mentality of cybercriminals these days - it's one of the download locations participating in the recent Google Video search query poisoning attacks.
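The domain and download-location lists above are written in the post's defanged "name .tld" form, which is how most practitioners will paste them into their own tooling. As an added example (not code from the post or from any kit it describes), here is a small Python script that refangs that list, drops the "(" fragments left where IP addresses were elided, and then matches the indicators against proxy log lines. The log lines are constructed for the example, loosely modelled on a "timestamp client url status" proxy format; the matcher uses exact-suffix comparison so that a listed domain also catches its subdomains while a look-alike such as nottrackgame.net does not trigger a false positive.

```python
import re
from dataclasses import dataclass
from urllib.parse import urlsplit

# Indicators transcribed from the post in its defanged form ("name .tld");
# the dangling "(" fragments mark places where the post elided IP addresses.
RAW_IOCS = """
xxxporn-tube .com (
uporntube-07 .com
tubeporn08 .com
porn-tube09 .com
tubeporn09 .com
allsoft-free .com
all-softfree .com
lsoftfree .com
porntubenew .com
brakeextra .com/download/FlashPlayer.v..exe (
brakeextra .com/download/TestCodec.v.3.127.exe
thebestporndump2 .com
fire-extra .com
xp-extra .com
delfiextra .com
qazextra .com
track-end .com
fire-movie .com
extrabrake .com
crack-serial-keygen-online .com
extra-turbo .com
extra-nitro .com
apple-player .com
meggauploads .com
soft-free-updates .com
quicktimesoft .com
cleanmovie .net
nitromovie .net
trackgame .net
quotre .net
rexato .net
spacekeys .net
"""

# Constructed sample proxy log (not real traffic): timestamp, client, URL, status.
SAMPLE_LOG = """\
2009-02-02T10:14:03 10.0.0.7 http://www.example.com/index.html 200
2009-02-02T10:15:11 10.0.0.7 http://xxxporn-tube.com/123/2/FFFFFF/3127/TestCodec/Best 200
2009-02-02T10:15:14 10.0.0.7 http://brakeextra.com/download/TestCodec.v.3.127.exe 200
2009-02-02T10:20:40 10.0.0.9 http://cdn.trackgame.net/player.exe 200
2009-02-02T10:21:02 10.0.0.9 http://nottrackgame.net/ 200
"""


def refang(entry):
    """Turn 'brakeextra .com/download/x.exe (' into ('brakeextra.com', '/download/x.exe').
    Returns None for blank lines."""
    entry = entry.strip().rstrip("(").strip()
    if not entry:
        return None
    entry = re.sub(r"\s+\.", ".", entry)  # remove the defanging space before the TLD
    host, _, path = entry.partition("/")
    return host.lower(), ("/" + path) if path else ""


def load_iocs(text):
    """Split the indicator list into a set of hosts and a set of (host, path) download locations."""
    hosts, paths = set(), set()
    for line in text.splitlines():
        parsed = refang(line)
        if parsed is None:
            continue
        host, path = parsed
        hosts.add(host)
        if path:
            paths.add((host, path))
    return hosts, paths


@dataclass
class Hit:
    line_no: int
    host: str
    reason: str


def host_matches(host, hosts):
    """Return the listed domain that `host` equals or is a subdomain of, else None."""
    parts = host.lower().rstrip(".").split(".")
    for i in range(len(parts) - 1):
        candidate = ".".join(parts[i:])
        if candidate in hosts:
            return candidate
    return None


def scan_log(log_text, hosts, paths):
    """Flag log lines whose URL host is a listed domain; note exact payload paths separately."""
    hits = []
    for n, line in enumerate(log_text.splitlines(), 1):
        fields = line.split()
        if len(fields) < 3:
            continue
        url = urlsplit(fields[2])
        hostname = url.hostname or ""
        if host_matches(hostname, hosts) is None:
            continue
        reason = "listed domain"
        if (hostname, url.path) in paths:
            reason = "known payload download path"
        hits.append(Hit(n, hostname, reason))
    return hits


if __name__ == "__main__":
    known_hosts, known_paths = load_iocs(RAW_IOCS)
    for hit in scan_log(SAMPLE_LOG, known_hosts, known_paths):
        print(f"line {hit.line_no}: {hit.host} ({hit.reason})")
```

Feeding it a real proxy export only requires adjusting the field index in `scan_log`; the suffix matching in `host_matches` is what keeps a list of second-level domains usable against logs full of CDN and subdomain hostnames.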