Thursday, January 7, 2010

EFBlog Moved Permanently

Hello Readers,

Thank you for your uninterrupted support. We hope that you had a great time during your long weekends and holidays. We are getting back into action with the first step of moving EFBLOG permanently to http://EF.KAFFENEWS.COM. Sorry for any inconvenience. Kindly follow us there. Thank you once again for all your support.

Kind Regards,

Tuesday, January 5, 2010

Crimeware in 2009

"Crimeware in 2009" gathers into a single document everything published on this blog during that year about crimeware and its associated hazards.

The document runs to 262 pages and is organised by the most relevant topics covering the criminal activities that were reported on this blog. It has two indices: one for finding the news items (table of contents) and one for the images (image index).

Some of the themes covered in the document:
  • Current business outlook caused by crimeware
  • Framework Exploit Pack for botnets general purpose
  • Framework Exploit Pack for botnets particular purpose
  • Services associated with crimeware
  • Intelligence in the fight against crimeware
  • Campaigns of spread and infection
  • Other Exploits packs that were investigated
Summary
Malware Intelligence
Annual compendium of information: Crimeware in 2009
262 pages
Spanish language


Jorge Mieres
Malware Intelligence Blog

Friday, December 25, 2009

Anti-Virus Live 2010. Talking with the enemy

There is a widespread false belief that malicious code is a trivial matter, a technical problem solved simply by formatting the system or buying any of the anti-malware products on the market today.

The reality, however, is that behind the development of malware lies a very large business that recruits more "associates" every day. And what happens when we set out to buy this particular antivirus is exactly the opposite of a solution.

This is the case of Anti-Virus Live 2010, also known as Anti-Virus Elite 2010, a piece of scareware (or rogue antivirus) that makes it quite clear that the processes and mechanisms used to deceive victims and steal their money are well oiled and well thought out.

In the first instance, as is usual with this type of threat, the strategy rests on a website used as "bait" to lure potential victims, offering all sorts of justifications to "prove" the fake antivirus's credibility, complemented by a typical disinformation campaign.

So far, nothing interesting, except for the option of requesting assistance via chat. Interesting. We then checked whether this extra was genuine... Yes, it is.

So we opened a conversation through this option and, to our surprise, immediately got a response from the other side. The short chat conversation is shown below.

Dennis, the salesman, basically told us, among other things, that the antivirus is compatible with all versions of Windows, costs USD 27, supports only English, has no enterprise version, and has no problem removing Conficker.

Let us briefly discuss these points. Obviously the scareware must be compatible with all versions of Windows, since that is the audience the threat targets. Why? Simply because more than 80% of people use Windows as their main operating system, in home environments where the chance of finding a victim is higher. That makes it much more likely "to close the deal."

For the same reason there is no version for GNU/Linux, nor even a version aimed at businesses, since companies usually have a higher level of security, where the scareware would probably get no results.

Why English and not Russian? Because English is the third most spoken language. Its price, USD 27, is a competitive figure in line with the average cost of legitimate antivirus programs. And as for Conficker, had we asked about Koobface the answer would have been the same.

A very interesting detail, which helps to grasp the true scale of the illegal malware business, is the mistake the "affiliate" Dennis made when we asked for the URL to buy the fake solution. He gave us a URL, then noted that it was not for the supposed solution in question and offered the corresponding URL instead.

However, we were trying to close the "deal" for Anti-Virus Live 2010, not Anti-Virus Elite 2010, which makes it clear that this is the same threat under different names. The same "partner" even manages and markets several alternatives in a similar way, in this case also offering the fraudulent sale of Registry Fix, another scareware product associated with NoAdware and ErrorClean.

From a technical point of view, the threat's domain resolves to an IP address hosted by the ISP Rackspace, located in the city of Hoboken in the United States, under AS27357.

According to the history of this AS, the volume of malicious-code activity originating from it is significant.

From the website you download an executable named setup.exe (MD5: C50DC619E13345DEC2444B0DE371DFD4), which is the scareware installer and has a low detection rate.

As we can see, cybercriminals never tire of spreading increasingly aggressive threats, backing the infection process with marketing campaigns very similar to those used by many antivirus companies.

Related information
A recent tour of scareware XIX
Green IT used to spread scarewar...
Scareware. In-the-Wild malware repository
Scareware. Deception strategy proposed by Personal Antivirus
Propagation campaign of the MalwareRemovalBot scareware

Jorge Mieres
Malware Intelligence Blog

Thursday, December 17, 2009

RussKill. Application to perform denial of service attacks

Conceptually, a DoS attack (Denial of Service attack) basically bombards a service or computing resource with requests until it saturates and the system can no longer process data, leaving those resources and services inaccessible and "denying" access to anyone who wants them.

From the standpoint of computer security, Denial of Service attacks are a major problem because many botnets are designed to automate them, especially special-purpose botnets, taking advantage of the computing power offered by the network of zombies. In this case the attack is called a Distributed Denial of Service (DDoS).

Moreover, within the concept of cyberwarfare, this type of attack is part of the "war" arsenal with which conflicts play out in virtual scenarios, one of whose aims is to neutralize a state's vital services.

RussKill is a web application that falls within these activities and which, despite being extremely simple in both functionality and use, enables an attack that could be very effective and hard to detect.

As is customary with current crimeware, the web application is of Russian origin and has a number of fields for specifying how and against whom to carry out the attack, letting you configure the packet sequence, i.e. the volume of the flow. The "Hide url" option is a self-defence measure designed to keep the server from being detected.

Although there are several DoS attack methods, RussKill uses HTTP flood and SYN flood. In both cases the victims' servers are flooded, with HTTP requests and with packets carrying spoofed source IP addresses respectively.

As I said at the start, denial of service attacks are a danger for any information system, regardless of the platform that supports its services and applications, and this case demonstrates the ease with which an attack of this type can be run.

Related information
DDoS Botnet. New special-purpose crimeware

Jorge Mieres
Pistus Malware Intelligence

Friday, December 11, 2009

Using Nmap Remotely Through F5 FirePass VPN

Well, we all use the common hacking tools of the trade like Nmap. Some of us use it on Windows and some on Linux. This post is for the people using it on Windows.
I was connected to a network remotely through the company's F5 VPN appliance and I wanted to scan the internal network.

It looked like:
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.
C:\Documents and Settings\Rafel>nmap -PN -sS -p 445 192.168.1.*

Once I pressed "Enter" I got:
Starting Nmap 4.85BETA10 ( ) at 2009-11-10 00:34 Jerusalem Standard Time
WARNING: Using raw sockets because ppp0 is not an ethernet device. This probably won't work on Windows.

pcap_open_live(ppp0, 100, 0, 2) FAILED. Reported error: Error opening adapter: The system cannot find the device specified. (20). Will wait 5 seconds then retry.

pcap_open_live(ppp0, 100, 0, 2) FAILED. Reported error: Error opening adapter: The system cannot find the device specified. (20). Will wait 25 seconds then retry.

Call to pcap_open_live(ppp0, 100, 0, 2) failed three times. Reported error: Error opening adapter: The system cannot find the device specified. (20)

There are several possible reasons for this, depending on your operating system:
LINUX: If you are getting Socket type not supported, try modprobe af_packet or recompile your kernel with SOCK_PACKET enabled.

*BSD: If you are getting device not configured, you need to recompile your kernel with Berkeley Packet Filter support. If you are getting No such file or directory, try creating the device (eg cd /dev; MAKEDEV ; or use mknod).

*WINDOWS: Nmap only supports ethernet interfaces on Windows for most operations because Microsoft disabled raw sockets as of Windows XP SP2. Depending on the reason for this error, it is possible that the --unprivileged command-line argument will help.

SOLARIS: If you are trying to scan localhost or the address of an interface and are getting '/dev/lo0: No such file or directory' or 'lo0: No DLPI device found', complain to Sun. I don't think Solaris can support advanced localhost scans. You can probably use "-PN -sT localhost" though.


Then I realized that the VPN connection was a PPP device, which is probably at the top of the interface order list, and Nmap was trying to use it for the scan; that is the point of failure, because Nmap on Windows without raw sockets (meaning Windows XP SP2+) can only use Ethernet devices. So I tried playing "Imaginary Linux on Windows" and added the option "-e eth0", which specifies using the Ethernet device indexed at 0, and it worked like a charm.

C:\Documents and Settings\Rafel>nmap -PN -sS -p 445 -e eth0 192.168.1.*

Starting Nmap 5.00 ( ) at 2009-11-10 00:49 Jerusalem Standard Time
Interesting ports on XXXXX (
445/tcp filtered microsoft-ds

Nmap done: 1 IP address (1 host up) scanned in 6.03 seconds

Thursday, December 10, 2009

Bypassing Windows Unknown Publisher Verification For Web Downloaded Executables

I was in another day of jumping from client to client, securing another bank in Israel, when my girlfriend called and said "Honey, I am at the office, I have absolutely nothing to do and I can't connect from here to our computer at home to continue my project". I said, O.K., let's see what we can do in a 5 minute phone call. Now I just want to make it clear, my girlfriend is an Information Systems Instructor, she is no developer or hacker.

Me: "Honey, go to, can you download it?"
Her: "Yes, but when I run the setup.exe it says something weird like 'Windows has blocked this software because it can't verify the publisher' and it won't let me install"

Me: "O.K, Open Start-Run, type notepad and space, now click on setup.exe and drag it to the text box at Start->Run. Now add ':Zone.Identifier' just before the last quotes. What do you see?"
Her: "I see something like ZoneId=3, now what?"
Me: "I can't talk, going into a meeting, try to change it to 1 or delete everything, bye bye bye"

After 10 minutes I get an SMS "thanks honey it worked!!!".
Well, we found a bug. I wouldn't really call it a "Privilege Escalation", but I guess you don't have to be a hacker to bypass Windows security restrictions :)
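The mechanism behind the story above is Windows' Attachment Manager reading the ZoneId from the Zone.Identifier alternate data stream a browser writes next to a download. The following added example (not the post's own code) parses that stream and reports how the file will be treated, so a defender can audit a downloads folder for files whose mark is missing or has been changed; the zone-name table follows Windows' documented URL security zones and the sample stream contents are constructed.

```python
# Added example, not from the original post: audit the Zone.Identifier
# "Mark of the Web" stream (<file>:Zone.Identifier on NTFS) whose ZoneId
# drives the "can't verify the publisher" block. Samples are constructed.

# URL security zone ids used by Windows (URLZONE values).
ZONE_NAMES = {0: "Local machine", 1: "Local intranet", 2: "Trusted sites",
              3: "Internet", 4: "Restricted sites"}
# Attachment Manager warns/blocks for files marked Internet or Restricted.
UNTRUSTED_ZONES = {3, 4}


def parse_zone_identifier(stream_text):
    """Parse the INI-style [ZoneTransfer] section into a dict of its keys."""
    values, in_section = {}, False
    for raw in stream_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            in_section = line[1:-1].lower() == "zonetransfer"
        elif in_section and "=" in line:
            key, _, val = line.partition("=")
            values[key.strip()] = val.strip()
    return values


def classify(stream_text):
    """Return (zone_id, zone_name, warns); None input means the stream is
    absent, so the file is treated as local and no publisher warning shows."""
    if stream_text is None:
        return None, "No mark (treated as local)", False
    values = parse_zone_identifier(stream_text)
    try:
        zone_id = int(values.get("ZoneId", ""))
    except ValueError:
        return None, "Malformed stream", False
    return zone_id, ZONE_NAMES.get(zone_id, "Unknown"), zone_id in UNTRUSTED_ZONES


def read_stream(path):
    """Read <path>:Zone.Identifier on Windows/NTFS; None if absent."""
    try:
        with open(path + ":Zone.Identifier") as f:
            return f.read()
    except OSError:
        return None


if __name__ == "__main__":
    # Constructed: a fresh Internet download, the post's edited ZoneId=1, no stream.
    for text in ("[ZoneTransfer]\r\nZoneId=3\r\n", "[ZoneTransfer]\r\nZoneId=1\r\n", None):
        print(classify(text))
```

A missing stream and an edited ZoneId look the same to the Attachment Manager, so an audit should treat both as "no longer marked as from the Internet".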

Fusion. A concept adopted by the current crimeware II

It is increasingly common during our research to find several Exploit Pack type crimeware kits housed on the same server, actively "operating" and used to control and manage the zombies that form part of the fraudulent business.

A while ago we commented on ElFiesta and ZeuS coexisting in the same environment and serving the same objectives.

This time the merger is between Fragus (an increasingly popular crimeware kit) and ElFiesta. Both packages are hosted on the same server, although that does not necessarily mean they are being operated by the same botmaster.

The domain hosting them is as follows:

Fragus is hosted under that domain, and ElFiesta is hosted in another folder on the same server. As we can see, both share the server with an IP address located at Yizhuang IDC of China Netcom, Beijing.

This demonstrates that "business" opportunities are not limited to the sale of crimeware, malware, exploit packs and other fraudulent activities; another alternative is to provide the infrastructure that, in terms of computing capacity, streamlines criminal processes.

Related information

Fusion. A concept adopted by the current crimeware
Fragus. New botnet framework In-the-Wild
ZeuS and the power of botnet zombie recruitment
ElFiesta. Zombie recruitment across multiple threa...

Jorge Mieres
Pistus Malware Intelligence