Thursday, July 16, 2009

Special!!! ZeuS Botnet for Dummies

After some emphasis on the activities of one of the most active botnets today, ZeuS, let's look at a more detailed description of its criminal operations.

When talking about malware and botnets, ZeuS undoubtedly stands out for the number of zombies that make up its ranks. ZeuS is designed to remotely steal any information stored on victims' computers and to carry out other information-stealing attacks such as phishing.

We could therefore call ZeuS spyware, but it also has capabilities of other malware types such as backdoors, trojans and viruses. However, the author states in the installation manual that he does not like calling this crimeware by any of those names and prefers to refer to it as "bot software".

Although we know the external face of ZeuS (the web interface for managing and controlling zombies), it has features that are constantly evolving and becoming more professional, achieving greater flexibility and adaptability to ensure it runs on different versions of Windows. This makes ZeuS a latent and very dangerous threat to any information system.

In this sense, ZeuS also ensures its performance by "working" at privilege level 3 of the operating system (where applications run), avoiding incompatibilities between its implementation and the hardware and devices (which operate at lower levels). Though it may seem an irrelevant detail, this gives it greater flexibility and therefore a higher yield in the fraudulent and criminal activities for which it was conceived.

The latest version of ZeuS is written in version 9 of C++, and among the features of this (malicious) web application we can mention:
  • Monitors TCP network traffic (sniffer).
  • Intercepts FTP and POP3 connections on any port.
  • Intercepts HTTP and HTTPS requests from all applications that use the wininet.dll library (e.g. IE). This dispels the myth that ZeuS uses a BHO to intercept applications through IE.
  • Server functions (SOCKS4/4a/5).
  • Backconnect for all services of the infected computer (RDP, SOCKS, FTP, etc.).
  • Takes screenshots in real time.
  • Ability to conduct phishing attacks.
  • Incorporates anti-analysis mechanisms.
  • A builder for the trojan that is spread and for its configuration file.
  • Polymorphic encryption.
Another technical detail is that all ZeuS communication is done through a symmetric encryption algorithm (RC4).

The server is the heart of ZeuS, as of any botnet: it receives all the records from the infected computers that are part of the botnet and executes commands on them remotely.

On the other hand, many botnets use virtual servers for their criminal operations. However, this works against the botnet when it is very large, as in the case of ZeuS, because virtual servers usually do not have many resources, so it is customary for the botmaster to use dedicated servers to host the bot. This is an important fact to keep in mind on the research side.

Accordingly, since every application requires a minimum of resources to run satisfactorily, the requirements for this botnet are just 2GB of RAM and a 2x 2 GHz CPU. As we can see, the minimum requirements are not at all a VIP constraint. Anyone can deploy ZeuS, even without these minimum requirements.

Furthermore, it is assumed that the computer runs an HTTP server with PHP (the language in which this crimeware is generally developed) and MySQL (to create the database holding the statistical information that shows its activity). Another requirement is Zend Optimizer, which is needed to protect and optimize the scripts.

With regard to updates, ZeuS can also be "groomed" with newer versions without too much effort. During the last six months, five versions have been released (roughly one every 35 days) with error corrections, changes and new features, not counting the versions with smaller fixes.

Looking at the diagram, many wonder what the number of each version means. As a teaching aid, we could say that if we have "A.B.C.D"...

A means a complete crimeware package.
B represents changes that cause total or partial incompatibility with earlier versions.
C specifies error corrections, added functionality, improvements, etc.
D is the number of changes made to the current version.

This is just a snapshot of what ZeuS can do and what it represents in terms of the skills and maneuvers present in an environment where criminal crimeware applications are the main actors.

Related Information
Botnet. Security hardening in the new version of ZeuS
ZeuS Carding World Template. Playing at changing the face of the botnet
Financial institutions in the sights of the ZeuS botnet. Part two
Financial institutions in the sights of the ZeuS botnet. Part one
ZeuS Botnet. Massive propagation of its trojan. Part two
ZeuS Botnet. Massive propagation of its trojan. Part one
LuckySploit, the right hand of ZeuS

# Jorge Mieres

Sunday, July 12, 2009

BruCON, Brussels 16-19 September 2009

BruCON is an annual security and hacker conference providing two days of an interesting atmosphere for open discussions of critical infosec issues, privacy, information technology and its cultural/technical implications on society.

Organized in Brussels, BruCON offers a high quality line up of speakers, security challenges and interesting workshops. It's affordable, accessible and entertaining. BruCON is a conference by and for the security and hacker community.

Two-day trainings are available before the conference by some industry experts:

  • Crash course in Penetration Testing (by Joe McCray and Chris Gates)
    Former speaker at SOURCE Boston 09, NotACon, Toorcon X and ChicagoCon. He is scheduled to speak at BlackHat USA 2009 and Defcon 17.
  • Web 2.0 Hacking – Attacks and Defense (by Shreeraj Shah)
    Author of Hacking Web Services (Thomson 06) and Web Hacking: Attacks and Defense.
  • Social Engineering testing for IT Security professionals (by Sharon Conheady)
    Sharon Conheady is a social engineer/penetration tester at First Defence Information Security in the UK. She has social engineered her way into dozens of organisations across the UK and abroad, including company offices, sports stadiums, government facilities and more. Former speaker at Deepsec, Recon, CONFidence, ISSE, ISF, SANS Secure Europe and more.

Why should people attend this event?

  • These are renowned speakers, international experts and book authors whom you will seldom meet at other events.
  • It's affordable and accessible.
  • With 400 seats, it's an ideal occasion to network with others and exchange knowledge.
  • Lightning talks give visitors the opportunity to present their own projects, tools or websites.
  • Various workshops on wireless security, digital ID, lockpicking, VoIP, ...
  • The Hex Factor: a contest where people can learn the basics of web application security, forensics, ... both fun and challenging for absolute beginners as well as experts.

More info? How to register? Visit http://www.brucon.org/

SpyDLLRemover v2.5 Unleashed!

Hey guys,

We have released the next version of SpyDLLRemover [v2.5], which includes major updates and minor bug fixes. We have added a DLL Tracer tab, which lets you [the user] search for processes running a specific DLL on your system. In that way, if you know the name of your injected DLL, it will list all the process names that run this DLL.

Check it out @: http://www.rootkitanalytics.com/tools/spy-dll-remover.php

From here on, we are shifting from a 3-number versioning system to a 2-number system, and we are reserving the 3rd number for internal use [to track minor updates].

If you have any questions or comments, do not hesitate to contact us [at contact.fingers @ gmail.com] either way.

EF

Thursday, July 9, 2009

Waledac/Storm. Past and present of a threat

At the beginning of 2007, a malicious code leapt out of the darkness and became a source of major news because of its particular deception strategies and a large-scale global infection campaign that is still a subject of research for the security community.

This is Storm, aka Nuwar or Zhelatin depending on the name assigned by each antivirus company, although it is best known as "Storm", perhaps alluding to the way it ravaged systems, turning them into zombies and recruiting machines under the command of the botnet.

At present the threat posed by Storm has not been set aside but transferred to its twin brother, Waledac, which essentially keeps the trait of trying to innovate in the pretexts it needs in order to spread, and which has recently awakened after a period of hibernation.

Some features of this threat are:
  • It spreads through unsolicited e-mail (spam)
  • It uses different deception strategies (Social Engineering) for each propagation campaign
  • A link embedded in the message body leads to a site from which the malware is downloaded
  • The infected computers become part of a botnet
  • The infection cycle is completed by sending more spam
  • Fast-Flux networks
  • Polymorphic capabilities at the server level
During virtually all of 2007, Storm (whose first appearances used as a pretext the promise of a video about a storm unleashed in Europe) used e-mail as its means of propagation/infection, with varied subjects and topics inciting the user to click on a link embedded in the message body. In some cases the link led to a page (some of them also tried to spread Storm by exploiting vulnerabilities, using iframe tags as the resource), and in others directly to the download of a binary; in both cases the result was Storm.

In the following year (2008), Storm added a "surprise effect": the link in the e-mail led to a web site that accompanied the pretext presented in the mail with an image alluding to the same theme, which, as in 2007, rotated with each major event (Valentine's Day, US Independence Day, Christmas, etc.). In addition, some variants spread through blogs.

After several months of inactivity in terms of propagation, in January of this year Waledac appeared, a trojan that uses the same mechanisms as Storm, and many security professionals began to notice the similarity between them.

After several investigations, it is said that Waledac is, one might say, the twin brother of Storm. It uses the same Social Engineering methodologies, with a broad portfolio of images and themes used as pretexts to capture users' attention: from the typical "love" images for Valentine's month, to alleged terrorist attacks, among others, to the recent pretext of a YouTube video.

There are, among others, two very interesting features in both Waledac and Storm: the use of Fast-Flux networks and polymorphic capabilities on the server.

The first of these allowed the threat to spread across different IP addresses and through different domain names that constantly rotate among each other in name resolution. As a result, after a certain pre-configured time to live (TTL), every x number of hops between nodes (infected computers) of the same domain, a different prototype of the malware is downloaded.

This leads to the second feature, polymorphism. In this way, each time the established TTL expires, the package (malware) attempts to download a different version of the malicious code, so that it "changes" every certain amount of time (also predetermined by the attacker), establishing its polymorphic capability.
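The DNS side of the fast-flux behaviour described above is something a defender can watch for. The following Python is an added example (not code from the original post or from any Waledac analysis) that runs over constructed resolver observations and flags names whose short TTL, answer churn and spread across unrelated networks fit the pattern; the names, addresses and thresholds are assumptions made for this example.

```python
import ipaddress
from collections import defaultdict

# Constructed DNS observations (not real Waledac data): (name, ttl_seconds, A records),
# in lookup order. "promo-video.example" looks flux-like: tiny TTL and a different set of
# unrelated addresses on every lookup. "cdn.example" also rotates, but with a long TTL
# inside one /16; "www.example" never changes.
OBSERVATIONS = [
    ("promo-video.example", 60, ("203.0.113.10", "198.51.100.7", "192.0.2.44")),
    ("promo-video.example", 60, ("198.51.100.7", "192.0.2.91", "203.0.113.88")),
    ("promo-video.example", 60, ("192.0.2.91", "203.0.113.130", "198.51.100.201")),
    ("promo-video.example", 60, ("203.0.113.130", "198.51.100.33", "192.0.2.5")),
    ("cdn.example", 3600, ("203.0.113.10", "203.0.113.11")),
    ("cdn.example", 3600, ("203.0.113.11", "203.0.113.12")),
    ("www.example", 86400, ("198.51.100.1",)),
    ("www.example", 86400, ("198.51.100.1",)),
]

def summarize(observations):
    """Per name: lowest TTL, distinct addresses, distinct /16 prefixes and the number
    of consecutive lookups whose answer set differed from the previous one."""
    stats = defaultdict(lambda: {"queries": 0, "ttl_min": None, "ips": set(),
                                 "prefixes": set(), "changes": 0, "last": None})
    for name, ttl, ips in observations:
        s = stats[name]
        s["queries"] += 1
        s["ttl_min"] = ttl if s["ttl_min"] is None else min(s["ttl_min"], ttl)
        s["ips"].update(ips)
        s["prefixes"].update(str(ipaddress.ip_network(f"{ip}/16", strict=False)) for ip in ips)
        if s["last"] is not None and set(ips) != s["last"]:
            s["changes"] += 1
        s["last"] = set(ips)
    return dict(stats)

def fast_flux_candidates(observations, max_ttl=300, min_ips=5, min_prefixes=3, min_churn=0.5):
    """Names whose TTL, address diversity and churn all look flux-like. TTL or churn alone
    is not enough (a CDN rotates addresses too), so the addresses must also span several
    unrelated /16 networks. Thresholds are assumptions for this example, not from the post."""
    hits = []
    for name, s in summarize(observations).items():
        churn = s["changes"] / max(s["queries"] - 1, 1)
        if (s["ttl_min"] <= max_ttl and len(s["ips"]) >= min_ips
                and len(s["prefixes"]) >= min_prefixes and churn >= min_churn):
            hits.append(name)
    return sorted(hits)
```

On the constructed data only promo-video.example is flagged; cdn.example rotates addresses just as often but fails the TTL and prefix-diversity checks, which is why the three signals are combined.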

The diagram below shows, over time, the direct relationship between the threat and the deception strategy it used.

Each of the zombies that make up the botnet created by Waledac focuses its efforts on sending spam. In this sense, a very interesting extract from a report says that Waledac has the ability to send about 150,000 spam emails per day.

Knowing now that Storm/Waledac are running campaigns with high global rates of propagation and infection, it is clear that their creators continue their criminal operations for financial motives, which is nothing new for today's malware.

Related Information
Massive propagation/infection campaign launched by Waledac using US Independence Day as a pretext
BlackHat SEO strategy proposed by Waledac
Waledac. Detailed tracking of a latent threat
More Waledac in action. Can you guess how much I love you / how much I earn?
Waledac more loving than ever
Waledac and Social Engineering on Valentine's Day

# Jorge Mieres

milw0rm is back

Str0ke changed his mind. milw0rm.com is back.

Most recent posting from http://twitter.com/str0ke:

"milw0rm's back up & posting will start once again, I can't let all of the emails in my submit box to just sit there."

We are glad that str0ke did not throw the jewel box away.
EF

Wednesday, July 8, 2009

milw0rm.com is shutting down

It is very sad that CastleCops closed. It was also sad that Astalavista was taken down. Here comes the bad part... milw0rm is shutting down.

Well, this is my goodbye header for milw0rm. I wish I had the time I did in the past to post exploits, I just don't :(. For the past 3 months I have actually done a pretty crappy job of getting people's work out fast enough to be proud of, 0 to 72 hours (taking off weekends) isn't fair to the authors on this site. I appreciate and thank everyone for their support in the past.
Be safe, /str0ke
- Source: milw0rm.com

Tuesday, July 7, 2009

Sucuri & EvilFingers: Technology Partners

Hey guys,

Sucuri is now partnering with EvilFingers [as technology partners] in a collective community effort to secure users for free. Sucuri provides NBIM (Network-based Integrity Monitoring) for FREE. Check out http://www.Sucuri.net for more details.

- EF