Rootkit Analytics is proud to announce the release of SpyDLLRemover v2.
SpyDLLRemover is a standalone tool to effectively detect and delete spyware from the system. It comes with an advanced spyware scanner which quickly discovers hidden rootkit processes as well as suspicious/injected DLLs within all running processes. It not only performs sophisticated automatic analysis of process DLLs but also displays them with various threat levels, which greatly helps in the quick identification of malicious DLLs.
One of the unique features of SpyDLLRemover is its capability to free a DLL from a remote process using an advanced DLL injection method which can defeat any existing rootkit tricks. It also uses sophisticated low-level anti-rootkit techniques to uncover hidden userland rootkit processes as well as to terminate them.
The newer version comes with other features such as HTML-based report generation, sorting of the process/DLL list for quick analysis, an enhanced user interface, etc.
To know more or to download the tool, CLICK HERE
Friday, May 29, 2009
Thursday, May 28, 2009
Unique Sploits Pack. Manipulating the attacker's security II
Unique Sploits Pack is another offering from the underground market for illegally sold Russian crimeware. However, it has a peculiarity compared with others of its kind: it incorporates a module called Vparivatel, through which rogue software is spread by social engineering.
In this case it is a beta version of the crimeware, apparently fairly active, although in the few days we have been following it, after "violating" its authentication scheme, it has not achieved a striking level of infection and therefore has not recruited a significant number of zombies.
Still, this threat is active and spreading malicious code, but before looking at what it spreads, let us look at some statistics that give a fairly specific picture of the botnet's activity.
From them we can see:
- The operating system most exploited by this crimeware is Windows XP SP1.
- Second place is occupied by "other" platforms, i.e. non-Windows.
- Windows XP SP2 is third in the list of most used operating systems.
- Internet Explorer versions 5.5, 6.0 and 7.0 and Firefox 3.0.5 are the browsers most often compromised by this crimeware's threats.
- The "others" item under browsers covers browsers such as Opera and Amaya.
However, the Vparivatel module does not seem as effective so far, as no activity has been "positive" for the botmaster ;-P
Among the threats spread by Unique Sploits Pack are, by Kaspersky's identification:
- Exploit.JS.Pdfka.ip (8112e241092a63e13084b14439f87ee8)
- Trojan.Win32.Pakes.nkq (0d89729a0df4f6ad57103d670af62b20)
These malicious codes are spread through various vulnerabilities, some newer than others, but despite the age of most of the vulnerabilities exploited by this crimeware, they remain very effective.
It exploits not only vulnerabilities in popular web browsers (IE, Firefox and Opera) but also two vulnerabilities in PDF readers currently in widespread use: Adobe Acrobat Reader and Foxit Reader.
As mentioned at the beginning, this crimeware package is now proactively spreading malware by exploiting different vulnerabilities on victims' computers, and despite not yet controlling a significant number of machines, it is a potential threat to the health of any system whose security updates (OS and applications) are not kept up to date.
Related Information
YES Exploit System. Manipulating the attacker's security
Unique Sploits Pack. Crimeware to automate the exploitation of vulnerabilities
# Jorge Mieres
Sunday, May 24, 2009
YES Exploit System. Manipulating the attacker's security
Some of them want to use you. Some of them want to get used by you. Some of them want to abuse you. Some of them want to be abused
I wanna use you and abuse you. I wanna know what's inside you.
I wanna use you and abuse you. I wanna know what's inside you.
Eurythmics - 1983
Any layer of security implemented in an information environment seeks to protect our assets from potentially hostile and harmful actions, among which malicious code is one of the greatest dangers that these security schemes are directed against and try to protect from.
In this sense, the applications developed to spread crimeware threats and form botnets (e.g. Zeus, Unique, LeFiesta, YES Exploit, among many others), where each infected node (zombie) is then administered via the web through a control panel, are setting a trend that makes malicious activity on the Internet difficult to remove.
However, it is very pleasant to see that, in many cases, the protective measures we seek through various schemes are not taken into account on the crimeware side :D, leaving the door of the "park" open for many of us to be "amused" by exploiting their weaknesses.
And this is not so unreasonable when you consider that this is program code which, like any other, is always prone to a number of programming bugs, bad settings or default settings.
Thus, the lack of security played against a copy of a known and active management and control kit called YES Exploit System ...
...which, after bypassing its authentication scheme, gave access to detailed information on each node that is part of the botnet administered through the crimeware.
Consequently, whoever manipulates a large number of computers ended up being manipulated :-)
However, it is a good opportunity to see the statistical data stored by malicious applications. Among them:
- Browsers, and their respective versions, whose vulnerabilities are exploited
- Different platforms compromised
- Controlled machines
- Country of origin of each infected node
We also note that there are controlled machines on MacOS and Linux platforms. While neither platform has as many victims as Microsoft platforms, this marks a slowly growing trend of malicious code developed for them.
Related Information
YES Exploit System. Another crimeware made in Russia
ZeuS Carding World Template. Playing at changing the face of the botnet
Adrenalin botnet: command zone. Russian crimeware sets the trend
Chamaleon botnet. Administration and monitoring of downloads
Unique Sploits Pack. Crimeware to automate the exploitation of vulnerabilities
Barracuda Bot. Actively exploited botnet
Online creation of polymorphic malware based on PoisonIvy
# Jorge Mieres
Wednesday, May 20, 2009
Massive spread of malware through fake entertainment sites
Cases of spreading malicious code through various methods of deception are an essential part of the malware-spreading cycle that developers employ.
The resources offered on the Internet for entertainment purposes are often among the most exploited targets for the dissemination of harmful code, and to that end I have received many inquiries about sites hosting children's entertainment material regarding any injection of malicious code or downloading of malware.
A concrete example is the deception strategy that takes advantage of social engineering to exploit the visual resources sought in the massive cloud of information, of which I have shown several examples.
In this regard, other alternatives maliciously conceived in the mind of a developer are intentionally malicious sites created for the spread of malicious code.
For example, a fake eMule project site (the famous client for downloading files via P2P networks), from where you download a binary called:
- Official-eMule_setup.exe (MD5: 71f0aa3305d5e87c0cbcfba0c2bb3425)
Or a fake site for the video player Live Player, from which you download an executable named:
- Live-Player_setup.exe (MD5: 1f9e21ffbf6030f1f1bd77e0ba57368c)
This is being actively exploited through a campaign that includes massively used website promotion programs. The domains involved are:
Searching for these sites even shows good web positioning, perhaps achieved through Black Hat SEO techniques.
This shows the "enthusiasm" that the creators and disseminators of malware put into these criminal acts, clearly seeking to mislead users by attracting attention to malware promoted through fake sites.
Related Information
Campaign spreading XP Antivirus Police through Visual Social Engineering - Spanish version
# Jorge Mieres
Thursday, May 14, 2009
Black Hat SEO strategy proposed by Waledac
Waledac is the name of the trojan that recruits zombie PCs to form part of its botnet, whose main function is the propagation of one of the most common spam campaigns we receive daily: Canadian Pharmacy.
Many security professionals say it is the evolution of another famous botnet: Storm, or Nuwar, depending on the antivirus company.
Like Storm, one of the most interesting features of Waledac, besides its use of advanced techniques such as Fast-Flux, is its social engineering strategies, which in its case began with a campaign on Valentine's Day and are renewed every so often, its latest maneuver being a supposed program for sending SMS messages.
However, Waledac also uses web positioning techniques in unethical ways, called Black Hat SEO, to attract strategic visits to different domains, which now redirect to the fraudulent online pharmacy that is used to spread the trojan.
Some of the domains used by this threat are:
Each of the domains was created strategically, using words to compose the URL. Among them:
valentine - your - day - virtual - sms - break - king - news - urban - terror - fear - mobile - china - blog - life - best - anti - poems - ship - love - central - online - great - coupon - club - ltd - free - adore - poem - lyric - world - sales - super - portal - code - site - eye - blue - dot - funny - smart - group - fun - songs - wireless - city - wap - link - good - review - who - cher - help - radio - report - the - lovers - long - fm - michigan - chat - loving - romantics - track - cherish - space - my - digital - country - discount - tax - tnt - letter - against - mazda - car - speed - zone - dealer - cars - buy - tribute - auto - motive - parts - death - taxi - work - care - direct - pet - cab - bead - net - ming - water - data - lose - can - pool - all - pond - wager - team - doc - now - fast - bank - expo - wale - job - barack - obama - guide - greeting - december - christmas - lights - year - regards - white - mira - bella - project - company - top - father - its - media - just - gift - garb - live - cheap - service - home - black
This is the Black Hat SEO campaign that Waledac uses to attract potential victims, and malicious code increasingly uses web positioning to ensure early access to malicious sites created to spread malware.
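As an added illustration (not code from the post or from Waledac), the following Python script scores how completely a hostname's second-level label can be tiled with words from the keyword list quoted above, a triage heuristic for spotting hostnames assembled from a campaign's lexicon. The dynamic programme, the `min_len` filter and the 0.8 threshold are my own assumptions, not something the post describes.

```python
"""Heuristic: how much of a hostname's second-level label can be tiled with
keywords from the Waledac Black Hat SEO word list quoted in the post?"""

# Keyword list as published in the post (the " - " separators removed).
WALEDAC_WORDS = frozenset("""
valentine your day virtual sms break king news urban terror fear mobile china
blog life best anti poems ship love central online great coupon club ltd free
adore poem lyric world sales super portal code site eye blue dot funny smart
group fun songs wireless city wap link good review who cher help radio report
the lovers long fm michigan chat loving romantics track cherish space my digital
country discount tax tnt letter against mazda car speed zone dealer cars buy
tribute auto motive parts death taxi work care direct pet cab bead net ming
water data lose can pool all pond wager team doc now fast bank expo wale job
barack obama guide greeting december christmas lights year regards white mira
bella project company top father its media just gift garb live cheap service
home black
""".split())


def second_level_label(hostname: str) -> str:
    """Return the label left of the TLD ('yourvalentineday' for
    'www.yourvalentineday.com'). Assumes a one-label TLD such as .com/.net."""
    labels = hostname.lower().rstrip(".").split(".")
    return labels[-2] if len(labels) >= 2 else labels[0]


def keyword_coverage(label: str, words=WALEDAC_WORDS, min_len: int = 3):
    """Maximise the number of characters of `label` covered by non-overlapping
    dictionary words; gaps are allowed and simply count as uncovered.
    Returns (fraction_covered, segments) with the chosen words in order.
    Words shorter than min_len are ignored because two-letter tokens such as
    'fm' or 'my' match almost any string by chance (assumed cut-off)."""
    n = len(label)
    if n == 0:
        return 0.0, []
    longest = max(len(w) for w in words)
    best = [0] * (n + 1)        # best[i]: max covered chars within label[:i]
    choice = [None] * (n + 1)   # word ending exactly at i that achieved best[i]
    for i in range(1, n + 1):
        best[i], choice[i] = best[i - 1], None      # label[i-1] left uncovered
        for j in range(max(0, i - longest), i - min_len + 1):
            w = label[j:i]
            if w in words and best[j] + (i - j) > best[i]:
                best[i], choice[i] = best[j] + (i - j), w
    segments = []
    i = n
    while i > 0:                # walk back through the recorded choices
        if choice[i] is None:
            i -= 1
        else:
            segments.append(choice[i])
            i -= len(choice[i])
    segments.reverse()
    return best[n] / n, segments


def flag_hostname(hostname: str, threshold: float = 0.8) -> bool:
    """True when the second-level label is (almost) entirely built from the
    campaign's keywords. The threshold is an assumed tuning value."""
    coverage, _ = keyword_coverage(second_level_label(hostname))
    return coverage >= threshold


if __name__ == "__main__":
    # Constructed sample: two labels from the post's domain list, one benign.
    for host in ("www.yourvalentineday.com", "usabreakingnews.com", "wikipedia.org"):
        cov, segs = keyword_coverage(second_level_label(host))
        print(f"{host:28} coverage={cov:.2f} segments={segs} flagged={flag_hostname(host)}")
```

Note that "usabreakingnews" scores only 0.60, because "break" and "king" overlap on the letter k and "usa" is not in the list; the post's list appears to have been cut from the domains rather than the other way round.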
Related Information
Waledac. Follow-up of a latent threat - Spanish version
Waledac more loving than ever - Spanish version
Waledac, Social Engineering and Saint Valentine's Day - Spanish version
# Jorge Mieres
Sunday, May 10, 2009
Adrenalin botnet. Russian crimeware sets the trend
To the different crimeware packages we have briefly dealt with from time to time, Adrenalin is added.
Another Russian-made crimeware only a few months old, which doesn't purport to be better or worse than others of its family, nor, almost certainly, does it dislike "working" in conjunction with other crimeware :-)
This last sentence looks like a sales pitch, but it actually reflects a little of the current situation of malware spreading and crimeware use, something we saw in Scripting attack II.
And we say that Adrenalin isn't very different from the others because it also allows malicious code to spread by hiding exploits in obfuscated scripts injected into the source code of web pages, use of Drive-by-Download, theft of information through a sniffer, administration and remote control via web, etc.
However, it has some characteristics that differentiate it from the others and perhaps also explain its high cost compared to its competitors (approximately USD 3500), such as:
- Collection of digital certificates,
- Different methods of injection of viral code,
- Makes use of local pharming to achieve the required redirects without the user noticing,
- Implements a keylogger with screen capture,
- Implements evasion techniques to avoid detection by security tools like firewalls and anti-rootkits,
- Specific modules for wiping its traces (fingerprints),
- Encryption of the information it collects.
As can be clearly seen, the trend is that the Internet is the greatest exponent of attack platforms, notably through crimeware applications, as we have been commenting regularly on this blog.
Still, a couple of questions are going around in my head, which basically translate into: why are there more and more automated crimeware packages? Why the high cost?
Trying to analyze it a little, maybe those of us dedicated to the security field have the answers before our eyes in everyday life. The answer to the first question may have a perspective biased toward the money channeled; that is, of course, information is the documentation of greatest value (however small it is and regardless of its classification), and bearing in mind that cyber-criminals look to get money with this information, they have transformed the world of malware into a big business, highly profitable and difficult to break.
On the other hand, this is a problem that cannot be separated from the fact that crimeware is offered with 24x7 technical support, which means that more and more criminally-minded users are running as candidates in the search for the economic benefit that crimeware, in the broadest sense of the word, offers as a criminal organization via the Internet.
On the second, perhaps the answer is directly related to the fact that the cost of buying a kit of this style can be recovered very quickly, especially bearing in mind that the botnets administered through these applications are often rented to other botmasters, spammers or other characters of this dark underworld which, as I mentioned in another post, reminds me of the stories of William Gibson in Neuromancer.
Related Information
Zeus Carding World Template. Change the playing side of the botnet - Spanish version
Financial institutions targeted by the botnet Zeus. Part two - Spanish version
Financial institutions targeted by the botnet Zeus. Part one - Spanish version
YES Exploit System. Another crimeware made in Russia - Spanish version
Russian prices of crimeware - Spanish version
Barracuda Bot. Actively exploited botnet
Unique Sploits Pack. Crimeware to automate the exploitation of vulnerabilities
Danmec Bot, Fast-Flux networks and recruitment of zombie PCs
Creating Online polymorphic malware based PoisonIvy - Spanish version
# Jorge Mieres
Friday, May 8, 2009
Visual social engineering and the use of pornography as a vehicle of propagation and infection II
As Kevin Mitnick once said, "People aren't prepared for deception through technology." Perhaps this statement, on which many of us who specialize in the security field agree, is part of the answer to why this technique is so effective.
Basically, it's once again the kind of social engineering that uses visual images of pornography to spread malware.
The modus operandi, as always, is the image of a supposed video, but when you click to play it an alert window appears indicating a missing codec, which is actually the malware being spread:
- codec.exe 32/40 (80%) - (MD5: 2b128610c3c32bc6d1da4bbf97901768)
This shows the "universality" of the technique: it does not respond to a specific type of malware but is a highly exploited vector to trick users and spread threats through a subject in widespread demand on the Internet, such as pornography.
Related Information
Visual social engineering and the use of pornography as a vehicle of propagation and infection - Spanish version
Campaign spreading XP Antivirus Police through Visual Social Engineering - Spanish version
New strategy of social engineering to spread IE Defender - Spanish version
# Jorge Mieres
Thursday, May 7, 2009
Zeus Carding World Template. Change the playing side of the botnet
It's clear that cybercriminals spend much time thinking about new ways of propagation/infection and social engineering strategies with the aim of attracting more "slaves" on the Internet :-)
Though it may seem trivial, it is anything but casual; it is a response to organized crime, for which malicious code is the main weapon of the current Russian crimeware industry, one of its greatest exponents.
However, it appears that the "bad guys" occasionally take a break to "play" at improving the design of their creations from a visual point of view.
This is the case of a template that is not new (I remember seeing something about it), created to improve the look of the Zeus botnet administration skin. Surely created by some bored botmaster to sell the same control interface :-)
This template completely changes the look of the boring and monotonous default interface that Zeus ships with, transforming it into something ... a little more friendly. In fact, some versions of this crimeware are sold with the template already built in.
This is how Zeus looks by default, during the installation process of the botnet and...
...and during the authentication process to access the administration panel.
After applying the template, the panel looks as follows:
As for the authentication interface, it looks as follows:
The design, as the template name suggests, refers to offenses involving unlawful use of numbers and credit cards by a third party (carding) and the picture does justice to it.
This gives us a clear idea about what those who operate from the village of cybercrime are looking for: fraudulently obtaining money by exploiting the human factor.
Related Information
Financial institutions targeted by the botnet Zeus. Part two - Spanish version
Financial institutions targeted by the botnet Zeus. Part one - Spanish version
Zeus botnet. Mass propagation of trojan. Part two - Spanish version
Zeus botnet. Mass propagation of trojan. Part one - Spanish version
LuckySploit, the right hand of Zeus - Spanish version
# Jorge Mieres
Wednesday, May 6, 2009
EventPairHandle as Anti-Dbg Trick
Abstract: An EventPair Object is an Event constructed from two _KEVENT structures, conventionally named High and Low. EventPairs are used for synchronization in Quick LPC; they allow the called thread to continue in the current quantum, reducing scheduling overhead and latency. Now, looking at the basic operations a debugger needs to accomplish, we can see that these tasks are conceptually simple: when the target is running normally the debugger is sleeping, but when certain events occur the debugger wakes up. It becomes clear that there is a strict relation between generic Event Objects and debuggers, because a debugger has to create a custom Event, called DebugEvent, able to handle exceptions. Due to the presence of Events owned by the debugger, all information relative to the Events of a normal process differs from that of a debugged process.
Tuesday, May 5, 2009
Visual social engineering and the use of pornography as a vehicle of propagation and infection
Deception strategies are diverse and limited only by the imagination of those who exploit them. Considering also that sites with pornographic content are among the most in-demand resources on the Internet, it is logical that they are abused for malicious ends, as usual through social engineering of the visual kind.
This is a resource that probably no malware distributor plans to shelve for a long time, and regardless of the presentation used to display a pornographic video that will of course never be shown, the goal is always the same: money.
The following sequence of images is a concrete example of a social engineering technique that will never go out of style. Suppose, hypothetically, that we have arrived at the following site through one of the many routes the Internet offers. This is usually the point where we tend to "choose" the type of video...
...and after selecting one, the typical streaming video window appears.
After a few seconds comes a reminder that we need to install a component in order to view the content, and the download of that component is immediately offered; it is, of course, actually a piece of malware with a low detection rate.
- set.exe 6/40 (15.00%) - (MD5: a39b53afa8ac6bfb52b4ec16c0630916)
- BB-Player.exe 28/40 (70%) - (MD5: 8d2e1cf60f7fdf9edca3dfba5bf73cc0)
Related Information
Campaign spreading XP Antivirus Police through Visual Social Engineering - Spanish version
New strategy of social engineering to spread IE Defender - Spanish version
# Jorge Mieres
Sunday, May 3, 2009
Scareware propagation campaign: MalwareRemovalBot
Registering multiple domains on a single IP address is one of the methods used to propagate scareware, because it allows a consistent (if unethical) web positioning, widening the range of possibilities that a desperate user will reach a site that promises, through its fake product, a magical solution to their problems or a so-called layer of security for their computer against potential infections.
Obviously scareware (or rogue software), like any other malicious code, adds to the revenue of the criminal organization it represents, which is constantly looking for economic gain; it is often part of crimeware packages such as Unique Sploits Pack, which incorporates a module for spreading scareware.
In this case it is the scareware MalwareRemovalBot. Although it isn't anything new, it is now appearing through different domain names hosted on the same IP address (174.132.250.194), presumably on virtual servers.
Some of the domains involved in this campaign are:
antivirus360remover .com
av360removaltool .com
malwarebot .org
malwaree .com
malwaree .org
remove-a360 .com
remove-antivirus-360 .com
remove-av360 .com
remove-ie-security .com
remove-malware-defender .com
remove-personal-defender .com
remove-spyware-guard .com
remove-spyware-protect-2009 .com
remove-spyware-protect .com
remove-system-guard .com
remove-total-security .com
remove-ultra-antivir-2009 .com
remove-ultra-antivirus-2009 .com
remove-virus-alarm .com
remove-virus-melt .com
remove-winpc-defender .com
smitfraudfixtool .com
vundofixtool .com
www.antivirus360remover .com
www.av360removaltool .com
www.malwarebot .org
www.malwaree .com
www.malwaree .org
www.remove-a360 .com
www.remove-antivirus-360 .com
www.remove-av360 .com
www.remove-ie-security .com
www.remove-ms-antispyware .com
www.remove-personal-defender .com
www.remove-spyware-guard .com
www.remove-spyware-protect-2009 .com
www.remove-spyware-protect .com
www.remove-system-guard .com
www.remove-total-security .com
www.remove-ultra-antivir-2009 .com
www.remove-ultra-antivirus-2009 .com
www.remove-virus-alarm .com
www.remove-virus-melt .com
www.remove-winpc-defender .com
www.vundofixtool .com
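The domain list above is published defanged (a space before the TLD) and in both bare and www. forms. The following is an added example, not code from the blog or from any tool it mentions: it refangs a constructed excerpt of that list into a normalised blocklist, then runs a constructed DNS query log against it and groups the names seen per answer IP, which is what makes the many-domains-on-one-IP pattern of this campaign visible. The function names, the log format and the log contents are assumptions for the example.

```python
import re
from collections import defaultdict

# Constructed excerpt of the post's defanged domain list (the " .tld" gap is the post's
# defanging convention); the real list is longer, this is just enough to exercise the parser.
DEFANGED_DOMAINS = """
antivirus360remover .com
av360removaltool .com
malwarebot .org
remove-av360 .com
www.antivirus360remover .com
www.remove-ms-antispyware .com
"""

# The IP address the post reports all of these names resolving to.
CAMPAIGN_IP = "174.132.250.194"


def refang(entry: str) -> str:
    """Close the ' .tld' gap so the entry becomes a normal, lower-cased hostname."""
    return re.sub(r"\s+\.", ".", entry.strip()).lower()


def registrable_name(host: str) -> str:
    """Drop a leading 'www.' so both forms of a domain collapse onto one blocklist key."""
    return host[4:] if host.startswith("www.") else host


def load_blocklist(text: str) -> set[str]:
    """Parse a defanged list into a set of normalised domain names."""
    return {registrable_name(refang(line)) for line in text.splitlines() if line.strip()}


# Constructed DNS query log: "<timestamp> <client> <qname> <answer-ip>" per line.
DNS_LOG = """\
2009-05-03T10:00:01 10.0.0.5 www.example.com 93.184.216.34
2009-05-03T10:00:07 10.0.0.9 WWW.REMOVE-AV360.COM 174.132.250.194
2009-05-03T10:00:09 10.0.0.9 malwarebot.org 174.132.250.194
2009-05-03T10:00:12 10.0.0.7 cdn.example.net 174.132.250.194
"""


def triage(log: str, blocklist: set[str], campaign_ip: str):
    """Return (hits, by_ip).

    hits  - (timestamp, client, name, reason) for queries worth reviewing: the name is
            on the blocklist, or it resolved to the campaign IP without being listed yet.
    by_ip - answer IP -> set of distinct names that resolved to it, which makes the
            many-domains-on-one-IP pattern the post describes visible at a glance.
    """
    hits = []
    by_ip = defaultdict(set)
    for line in log.splitlines():
        ts, client, qname, answer = line.split()
        name = registrable_name(qname.lower())
        by_ip[answer].add(name)
        if name in blocklist:
            hits.append((ts, client, name, "listed"))
        elif answer == campaign_ip:
            # Shared hosting can put unrelated sites on the same IP, so this is a
            # review hint, not a verdict.
            hits.append((ts, client, name, "resolves-to-campaign-ip"))
    return hits, dict(by_ip)


if __name__ == "__main__":
    hits, by_ip = triage(DNS_LOG, load_blocklist(DEFANGED_DOMAINS), CAMPAIGN_IP)
    for hit in hits:
        print(*hit)
    print("names seen on", CAMPAIGN_IP, sorted(by_ip[CAMPAIGN_IP]))
```

The second reason code is deliberately weaker than a blocklist hit: the post itself notes the domains are probably on virtual servers, and shared hosting means an unrelated site can share the address, so a name that merely resolves there should be reviewed rather than blocked outright.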
The threat's executable file (MD5: 08a0b7b100567eb5a1373eb4607d5b24) is named setupxv.exe and has a low detection rate: only 11 of 39 antivirus engines detect it :(
This binary is only a wrapper containing the other pieces of malware, such as the executables that run on 32-bit or 64-bit Microsoft platforms depending on the case. Among the files are:
- MalwareRemovalBot64.msi - 0/40 (0%) (MD5: 708149179e0f18304413edd56d16fa48)
- MalwareRemovalBot.msi - 0/40 (0.00%) (MD5: e1a1c6175d65ab6be8d5f5cbc85a4ca6)
- MSIStart.exe - 7/40 (17.50%) (MD5: 3de82388a6e799446bada69b6a08dc9e)
- zlib.dll - 2/40 (5%) (MD5: 81ac3f43a5b07d202b5723145d3d88f9)
- TCL.dll - 5/40 (12.5%) (MD5: 2a4a0083d63d44374a64a27974eea789)
- SpyCleaner.dll - 13/40 (32.5%) (MD5: 1ca00d4ef4319c9cd454397e5659600b)
- MalwareRemovalBot.srv.exe - 3/40 (7.50%) (MD5: 852f708466a5b74556b69c536d3add7e)
- MalwareRemovalBot.exe - (MD5: 25166bb5d2629cb6dfb9ac6143b88f00)
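Both this file list and the two hashes in the pornography post above share one format: a file name, an optional "detections/engines (percent)" ratio, and an MD5. The following is an added example, not code from the blog or from any tool it mentions: it parses lines in that format (including the run-together spacing variant and the entry with no ratio) into records, picks out the low-detection samples, and looks up local files by MD5 against the published hashes. The hashes in the constructed lines are the posts' own; the extra entry, its blob and all function names are constructed for the example.

```python
import hashlib
import re
from dataclasses import dataclass
from typing import Optional


def md5_hex(data: bytes) -> str:
    """MD5 of a byte string, used only as a lookup key for published IoCs."""
    return hashlib.md5(data).hexdigest()


# Constructed lines in the format the posts use, including the run-together spacing and
# the entry with no detection ratio; the hashes are the posts' own.
DETECTION_LINES = """\
- set.exe6/40 (15.00%) - (MD5: a39b53afa8ac6bfb52b4ec16c0630916)
- BB-Player.exe 28/40 (70%) - (MD5: 8d2e1cf60f7fdf9edca3dfba5bf73cc0)
- MalwareRemovalBot64.msi - 0/40 (0%) (MD5: 708149179e0f18304413edd56d16fa48)
- MalwareRemovalBot.exe - (MD5: 25166bb5d2629cb6dfb9ac6143b88f00)
"""

# A constructed, harmless blob and a matching entry so the lookup can be exercised offline.
CONSTRUCTED_BLOB = b"constructed test payload, not malware\n"
CONSTRUCTED_LINE = f"- constructed.bin - 1/40 (2.5%) (MD5: {md5_hex(CONSTRUCTED_BLOB)})"


@dataclass(frozen=True)
class Sample:
    name: str
    detected: Optional[int]   # None when the post gives no ratio
    engines: Optional[int]
    md5: str


LINE_RE = re.compile(
    r"^-\s*(?P<name>.+?)\s*-?\s*"                              # file name, optional dash
    r"(?:(?P<det>\d+)/(?P<tot>\d+)\s*\([\d.]+%\)\s*-?\s*)?"   # optional "n/N (p%)"
    r"\(MD5:\s*(?P<md5>[0-9a-fA-F]{32})\)\s*$"
)


def parse_detection_lines(text: str) -> list[Sample]:
    """Turn '- name n/N (p%) (MD5: ...)' lines into Sample records; other lines are skipped."""
    samples = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        det = m.group("det")
        samples.append(Sample(
            name=m.group("name").strip(),
            detected=int(det) if det else None,
            engines=int(m.group("tot")) if det else None,
            md5=m.group("md5").lower(),
        ))
    return samples


def low_detection(samples: list[Sample], max_ratio: float = 0.25) -> list[Sample]:
    """Samples with a known ratio at or below max_ratio (the 'low detection' cases)."""
    return [s for s in samples
            if s.detected is not None and s.detected / s.engines <= max_ratio]


def match_files(files: dict[str, bytes], samples: list[Sample]) -> dict[str, Sample]:
    """Map each file whose MD5 equals a published hash to the matching record."""
    by_md5 = {s.md5: s for s in samples}
    found = {}
    for fname, data in files.items():
        digest = md5_hex(data)
        if digest in by_md5:
            found[fname] = by_md5[digest]
    return found


if __name__ == "__main__":
    samples = parse_detection_lines(DETECTION_LINES + CONSTRUCTED_LINE)
    for s in low_detection(samples):
        print("low detection:", s.name, s.detected, "/", s.engines, s.md5)
    print(match_files({"constructed.bin": CONSTRUCTED_BLOB, "benign.txt": b"hello"}, samples))
```

An exact-hash lookup only finds byte-identical copies; a repacked or padded build of the same scareware gets a new MD5 and is missed, which is why the detection ratios above matter more than the hashes themselves for judging exposure.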
Related Information
Continuing the important and massive campaign scareware - Spanish version
Campaign scareware infection through false Windows Explorer - Spanish version
Campaign spreading XP Antivirus Police through Visual Social Engineering - Spanish version
# Jorge Mieres
Friday, May 1, 2009
2 Tools Released
Tool 1:
BHO Remover
BHO stands for Browser Helper Object, a plugin written for Internet Explorer to extend its capabilities. This feature is misused by many spyware programs, which monitor the user's browsing habits and silently steal the user's credentials. Some BHOs also slow the system down considerably.
BHORemover helps in quickly identifying and eliminating such malicious BHOs present in the system. It not only displays detailed information about each BHO entry but also provides an online verification mechanism that makes it easy to differentiate between legitimate and malicious plugins.
The current version of BHORemover comes with an enhanced user interface, a sorting mechanism to arrange the entries by various parameters, and online verification of BHOs using ProcessLibrary.com.
Click Here
Tool 2:
Advanced Windows Service Manager
A 'Windows Service' is a program designed to perform a specific service; it is started automatically when Windows boots and runs as long as the system is up. Services normally run with 'System' privilege, enabling them to perform higher-privilege operations that normal processes cannot. Because of these advantages, malware often uses services to monitor and control the target system.
AdvancedWinServiceManager makes it easy to eliminate such malicious services by separating third-party services from Windows services. By default it shows only third-party services, along with details such as Company Name, Description, Install Date and File Path in one place, which helps in quickly differentiating between legitimate and malicious services. It comes with features such as detecting hidden rootkit services, exporting the service list to an HTML-based log file, and displaying only third-party services. All these things make it stand apart from the 'Windows Service Management Console'.
Click Here
Author: Nagareshwar Talekar.
Thank you.
-EF