Friday, May 29, 2009

Spy DLL Remover v2

Rootkit Analytics is proud to announce the release of SpyDLLRemover v2.

SpyDLLRemover is a standalone tool to detect and delete spyware from the system. It comes with an advanced spyware scanner which quickly discovers hidden rootkit processes as well as suspicious/injected DLLs within all running processes. It not only performs automated analysis of process DLLs but also displays them with threat levels, which greatly helps in quickly identifying malicious DLLs.

One of the unique features of SpyDLLRemover is its ability to unload a DLL from a remote process using an advanced DLL injection method which can defeat any existing rootkit tricks. It also uses low-level anti-rootkit techniques to uncover hidden userland rootkit processes and to terminate them.

The newer version comes with other features such as HTML-based report generation, sorting of the process/DLL list for quick analysis, an enhanced user interface, etc.

To know more or to download the tool, CLICK HERE

EF

Thursday, May 28, 2009

Unique Sploits Pack. Manipulating the attacker's security II

Unique Sploits Pack is another alternative offered by the underworld of illegal Russian crimeware sales. However, it has a peculiarity compared to others of its kind: it incorporates a module called Vparivatel through which rogue software is spread via social engineering.

In this case, this is a beta version of the crimeware that is apparently fairly active; in the few days we have been following it, after "violating" its authentication scheme, it has not achieved a striking level of infection and therefore has not recruited a significant number of zombies.

Still, this threat is active and spreading threats, but before looking at the malicious code it spreads, let us look a little at some statistics that give us a fairly specific picture of the botnet's activity.

From these we can see:
  • The operating system most exploited by this crimeware is Windows XP SP1.
  • Second place is occupied by "other", non-Windows platforms.
  • Windows XP SP2 is third in the list of most used OS.
  • Internet Explorer versions 5.5, 6.0, 7.0 and Firefox 3.0.5 are the browsers most broken into by the crimeware's threats.
  • The "others" item among browsers refers to browsers such as Opera and Amaya.
As for the zombies it has succeeded (so far) in recruiting, they are in different countries, as can be seen in the image below.

However, the Vparivatel module does not seem as effective so far, as it shows no "positive" activity for the botmaster ;-P

Among the threats spread by Unique Sploits Pack are, by Kaspersky's identification:
The first one has a poor detection rate of 27.50% based on 40 antivirus engines (11/40) and the second a slightly higher rate of 43.59%, i.e. 17 of 40 antivirus companies detect the threat.

These malicious codes are spread through various vulnerabilities, some newer than others, but despite the age of most of the vulnerabilities exploited by this crimeware, they remain very effective.

It not only exploits vulnerabilities in popular web browsers (IE, Firefox and Opera) but also two vulnerabilities in PDF readers currently in widespread use: Adobe Acrobat Reader and Foxit Reader.

As mentioned at the beginning, this crimeware package is now spreading malware by proactively exploiting different vulnerabilities on victims' computers, and despite not having a significant number of controlled machines for the time being, it is a potential threat to the health of any system that is not kept up to date with security updates (OS and applications).

Related Information
YES Exploit System. Manipulating the attacker's security
Unique Sploits Pack. Crimeware to automate the exploitation of vulnerabilities

# Jorge Mieres

Sunday, May 24, 2009

YES Exploit System. Manipulating the attacker's security

Some of them want to use you. Some of them want to get used by you. Some of them want to abuse you. Some of them want to be abused
I wanna use you and abuse you. I wanna know what's inside you.
Eurythmics - 1983

Any layer of security implemented in an information environment seeks to protect our assets from potentially hostile and harmful actions, among which malicious code is one of the greatest dangers that these security schemes are directed against and try to protect from.

In this sense, the applications developed to spread crimeware threats and form botnets (e.g. Zeus, Unique, LeFiesta, YES Exploit, among many others), where each infected node (zombie) is then administered via the web through a control panel, are setting a trend in malicious Internet activity that is difficult to eradicate.

However, it's very pleasant to see that the protective measures we seek through various schemes are, in many cases, not taken into account on the crimeware side :D, leaving the door to the "park" open for many of us who can "amuse" ourselves by exploiting their weaknesses.

And this is not so unreasonable when you consider that this is program code which, like any other, is always prone to a number of programming bugs, bad settings or default settings.

Thus, the lack of security played against the owner of a copy of a known and active management and control kit called YES Exploit System ...

...which, after its authentication scheme was bypassed, gave access to detailed information on each node that is part of the botnet administered through the crimeware.

Consequently, whoever controls a large number of computers ended up being manipulated in turn :-)

However, it's a good opportunity to see the statistical data stored by malicious applications. Among them:
  • Browsers, and their respective versions, whose vulnerabilities are exploited
  • Different platforms violated
  • Controlled machines
  • Country of origin of each infected node
In addition to other information relevant to the attacker in knowing what kind of exploit to use in relation to the technology in use (IE 7 and Windows XP).

However, we also note that there are controlled machines on MacOS and Linux platforms. While both platforms don't have as many victims as Microsoft platforms, this marks a slowly growing trend in malicious code developed for them.

Wednesday, May 20, 2009

Massive spread of malware through fake entertainment sites

Cases of spreading malicious code through various methods of deception are an essential part of the malware spreading cycle that developers employ.

Resources offered on the Internet for entertainment purposes are often among the most exploited targets for the dissemination of harmful code, and to that end I have received many inquiries about sites hosting children's entertainment material with some injection of malicious code or malware download.

A concrete example is the deception strategy that takes advantage of social engineering to exploit the visual resources sought in the massive cloud of information, of which I have shown several examples.

In this regard, other alternatives maliciously engendered in the mind of a developer are intentionally malicious sites created for the spread of malicious code.

For example, a fake Emule project site (the famous client for downloading files via P2P networks), from where you download a binary called
Currently with a very low detection rate: only 3 of 40 antivirus engines.

Or a fake site for the video player Live Player, from which you download an executable named
Detected by 9 of 40 antivirus engines.

This is actively being exploited through a campaign that includes massively used website promotion programs. The domains involved are:

Even a search for these sites yields good web positioning, perhaps obtained through Black Hat SEO techniques.

This proves the "enthusiasm" that the creators and disseminators of malware put into these criminal acts, clearly seeking to mislead users by attracting their attention with propaganda methods that promote malware through fake sites.

Related Information
Campaign spreading XP Antivirus Police through Visual Social Engineering - Spanish version

# Jorge Mieres

Thursday, May 14, 2009

Black Hat SEO strategy proposed by Waledac

Waledac is the name of the trojan that recruits zombie PCs to be part of its botnet, whose main function is the propagation of one of the most common spam we receive daily: Canadian Pharmacy.

Many security professionals say it's the evolution of another famous botnet: Storm, or Nuwar, depending on the antivirus company.

Like Storm, one of the most interesting features of Waledac, besides the use of advanced techniques such as Fast-Flux, is its social engineering strategies, which in its case began with a propaganda campaign on Valentine's Day and are renewed every so often, its latest maneuver being a supposed program for sending SMS messages.

However, Waledac also uses web positioning techniques in unethical ways, known as Black Hat SEO, to attract strategic visits to different domains, which were used to spread the trojan and now redirect to the fraudulent online pharmacy.

Some of the domains used by this threat are:

Each of the domains was created strategically, using words to form the composition of the URL. Among them:

valentine - your - day - virtual - sms - break - king - news - urban - terror - fear - mobile - china - blog - life - best - anti - poems - ship - love - central - online - great - coupon - club - ltd - free - adore - poem - lyric - world - sales - super - portal - code - site - eye - blue - dot - funny - smart - group - fun - songs - wireless - city - wap - link - good - review - who - cher - help - radio - report - the - lovers - long - fm - michigan - chat - loving - romantics - track - cherish - space - my - digital - country - discount - tax - tnt - letter - against - mazda - car - speed - zone - dealer - cars - buy - tribute - auto - motive - parts - death - taxi - work - care - direct - pet - cab - bead - net - ming - water - data - lose - can - pool - all - pond - wager - team - doc - now - fast - bank - expo - wale - job - barack - obama - guide - greeting - december - christmas - lights - year - regards - white - mira - bella - project - company - top - father - its - media - just - gift - garb - live - cheap - service - home - black

This corresponds to the Black Hat SEO campaign that Waledac uses to attract potential victims; malicious code increasingly uses web positioning to ensure early access to the malicious sites created to spread malware.
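As an added illustration of the keyword-composition pattern described above (example code written for this page, not from the original post), the script below segments each Waledac domain label against the post's own word list and flags labels that are mostly assembled from it; the 0.75 threshold and the benign control domain example.com are assumptions.

```python
"""Segment domain labels against the Waledac SEO word list (added example)."""
from __future__ import annotations

import re
from dataclasses import dataclass

# Vocabulary: the words the post lists as building blocks of the Waledac domains.
KEYWORDS = frozenset("""
valentine your day virtual sms break king news urban terror fear mobile china blog
life best anti poems ship love central online great coupon club ltd free adore poem
lyric world sales super portal code site eye blue dot funny smart group fun songs
wireless city wap link good review who cher help radio report the lovers long fm
michigan chat loving romantics track cherish space my digital country discount tax
tnt letter against mazda car speed zone dealer cars buy tribute auto motive parts
death taxi work care direct pet cab bead net ming water data lose can pool all pond
wager team doc now fast bank expo wale job barack obama guide greeting december
christmas lights year regards white mira bella project company top father its media
just gift garb live cheap service home black
""".split())


@dataclass
class Segmentation:
    pieces: list[tuple[str, bool]]  # (chunk, True if chunk is a vocabulary word)
    coverage: float                 # share of characters covered by vocabulary words

    @property
    def words(self) -> list[str]:
        return [chunk for chunk, known in self.pieces if known]

    @property
    def unknown(self) -> list[str]:
        return [chunk for chunk, known in self.pieces if not known]


def segment(label: str, vocab: frozenset[str] = KEYWORDS) -> Segmentation:
    """Split a label into vocabulary words plus leftover unknown chunks.

    Dynamic programming over prefixes: best[i] is the best split of label[:i],
    ranked by characters covered by vocabulary words, then by fewer pieces.
    Uncovered characters are carried as unknown chunks, so a partial match
    such as "usa" + "break" + "ing" + "news" still receives a score.
    """
    n = len(label)
    # Entries are (covered_chars, -piece_count, pieces); larger tuples win.
    best: list[tuple[int, int, list[tuple[str, bool]]]] = [(0, 0, [])] * (n + 1)
    for i in range(1, n + 1):
        cov, neg, pieces = best[i - 1]
        ch = label[i - 1]
        if pieces and not pieces[-1][1]:  # extend a trailing unknown chunk
            cand = (cov, neg, pieces[:-1] + [(pieces[-1][0] + ch, False)])
        else:                             # start a new unknown chunk
            cand = (cov, neg - 1, pieces + [(ch, False)])
        for j in range(i):
            word = label[j:i]
            if word in vocab:
                pcov, pneg, ppieces = best[j]
                alt = (pcov + len(word), pneg - 1, ppieces + [(word, True)])
                if alt[:2] > cand[:2]:
                    cand = alt
        best[i] = cand
    cov, _, pieces = best[n]
    return Segmentation(pieces, cov / n if n else 0.0)


def registrable_label(domain: str) -> str:
    """Label left of the TLD; tolerates the post's defanged 'name .com' spacing."""
    parts = domain.replace(" ", "").lower().strip(".").split(".")
    label = parts[-2] if len(parts) >= 2 else parts[0]
    return re.sub(r"[^a-z]", "", label)


def triage(domains: list[str], threshold: float = 0.75) -> list[tuple[str, Segmentation]]:
    """Flag domains whose label is mostly assembled from the SEO vocabulary."""
    flagged = []
    for domain in domains:
        seg = segment(registrable_label(domain))
        if seg.coverage >= threshold:
            flagged.append((domain, seg))
    return flagged


# Four domains from the post plus one constructed benign control (example.com).
SAMPLE_DOMAINS = ["yourvalentineday .com", "usabreakingnews .com",
                  "smsclubnet .com", "urbanfear .com", "example.com"]
```

Running `triage(SAMPLE_DOMAINS)` flags the three labels fully covered by the vocabulary, while usabreakingnews scores only 0.6 because "usa" and "ing" are not in the list.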

Related Information
Waledac. Follow-up of a latent threat - Spanish version
Waledac more loving than ever - Spanish version
Waledac, Social Engineering and San Valentine Day - Spanish version

# Jorge Mieres

Sunday, May 10, 2009

Adrenalin botnet. The trend set by Russian crimeware

To the different crimeware packages that we have briefly dealt with over time, we now add Adrenalin.

Another Russian-made crimeware only a few months old, which doesn't purport to be better or worse than others of its family and which, almost certainly, dislikes "working" in conjunction with other crimeware :-)

This last sentence, which appears to be a sales pitch, actually reflects a little of the current situation in the spread of malware and the use of crimeware. Something we saw through Scripting attack II.

And we say that Adrenalin isn't very different from the others because it also allows malicious code to be spread through exploits hidden in obfuscated scripts, injection of malicious code into the source code of web pages, use of Drive-by-Download, theft of information through a sniffer, administration and remote control via web, etc.

However, it has some characteristics that differentiate it from the others, which perhaps also explain its high cost compared to its competitors (approximately USD 3500), such as:
  • Collection of digital certificates,
  • Different methods of injecting viral code,
  • Use of local pharming to achieve the required redirects without the user noticing,
  • Keylogger with screen capture,
  • Evasion techniques to avoid detection by security tools such as firewalls and anti-rootkits,
  • Specific modules for cleaning up traces,
  • Encryption of the information it collects.
Among other things, it has another striking feature that isn't novel but rather particular: it removes malware from the competition :-)

As can be clearly seen, the trend is that the Internet is the greatest exponent of attack platforms, notably through crimeware applications, as we have been commenting regularly on this blog.

Still, there are a couple of questions going around in my head, which basically translate into: why are there more and more automated crimeware packages? Why the high cost?

Trying to analyze it a little, maybe those of us dedicated to the security field have the answers before our eyes in everyday life. The answer to the first question may be biased toward the money that is channelled: of course, information is the documentation of greatest value (however small it is and regardless of its classification), and taking into account that cyber-criminals look to make money from this information, they have transformed the world of malware into a big business, highly profitable and difficult to break.

On the other hand, this problem cannot be separated from the fact that crimeware is offered with 24x7 technical support, which means that more and more criminally minded users are running as candidates in the search for the economic benefit that crimeware, in the broadest sense of the word, offers as a criminal organization via the Internet.

On the second, perhaps the answer is directly related to the fact that the cost of buying a kit of this kind can be recovered very quickly, especially bearing in mind that the botnets administered through these applications are often rented to other botmasters, spammers or other characters in this dark underworld, which, as I mentioned in another post, reminds me of the stories of William Gibson in Neuromancer.

Related Information
Zeus Carding World Template. Change the playing side of the botnet - Spanish version
Financial institutions targeted by the botnet Zeus. Part two - Spanish version
Financial institutions targeted by the botnet Zeus. Part one - Spanish version
YES Exploit System. Another crimeware made in Russia - Spanish version
Russian prices of crimeware - Spanish version
Barracuda Bot. Actively exploited botnet
Unique Sploits Pack. Crimeware to automate the exploitation of vulnerabilities
Danmec Bot, Fast-Flux networks and recruitment of zombie PCs
Creating Online polymorphic malware based PoisonIvy - Spanish version

# Jorge Mieres

Friday, May 8, 2009

Visual social engineering and the use of pornography as a vehicle of propagation and infection II

As Kevin Mitnick once said, "People aren't prepared for deception through technology." Perhaps this statement, which many of us who specialize in the security field agree with, is part of the answer to the question of why this technique is so effective.

Basically, it's again the kind of social engineering that uses pornographic images to spread malware.

The mode of operation, as always, is the image of a supposed video, but when you click to play it an alert window appears indicating the lack of a codec, which, when run, tries to spread malware.
In this case, the strategy is part of the campaign to spread a known scareware called WinPC Antivirus, whose detection rate is 80%.

This shows how "universal" the technique is: it doesn't respond to a specific type of malware, but is a highly exploited vector to trick users and spread threats through a subject in widespread demand on the Internet, such as pornography.

Related Information
Visual social engineering and the use of pornography as a vehicle of propagation and infection - Spanish version
Campaign spreading XP Antivirus Police through Visual Social Engineering - Spanish version
New strategy of social engineering to spread IE Defender - Spanish version


# Jorge Mieres

Thursday, May 7, 2009

Zeus Carding World Template. Change the playing side of the botnet

It's clear that cybercriminals spend a lot of time thinking about new ways of propagation/infection and social engineering strategies with the aim of attracting more "slaves" on the Internet :-)

Though it may seem a trivial matter, it is anything but casual. It is rather a response from organized crime, for which malicious code is the main weapon and the current Russian crimeware industry one of its greatest exponents.

However, it appears that the "bad guys" occasionally take a break to "play" at improving the design of their creations from a visual point of view.

This is the case of a template that isn't new (I remember seeing something about it), created to improve the look of the administration panel of the Zeus botnet. Surely created by some bored botmaster to sell the same control interface :-)

This template completely changes the look of the boring, monotonous default interface that Zeus ships with, transforming it into something ... a little more appealing. In fact, some versions of this crimeware are sold with the template already built in.

So this is how Zeus looks by default, during the installation process of the botnet and...

...during the authentication process to access the administration panel.

Applying the template, the view of the panel becomes the following:

As for the authentication interface, it is as follows:

The design, as the template name suggests, refers to offenses involving the unlawful use of credit card numbers by a third party (carding), and the picture does it justice.

This gives us a clear idea of what those who operate from the village of cybercrime are looking for: fraudulently obtaining money by exploiting the human factor.

Related Information
Financial institutions targeted by the botnet Zeus. Part two - Spanish version
Financial institutions targeted by the botnet Zeus. Part one - Spanish version
Zeus botnet. Mass propagation of trojan. Part two - Spanish version
Zeus botnet. Mass propagation of trojan. Part one - Spanish version
LuckySploit, the right hand of Zeus - Spanish version


# Jorge Mieres

Wednesday, May 6, 2009

EventPairHandle as Anti-Dbg Trick

Abstract: An EventPair object is an Event constructed from two _KEVENT structures, conventionally named High and Low. EventPairs are used for synchronization in Quick LPC; they allow the called thread to continue in the current quantum, reducing scheduling overhead and latency. Looking at the basic operations a debugger needs to accomplish, these tasks are conceptually simple: when the target is running normally the debugger is sleeping, but when certain events occur the debugger wakes up. It becomes clear that there is a strict relation between generic Event objects and debuggers, because a debugger has to create a custom Event, called DebugEvent, able to handle exceptions. Due to the presence of Events owned by the debugger, the information relating to the Events of a normal process differs from that of a debugged process.

Read more...

Tuesday, May 5, 2009

Visual social engineering and the use of pornography as a vehicle of propagation and infection

Deception strategies are diverse and limited only by the imagination of those who exploit them. Considering also that sites with pornographic content are among the resources in greatest demand on the Internet, it's logical to think that they are exploited for malicious ends, as usual through social engineering of the visual type.

This is a resource that probably no malware propagator plans to shelve for a long time, and regardless of the type of presentation used to display a supposed pornographic video that will never play, the goal is always the same: money.

The following sequence of images is a concrete example of a social engineering technique that will never go out of style. Hypothetically speaking, suppose that we have arrived at the following site through one of the many routes the Internet offers. This is usually the point where we tend to "choose" the type of video...

...and after selecting it, the typical streaming video window appears.

After a few seconds, a reminder appears of the need to install a component that allows us to view the web content, and the component is immediately offered for download; of course, it is actually malware with a low detection rate.
However, the page was created solely to spread malware, offering, in addition to the porn video content, a supposed player called BB-Player: a trojan with a much more acceptable detection rate than the previous binary.
This example, taken from a real case that is active today, is the modus operandi of spreading malware by exploiting visual social engineering and the thematic "hook" of pornography.

Related Information
Campaign spreading XP Antivirus Police through Visual Social Engineering - Spanish version
New strategy of social engineering to spread IE Defender - Spanish version


# Jorge Mieres

Sunday, May 3, 2009

Scareware propagation campaign: MalwareRemovalBot

Registering multiple domains on a single IP address is one of the methodologies used for the propagation of scareware programs, because it allows consistent (and unethical) web positioning, expanding the chances that a desperate user reaches a web site that promises, through its false product, a magical way of solving problems or implementing a so-called security layer to protect the computer from potential infections.

Obviously, scareware (or rogue software), like any malicious code, is added to the current criminal organizations it represents as an active and constant source of economic gain, often as part of crimeware packages such as Unique Sploits Pack, which incorporates a module for the spread of scareware.

In this case it's the scareware MalwareRemovalBot; although it isn't anything new, it's now manifesting through different domain names hosted on the same IP address (174.132.250.194), surely using virtual servers.

Some of the domains involved in this campaign are:

The executable file of the threat (MD5: 08a0b7b100567eb5a1373eb4607d5b24) is named setupxv.exe and has a low detection rate: only 11 of 39 antivirus companies detect it :(

This binary is only a wrapper containing the other pieces of malware, such as the executables for 32-bit and 64-bit Microsoft platforms, depending on the case. Among the files are:

  • MalwareRemovalBot64.msi - 0/40 (0%) (MD5: 708149179e0f18304413edd56d16fa48)
  • MalwareRemovalBot.msi - 0/40 (0.00%) (MD5: e1a1c6175d65ab6be8d5f5cbc85a4ca6)
  • MSIStart.exe - 7/40 (17.50%) (MD5: 3de82388a6e799446bada69b6a08dc9e)
  • zlib.dll - 2/40 (5%) (MD5: 81ac3f43a5b07d202b5723145d3d88f9)
  • TCL.dll - 5/40 (12.5%) (MD5: 2a4a0083d63d44374a64a27974eea789)
  • SpyCleaner.dll - 13/40 (32.5%) (MD5: 1ca00d4ef4319c9cd454397e5659600b)
  • MalwareRemovalBot.srv.exe - 3/40 (7.50%) (MD5: 852f708466a5b74556b69c536d3add7e)
  • MalwareRemovalBot.exe - (MD5: 25166bb5d2629cb6dfb9ac6143b88f00)
In many other cases, scareware spreads using other deception techniques that never go out of fashion and are part of the innate strategy of any current malware, or (increasingly) Black Hat SEO techniques, as is the case for most malware.

Related Information
Continuing the important and massive campaign scareware - Spanish version
Campaign scareware infection through false Windows Explorer - Spanish version
Campaign spreading XP Antivirus Police through Visual Social Engineering - Spanish version


# Jorge Mieres

Friday, May 1, 2009

2 Tools Released

Tool 1:

BHO Remover

BHO stands for Browser Helper Object: plugins written for Internet Explorer to enhance its capabilities. But this feature is misused by many spyware programs which monitor users' browsing habits and silently steal their credentials. Some BHOs also slow down the system considerably.

BHORemover helps in quickly identifying and eliminating such malicious BHOs present in the system. It not only displays detailed information about each BHO entry but also provides an online verification mechanism which makes it easy to differentiate between legitimate and malicious plugins.

The current version of BHORemover comes with an enhanced user interface, a sorting mechanism to arrange the entries by various parameters, and online verification of BHOs using ProcessLibrary.com.

Click Here

Tool 2:

Advanced Windows Service Manager

A 'Windows Service' is a program designed to perform a specific service; it is started automatically when Windows boots and runs as long as the system is up. Services normally run with 'System' privilege, enabling them to execute higher-privilege operations which cannot be performed by normal processes. Because of these advantages, malware often uses services to monitor and control the target system.

In this direction, AdvancedWinServiceManager makes it easy to eliminate such malicious services by separating third-party services from Windows services. By default it shows only third-party services, along with details such as Company Name, Description, Install Date and File Path, in one place, which helps in quickly differentiating between legitimate and malicious services. It comes with features such as detecting hidden rootkit services, exporting the service list to an HTML-based log file, displaying only third-party services, etc. All these make it stand apart from the 'Windows Service Management Console'.

Click Here

Author: Nagareshwar Talekar.

Thank you.
-EF