Saturday, August 15, 2009

Fragus. New botnet framework In-the-Wild

A new web application written in php and developed management system exploits, malware and control spread of botnets, have entered the illegal market in crimeware promises to be one of the most exploited.

This is Fragus v1.0, which has joined since July 2009 to the large list of applications of this kind that seek to capture the black market. This development originated in Russia and is inserted into the market with a cost sufficiently "competitive."

In recent months there are new framework for the control and administration of botnets to make this a very simple task as Liberty Exploit System and Eleonora Exploits Pack, among some other much older that have upgraded their capabilities to YES Exploit System and ElFiesta.

However, the fact finding increasingly malicious applications of this style In-the-Wild isn't a coincidence, but a response to a business model behind the development of crimeware and feeds himself with marketing of a wide range of options.

From a general point of view, Fragus has an attractive interface, support for english and russian language and a simple system that allows you to get statistics and compare information about browsers, operating systems (including versions) and countries in which zombies have been recruited as part of the network (which is the same: an intelligence that allows linking information in a timely manner). The following screenshot shows the statistical control.

It also has other features like:
  • Ability to quickly check the data through a summary of which is accessed without loading the page.
  • Manage the upload of files from the admin panel.
  • Allows you to specify a binary file that is uploaded to the system.
  • Ability to distinguish traffic by a "client" for each statistic separately.
  • Choose the file to upload from the admin panel or do a load of random.
  • Allows the client to maintain their own kit by selecting from a list of exploits.
  • It can control the statistical information from a domain independent of the administration, which allows access to information without performing the authentication process.
  • Lets clear the statistical information of a general or particular in each "customer."
  • All configuration options offered Fragus for the administration and control of botnets can be performed easily from the Framework.
  • Has an internal search system that lets you search and find quick links to iframe open in traffic. Also in general or in particular for each "customer."
In addition, also allows Fragus exploit vulnerabilities in high quality images, edit the number of domains necessary for a migration of information without losing traffic, edit a URL in the exploit packets which visits twice or more, ie downloaded from the same page several binaries, pdf, swf depending on the exploit.

Examples of malware spread Fragus are:
His exploits modular system lets you add easily and has a crypt (optional) written from scratch, according to the author, avoiding detection by a large number of antivirus companies without overburdening the browser. But nevertheless, it also allows you to select a different encrypt giving the "client" to decide which encrypts not limited to use by default. The author also says that Fragus is optimized to work seamlessly with large flows of traffic and minimal load on the server.

Another aspect that stands out and differentiates it from the classical type of crimeware is that it has an instruction to avoid detection of the domain used by the searchbots (the domain associated with default Fragus when it launched the crimeware fragus.cn) and the installation process is cumbersome and not need to touch any configuration file manually, since it has a wizard that allows aid have it installed in minutes.

Among the exploits that have preinstalled are:
  • MDAC
  • PDF printf()
  • PDF collectEmailInfo()
  • PDF getIcon()
  • MS DirectShow
  • MS09-002 - for IE7
  • MS Spreadsheet
  • AOL IWinAmp
  • MS Snapshot MS COM
The cost of this first version of Fragus is USD 800. This value includes the source code is protected with IonCube. The cost of the crypt (written from scratch) is USD 150 and USD 30 for other hidden operation of crimeware to evade detection, perhaps with fast-flux techniques.

In short, the "service" complete Fragus has a cost of USD 980 and, as usual in this illegal market, the "treatment" of purchases made through ICQ and the transaction of money via WebMoney.

As we can see, this new crimeware that is inserted into the crime scene promises to be very competitive. Furthermore, the malware that is ready for dissemination defect has a disturbingly low rate of detection, which transforms the web application in a serious threat.

Related Information
Liberty Exploit System. Otra alternativa crimeware para el control de botnets
Los precios del crimeware ruso. Parte 2
Eleonore Exploits Pack. Nuevo crimeware In-the-Wild

# Jorge Mieres

8 comments:

Anonymous said...

Is there an english version of the article about Liberty Exploit Kit?

Jorge Mieres said...

No, Liberty is another Exploits Kit. Fragus is emerging, however, Liberty already has several versions.

http://mipistus.blogspot.com/2009/08/liberty-exploit-system-otra-alternativa.html

Anonymous said...

The article at mipistus blog is in Spanish. Therefore I have asked for an English version.

Anonymous said...

http://translate.google.com/translate?js=y&prev=_t&hl=es&ie=UTF-8&u=http%3A%2F%2Fmipistus.blogspot.com%2F2009%2F08%2Fliberty-exploit-system-otra-alternativa.html&sl=auto&tl=en&history_state0=auto|es|The%2520article%2520at%2520mipistus%2520blog%2520is%2520in%2520Spanish.%2520Therefore%2520I%2520have%2520asked%2520for%2520an%2520English%2520version.

:-)

Jorge Mieres said...

http://translate.google.com/translate?js=y&prev=_t&hl=es&ie=UTF-8&u=http%3A%2F%2Fmipistus.blogspot.com%2F2009%2F08%2Fliberty-exploit-system-otra-alternativa.html&sl=auto&tl=en&history_state0=

Regards!

Anonymous said...

fargus is full shit!
Liberty and eleonore exp is very very good pack!

Anonymous said...

www.reallab.info

Anonymous said...

There is already next version Fragus v.1.1