Friday, July 31, 2009

Botnet Analytics


We are still working our way to release Botnet Analytics. The first project in this site would be trend analysis of the botnet IPs fed from EmergingThreats.net website. We are almost 80% done. But we have 1 issue. When we see an opportunity to extend the tool, we do it. Hence, the tool so far expanded to a analytics engine that will crunch every possible relation with the IP listed in the backend.

If you wish to contribute or if you have some ideas for us, feel free to contact us at any time: contact.fingers @ gmail.com

- EF

DC 571 Meeting




Hey guys,

The previous meeting went very well. It would definitely be a great time to launch DC571.com very soon. I was wondering if you guys were cool in having our next meeting on a Friday [Aug 7th, 2009]. I promise you, there wont be many weekday meetings. This time alone I would like to have this one before going to India for a month, so that you guys can meet up even when I am not around. Zak or Uber will be running the future meetings when I am not around. Contact us @ contact.fingers@gmail.com if you wish to join. The reason is because, we do not have a standard/fixed location yet. Hence, we are trying to find a spot that works out well[suitable] for everyone.

- EF

Sunday, July 26, 2009

Software as a Service on the malware industry

Several years ago we have the ability to interact with different resources that are offered via web without using the resources at local level, our teams, for example, an operating system memory (eyeOS) that applied at the time, and applies this concept, as well as others we routinely use as Google Apps.

However, at present this concept responds to a name that is setting a trend under the name of Cloud Computing offers a wide range of services that use Internet as a central infrastructure (the cloud). Where services are offered programs, is known by the acronym SaaS (Software as a Service).

The point is that under this new phenomenon, the developers of malware were not on the sidelines and give rise to a new nomenclature that accompanies the concept of Cloud Computing, MaaS - Malware as a Service.

Some months ago I mentioned an online payment service that allows malicious code to create polymorphic capabilities based on the famous trojan PoisonIvy called PoisonIvy Polymorphic Online Builder.

Adding to this trend of offering services over the HTTP protocol, there are several alternatives as a service similar to the above, but free, called FUDSOnly Online Crypter, which channels its activity in the handling of malicious code in line with the intent to avoid detection by the antivirus companies, contributing to the cause pursued by malware developers to implement their creative processes anti-analysis.

Basically it's a Crypter. One type of program normally used to encrypt the binaries used in the distribution of malicious code. This "service" has the advantage of not needing to download or run the Crypter of locally on the PC, but the entire process is carried out via web.

At the end of the process, the application returns the following legend "Your file has been encrypted without errors, Service offered by FUDSOnly. Click HERE to download." that has the link to download the file handling.

As "extra", the "service" has the potential to insert into the encrypted file with the EOF crypter data (information server which is located at the end of file) for malicious code that doesn't support it, through a small program called ReEoF.

This service offered to handle malware, has had a previous version that demonstrates that the concept had already been adopted by cyber criminals for quite some time.

In fact, many services of this style that have been uploaded to the wave.

The malware industry adds to the notion that agglomeration online services offered by the Cloud Computing, extending the possibility of danger and threats to continue with the daily bombardment that information against environments, seeking to broaden the offering criminal .

Related Information
Creación Online de malware polimórfico basado en PoisonIvy

# Jorge Mieres

Wednesday, July 22, 2009

DC 571: Meeting Schedule



Venue: http://www.shoptysons.com/location.asp [Directions Available Here]

We are meeting up once again at the 2nd floor coffee shop at Barnes & Noble, in Tysons Corner Shopping center at around 5 PM on July 25th 2009[Coming Saturday]. You are most welcome to join us. This weekend, we will decide on how we would like to meet in future, venue and other stuff.

EF

Saturday, July 18, 2009

DC 571: Change of Plans

Change of plans: Call us at 213-210-1031 or meet us at the Barnes&Nobles 2nd floor coffee shop at the Tysons Corner shopping center. DC 571 meeting starts at 5:30 PM EST July 18 2009.

EF

Thursday, July 16, 2009

Special!!! ZeuS Botnet for Dummies

After dealing with some emphasis on the activities of the most active botnets now, ZeuS, let's see a more detailed description of their crime.

If we talk about malware and botnets, no doubt ZeuS has a particular advantage due to the amount of zombies that are part of its campus. ZeuS is designed to steal any information that is stored on the computers of victims remotely and carry out other attacks aimed at stealing information such as phishing.

Therefore, we could say that ZeuS is a spyware, but also has capabilities for other types of malware such as backdoors, trojans and viruses. However, the author mentions in the installation manual that you don't like to call any of these forms in this crimeware, but will refer to it as a "bot software".

Although we know the external face of ZeuS (the web interface management and control of zombies), has certain features that are constantly evolving and professionalize achieving greater flexibility and adaptability to ensure operation on different versions of Windows. This makes ZeuS a latent threat and very dangerous for any information system.

In this sense, ZeuS also ensures performance "working" on the privilege level 3 (where the applications are) the operating system to avoid incompatibilities between the implementation of equipment and devices (which operate at lower levels). Though it may seem an irrelevant fact, this allows greater flexibility and hence a higher yield at the time of the fraudulent and criminal activities for which it was conceived.

The latest version of ZeuS is written with version 9 of the C + + language, and among the features that have this web application (malicious), we can mention:
  • Monitor network traffic (sniffer) TCP.
  • Intercepts the FTP and POP3 connections from any port.
  • Intercepts HTTP and HTTPS requests from all applications that work with the library wininet.dll (eg IE). This demystifies the myth in which ZeuS uses a BHO to intercept applications through IE.
  • Functions server (socks4/4a/5).
  • Backconnect for all of the infected computer services (RDP, Socks, FTP, etc.).
  • Get screenshots in real time.
  • Ability to conduct phishing attacks.
  • Incorporates anti-analysis mechanisms.
  • Constructor of the trojan that spreads and configuration file.
  • Polymorphic encryption.
Another technical detail is that all communication is done by ZeuS through a symmetric encryption algorithm (RC4).

The server is the heart of ZeuS, and any botnet, and who is to obtain all records of infected computers that are part of the botnet and execute commands remotely.

On the other hand, many botnets using virtual servers to their criminal operations. However, this plays against the botnet when is very large, if ZeuS, as usually, the virtual servers don't have too many resources, so it's customary for botmaster using dedicated servers to host the bot. This is an important fact to keep in mind during the research side.

Accordingly, and as every application requires a minimum of resources to run satisfactorily, in the case of this botnet, the requirements are just to have 2GB of RAM and 2x frequency of 2 GHz CPU. As we see, the minimum requirements aren't at all a constraint VIP. Anyone can implement ZeuS, even without these minimum requirements.

Furthermore, it's assumed that the computer is running an HTTP server with PHP (the language is generally develop these crimeware) and MySQL (to create the database with statistical information that shows your activity). Another requirement is Zend Optimizer, which is necessary to protect and optimize the scripts.

With regard to updates, ZeuS is also can be "groomed" by newer versions without too much effort. During the last six months have been released five versions (based on each one approx. 35 days) with correction of errors, changes and new features, not the versions with smaller arrangements.

After looking at the diagram, many wonder what the number of each version. A teaching mode could say that if we have the "A.B.C.D" ...

A means a complete package of crimeware.
B represents changes that cause total or partial incompatibility with earlier versions.
C specifies error correction, added functionality, improvements, etc..
D is the number of refuds (changes) to the current version.

This is just a screenshot of what can and ZeuS represents in terms of skills and maneuvers that have an environment within which criminal crimeware applications are the main actors.

Related Information
Botnet. Securización en la nueva versión de ZeuS
ZeuS Carding World Template. Jugando a cambiar la cara de la botnet
Entidades financieras en la mira de la botnet ZeuS. Segunda parte
Entidades financieras en la mira de la botnet ZeuS. Primera parte
ZeuS Botnet. Masiva propagación de su troyano. Segunda parte
ZeuS Botnet. Masiva propagación de su troyano. Primera parte
LuckySploit, la mano derecha de ZeuS

# Jorge Mieres

Sunday, July 12, 2009

BruCON, Brussels 16-19 September 2009



BruCON is an annual security and hacker conference providing two days of an interesting atmosphere for open discussions of critical infosec issues, privacy, information technology and its cultural/technical implications on society.

Organized in Brussels, BruCON offers a high quality line up of speakers, security challenges and interesting workshops. It's affordable, accessible and entertaining. BruCON is a conference by and for the security and hacker community.

Two day trainings are available before the conference by some industry experts:

  • Crash course in Penetration Testing (By Joe McCray, and Chris Gates)


  • Former speaker at SOURCE Boston 09, NotACon ,Toorcon X and ChicagoCon. He is scheduled to speak BlackHat USA 2009 and Defcon 17


  • Web 2.0 Hacking – Attacks and Defense (By Shreeraj Shah)


  • Author of Hacking Web Services (Thomson 06) and Web Hacking: Attacks and Defense


  • Social Engineering testing for IT Security professionals (By Sharon Conheady)


  • Sharon Conheady is a social engineer/penetration tester at First Defence Information Security in the UK. She has social engineered her way into dozens of organisations across the UK and abroad, including company offices, sports stadiums, government facilities and more. Former speaker at Deepsec, Recon, CONFidence, ISSE, ISF, SANS Secure Europe and more.


    Why should people attend this event?

  • These are renowned speakers, international experts and book authors which you will seldom meet at other events.

  • It's affordable and accessible.

  • With 400 seats, it's an ideal occasion to network with others and exchange knowledge.

  • Lightning talks will give possibilities for visitors to present their own projects, tools or website

  • Various workshops on wireless security, digital ID, lockpicking, VOIP,....

  • The Hex Factor: a contest where people can learn the basics of web application security, forensics,… both fun and challenging for both absolute beginners as well as experts.



  • More info? How to register? Visit http://www.brucon.org/

    SpyDLLRemover v2.5 Unleashed!

    Hey guys,

    We have released the next version of SpyDLLRemover [v2.5], which includes major updates and minor bug fixes. We have added a DLL Tracer tab, which would let you [the user] to search for processes running a specific DLL on your system. In that way, if you know the name of your injected DLL, it would list all the process names that run this DLL.

    Check it out @: http://www.rootkitanalytics.com/tools/spy-dll-remover.php

    From here on, we are shifting from 3-number versioning system to a 2-number system and we are reserving the 3rd number for internal us [to track minor updates].

    If you have any questions or comments, do not hesitate to contact us [at contact.fingers @ gmail.com] either way.

    EF

    Thursday, July 9, 2009

    Waledac/Storm. Past and present a threat

    At the beginning of 2007 jumped from the darkness to begin a malicious code to be a source of important news because of their particular strategies of deception and a major campaign at the global level of infection that still remain a subject of research by the community security.

    This is Storm, aka Nuwar or Zhelatin depending on the identity assigned by the antivirus companies, although it's known as "storm", perhaps alluding to the manner in which systems ravaged by which he transformed into zombies, recruiting teams under the command of the botnet.

    At present, the threat posed Storm hasn't been to one side, but transferred to its twin brother, Waledac, which remains essentially the characteristic of trying to innovate in terms of apology necessary for the spread and recently has awakened after a period of hibernation.

    Some features of this threat are:
    • The spread is through the unwanted e-mail (spam)
    • Uses deception strategies (Social Engineering) different for each campaign to spread
    • Through a link embedded in the body of a message routed to a site where malware is downloaded
    • The infected computers are part of a botnet
    • To complete the cycle of infection through the spread of spam
    • Fast-Flux networks
    • They have polymorphic capabilities at the server level
    During virtually the entire 2007, Storm (the first appearances as a strategy of deception used to display a video on a storm unleashed in Europe) used as a means of propagation/infection e-mail with questions and topics varied inciting to click on a link embedded in the message body, which in some cases direction of a page (some of them also tried to spread Storm exploit vulnerabilities using iframe tags as resources) and others directed to the download of a binary in Storm both cases.

    Already for next year (2008), Storm joined the "surprise effect" linking the e-mail link provided to a web site that accompanied the excuse presented in the case of mail with an image alluding also to the theme that, the as in 2007, rotating with each major event (Valentine's Day, Independence of the USA, Christmas, etc). In addition, some variants spread through blogs.

    After several months of inactivity in terms of the spread of the threat, in January of this year appears Waledac, a trojan that uses the same mechanisms used by Storm and many security professionals are beginning to see the similarity between them.

    After several investigations, says that Waledac is, one might say, the twin brother of Storm. Using the same methodologies of Social Engineering with a broad portfolio of images and themes used as an excuse to capture users' attention. Passing through images rather the typical "love" for the month of Valentine Cases of alleged terrorist attacks, among others, to the recent course on a video on YouTube.

    There are, among others, two very interesting features in both Waledac Storm: the use of Fast-Flux networks and polymorphic capabilities on the server.

    The first of these threats were allowed to spread across different IP addresses and using different domain names that constantly rotate between each other with the name resolution. This causes, through a certain time to live (TTL) pre-configured every x amount of jumps between nodes (infected computers) from the same domain, you download a different prototype of malware.

    This leads to the second feature, the polymorphism. In this way, each time the package (malware) is established TTL attempt to download a different version of the malicious code to be "changes" every certain amount of time (also predetermined by the attacker) establishing capacity polymorphic.

    The diagram below provides the direct relationship, over time, the threat was used as a strategy of deception.

    Each of the zombies that are part of the botnet created by Waledac, focus your intentions in sending spam. In this sense, a very interesting extract from a report that says Waledac has the ability to send about 150,000 spam emails per day.

    Perhaps, then you know that Storm/Waledac are running campaigns with high rates of spread of infection globally and overcrowded, it's clear that their creators are continuing their criminal operations for a financial issue, which is nothing new for malware today.

    Related Information
    Masiva campaña de propagación/infección lanzada por Waledac utilizando como excusa el día de la Independencia de EEUU
    Estrategia BlackHat SEO propuesta por Waledac
    Waledac. Seguimiento detallado de una amenaza latente
    Más Waledac en acción ¿Puedes adivinar cuánto te amo gano?
    Waledac más amoroso que nunca
    Waledac e Ingeniería Social en San Valentín

    # Jorge Mieres

    milw0rm is back

    Str0ke changed his mind. milw0rm.com is back.

    Most recent posting from http://twitter.com/str0ke:

    "milw0rm's back up & posting will start once again, I can't let all of the emails in my submit box to just sit there."

    We are glad that str0ke did not throw the jewel box away.
    EF

    Wednesday, July 8, 2009

    milw0rm.com is shutting down

    It is very sad that CastleCops closed. It was also sad that Astalavista was taken down. Here comes the bad part... milw0rm is shutting down.

    Well, this is my goodbye header for milw0rm. I wish I had the time I did in the past to post exploits, I just don't :(. For the past 3 months I have actually done a pretty crappy job of getting peoples work out fast enough to be proud of, 0 to 72 hours (taking off weekends) isn't fair to the authors on this site. I appreciate and thank everyone for their support in the past.
    Be safe, /str0ke
    - Source:milw0rm.com

    Tuesday, July 7, 2009

    Sucuri & EvilFingers: Technology Partners

    Hey guys,

    Sucuri is now partnering [technology partners] EvilFingers in a collective community effort of securing users for free. Sucuri provides NBIM (Network-based Integrity monitoring) for FREE. Check out http://www.Sucuri.net for more details.

    - EF

    Sunday, July 5, 2009

    Massive campaign to spread/infection Waledac launched by using as excuse the Independence Day of USA

    After a long period of inactivity, the creator (or creators) of the trojan Waledac, executed yesterday July 4 (U.S. Independence Day), a new campaign to spread using the same mechanism that characterizes Waledac and characterized Nuwar in time; Social Engineering.

    This time the excuse is Independence Day which is celebrated in the U.S. and the mechanism of propagation is the simulation of a video showing the alleged fireworks for the celebration of the special day.

    It's likely that this massive campaign to spread/infection ends with a fairly high rate of infection because the vector by which the threat is spreading is the email that respecting a characteristic of spam, massive, reaching millions users utilizing the computational power of the botnet comprising Waledac.

    We don't currently have any relevant characteristic that differentiates the mechanism of spread used on this occasion in relation to the above, perhaps the activity period is extended for a good while.

    Still, there are obvious analogies. For example, continues to make use of BlackHat SEO techniques in the composition of domain names alluding to the excuse used by (firework, 4th, independence, happy, july, movies, video).

    Among the domain names created from these words are (an active spreading waledac):

    videoindependence .com
    video4thjuly .com
    outdoorindependence .com
    moviesindependence .com
    movieindependence .com
    moviesfireworks .com
    moviefireworks .com
    movies4thjuly .com
    movie4thjuly .com
    interactiveindependence .com
    holifireworks .com
    holidaysfirework .com
    happyindependence .com
    4thfirework .com
    freeindependence .com
    4thfirework .com

    The names of binaries used by Waledac to date are:

    install.exe 885ac83376824a152f2422249cf4d7e5, b5f3d0150fb4b7e30e7a64d788e779e0 or 424a85c096ce6d9cbbe8deb35a042fda

    movie.exe 74c3b53958527b8469efa6e6d8bccaf9, 2740cee619deccad6ed49ff6a23ebd14, a45d0405518ad2c294ed1b151e808f55, 426e031049675c8136c6739530057ba5, 395b1d4a68f435416cbb69cae0c220c7 or 28de1675b2694927c16d34eacdafbc56

    run.exe 30a6e0e3bdb000ce85dc8d754582f107, b14c93fb2cf91d2a03e20f7165101f5e or 3083b6bc236121e6150f13f3d0560635

    fireworks.exe c62c388472695589bd5e0f4989d93ab0, ae2fc409bd054047f9582fb9f76eb1aa or 1b21e77b08c31bf99e5cc3f6cfd11954

    setup.exe 3c067587383d3c26a3b656f25c54ea47, f2589d96b7f6838ae322e4c6739efd07, 543630de475994ce778fa35ce45984f4 or 9fa07157ee1e1c1b86a27df816596d13

    patch.exe dcde62f021146696100d87b9c741be73, 6811725f3cdda17ba5f8877f02a796d4, d655566ba4911fc0ff60d197d54dff2c or 395b1d4a68f435416cbb69cae0c220c7

    video.exe 499db7f0870ce5de80193996179445e5, c1a3ef240be48fb500167aaedb72bdcf or 02ed2300a349a0c20c5b15b06130ba1f

    Through the monitoring carried out this threat sudosecure.net since he was born under the name Nuwar can see this information graphically.


    Similarly, we can visualize a lot of graphic information such as IP addresses involved in the dissemination of Waledac. In this case, the Top 10 and, considering that the campaign is focused in the U.S. (although this does not mean that the number of people infected is limited to the U.S.), it's logical to believe that the majority of infections are given in first instance in this country.

    On the other hand, continues to implement Waledac masking technique as Fast-flux techniques, using different IP addresses for the same domain.

    videoindependence .com
    98.211.105.230 > United States
    76.106.189.169 > United States
    201.213.72.205 > Argentina
    201.21.134.78 > Brazil
    201.6.212.62 > Brazil
    201.212.3.94 > Argentina
    69.148.172.231 > United States
    99.141.124.192 > United States


    video4thjuly .com
    72.225.252.27 > United States
    71.193.54.175 > United States
    84.109.243.13 > Israel
    200.108.196.153 > Uruguay
    201.241.106.65 > Chile
    200.26.178.12 > Paraguay
    201.213.101.148 > Argentina
    81.97.116.82 > United Kingdom
    76.103.252.191 > United States
    201.6.229.122 > Brazil
    68.56.57.51 > United States
    200.112.184.67 > Argentina
    67.242.8.170 > United States
    82.162.25.19 > Russian Federation
    84.253.71.15 > Russian Federation


    Waledac has emerged from the shadows once again turning its classic strategy that will continue to spread its campaign to spread/expand their botnet infection with the recruitment of more zombies.

    Related Information
    Estrategia BlackHat SEO propuesta por Waledac
    Waledac. Seguimiento detallado de una amenaza latente
    Más Waledac en acción ¿Puedes adivinar cuánto te amo gano?
    Waledac más amoroso que nunca
    Waledac e Ingeniería Social en San Valentín

    # Jorge Mieres