A very slick exploit pack that is destined to have a future. Mad props to one of my favorite researchers, Dancho Danchev, on making this information so accessible.  He provides excellent analysis and commentary and in my opinion is a leading researcher with the right mindset for this work.





.  Another good exploit pack.


A very sophisticated pack that has been extensively written about.


I will seek out the source code to post and see if we can glean some intelligence on the authors.

is older than Icepack and Mpack and was popular because it was cheap.

Panda did an on it.





There is a small write up about it at , and some great analysis by Dancho and .

Version Firepack lite 1.1, Firepack 0.18, 0.17


Exploits for some its versions are .

Possible Sourcecode can be found for the lite version .


Here we actually see the original Russian version.

Now we can target the Coder DIEL and track him by his ICQ number.


Asprox has been around for a good long time and focuses on and templated Phishing campaigns.  This stuff is really cyberweaponry on a massive scale.  It also is used by .  These are used to launder ill-gotten gains and extract money from accounts where assets are transferred to.


Here is a from Shadowserver Foundation on tracking the of the botnet after the McColo fiasco.

Fiasco because it didn't do a lick of good.

I will post code soon on what I have from Asprox.  There are many sites that track this.

Asprox has also moved to Fast Flux and has even that into something called  which utilizes another layer of defense to isolate its Motherships…  Uh like WOW

HydraFlux : The many headed fluxnet

“Flux” is no longer the sexy beast that it might once recently have been and the M.O is unfortunately becoming a common fixture in the criminal landscape of the internet. However, one fluxnet operation recently stood up and stood out. The emergence may simply be an evolution in one flux herder codebase, or represent a new fluxnet operation altogether. I imagine many will call it ‘rock’ (which it is not) based on URL construction alone. The uniqueness of this particular fluxnet does not become apparent until you see what is happening on the other side of the redirection going further upstream. “HydraFlux” is bestowed as a result of operational behavior based naming.

For those who have examined flux net activity you might acknowledge a few commonalities on the backend that are shared among several flux operations where the flux node to mothership relationships are one to one. ( many clients -> fluxnode:80 -> mothership:80 ) <= (this is old school, sooooo 2006/07).

Enter HydraFlux

A small flux net (at this time) where each fluxnode endpoint maintains a one to many mothership relationship *in addition* to the use of non-standard ports for upstream mothership communications. Where “many clients” -> fluxnode:80 -> Multiple_Motherships:4449 . The fluxers are breaking the rules, and btw there *are* no rules. This may be just a bad experiment since HTTP on non-standard ports can stick out like a sore thumb. Oh yes, nginx servers are upstream, and no way to validate that those hosts are not sending traffic further upstream, though I do believe this is a case of additional layers motherships further upstream beyond what is visible from the Fluxnode perspective.
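The one-to-many relay pattern described above, expressed as a flow-log heuristic. This is an added example, not code from this post or from the quoted analysis; the flow-record shape, the thresholds and the sample addresses (RFC 5737 documentation ranges) are assumptions constructed for illustration.

```python
from collections import defaultdict

STANDARD_HTTP_PORTS = {80, 443}

# Constructed flow records: (source, destination, destination port).
SAMPLE_FLOWS = [
    # Relay A: many clients on :80, several upstreams on :4449.
    ("198.51.100.10", "192.0.2.5", 80),
    ("198.51.100.11", "192.0.2.5", 80),
    ("198.51.100.12", "192.0.2.5", 80),
    ("192.0.2.5", "203.0.113.1", 4449),
    ("192.0.2.5", "203.0.113.2", 4449),
    ("192.0.2.5", "203.0.113.3", 4449),
    # Relay B: the older one-to-one layout, upstream on :80.
    ("198.51.100.10", "192.0.2.9", 80),
    ("198.51.100.11", "192.0.2.9", 80),
    ("198.51.100.13", "192.0.2.9", 80),
    ("192.0.2.9", "203.0.113.7", 80),
    # Ordinary web server with a single backend connection.
    ("198.51.100.10", "192.0.2.20", 80),
    ("198.51.100.12", "192.0.2.20", 80),
    ("198.51.100.13", "192.0.2.20", 80),
    ("192.0.2.20", "203.0.113.50", 5432),
]

def find_one_to_many_relays(flows, min_clients=3, min_upstreams=2):
    """Return {host: {port: [upstreams]}} for hosts that serve many clients
    on :80 and fan out to several hosts on one non-standard port."""
    clients = defaultdict(set)                          # host -> client IPs seen on :80
    upstreams = defaultdict(lambda: defaultdict(set))   # host -> port -> upstream IPs
    for src, dst, dport in flows:
        if dport == 80:
            clients[dst].add(src)
        if dport not in STANDARD_HTTP_PORTS:
            upstreams[src][dport].add(dst)

    findings = {}
    for host, srcs in clients.items():
        if len(srcs) < min_clients:
            continue
        fanout = {port: sorted(dsts)
                  for port, dsts in upstreams[host].items()
                  if len(dsts) >= min_upstreams}
        if fanout:
            findings[host] = fanout
    return findings

if __name__ == "__main__":
    for host, fanout in find_one_to_many_relays(SAMPLE_FLOWS).items():
        print(host, fanout)
```

The one-to-one relay on port 80 is deliberately not flagged by this heuristic; it only isolates the non-standard-port fan-out that the quoted text says sticks out.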

The Son of Storm.

This is essentially a rewrite of the Storm worm with a much much stronger command and control channel protection scheme using  as written by the awesome .  Here is an of articles tracking its growth called the Waldec Tracker.


With robust encryption starting to become the norm (Conficker, for example, is now doing robust encryption), it will be computationally infeasible to crack and observe the Command and Control traffic, as well as to conduct integrity attacks and command insertion into these botnets.

That means we need to be more innovative.. or get some balls and be ruthless.  If your opponent gets smarter than you are, you're better off just bashing him in the fucking head.  Pardon my french.


They are still using the same tricks, social engineering, email spam for propagation and fast flux for resiliency.

One of the awesome things it's doing is crafting custom socially engineered LOCALIZED email spam based on a disaster theme and using GEOIP to localize it to the victim's community.  So for example if you live in San Francisco it would say something like a Terrorist attack on the Golden Gate Bridge, or an earthquake.  Anything to lure the suckers in…


Here is a look at the network structure.


That's a whole lotta pwnage boys and girls.  Keep your data close…. Here is the geographic distribution


Here are some good links to track .

is a devastating crimeware kit that is highly prevalent.  It focuses on .

Here is an example of one of its Command and Control Interfaces.


As you can see this is prevalent in the wild as shown here by Malware Domain List


Zeus is also known as NTOS or WSNPoem or PRG.  It has a long history and is responsible for MASSIVE amounts of data theft, including from governments, corporations and individuals.  Encrypted data stores of over 500 GB have been found and it is estimated to have been in operation in some locations for years unnoticed.

It is even vulnerable to

Many have and its progeny. Here is a . 

Frank Boldewin has done some awesome reversing and analysis of Rustock, Storm, Zeus, and other samples from some of the most notorious pieces of crimeware prevalent today.

I will mirror his content in all its glory here for posterity BUT he deserves all the credit.  You can learn a lot by reviewing other people's research.

For more on check out this awesome

This is a great trend and what is clearly needed for the community.  HOWEVER…..

Ask yourself.  If stuff can stay running long enough to be tracked, and you clearly see the scale and the scope here, there is a SERIOUS problem with enforcement.  So what do you do??  Especially for a Crimeware based Software as a Service Organization running via a Bullet Proof host provider out of a foreign country with no Law Enforcement cooperation?


All of these links are active and can allow you to download and reverse the Zeus binaries.  The configuration files, typically a .bin file, hold encrypted information that represents the financial institutions target set.

The answer is simple, you go unattributable, you exploit their systems and either Crypto lock them or Cyberdestroy them.  That is the answer.  Has it been done yet?? Not that I know of.  Who is man enough to make the first move. 

It could be the shot heard round the world that would change the rules of the game.  And I'm all for it.  Surgical, devastating cyber strikes on known, persistent malware infrastructure.

Here are some of Zeus’s advertised capabilities from the Authors themselves…

ZeuS has the following main features and properties (full list is given here, in your part of assembling this list may not): - Written in VC + + 8.0, without the use of RTL, etc., on pure WinAPI, this is achieved at the expense of small size (10-25 Kb, depends on the assembly).
– Workaround most firewall (including the popular Outpost Firewall versions 3, 4, but suschetvuet temporary small problem with antishpionom). Not a guarantee unimpeded reception incoming connections.

– Difficult to detect finder / analysis, bot sets the victim and creates a file, the system files and arbitrary size.
- Works in limited accounts Windows (work in the guest account is not currently supported).
– Nevid ekvaristiki for antivirus, Bot body is encrypted.

– Some way creates a suspected its presence, if you do not want it. Here is the view of the fact that many authors do love spyware: unloading firewall, antivirus, the ban on their renewal, blocking Ctrl + Alt + Del, etc.

- Locking Windows Firewall (the feature is required only for the smooth reception incoming connections).
– All your settings / logs / team keeps bot / Takes / sends encrypted on HTTP (S) protocol. (ie, in text form data will see only you, everything else bot <-> server will look like garbage).

– Detecting NAT through verification of their IP through your preferred site.

– A separate configuration file that allows itself to protect against loss in cases of inaccessibility botneta main server. Plus additional (reserve) configuration files, to which the bot will apply, will not be available when the main configuration file. This system ensures the survival of your botneta in 90% of cases.
– Ability to work with any browsers / programs work through wininet.dll (Internet Explorer, AOL, Maxton, etc.):

– Intercepting POST-data + interception hitting (including inserted data from the clipboard).

– Transparent URL-redirection (at feyk sites, etc.) c task redirect the simplest terms (for example: only when GET or POST request, in the presence or absence of certain data in POST-request).

– Transparent HTTP (S) substitution content (Web inzhekt, which allows a substitute for not only HTML pages, but also any other type of data). Substitution of sets with the help of guidance masks substitute.

- Obtaining the required contents page, with the exception HTML-tags. Based on Web inzhekte.
– Customizable TAN-grabber for any country.
– Obtaining a list of questions and answers in the bank “Bank Of America” after successful authentication.

– Removing POST-needed data on the right URL.

– Ideal Virtual Keylogger solution: After a call to the requested URL, a screenshot happening in the area, where was clicking.

– Receiving certificates from the repository “MY” (certificates marked “No exports” are not exported correctly) and its clearance. Following is any imported certificate will be saved on the server.

– Intercepting ID / password protocols POP3 and FTP in the independence of the port and its record in the log only with a successful authorise.

– Changing the local DNS, removal / appendix records in the file% system32% \ drivers \ etc \ hosts, ie comparison specified domain with the IP for WinSocket.

– Keeps contents Protected Storage at first start the computer.
– Removes Cookies from the cache when Internet Explorer first run on a computer.

– Search on the logical disk files by mask or download a specific file.

- Recorded just visited the page at first start the computer. Useful when installing through sployty, if you buy a download service from the suspect, you can see that even loaded in parallel.
- Getting screenshot with the victim’s computer in real time, the computer must be located outside the NAT.
– Admission commands from the server and sending reports back on the successful implementation. (There are currently launching a local / remote file an immediate update the configuration file, the destruction OS).

– Socks4-server.

- HTTP (S) PROXY-server.
– Bot Upgrading to the latest version (URL new version set in the configuration file).


- There has its own process, through this can not be detected in the process list.


Here is an example of the builder interface.


Here is another Console




Here is some on .



Slides of my Hack.Lu 2008 speech “Rustock.C – When a myth comes true”


With “More advanced unpacking – Part II” I show you how to decrypt an infamous real-life malware called WSNPOEM aka Infostealer.Banker.C. The binaries are usually created with a tool called ZEUS Builder and there exist lots of different versions in the wild. I found samples with and without rootkit functionality, as well as on-top packed binaries, meaning they are additionally protected/packed with tools like Aspack, ACProtect, Polycrypt and so forth. We will discuss all 3 types and how to deal with them in 3 different ways. – 1. Manual unpacking + import fixing – 2. Manual unpacking + Auto import fixing – 3. Auto unpacking/import fixing – Stage 2 introduces a nice tool called “Universal Import Fixer” and Stage 3 shows how to automate unpacking/import fixing with OllyDbgScript.


This new unpacking tutorial goes far more into depth than the beginner's tutorial I released last year. It aims to show some generic tricks and tools that can be used on many other protectors. Enjoy!


This paper is an analysis of the malware Peacomm.C aka StormWorm. It mainly focuses on extracting the native Peacomm.C code from the original crypted/packed code and all things that happens on this way, like: XOR + TEA decryption, TIBS unpacking, defeating Anti-Debugging code, files dropping, driver-code infection, VM-detection tricks and all the nasty things the rootkit-driver does.


This paper is an analysis of the Rustock.B rootkit. The rootkit used several proprietary obfuscation/packing methods to hide the native driver code from prying eyes. I have divided the paper into two main parts. The first part, which is divided in three stages, describes how to extract the native rootkit driver code without the use of kernel debuggers or other ring0 tools. The second part basically does the same, but much faster and with lesser efforts using the SoftICE kernel debugger. Each part shows various possibilities for solving the different problems facing the researcher when analyzing Rustock. All the code and IDB files are included in the package!


This flash movie covers how to manual unpack and Auto-IAT fix UPX and Aspack packed binaries. It might be useful for people who are new to malware analysis and don’t have a clue how to unpack and repair a binary. The introduced technique works for many other easy executable packers like FSG too. For best view use a resolution of 1024×768 or higher and select fullscreen (F11) in your browser.


My first paper is a step by step guidance how to use the world’s best debugger called SoftICE, which is part of Compuware's DriverStudio. This essay discusses the installation & configuration of the debugger, the most useful commands SoftICE offers, a rocking extension called IceExt, as well as a categorized list of good breakpoints. For a better understanding screenshots are placed at distinctive points.

SPOTLIGHT: Shine Bright.

March 25, 2009

This site will begin to host and post Dossiers on known, identified Cybercriminals embracing the concept of “Open Source Evidence” 

Send Comments and we will begin to publish case files.


Here is an older version.  ALL the credit for this goes to the awesome guys at who seem to have no reservation about showing to the world the innovations and backends of these infrastructures of evil.

All of their reports can be found on their section on their website.

I will attempt to add my spin to research and look for new angles.  Much of this will be reference material for building on further research.  Additionally, the goal will be to capture as much code as possible and host it here, Offensive Computing style, to further research and awareness.

This pack is called Multi Exploits Pack Version 3.1

NOTE:  Early on, in order to avoid analysis, sophisticated IP access monitoring is being done to ensure that clients cannot connect to these sites multiple times.  Sounds like a good opportunity to identify any configuration settings that allow unfettered access to IPs for administration.  If they are stupid enough to put something like that in there, it's a good way to conduct attribution.


Here is the annoying thing.

Note the original posting in a forum to sell this puppy.  Malware authors need to be contacted somehow to sell their stuff.  NOTICE THE ICQ ID that for some reason was blurred by the Finjan report.




As you can see here there is a Targetable Identifier.  The ICQ number.  THANKS FINJAN for blurring it.  This information is useful to the community.  Maybe even possible Mob effects can take over for a little bit of Internet Justice.

This is a perfect target to identify the actors and Attribute them.  Law Enforcement should be beating down ICQ operators' doors to get a real world Identity on these people, and force them to roll on their clients, better yet pay them to SNITCH or setup a STING.

Or just publish in underground channels that the Individual is now working for law enforcement.  Next thing you know this devious little reputation poisoning attack leads to a dead Russian programmer who turns up in an alley.

Eventually we will need to up the cost to these guys for doing the things they do.  Currently there is almost no risk to their operations.  We need to change that.  How,  by changing tactics…. and being ruthless.

