A very slick Exploit pack that is destined to have a future. Mad props to one of my favorite researchers Dancho Danchev on making this information so accessible.  He provides excellent analysis and commentary and in my opinion is a leading researching with the right mindset for this work.

76service

76service1

76service2

76

The Son of Storm.

This is essentially a rewrite of the Storm worm with a much much stronger command and control channel protection scheme using  as written by the awesome .  Here is an of articles trackings its growth called the Waldec Tracker.

shadowserver_transp_2-500x167

With robust encryption starting to become the norm, IE Conficker is now doing Robust Encryption it will be computationally infeasible to crack and observe the Command and Control traffic as well as conduct integrity attacks and command insertion into these botnets. 

That means we need to be more innovative.. or get some balls and be ruthless.  If your opponent gets smarter than you are, your better off just bashing him in the fucking head.  Pardon my french.

waldec6

They are still using the same tricks, social engineering, email spam for propagation and fast flux for resiliency.

One of the awesome things its doing is crafting custom socially engineered LOCALIZED email spam based on a disaster theme and using GEOIP to localize it to the victims community.  So for example if you live in SanFrancisco it would say something like a Terrorist attack on the Golden Gate Bridge, or an Earth Quake.  Anything to lure the suckers in…

waldec1

Here is alook at the network structure.

waldec21

Thats a whole lotta pwnage boys and girls.  Keep your data close…. Here is the geographic distribution

waldec4

Here are some good links to track .

is a devastating crimeware kit that is highly prevalent.  It focuses on .

Here is an example of one of its Command and Control Interfaces.

zeus1

As you can see this is prevalent in the wild as shown here by Malware Domain List

zeus21

Zeus is also known as NTOS or WSNPoem or PRG.  It has a long history and is responsible for MASSIVE  amounts of data theft.  To include goverments, corporations and individuals.  Encrypted data stores of over 500 GB have been found and it is estimated to have been in operation in some locations for years unoticed.

It is even vulnerable to

Many have and its progeny. Here is a . 

Frank Boldewin has done some awesome reversing and analysis of Rustock, Storm, Zeus, and other samples from some of the most notorious pieces of crimeware prevalent today.

I will mirror his content in all its glory here for posterity BUT he deserves all the credit.  You can learn alot by reviewing other peoples research.

For more on check out this awesome

This is a great trend and what is clearly needed for the community.  HOWEVER…..

Ask your self.  If stuff can stay running long enough to be tracked, and you clearly see the scale and the scope here, There is a SERIOUS problem with enforcement.  So what do you do??  Especially for a Crimeware based Software as a Service Organization running via a Bullet Proof host provider out of a foreign country with no Law Enforcement cooperation? 

zeus4

All of these links are active and can allow you to download and reverse the Zeus binaries.  The configuration files, typically a .bin file hold encrypted information that represents the financial institutions target set.

The answer is simple, you go unattributable, you exploit their systems and either Crypto lock them or Cyberdestroy them.  That is the answer.  Has it been done yet?? Not that I know of.  Who is man enough to make the first move. 

It could be the shot heard round the world that would change the rules of the game.  And Im all for it.  Surgical, devastaing cyber strikes on known, persistant malware infrastructure.

Here are some of Zeus’s advertised capabilities from the Authors themselves…

ZeuS has the following main features and properties (full list is given here, in your part of assembling this list may not): - Written in VC + + 8.0, without the use of RTL, etc., on pure WinAPI, this is achieved at the expense of small size (10-25 Kb, depends on the assembly).
– Workaround most firewall (including the popular Outpost Firewall versions 3, 4, but suschetvuet temporary small problem with antishpionom). Not a guarantee unimpeded reception incoming connections.

– Difficult to d
etect finder / analysis, bot sets the victim and creates a file, the system files and arbitrary size.
- Works in limited accounts Windows (work in the guest account is not currently supported).
– Nevid ekvaristiki for antivirus, Bot body is encrypted.

– Some way creates a suspected its presence, if you do not want it. Here is the view of the fact that many authors do love spyware: unloading firewall, antivirus, the ban on their renewal, blocking Ctrl + Alt + Del, etc.

- Locking Windows Firewall (the feature is required only for the smooth reception incoming connections).
– All your settings / logs / team keeps bot / Takes / sends encrypted on HTTP (S) protocol. (ie, in text form data will see only you, everything else bot <-> server will look like garbage).

– Detecting NAT through verification of their IP through your preferred site.

– A separate configuration file that allows itself to protect against loss in cases of inaccessibility botneta main server. Plus additional (reserve) configuration files, to which the bot will ap
ply, will not be available when the main configuration file. This system ensures the survival of your botneta in 90% of cases.
– Ability to work with any browsers / programs work through wininet.dll (Internet Explorer, AOL, Maxton, etc.):

– Intercepting POST-data + interception hitting (including inserted data from the clipboard).

– Transparent URL-redirection (at feyk sites, etc.) c task redirect the simplest terms (for example: only when GET or POST request, in the presence or absence of certain data in POST-request).

– Transparent HTTP (S) substitution content (Web inzhekt, which allows a substitute for not only HTML pages, but also any other type of data). Substitution of sets with the help of guidance masks substitute.

- Obtaining the required contents page, with the exception HTML-tags. Based on Web inzhekte.
– Custo
mizable TAN-grabber for any country.
– Obtaining a list of questions and answers in the bank “Bank Of America” after successful authentication.

– Removing POST-needed data on the right URL.

– Ideal Virtual Keylogger solution: After a call to the requested URL, a screenshot happening in the area, where was clicking.

– Receiving certificates from the repository “MY” (certificates marked “No exports” are not exported correctly) and its clearance. Following is any imported certificate will be saved on the server.

– Intercepting ID / password protocols POP3 and FTP in the independence of the port and its record in the log only with a successful authorise.

– Changing the local DNS, removal / appendix records in the file% system32% \ drivers \ etc \ hosts, ie comparison specified domain with the IP for WinSocket.

– Keeps c
ontents Protected Storage at first start the computer.
– Removes S ookies from the cache when Internet Explorer first run on a computer.

– Search on the logical disk files by mask or download a specific file.

- Recorded just visited the page at first start the computer. Useful when installing through sployty, if you buy a download service from the suspect, you can see that even loaded in parallel.
- Getting screenshot with the victim’s computer in real time, the computer must be located outside the NAT.
– Admission commands from the server and sending reports back on the successful implementation. (There are currently launching a local / remote file an immediate update the configuration file, the destruction OS).

– Socks4-server.

- HTTP (S) PROXY-server.
– Bot Upgrading to the latest version (URL new version set in the configuration file).

Bot:

- There has its own process, through this can not be detected in the process list.

=============================================================

Here is an example of the builder interface.

zeus61

Here is another Console

zeus5

zeus7

zeus8

Here is some on .

zeus_new_layout_11

24.10.2008

Slides of my Hack.Lu 2008 speech “Rustock.C – When a myth comes true”

14.02.2008

With “More advanced unpacking – Part II” i show you how to decrypt an infamous reallife malware called WSNPOEM aka Infostealer.Banker.C The binaries are usually created with a tool called ZEUS Builder and there exist lots of different versions in the wild. I found samples with and without rootkit functionality, as well as ontop packed binaries, meaning they are additionally protected/packed with tools like Aspack, ACProtect, Polycrypt and so forth. We will discuss all 3 types and how to deal with them in 3 different ways. – 1. Manual unpacking + import fixing – 2. Manual unpacking + Auto import fixing – 3. Auto unpacking/import fixing – Stage 2 introduces a nice tool called “Universal Import Fixer” and Stage 3 shows how to automate unpacking/import fixing with OllyDbgScript.

21.01.2008

This new unpacking tutorial goes far more into depth as the beginners tutorial i have released last year. It aims to show some generic tricks and tools, that can be used on many other protectors. Enjoy!

21.09.2007

This paper is an analysis of the malware Peacomm.C aka StormWorm. It mainly focuses on extracting the native Peacomm.C code from the original crypted/packed code and all things that happens on this way, like: XOR + TEA decryption, TIBS unpacking, defeating Anti-Debugging code, files dropping, driver-code infection, VM-detection tricks and all the nasty things the rootkit-driver does.

21.01.2007

This paper is an analysis of the Rustock.B rootkit. The rootkit used several proprietary obfuscation/packing methods to hide the native driver code from prying eyes. I have divided the paper into two main parts. The first part, which is divided in three stages, describes how to extract the native rootkit driver code without the use of kernel debuggers or other ring0 tools. The second part basically does the same, but much faster and with lesser efforts using the SoftICE kernel debugger. Each part shows various possibilities for solving the different problems facing the researcher when analyzing Rustock. All the code and IDB files are included in the package!

13.12.2006

This flash movie covers how to manual unpack and Auto-IAT fix UPX and Aspack packed binaries. It might be useful for people who are new to malware analysis and don’t have a clue how to unpack and repair a binary. The introduced technique works for many other easy executable packers like FSG too. For best view use a resolution of 1024×768 or higher and select fullscreen (F11) in your browser.

18.03.2006

My first paper is a step by step guidance how to use the world’s best debugger called SoftICE, which is part of Compuwares Driverstudio. This essay discusses the installation & configuration of the debugger, the most useful commands SoftICE offers, a rocking extension called IceExt, as well a categorized list of good breakpoints. For a better understanding screenshots are placed at distinctive points.

Here is an older version.  ALL the credit for this goes to the awesome guys at who seem to have no reservation about showing to the world the innovations and backends of these infrastructures of evil.

All of their reports can be found on their section on their website.

I will be attempt to add my spin to research and look for new angles,  Much of this will be reference material for building on further research.  Additionally the goal will be to capture as much code as possible and hosting it here Offensive Computing Style to further research and awareness.

This pack is called Multi Exploits Pack Version 3.1

NOTE:  Early on in order to avoid analysis, sophisticated IP access monitoring is being done to ensure that clients cannot connect to these sites multiple times.  Sounds like a good opportunity to identify any configuration settings that all unfettered access to IPs for adminstration.  If they are stupid enough to put something like that in there, its a good way to conduct attribution.

multi

Here is the annoying thing.

Note the original posting in a forum to sell this puppy.  Malware authors need to be contacted somehow to sell their stuff.  NOTICE THE ICQ ID that for some reason was blurred by the Finjin report.

multi21

multi3

multi4

As you can see here there is a Targetable Identifier.  The ICQ number.  THANKS FINJIN for bluring it.  This information is useful to the community.  Maybe even possible Mob effects can take over for a little bit of Internet Justice.

This is a perfect target to identify the actors and Attribute them.  Law Enforcement should be beating down ICQ operators doors to get a real world Identity on these people, and force them to roll on their clients, better yet pay them to SNITCH or setup a STING.

Or just publish in underground channels that the Individual is now working for law enforcement.  Next thing you know this devious little reputation poisoning attack leads to a dead Russian programmer who turns up in an alley.

Eventually we will need to up the cost to these guys for doing the things they do.  Currently there is almost no risk to their operations.  We need to change that.  How,  by changing tactics…. and being ruthless.

is an older pack.  It is supposedly coded by a group call “The IDT Group”

Here is a good writeup of its .  Its a professional job. Great analysis by Dancho .

Here is some additional analysis by .  Here is an on its Entire Capabilities.

Note that most of these packs are Russian in origin and then become localized later in other languages.

I will be looking for the source to post as well as doing research on possible exploits for this.  Its possible that many of these packs are going the way of the dodo bird due to Darwin and Natural selection.  Adapt or die.

Here are some of its interfaces.

icepack005

icepack3

 

icepack4

icepack5

icepack6

icepack7

icepack1

icepack_chinese_01

icepack_chinese_02

is an oldie but goodie.  There are many versions and at one point it had a lot of marketshare.  It also was one of the first to be ripped and used / configured by many others.  Cannibals eat their own it seems.  The effect this has is it drives down exploit pack prices.

It is written in C as a CGI program to be run on a web server.  It is possible that it was written by “Grabarz”

Known Versions 3.0.7, 3.1, , 2.0.17, 2.0.15, 2.0, 1.5, 1.0

Supposedly this crew quit development but their source code and legacy will remain as more and more of these crimeware kits are cloned and innovated by others. 

neosploit1

 

neosploit31

I will be searching for the of this to make it available for research.

Why?  To exploit that’s why.  Usually the nubs that run this shit are clueless on how to secure their own systems.  Also we can take advantage of backdoors the authors put into to rip the data from the users.  No honor among theives of course.

However these .  The problem is that many times researchers do find out who it is, then notify the authorities to no avail. 

I am advocating as a Thought Meme the era of Open Source Evidence.  What does this mean exactly?  It means the active and aggressive publication and publishing of evidence that validates and verifies known malware authors and crimeware authors.  The evidence should clearly incriminate said parties.  The evidence should be Posted FIRST to the open source in hightraffic blogs and then reported to Authorities. 

Law enforcement has had plenty of time to pursue these guys and in their Investigations “keep all hush hush” about the evidence and the personalities and organziations behind this fiasco of a mess.  I the mean time victims suffer, with no compensation, retribution, or entity to champion their woes.  I have said many times.  We are sheep among wolves, and our protectors are down the street, hanging out at MacDonalds.

Here is another screenshot of Neosploit. 

takingdown

Here is some additional detail such as the login page..

neo1

neo2

neo31

These are the sites the criminal compromised with Iframes

neo4

Here is a Geographic distribution of the PWNed victims

neo5

is an extremely popular crimeware toolkit. Version 2.4  It includes over 25 different exploits includeing the ever dangerous embedded PDF attacks.

Here is some more on it.

fiesta1

fiesta_stats

Here is a kit called .  I will begin to start searching for the or backend code for each of these exploit packs and post them here for Security Research and Analysis.  This stuff itself is not dangerous.  These are command and control mechanisms to report and monitor botnets.

What IS dangerous is the fact that software and systems do not automatically slipstream vulernability fixes / patches to their users, ensuring that a time gap occurs which gives malicious users the opportunity to exploit systems.

We need to really start rethinking the concepts of software and challenge our traditional assumptions if we are every truly going to make progress in this area. 

adpack1

INTELLIGENCE:

Who coded this, in what language, what is its current black market price, exploitable?

How prevalent or what kind of market share does it have?

What is its backend db?

Apparently there are many configuration vulnerabilities such as weak passwords that can be leveraged to compromise the back end components such as the FTP server, which also may be vulnerable.

What web servers are typically used for these packs?  ? ?

Here is a to some other ADpack screens as well as a C&C Interface for running commands.

crimeserver4

crimeserver5

As you can see above, if you get access to the command and control site you can destroy the system.  Reference the UnInstall Me feature.  Get System info is a good way of notifying affected organizations.    Clearly they dont understand the concept of Privledged commands and Role based Access Control.  Nor is each members campaign usually segregated from other members campaigns thus no privacy per say.

Additionally these kits are like a Service so many users run multiple campaigns.  Sounds like STING TIME> 

It would be entirely plausible to generate a fake service like this with fake simulated information Lure them in, identify them, then SMASH THEM.

You could provide fake or previously compromised data stores, and simulate the growth of their botnets.  It would be all you need to Sow distrust and paranoia into people tempted to get into this line of nefarious work.

Here is what appears to be a localized Russian version of Adpack

crimeserver6

adpack2

So one may ask your self, well anyone can host a page that has exploits.  But how do they manage the sheer scale and scope of the attacks we are seeing today.  The answer is through sophisticated Traffic Redirectors.

Here is an example of one.  It is called .  It provides for sophisticated reporting and statistics.  It basically monitors the traffic that is redirected based on a malicious IFrame placed on a compromised site.  The IFrame will then redirect to a exploit page.

 sutra11

going_along21

SEEKING INTELLIGENCE ON:

Geographic origin of code

Language coded in: CGI possibly PERL

Black Market price range

Forums its marketed on: (Forums/IRC?)

Who the authors are?

Exploitable? TBD

Google identifier search strings.

Code derived from? Progeny.

How long its been in existence?

Number of Versions.

Apparently there are many many of these Traffic Redirector services and even for this traffic. 

robotraff

So virus’s spread back in the day, then got PWNed by antivirus, then vulnerabilities lead to exploits, which lead to worms.  Worms get PWNed by antivirus, Worms get whittled down and turned into trojans that become massively networked to become bots which came from IRC scripts.  Everything is now hid by and protected from reverse engineering and analysis by packing, crypting, poly and meta morphism.  Advanced features are built-in such as automatic bank account balance checking… YEOCH.  Been going on for years.. 

Here is a example of one such bot () that has been OWNING for years and got progressively nastly,  It now targets powerusers in the organizations that can use Sysadmin tools such as psexec and Microsoft SMS or patch distributiom mechanisms to seed entire organizations, including the STATE police.  Fun Fun.  Wonder what data systems they have access to know.  O yea keystroke logging, cookie theft, and password grabbing on the wire, but that’s all STANDARD now in this malware code.  The guys at  are badasses for this. 

This little diddy had HUNDREDS of gigabytes of user data and credentials on its drop site.  Most of which had been already pulled off. Not to mention all the CASH MoOLa they have walked off with.  $90,000 grand on one account alone. 

O ya and No they still have’nt caught the guys yet.  When the US goverment charges the head driver/protector of Osama bin Laden with 5 years in jail even though he most likely knew about the 9/11 plot, what kind of penalties do you think we are levying against extreme ripoff artists with digital weapons….. HRMMM?

is everyone on when this stuff is running around?! Granted Storm is pretty kickass because its decentralized and using a hacked up p2p protocol and .  .  I did tons of research on P2P and its disruptive effects a long time ago, awesome stuff.

By the way why the hell do we not see any AES encrypted malware out there.  Are malware coders dumbasses because most all of their encryption in their products is based on RC4/ROT13/Base64 or some other weak ass pseudo crypto/encoding/scrambling that gets easily broken.

I’m going to have to search for lightweight AES implementations.

Follow

Get every new post delivered to your Inbox.