is kind of a patriarch to many of the modern crimeware kits, however it is important to know what kicked this whole thing off.

There where many many versions (0.851, 0.91, 0.80)

Here is a screenshot of an interface. Here is an of its backend components.

Panda also wrote an on it.

Notice how many of these packs have similar interaces, reporting and features,  Not much in the way of advanced innovation.  They do innovate however slowly through evolutionary methods, not revolutionary.  I would thing that if you put real systems engineer design principals behind this you could come up with something way better. 

mpack

You would think that with the amount of money this stuff pulls in there would be more original development.  Then again it works… so why change.

Once again I will be looking for source to post here for research.

Has anyone determined or done any Marketshare studies about these packs.  It would be an interesting thing to see how the marketshare percentages play out globally and by Region. 

I would like to originate a new Thought Meme on this called “Malicious Product MarketShare”

The goal would be to track the evolutionary phases and trends of these packs and their development, the pricing trends, their percentage of market share by region and globally as well as localization and customization.

Additional trends would be the average number of exploits each includes, inclusion of new features ectera.

Here is an   Apparently it had not been using Usernames but just passwords.

mpack2

Apparently Finjin in their research clearly identifies the users of these services as shown here in one of their reports.

crim

This is a perfect example of implementing my Meme of “Open Source Evidence”  I bet you any amount of money 2 years later.  These individuals met with no penalty whatsoever due to the International excuse and throwing up our hands and saying what can you do…. we dont get cooperation… 

Here is what you do Jackasses.  Expose them to the light of day and then See what happenss.  Do you think that they would be employeed by legitimate companies if they are known criminals?  Do you think maybe you could explose them to possible physical harm due to them being outted?  Do you think they would be employed by the badguys if they are known to be exposed?  IF sufficient light is placed on these people they become worthless due to the fact that they would be potential targets for action.  Good or Bad. 
If I was a cyber mob boss and my henchmen where exposed I would not want to take the risk of having them compromised and roll on me.  So the LESSON of the day is:  POST TO THE NET FIRST THE EVIDENCE (Unredacted and its all its true form and glory.  THEN notify the authorities or the providers, IF you like.  and if its worth it.  Probably not worth it if you ask me..

mpack22

mpack11

mpack3

mpack8

mpack_chinese_01

is an older pack.  It is supposedly coded by a group call “The IDT Group”

Here is a good writeup of its .  Its a professional job. Great analysis by Dancho .

Here is some additional analysis by .  Here is an on its Entire Capabilities.

Note that most of these packs are Russian in origin and then become localized later in other languages.

I will be looking for the source to post as well as doing research on possible exploits for this.  Its possible that many of these packs are going the way of the dodo bird due to Darwin and Natural selection.  Adapt or die.

Here are some of its interfaces.

icepack005

icepack3

 

icepack4

icepack5

icepack6

icepack7

icepack1

icepack_chinese_01

icepack_chinese_02

is an extremely popular crimeware toolkit. Version 2.4  It includes over 25 different exploits includeing the ever dangerous embedded PDF attacks.

Here is some more on it.

fiesta1

fiesta_stats

Here is a kit called .  I will begin to start searching for the or backend code for each of these exploit packs and post them here for Security Research and Analysis.  This stuff itself is not dangerous.  These are command and control mechanisms to report and monitor botnets.

What IS dangerous is the fact that software and systems do not automatically slipstream vulernability fixes / patches to their users, ensuring that a time gap occurs which gives malicious users the opportunity to exploit systems.

We need to really start rethinking the concepts of software and challenge our traditional assumptions if we are every truly going to make progress in this area. 

adpack1

INTELLIGENCE:

Who coded this, in what language, what is its current black market price, exploitable?

How prevalent or what kind of market share does it have?

What is its backend db?

Apparently there are many configuration vulnerabilities such as weak passwords that can be leveraged to compromise the back end components such as the FTP server, which also may be vulnerable.

What web servers are typically used for these packs?  ? ?

Here is a to some other ADpack screens as well as a C&C Interface for running commands.

crimeserver4

crimeserver5

As you can see above, if you get access to the command and control site you can destroy the system.  Reference the UnInstall Me feature.  Get System info is a good way of notifying affected organizations.    Clearly they dont understand the concept of Privledged commands and Role based Access Control.  Nor is each members campaign usually segregated from other members campaigns thus no privacy per say.

Additionally these kits are like a Service so many users run multiple campaigns.  Sounds like STING TIME> 

It would be entirely plausible to generate a fake service like this with fake simulated information Lure them in, identify them, then SMASH THEM.

You could provide fake or previously compromised data stores, and simulate the growth of their botnets.  It would be all you need to Sow distrust and paranoia into people tempted to get into this line of nefarious work.

Here is what appears to be a localized Russian version of Adpack

crimeserver6

adpack2

Unique Pack –

uu

going_along51

NOTE: the possible author of the pack. 

Indication of author is not tantamount to owner of pack or operator of pack.

Most of these things are coded collaboratively from many authors and geographic locations.

For perspective this would be a true realization of the distruptive nature of open source software.

The only real intelligence value of these things are:

What unique identifiers are in the kits that could allow for detection.  See GOOGLE hacking.

["unique sheaf sploits" "Vparivatel" "All Vpars" "Totals/Loads"]

What language is used, can the implementation be exploited.

How can you pwn the server to monitor usage? Exploitable??

Are the operators stupid enough to connect directly or do they come in via proxied connections such as Tor?

WHERE is the DROP SITE?  Can we Trojan the drop site with a payload to track the movement of its data?

Can we poison Pill the data (via Cryptographic attack or assured destruction Secure delete) or the systems that use the data?

So one may ask your self, well anyone can host a page that has exploits.  But how do they manage the sheer scale and scope of the attacks we are seeing today.  The answer is through sophisticated Traffic Redirectors.

Here is an example of one.  It is called .  It provides for sophisticated reporting and statistics.  It basically monitors the traffic that is redirected based on a malicious IFrame placed on a compromised site.  The IFrame will then redirect to a exploit page.

 sutra11

going_along21

SEEKING INTELLIGENCE ON:

Geographic origin of code

Language coded in: CGI possibly PERL

Black Market price range

Forums its marketed on: (Forums/IRC?)

Who the authors are?

Exploitable? TBD

Google identifier search strings.

Code derived from? Progeny.

How long its been in existence?

Number of Versions.

Apparently there are many many of these Traffic Redirector services and even for this traffic. 

robotraff

I wanted to demonstrate the level of sophistication that is running the back end Command and Control servers for many of these web based usually p2p botnets.  Included are support contracts, fees for advanced services, reporting and sometimes the occasional backdoor! Duh.

As currently shown by the the following pack is now very popular..

, currently by many analysts to be at the head of the pack in terms of obfuscation and features.

The pack includes dynamically generated runtime creation of obfuscated Javascript in order to establish an encrypted communication session with the browser via asymmetric encryption.  The browser then sends its critical info such as user agent type, active x controls, plugins, and platform information.

Based on this exchange of information, the pack sends a crafted exploit JUST FOR THE VICTIM.  whee. How special.

luckysploit21

Here is the admin page.

luckysploit101

Forget about it.  Events like this and other zero days will forever put data at Risk.  Of course Im talking about the new 0-day vulnerability that promises to pwn systems the world over, unless you use another browser such as the excellent and wind up getting pwned by some other exploit.  These are called drive-bys but don’t leave your physical body red and bloody, just your bank account and identity and you sense of personal well being and place in this world.  At least there are some that can rapidly respond with intelligence and sympathy.  Im speaking about the excellent analysis that is available from the researchers at and other organizations who consistently provide the detail for enlightened understanding. 

heap_spray

Here is what they have … on …DruUUUm roll please…  The !  It exploits a library function in IE to exploit XML functionality with a ofuscated Javascript delivered by still more SQL injection attacks.  The actual shell code is pretty awesome and can pwn Vista as well due to the evolution of exploits utilizing techniques instead of typical and rapidly becoming exinct buffer overflows via the stack.  From this point it can deliver to a host system any manner of malware as seen and .

Heh,  I just confirmed that one of our clients got exploited on the 11th/12th which means that its pretty prevalent.  That was like 4 days ago!

already has posted the so its only a matter of time till mass chaos.  At this point Microsoft doesnt have a patch yet.  And has already added a for it in the excellent engine of mass destruction. 

On another note, peeps should be using the as it removes a ton of malware from their systems monthly.  You can it removes here which gives pretty good descriptions of the nastiness out there today.

An attack vector trend that is currently in vogue is exploiting legitimate websites such as via SQLinjection attacks to plant hostile IFrames into the websites pages, somtimes all of them, that are invisible because their properties are 0x0 in dimension.  The content of these IFrames are highly javascripts which bounce to other IFrames over and over and finally wind up at a site hosting a malicious webpage constructured to identify user agent settings (IE What browser you are using) and then run a version/product/platform/geographic region specific series of exploits against the users system which has unpatched vulnerabilities either in the OS/Browser or now the trend is in exploiting ancilliary applications such as Browser helper activeX objects, and file parsers such as flash, Jpeg, quicktime. 

Sometimes it takes a whole organization to set this up but there are entire packages that can enable this crimeware to work and even report (enterprise reporting style via digital dashboards back to the operator).  Fortunately there is a lot of competition now and access to these kits are getting easier.  They typically rely on PHP and other scripting languages with a typical database backend. 

When this whole enchilada works however you basically have organizations PWNing their own customers and facilitating the theft of their information.  Each victim that visits the site gets a nasty little downloaded piece of malware, mostly likely packed to get around their antivirus, injected into their explorer.exe process to evade firewalls, and opcode instructed via shellcode to do a reverse shell out of their organization or dump additional modular capabilities.  All in all its an ugly day. 

Some of these are even under the guise of intellectual property protection.

Follow

Get every new post delivered to your Inbox.