Here is an older version.  ALL the credit for this goes to the awesome guys at who seem to have no reservation about showing to the world the innovations and backends of these infrastructures of evil.

All of their reports can be found on their section on their website.

I will be attempt to add my spin to research and look for new angles,  Much of this will be reference material for building on further research.  Additionally the goal will be to capture as much code as possible and hosting it here Offensive Computing Style to further research and awareness.

This pack is called Multi Exploits Pack Version 3.1

NOTE:  Early on in order to avoid analysis, sophisticated IP access monitoring is being done to ensure that clients cannot connect to these sites multiple times.  Sounds like a good opportunity to identify any configuration settings that all unfettered access to IPs for adminstration.  If they are stupid enough to put something like that in there, its a good way to conduct attribution.


Here is the annoying thing.

Note the original posting in a forum to sell this puppy.  Malware authors need to be contacted somehow to sell their stuff.  NOTICE THE ICQ ID that for some reason was blurred by the Finjin report.




As you can see here there is a Targetable Identifier.  The ICQ number.  THANKS FINJIN for bluring it.  This information is useful to the community.  Maybe even possible Mob effects can take over for a little bit of Internet Justice.

This is a perfect target to identify the actors and Attribute them.  Law Enforcement should be beating down ICQ operators doors to get a real world Identity on these people, and force them to roll on their clients, better yet pay them to SNITCH or setup a STING.

Or just publish in underground channels that the Individual is now working for law enforcement.  Next thing you know this devious little reputation poisoning attack leads to a dead Russian programmer who turns up in an alley.

Eventually we will need to up the cost to these guys for doing the things they do.  Currently there is almost no risk to their operations.  We need to change that.  How,  by changing tactics…. and being ruthless.

is kind of a patriarch to many of the modern crimeware kits, however it is important to know what kicked this whole thing off.

There where many many versions (0.851, 0.91, 0.80)

Here is a screenshot of an interface. Here is an of its backend components.

Panda also wrote an on it.

Notice how many of these packs have similar interaces, reporting and features,  Not much in the way of advanced innovation.  They do innovate however slowly through evolutionary methods, not revolutionary.  I would thing that if you put real systems engineer design principals behind this you could come up with something way better. 


You would think that with the amount of money this stuff pulls in there would be more original development.  Then again it works… so why change.

Once again I will be looking for source to post here for research.

Has anyone determined or done any Marketshare studies about these packs.  It would be an interesting thing to see how the marketshare percentages play out globally and by Region. 

I would like to originate a new Thought Meme on this called “Malicious Product MarketShare”

The goal would be to track the evolutionary phases and trends of these packs and their development, the pricing trends, their percentage of market share by region and globally as well as localization and customization.

Additional trends would be the average number of exploits each includes, inclusion of new features ectera.

Here is an   Apparently it had not been using Usernames but just passwords.


Apparently Finjin in their research clearly identifies the users of these services as shown here in one of their reports.


This is a perfect example of implementing my Meme of “Open Source Evidence”  I bet you any amount of money 2 years later.  These individuals met with no penalty whatsoever due to the International excuse and throwing up our hands and saying what can you do…. we dont get cooperation… 

Here is what you do Jackasses.  Expose them to the light of day and then See what happenss.  Do you think that they would be employeed by legitimate companies if they are known criminals?  Do you think maybe you could explose them to possible physical harm due to them being outted?  Do you think they would be employed by the badguys if they are known to be exposed?  IF sufficient light is placed on these people they become worthless due to the fact that they would be potential targets for action.  Good or Bad. 
If I was a cyber mob boss and my henchmen where exposed I would not want to take the risk of having them compromised and roll on me.  So the LESSON of the day is:  POST TO THE NET FIRST THE EVIDENCE (Unredacted and its all its true form and glory.  THEN notify the authorities or the providers, IF you like.  and if its worth it.  Probably not worth it if you ask me..






is an extremely popular crimeware toolkit. Version 2.4  It includes over 25 different exploits includeing the ever dangerous embedded PDF attacks.

Here is some more on it.




Get every new post delivered to your Inbox.