Skip navigation.
Home

jamieres's blog

Intelligence and operational level by Siberia Exploit Pack

| |

Siberia Exploit Pack is a crimeware, evolution of Napoleon Exploit Pack, which we've done a brief description on another occasion. However, since the time of that description to this day, the landscape has expanded its developer.

In this regard, and while it ends up being one of the bunch, the interesting thing about this crimeware is information provided by their panel of statistics (intelligence for the attacker), by the way very similar to that provided by Eleonore Exploit Pack, which provide data regarding the success of business which has the exploit  pack for recruitment zombie, discriminating on the basis of these data:

  • Countries affected
  • Most exploited Operating Systems
  • Reference domains with the highest percentage by which vulnerabilities are exploited
  • Browsers exploited
  • Pre-compiled exploits in this version of the package

Let me stress (because it's a minor detail) with this collection of information is nothing more than to intelligence, which allows the attacker to know, at first instance:

In the former case, the population of which country is more vulnerable, perhaps because of their level of piracy, which brings to attention the lack of security updates for operating systems and applications, because as we will see to reach exploits, all these are known and have long been concerned with the patch that fixes the vulnerability.

In this case, the first five countries where this crimeware has higher infection rate include the United States, Britain, Canada, Russia and Germany.

The same approach is being pursued with the data we obtained on operating systems "vulnerable" in quotes because, as I said above, the degree of vulnerability of the OS depends directly on a number of aspects that should be covered by hardening, in which an important factor is the implementation of security patches.

For example, the vulnerability in MDAC (Microsoft Data Access Components) from the year 2006 (four years), described in Microsoft Official Bulletin MS06-014. The impact on operating systems have this version of crimeware, we can see in the picture below.

The list of operating systems is large and attacked the three with the highest vulnerability gap belongs to the family of Microsoft (which is obviously due to the massiveness of use), and other MS also.

However, the crimeware cover other non-Windows operating systems, including PlayStation consoles (GNU / Linux or Black Rhino) and Nintendo Wii (ironically a modified version of a GNU/Linux), in the case of OS used and Workstations high-end mobile phones, including:

  • Mac OS
  • GNU/Linux
  • FreeBSD
  • iPhone
  • Windows Mobile
  • Windows CE
  • Pocket PC
  • Symbian OS

Here we are beginning to recognize that criminals have broadened the scope of coverage, incorporating into its portfolio of options exploitation of vulnerabilities (through the browser) and recruitment of zombies on other operating systems used in other computer technologies.

State of the art in CRiMEPACK Exploit Pack

| |

CRiMEPACK exploit pack is a widespread and accepted in the crime scene in this area came under the slogan "Highest Lowest rates for the price".

He is currently In-the-Wild 3.0 version is being developed as alpha (the first of this version). That's, is in the middle stage of evaluation, perhaps in the next few days will go on sale in underground forums, at which time it will know your actual cost.

Like any pack exploit, it also consists of a set of pre-compiled exploits to take advantage of a number of vulnerabilities in systems with weaknesses in some of its applications, then download and run (Drive-by-Download & Execute) codes malicious and convert that system into a zombie, and therefore part of the apparatus crime.

And I mean ... "criminal" because those behind the development of this type of crimeware do for this purpose. And judging by the pictures (a washcloth, a handgun, a wallet, money and what appears to be cocaine, own scenario of all mafia) observed in the authentication interface your control panel, this definition is very evident.

The first time I found this package was in 2009, when version In-the-Wild was version 2.1 and later expressed his "great leap" to one of the most popular: version 2.8 (still active) which in early 2010 had incorporated into its portfolio of exploits CVE-2010-0188 y CVE-2010-0806; in addition to adding an iframe generator and function "Kaspersky Anti-emulation", at a cost of USD 400.

Siberia Exploit Pack. Another package of explois In-the-Wild

|

Siberia Exploit Pack is a new package designed to exploit vulnerabilities and recruit zombies original, as is easy to deduce from its name and as is customary in this area crimeware clandestine business in Russia.

RussKill. Application to perform denial of service attacks

|

Conceptually speaking, a DoS attack (Denial of Service attack) is basically bombarded with requests for a service or computer resource to saturate and the system can not process more data, so those resources and services are inaccessible, "denying" the access to anyone who wants them.

From the standpoint of computer security, Denial of Service attacks are a major problem because many botnets are designed to automate these attacks, especially those of particular purpose, taking advantage of computational power offered by the network of zombies. In this case, the attack is called Distributed Denial of Service (DDoS).

Moreover, under the framework of the concept of cyberwarfare, this type of attack is part of the armament "war" through which virtual scenarios presented conflicts between their requirements as to neutralize a state vital services.

RussKill is a web application that is classified within these activities and that despite being extremely simple, both in functionality and in the way of use, is an attack that could be very effective and difficult to detect.

As is customary in the current crimeware, the web application is of Russian origin and has a number of fields with information about how and against whom to carry out the attack, letting you configure the packet sequence, ie the flow in amount. The option "Hide url" is a self-defensive measure designed to ensure that the server is detected.

Although several methods of DoS attacks, RussKill makes use of the attacks HTTP-flood and SYN-flood. In both cases the servers for flood victims through http requests and packets with fake source IP addresses respectively.

As I said at first, the denial of service attacks are a danger for any information system, regardless of the platform that supports services and applications such, in this case site, demonstrates the ease with which an attack of this type can run.

Jorge Mieres
Pistus Malware Intelligence

DDoS Botnet. New crimeware particular purpose

| |

An attack by Denial of Service (DoS) consists basically of abuse of a service or resource by successive requests, either intentional or negligent, which eventually break the availability of such service or resource temporarily or completely.

When this type of attack is performed using the processing power of an important set of computers carrying out the abuse of requests synchronously, we are witnessing an attack Distributed Denial of Service (DDoS).

T-IFRAMER. Kit for the injection of malware In-the-Wild

| |

T-IFRAMER is a package that allows you to automate, centralize and manage via http the spread of malicious code via code injection sites violated viral techniques using iframe, and feed a botnet. We then see a screen capture of authentication.

While there is a complex kit allows computer criminals manage the spread of malware via the http protocol type attacks using Drive-by-Download and Drive-by-Injection by inserting iframe tags in web pages violated.

The four key modules: Stats, Manager, Iframes and Injector, and each has the main function to optimize the spread of malware.

The first one (Stats) to manage FTP accounts violated having control over them with the ability to upload files. Thus begins one of the cycles of propagation of malicious code.

ZeuS and power Botnet zombie recruitment

| |

As I have said on several occasions, ZeuS botnets is one of the more "media" (hence one of the best known and popular), more aggressive and criminal activity that has more advanced functions that allow phishing attacks, monitor the zombies in real time and collect all this information through different protocols.

Syndicate content