Archive for July, 2007

Ice(Pack) for the summer

July 26, 2007

It’s summer, about 29ºC (84ºF) in Bilbao, a sunny and beautiful day. A good time for an ice cream. But today we’ll change the menu and have an IcePack instead.
IcePack Platinum is the name of a new “Kit for installing malware through exploits”. As for the exploits it uses, there is nothing new to add: it is very similar to Mpack, taking advantage of the latest exploits to have appeared. This way, they have more chances of infecting users who have not applied the latest patches:

– MS06-014 Internet Explorer 6

– MS06-006 Firefox 1.5

– MS06-006 Opera 7

– WVF Overflow

– QuickTime Overflow

– WinZip Overflow

– VML Overflow

Here you have an image of the ftp checker:

IcePack is programmed by a different group (IDT Group) from Mpack’s creators (Dream Coders Team). The price of this tool is also lower than Mpack’s: it can be purchased for $400.

XRumer

July 24, 2007

As we mentioned in Spam in PHP forums and in Spam in PHP forums (II), it has become more and more common to see websites (forums, blogs, wikis, guestbooks, etc.) containing advertising comments or links that lead to sites that infect visitors with malware.

We are going to talk about a program that allows this type of comment to be created: XRumer.

It is sold for $450, and for $50 more you can have Hrefer, which adds more functions.

As far as web posting is concerned, this application is more powerful than Zunker, which is only able to post to phpBB and vBulletin.

XRumer can post to phpBB and PHP-Nuke (with any modification), YaBB, vBulletin, Invision Power Board, IconBoard, UltimateBB, exBB and phorum.org.

Basically, it follows the process below:

– It looks for websites where comments can be inserted.

– It registers itself as a user.

– It posts the message.

These websites usually include human verification codes to make automatic registration harder for this kind of robot, or they use filters to block IP addresses that carry out suspicious operations.

That is why this program is able to recognize the text in the following types of image:

It can also connect through a list of proxies in order to use different IP addresses.

Here you have a video showing the program at work.

According to its creators, it is able to post 1100 links in only 15 minutes.

More about Mpack (II)

July 20, 2007

Today I have come across a server hosting an Mpack, and 292 different websites contain iframes that point to it.

Most of the infected users are Italian, as in the case we explained a month ago. You can check the information at the following link: http://blogs.pandasoftware.com/blogs/pandalabs/archive/2007/06/19/More-about-Mpack.aspx

The most curious thing is that, after analyzing the IP address ranges, we have seen that the websites are hosted at the same Italian provider as in the other case.

The version of this Mpack is 0.91. However, the latest version we have found is 0.94.
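An added check, not from the original post, that a site owner could run over their own pages to spot the kind of injected iframe the post describes: it flags iframes that point off-site, are sized 1x1 (or smaller) or are hidden by CSS. The HTML below is a constructed sample, and exploit-host.invalid is a placeholder hostname.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample page: one legitimate iframe and two injected-looking ones.
SAMPLE_HTML = """<html><body><h1>Welcome</h1>
<iframe src="http://exploit-host.invalid/in.php" width="1" height="1"
        style="visibility: hidden"></iframe>
<iframe src="/player.html" width="640" height="480"></iframe>
<p>Footer</p><iframe src="http://exploit-host.invalid/" style="display:none"></iframe>
</body></html>"""


class IframeCollector(HTMLParser):
    """Collect the attribute dict of every <iframe> start tag."""

    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag == "iframe":
            self.iframes.append({k.lower(): (v or "") for k, v in attrs})


def _tiny(value):
    """True for width/height values of 2px or less (the classic 1x1 frame)."""
    try:
        return int(value.strip().lower().rstrip("px")) <= 2
    except ValueError:
        return False


def suspicious_iframes(html, site_host):
    """Return a list of (src, reasons) for iframes that look injected.

    site_host is the hostname the page legitimately lives on; same-site and
    relative sources are not treated as off-site.
    """
    collector = IframeCollector()
    collector.feed(html)
    findings = []
    for attrs in collector.iframes:
        src = attrs.get("src", "")
        host = urlparse(src).hostname
        style = attrs.get("style", "").replace(" ", "").lower()
        reasons = []
        if host and host != site_host:
            reasons.append("off-site source")
        if _tiny(attrs.get("width", "")) and _tiny(attrs.get("height", "")):
            reasons.append("tiny (2px or less)")
        if "display:none" in style or "visibility:hidden" in style:
            reasons.append("hidden by CSS")
        if reasons:
            findings.append((src, reasons))
    return findings


if __name__ == "__main__":
    for src, why in suspicious_iframes(SAMPLE_HTML, "example.org"):
        print(src, "->", ", ".join(why))
```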

PINCH, THE TROJAN CREATOR

July 18, 2007

Some time ago, we talked to you about malware prices, HTTP botnets, etc. Today I will show you the level Trojan creators have reached and the way some of them release their ‘builders’: veritable centers for designing and creating fully customizable Trojans. This is where Pinch comes in.

It is a tool for creating Trojans that allows the Trojan’s actions to be defined, the executable to be packed to make detection harder, and specific ‘annoying’ services, such as those of antivirus products, to be disabled.

Among the tools for creating viruses, Trojans, etc., this may be the most widely used, distributed and sold, thanks to its ease of use and very intuitive interface. It allows malicious attackers to have an executable ready to infect, steal, spread, etc. in a few minutes. As a result, victims suffer serious problems without even realizing it, until it is too late and they have to face the financial consequences.

First, attackers must choose the ‘return’ mode for the data the Trojan obtains: whether the data should be sent via SMTP or HTTP, or simply left in a file on the system to be recovered later through a backdoor that the Trojan opens on the victim’s computer.

If SMTP is chosen, the following parameters must be specified:
+ SMTP server and port to use.
+ ‘From’ and ‘To’ fields of the email to send.
+ Subject.
+ Interval between data sends.

If HTTP is chosen, the name of the server hosting mail3.php must be specified; mail3.php loads the information onto the server.

If the FILE method is chosen, the name and path of the file created with the information must be specified.

There are several tabs in the middle of the screen where the parameters below can be specified:

PWD: The type of password to be stolen can be indicated, from mail programs to passwords stored in browsers, including system information. The report can also be encrypted.

RUN: The way the Trojan will run on the target computer, the location it will be copied to (if necessary), its name, etc. are indicated. If Autorun is selected, there are several options to choose from:

+ Standard: It copies the executable file to the selected directory and adds it to the registry to carry out the autorun.
+ DLL RUN: It copies the Trojan to the directory, creates a .dll and adds a reference to it in the Windows Registry so it runs automatically.
+ UNDELETE: It compiles the Trojan and converts it to different formats (exe, dll), compiles a .dll again with one of the conversions, etc.
+ SERVICE: It copies the Trojan to the directory and creates a reference in the Windows Registry so it runs automatically. The name of the service can be specified.

It can also be set to act on a specific date and time, delete itself, and run when it detects a network connection or after a reboot. It can also be compiled to change the Windows firewall settings so the Trojan is allowed to act.

SPY: This section lets the Trojan act as a keylogger, take screenshots of the victim’s desktop, capture IE data, look for certain files on the target system, etc.

NET: Allows the victim’s PC to be turned into a proxy, specifying ports, etc. It also acts as a downloader: by specifying the address of an executable file, victims download the .exe and run it. The last option allows connecting to a PHP script, with parameters to be specified, etc.

BD: Backdoor. Allows ports to be specified and logs to be opened on victims’ computers.

ETC: Allows the Trojan to be hidden using typical joiner methods.

KILL: Allows the selected services or processes to be killed. Most antivirus services are selected by default.

IE: Allows attackers to add sites to the IE Trusted Sites and the favorites section.

WORM: Allows worm characteristics to be set for the Trojan so it distributes itself.

IRC-BOT: Allows victims’ computers to be added to an IRC bot network, specifying the server, channel, port and password.

It also allows the Trojan to be encrypted using RC4 and packed using FSG, UPX or MEW.

Once all the Trojan’s characteristics are specified, it must be compiled to obtain the .exe file.

The version I have used for this post is 2.60, since the builder in this version is very complete. Later versions are available, but their builders are cut down and do not allow all the Trojan’s characteristics to be specified from a single builder. The author has ‘diversified’ them, creating a specific builder for SMTP and removing several options which are now included in the final Trojan by default. Bearing builder prices in mind, this move to make their ‘creations’ more profitable is not surprising. Here you have a screenshot of the latest version:

The parser: Pinch is accompanied by a parser program capable of reading and decrypting the logs left by the Trojan. The parser lets you search the logs and, truth be told, it is easy to use and makes it easy to view the different log data obtained by the Trojan:

A new case of RansomWare !!!

July 17, 2007

We have detected a new case of RansomWare.

Once the malware infects a user and encrypts their files, several “read_me.txt” files are created on the infected system, warning the user that their data files have been encrypted and that they will not be able to access them unless they pay a ransom of $300.

The email addresses indicated in the message may vary:

kiloglamour@gmail.com

tristanniglam@gmail.com

oxyglamour@gmail.com

glamourepalace@gmail.com

The “personal code” may also vary, depending on the random value used to encrypt the data.

The encrypted files usually begin with the text “GLAMOUR”:

We have managed to access the data on the infected systems, and there are 1,108 infected computers.

In addition, on 111 of those machines port 6838 is open so that the machine acts as a socket server.

The “construction kit” of Trj/Sinowal has been used to create this Trojan.

We already mentioned this malware family at eCrime 2007:

http://research.pandasoftware.com/blogs/research/archive/2007/03/29/eCrime-2007-Congress.aspx

According to SecureWorks, this “construction kit” is sold for around $1,000.

http://www.computerworlduk.com/management/security/cybercrime/news/index.cfm?RSS&NewsId=3740

This variant has been detected as Trj/Sinowal.FY in the signature file.
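An added triage script, not from the original post, that walks a directory tree and reports the two indicators the post describes: ransom notes named read_me.txt and files whose first bytes are the “GLAMOUR” marker. The sample tree it builds in a temporary directory is constructed for the demonstration; the ransom note text and “personal code” in it are placeholders.

```python
import os
import tempfile

RANSOM_NOTE = "read_me.txt"   # note file name quoted in the post
MAGIC = b"GLAMOUR"            # prefix the post says encrypted files usually start with


def scan_tree(root):
    """Walk root and return {'notes': [...], 'encrypted': [...]} of matching paths."""
    notes, encrypted = [], []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if name.lower() == RANSOM_NOTE:
                notes.append(path)
                continue
            try:
                with open(path, "rb") as fh:
                    head = fh.read(len(MAGIC))   # only the first bytes are needed
            except OSError:
                continue                          # unreadable file: skip, keep scanning
            if head == MAGIC:
                encrypted.append(path)
    return {"notes": sorted(notes), "encrypted": sorted(encrypted)}


def build_sample_tree():
    """Constructed sample: two 'encrypted' files, one untouched file and one note."""
    root = tempfile.mkdtemp(prefix="glamour_demo_")
    os.makedirs(os.path.join(root, "docs"))
    with open(os.path.join(root, "docs", "report.doc"), "wb") as fh:
        fh.write(MAGIC + b"\x00\x11\x22 constructed ciphertext")
    with open(os.path.join(root, "photo.jpg"), "wb") as fh:
        fh.write(MAGIC + b"\x9f\x01 more constructed ciphertext")
    with open(os.path.join(root, "notes.txt"), "wb") as fh:
        fh.write(b"plain text, untouched")
    with open(os.path.join(root, "docs", RANSOM_NOTE), "w") as fh:
        fh.write("Your files are encrypted. Personal code: <placeholder>\n")
    return root


if __name__ == "__main__":
    result = scan_tree(build_sample_tree())
    print(f"{len(result['encrypted'])} encrypted file(s), {len(result['notes'])} note(s)")
    for path in result["encrypted"]:
        print("  encrypted:", path)
```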

Spammers: PDF rules!

July 11, 2007

A few weeks ago a spam attack was launched, as happens every day. But that time there was something new: it was a pump-and-dump stock scam using a PDF attachment. What’s more, the PDF looked very professional, so many people could be fooled. You can download the PDF by clicking on the image below:

It must have been successful somehow, as the number of these PDF scams is increasing a lot. We must say that most of them are made really poorly; just take a look at the following screenshots:

But you can find some that look better:

As you can see, most of the time they are just copy-pasting the body of the “old” spam messages into the PDF file. But today I have found one that caught my eye. The first thing is the subject (Off the record), which on its own arouses anyone’s curiosity. If the message is opened, there is a PDF attached whose name is the name and surname of the mail account’s user! When it is opened, we discover that we will be given $500 if we reactivate an online casino account; in the end it was not so exciting:

Guided shopping

July 10, 2007

Last week we heard about an online shop selling iPhones. This would not be unusual except for the fact that it is a classic case of phishing. Basically, you access the website thinking you are buying from Apple’s official shop, but in fact you are not. No matter how many iPhones you purchase and pay for, you will not receive any.

I’ve gone a little further to see how the swindle has been carried out, and I’ve been really surprised by the discovery.

They have plenty of resources to make you visit their website instead of the official one. We have never seen a deployment of resources and organization like this before.

We already knew about banker Trojans that send all the information they obtain to a server. In addition, they turn your computer into a bot completely controlled by a central server, from which each bot and the stolen information can be managed… Well, I have come across a variation of this framework that is totally focused on the iPhone swindle.

 

When a PC is infected by the Trojan, it automatically becomes a bot of the server in question. The first time it connects to the Internet, the Trojan sends several requests to the server to receive instructions, which it then carries out on your computer.

The server sends several pieces of data so that when you visit certain websites, you are redirected to others without being aware of it. Up to this point it may seem normal, but what surprises me most is that, as well as redirecting, it is able to display popups and banners, and it can even modify the results offered by the most common Internet search engines, such as Google, when certain searches are made.

When an infected PC visits www.iphone.com to purchase an iPhone, the user will actually be buying it from their website instead of the official one.

 

As you can see, they can carry out all kinds of operations from the control panel in order to guide us to their iPhone online shop.

Currently, this bot server controls 7519 bots, a number not to be sneezed at.

From the “COMMANDS ADMIN” section, all kinds of commands can be sent to the bots, from downloading new executables to restarting the PC.

 

 

In “REDIRECTS ADMIN”, the redirections are specified: the website the user thinks they are visiting and the website they will really be visiting. As you can see, almost all the redirections involve Apple websites.

In “SEARCH REDIR”, the URLs that will be displayed when the bot performs a search with an Internet search engine are specified, as well as the words that trigger the redirection.

In “INJECTS ADMIN”, the “injects” are specified: when a bot visits a specified URL, it injects code into the page so that, for example, it can modify the website’s links. As you can see, all the injections refer to Apple’s websites, and they inject code so that when a link on the website is followed, you are redirected to their “online shop”.

In “POPUPS ADMIN” and “BANNERS ADMIN”, the banners and popups to be displayed in the bot’s browser are specified. They always refer to their online shop selling iPhones.

 

 

We have never seen before a botnet specifically dedicated to “guiding” its bots when their owners want to buy an iPhone. We can conclude that it is a very important business for them, above all judging by the determination with which they have developed it.

It is interesting to see how the most widely used tools in the world of Trojans and botnets are being used in the world of phishing. This proves that thousands of computer crimes are being committed, and the worst thing of all is that many people all over the world have been victims of these swindles.

This server is currently up and is still sending commands to its bots so that the PCs are redirected to their illegal website.

The most interesting thing of all is that they can use this management system not only for one shop, but in future for other shops offering brand-new, sought-after products, as in the case of Apple’s iPhones. In fact, the shop is offline right now, but I’m sure they will use their botnet again with other “online shops”.

June spyware list

July 4, 2007

This month, Application/MyWebSearch takes first position on the list, with only 36 detections fewer than Adware/Lop, which drops to second position.

1.- Application/MyWebSearch

2.- Adware/Lop

3.- Adware/Gator

4.- Dialer.XD

5.- Spyware/Virtumonde

6.- Application/SystemDoctor2006

Application/SystemDoctor2006 goes up from 11th to 6th position. It is a fake error-repairing program that is usually installed by Adware/SystemDoctor. There are also many websites or advertisements that simulate an analysis of the machine so that users install the program. They are then asked to purchase, for a modest price, a program to remove them.

Adware/Navipromo goes up from 21st to 19th position. It is adware that promotes dialers and uses rootkit techniques to go unnoticed. It usually comes with other programs such as MailSkinner, WebMediaplayer or InternetGameBox.

Trj/Torpig, a banker Trojan, keeps the 37th position, as in the previous month. The Trj/Torpig and Trj/Sinowal families are very similar. We explained the techniques used by Trj/Sinowal at the eCrime Congress. You can take a look at the paper here.