Posts Tagged: Kafeine


15
Aug 13

Personalized Exploit Kit Targets Researchers

As documented time and again on this blog, cybercrooks are often sloppy or lazy enough to leave behind important clues about who and where they are. But from time to time, cheeky crooks will dream up a trap designed to look like they’re being sloppy when in fact they’re trying to trick security researchers into being sloppy and infecting their computers with malware.

A fake Nuclear Exploit Pack administrative panel made to serve malware.

A Nuclear Exploit Pack administrative panel made to serve malware.

According to Peter Kruse, a partner and cybercrime specialist with CSIS Security Group, that’s what happened late last month when a Twitter user “Paunchbighecker” started messaging security researchers on Twitter. Paunch the nickname of a Russian hacker who for the past few years has sold the wildly popular Blackhole exploit kit, a crimeware package designed to be stitched into hacked or malicious sites and foist browser exploits on visitors. The person behind Paunchbighecker Twitter account probably figured that invoking Paunch’s name and reputation would add to the allure of his scam.

The Paunchbighecker Twitter account appears to have been created on July 30 for the sole purpose of sending tweets to several security researchers, including this author, Mikko Hypponen of Finnish security firm F-Secure, French malware researcher Kafeine, Polish security researcher tachion24, and SecObsecurity. Strangely enough, the other Twitter account that received messages from this user belongs to Sauli Niinistö, the current president of Finland.

The link that Paunchbighecker sent to researchers displays what appears to be the back-end administrative panel for a Nuclear Pack exploit kit. In fact, the landing page was a fake merely made to look like a Nuclear pack statistics panel. Rather, embedded inside the page itself is a series of active Java exploits. 

Update, 1:56 p.m.: Security researcher Kafeine said he does not believe this was an attack against security researchers, but rather an intentional leak of badguy credentials.  Furthermore, Kafeine notes that visitors to the site link in the Twitter messages would have to take an additional step in order to infect their own computers.

Continue reading →


8
Jul 13

Styx Exploit Pack: Domo Arigato, PC Roboto

Not long ago, miscreants who wanted to buy an exploit kit — automated software that helps booby-trap hacked sites to deploy malicious code  – had to be fairly well-connected, or at least have access to semi-private underground forums. These days, some exploit kit makers are brazenly advertising and offering their services out in the open, marketing their wares as browser vulnerability “stress-test platforms.”

Styx Pack victims, by browser and OS version.

Styx Pack victims, by browser and OS version.

Aptly named after the river in Greek mythology that separates mere mortals from the underworld, the Styx exploit pack is a high-end software package that is made for the underground but marketed and serviced at the public styx-crypt[dot]com. The purveyors of this malware-as-a-service also have made a 24 hour virtual help desk available to paying customers.

Styx customers might expect such niceties for the $3,000 price tag that accompanies this kit. A source with access to one Styx kit exploit panel that was apparently licensed by a team of bad guys shared a glimpse into their operations and the workings of this relatively slick crimeware offering.

The Styx panel I examined is set up for use by a dozen separate user accounts, each of which appears to be leveraging the pack to load malware components that target different moneymaking schemes. The account named “admin,” for example, is spreading an executable file that tries to install the Reveton ransomware.

Other user accounts appear to be targeting victims in specific countries. For example, the user accounts “IT” and “IT2″ are pushing variants of the ZeuS banking trojan, and according to this Styx panel’s statistics page, Italy was by far the largest source of traffic to the malicious domains used by these two accounts. Additional apparently country-focused accounts included “NL,” AUSS,” and “Adultamer” (“amer” is a derisive Russian slur used to describe Americans).

ZeuS Trojan variants targeted at Italian victims were detected by fewer than 5 out 17 antivirus tools.

ZeuS Trojan variants targeted at Italian victims were detected by fewer than 5 out 17 antivirus tools.

An exploit kit — also called an “exploit pack” (Styx is marketed as “Styx Pack”) is a software toolkit that gets injected into hacked or malicious sites, allowing the attacker to foist a kitchen sink full of browser exploits on visitors. Those visiting such sites with outdated browser plugins may have malware silently installed.

Unlike other kits, Styx doesn’t give a detailed breakdown of the exploits used in the panel. Rather, the panel I looked at referred to its bundled exploits by simple two-digit numbers. This particular Styx installation used just four browser exploits, all but one of which targets recent vulnerabilities in Java. The kit referred to each exploit merely by the numbers 11, 12, 13 and 32.

According to the considerable legwork done by Kafeine, a security blogger who digs deeply into exploit kit activity, Styx Kit exploit #11 is likely to be CVE-2013-1493, a critical flaw in a Java browser plugin that Java maker Oracle fixed with an emergency patch in March 2013. Exploit 12 is almost certainly CVE-2013-2423, another critical Java bug that Oracle patched in April 2013. In an instant message chat, Kafeine says exploit #13 is probably CVE-2013-0422, a critical Java vulnerability that was patched in January 2013. The final exploit used by the kit I examined, number 32, maps to CVE-2011-3402, the same Microsoft Windows font flaw exploited by the Duqu Trojan.

The Styx stats page reports that the hacked and malicious sites used by this kit have been able to infect roughly one out of every 10 users who visited the sites. This particular Styx installation was set up on June 24, 2013, and since that time it has infected approximately 13,300 Windows PCs — all via just those  four vulnerabilities (but mostly the Java bugs).

Continue reading →


22
May 13

Krebs, KrebsOnSecurity, As Malware Memes

Hardly a week goes by when I don’t hear from some malware researcher or reader who’s discovered what appears to be a new sample of malicious software or nasty link that invokes this author’s name or the name of this blog. I’ve compiled this post to document a few of these examples, some of which are quite funny.

loginbetabot1

Source: Exposedbotnets.com

Take, for example, the login panel for “Betabot“: Attempt to log in to this malware control panel with credentials that don’t work and you’ll be greeted with a picture of this author, accompanied by the following warning: “Enter the correct password or I will write a 3-part article on this failed login attempt.”

The coders behind Betabot evidently have several versions of this login panel warning: According to a threat intelligence report being released tomorrow by RSA, the latest iteration of this kit uses the mugshot from my accounts at Twtter (follow me!) and Facebook (like it!).

As first detailed by Sophos’s award-winning Naked Security blog, the code inside recent versions of the Redkit exploit kit includes what appears to be a message blaming me for…well, something. The message reads: “Crebs, its [sic] your fault.”

sophosredkit

Text string inside of the Redkit exploit kit. Source: Sophos

The one I probably hear about most from researchers is a text string that is built into Citadel (PDF), an offshoot of the ZeuS banking trojan botnet kit that includes the following reference: “Coded by BRIAN KREBS for personal use only. I love my job and my wife.”

A text string inside of the Citadel trojan. Source: AhnLab

A text string within the code of the Citadel trojan. Source: AhnLab

Those are just the most visible examples. More commonly, if Yours Truly is invoked in the name of cybercrime, it tends to show up in malicious links that lead to malware. Here are a few just from the past couple of weeks:

Continue reading →


7
Jan 13

Crimeware Author Funds Exploit Buying Spree

The author of Blackhole, an exploit kit that booby-traps hacked Web sites to serve malware, has done so well for himself renting his creation to miscreants that the software has emerged as perhaps the most notorious and ubiquitous crimeware product in the Underweb. Recently, however, the author has begun buying up custom exploits to bundle into a far more closely-held and expensive exploit pack, one that appears to be fueling a wave of increasingly destructive online extortion schemes.

Cool Exploit Kit.

Cool Exploit Kit.

An exploit pack is a software toolkit that gets injected into hacked or malicious sites, allowing the attacker to foist a kitchen sink full of browser exploits on visitors. Those visiting such sites with outdated browser plugins may have malware silently installed. In early October  2012, security researchers began noticing that a new exploit pack called Cool Exploit Kit was showing up repeatedly in attacks from “ransomware,” malicious software that holds PCs hostage in a bid to extract money from users.

Kafeine,” a French researcher and blogger who has been tracking the ties between ransomware gangs and exploit kits, detailed Cool’s novel use of a critical vulnerability in Windows (CVE-2011-3402) that was first discovered earlier in the year in the Duqu computer worm. Duqu is thought to be related to Stuxnet, a sophisticated cyber weapon that experts believe was designed to sabotage Iran’s nuclear program.

About a week after Kafeine highlighted the Duqu exploit’s use in Cool, the same exploit showed up in Blackhole. As Kafeine documented in another blog post, he witnessed the same thing happen in mid-November after he wrote about a never-before-seen exploit developed for a Java vulnerability (CVE-2012-5076) that Oracle patched in October. Kafeine said this pattern prompted him to guess that Blackhole and Cool were the work of the same author or malware team.

“It seems that as soon as it is publicly known [that Cool Exploit Kit] is using a new exploit, that exploit shows up in Blackhole,” Kafeine said in an interview with KrebsOnSecurity.

As detailed in an excellent analysis by security firm Sophos, Blackhole is typically rented to miscreants who pay for the use of the hosted exploit kit for some period of time. A three-month license to use Blackhole runs $700, while a year-long license costs $1,500. Blackhole customers also can take advantage of a hosting solution provided by the exploit kit’s proprietors, which runs $200 a week or $500 per month.

Blackhole is the brainchild of a crimeware gang run by a miscreant who uses the nickname “Paunch.” Reached via instant message, Paunch acknowledged being responsible for the Cool kit, and said his new exploit framework costs a whopping $10,000 a month.

At first I thought Paunch might be pulling my leg, but that price tag was confirmed in a discussion by members of a very exclusive underground forum. Not long after Kafeine first wrote about Cool Exploit Kit, an associate of Paunch posted a message to a semi-private cybercrime forum, announcing that his team had been given an initial budget of $100,000 to buy unique Web browser exploits, as well as information on unpatched software flaws. Here is a portion of that post, professionally translated from Russian:

Continue reading →


13
Aug 12

Inside a ‘Reveton’ Ransomware Operation

The U.S Federal Bureau of Investigation is warning about an uptick in online extortion scams that impersonate the FBI and frighten people into paying fines to avoid prosecution for supposedly downloading child pornography and pirated content. This post offers an inside look at one malware gang responsible for orchestrating such scams.

Reveton ransomware scam impersonating FBI

Reveton ransomware scam page impersonating the FBI

In an alert published last week, the FBI said that The Internet Crime Complaint Center — a partnership between the FBI and the National White Collar Crime Center — was “getting inundated with complaints” from consumers targeted or victimized by the scam, which uses drive-by downloads to hijack host machines. The downloaded malware displays a threatening message (see image to the right) and blocks the user from doing anything else unless he pays the fine or finds a way to remove the program.

The FBI alert said the attacks have surged with the help of a “new drive-by virus” called Reveton; in fact, Reveton and its ilk are hardly new. These types of attacks have been around for years, but traditionally have targeted European users. The scam pages used in the attacks mimic official notices from various national police or investigatory agencies, corresponding to the country in which the victim resides. For a breakdown of these Reveton-related ransomware scam pages by country, see this comprehensive gallery set up at botnets.fr.

Reveton.A is blamed in these most recent attacks, and the FBI said it appears Reveton is being distributed in conjunction with Citadel, an offshoot of the ZeuS Trojan that I have written about on several occasions. It is certainly possible that crooks are using Citadel to deploy Reveton, but as I’ll illustrate below, it seems more likely that the attackers in these cases are using exploit kits like BlackHole to plant both threats on victim PCs.

INSIDE A REVETON MALWARE GANG

Operations of one Reveton crime group. Source: ‘Kafeine,’ from botnets.fr.

At least that’s the behavior that’s been observed by a ragtag group of researchers that has been tracking Reveton activity for many months. Some of the researchers are associated with botnets.fr, but they’ve asked to remain nameless because of the sensitivity of their work. One of them, who goes by the screen name “Kafeine,” said much of the Reveton activity traces back to a group that is controlling the operation using reverse proxies at dozens of servers scattered across data centers globally (see this PDF for a more detailed look at the image above).

Kafeine said the groups involved in spreading Reveton are constantly fine-tuning all aspects of their operations, from the scam pages to solidifying their back-end hosting infrastructure. The latest versions of Reveton, for example, serve the scam pages from an encrypted (https://) connection, and only cough up the pages when an infected machine visits and sends a special request. Continue reading →