Posts Tagged: Phoenix Exploit Kit


8
Apr 13

Phoenix Exploit Kit Author Arrested In Russia?

The creator of a popular crimeware package known as the Phoenix Exploit Kit was arrested in his native Russia for distributing malicious software and for illegally possessing multiple firearms, according to underground forum posts from the malware author himself.

The last version of the Phoenix Exploit Kit. Source: Xylibox.com

The last version of the Phoenix Exploit Kit. Source: Xylibox.com

The Phoenix Exploit Kit is a commercial crimeware tool that until fairly recently was sold by its maker in the underground for a base price of $2,200. It is designed to booby-trap hacked and malicious Web sites so that they foist drive-by downloads on visitors.

Like other exploit packs, Phoenix probes the visitor’s browser for the presence of outdated and insecure versions of browser plugins like Java, and Adobe Flash and Reader. If the visitor is unlucky enough to have fallen behind in applying updates, the exploit kit will silently install malware of the attacker’s choosing on the victim’s PC (Phoenix targets only Microsoft Windows computers).

The author of Phoenix — a hacker who uses the nickname AlexUdakov on several forums — does not appear to have been overly concerned about covering his tracks or hiding his identity. And as we’ll see in a moment, his online persona has been all-too-willing to discuss his current legal situation with former clients and fellow underground denizens.

Exploit.in forum member AlexUdakov selling his Phoenix Exploit Kit.

Exploit.in forum member AlexUdakov selling his Phoenix Exploit Kit.

For example, AlexUdakov was a member of Darkode.com, a fairly exclusive English-language cybercrime forum that I profiled last week. That post revealed that the administrator accounts for Darkode had been compromised in a recent break-in, and that the intruders were able to gain access to private communications of the administrators. That access included authority to view full profiles of Darkode members, as well as the private email addresses of Darkode members.

AlexUdakov registered at Darkode using the address “nrew89@gmail.com”. That email is tied to a profile at Vkontakte.ru (a Russian version of Facebook) for one Andrey Alexandrov, a 23-year-old male (born May 20, 1989) from Yoshkar-Ola, a historic city of about a quarter-million residents situated on the banks of the Malaya Kokshaga river in Russia, about 450 miles east of Moscow.

ASK-74u rifles. Source: Wikimedia Commons.

AKS-74u rifles. Source: Wikimedia Commons.

That nrew89@gmail.com address also is connected to accounts at several Russian-language forums and Web sites dedicated to discussing guns, including talk.guns.ru and popgun.ru. This is interesting because, as I was searching AlexUdakov’s Phoenix Exploit kit sales postings on various cybercrime forums, I came across him discussing guns on one of his sales threads at exploit.in, a semi-exclusive underground forum. There, a user with the nickname AlexUdakov had been selling Phoenix Exploit Kit for many months, until around July 2012, when customers on exploit.in began complaining that he was no longer responding to sales and support requests. Meanwhile, AlexUdakov account remained silent for many months.

Then, in February 2013, AlexUdakov began posting again, explaining his absence by detailing his arrest by the Federal Security Service (FSB), the Russian equivalent of the FBI. The Phoenix Exploit Kit author explained that he was arrested by FSB officers for distributing malware and the illegal possession of firearms, including two AKS-74U assault rifles, a Glock, a TT (Russian-made pistol), and a PM (also known as a Makarov).

Continue reading →


7
Feb 13

Microsoft, Symantec Hijack ‘Bamital’ Botnet

Microsoft and Symantec said Wednesday that they have teamed up to seize control over the “Bamital” botnet, a multi-million dollar crime machine that used malicious software to hijack search results. The two companies are now using that control to alert hundreds of thousands of users whose PCs remain infected with the malware.

bamitalThe tech firms said their research shows that in the last two years, more than eight million computers have been attacked by Bamital, and that the botnet’s search hijacking and click fraud schemes affected many major search engines and browsers, including those offered by Microsoft, Yahoo and Google.

Users of machines infected with Bamital are likely to see a Web page like the one pictured at right the next time they search for something online. That’s because Microsoft convinced a judge at the U.S. District Court for the Eastern District of Virginia to give it control over the infrastructure that Bamital used to coordinate the search hijacking activities of host PCs.

On Wednesday, technicians working on behalf of both Microsoft and Symantec raided data centers at Leaseweb USA in Manassas, Va., and ISPrime in Weekawken, New Jersey, accompanied by U.S. federal marshals. The two companies are now using the botnet’s control channels to communicate with infected PCs and to notify affected users.

According to Microsoft’s lawsuit, Bamital is most often installed via drive-by downloads, which use exploit kits stitched into hacked and malicious Web sites. Microsoft said the bad guys behind the botnet exclusively used the Phoenix Exploit Kit, a malware tool that uses vulnerabilities in Web browsers to silently install malware.

Bamital alters the organic search results on the host machine, redirecting victims away from sites as indexed by the major search providers toward pages that provide advertising and referral commissions to affiliate marketers. Redmond included several examples in its petition to the court, such as when a victim with Bamital searches for Microsoft Halo, and upon clicking the top link in the results is taken to a completely different set of search engine results.

Microsoft employees (left) at  ISPrime, a hosting facility in New Jersey.

Microsoft employees (left) at ISPrime, a hosting facility in New Jersey.

Microsoft said Bamital also orders infected systems to participate in “click fraud,” or to generate automated Internet traffic by instructing those computers — without the owner’s knowledge or intervention — to connect to any Web site chosen by the botmasters. Meanwhile, the owner of the infected computer – even if they were sitting at the computer – would not see the hidden browser.

It’s not hard to see why threats like Bamital are so prevalent: An estimated $12.7 billion was spent on Internet advertising in 2012, and click fraud is taking a huge bite out of the expected returns. Microsoft’s own research indicates that 22 percent of all ad-clicks are fraudulent.

Continue reading →