Posts Tagged: Nmap


19
Jul 13

Styx Crypt Makers Push DDoS, Anti-Antivirus Services

I recently published a piece that examined the role of several Ukrainian men likely responsible for making and marketing the Styx Pack malware exploit kit. Today’s post will show how this same enterprise is linked to a DDoS protection scheme and a sprawling cybercrook-friendly malware scanning service that is bundled with Styx-Crypt.

Anonymous antivirus scanning service -- captain-checker[dot]com -- bundled with the Styx exploit pack.

Anonymous antivirus scanning service — captain-checker.com — bundled with Styx.

As I noted in a graphic accompanying a July 8 analysis of Styx, the $3,000 exploit pack includes a built-in antivirus scanning service that employs at least 17 antivirus products. The scanning service is “anonymous,” in that it alerts Styx customers whenever one of the antivirus tool detects their malware  as such, but the service also prevents the antivirus products from reporting home about the new malware detections.

When Styx customers click on one of these malware scanning reports from within the Styx pack panel itself, the full scanning results are displayed in a new browser window at the domain captain-checker[dot]com (see screenshot above). The Styx panel that I examined earlier this month was based at the Internet address 5.199.167.196, and was reachable only by appending the port number 10665 to the numeric address. At first, I thought this might be a standard port used by Styx installations but that turns out not to be the case, according to interviews with other researchers. I didn’t realize it at the time, but now I’m thinking it’s likely that the panel I examined was actually one run by the Styx Pack curators themselves.

I discovered that although captain-checker[dot]com is hosted at another address (46.21.146.130), it also had this 10665 port open. I noticed then that captain-checker shares that server with 12 other Web sites. All of those sites also respond on port 10665, each revealing a captain-checker login page. Among the 12 is uptimer[dot]biz, one of two sites that led to the identity of Alexander “Nazar” Nazarenko — one of the main marketers and sellers of Styx pack.

styx-reality7-mapNot only are all of these sites on the same server, an Nmap scan of these systems shows that they all are on the same Windows workgroup — “Reality7.” This dovetails nicely with the other domain that I noted in that July 10 story as tied to Nazarenko — reality7solutions[dot]com.

Many of the other domains on the server (see graphic to the left) use some variation of the word “wizard,” and share a Google Analytics code, UA-19307857. According to SameID.net, this code is embedded in the homepage for at least 38 different Web sites.

In my previous story on Nazarenko and his Styx Pack business partner — Max “Ikar” Gavryuk —  I noted that both men were advertising “Reality Guard,” a service to help protect clients from distributed denial-of-service (DDoS) attacks designed to knock sites offline. I had a closer look at their site — reality-guard[dot]com — and learned several interesting things: For starters, the site also responds with a captain-checker[dot]com login page when you append “:10665” to the domain name. It also is on a Microsoft Windows workgroup called “Reality7”. Finally, the reality-guard[dot]com home page includes an icon for virtual currency Webmoney that when hovered over pops up Nazar’s Webmoney account (someone changed the name on this account from “Nazar” to “Lives” within hours after my July 10 story on the Styx Pack purveyors).

Continue reading →


6
Dec 11

Download.com Bundling Toolbars, Trojans?

It wasn’t long ago that I felt comfortable recommending CNET‘s download.com as a reputable and trustworthy place to download software. I’d like to take back that advice: CNET increasingly is bundling invasive and annoying browser toolbars with software on its site, even some open-source titles whose distribution licenses prohibit such activity.

Although this change started this summer, I only first became aware of it after reading a mailing list posting on Monday by Gordon “Fyodor” Lyon, the software developer behind the ever useful and free Nmap network security scanner. Lyon is upset because download.com, which has long hosted his free software for download without any “extras,” recently began distributing Nmap and many other titles with a “download installer” that bundles in browser toolbars like the Babylon toolbar.

CNET’s own installer is detected by many antivirus products as a Trojan horse, even though the company prefaces each download with the assurance that “CNET hosts this file and has scanned it to ensure it is virus and spyware free.” CNET also has long touted download.com’s zero tolerance policy toward all bundled adware.

Lyon said he found his software was bundled with the StartNow Toolbar, which is apparently powered by Microsoft‘s “Bing decision engine.” When I grabbed a copy of the Nmap installer from download.com and ran it on a test Windows XP machine, CNET’s installer offered the Babylon Toolbar, which is a translation toolbar that many Internet users have found challenging to remove.

The CNET download installer that I got for Nmap from download.com was made by CBS Interactive (CNET Networks was acquired by CBS in 2008), and it is detected as malicious by three antivirus products at Virustotal.com. When I unpacked the installer from the Nmap program and scanned just the installer, 10 out of the 39 antivirus products detected the file as either a Trojan horse or adware.

Continue reading →