Posts Tagged: Trustwave

May 16

Got $90,000? A Windows 0-Day Could Be Yours

How much would a cybercriminal, nation state or organized crime group pay for blueprints on how to exploit a serious, currently undocumented, unpatched vulnerability in all versions of Microsoft Windows? That price probably depends on the power of the exploit and what the market will bear at the time, but here’s a look at one convincing recent exploit sales thread from the cybercrime underworld where the current asking price for a Windows-wide bug that allegedly defeats all of Microsoft’s current security defenses is USD $90,000.

So-called “zero-day” vulnerabilities are flaws in software and hardware that even the makers of the product in question do not know about. Zero-days can be used by attackers to remotely and completely compromise a target — such as with a zero-day vulnerability in a browser plugin component like Adobe Flash or Oracle’s Java. These flaws are coveted, prized, and in some cases stockpiled by cybercriminals and nation states alike because they enable very stealthy and targeted attacks.

The $90,000 Windows bug that went on sale at the semi-exclusive Russian language cybercrime forum exploit[dot]in earlier this month is in a slightly less serious class of software vulnerability called a “local privilege escalation” (LPE) bug. This type of flaw is always going to be used in tandem with another vulnerability to successfully deliver and run the attacker’s malicious code.

LPE bugs can help amplify the impact of other exploits. One core tenet of security is limiting the rights or privileges of certain programs so that they run with the rights of a normal user — and not under the all-powerful administrator or “system” user accounts that can delete, modify or read any file on the computer. That way, if a security hole is found in one of these programs, that hole can’t be exploited to worm into files and folders that belong only to the administrator of the system.

This is where a privilege escalation bug can come in handy. An attacker may already have a reliable exploit that works remotely — but the trouble is his exploit only succeeds if the current user is running Windows as an administrator. No problem: Chain that remote exploit with a local privilege escalation bug that can bump up the target’s account privileges to that of an admin, and your remote exploit can work its magic without hindrance.

The seller of this supposed zero-day — someone using the nickname “BuggiCorp” — claims his exploit works on every version of Windows from Windows 2000 on up to Microsoft’s flagship Windows 10 operating system. To support his claims, the seller includes two videos of the exploit in action on what appears to be a system that was patched all the way up through this month’s (May 2016) batch of patches from Microsoft (it’s probably no accident that the video was created on May 10, the same day as Patch Tuesday this month).

A second video (above) appears to show the exploit working even though the test machine in the video is running Microsoft’s Enhanced Mitigation Experience Toolkit (EMET), a free software framework designed to help block or blunt exploits against known and unknown Windows vulnerabilities and flaws in third-party applications that run on top of Windows.

The sales thread on exploit[dot]in.

The sales thread on exploit[dot]in.

Jeff Jones, a cybersecurity strategist with Microsoft, said the company was aware of the exploit sales thread, but stressed that the claims were still unverified. Asked whether Microsoft would ever consider paying for information about the zero-day vulnerability, Jones pointed to the company’s bug bounty program that rewards security researchers for reporting vulnerabilities. According to Microsoft, the program to date has paid out more than $500,000 in bounties.

Microsoft heavily restricts the types of vulnerabilities that qualify for bounty rewards, but a bug like the one on sale for $90,000 would in fact qualify for a substantial bounty reward. Last summer, Microsoft raised its reward for information about a vulnerability that can fully bypass EMET from $50,000 to $100,000. Incidentally, Microsoft said any researcher with a vulnerability or who has questions can reach out to the Microsoft Security Response Center to learn more about the program and process.


It’s interesting that this exploit’s seller could potentially make more money by peddling his find to Microsoft than to the cybercriminal community. Of course, the videos and the whole thing could be a sham, but that’s probably unlikely in this case. For one thing, a scammer seeking to scam other thieves would not insist on using the cybercrime forum’s escrow service to consummate the transaction, as this vendor has. Continue reading →

Mar 14 Probes Possible Card Breach

For the second time since Aug. 2013, online retailer has hired a computer forensics team after being notified by Discover about a potential breach of customer card data, KrebsOnSecurity has learned.

nomorerackOver the past several weeks, a number of banks have shared information with this reporter indicating that they are seeing fraud on cards that were all recently used by customers. Turns out, has heard this as well, and for the second time in the last seven months has called in outside investigators to check for signs of a digital break-in.

Vishal Agarwal, director of business development for the New York City-based online retailer, said the company was first approached by Discover Card back in August 2013, when the card association said it had isolated as a likely point-of-compromise.

“They requested then that we go through a forensics audit, and we did that late October by engaging with Trustwave,” Agarwal said. “Trustwave came out with a report at end of October saying there was no clear cut evidence that our systems had been compromised. There were a few minor bugs reported, but not conclusive evidence of anything that caused a leakage in our systems.”

Then, just last month, NoMoreRack heard once again from Discover, which said that between Nov. 1, 2013 and Jan. 15, 2014, the company had determined there were more incidents of fraud tied to cards that were all used at the company’s online store.

Continue reading →

Dec 13

Hacked Via RDP: Really Dumb Passwords

Businesses spend billions of dollars annually on software and hardware to block external cyberattacks, but a shocking number of these same organizations shoot themselves in the foot by poking gaping holes in their digital defenses and then advertising those vulnerabilities to attackers. Today’s post examines an underground service that rents access to hacked PCs at organizations that make this all-too-common mistake.

Makost[dot]net is a service advertised on cybercrime forums which sells access to “RDPs”, mainly Microsoft Windows systems that have been configured (poorly) to accept “Remote Desktop Protocol” connections from the Internet. Windows ships with its own RDP interface built-in; to connect to another Windows desktop or server remotely, simply fire up the Remote Desktop Connection utility in Windows, type in the Internet address of the remote system, and enter the correct username and password for a valid user account on that remote system. Once the connection is made, you’ll see the remote computer’s desktop as if you were sitting right in front of it, and have access to all its programs and files.

Makhost[dot]net sells access to thousands of hacked RDP installations. Prices range from $3 to $10 based on a variety of qualities, such as the number of CPUs, the operating system version and the PC's upload and download speeds.

Makhost[dot]net sells access to thousands of hacked RDP installations. Prices range from $3 to $10 based on a variety of qualities, such as the number of CPUs, the operating system version and the PC’s upload and download speeds.

Makost currently is selling access to more than 6,000 compromised RDP installations worldwide. As we can see from the screen shot above, hacked systems are priced according to a combination of qualities of the server:

  • city, state, country of host;
  • administrative or regular user rights;
  • operating system version;
  • number and speed of computer processors;
  • amount of system memory;
  • network download and upload speeds;
  • NAT or direct

KrebsOnSecurity was given a glimpse inside the account of a very active user of this service, an individual who has paid more than $2,000 over the past six months to purchase some 425 hacked RDPs. I took the Internet addresses in this customer’s purchase history and ran WHOIS database lookups on them all in a bid to learn more about the victim organizations. As expected, roughly three-quarters of those addresses told me nothing about the victims; the addresses were assigned to residential or commercial Internet service providers.

But the WHOIS records turned up the names of businesses for approximately 25 percent of the addresses I looked up. The largest group of organizations on this list were in the manufacturing (21 victims) and retail services (20) industries. As I sought to categorize the long tail of other victim organizations, I was reminded of the Twelve Days of Christmas carol.

twelve healthcare providers;
ten education providers;
eight government agencies;
seven technology firms;
six insurance companies;
five law firms;
four financial institutions;
three architects;
two real estate firms;
and a forestry company (in a pear tree?)

Continue reading →

Aug 12

Harvesting Data on the Xarvester Botmaster

In January of this year, I published the results of an investigation into the identity of the man behind the once-infamous Srizbi spam botnet. Today’s post looks at an individual likely involved in running the now-defunct Xarvester botnet, a spam machine that experts say appeared shortly after Srizbi went offline and shared remarkably similar traits.

In this screenshot from, Ronnie chats with “Tarelka” the Spamdot nickname used by the Rustock botmaster. The two are discussing an M86 report on the world’s top botnets.

Srizbi was also known in the underground as “Reactor Mailer,” and customers could register to spam from the crime machine by logging into accounts at That domain was registered to a, an address that my reporting indicates was used by a Philipp Pogosov. More commonly known by his nickname SPM, Pogosov was a top moneymaker for SpamIt, a rogue online pharmacy affiliate program that was responsible for a huge percentage of junk email over the past half-decade.

When was shuttered, Srizbi customers were instructed to log in at a new domain, Historic WHOIS records show was registered by someone using the email address As I wrote in January, leaked SpamIt affiliate records show that the address was used by a SpamIt affiliate named Ronnie who was referred to the program by SPM.

The Srizbi botnet would emerge as perhaps the most important casualty of the McColo takedown at the end of 2008. At the time, all of the servers used to control the giant botnet were hosted at McColo, a crime-friendly hosting facility in Northern California. When McColo’s upstream providers pulled the plug on it, that was the beginning of the end for Srizbi. SPM called it quits on spamming, and went off to focus on his online gaming company.

But according a report released in January 2009 by Trustwave’s M86 Security called Xarvester: The New Srizbi, Xarvester (pronounced “harvester”) was a pharmacy spam machine tied to SpamIt that emerged at about the same time that Srizbi disappeared, and was very similar in design and operation. It appears that SPM may have handed control over his botnet to Ronnie before leaving the spamming scene.

Continue reading →

Jul 12

Top Spam Botnet, “Grum,” Unplugged

Nearly four years after it burst onto the malware scene, the notorious Grum spam botnet has been disconnected from the Internet. Grum has consistently been among the top three biggest spewers of junk email, a crime machine capable of blasting 18 billion messages per day and responsible for sending about one-third of all spam.

Source: Symantec Message Labs

The takedown, while long overdue, is another welcome example of what the security industry can accomplish cooperatively and without the aid of law enforcement officials. Early press coverage of this event erroneously attributed part of the takedown to Dutch authorities, but police in the Netherlands said they were not involved in this industry-led effort.

The Grum ambush began in earnest several weeks ago at the beginning of July, following an analysis published by security firm FireEye, a Milpitas, Calif. based company that has played a big role in previous botnet takedowns, including Mega-D/Ozdok, Rustock, Srizbi.

Atif Mushtaq, senior staff scientist at FireEye, said the company had some initial success in notifying ISPs that were hosting control networks for Grum: The Dutch ISP Ecatel responded favorably, yanking the plug on two control servers. But Mushtaq said the ISPs where Grum hosted its other control servers — networks in Russia and Panama — proved harder to convince.

Continue reading →