MalwareIntelligence is a site dedicated to research on all matters relating to anti-malware security, criminology computing and information security in general, always from a perspective closely related to the field of intelligence.


Crimeware Exposed

Currently, the crimeware is widely exploited by individuals or criminal groups that seek to improve its economy so completely fraudulent using evasive and aggressive strategies.

To MalwareIntelligence, the fight against cyber-crime has become his philosophy and primary objective, which make everyday a perfect excuse to address different research then channeled through one of their blogs.

That is why over time, relevant information has been exposed as part of some research taken that as a whole (the year 2009) can be found in "Annual Information Digest: Crimeware in 2009" because Then, the summary of the packages MalwareIntelligence exposed through the past two years:

NOTE: While the list is in Spanish, each text can be found in its English version, in this blog.

Malware kit & Exploits Pack

6.10.10 Eleonore Exploit Pack. Nueva versión (1.4.4mod)
1.10.10 Phoenix Exploit’s Kit v2.3 Inside
30.9.10 Black Hole Exploits Kit. Otro crimeware que se suma a la oferta delictiva
8.9.10 Phoenix Exploit’s Kit v2.1 Inside
18.8.10 Estado del arte en Phoenix Exploit's Kit
3.7.10 BOMBA Botnet. Nueva alternativa delictiva alimentando la economía del crimeware
30.6.10 n0ise Bot. Crimeware de propósito particular para ataques DDoS
26.6.10 Breve revisión de Passenger Admin Panel
24.6.10 Estado del arte en Eleonore Exploit Pack II
19.5.10 Estado del arte en CRiMEPACK Exploit Pack
31.3.10 Strike Botnet, otra crimeware que nace
28.3.10 iPack y GOLOD. Nuevos crimeware en la escena delictiva
6.3.10 myLoader. Framework para la gestión de botnets
27.1.10 SpyEye. Nuevo bot en el mercado
9.1.10 Napoleon Sploit. Frameware Exploit Pack
3.1.10 Estado del arte en Eleonore Exploit Pack
25.12.09 Siberia Exploit Pack. Otro paquete de explois In-the-Wild
15.12.09 RussKill. Aplicación para realizar ataques de DoS
9.12.09 Fusión. Un concepto adoptado por el crimeware actual II
3.12.09 Una breve mirada al interior de Fragus
29.11.09 JustExploit. Nuevo Exploit Kit que explota Java
22.11.09 DDoS Botnet. Nuevo crimeware de propósito particular
15.11.09 T-IFRAMER. Kit para la inyección de malware In-the-Wild
4.11.09 QuadNT System. Sistema de administración de zombis I (Windows)
2.11.09 ZoPAck. Nueva alternativa para la explotación de vulnerabilidades
14.10.09 DDBot. Más gestión de botnets vía web
26.9.09 Nueva versión de Eleonore Exploits Pack In-the-Wild
17.9.09 Phoenix Exploit’s Kit. Otra alternativa para el control de botnets
7.9.09 iNF`[LOADER]. Control de botnets, marihuana y propagación de malware
29.8.09 Hybrid Botnet Control System. Desarrollo de http bot en perl
15.8.09 Fragus. Nueva botnet framework In-the-Wild
14.8.09 Liberty Exploit System. Otra alternativa crimeware para el control de botnets
8.8.09 TRiAD Botnet III. Administración remota de zombis multiplataforma
4.8.09 Eleonore Exploits Pack. Nuevo crimeware In-the-Wild
3.8.09 TRiAD Botnet II. Administración remota de zombis multiplataforma
25.7.09 TRiAD Botnet. Administración remota de zombis en Linux
11.7.09 Especial!! ZeuS Botnet for Dummies
29.6.09 ElFiesta. Reclutamiento zombi a través de múltiples amenazas
14.6.09 Mirando de cerca la estructura de Unique Sploits Pack
2.6.09 Fusión. Un concepto adoptado por el crimeware actual
27.5.09 Unique Sploits Pack. Manipulando la seguridad del atacante II
21.5.09 YES Exploit System. Manipulando la seguridad del atacante
22.4.09 Adrenaline botnet: zona de comando. El crimeware ruso marca la tendencia
18.4.09 Chamaleon botnet. Administración y monitoreo de descargas
12.4.09 YES Exploit System. Otro crimeware made in Rusia
26.3.09 Barracuda Bot. Botnet activamente explotada
6.3.09 Unique Sploits Pack. Crimeware para automatizar la explotación de vulnerabilidades
27.2.09 LuckySploit, la mano derecha de Zeus

Botnet activities

8.9.10 myLoader C&C Oficla Botnet en BKCNET "SIA" IZZI con la mayor tasa de infección en Brasil
9.8.10 Campaña de infección a través de Phoenix Exploit’s Pack
25.7.10 Circuito de Koobface desde (BKCNET "SIA" IZZI)
11.7.10 YES Exploit System como Crimeware-as-a-Service
28.5.10 Inteligencia y nivel de explotación según Siberia Exploit Pack
19.4.10 Scam de ZeuS sobre IRS continúa siendo activamente explotado
15.3.10 Nueva campaña de phishing contra Facebook encabezada por ZeuS
7.3.10 Oficla botnet con más de 200.000 zombis reclutados
24.2.10 Nueva campaña de phishing de ZeuS contra Google y Blogger
22.2.10 Campaña de phishing a Facebook y VISA propuesta por ZeuS
28.1.10 ZeuS y el robo de información sensible
22.1.10 Aprovechando ZeuS para enviar spam a través de redes sociales
16.1.10 YES Exploit System. Official Business Partner’s
2.1.10 Waledac. Línea de tiempo '07-'09
1.1.10 Waledac vuelve con otra estrategia de ataque
1.12.09 Campaña de propagación de Koobface a través de Blogspot
6.11.09 Desarrollo de Botnets Open Source. “My last words”?
24.10.09 ZeuS Botnet y su poder de reclutamiento zombi
17.10.09 ZeuS, spam y certificados SSL
21.9.09 Eficacia de los antivirus frente a ZeuS
17.8.09 Desarrollo de crimeware Open Source para controlar y administrar botnets
8.7.09 Waledac/Storm. Pasado y presente de una amenaza latente
4.7.09 Masiva campaña de propagación/infección lanzada por Waledac utilizando como excusa el día de la Independencia de EEUU
21.6.09 Simbiosis del malware actual. Koobface
1.6.09 Botnet. Securización en la nueva versión de ZeuS
4.5.09 ZeuS Carding World Template. Jugando a cambiar la cara de la botnet
7.4.09 Waledac. Seguimiento detallado de una amenaza latente
4.4.09 Conficker IV. Dominios relacionados... y controversiales
3.4.09 Conficker III. Campaña de propagación de falsas herramientas de limpieza
2.4.09 Conficker II. Infección distribuida del gusano mediático
1.4.09 Conficker. Cuando lo mediático se hace eco de todos descuidando el problema de fondo
27.3.09 Entidades financieras en la mira de la botnet Zeus. Segunda parte
25.3.09 Entidades financieras en la mira de la botnet Zeus. Primera parte
22.2.09 Zeus Botnet. Masiva propagación de su troyano. Segunda parte
18.2.09 Zeus Botnet. Masiva propagación de su troyano. Primera parte
28.1.09 Danmec Bot, redes Fast-Flux y reclutamiento de Zombies PCs

Ver más


Eleonore Exploit Pack. New version

Without functional alternatives to renew in the package, a new version of crimeware Eleonore Exploit Pack. This is the version 1.4.4mod.

Acces panel of Eleonore Exploit Pack 1.4.4mod

While this version of crimeware is positioned as part of a set of alternatives whose number is constantly increasing due to the large range that currently exists in the area of crime, isn't very viable option for criminals. And indeed, this particular version, parearía not have more important features that are not in previous versions.

Advertising package in underground forum

As shown in the image, incorporating a total of 16 exploits that have a high percentage of successful exploitation globally. However, although this particular version is no cause for alarm or research for security professionals, criminal activities generated by Eleonore Exploits Pack manifest daily, being the most used version 1.3.

Related information
State of the art in Eleonore Exploit Pack II
State of the art in Eleonore Exploit Pack
Eleonore Exploits Pack. New Crimeware In-the-Wild
Nueva versión de Eleonore Exploits Pack In-the-Wild
Black Hole Exploits Kit. Another crimeware in addition to criminal supply
Prices of Russian crimeware. Part 2

Ver más


Phoenix Exploit’s Kit v2.3 Inside

PEK (Phoenix Exploit's Kit) has become one of the most used by those who flood the Internet every day with different types of malicious code. Currently, a large amount of malware is distributed through this crimeware, which is also widely used for collecting information relevant to a botmaster.

Earlier we mentioned how it looks inside version 2.1 and at the same time we said that from the standpoint of design, different versions of PEK are practically very similar, with the typical dark background, the phoenix in the lower right corner and facing your authentication system trivial at first glance, but nevertheless performs a check under the SHA1 algorithm.

This time, it's version 2.3 of PEK, the final and stable so far (there is a preliminary version 2.4 known as the 2.3r). However, despite no visible differences appear, this version also upgrade a number of "details" in your code, incorporates a number of exploits which currently represent the highest success rate.

Simple statistics
Displays information about the general data tones to the recorded information with PEK.

Advanced statistics
Displays detailed information about operating systems and browsers violated.

Countries statistics
Shows statistics of the countries where the zombies.

Referer data
List the websites of direct reference.

The list shows the version used for this article is very long, but is complete on the following link: PEK v2.3 Referers List.

Upload module
Updates the malware that spreads.

Exploits that incorporates the default for this version are:
Their "sale" began in early July 2010 at a cost of $ 2200. An interesting detail is what the sentence is shown with the logo: "CONCORDIA, INTEGRITAS, INDUSTRIA…" three Latin words which are closely related to a famous German family. His translation is harmony, integrity and diligence.

Regarding the spread executable binary, in this case, it's a variant of the trojan generated with the private constructor SpyEye:
In the White paper called Phoenix Exploit's Kit In the mythology of a criminal enterprise can obtain more information on the different versions of this crimeware.

Related information

Phoenix Exploit’s Kit v2.1 Inside
State of the art in Phoenix Exploit's Kit [White paper]

Campaign infection through Phoenix Exploit's Pack
Phoenix Exploit's Kit and Pay-per-Install via PC Defender Antivirus
Phoenix Exploit’s Kit. Otra alternativa para el control de botnets

Jorge Mieres
Founder & Director of MalwareIntelligence
Crimeware & Intelligence Analyst Researcher

Ver más


Black Hole Exploits Kit. Another crimeware in addition to criminal supply

Crimeware industry continues to grow through the development and implementation of new marketing packages pre-compiled exploits add to the supply of alternatives to facilitate criminal maneuvers over the Internet.

In this case, it's Black Hole Exploits Kits, a web application developed in Russia but also incorporates for the English language interface, and the first version (beta at the moment) is trying to fit into the black market since early September 2010. Its cost is determined based on a number of features that attempt to differentiate from the rest.

Black Holes Exploits Kit statistical module
This module offers a quick view of the most relevant information for a botmaster: number of computers that are part of the network and their respective countries, exploits with higher success rates and other information processing.

Unlike many other crimeware of this style, Black Hole Exploits Kit uses a licensing system costed time. For example, purchasing this crimeware for 1 year (currently the maximum time) costs $ 1500, while a semi-annual and quarterly license, costing $ 1000 and $ 700 respectively.

Statistics on the affected operating systems
The trend marks a slight but gradual increase in committed operating systems that do not belong to the family of Microsoft. This includes crimeware *NIX based platforms such as GNU/Linux and Mac OS. Others, such as Siberia Exploit Pack and Eleonore Exploits Kit includes platforms for high-end mobile devices and gaming consoles.

It also has costs of $ 50 for the alternative of using the encryption system. This feature is a pattern for the service "extras" offered by the developers of crimeware, like the ability to verify the integrity of malware (AVChecker) spread through crimeware.

To carry out this verification, is used more often VirTest, the private service of Russian origin that has become a favorite of criminals to control the reputation not only malware but also spread exploits of the pack. There are several crimeware packages that have recently joined VirTest module, including the latest version of SpyEye.

As for the exploits, which incorporates all of the time are public and widely used by most current crimeware. However, these exploits have the highest rate of success in exploitation.

Statistics exploits
Through this module displays the statistical data on the ability of success that has every one of the exploits that are part of crimeware.

Black Hole Exploits Kit includes a TDS (Traffic Direction Script) that allows independence from another web application that allows arbitrarily manipulate web traffic, and probably this feature will catch the attention of criminals.

Also has a self-defensive module means which can block access to certain security websites by URL or IP address ranges. In the next image is set to block access to websites Kaspersky Antivirus:

Self-defense module
Through this module can also import or export a list of addresses to block.

Black Hole Exploits Kit joins the portfolio of offerings and little more than a month since its launch in underground environments no more activity In-the-Wild, perhaps due to its initial cost. However, security professionals should pay special attention to this crimeware as their characteristics and cost (probably decrease slightly for the next version) will be well accepted within the criminal community and therefore in demand by of offenders.

Related information
Jorge Mieres
Founder & Director of MalwareIntelligence
Crimeware & Intelligence Analyst Researcher

Ver más


Black Software. New affiliate business type Pay-per-Install

The business model that represent the affiliate programs through systems of the type Pay-per-Install is in full swing, being a fundamental part of criminal groups seeking to increase their economy.

In this case, we have a new affiliate program called Black Software, which promotes the discharge of malware.

Black Software Access Panel
This is a simple authentication process and conventional and password required

The program is of Russian origin and according to his IP address is based in the Netherlands. He began his business proposal in late August 2010 and has a mechanism by which each member must configure some information to get the URL needed to start the business.

Black Software Guide
This guide provides information on how to properly configure the data needed to obtain the URL, along with a brief FAQ

As usual, the registration process requires a series of information that allow to those who are behind the affiliate system, validating the potential customer and avoid potential infiltration.

It also has a statistics module whereby members check their status every 15 minutes is updated by the system administrator can view information relating to each download.

Statistical Module
Whereby the affiliate system provides the information necessary for each "customer" can check your account status

Payment is made weekly and for those accounts that have a significant revenue stream, it's optional to establish at what point do you want to be paid for criminal activities through this web application performs.

Black Software is conventional and does not have a differentiating factor from other affiliate programs to your style, and yet has a high percentage of activities, perhaps because of their status as "new" in the criminal environment and, therefore, not so known.

However, is another resource available to those who daily feed their economy through fraudulent and criminal proceedings.

Related Information
Circuit membership for the dissemination of NoAdware rogue

Ver más


Phoenix Exploit’s Kit v2.1 Inside

The crimeware is one of the most used by cyber criminals to gather intelligence enabling the identification of trends and customs around by people who use the Internet daily.

This seeks to obtain relevant information on time and complete details of the victims who, further, they allow criminals to know about which factors to emphasize their "improvements" in the web application, and botmaster think of any strategy for promoting malware.

Why? Get information processed (intelligence) is key because it provides them with real information on the different technologies used by people. This type of maneuver is widely used by criminals. Ever wondered why Koobface spread by social networks?

For example, most of this style crimeware collect data on:
  • Type and version of platforms. Let us know what operating systems used and the most vulnerable.
  • Type and version of browsers. Seeks to understand the same feature as above.
  • Countries affected. It enables computers to know the amount of victims in each country. Thus, the Botmaster could discriminate the spread of malware focusing its promotion to particular countries.
Why? Because all this information allows the developer to add and/or upgrade versions incorporating exploits "improved" the "product." Furthermore, depending on the last point for example, simplicity in terms of easy to read statistical data makes many botmaster using PEK (Phoenix Exploit's Kit) to spread malware that is used as a "bridge" to register successfully downloaded and installed to increase their economy through affiliates systems type Pay-Per-Install.

Currently PEK development is in its version 2.3r, this being a preliminary version to 2.4 and is in its stage of "testing" since mid-August 2010. The latest "stable" version is 2.3.

However, this post is about version 2.1 of Phoenix Exploit's Kit, and see that from the visual point of view has not changed in its previous or subsequent changes.

Default has 10 exploits, which are:
This version swept the feature Phoenix Triple System incorporated in version 1.4, which is basically an encryption scheme for binary executables that are disseminated. The purpose of this is hindering the process of analysis of the malware.

It consists of six modules of which 4 provide relevant information for each computer that is part of the botnet.

Simple statistics
It's an overview of data collected, through which information is displayed on browsers that have the highest percentage of successful exploitation detailing the number of visits in each of them, total number of visits and exploits that owns the package. Here is an updated version where he incorporated some exploits

Advanced statistics
Basically has a level of detail on the affected operating systems and browsers, incorporating as useful data version of each of them. In this case, committed three operating systems are Windows XP, Vista and Seven, respectively, and with a minimum compared to these, but higher than Windows ME, 2000 and 2003 platforms are Linux.

Interestingly, in terms of browsers, the three that have a higher rate of vulnerability are Firefox 3.6, InternetExplorer 8 and 7 respectively.

 Countries statistics
Information related to the countries which are the compromised computer. The detail of this information is in the number of visitors from certain countries and the number of successful exploits, also discriminated against by country.

Referers statistics
Information from reference sites to Phoenix Exploit's Kit The main feature is that the pattern followed by PEK is referencing from porn sites from which the browser operates through some of the pre-compiled exploits in the package. This module shows the list of pages, the number of visits per page and the number of exploits that have been successful with an average expressed in percentages.

The list shows the version used for this article is very long, but is complete on the following link: PEK v2.1 Referers List.

Upload .exe
This module is to allow updating to spread malicious code. Usually only change every time you submit the executable binary encryption processes Phoenix Triple System service, or when they change their strategy botmaster infection according to new targets for malware. Affiliate System change that spread their own malware for example.

In this case, PEK is used to propagate a version generated of the trojan ZeuS:
In the White paper called Phoenix Exploit's Kit. From the mythology to a criminal business can obtain more information on the different versions of this crimeware.

Información relacionada
State of the art in Phoenix Exploit's Kit [White paper]

Campaign infection through Phoenix Exploit's Pack
Phoenix Exploit's Kit and Pay-per-Install via PC Defender Antivirus
Phoenix Exploit’s Kit. Otra alternativa para el control de botnets

Jorge Mieres
Founder & Director of MalwareIntelligence
Crimeware & Intelligence Analyst Researcher

Ver más


myLoader C&C Oficla Botnet in BKCNET "SIA" IZZI with the highest infection rate in Brazil

myLoader is a web application that allows offenders to collect statistical information related to different factors and features on each of the infected computers. The crimeware is sold in the underground market at an average cost of $ 700.

The botnet Oficla started their criminal activities at the beginning of 2010 and just the executable binary detected by antivirus engines as Oficla or Sasfis and is generated by a builder who incorporates myLoader.

In early 2010, MalwareIntelligence warned activities of a botnet Oficla with recruited more than 250.000 computers, that after several days exceeded the figure of 300.000 zombies. A white paper that explains how crimeware marketing and operation of the botnet is available in the documents section.

The Latin American region has a significant development of malware, especially, no doubt, Brazil to the generation of malicious code designed to steal financial in nature through trojans usually spread by email or MSN.

However, it's unique in the region and countries such as Mexico, Peru and Argentina, the trend is also accompanied with an important flow of criminals who aspire even to copy the models of fraudulent and criminal business from across the world routinely generate new research points because of the security incidents that cause, primarily the theft of information.

Under all of this scenery, botnets play a key role in a high percentage, where I dare say almost all of the crimes committed via the Internet. That is, the role of botnets within the current scope of cybercrime, represent the key with which cyber-criminals have.

The following image is an example. This is a botnet Oficla myLoader maintained through, with a total of 9065 recruits zombies.

Statistics myLoader
Basically displays information related to the amount of compromised computers over the past 15 days, how many are online, among others

And showing what I mentioned above, the top ten of the affected countries led by Brazil with a little over 1300 zombies (almost 15%), and as regards Latin America, followed by Mexico and Argentina.

Statistics geolocation zombies
This image only shows the top ten countries concerned where the botnet has zombies

Computers affected only in Brazil
The list is long and mostly displays information on infected computers

An interesting is that this botnet is under the roof of AS6851 in IP address Known under the name of BKCNET "SIA" IZZI or SAGADE, widely popular for its relationship with the housing for criminal resources such as ZeuS, Koobface, business affiliates, among many others.

In the documents section you can download a white paper with information about criminal resources associated with a given range of IP addresses that are under the tutelage of BKCNET "SIA" IZZI.

As for the malicious code is spread through this botnets are the following binary executables:

Related information
Oficla botnet with more than 200,000 zombies recruits
myLoader. Framework for the management of botnets
myLoader. Base C&C to manage Oficla/Sasfis Botnet [Whitepaper English version]
Criminal activities from BKCNET “SIA” IZZI / ATECH-SAGADE - Part one  [Whitepaper English version]

Jorge Mieres
Founder & Director of MalwareIntelligence
Crimeware & Intelligence Analyst Researcher

Ver más

Criminal activities from BKCNET “SIA” IZZI / ATECH-SAGADE - Part one

BKCNET "SIA" IZZI, also known as or simply ATECH-SAGADE is an AS (Autonomous System) numbers in 6851, currently is one of the most active of crimeware through which are distributed daily a large amount of malicious code , besides being the control base for the accommodation of several C&C which feed the underground economy.

Your geolocation is in Latvia and, as I mentioned on another occasion, "This ASN is listed as a server of criminal activities such as spread of different families of rogue, hosting crimeware as YES Exploit System, in 2009 I host the strategies Waledac botnet (Storm successor), also to ZeuS and to have direct relationship with the criminals who are behind the botnet Koobface maneuvers".

Today, most malware that spread through the resources supported by BSI (BKCNET "SIA" IZZI) make the maneuver which supports management for affiliate systems, precisely, to increase profits for criminals through the success of successful infections.

The following evidence is left AS6851 activities in the range of IP's and chipboard from to date August 14, 2010 (in red history), responding to malicious maneuvers.

English version
Spanish version

Ver más


Circuit membership for the dissemination of NoAdware rogue

Malware hides behind a business. Without a doubt, I believe that no one denies this claim. Day by day is an important flow of malicious code that, while general purpose have a story in its activities, seeking final feedback on the business behind through fraudulent mechanisms and strategies.

One of the most popular business models is to pay a percentage of money given to those who successfully promote rogue. The model is known as affiliate programs, while the facility payment system is called Pay-Per-Install.

This is the case of rogue NoAdware, a malicious code that operates widely available for several years through different coverages.

Home NoAdware
From this website you download the official binary of "economic resource" for the system of affiliates and partners

Using common strategies imposed by this style websites, such as false certificates and testimonies that try to convey confidence in the potential victims, promote the installation of an alleged security solution that is actually malware.

Affiliate program usually provide only the executable to spread, which many criminals spread it through some  crimeware type exploit pack, and to a lesser extent, only spread by a page that is created and hosted at your own risk .

The system behind NoAdware, facilitates this issue by providing the ability to select a template and then just upload to the hosting affiliate. Thus, when a potential victim visits this site, is redirected to the homepage of NoAdware, and each member, in theory, get 75% of money for each installation. The sales of rogue (mimicked in security program) is for $47.00.

However, other values are also managed directly related to the number of licenses:
  • 2 Computers ($67.00)
  • 3 Computers ($87.00)
  • 5 Computers ($117.00)
  • 10 Computers ($197.00)
  • 25 Computers ($417.00)
  • 50 Computers ($767.00)
Site selection to propagate NoAdware
The process involves two steps: select the template and download. This web site traffic routed to the home page of NoAdware

NoAdware also promoted under the name Adware Professional 2010. It's exactly the same application to install malicious reports against the system that is behind NoAdware.

Hypothetically speaking, suppose a partner (affiliate/delinquent) successful installation per day for 30 days (one month). 75% of $47 is $35.25 (this is what would win one day and successful installation of malware). Accordingly, this partner would have a theoretical gain of $1057.5 monthly.

This affiliate program works with a payment system via the Internet, legal, called ClickBank, especially whose main trade is that a large number of rogue malware type is done through this system.

HopLink for NoAdware
This page directs traffic to the official website of NoAdware, while sending information to the payment affiliate log into your account

The address is to the URL with the following syntax:[PARTNER-NICK]

This will record the payment of a percentage of money as a commission for each of the members to serve on the circuit of this rogue.

Affiliate System Circuit
The graph shows the different stages that runs a conventional affiliate

One of the evidences that reflects the rate for ClickBank by criminal groups to secure economic transactions "safe" is the important flow of affiliate systems, many of them promote malware, which are under his roof. Some of them are:
This brief list is just a small sample, because the volume of malware that are promoted through this medium is very large.

Related  information
AntiSpy Safeguard with new social engineering approach

Ver más


FakeAV via new strategy of deception from BKCNET "SIA" IZZI

Generally cheating strategies designed for the dissemination of false antivirus (AV Rogue) consist of online simulation of a scan for malware, showing an interface that mimics Windows Explorer and which always face the same threats, including when using operating systems other than Windows.

Conventional strategy of deception
This is one of the many templates. It shows a supposed scan to verify the integrity of the computer with an interface that simulates being under the Windows Explorer

However, recently launched a new strategy with similar features but using a different maneuver is to show a real video when it occurs, the event scanning. This is shown under the caption "Scan in progress. Please wait".

New strategy of deception
It shows a real video while the traffic is routed to a false report with the detection of a threat

While playing the video, traffic is routed to another page which displays information about alleged threats found after the scan. In this instance, presumably the information is provided by several antivirus engines listed in a strategic way to display information related to detection.

False report
As the scan has detected malware on your system. This seeks to give notice to the users through the false report with information from multiple antivirus engines

Coincidentally, each of the "products" to detect alleged antivirus malware activity provides the opportunity to download the application that will solve the problem:
Both the beginning and the end of the video shows the words "Protect your privacy! Use only licensed software!". It contains a high psychological impact of action on the user who "entertains" watching a video about the theft of data and then read the "recommendation".

Protect your privacy!
Psychological action strategy seeks to provoke a persuasive effect on users who then buy the rogue

This strategy is being channeled through the AS6851, better known as BKCNET "SIA" IZZI or SAGADE. BKCNET "SIA" IZZI serves as a "repository" to promote various criminal activities and provide cover for housing botnets and other crimeware as Koobface, ZeuS, Phoenix Exploit's Kit, BOMBA, among others, as well as some affiliated business type Pay-per-Install. In this case, solving from IP address.

The team is completed by installing a rogue called AntiSpy Safeguard that the duration of their initial scan blocks access to operating system resources. The ultimate goal of rogue is, as usually happens, get stuck buying the application is malicious.

Purchase rogue
These pages are usually under the guise of legal services, and is whereby the offender obtained money from the sale of rogue data and credit card

With this maneuver, the offender, or affiliate program, make sure the one hand a percentage of money for the cost of the rogue, and on the other, to feed its database with information on the credit card which is then sold on the black market variable costs directly proportional to the type of credit card.

Related information

Campaign infection through Phoenix Exploit's Pack
Circuit Koobface from (BKCNET "SIA" IZZI)
BOMBA Botnet. New alternative crimeware fuel the economy criminalPhoenix Exploit's Kit and Pay-per-Install via PC Defender Antivirus

Ver más


State of the art in Phoenix Exploit's Kit

Criminal alternatives grow very fast in an ecosystem where day to day business opportunities are conceived through fraudulent processes. In this sense, the demand for resources for the cyber criminal isn't expected and is constantly growing.

Generally I find new crimeware looking to get a place and a good acceptance in the virtual streets of the world underground, trying to reflect a balance on the cost/benefit of the "product" promoted, that allows criminals to enter the market as quickly as possible.

Similarly, crimeware already accepted in the well-known circuit and updated looking to optimize their "quality of service." Phoenix Exploit's Kit, despite its minimalist state compared to others in its style, is one of the most active malicious crimeware today.

This paper presents a series of data on criminal activities and fraud carried out using Phoenix Exploit's Kit as channel management, how often the cycle of criminal business on this crimeware and what are the exploits found in its different versions.

Phoenix Exploit’s Kit v2.3r
Phoenix Exploit’s Kit v2.3
Phoenix Exploit’s Kit v2.21
Phoenix Exploit’s Kit v2.2
Phoenix Exploit’s Kit v2.1
Phoenix Exploit’s Kit v2.0
Phoenix Exploit’s Kit v1.4
Phoenix Exploit’s Kit v1.31
Phoenix Exploit’s Kit v1.3
Phoenix Exploit’s Kit v1.2
Phoenix Exploit’s Kit v1.1
Phoenix Exploit’s Kit v1.0
Phoenix Exploit’s Kit v1.0beta

Spanish version | English version

Others articles of MalwareIntelligence

Ver más


Pirated Edition. Affiliate program Pay-per-Install

Affiliate programs are a growing business model more profitable for criminals and create a complete circuit of spreading / malware infection among many other alternatives, encouraging its customers with a percentage of money they get in terms of success their own business.

One of the systems with greater uptake in this business model is provided by the facility payment, Pay-per-Install, where every customer gets the money for the installation of malware. That is, only to propagate malware and wait for someone to become infected.

In this circuit, each member can be either a single person as a botnet, because obviously the economic return generated by spreading the malware offenders provided by the affiliate system is massified, and botmaster benefits from a wider economic gap within a shorter time span, in addition to other veins fraudulent economically generated by botnets.

Another of these affiliate programs is Pirated Edition, whose access panel can be seen in the picture below.

Looking into the affiliate system, we find extremely minimalist model that only allows the client-offender check the amount of money earned and download the malware to spread, including updates to this.

This malicious code whose default name is limew.exe (757eda0929b94ea104a1a80825dee3e2) has a very low detection rate. According to the report of VT, is only detected by 8 of 41 AV engines.

When run, it's reported to true affiliate program that is behind this criminal circuit, in this case, answers

/get2.php?c=ROBFNNDI&d=26606B67393C34322E64636F317E3E3D2121222B25263078747D456E757923271416411A111410015D404E1618156A1971090A03700302010C090B7D7D0C07790305727474047E060C7072786A2F27212634206E6563677130303E666C6E3866505404004204020A55584C041F1B0B1D4D442D42522A021413444A4B4C494E4CB3B5B7B0A2F5F4E8EBB4CFF3FCE1E1FDF5E3BCD6CCD0B0FBFCA8C5FEA1ACB8FCCCCFD6FCC1989681DF9F9E969C8BC892808394D7D1D9D7CE85898A8B8C8D8E8FF1E7A1ADA0A9FBAAA9A5BDAABEA8E3BDB5A2B7B2B7BDF8BBB7BABBB7B8B2B3BE898FC48A80849282D5D8D8D3DDDAD6DDC8C7C6D5B1BAA4 HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322)
Cache-Control: no-cache

However, this is only one side presented the strategy and that the same IP ( other domains are resolved that each of them carries the same template.

It's worth mentioning a particular detail of the policies of this affiliate program. To obtain payment for each installation of malware, it must infect computers that are in the following countries: Australia, Belgium, Brazil, Canada, Czech Republic, Denmark, Estonia, France, Germany, Greece, Finland, Hungary, Italy, Ireland , Kuwait, Lithuania, Mexico, Netherlands, New Zealand, Norway, Poland, Portugal, Romania, Russia, Saudi Arabia, Singapore, Slovakia, Spain, Sweden, Switzerland, Turkey, Ukraine, United Arab Emirates, United Kingdom, United States and Japan . And as a payment system using Epassporte services, AlertPay, PayPal and Webmoney.

Related information

Ver más



One of the most profitable businesses in the area computer crime, what are the affiliate programs. These are systems which adhere offenders an economic return for a commission, as in this case, for each successful installation of malware that takes place through the system distributed. 

VIVA INSTALLS, belonging to the same criminal group that is facing HAPPY INSTALLS, is one of them. This system is "protected" under the AS6851 to BKCNET "SIA" IZZI (ATECH-SAGADE) in the IP address, which resolves the domain This AS is known for its high incidence in fraudulent activities, and because it's also used for the propagation of Koobface.

The system promotes a concerned member of the malicious code more known rogue type: A-fast Antivirus.

The fake antivirus business generates several veins, regardless of the number of successful installations. On the one hand, the cost of this rogue is USD 69.65, which all those unprepared to "buy the malware" will be fueling the business. 

At the same time, for the purchase you must complete a form, which should specify the information of credit card, which gives the offender more data to fraudulent activities. Without describing in detail the information in your credit card will fill in the fields of any database, which then also sold. 

How is the circuit of infection?
The affiliate system provides its "customers" the URL from which to download the malware, warning that not verify the integrity of the executable through public services, such Virustotal. In this case it is the setup.exe file and exe.exe (971eab628a7aac18bb29cba8849dff61), the downloader which acts as a link for the download of A-fast Antivirus.

While the system is at members, download the rogue is from, domain This maneuver, although common, shows that BKCNET "SIA" IZZI is home to a large volume of criminal activity.

How is the process of registration?
Particularly access to the circuit of the members of business means having the necessary requirements. Basically, an activation code that is issued by the affiliate system based on the recommendation of another member of "trust" that is, an offender who is already actively in the circuit and load with a period of recognized activities.

How much does the affiliate for each successful installation?
A topic of interest around the affiliate systems is how much is paid in this case, for installation?

While affiliate systems share the same business model, the cost they pay for installation is the same for each of them. In the case of VIVA INSTALLS/HAPPY INSTALLS, prices are as follows:

    • USD 0.30 per installation in U.S.
    • USD 0.20 per installation in Canada, Australia and England.
    • USD 0.01 for installation in other countries.
In short, VIVA INSTALLS / HAPPY INSTALLS dedicated only for the moment, promotion and distribution of only one of many (hundreds) rogue circuit forming part of the offense.

Ver más