MSN Spamming Bot
An image is sometimes worth a thousand words. This is a screenshot of infected bots spreading spam messages over MSN via the typical IRC-based !spam command and control. Here’s a related article about malware on IM networks as well:
“It is not clear exactly why the number of IM attacks is increasing, but security researchers have their theories. Don Montgomery, vice president of marketing at Akonix, speculated the increase in the number of attacks reflects the increase in the use of instant messaging, particularly on corporate networks. ‘IM is becoming favored over e-mail as a distribution vector for malware as a result of e-mail security now being employed by 75 percent or more of companies, while IM security is only employed by 15 to 20 percent of companies,’ Montgomery said. ‘The hackers are simply turning to the open door.’”
Two options remain highly lucrative. Either someone’s spamming p3n1$ enlargement propositions and directing victims to a spam site, or the social engineering effort aims at getting them to visit an exploit hosting site. No more direct .pif, .scr or .exe propositions in plain simple text; what’s exploited is mostly client-side vulnerabilities, with redirectors used to break the ice. IM threat stats courtesy of Symantec’s IMlogic, and here’s a related post regarding the acquisition of the company, with Symantec anticipating the emergence of this market segment and investing in it. IM propagation has its cyclical patterns: like pretty much every other propagation vector, once it reaches a mature level it starts getting at least partly replaced by other ways of propagation.
The WebAttacker in Action
Interesting to see that the WebAttacker kit can still be found in the wild. Here are the redirectors in action:
Input URL: _http://rulife.info/traffic/go.php?sid=1
Effective URL: _http://greencunt.org/crap/index.php
Responding IP: 203.223.159.110
Name Lookup Time: 1.290261
Total Retrieval Time: 5.987628
=> _http://rulife.info/traffic/go.php?sid=1
=> _http://xorry.org/backup/atds/out.php?s_id=1
=> _http://greencunt.org/crap/index.php
What follows is the (sandboxed) infection: file: Write C:\Program Files\Internet Explorer\IEXPLORE.EXE -> C:\sysykiz.exe
Several more URLs are to be found at the “green” domain as well:
_http://greencunt.org/anna/fout.php
_http://greencunt.org/spl1/index.php
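The redirect chain above is the kind of record an analyst wants to capture without ever rendering the landing page. The following tracer is an added example (not the post’s own tooling): it follows HTTP redirects hop by hop, resolves relative Location headers, stops on loops or after a hop limit, and lists the hosts crossed. The network layer is injected, so the demo runs offline against constructed responses mirroring a redirector -> TDS -> landing page chain; the hostnames are placeholders.

```python
"""Redirect-chain tracer for suspicious URLs (added example, not from the post)."""
from urllib.parse import urljoin, urlsplit

MAX_HOPS = 10
REDIRECT_STATUSES = (301, 302, 303, 307, 308)

def trace_redirects(url, fetch, max_hops=MAX_HOPS):
    """Return (chain, effective_url, reason).

    chain: every URL visited, seed first.
    reason: 'done' (non-redirect status), 'loop', 'max_hops' or 'no_location'.
    `fetch(url)` must return (status_code, headers) with redirects disabled.
    """
    chain, seen = [url], {url}
    for _ in range(max_hops):
        status, headers = fetch(url)
        if status not in REDIRECT_STATUSES:
            return chain, url, "done"
        location = {k.lower(): v for k, v in headers.items()}.get("location")
        if not location:
            return chain, url, "no_location"
        nxt = urljoin(url, location)      # Location may be relative
        chain.append(nxt)
        if nxt in seen:                   # A -> B -> A style redirector loop
            return chain, url, "loop"
        seen.add(nxt)
        url = nxt
    return chain, url, "max_hops"

def hosts_in_chain(chain):
    """Distinct hosts in visit order; several hosts with tracking-style
    query strings (sid=, s_id=) is the redirector/TDS pattern in the post."""
    hosts = []
    for u in chain:
        h = urlsplit(u).hostname
        if h and h not in hosts:
            hosts.append(h)
    return hosts

# Constructed offline stand-in for redirector -> TDS -> landing page (placeholder hosts).
SAMPLE_RESPONSES = {
    "http://redirector.example/traffic/go.php?sid=1":
        (302, {"Location": "http://tds.example/out.php?s_id=1"}),
    "http://tds.example/out.php?s_id=1": (302, {"Location": "/landing/index.php"}),
    "http://tds.example/landing/index.php":
        (302, {"Location": "http://landing.example/index.php"}),
    "http://landing.example/index.php": (200, {"Content-Type": "text/html"}),
}

def sample_fetch(url):
    return SAMPLE_RESPONSES.get(url, (404, {}))

if __name__ == "__main__":
    chain, effective, why = trace_redirects(next(iter(SAMPLE_RESPONSES)), sample_fetch)
    for hop in chain:
        print("=>", hop)
    print("Effective URL:", effective, f"({why}); hosts: {hosts_in_chain(chain)}")
```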
Although the tool is outdated compared to the mature malware platforms and exploitation kits I’ll be covering in upcoming posts, the leak of its source code made it easy for anyone to tweak it to their own needs and simply feed it undetectable binaries, new vulnerabilities and newly registered domains, or even hijacked ones, compromised through web application vulnerabilities for instance.
In case you’re interested in proof that attackers are still successfully infecting victims using vulnerabilities for which patches were released months ago, here’s another URL that exploits two vulnerabilities at once, namely:
MDAC ActiveX code execution (CVE-2006-0003)
IE COM CreateObject Code Execution (MS06-042)
The domain in question is – _http://www.avvcc.com and _http://www.avvcc.com/lineage/djyx.htm