Wednesday, April 27, 2016

Botnet Feature Advancement: Zeus!

When you’re building your very own botnet you need to be quite selective about the botnet agent you’re planning on running with. Many of the botnets we encounter operating within enterprise environments today are constructed using commonly available DIY malware construction kits – of which Zeus is the most popular.
Zeus is an interesting DIY malware construction kit. Over the years it has added to its versatility and developed in to an open platform for third-party tool integration – depending upon the type of fraud or cybercrime the botnet master is most interested in. Along the way, many malware developers have tweaked the Zeus kit and offer specialized (and competing) major versions of the DIY suite (for sale). As such, the “Zeus” kit has morphed and isn’t really even a single kit any more. You can find Zeus construction kits retailing between $400-$700 for the latest versions – dropping to “free” within a couple of months as pirated versions start circulating Torrent feeds.
That said, competition between Zeus vendors is fierce – driving new innovation within this single DIY construction kit.
Take for example the recently posted “for sale” listing for a new Zeus version over on one of the popular hacking forums – retailing for $700 new…
It’s interesting to note the major changes in the DIY kit’s changelog:
[Version 1.3.0.0, 20.11.2009]
[*] Interception of WinAPI by splicing.
[+] Fully operational in Windows Vista / 7.
[*] Temporarily disabled hiding of the Trojan’s files.
[*] Removed TAN-grabber.
[-] Fixed duplicate records in nspr4.dll.
[*] Grabbed certificates are now written with the name grabbed_dd_mm_yyy.pfx, and password in UTF-8.
[*] The getcerts command now obtains certificates only from the MY store, not from all stores, since obtaining certificates from all stores makes no sense.
[*] Changed the behaviour of the certificate grabber.
[*] Rewrote the FTP/POP3 sniffer, improved detection of logins, added support for IPv6 addresses.
[*] Rewrote the interception of keyboard input, fixed the method of working with international characters.
[-] Fixed a bug in HTTP fakes which could lead to deadlock.
I think the most interesting advances are those I’ve bolded above.
Obviously Windows 7 support is going to be pretty important going forward for Zeus-dependent botnet masters; so too is the grabbing of certificates from the victims’ systems (e.g. SSL/TLS client certificates and corporate VPN access). The fact that the TAN-grabber has been removed is probably more indicative of features no longer required by Zeus “customers” and an effort to keep the Zeus botnet agent down in size.
The most significant addition with this release in my mind is the additional support for IPv6 – particularly as it relates to network sniffing. As enterprise networks (and government networks) take up IPv6 internally, botnet operators need to ensure that they’re also “IPv6 compliant” (which is easy enough if the victim’s operating system is configured to rely upon IPv6), but more critical is the capability to sniff IPv6 network traffic and automatically extract the data most valuable to the botnet operator – rather than having to deal with bulk packet captures.
For those enterprise networks already running IPv6 it’s important that their network administrators and security teams know that botnet masters are already armed with IPv6 capabilities – and are constantly tweaking and enhancing botnet agent capabilities.
One last thing to note though. Just because Zeus is a common botnet malware family, it doesn’t mean that you’re likely to have antivirus detection coverage within typical enterprise networks. Zeus is practically never deployed in its “raw” state – instead, botnet masters typically deploy heavily obfuscated and protected serial variants of the malware – making each victim unique. So don’t be surprised if it evades any host-based detection technologies you may have deployed.

Latest Dridex Banking Trojan: How It Works

Dridex malware – also known as Bugat and Cridex – is believed to have been created by cyber criminals in Eastern Europe in an effort to harvest online banking details. Even after a high-profile takedown operation in late 2015, the Dridex botnet seems to be active again.

The Dridex virus typically distributes itself through spam emails that include malicious attachments, most often a Microsoft Office file or Word document embedding malicious macros.

Once the malicious file has been opened, the macros download and install the main payload of the virus – the trojan program itself – from a hijacked server, which installs and runs on the victim's computer.

The Dridex trojan then installs a keylogger on the infected machine and manipulates banking websites with the help of transparent redirects and web-injects.

This results in the theft of the victim's personal data, like usernames and passwords, with the ultimate aim of breaking into bank accounts and siphoning off cash.

Hacker replaces Trojan with Anti-virus
However, a recent hack has surprised researchers: instead of distributing the banking trojan, a portion of the Dridex botnet currently seems to be spreading legitimate copies of Avira's free anti-virus software, as the company itself has announced.

"The content behind the malware download [link] has been replaced, it is now providing [a legitimate], up-to-date Avira web installer instead of the usual Dridex loader," Avira said.
Avira believes that the white hat hacker or hackers may have hacked into a portion of infected web servers using the same flaws the malware authors used and then replaced the malicious code with the Avira installer.

So, once infected, instead of receiving Dridex malware, the victims get a valid, signed copy of Avira antivirus software.

Friday, January 8, 2016

The Simda Botnet that enslaved 770,000 PCs worldwide!

Simda, as the botnet was known, infected an additional 128,000 new computers each month over the past half year, a testament to the stealth of the underlying backdoor trojan and the organization of its creators. The backdoor morphed into a new, undetectable form every few hours, allowing it to stay one step ahead of many antivirus programs. Botnet operators used a variety of methods to infect targets, including exploiting known vulnerabilities in software such as Oracle Java, Adobe Flash, and Microsoft Silverlight. The exploits were stitched into websites by exploiting SQL injection vulnerabilities and exploit kits such as Blackhole and Styx. Other methods included sending spam and other forms of social engineering. Countries most affected by Simda included the US, with 22 percent of the infections, followed by the UK, Turkey with five percent, and Canada and Russia with four percent.

The malware modified the HOSTS file Microsoft Windows machines use to map specific domain names to specific IP addresses. As a result, infected computers that attempted to visit addresses such as connect.facebook.net or google-analytics.com were surreptitiously diverted to servers under the control of the attackers. Often the booby-trapped HOSTS file remains even after the Simda backdoor has been removed. Security researchers advised anyone who may have been infected to inspect their HOSTS file, which is typically located in the directory %SYSTEM32%\drivers\etc\hosts. People who want to discover if they have been infected by Simda can check this page provided by AV provider Kaspersky Lab.

The page is effective as long as a person's IP address hasn't changed from when the infection was detected.
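The HOSTS inspection the researchers recommend, as an added example that is not part of the original post: a Python script that reads a hosts file (the Windows path given above, or /etc/hosts elsewhere) and flags every name mapped to a non-local address, calling out the two domains named above specifically. The sample hosts content and the 203.0.113.x addresses are constructed for this example and are not real indicators.

```python
import ipaddress
import os
import sys

# The two domains the Simda write-up names as being diverted (constructed watch list).
WATCHED_DOMAINS = {"connect.facebook.net", "google-analytics.com"}

def default_hosts_path():
    """Path of the hosts file on the current platform."""
    if os.name == "nt":
        root = os.environ.get("SystemRoot", r"C:\Windows")
        return os.path.join(root, "System32", "drivers", "etc", "hosts")
    return "/etc/hosts"

def is_local_address(addr):
    """A stock hosts file only maps names to loopback/unspecified/link-local addresses."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False          # not parseable as an IP: treat as suspicious
    return ip.is_loopback or ip.is_unspecified or ip.is_link_local

def audit_hosts(text):
    """Return (line_no, address, hostname, reason) for each entry worth a look."""
    findings = []
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()      # drop comments and blank lines
        if not line:
            continue
        addr, *names = line.split()
        if is_local_address(addr):
            continue                              # normal localhost-style entry
        for name in names:
            name = name.lower()
            reason = ("Simda-style diversion of a watched domain"
                      if name in WATCHED_DOMAINS else "name mapped to a non-local address")
            findings.append((line_no, addr, name, reason))
    return findings

# Constructed sample: a default Windows header plus Simda-style entries (203.0.113.x are placeholders).
SAMPLE_HOSTS = """# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
203.0.113.10    connect.facebook.net
203.0.113.10    google-analytics.com
203.0.113.11    cdn.example.test    # placeholder, not a real indicator
"""

if __name__ == "__main__":
    path = sys.argv[1] if len(sys.argv) > 1 else None
    text = open(path, encoding="utf-8", errors="replace").read() if path else SAMPLE_HOSTS
    hits = audit_hosts(text)
    for line_no, addr, name, reason in hits:
        print(f"line {line_no}: {addr:<16} {name:<28} {reason}")
    if not hits:
        print("no suspicious entries")
```

Run it with no argument to see the constructed sample, or pass the path from default_hosts_path() to audit a real machine; a name mapped to 0.0.0.0 by an ad blocker is deliberately not flagged.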
The takedown involved the seizing of 14 command-and-control servers that were located in the Netherlands, US, Luxembourg, Poland, and Russia. The highly coordinated takedown occurred simultaneously all over the world last Thursday and Friday and was organized by the Interpol Global Complex for Innovation in Singapore.

It included officers from the Dutch National High Tech Crime Unit, the US FBI, the Police Grand-Ducale Section Nouvelles Technologies in Luxembourg, and the Russian Ministry of the Interior’s Cybercrime Department “K." INTERPOL also worked with Microsoft, Kaspersky Lab, Trend Micro, and Japan’s Cyber Defense Institute for technical assistance.

Last week's takedown is only the latest international operation to shut down a botnet that indiscriminately menaced huge numbers of people around the world. Last week a separate takedown targeted Beebone, a highly elusive botnet that provided a captive audience of backdoored PCs to criminals who were looking for an easy way to quickly install malware on large numbers of computers. Get Latest Setup and Botnet configuration contact me on skype nitro_9ice or Ymessenger- nitro_ice9 for more insight.

Tuesday, April 14, 2015

RAMNIT Botnet that Infected 3.2 Million Computers

Like GameOver Zeus, RAMNIT is also a 'botnet' – a network of zombie computers which operate under criminal control for malicious purposes like spreading viruses, sending out spam containing malicious links, and carrying out distributed denial of service (DDoS) attacks in order to bring down target websites.
RAMNIT is believed to spread malware via trustworthy-looking links sent through phishing emails or social networking sites, and mainly targets people running Windows operating systems in order to steal money from victims' bank accounts. Moreover, public FTP servers have also been found distributing the malware.
Thursday, June 5, 2014

Carbon Form Grabber BOTNET - All Browser Intrusion!

I bring to you a brand new product! This is really very cool! This form grabber was written from scratch with the customer in mind.

We have made a web panel that is very intuitive, easy to use and sleek! This product was made for newcomers and for pros;
it will suit the needs of any user with our easy to use panel and our advanced features, this product is the best of both worlds.


The Carbon Form Grabber created by AlexHF runs on 32-bit and 64-bit platforms and exhibits some semi-persistence. The Carbon Grabber is composed of a Builder and an intuitive PHP Panel.
The Carbon Grabber is able to capture logins and passwords from SSL & HTTP webpages in Chrome, Firefox and Internet Explorer.
The kit contains the following features:
  • Startup (Hidden) - Meaning the process doesn’t appear in the Windows Task Manager.
  • Userkit (x86 & x64 )
  • Injection
  • Chrome SSL & HTTP Grabber
  • Firefox SSL & HTTP Grabber
  • Internet Explorer SSL & HTTP Grabber
  • Intuitive PHP Panel
  • Escalate to Administrator Privileges - Apparently performed via runas
Contact NitRo on Ymessenger for SETUP files or SETUPS - Ymessenger ID- nitro_ice9@yahoo.com

Tuesday, April 1, 2014

Newest Zeus banking Trojan is Born, ZeusVM

Notorious banking Trojan Zeus is back in another variant, security firm Malwarebytes has warned.
Dubbed ZeusVM, the modded version of the infamous Trojan is being distributed in many different ways, but typically through phishing emails or web-based attacks, including "malvertising", whereby people are infected by visiting websites containing malicious ads.
"The Zeus/Zbot Trojan is one of the most notorious banking Trojans ever created; it's so popular it gave birth to many offshoots and copycats."

"The particularity of Zeus is that it acts as a 'man in the browser', allowing cyber-crooks to collect personal information from its victims as well as to surreptitiously perform online transactions.
"A new variant of this Trojan, dubbed ZeusVM, is using images as a decoy to retrieve its configuration file, a vital piece for its proper operation."
Malwarebytes senior security researcher Jerome Segura explained that there are various parts to this piece of malware. While the main executable - the bot - will bury itself into your computer and ensure it is reactivated every time you reboot, at regular intervals it also checks with its command and control server for new instructions while monitoring user activity.
"The JPG contains the malware configuration file which is essentially a list of scripts and financial institutions - but doesn't need to be opened by the victim themselves," Segura said.
"In fact, the JPEG itself has very little visibility to the user and is largely a cloaking technique to ensure it is undetected from a security software standpoint."
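As an added example (not from the article or from Malwarebytes), a forensic check for the decoy image described above. It assumes the hidden configuration is carried after the JPEG's end-of-image marker, so the picture still displays normally; the script walks the real JPEG segment structure to find the true EOI rather than searching for the last FF D9, because appended data may itself contain that byte pair. The minimal image shell is constructed inline for testing and is not a viewable picture.

```python
import struct
import sys

SOI, EOI, SOS = 0xD8, 0xD9, 0xDA

def jpeg_end_offset(data):
    """Walk the JPEG segment structure and return the offset just past the EOI
    marker, or None if the bytes are not a well-formed JPEG."""
    if data[:2] != b"\xff\xd8":
        return None
    pos, n = 2, len(data)
    while pos + 2 <= n:
        if data[pos] != 0xFF:
            return None                       # lost sync: not where a marker should be
        marker = data[pos + 1]
        if marker == 0xFF:                    # fill byte before a marker
            pos += 1
            continue
        if marker == EOI:
            return pos + 2
        if marker == 0x01 or 0xD0 <= marker <= 0xD7:   # TEM / RSTn carry no length
            pos += 2
            continue
        if pos + 4 > n:
            return None
        length = struct.unpack(">H", data[pos + 2:pos + 4])[0]
        pos += 2 + length
        if marker == SOS:
            # Entropy-coded data follows; skip until a real marker appears.
            # 0xFF00 is a stuffed byte and 0xFFD0-D7 are restart markers, both part of the scan.
            while pos + 1 < n:
                nxt = data[pos + 1]
                if data[pos] == 0xFF and nxt != 0x00 and not (0xD0 <= nxt <= 0xD7):
                    break
                pos += 1
    return None

def trailing_payload(data):
    """Bytes appended after the image proper (b"" if none, None if not a JPEG)."""
    end = jpeg_end_offset(data)
    return None if end is None else data[end:]

def build_jpeg_shell(scan_bytes, appended=b""):
    """Constructed minimal JPEG skeleton (JFIF APP0 + SOS) for testing; not a viewable image."""
    app0 = b"\xff\xe0" + struct.pack(">H", 16) + b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
    sos = b"\xff\xda" + struct.pack(">H", 8) + b"\x01\x01\x00\x00\x3f\x00"
    return b"\xff\xd8" + app0 + sos + scan_bytes + b"\xff\xd9" + appended

if __name__ == "__main__":
    if len(sys.argv) > 1:
        blob = open(sys.argv[1], "rb").read()
    else:  # constructed sample: a scan containing a stuffed 0xFF00, then a fake config blob
        blob = build_jpeg_shell(b"\x12\x34\xff\x00\x56", b"\xff\xd9" + b"<placeholder config>")
    extra = trailing_payload(blob)
    if extra is None:
        print("not a JPEG")
    elif extra:
        print(f"{len(extra)} bytes appended after EOI: {extra[:16]!r}...")
    else:
        print("no data after EOI")
```

Trailing bytes are not proof of malware (some cameras and editors append metadata too), so treat a hit as a reason to look at the file's origin and contents, not as a verdict.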

This enables a 'man in the browser' attack where everything the victim does while browsing can be intercepted and modified at will.
"Visiting certain URLs, such as a bank website, will trigger an alert and the Trojan will start interacting in real-time. For example, it will alter the login page and ask for additional personal details, which it does using a technique known as 'webinjects', where code is injected directly into the browser, changing the webpage in real time," he added.
It can also perform wire transfers while the victim is logged in, Segura said, and even alter the appearance of the current account balance to ensure that it remains unnoticed.
Although most anti-malware products should detect banking Trojans, traditional anti-virus software products might not.

"It only matters if the detection is timely. There's little use if you have been infected for two days and your account has already been depleted," the firm said, advising that observing basic security tips like "not opening email attachments unless you are absolutely sure it is safe" will help.
However, while Malwarebytes recorded a new variant of the popular Zeus trojan, security firm FireEye has said that hackers are dropping standard malware like Zeus in favour of more advanced but harder-to-use remote access Trojans (RATs) such as Xtreme RAT.

Xtreme RAT is a notorious RAT that has been freely available on a number of cyber black markets since June 2010. The RAT is dangerous as it can be used for a variety of purposes, including interacting with the victim machine via a remote shell, uploading and downloading files, interacting with the registry and manipulating running processes and services.

Neverquest banking malware Partners Zeus trojan

New Neverquest malware steals bank account logins and lets attackers access accounts through victims' computers.
For over five years, Zeus has been the undisputed king of banking malware. Once this trojan was loaded onto a victim's machine, it could:
  • Detect when the owner entered banking information into a web browser.
  • Steal passwords and other pertinent login information.
  • Encrypt the stolen information and send it to the attacker's specified servers.
Zeus was also one of the first pieces of malicious software to be sold under a license. For the right price, anyone could use it.
Zeus remains active today, but its source code was published online in 2011 and this cyberscourge has about run its course. Unfortunately, security experts are already sounding the alarm about a new piece of malware that makes Zeus look like a simpleton. Neverquest significantly raises the bar for online banking malware.

How Neverquest works

Like Zeus, Neverquest is a Trojan. Bad guys introduce Neverquest to the victim’s computer via social media, email, or file transfer. According to the security blog Threat Post, Neverquest replicates in a manner similar to the Bredolab botnet client:
"Bredolab malware used the same methods of distribution that Neverquest is currently using. Bredolab would eventually become the third most widely distributed piece of malware on the Internet."
Before it was shuttered, the Bredolab botnet consisted of 30 million computers. Why not use something that works?
If the victim’s computer is vulnerable to an exploit targeted by Neverquest’s trojan loader, the malware is installed. Then Neverquest starts paying attention to what the user is typing into their web browser. If a predetermined financial term is recognized, Neverquest checks the website domain name. Since Neverquest has hundreds of banking and financial institutions in its database, there’s a better than average chance Neverquest will be familiar with the banking website.
Once Neverquest recognizes a banking site, it will relay the login information back to the attackers’ command and control server. Once the victim's credentials are in the hands of the attackers, they will remotely control the victim's computer using VNC, log into the victim's banking website, and do one of the following:
  • Transfer money to different accounts
  • Change login credentials, locking out the account owner
  • Write checks to money mules
And to make matters worse, banking sites are unable to distinguish the victim's login from that of the attacker using Neverquest.
One capability Neverquest has that Zeus doesn’t is the ability to cultivate new banking sites for its database. If the malcode recognizes certain financial terms but not the domain, Neverquest will send the information back to the command and control server, which then creates a new identity and updates every compromised computer under its control.

Neverquest in the wild

One sobering reality is that Neverquest is already for sale. Zeus, being “first of its kind” malware, required skilled controllers. Not so with Neverquest: script kiddies and malware non-experts are able to make use of the potent malware as soon as they buy it.