Blogspot Whammies

I enjoy seeing what the world has to say from time to time and to give everyone’s voice a fair shake I will often click “Next Blog” in Blogspot’s standard blog header. I know that Blogspot pages are now a popular point of redirection for initiating malware download, especially with Koobface. I also know that rogue AV is the gravy train of scam software and is now being promoted through Koobface. Now when I go gambling I never win anything, but it appears the Blogspot “Next Blog” slot machine has shown up all cherries. Well, maybe lemons.

In a very swift redirection I was brought to “”. This was supposed to perform a “scan” of my computer as is customary with rogue AV, but Firefox was kind enough to report this as a “Reported Attack Site!”
Let’s take a peek at “” and see what this family of rogue AV looks like. Maybe I know some of your relatives. A A NS NS NS NS

Name: Lian S Richard
Address: Overhogdal 25
Province/state: MOLNLYCKE
Country: SE
Postal Code: 43510

Administrative Contact:
Name: Lian S Richard
Organization: n/a
Address: Overhogdal 25
Province/state: MOLNLYCKE
Country: SE
Postal Code: 43510
Phone: +5.3017560166
Fax: +5.3017560166

Technical Contact:
Name: Lian S Richard
Organization: n/a
Address: Overhogdal 25
Province/state: MOLNLYCKE
Country: SE
Postal Code: 43510

Nameserver Information:

Create: 2009-10-28 18:44:36
Update: 2009-10-29
Expired: 2010-10-28

What else is going on at these IPs?

Passive DNS over at reveals the following: A A A A A A A A A A A A A A A A A A A A A A A A A PTR A A A A A A A A

And we find another IP: A A A A A A A A A A A A A A A A A A A A A A A A A

Well, rogue AV is obviously the name of the game here. Let’s look on a larger scale at the AS level. is under AS13237 (LAMBDANET) reports 200 domains under Lambdanet, the majority of which relate to rogue AV. points to AS34305 (EUROACCESS)

They are small time with only 23 domains reported by They consist of rogue AV and Zbot.

The big guy comes with AS49038 (RICCOM) which was over the IP

326 Riccom domains were reported by, and only about seven were unrelated to rogue software.

There’s a dozen other IPs mixed in here going back to March, but most notable is which also comes up under AS29550 (EUROCONNEX). This IP gem has hundreds of domains pointed to it in relation to rogue software, such as: A A A A A A A A A A A A A A

just to list a few. This also leads back to Koobface and the “2008 ali baba and 40, LLC” which you can read about in Dancho’s blog from September. It looks like was part of a large family after all. No surprise there. I’m sure I’ll be bumping into you again.

Matt Sully
Threat Research & Analysis


ICANN is meeting in Korea this week to discuss several issues regarding domain management, including post-expiration domain name recovery, registration abuse policies, new gTLDs and IDN ccTLDs. While all of this is interesting, I started to think about how many English-only web users are even aware of this final issue. Did you ever consider that while the Internet is dominated by English-focused websites, 60% of its users are non-English speakers? How many of you were aware that a URL could even be written in Chinese?

IDNs are internationalized domain names that are written using local language characters, not just limited to Latin or ASCII based script. The second level domains have been available for some time, such as “日本語ドメイン.com” but are currently limited to 2LDs and on, leaving the ASCII familiar TLDs (top-level domains) like “.com” to remain as a foreign language appendix. What we are likely to see very soon however, thanks to the ICANN discussions, is domains completely constructed using just one language.

ICANN has set up a test page at Here you can see the same example.test domain in Arabic, Greek, Cyrillic, and Hebrew.

So what does this mean for DNS which performs its Q&A based on the ASCII code? In order for DNS to understand and interpret these IDNs the unicode domain string is encoded using punycode, transforming it into ASCII so it can resolve properly. A full explanation of the punycode bootstring algorithm can be found here.

For every domain there is a label assigned to it. The DNS stored label is usually the same as the displayed label for Latin based domain names, but with IDNs and punycode we see a more significant difference between the two. A displayed label is called a U-label (for Unicode) and its stored version is an A-label (for ASCII). The result, which most consumers will never realize, is that a domain such as example.test can be displayed as ‘пример.испытание’ (in Cyrillic) but is stored as ‘xn--e1afmkfd.xn--80akhbyknj4f’ (example from ICANN). Every punycode version of these IDNs will begin with “xn--”.

It’s great that ICANN is making this movement for a more internationally conscious and applicable Internet, but it seems very delayed. How much has an English dominated Internet kept the rest of the world out of the loop? A couple of examples provided by ICANN documents bring up everyday situations many of us take for granted. If I read a billboard or advertisement that has an accompanying web address, I go there for more information. But what if that URL was in Chinese or Hindi? I wouldn’t be able to remember the address or use my keyboard to even reproduce it. I would of course prefer to have the web address in the same language as everything else I’m reading. This change will be especially advantageous for script such as Arabic that reads from right to left. You can imagine how confusing that is currently for conveying a URL properly to international consumers.

There are three programs for obtaining entire native language IDNs. The proposed launch date for the IDN ccTLD Fast Track Process is November 16, 2009.

For some application and browser IDN handling issues, check out
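As an added example (not code from the original post or from ICANN), the U-label to A-label conversion described above using Python's built-in idna codec, with a round trip on ICANN's own Cyrillic sample, plus the kind of check a browser's IDN display policy makes before showing a Unicode name: a label whose letters come from more than one script. The mixed-script sample domain is constructed for the demonstration.

```python
import unicodedata

# ICANN's sample quoted in the text above; the A-label is the stored form.
ICANN_EXAMPLE_U = "пример.испытание"
ICANN_EXAMPLE_A = "xn--e1afmkfd.xn--80akhbyknj4f"


def to_a_label(domain):
    """U-label (displayed Unicode form) -> A-label (ASCII form stored in DNS).

    Python's 'idna' codec applies nameprep and then punycode to each
    label, prefixing every label that needed encoding with 'xn--'.
    Pure-ASCII labels pass through unchanged.
    """
    return domain.encode("idna").decode("ascii")


def to_u_label(domain):
    """A-label -> U-label; the codec also verifies the xn-- label re-encodes."""
    return domain.encode("ascii").decode("idna")


def label_scripts(label):
    """Set of scripts used by the letters of one U-label label.

    The script is taken from the first word of each letter's Unicode
    character name, e.g. 'CYRILLIC SMALL LETTER PE' -> 'CYRILLIC'.
    Digits and hyphens carry no script and are ignored.
    """
    scripts = set()
    for ch in label:
        if ch.isalpha():
            scripts.add(unicodedata.name(ch, "UNKNOWN").split()[0])
    return scripts


def mixed_script_labels(domain):
    """Return the labels of `domain` (U- or A-label form) mixing scripts.

    A single label drawn from two scripts is the pattern browsers refuse
    to render in Unicode and show as the raw xn-- form instead, because
    it can make one name look like a different one.
    """
    u_form = to_u_label(domain) if "xn--" in domain.lower() else domain
    return [lbl for lbl in u_form.split(".") if len(label_scripts(lbl)) > 1]


if __name__ == "__main__":
    print(to_a_label(ICANN_EXAMPLE_U))          # xn--e1afmkfd.xn--80akhbyknj4f
    print(to_u_label(ICANN_EXAMPLE_A))          # пример.испытание
    # Constructed sample: 'example' with a Cyrillic 'а' (U+0430) in place of Latin 'a'.
    print(mixed_script_labels("ex\u0430mple.test"))
```

The built-in codec implements IDNA2003; the third-party `idna` package implements IDNA2008, which is what registries and current browsers use, and it rejects some labels the older rules accept, so use it when validating names rather than just displaying them.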

Matt Sully
Threat Research & Analysis

Wireshark Plugin for Mariposa Botnet Command and Control

“Yamata Li of the Palo Alto Networks Threat Research Team has developed a Wireshark plugin that will allow you to view obfuscated pcaps of traffic from a Mariposa infected client and actually decrypt them within Wireshark.”

Thanks Yamata, the time and effort you have put into this plug-in is much appreciated. 

Threat Analyst

Mariposa Botnet Analysis

*** Update ***

An updated version of the Mariposa Technical Analysis can be found at


Mariposa was first observed in May of 2009 by Defence Intelligence as an emerging botnet. In recent months, Mariposa has shown a significant increase in beaconing traffic to its command and control servers. This is indicative of an increasingly high number of compromised computers actively participating in the Mariposa botnet.

The most dangerous capability of this botnet is that arbitrary executable programs are downloaded and executed on command. This allows the bot master to infinitely extend the functionality of the malicious software beyond what is implemented during the initial compromise. In addition, the malware can be updated on command to a new variant of the binary, effectively reducing or eliminating the detection rates of traditional host detection methods.

Commands from the botnet master may be directed at participants in a specific country, individual computers, or all computers. As a result, the observation of the live command and control channel may not include all of the activity and capabilities of Mariposa.

The command and control channel employs custom encrypted UDP datagrams to receive instructions and transmit data. A detailed analysis of the encryption and message formats used by the protocol is presented in this paper.

During empirical analysis of internal controlled compromised systems, the following DNS domain names were observed as the command and control servers:

Over the last two weeks of analysis, two unique malicious programs were downloaded and executed on the compromised computers. One malware update was received during this period, introducing new command and control domain names, adding a ‘confirmation of download’ message, and renaming ASCII commands.

It has also been observed that the botnet participants are receiving Google custom search engine URL fragments in a command from the bot master. This indicates a possible hijacking of Google AdSense advertisement revenue.

This paper details the result of static binary analysis, a review of the command and control protocols including a breakdown of the encryption, and empirical behaviour analysis findings.

The full Mariposa Botnet Analysis is available in PDF form at

Mariposa Defined

Defence Intelligence has received quite a few responses to our story on the Mariposa botnet. They have run the gamut from polite information inquiries to accusations of falsifying our findings for media coverage, and thinly veiled threats of legal action. A response of our own has become necessary and we hope it at least answers some common questions many of you have asked.
Who is Defence Intelligence?
To begin with we are not an anti-virus company. We have spent the last 14 years protecting companies from hackers, not viruses. Until just a few years ago a virus and a hacker had very little to do with each other. Viruses are annoying and at times destructive but pose very little actual threat to a company or government’s information and its assets. A hacker’s goal on the other hand is to stealthily gain control of a targeted system with the intent of stealing data, attacking the internal network, or using the controlled system to attack an external network.
In the last few years these two distinct threats have blended. Hackers have discovered that direct external attacks are unnecessary and risky. It is now easier to engineer malicious software that is delivered to a system remotely through various means. Once that malicious software is on an internal computer, it then communicates outbound to the hacker, handing them complete control of the affected system.
When a system is compromised in this manner the attack is all too often misunderstood and dismissed as a mere virus, not just by the victim but by those providing that victim’s system security.
The Defence Intelligence team comes from an information security background, and not an anti-virus background, which means we view things differently. Within incident response, multiple events form an incident and events are constructed using various components. IP addresses, domain names, binaries, people, companies, and networks are all parts of this particular incident, which in this case, is a botnet.
What is Mariposa?
Mariposa is a collection of compromised computers that are directly under the control of a single malicious entity. In the security industry we call this a botnet.
Mariposa is NOT a virus, or a worm, or a trojan or any other dated designation still inappropriately assigned to modern day malware. The malicious software used by Mariposa, and any other botnet, actively evolves to become whatever is needed by its controller and is not limited by the boundaries of antivirus labels. This means that a trojan can be told to spread like a worm. It means that malware designed to send spam can be instructed to steal banking information.
Modern malware can no longer be classified by its perceived purpose or propagation method because those change in an instant. This software is engineered to gain access to and maintain control over the victim machine, and infiltrating a user’s computer is not difficult. Using a variety of software exploits and social engineering tactics, an attacker will find a way to distribute his malware to his victims.
Panda Security released a report this week showing that almost 60% of all PCs that scanned their computer this month had malware of some kind on their system.
Once the malware is on the system it seeks communication with its controlling entity. With communication to the controlling entity, any compromised machine can be capable of carrying out any order issued by the botnet controller and any data on the compromised machine can be extracted for use, sale or distribution by the attacker.
Why did you call it Mariposa?
Our naming of this botnet as Mariposa has been a cause of concern for some. The confusion comes when antivirus companies, or those using antivirus, search for the Mariposa name only to find no results. This is because Mariposa refers to the botnet and not the malware it utilizes.
The malware used by Mariposa goes by many names, and this is part of the problem. Even amongst antivirus groups and within their own companies it is difficult to find a common name for any one family of malware. Below are some of the names attributed to binaries which are used within Mariposa that are detected by McAfee and Trend. This provides a quality example for the current confusion in botnet malware identification.

McAfee Trend
W32/Autorun.worm.zzq WORM_AUTORUN.ZRO
W32/Virut.n.gen WORM_Generic.DIT
Downloader-BQP TROJ_Generic.DIT
W32/Autorun.worm.zzk PE_VIRUX.A
Generic.dx!dpk WORM_PALEVO.AZ
W32/Autorun.worm.fq WORM_AUTORUN.EPB
W32/Autorun.worm.c TSPY_ZBOT.SMQ
W32/Autorun.worm!bf PE_VIRUX.F-1
Generic.dx!la PE_VIRUX.E
Generic.dx!ha PE_VIRUX.D
Generic.dx!dqe PE_VIRUX.C-1

It is our hope that Defence Intelligence can, if not through its terminology then through its methodology, provide some guidance to improve upon the multiple naming conventions, allowing a clearer arena for botnet discussion and understanding.
Why didn’t my AV pick this up?
Using signatures and automated classification, especially when involving heuristics, results in a cacophony of naming options for every distinct variant of a given piece of malware. That said, many AV companies have had the ability to detect some variations of the malware behind Mariposa long before we became aware of this botnet’s activity.
With our approach to compromise detection, utilized by our Nemesis software, we can detect the botnet which allows the organization to track down systems affected by the malware, regardless of the variant or antivirus identification ability. While AV companies look at single binaries and classify based upon discrete behavior of code, or the packer that is used to obfuscate the binary, we look at the threat holistically, a macro versus micro approach.
At Defence Intelligence we consider the code used within Mariposa as only one identifying factor. Command structure is another. This is defined by domain names, IP addresses, and communication protocols and the fluctuation of each. We also consider the end point organization or individual over the botnet, ultimately any indicator as to who is responsible for the formation and/or control of the hosts affected by this malware.
With perpetual addition of variants and updates, the reliance on AV detection to keep pace is not advised. Virustotal is a free web based service that analyzes files through multiple antivirus engines, revealing their detection capability of any suspected malware. The following is a virustotal output on one of the malicious binaries related to Mariposa.

Antivirus Version Last Update Result
a-squared 2009.07.24
AhnLab-V3 2009.07.24
AntiVir 2009.07.24
Antiy-AVL 2009.07.24
Authentium 2009.07.24
Avast 4.8.1335.0 2009.07.24
AVG 2009.07.24
BitDefender 7.2 2009.07.24
CAT-QuickHeal 10 2009.07.24
ClamAV 0.94.1 2009.07.24
Comodo 1742 2009.07.24
DrWeb 2009.07.24
eSafe 2009.07.23 Suspicious File
eTrust-Vet 31.6.6637 2009.07.24
F-Prot 2009.07.23
F-Secure 8.0.14470.0 2009.07.24
Fortinet 2009.07.24
GData 19 2009.07.24
Ikarus T3. 2009.07.24
Jiangmin 11.0.800 2009.07.24
K7AntiVirus 7.10.800 2009.07.23
Kaspersky 2009.07.24
McAfee 5686 2009.07.23
McAfee+Artemis 5686 2009.07.23
McAfee-GW-Edition 6.8.5 2009.07.24 Heuristic.LooksLike.Worm.Palevo.B
Microsoft 1.4903 2009.07.24
NOD32 4273 2009.07.24
Norman 2009.07.22
nProtect 2009.1.8.0 2009.07.24
Panda 2009.07.24
PCTools 2009.07.23
Prevx 3 2009.07.24
Rising 2009.07.24 Trojan.Win32.DangerGL.a
Sophos 4.44.0 2009.07.24 Mal/EncPk-IY
Sunbelt 3.2.1858.2 2009.07.23
Symantec 2009.07.24
TheHacker 2009.07.24
TrendMicro 8.950.0.1094 2009.07.24 PAK_Generic.001
VBA32 2009.07.24 suspected of Malware-Cryptor.Win32.General.3
ViRobot 2009.7.24.1851 2009.07.24
VirusBuster 2009.07.23
Additional information
File size: 123392 bytes
MD5 : 6939c088f59258da7410f66837c62192
SHA1 : 500bb963602d45584303a4dc3f6fd6052a6752d8
SHA256: 996c2667b2bcf86c9c7c20d7c79a3024131c84e0d82d5338db99812830ad778a

As you can see, only 6 of the 41 antivirus groups were able to detect the malware. Once again, the naming is inconsistent. Given time, however, most antivirus companies are able to identify the same binary.

Antivirus Version Last Update Result
a-squared 2009.09.29 P2P-Worm.Win32.Palevo!IK
AhnLab-V3 2009.09.29
AntiVir 2009.09.29
Antiy-AVL 2009.09.29
Authentium 2009.09.29
Avast 4.8.1351.0 2009.09.28 Win32:MalOb-H
AVG 2009.09.29 SHeur2.ASQE
BitDefender 7.2 2009.09.29 Trojan.Generic.2263367
CAT-QuickHeal 10.00 2009.09.29
ClamAV 0.94.1 2009.09.29
Comodo 2469 2009.09.29 Heur.Suspicious
DrWeb 2009.09.29 Trojan.Packed.541
eSafe 2009.09.29 Suspicious File
eTrust-Vet 31.6.6768 2009.09.29
F-Prot 2009.09.29
F-Secure 8.0.14470.0 2009.09.29 Packed.Win32.Krap.y
Fortinet 2009.09.29
GData 19 2009.09.29 Trojan.Generic.2263367
Ikarus T3. 2009.09.29 P2P-Worm.Win32.Palevo
Jiangmin 11.0.800 2009.09.27
K7AntiVirus 7.10.856 2009.09.29 P2P-Worm.Win32.Palevo.jaz
Kaspersky 2009.09.29 Packed.Win32.Krap.y
McAfee 5755 2009.09.28 W32/Autorun.worm.zzq
McAfee+Artemis 5755 2009.09.28 W32/Autorun.worm.zzq
McAfee-GW-Edition 6.8.5 2009.09.29 Heuristic.LooksLike.Win32.NewMalware.B
Microsoft 1.5005 2009.09.23 VirTool:Win32/Obfuscator.FL
NOD32 4467 2009.09.29 a variant of Win32/Kryptik.LR
Norman 6.01.09 2009.09.29
nProtect 2009.1.8.0 2009.09.29 Trojan/W32.Agent.123392.EB
Panda 2009.09.28 Trj/CI.A
PCTools 2009.09.29
Prevx 3.0 2009.09.29 Medium Risk Malware
Rising 2009.09.29 Trojan.Win32.DangerGL.a
Sophos 4.45.0 2009.09.29 Mal/EncPk-IY
Sunbelt 3.2.1858.2 2009.09.29 Trojan.Win32.Generic!BT
Symantec 2009.09.29 Spyware.Screenspy
TheHacker 2009.09.28
TrendMicro 8.500.0.1002 2009.09.29 WORM_AUTORUN.ZRO
VBA32 2009.09.29 Malware-Cryptor.Win32.General.3
ViRobot 2009.9.29.1963 2009.09.29
VirusBuster 2009.09.29

File size: 123392 bytes
MD5 : 6939c088f59258da7410f66837c62192
SHA1 : 500bb963602d45584303a4dc3f6fd6052a6752d8
SHA256: 996c2667b2bcf86c9c7c20d7c79a3024131c84e0d82d5338db99812830ad778a
So I just need to wait for an update to my AV then?
If malware were to remain static and unchanged an identification and removal option would eventually be provided by your antivirus of choice. At that point, however, the malware has likely fulfilled any of its initial goals and its removal would be a futile and meaningless task. Unfortunately, Mariposa does not use static malware.
Malware authors often update their code to evade detection as well as try different configurations, all of which result in a new malware variant. Mariposa has over 70 variants, resulting in a persistent and dynamic botnet.
One example is this update file recently dropped onto a compromised system as instructed by the Mariposa botnet controller. Virustotal shows that only two of the 41 AV groups currently detect it.

File svc.exe received on 2009.09.29 15:27:36 (UTC)
Current status: finished
Result: 2/41 (4.88%)
A signature may soon come out for this code from your AV vendor, but by that time, a new piece of code may be written and downloaded that bypasses AV yet again.
Well, how do I stop this thing?
As the IPs, ports, and domains involved in the command structure of Mariposa are changing, it is difficult for security administrators to block this botnet’s communication. At this time we suggest tracking down the compromised systems rather than establishing rules to block the communication to the botnet controller. UDP connections are still actively used for Mariposa communication, so observing your network activity is the best place to start. If one system is frequently sending outbound UDP traffic, regardless of port, mark it as suspicious and consider removing it from the network. Your own remediation technique is up to you, but reimaging, though time consuming, is the only confident way to cleanse a compromised machine.
So what is Defence Intelligence doing about this?
As before we are contacting companies that have been affected by Mariposa. We also have other researchers and companies looking to help out in this mitigation effort and the formation of a small working group with these individuals is taking place. Updates on this and other Mariposa details will follow.


Mariposa FAQ

In response to a number of questions, we have prepared a short Q&A.

Q. How big is the botnet?
A. We estimate there to be between 150k and 200k compromised systems across 40,000 unique networks.

Q. What does it do?
A. It is designed for information theft, stealing passwords and personal credentials, but malware like this can be configured to do anything the attacker wants.
Q. Who created it?
A. That is still being investigated and we will work with law enforcement on the details.

Q. What banks/companies are involved? Who have you talked with?
A. We can’t release any specific names. We have contacted or attempted to contact all critical groups affected.

Q. When did you find it?
A. We have been tracking it since May of this year.

Q. What does Defence Intelligence do?
A. We specialize in compromise detection and prevention.

Q. How does it spread?
A. By default, the malware is designed to spread across instant messenger programs, USB keys, and P2P networks.

Q. What is Mariposa’s growth rate?
A. Its current growth rate is 7,000 new compromised systems each day.

Q. Does AV detect it?
A. With 70 variants, some of them will be detected and some won’t.

Q. How to detect and fix it?
A. Until AV catches up, removal techniques will have to be determined by the individual.

Half of Fortune 100 Companies Compromised by New Information Stealing Trojan

The Butterfly Effect: Say Hello to Mariposa

Defence Intelligence has been tracking the growth of a new information stealing botnet we’ve named Mariposa. 50 of the world’s Fortune 100 companies are actively participating in this botnet as well as hundreds of government agencies, financial institutions, universities and corporate networks worldwide.

Since its discovery in May of 2009 we’ve identified Mariposa activity in tens of thousands of unique corporate networks. Over 70 variants have been identified with varying degrees of security and purpose, including code injection into known processes, email address harvesting, and additional malware downloads. The purpose behind so many variants may only be functionality differences or efforts at avoiding AV detection, but it does not reveal the number of controllers or the exact motivation behind the overall threat.

Believed to stem from the butterfly bot kit, formerly sold at, this botnet is successfully spreading across thousands of corporate networks, just as it was designed to do. From the site, butterflybot is a

“Security tool designed to stealthy run on winnt based systems (win2k to winvista) and to stealthy and efficiently spread with 3 spreaders, which were specially designed and improved compared to already known public methods.[sic]” The three spreaders are MSN, USB, and P2P. Listed P2P networks were “ares, bearshare, imesh, shareaza, kazaa, dcplusplus, emule, emuleplus, limewire.[sic]”

Other methods may now be in place for propagation as well as capabilities for the bf botkit, but the original add-on features included Firefox and IE password harvesting, and TCP/UDP flooding. NetBIOS worm propagation and email address harvesting also appear to have become common additions.


Analysis of this botnet has revealed only one commonly identifiable piece of information. Companies wishing to determine if they have been compromised can watch for DNS queries to the domain:

Additionally, monitor for high DNS query volume to domains containing the keywords of “butterfly” or “bf” and/or mass UDP connection attempts to any of the following IPs:

For further information regarding this botnet, please contact
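The two detection suggestions in this post and in the “Well, how do I stop this thing?” answer above (a host sending outbound UDP to many destinations regardless of port, and DNS queries for names built from the “butterfly” / “bf” keywords) can be run over ordinary flow and DNS logs. The following is an added example, not Defence Intelligence’s Nemesis code; the log formats, the internal resolver address and every record in the sample are constructed for the demonstration, and the .example names are placeholders, not the real Mariposa domains.

```python
import re
from collections import defaultdict

# Constructed flow records (not captured traffic). Assumed format:
#   "<epoch> <proto> <src_ip> <dst_ip> <dst_port>"
FLOW_LINES = """\
1254000000 udp 10.0.0.5 203.0.113.10 3080
1254000001 udp 10.0.0.5 203.0.113.11 3081
1254000002 udp 10.0.0.5 203.0.113.12 3082
1254000003 udp 10.0.0.5 203.0.113.13 3083
1254000004 udp 10.0.0.5 203.0.113.14 3084
1254000005 udp 10.0.0.5 203.0.113.15 1033
1254000006 udp 10.0.0.5 203.0.113.16 1034
1254000007 udp 10.0.0.5 10.0.0.2 53
1254000008 udp 10.0.0.7 10.0.0.2 53
1254000009 udp 10.0.0.7 10.0.0.2 53
1254000010 tcp 10.0.0.7 198.51.100.1 443
"""

# Constructed DNS query records. Assumed format:
#   "<epoch> <src_ip> <queried_name>"
DNS_LINES = """\
1254000020 10.0.0.5 butterfly-c2.example
1254000021 10.0.0.7 www.example.com
1254000022 10.0.0.5 bf-update.example
1254000023 10.0.0.9 bfgoodrich.example
"""

INTERNAL_RESOLVER = "10.0.0.2"  # assumption: the site's own DNS server


def parse_flows(text):
    """Parse flow lines into (ts, proto, src, dst, dport) tuples."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, proto, src, dst, dport = line.split()
        flows.append((int(ts), proto.lower(), src, dst, int(dport)))
    return flows


def udp_talkers(flows, min_datagrams=5, min_destinations=3, ignore_dst=()):
    """Hosts sending many outbound UDP datagrams, regardless of port.

    Returns {src: (datagram_count, distinct_destination_count)} for hosts
    at or above both thresholds. Destinations in `ignore_dst` (e.g. the
    internal resolver) are not counted, so normal DNS does not trip it.
    """
    count = defaultdict(int)
    dests = defaultdict(set)
    for _ts, proto, src, dst, _dport in flows:
        if proto != "udp" or dst in ignore_dst:
            continue
        count[src] += 1
        dests[src].add(dst)
    return {
        src: (count[src], len(dests[src]))
        for src in count
        if count[src] >= min_datagrams and len(dests[src]) >= min_destinations
    }


def suspicious_dns(text, keywords=("butterfly", "bf")):
    """Map each source host to the queried names that carry a keyword.

    The post says "containing"; this matches whole hyphen- or dot-separated
    tokens instead, so 'bf' hits 'bf-update.example' but not
    'bfgoodrich.example'. A two-letter keyword is still noisy: tune it.
    """
    hits = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        _ts, src, name = line.split()
        tokens = set(re.split(r"[-.]", name.lower()))
        if any(k in tokens for k in keywords):
            hits[src].append(name)
    return dict(hits)


if __name__ == "__main__":
    flows = parse_flows(FLOW_LINES)
    print(udp_talkers(flows, ignore_dst={INTERNAL_RESOLVER}))
    print(suspicious_dns(DNS_LINES))
```

Hosts that appear in both results are the ones to pull for reimaging first; a host that trips only the UDP check still deserves a look, since the post notes the command and control domains and ports change between variants.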

Riding the Green Wave.

Considering how many people are talking about what is and is not good for the health of this planet and that everyone should be doing their part to help the environment, you shouldn’t be surprised to hear that even cyber crime is going green. Staying relevant and socially aware are key in effective malware propagation, so criminals are adding “green” gimmickry to their rogue AV sales pitch. The cyber criminals have marketing departments too. They have re-branded their fake antivirus software so that it appeals to environmentalists by having an “Environment care program. $2 from every sale we make will be sent on saving green forests in Amazonia.” It seems they need to work on their English translations. They also claim that when your computer has malware on it, your machine slows down, which means that it takes you longer to do things, and it uses more power. Using Green AV, they say, will clean and speed up your computer so that you don’t need to go out and buy a new one! Wow, that is really nice of them, and for only $99USD !!! What a deal! I am saving the environment one piece of malware at a time.

For the people who do end up downloading the software, it performs an unrequested fake scan, shows bogus results indicating that the machine is infected with a plethora of trojans, and then does the opposite of what it promises, opening up a backdoor that gives the criminals complete control of the machine. It’s humorous that they have a picture of a secure lock at the top of the page that says “Secure SLL Connection 100% Privacy Guarantee.” I am unsure what an SLL connection is but I believe they mean SSL (Secure Socket Layer). 100% privacy when giving your information to the criminals is also false security. I guess this is so other criminals can’t get your information… real secure.

The criminal underworld has evolved over the years, offering various product improvements like bug testing, constant updates to avoid detection, and even Windows-like “send error report” pop-ups that send crash information back to the malware creator so they can improve on their faults. I hate to give credit to the enemy, but they seem to be doing a better job than most of the good guys that are trying to stop them. That being said, you should be scared, or if you are too proud to be scared, you should at least be concerned. With detection rates as low as they are, the AV companies are being overwhelmed by over thirty thousand new pieces of malware a day. A Finjan report from March estimated that fake antivirus distributors can make more than $10,000 a day. PandaLabs estimates there could be as many as 35 million computers infected per month with rogue antivirus programs. Fake antivirus software is everywhere and this environmentally focused approach will likely be ‘recycled’ by other criminal proponents of its spread. Remember though, just because it says it’s “green” doesn’t mean it is good for you.

B. Kilrea
Threat Analyst

The Future is Friendly

Just as so-called ‘early adopters’ and techno-geeks are always on the lookout for the latest and greatest in flashy technology, sophisticated botnet administration suites are the current must-have for cybercriminals. As bot malware becomes increasingly easy to propagate and compromises massive numbers of network-linked machines, the problem becomes not how to create a botnet, but how to control it. These administration suites provide better handling, control, and more efficient management than their predecessors, giving their users a leg up on the competition.

The Fragus Exploit Kit is a newcomer to the market. Improving upon the trend started by the authors of such suites as the Liberty Exploit System and the Exp Eleonore Pack, Fragus is a grab bag of exploits for vulnerabilities in multiple software components. Similarities abound among these suites, from which vulnerabilities they exploit, to the layout and handling of the control panel, to the domains and IPs from which they can be downloaded. Liberty and Eleonore are both slightly older exploit kits whose latest versions have been updated to include much of the same functionality and ease of use as Fragus.

For the low price of 800 USD, Fragus is designed to simplify the administration of your bot network. It boasts support for English and Russian, statistical breakdowns of your botnet by browser, operating system (including version), by country, and by what’s euphemistically referred to as your “clients”.

Fragus comes pre-installed and ready to exploit:

MDAC – MS07-009, a vulnerability in MS Data Access Components which can allow remote code execution.

PDF – Targets 3 vulnerabilities in Acrobat Reader, util.printf, Collab.getIcon, and Collab.collectEmailInfo (CVE-2008-2992, CVE-2009-0927, and CVE-2007-5659, respectively)

DirectShow – MS09-032, exploits the MS Video (DirectShow) ActiveX Control vulnerability.

Internet Explorer – MS09-002, a critical vulnerability in IE7 that allows for memory corruption and remote code execution.

Spreadsheet – MS09-043, an ActiveX Control vulnerability in MS Office Web Components.

AOL WinAmp – another system vulnerable to an ActiveX Control exploit, (CVE-2007-6250)

Snapshot – MS08-041, an exploit targeted at MS Access Snapshot Viewer’s ActiveX Control vulnerability.

Flash – targets an integer overflow vulnerability in Adobe Flash Player (CVE-2007-0071)

Some of the vulnerabilities have been patched for months or even years but their inclusion here indicates a high probability that numerous systems remain unpatched. Of greater interest is the MS09-043 vulnerability which, as of Fragus’ release, was only one month old. Increasingly, criminals are making use of recently released exploits. Obviously this tactic greatly increases their chances of success as many (if not most) people fall behind in their updates and will likely still be vulnerable to such a recent exploit.

For people concerned over spending $800 on an exploit pack only to have its payload identified by antivirus programs, for an extra $150 you will receive a proprietary encryption program specifically designed to evade detection.

Unsurprisingly, many of the domains and IPs at which Fragus is available have at one time or another hosted other sorts of malware, including the Liberty Exploit System, the Zeus trojan, and various other PDF and Flash exploits.

The future of botnet administration is here now… and it sure is easy to use.

Meaghan Molloy
Threat Analyst
For a far more eloquent presentation of the facts, check out Paul Royal’s work at Purewire.

ConfickerC Update

OK just a quick update regarding ConfickerC numbers. 
I have seen published numbers that are all over the place *cough IBM/ISS cough*. 
Over the last 30 hours or so we recorded 9,795,101 raw (not unique IP) http connections to the sinkhole.
As unique IPs go we recorded a total of 1,071,132 unique IPs from within that 9+M. Now keep in mind, we have to think about DHCP churn, NAT (firewalls, gateways, proxies, etc.), so the number is obviously not a 100% true representation.
Here is what the PER HOUR numbers look like from the sinkhole:
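The raw versus unique-IP distinction above is the thing to get right when reading sinkhole numbers, and the per-hour breakdown is what exposes it: the same public address reconnects many times within an hour (retries and hosts behind one NAT) and a single infected host may show up under several addresses across hours (DHCP churn). As an added example, not the sinkhole’s own tooling, here is the aggregation over a handful of constructed hit records; the timestamps and addresses are made up and the line format is an assumption.

```python
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sinkhole hit records (not the real sinkhole data).
# Assumed format: "<epoch> <client_ip>", one HTTP connection per line.
SINKHOLE_LINES = """\
1238500000 198.51.100.7
1238500060 198.51.100.7
1238500120 203.0.113.4
1238500180 192.0.2.9
1238503700 198.51.100.7
1238503760 203.0.113.4
1238503820 203.0.113.4
1238507300 192.0.2.9
"""


def hour_bucket(epoch):
    """UTC hour a hit falls into, as an ISO-style key such as 2009-03-31T11:00Z."""
    return datetime.fromtimestamp(epoch, tz=timezone.utc).strftime("%Y-%m-%dT%H:00Z")


def sinkhole_stats(text):
    """Return (per_hour, raw_total, unique_total).

    per_hour maps each hour key to (raw_connections, unique_ips) for that
    hour. unique_total counts each address once over the whole window, so
    summing the hourly unique counts overstates it: an address active in
    three hours contributes three to that sum but one to unique_total.
    """
    raw = defaultdict(int)
    uniq = defaultdict(set)
    all_ips = set()
    total = 0
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip = line.split()
        hour = hour_bucket(int(ts))
        raw[hour] += 1
        uniq[hour].add(ip)
        all_ips.add(ip)
        total += 1
    per_hour = {h: (raw[h], len(uniq[h])) for h in sorted(raw)}
    return per_hour, total, len(all_ips)


if __name__ == "__main__":
    per_hour, raw_total, unique_total = sinkhole_stats(SINKHOLE_LINES)
    for hour, (raw_n, uniq_n) in per_hour.items():
        print(f"{hour}  raw={raw_n}  unique={uniq_n}")
    print(f"total raw={raw_total}  unique={unique_total}")
```

Unique addresses are a lower bound on infected hosts behind NAT and an upper bound on hosts that change address during the window, which is why the post calls its 1,071,132 figure not a 100% true representation.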