Wednesday, December 26, 2012

Phishing Criminal Infrastructure



A site has been discovered hosting a complete infrastructure for preparing phishing attacks. On this criminal site were found all kinds of malicious scripts, phishing kits, exploits and spam tools, everything needed to carry out fraudulent activity: stealing credentials and obtaining confidential user data from banking institutions in Europe, mainly in Spain, the UK and Italy.


With this amount of malicious material it is possible to run the complete fraud lifecycle.
Judging from the traces and comments in the malicious scripts, this infrastructure appears to belong to Romanian criminal groups.

The criminals' workflow takes place in three stages.
  
The first stage is locating legitimate Internet servers that have the phpMyAdmin database management application installed, specifically phpMyAdmin versions 3.3.10.2 and 3.4.3.1, which are vulnerable to certain exploits written by the criminals to upload malicious code to the legitimate server.
To find those vulnerable phpMyAdmin servers, the exploit script sends queries to the Bing search engine looking for web addresses whose URL contains the directory paths shown in the screenshot:


These malicious scripts exploit a weakness in the server configuration options of the phpMyAdmin application to upload a PHP shell that gives the criminals full control of the compromised machine.

The next stage is preparing the phishing pages for the target banks. The criminals use the PHP shell previously uploaded to the compromised server to upload the phishing kit. This kit usually consists of a .zip compressed file containing an exact clone of the website of the financial institution against which the criminals want to perform the phishing attack.

The main purpose of these phishing pages is to obtain confidential credit card data from customers by posing as legitimate requests from the bank to the client.

For this reason the phishing pages mimic the bank's legitimate pages, but the criminals are not interested in performing fraudulent electronic banking operations. They use the phishing pages to obtain supplementary data about the customers' credit cards, and especially the card's ATM PIN code. This PIN is used to contract and activate financial services against the credit card, which the criminals then use for fraudulent business transactions or in electronic commerce.

The last stage of the fraud is to launch a massive spam campaign with emails containing the fake URLs where the phishing pages are hosted, in order to trick users into visiting those fraudulent addresses and "completing" their confidential bank details.

The spam tools and the mailing lists used for the spam are also hosted on the criminal server that was located:



Friday, December 21, 2012

Criminal infrastructure for preparing phishing attacks

A site hosted at Yahoo addresses has been discovered containing the complete infrastructure for preparing phishing attacks. On this criminal site all kinds of scripts, phishing kits, exploits and spam tools have been found, everything needed to carry out the fraudulent activities of credential theft and obtaining confidential data against banking institutions in Europe, mainly in Spain, the United Kingdom and Italy.


With such an amount of malicious material it is possible to carry out the complete fraud cycle.
The traces and comments that appear in the malicious scripts all suggest that this infrastructure belongs to criminal groups from Romania.
The criminals proceed in three stages:
A first stage of locating on the Internet legitimate servers that have the phpMyAdmin database management application installed, with versions phpMyAdmin < 3.3.10.2 and < 3.4.3.1, which are vulnerable to certain exploits designed by the criminals to upload malicious code to the legitimate server.


To locate these vulnerable phpMyAdmin servers, their scripts send queries to the Bing search engine to find Internet addresses whose URL contains the paths shown in the image.
These exploits take advantage of a weakness in the phpMyAdmin server configuration options to upload a PHP shell that lets the criminals take control of the compromised machine.
The next stage consists basically of preparing the phishing attack against the target banks. For this they use the shell hosted on the compromised servers to upload the phishing kit, which usually consists of a .zip file containing an exact clone of the website of the financial institution they want to phish. These kits come already prepared to send the data captured from the deceived users to certain e-mail addresses that the criminals have configured in the phishing scripts:
The main objective of these phishing pages is to obtain confidential credit card data from customers by posing as requests from the customer's bank, and above all to obtain the PIN or ATM code used at cash machines, which many online shops and electronic banking sites use to contract financial services against that card; the criminals then use those services to carry out fraudulent commercial transactions.
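As a defender-side counterpart to the version check that the criminals' scripts perform, here is an added example (not code from the original post or from the phpMyAdmin project) that triages an inventory of phpMyAdmin installations against the thresholds stated in this post and its English version of 26 December: 3.3.x releases below 3.3.10.2 and 3.4.x releases below 3.4.3.1 are reported as affected. Reading those numbers as per-branch fix thresholds is an assumption, as are the host names and version strings in the constructed inventory.

```python
import re

# Thresholds as this post states them: 3.3.x below 3.3.10.2 and 3.4.x below
# 3.4.3.1 are described as vulnerable. Treating them as per-branch fixed
# versions is an assumption made for this example.
FIXED_BY_BRANCH = {
    (3, 3): (3, 3, 10, 2),
    (3, 4): (3, 4, 3, 1),
}

# Accepts "3.4.3.1", "v3.3.10.2" and "3.4.3.1-deb1" (distro suffix ignored).
VERSION_RE = re.compile(r"^\s*v?(\d+(?:\.\d+)*)")


def parse_version(text):
    """'3.4.3.1-deb1' -> (3, 4, 3, 1); None when the string carries no version."""
    m = VERSION_RE.match(text or "")
    if not m:
        return None
    return tuple(int(part) for part in m.group(1).split("."))


def _pad(version, width=4):
    # "3.4.2" compares as 3.4.2.0, so a short version string sorts below 3.4.3.1
    return version + (0,) * (width - len(version))


def classify(version_text):
    """Return 'affected', 'fixed', 'other-branch' or 'unknown' for one install."""
    version = parse_version(version_text)
    if version is None:
        return "unknown"
    fixed = FIXED_BY_BRANCH.get(version[:2])
    if fixed is None:
        # 3.5 and later, or 3.2 and earlier: not covered by the post's
        # thresholds, so report it instead of guessing
        return "other-branch"
    return "affected" if _pad(version) < fixed else "fixed"


def triage(inventory):
    """inventory: iterable of (host, version string) -> {status: sorted hosts}."""
    groups = {}
    for host, version_text in inventory:
        groups.setdefault(classify(version_text), []).append(host)
    return {status: sorted(hosts) for status, hosts in groups.items()}


# Constructed inventory (hypothetical hosts and versions) for a stand-alone run.
SAMPLE_INVENTORY = [
    ("web-01.example.test", "3.4.2"),
    ("web-02.example.test", "3.3.10.2"),
    ("web-03.example.test", "v3.4.3.1-deb1"),
    ("web-04.example.test", "3.5.1"),
    ("web-05.example.test", "unknown"),
]

if __name__ == "__main__":
    for status, hosts in sorted(triage(SAMPLE_INVENTORY).items()):
        print(f"{status:13s} {', '.join(hosts)}")
```

The point of the `other-branch` and `unknown` buckets is that an inventory script should never silently mark an install as safe when it cannot apply the rule; those hosts need a manual look, and an exposed phpMyAdmin login reachable from the Internet is worth restricting whatever its version.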

The last stage of the fraud consists of launching a spam campaign with e-mails containing the fake URLs where the phishing pages are hosted, to try to trick users into visiting these fraudulent addresses and filling in their confidential bank details.
These spam tools, as well as lists of e-mail addresses to spam, are also hosted on the fraudulent server:
Friday, December 7, 2012

Citadel Trojan BackConnect VNC Server Manager


The Citadel Trojan kit has a module that allows criminals to connect remotely, using a VNC client, to users' computers infected with the Citadel malware.


This lets the criminals, once connected to the infected machine, make financial transactions through it. Fraudulent transfers become undetectable to the banks' operational control systems because they are made through the customer's legitimate IP address and legitimate computer.

The VNC Manager kit is made up of the following files:


The script test.php is used to check the connectivity of the infected computer:

hXXp://winserv_php_gate/test.php?p1=13319&p2=23283&b=AKSERVER_D9FA7E50D0F76FCB

The script code is as follows:



Note that the file that opens the tunnel on the specified ports is the executable cbcs.exe (Citadel Backconnect Server), an updated version of the same application for the well-known Zeus Trojan: zsbcs.exe (ZeuS Backconnect Server).

The connection is initiated as follows:

C:\>zsbcs.exe listen -cp:13319 -bp:23283


C:\> cbcs.exe listen -cp:13319 -bp:23283
Citadel Backconnect Server 1.2.0.0.
Build time: 13:12:41 07.12.2012 GMT.
Listening on IPv4 port 23283.
Listening on IPv4 port 13319.
Press Ctrl+C key to shutdown server.
Waiting for incoming connections (port of bot:23283, port of client:13319)


Once the communication tunnel on those ports is open, the criminals can connect remotely via VNC, or execute commands on the infected user's computer, gaining full control of the machine and its desktop. When the infected user interacts with e-banking applications, the criminals can run scripts on the infected machine to modify the customer's transactions and operate with the user credentials previously captured by the Citadel Trojan's keylogger.

The statistics panel that displays the active VNC connections is accessed via the URL hXXp://ip-serv/control.html

On this server you can see the list of computers infected with the Trojan that have been used for fraudulent purposes by the criminals, at hXXp://195.242.218.25/control.html


This list of infected users is also stored in a file on the server:

hXXp://195.242.218.25/log.txt


[04.09.2012 15:37:48] WOLF_7875768F483EE109, p1=11968 ,p2=34851
[04.09.2012 15:38:22] PERSONAL_74DEB1E387314069, p1=18666 ,p2=38002
[04.09.2012 23:48:39] ANDRES-HP_E532648A4A3763CB, p1=19870 ,p2=28229
[04.09.2012 23:50:17] 3A0AAE55F75646A_7875768F3990DE0A, p1=14943 ,p2=36576
[04.09.2012 23:51:50] ADMIN-PC_74DEB1E3F090E324, p1=17688 ,p2=31963
[05.09.2012 17:37:08] DIAL_INT-PC_E532648A8AFF5F32, p1=15504 ,p2=35943
[05.09.2012 17:38:35] LUIS-4E3325EABE_B4DF7611605FA143, p1=11689 ,p2=29435
[06.09.2012 13:53:25] RAULSISTEMAS_4983EC5A2711C179, p1=12665 ,p2=24109
[06.09.2012 13:55:15] CARLOS_7875768F483EE109, p1=18871 ,p2=25181
[06.09.2012 13:55:49] JAVIER_B4DF7611483EE109, p1=11475 ,p2=26807
[06.09.2012 13:56:24] OMARVAZQUEZ_1CB98D876522DF69, p1=15011 ,p2=31385
[06.09.2012 13:57:45] PUESTOV_4983EC5ACB9AD960, p1=19115 ,p2=34960
[07.09.2012 15:47:07] SHXP2364_7875768F7E657C89, p1=14409 ,p2=36871
[07.09.2012 15:48:23] PERSONAL_74DEB1E387314069, p1=10806 ,p2=34226
[07.09.2012 15:48:34] PC-JAVIER_7875768FEABD3289, p1=17728 ,p2=36485
[07.09.2012 15:49:00] DIAGONALMARLIM1_4A073834B2FFEE74, p1=18676 ,p2=28923
[07.09.2012 15:50:10] ANA-MARI-THINK_74DEB1E315C0DF75, p1=19752 ,p2=37007

This list contains only users from Spain, who have probably been victims of fraud in their online bank accounts.

Other servers containing the same criminal VNC infrastructure have also been located:

hXXp://95.77.98.137/ hosted at the provider UPC Romania BUCURESTI B2B MPLS, in Romania



hXXp://www.wanderbaresdeutschland.de/ hosted on IP 85.214.116.67, belonging to the provider stratoserver.net, in Germany



hXXp://46.166.129.65/ hosted at the provider SANTREX-INTERNET-SERVICES, in the UK



Thursday, December 6, 2012

Citadel Trojan BackConnect Windows Server VNC Manager


The Citadel Trojan kit has a module that allows connecting remotely, via a VNC client, to the computers of users infected by the Trojan.


This allows the criminals to connect to the infected machine and make financial transactions through it, which makes the fraudulent transfers practically undetectable by the bank's transaction control systems, since they are carried out through the customer's legitimate IP address and computer.

The VNC Manager kit is made up of the following files:


The script test.php is used to check the connectivity of the infected computer.

hXXp://winserv_php_gate/test.php?p1=13319&p2=23283&b=AKSERVER_D9FA7E50D0F76FCB

The code of this script is the following:


Note that the file that opens the tunnel on the indicated ports is the executable cbcs.exe (Citadel Backconnect Server), an updated version of the same application for the well-known ZEUS Trojan: zsbcs.exe (ZeuS BackConnect Server).

The connection is initiated as follows:

C:\>zsbcs.exe listen -cp:13319 -bp:23283


C:\> cbcs.exe listen -cp:13319 -bp:23283
Citadel Backconnect Server 1.2.0.0.
Build time: 13:12:41 07.12.2012 GMT.
Listening on IPv4 port 23283.
Listening on IPv4 port 13319.
Press Ctrl+C key to shutdown server.
Waiting for incoming connections (port of bot:23283, port of client:13319)


Once the tunnel is open, the criminal can connect remotely via VNC or execute commands on the infected user's computer, with total control of the machine and its desktop: watching when the user interacts with their electronic banking applications, and running scripts on the infected machine to modify the customer's transactions and operate with the user credentials stolen by the Citadel Trojan.


The statistics panel with the valid VNC connections is viewed via the URL: hXXp://ip-serv/control.html

On the server located earlier, the list of computers infected by the Trojan and used by the criminals for their fraudulent purposes can be seen at the address:

hXXp://195.242.218.25/control.html


This list of infected users is also stored in the file: hXXp://195.242.218.25/log.txt


[04.09.2012 15:37:48] WOLF_7875768F483EE109, p1=11968 ,p2=34851
[04.09.2012 15:38:22] PERSONAL_74DEB1E387314069, p1=18666 ,p2=38002
[04.09.2012 23:48:39] ANDRES-HP_E532648A4A3763CB, p1=19870 ,p2=28229
[04.09.2012 23:50:17] 3A0AAE55F75646A_7875768F3990DE0A, p1=14943 ,p2=36576
[04.09.2012 23:51:50] ADMIN-PC_74DEB1E3F090E324, p1=17688 ,p2=31963
[05.09.2012 17:37:08] DIAL_INT-PC_E532648A8AFF5F32, p1=15504 ,p2=35943
[05.09.2012 17:38:35] LUIS-4E3325EABE_B4DF7611605FA143, p1=11689 ,p2=29435
[06.09.2012 13:53:25] RAULSISTEMAS_4983EC5A2711C179, p1=12665 ,p2=24109
[06.09.2012 13:55:15] CARLOS_7875768F483EE109, p1=18871 ,p2=25181
[06.09.2012 13:55:49] JAVIER_B4DF7611483EE109, p1=11475 ,p2=26807
[06.09.2012 13:56:24] OMARVAZQUEZ_1CB98D876522DF69, p1=15011 ,p2=31385
[06.09.2012 13:57:45] PUESTOV_4983EC5ACB9AD960, p1=19115 ,p2=34960
[07.09.2012 15:47:07] SHXP2364_7875768F7E657C89, p1=14409 ,p2=36871
[07.09.2012 15:48:23] PERSONAL_74DEB1E387314069, p1=10806 ,p2=34226
[07.09.2012 15:48:34] PC-JAVIER_7875768FEABD3289, p1=17728 ,p2=36485
[07.09.2012 15:49:00] DIAGONALMARLIM1_4A073834B2FFEE74, p1=18676 ,p2=28923
[07.09.2012 15:50:10] ANA-MARI-THINK_74DEB1E315C0DF75, p1=19752 ,p2=37007

Note that this list contains mainly users of Spanish origin, who will have been victims of fraud in their online bank accounts.
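For the incident responder who recovers a log.txt like the one above (this post and its English version of 7 December show the same list), here is an added example parser; it is not code from the original post or from the Citadel kit. It assumes the line layout visible above (timestamp, HOSTNAME_16-hex-suffix, p1, p2) and, following the cbcs.exe command line shown earlier, maps p1 to the -cp client port and p2 to the -bp bot port. The log lines embedded in the code are constructed samples in that layout, not the victims' entries.

```python
import re
from collections import Counter
from datetime import datetime
from urllib.parse import parse_qs, urlparse

# One line of log.txt, in the layout shown in the post:
#   [dd.mm.yyyy HH:MM:SS] HOSTNAME_16HEX, p1=<port> ,p2=<port>
LOG_LINE_RE = re.compile(
    r"^\[(?P<ts>\d{2}\.\d{2}\.\d{4} \d{2}:\d{2}:\d{2})\]\s+"
    r"(?P<bot>\S+),\s*p1=(?P<p1>\d+)\s*,\s*p2=(?P<p2>\d+)\s*$"
)


def split_bot_name(bot):
    """'DIAL_INT-PC_E5...' -> ('DIAL_INT-PC', 'E5...'): split on the LAST
    underscore, because Windows hostnames may themselves contain underscores."""
    host, _, suffix = bot.rpartition("_")
    return host, suffix


def parse_log_line(line):
    """Return a record dict, or None for a line that is not a check-in entry."""
    m = LOG_LINE_RE.match(line)
    if not m:
        return None
    host, suffix = split_bot_name(m["bot"])
    return {
        "time": datetime.strptime(m["ts"], "%d.%m.%Y %H:%M:%S"),
        "host": host,
        "bot_id": suffix,
        # p1 matches -cp (the port the operator's VNC client uses) and p2 matches
        # -bp (the port the bot connects back to) in the cbcs.exe command line
        "client_port": int(m["p1"]),
        "bot_port": int(m["p2"]),
    }


def parse_gate_url(url):
    """Extract the same fields from a test.php?p1=..&p2=..&b=.. check-in URL
    (a defanged hXXp:// scheme is accepted as-is)."""
    query = parse_qs(urlparse(url).query)
    host, suffix = split_bot_name(query["b"][0])
    return {
        "host": host,
        "bot_id": suffix,
        "client_port": int(query["p1"][0]),
        "bot_port": int(query["p2"][0]),
    }


def summarize(lines):
    """Aggregate a log: counts, repeat check-ins, time span and tunnel port pairs."""
    records = [r for r in map(parse_log_line, lines) if r is not None]
    if not records:
        return {"checkins": 0}
    by_suffix = Counter(r["bot_id"] for r in records)
    return {
        "checkins": len(records),
        "unique_bot_ids": len(by_suffix),
        "unique_hosts": len({r["host"] for r in records}),
        # the same suffix seen more than once = a machine the operator returned to
        "repeat_bot_ids": sorted(s for s, n in by_suffix.items() if n > 1),
        "first": min(r["time"] for r in records),
        "last": max(r["time"] for r in records),
        # (client port, bot port) pairs to look for in perimeter/IDS records
        "port_pairs": sorted({(r["client_port"], r["bot_port"]) for r in records}),
    }


# Constructed sample in the log.txt layout (hypothetical hosts and suffixes),
# including one malformed line that the parser must skip.
SAMPLE_LOG = """\
[04.09.2012 15:37:48] HOST-A_0123456789ABCDEF, p1=11968 ,p2=34851
[04.09.2012 15:38:22] HOST-B_FEDCBA9876543210, p1=18666 ,p2=38002
[05.09.2012 17:37:08] DIAL_INT-PC_00112233445566AA, p1=15504 ,p2=35943
this line is not a check-in and is ignored
[07.09.2012 15:48:23] HOST-B_FEDCBA9876543210, p1=10806 ,p2=34226
"""

if __name__ == "__main__":
    for key, value in summarize(SAMPLE_LOG.splitlines()).items():
        print(f"{key}: {value}")
```

The summary counts hex suffixes and hostnames separately on purpose: in the real log above, the suffix 7875768F483EE109 appears under both WOLF and CARLOS, so the two counts differ and neither alone is "number of victims". The (client port, bot port) pairs, all in the 10000-40000 range here, are what you would correlate against outbound connection records from the affected machines.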

Several servers containing this criminal infrastructure have currently been located:


hXXp://95.77.98.137/ hosted at the provider UPC Romania BUCURESTI B2B MPLS, in Romania



hXXp://www.wanderbaresdeutschland.de/ hosted on IP 85.214.116.67, belonging to the provider stratoserver.net, in Germany



hXXp://46.166.129.65/ hosted at the provider SANTREX-INTERNET-SERVICES, in the UK


Tuesday, November 20, 2012

SpyEye Trojan against users from the Balkan Republics


A criminal infrastructure of the SpyEye Trojan Control Panel has been identified, prepared to steal confidential data from users in the Balkan republics.

This server is hosted on IP 91.220.35.45, which belongs to the ZAMANHOST-NET provider in Romania. This IP also resolves the fraudulent domains prontomentos.com, soledantos.com, patentpendingnotetaker.net and rontomentos.com.

The URL through which infected computers communicate with the Trojan Control Panel is:

hXXp://91.220.35.45/forum.php


The Trojan Control Panel is accessed via the URL:

hXXp://91.220.35.45/kurcina123/


The word "kurcina" means "a really big di*k" in Serbian.

This control panel incorporates two new modules.

The "E-Mail Grabber" plugin:


This module has been active since 11/05/2012 and has collected more than 159,288 e-mail addresses, most from computer users in Slovenia, Bosnia and Herzegovina and other Balkan republics.

The other new plugin is the "FTP Grabber":



Accessing the statistics panel module shows that the criminals are primarily interested in collecting private data from users' email accounts and social networks, which means that this panel has been created mainly for espionage and intelligence gathering on the profiles and behavior patterns of users in the Balkan republics.


Friday, November 9, 2012

Kerber0s Bot Panel


A new botnet called "Kerber0s Bot Panel" has been found. This control panel is hosted at IP 46.166.163.127, belonging to the provider SANTREX INTERNET-SERVICES in Romania.

The malware infection vector is downloaded from the following addresses:

hxxp://46.166.163.127/1.exe

Size: 489,472
MD5: e3954dfb5e35eb32c02530838fa8d4c9

&

hXXp://46.166.163.127/images/support/uTorrent.exe

Size: 896,400
MD5: 59fe95f7fede6d69c007e2cd05356f07


The Control Panel login page is located at the URL: hxxp://46.166.163.127/login.php

The commands that this botnet can run on infected machines are the same as those used by the Herpes botnet:

Commands:

Download/Execute: Download and execute the specified file.
What to put in the variable box = The URL of the file to be downloaded.

Update: Download and update.
What to put in the variable box = The URL of the file to be downloaded and updated.

Visit Page [Visible]: Open the default browser and visits the specified webpage.
What to put in the variable box = The URL of the page to be visited.

Visit Page [Invisible]: Open Internet Explorer silently and visits the specified webpage.
What to put in the variable box = The URL of the page to be visited.

Upload Keylog: Sends the keylogger log to our server and you will be able to download it
from the Bot Informations page. Attention, every uploaded file will rest there for 15 minutes, and after will be deleted.
What to put in the variable box = Nothing.

Reset Keylog: Clears the key log.
What to put in the variable box = Nothing.

Upload Screenshot: Take a screenshot and sends to our server and you will be able to download it
from the Bot Informations page. Attention, every uploaded file will rest there for 15 minutes, and after will be deleted.
What to put in the variable box = Nothing.

Upload Error Log: Sends the Error Log to our server and you will be able to download it
from the Bot Informations page. Attention, every uploaded file will rest there for 15 minutes, and after will be deleted.
What to put in the variable box = Nothing.

DDoS Webpage: Sends a request to the specified webpage for 60 seconds
(Please note that the bot will not execute commands for 60 seconds because is DDoSing. An high amount of selected online bots will crash the webserver).
What to put in the variable box = The webpage to be requested.

Silent CPU&GPU Bitcoin Miner: Start to use your bots to make a lot of bitcoins.
What to put in the variable box = http://workerusername:workerpassword@poolhost:poolport
Example: http://lollipop:byebye@pool.bitclockers.com:8332
Tip: For disabling mining just send this command with the variable box empty.

Torrent Seeder v2.5+: Start to use your bots to seed your torrent for you.
What to put in the variable box = The url of the .torrent file to be downloaded
Example: http://www.mywebsite/download.torrent

Open and Close CD Tray v2.5.1+: Just opens or closes the CD tray.
What to put in the variable box = Nothing.

Message Box v2.5.1+: Spawn a message box on the screen.
What to put in the variable box = The message to send.

Swap and Restore Mouse Buttons v2.5.1+: Swaps or return to normal the mouse buttons.
What to put in the variable box = Nothing.

Uninstall: Remove Herpes from the system.
What to put in the variable box = Nothing.


In this criminal server infrastructure the control panel "CASHMARKET AFFILIATE" has also been located; it is the same botnet as the well-known Blackshades botnet, but modified.

This control panel is accessed via the malicious URL: hxxp://46.166.163.127/bs/

The criminals have not even changed the installation folder "BS" that is characteristic of the BlackShades kit.



Tuesday, October 30, 2012

Control Panel for mining data from the repositories of Zeus banking Trojans

A new Control Panel has been found, focused on querying and extracting data from the repositories of the Zeus family of banking Trojans and its variants. Like a data mining application, it is able to connect to the different database repositories that store the data stolen by the Trojans and search for the required data using regular expressions.


Accessing the Control Panel shows the following information.

This method gives the criminals the advantage of connecting directly to the remote databases that contain the confidential information of compromised users, without having to go through the Control Panels where the data repositories are hosted. Queries are performed directly on the databases, without interfering at any time with the operation of the control panel that manages the botnet's zombie machines.

In this way the criminals also avoid leaving traces on the web servers every time they need to perform an operation on the captured data, since nothing is written to the web server's log files.

Connecting to the databases from the Trojan Control Panel is quite simple.


In the Control Panel settings, the connection strings of the database where the Trojan's repository is stored are configured, together with the Trojan class from which the information is to be extracted for analysis and processing.

The Trojan classes the application works with are: Carberp, Citadel, Ice9, SpyEye, Zeus 1.1, Zeus 1.2 and Zeus 2.

All these Trojans differ in how they operate, but share many similarities in the way the stolen information is stored in their databases, and this Control Panel tool is able to adapt to the structure of each Trojan's database.

The search engine over the repositories is built on the power of regular expressions. It is visible in the next screen.



In this example, created by default in the control panel, you can see the regular expression that would be used to locate, in the Trojan's data repository, all stolen access credentials that follow the defined "user/password" format for the legitimate websites of PayPal and eBay.

These regular expressions allow searching the entire Trojan database of stolen user data by defining the variable names under which passwords, or any other data of interest, are stored.

With regular expressions any searchable text format can be defined: email addresses, dates, passport numbers, social security numbers, etc. The possibilities are endless.

It is even possible to create search templates and store them for future use.

The search engine also allows multiple search options, such as searching by zombie machine IDs, by URLs, and even by POST data captured from users' mail headers.

There is even an automated module for searching for confidential credit card information; in this module you can specify key search fields such as the credit card's CVV code, or use the Luhn algorithm.

The Luhn algorithm, or "modulus 10 algorithm", is a checksum formula used to validate credit card identification numbers.

Monday, October 29, 2012

Panel for extracting data from the repositories of ZEUS banking Trojans

A new Control Panel has been located, oriented to querying and extracting data from the repositories of the Zeus family of banking Trojans and its variants. As if it were a data mining application, it is able to connect to the different databases that the Trojans use as repositories of stolen data and to search for the desired data using regular expressions.


Accessing the Control Panel shows the following information.

This system directly provides the advantage of being able to connect remotely to the databases that contain all the confidential information of the compromised users, without having to access the Control Panels where the data repositories are hosted. Queries are made directly on the databases without interfering at any time with the operation of the Control Panel that manages all the botnets or zombie machines.

In this way the criminals also avoid leaving traces on the web servers each time they have to perform some operation on the captured data, leaving no entries in the web server's log files.

Connecting to the databases of the Trojan's Control Panel is quite simple:

In the Control Panel configuration options, the connection strings of the database where the Trojan's repository is stored are specified, as well as the type of Trojan from which the information is to be extracted for analysis and processing.

The Trojan types the application works with are: Carberp, Citadel, ICE9, SpyEye, Zeus 1.1, Zeus 1.2, Zeus2.

All these Trojans work differently but share many similarities in the way they store the stolen information in the database, and the tool is able to adapt to the database structure of each of these Trojans.

The search engine over the repositories is based on the power of regular expressions, as can be seen:

In this example, which appears created by default in the control panel, we see the regular expression that would be used to locate in the Trojan's data repository all the stolen access credentials that follow the defined user / password format for accessing the PayPal and eBay websites.

These regular expressions allow searching the entire Trojan database for users' confidential data by defining the names of the variables that store the passwords, or any other compromised data one wishes to locate.

With regular expressions any text search format can be defined, such as e-mail addresses, dates, passport numbers, social security numbers, etc. The possibilities are countless.

Search templates can even be created and stored for future actions.

The search engine also allows searching by zombie machine identifiers, URL addresses and even data from the e-mails captured through the headers of compromised users.

It has an automated module for searching credit card data, in which key search fields such as the card's CVV code can be specified, or the Luhn algorithm can be used.

The Luhn algorithm, or "modulus 10 algorithm", is a checksum formula used to validate credit card identification numbers.
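Since both this post and its English version of 30 October describe the panel's credit-card module as combining regular expressions with the Luhn check, here is an added example of that technique written for the defender's side: a DLP-style scan of a text dump that flags only strings which pass the checksum, and masks them for reporting. It is not code from the post or from the panel. The candidate regex and the sample text are constructed for this example, and the card numbers in it are publicly documented test numbers, not real cards.

```python
import re

# Candidate primary account number: 13 to 19 digits, optionally separated by
# single spaces or hyphens, and not glued to other digits. Constructed for this
# example; production scanners tune the pattern per card brand.
PAN_CANDIDATE_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_checksum(digits):
    """Luhn / modulus 10 checksum of a digit string; 0 means the number validates."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled...
            d *= 2
            if d > 9:           # ...and two-digit results are reduced (18 -> 9)
                d -= 9
        total += d
    return total % 10


def luhn_valid(number):
    """Accepts a PAN with or without separators."""
    digits = re.sub(r"\D", "", number)
    return len(digits) >= 2 and luhn_checksum(digits) == 0


def find_card_numbers(text):
    """Regex pre-filter plus Luhn check: returns the digit strings that pass both.
    Strings that merely look like a PAN (order references, phone numbers) are
    dropped by the checksum."""
    hits = []
    for m in PAN_CANDIDATE_RE.finditer(text):
        digits = re.sub(r"\D", "", m.group(0))
        if luhn_valid(digits):
            hits.append(digits)
    return hits


def mask_pan(pan):
    """Keep the first six and last four digits, as a report or log should."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


# Constructed sample dump. 4111111111111111 and 378282246310005 are publicly
# documented test numbers; the 16-digit order reference fails the Luhn check and
# the 9-digit phone number never becomes a candidate.
SAMPLE_TEXT = (
    "order 1234567890123456 paid with 4111-1111-1111-1111 "
    "and 3782 822463 10005; callback 600123456"
)

if __name__ == "__main__":
    for pan in find_card_numbers(SAMPLE_TEXT):
        print(mask_pan(pan))
```

The checksum is what makes the scan usable: a digits-only regex over a Trojan's captured POST data, or over your own outbound mail, produces far more false positives than card numbers, and Luhn rejects roughly nine out of ten random digit strings of the right length.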