Tuesday, November 20, 2012

SpyEye Trojan against users from the Balkan Republics


A criminal infrastructure hosting a SpyEye Trojan control panel has been identified, set up to steal confidential data from users of the Balkan republics.

This server is hosted at IP 91.220.35.45, which belongs to the Romanian provider ZAMANHOST-NET. The fraudulent domains prontomentos.com, soledantos.com, patentpendingnotetaker.net and rontomentos.com also resolve to this IP.

The connection string that infected computers use to communicate with the Trojan control panel is:

hXXp://91.220.35.45/forum.php


The Trojan control panel is accessed via the URL:

hXXp://91.220.35.45/kurcina123/


The word “kurcina” means “a really big di*k” in Serbian.

This control panel incorporates two new modules.

The plugin "E-Mail Grabber":


This module has been active since 11/05/2012 and has collected more than 159,288 e-mail addresses, most of them from computer users in Slovenia, Bosnia and Herzegovina and other Balkan republics.

The other new plugin is the "FTP Grabber":



The module's statistics panel shows that the criminals are primarily interested in collecting private data from users' e-mail accounts and social networks, which means this panel was created mainly for espionage and intelligence gathering on the profiles and behavior patterns of users in the Balkan republics.


Friday, November 9, 2012

Kerber0s Bot Panel


A new botnet called "Kerber0s Bot Panel" has been found. Its control panel is hosted at IP 46.166.163.127, belonging to the provider INTERNET-SERVICES SANTREX in Romania.

The malware used as the infection vector is downloaded from the addresses:

hxxp://46.166.163.127/1.exe

Size: 489,472 bytes
MD5: e3954dfb5e35eb32c02530838fa8d4c9

and

hXXp://46.166.163.127/images/support/uTorrent.exe

Size: 896,400 bytes
MD5: 59fe95f7fede6d69c007e2cd05356f07


The control panel access menu is located at the URL: hxxp://46.166.163.127/login.php




The commands that this botnet can run on infected machines are the same as those used by the Herpes botnet:

Commands:

Download/Execute: Downloads and executes the specified file.
What to put in the variable box = The URL of the file to be downloaded.

Update: Downloads and updates.
What to put in the variable box = The URL of the file to be downloaded and updated.

Visit Page [Visible]: Opens the default browser and visits the specified webpage.
What to put in the variable box = The URL of the page to be visited.

Visit Page [Invisible]: Opens Internet Explorer silently and visits the specified webpage.
What to put in the variable box = The URL of the page to be visited.

Upload Keylog: Sends the keylogger log to our server and you will be able to download it from the Bot Information page. Attention: every uploaded file will stay there for 15 minutes and will be deleted afterwards.
What to put in the variable box = Nothing.

Reset Keylog: Clears the key log.
What to put in the variable box = Nothing.

Upload Screenshot: Takes a screenshot and sends it to our server; you will be able to download it from the Bot Information page. Attention: every uploaded file will stay there for 15 minutes and will be deleted afterwards.
What to put in the variable box = Nothing.

Upload Error Log: Sends the error log to our server and you will be able to download it from the Bot Information page. Attention: every uploaded file will stay there for 15 minutes and will be deleted afterwards.
What to put in the variable box = Nothing.

DDoS Webpage: Sends requests to the specified webpage for 60 seconds (please note that the bot will not execute commands for 60 seconds because it is DDoSing; a high number of selected online bots will crash the webserver).
What to put in the variable box = The webpage to be requested.

Silent CPU&GPU Bitcoin Miner: Starts using your bots to make a lot of bitcoins.
What to put in the variable box = http://workerusername:workerpassword@poolhost:poolport
Example: http://lollipop:byebye@pool.bitclockers.com:8332
Tip: To disable mining, just send this command with the variable box empty.

Torrent Seeder v2.5+: Starts using your bots to seed your torrent for you.
What to put in the variable box = The URL of the .torrent file to be downloaded.
Example: http://www.mywebsite/download.torrent

Open and Close CD Tray v2.5.1+: Just opens or closes the CD tray.
What to put in the variable box = Nothing.

Message Box v2.5.1+: Spawns a message box on the screen.
What to put in the variable box = The message to send.

Swap and Restore Mouse Buttons v2.5.1+: Swaps the mouse buttons or returns them to normal.
What to put in the variable box = Nothing.

Uninstall: Removes Herpes from the system.
What to put in the variable box = Nothing.


Also located on this criminal server infrastructure is the control panel "CASHMARKET AFFILIATE", which is the same botnet as the well-known Blackshades botnet, but modified.

This control panel is accessed via the malicious URL: hxxp://46.166.163.127/bs/

The criminals have not even changed the installation folder "BS" that comes with the Blackshades kit.
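As an added example (not part of the original posts), a small Python checker that matches web-proxy log lines and sample hashes against the hosts, URL paths and MD5s reported in the two posts above. The log format (Squid native access.log) and the sample log lines are constructed; only the indicators come from the posts.

```python
import re
from typing import Dict, Iterable, List, Optional, Tuple

# Indicators taken from the two posts above (C2 hosts, URL paths, MD5s).
IOC_HOSTS = {"91.220.35.45", "46.166.163.127", "prontomentos.com",
             "soledantos.com", "patentpendingnotetaker.net", "rontomentos.com"}
IOC_PATHS = {"/forum.php": "SpyEye bot beacon",
             "/kurcina123/": "SpyEye panel login",
             "/1.exe": "Kerber0s dropper",
             "/images/support/uTorrent.exe": "Kerber0s dropper",
             "/login.php": "Kerber0s panel login",
             "/bs/": "Blackshades/CASHMARKET panel"}
IOC_MD5 = {"e3954dfb5e35eb32c02530838fa8d4c9": "Kerber0s 1.exe",
           "59fe95f7fede6d69c007e2cd05356f07": "Kerber0s uTorrent.exe"}

# Squid native access.log: time elapsed client code/status bytes method URL ...
LOG_RE = re.compile(r"^(\S+)\s+\d+\s+(\S+)\s+\S+\s+\d+\s+(\S+)\s+(\S+)")
URL_RE = re.compile(r"^https?://([^/:?#]+)(?::\d+)?(/[^?#]*)?", re.I)

def classify_url(url: str) -> Optional[str]:
    """Return a label if the URL touches a host/path from the posts, else None."""
    m = URL_RE.match(url)
    if not m:
        return None
    host, path = m.group(1).lower(), m.group(2) or "/"
    if host not in IOC_HOSTS:
        return None
    # The host alone is enough to alert; a known path sharpens the label
    # (a periodic POST to /forum.php is the bot check-in described above).
    return IOC_PATHS.get(path, "contact with known C2 host")

def scan_proxy_log(lines: Iterable[str]) -> List[Tuple[str, str, str]]:
    """Return (client_ip, url, label) for every log line matching an indicator."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip malformed lines instead of aborting the scan
        label = classify_url(m.group(4))
        if label:
            hits.append((m.group(2), m.group(4), label))
    return hits

def check_hashes(samples: Dict[str, str]) -> List[Tuple[str, str]]:
    """Match filename -> MD5 (e.g. from a sandbox report) against the posts' hashes."""
    return [(n, IOC_MD5[h.lower()]) for n, h in samples.items() if h.lower() in IOC_MD5]

# Constructed sample log lines (not from the posts) in Squid native format.
SAMPLE_LOG = [
    "1353409200.123 145 10.0.0.17 TCP_MISS/200 612 POST http://91.220.35.45/forum.php - DIRECT/91.220.35.45 text/html",
    "1353409260.456 30 10.0.0.17 TCP_MISS/200 489472 GET http://46.166.163.127/1.exe - DIRECT/46.166.163.127 application/octet-stream",
    "1353409300.789 20 10.0.0.42 TCP_HIT/200 3100 GET http://example.org/index.html - NONE/- text/html",
    "garbage line",
]

if __name__ == "__main__":
    for hit in scan_proxy_log(SAMPLE_LOG):
        print(*hit)
```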