Malware Market

It’s no surprise that there is a malware market, an ecosystem of buyers, sellers and middlemen known as “guarantors”. In a very interesting post, “The botnet ecosystem“, Vitaly Kamluk explains the way in which this system works. There is a malware market in which malicious code and services are exchanged with the help of trusted third parties — usually administrators of popular forums. In addition, compromised hosts and stolen credentials are also exchanged.

Here’s a microcosm of this ecosystem that I stumbled upon recently. A member of a forum ( called “Brainy” posts an add for a bot system that steals FTP and HTTPS credentials:


Here’s the Google translate version of a post by “brainy”:

[brainyframer], bot freymer \ Gruber \ sniffer
20.11.2009, 2:06

I offer you a bot freymer / sniffer / Graber my production [BrainyFramer]
This bot will be a good assistant to many who are professionally engaged cores.

Graber-21 FTP client
FTP-sniffer with 37 different clients (web browsers including)
-HTTPS formgraber for IE (5,6,7,8) and FF. For snifa panel hosting (~ 120 different hosts)
-Freymer Semiconductors, distributed processing your list of FTP bots. High speed. Frame akov from the bot after snifa. Removal of foreign code.

Admin at work:

Progruzheno loader for 100 cars
Article: How to see otstuk 75%
Palimost build in test 4 AB.


Price build: 400vmz

[!] Everyone who bought a free upgrade.
[!] Change link for free.
[!] Questions, setting free too (IMG:
[!] Soft palitsya. I do not crypt. I give the contact person who does it.
[!] On Vista and windows 7 is not working.
————————————————– ———–

Answers to frequently asked questions:
Question: What palitsya. Traverses a firewall?
A: Soft works in the context of web browsers and FTP client system. If these applications have access to the network, the bot will work.
Q: Why do little in the FTP log
Answer: It depends on your downloads. With 1K purchased downloads usually goes akkov 20-100. 0.5-1K Semiconductors with 1K of purchased downloads is a myth.
If you download from the dor. traffic Kay “download ftp client” then you understand that the FTS in the log will be more.
Q: What about an exchange for …?
Answer: No, I do not need anything except money.
Question: Is it possible to test?
Answer: I have no desire and time to make someone test. Soft checked in not only me alone.

Asya> 3_5266891_7


A forum administrator vouches for brainy, acting as the trsuted middleman or “guarantor”. Here’s the Google translate version:

Take this software is already long enough. All the alleged author of the software options – do. The author – an appropriate person with whom pleasant girl. Update issued on a regular basis. In general – I recommend.

On a server hosting some other nasty stuff including the Liberty exploit kit I found Brainy’s kit:



Here is the readme file that comes with the bot:

Скрипты для [BrainyFramer]

0. conf.php – Настройки базы и рабочих линков
1. create.php – Создает таблицу
3. get.php – Дает боту настройки.
4. check.php – Админка
5. list.txt – Список фтп
6. \logs\ftp.log – Лог c фтп (права 755)
7. \logs\https.log – Лог c https (права 755)
8. grab.dll – Модуль грабера, не трогать!

Как установить эти скрипты?
-Делаем настройку папки, чтобы поисковые боты не бегали по нашим файлам)
-Создаем базу данных для них, пишем настройки базы , также задаем логин и пасс на админку.
-Запускаем create.php, если все Ок с настройками , то будет надпись “Таблицы созданы”
-Загружаем список фтп акков (список должен быть в простом текст. формате) на сервер в папку с скриптами, имя файла со списком (поумолчанию list.txt) пишем в conf.php

(с) Brainy 352668917

Google translate:

Scripts for [BrainyFramer]

0. conf.php – Base settings and working links
1. create.php – Creates a table
3. get.php – Gives the bot settings.
4. check.php – Admin
5. list.txt – List of Semiconductors
6. \ logs \ ftp.log – log c Semiconductors (Law 755)
7. \ logs \ https.log – log c https (Law 755)
8. grab.dll – Module Graber, do not touch!

How to install these scripts?
-Makes setting up a folder to search bots did not run on our files)
-Creating a database for them, write the base configuration, is also asking login and pass on the admin panel.
Run-create.php, if everything is OK with the settings, it will be marked “Table created”
-Load the list of FTP akkov (list must be in plain text. Format) on the server in the folder with the script, the file name from the list (poumolchaniyu list.txt) write in conf.php

(c) Brainy 352668917


Today the list.txt (which contains compromised FTP accounts) has 528 entries. this list has varied over time at one time swelling to 100,000 entries, although many were duplicates. Also, many accounts were taken from public postings of compromised FTP accounts. (Nov 1 – 23632 list.txt, Nov 15 – 100000 list.txt).

The ftp.log file, which are FTP credentials that this instance of the BrainyFramer kit has captured contains 1684 entries. Many are local accounts, anonymous accounts and so on. The 528 entries in list.txt appear to be a cleaned up version of the entries in ftp.log.

The most interesting file is https.log which contains credentials captured from HTTPS sessions. This file is 2.8 MB and contains credentials captured from 2059 unique IP addresses.


Credentials were captured for users with accounts on 125 sites:

The .ws registrar has suspended the domain names, the Chinese CERT appears to have taken action against the command and control server residing in their IP space, and AusCERT has been a great help with notification. (And thanks to Jose Nazario too).

Post a comment.