Malware Market

It’s no surprise that there is a malware market, an ecosystem of buyers, sellers and middlemen known as “guarantors”. In a very interesting post, “The botnet ecosystem”, Vitaly Kamluk explains the way in which this system works. There is a malware market in which malicious code and services are exchanged with the help of trusted third parties — usually administrators of popular forums. In addition, compromised hosts and stolen credentials are also exchanged.

Here’s a microcosm of this ecosystem that I stumbled upon recently. A member of a forum (forum.inattack.ru) called “Brainy” posts an ad for a bot system that steals FTP and HTTPS credentials:

[Screenshot: brainy’s forum post]

Here’s the Google translate version of a post by “brainy”:

[brainyframer], bot freymer \ Gruber \ sniffer
20.11.2009, 2:06

I offer you a bot freymer / sniffer / Graber my production [BrainyFramer]
This bot will be a good assistant to many who are professionally engaged cores.

Functional:
Graber-21 FTP client
FTP-sniffer with 37 different clients (web browsers including)
-HTTPS formgraber for IE (5,6,7,8) and FF. For snifa panel hosting (~ 120 different hosts)
-Freymer Semiconductors, distributed processing your list of FTP bots. High speed. Frame akov from the bot after snifa. Removal of foreign code.

Admin at work:
Screen

Progruzheno loader for 100 cars
Article: How to see otstuk 75%
Palimost build in test 4 AB.

____________________________

Price build: 400vmz
____________________________

[!] Everyone who bought a free upgrade.
[!] Change link for free.
[!] Questions, setting free too :)
[!] Soft palitsya. I do not crypt. I give the contact person who does it.
[!] On Vista and windows 7 is not working.
——————————

Answers to frequently asked questions:
——
Question: What palitsya. Traverses a firewall?
A: Soft works in the context of web browsers and FTP client system. If these applications have access to the network, the bot will work.
—–
Q: Why do little in the FTP log
Answer: It depends on your downloads. With 1K purchased downloads usually goes akkov 20-100. 0.5-1K Semiconductors with 1K of purchased downloads is a myth.
If you download from the dor. traffic Kay “download ftp client” then you understand that the FTS in the log will be more.
—–
Q: What about an exchange for …?
Answer: No, I do not need anything except money.
—–
Question: Is it possible to test?
Answer: I have no desire and time to make someone test. Soft checked in not only me alone.
—–

Asya> 3_5266891_7

[Screenshot: forum administrator’s reply vouching for brainy]

A forum administrator vouches for brainy, acting as the trusted middleman or “guarantor”. Here’s the Google translate version:

Take this software is already long enough. All the alleged author of the software options – do. The author – an appropriate person with whom pleasant girl. Update issued on a regular basis. In general – I recommend.

On a server hosting some other nasty stuff, including the Liberty exploit kit, I found Brainy’s kit:

IP: 210.51.166.220

Domains:

bale.ws
ciao.ws
prefix.ws
hzone666.cn

Here is the readme file that comes with the bot (translated from Russian):

Scripts for [BrainyFramer]

0. conf.php – Database settings and working links
1. create.php – Creates the table
3. get.php – Gives the bot its settings.
4. check.php – Admin panel
5. list.txt – List of FTPs
6. \logs\ftp.log – Log from FTP (permissions 755)
7. \logs\https.log – Log from HTTPS (permissions 755)
8. grab.dll – Grabber module, do not touch!

How to install these scripts?
——————————–
-Configure the folder so that search bots don’t crawl our files)
-Create a database for them, enter the database settings, and also set the login and password for the admin panel.
-Run create.php; if everything is OK with the settings, the message “Tables created” will appear.
-Upload the list of FTP accounts (the list must be in plain text format) to the server in the folder with the scripts; the name of the file with the list (by default list.txt) is written in conf.php.
——————————–

(c) Brainy 352668917

[Screenshot]

Today the list.txt file (which contains compromised FTP accounts) has 528 entries. This list has varied over time, at one point swelling to 100,000 entries, although many were duplicates. Also, many accounts were taken from public postings of compromised FTP accounts (Nov 1: 23632 entries in list.txt; Nov 15: 100000 entries in list.txt).

The ftp.log file, which holds the FTP credentials that this instance of the BrainyFramer kit has captured, contains 1684 entries. Many are local accounts, anonymous accounts and so on. The 528 entries in list.txt appear to be a cleaned-up version of the entries in ftp.log.

The most interesting file is https.log which contains credentials captured from HTTPS sessions. This file is 2.8 MB and contains credentials captured from 2059 unique IP addresses.
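The triage described above (deduplicating ftp.log into a list.txt-style list, dropping local and anonymous accounts, and counting unique victim IPs and affected sites in https.log) as an added example for defenders doing victim notification; this is not code from the original post or the kit. The tab-separated log layout, the field order and the sample lines are constructed assumptions, since the real log format is not shown on the page.

```python
from collections import defaultdict
import ipaddress
# Constructed sample lines in an ASSUMED format (not the real BrainyFramer logs):
# "<timestamp>\t<victim_ip>\t<target_host>\t<user>\t<password>"
FTP_LOG = """\
2009-11-01 10:02:11\t203.0.113.7\tftp.example.net\tanonymous\tguest@
2009-11-01 10:05:42\t203.0.113.7\tftp.example.net\twebmaster\thunter2
2009-11-02 08:13:00\t198.51.100.23\t127.0.0.1\troot\ttoor
2009-11-02 09:44:51\t198.51.100.23\tftp.example.net\twebmaster\thunter2
2009-11-03 12:00:00\t198.51.100.23\t192.168.1.10\tadmin\tadmin
"""
HTTPS_LOG = """\
2009-11-01 10:02:11\t203.0.113.7\tlogin.example-host.com\talice\tpw1
2009-11-01 11:30:00\t203.0.113.7\tmail.example.org\talice\tpw2
2009-11-02 08:13:00\t198.51.100.23\tlogin.example-host.com\tbob\tpw3
2009-11-02 08:13:05\t198.51.100.23\tlogin.example-host.com\tbob\tpw3
2009-11-04 07:00:00\t192.0.2.99\tregister.example.com\tcarol\tpw4
"""

def parse(log):
    """Yield (victim_ip, host, user); the password field is dropped on the spot."""
    for line in log.splitlines():
        parts = line.split("\t")
        if len(parts) != 5:
            continue  # malformed or truncated line
        _ts, ip, host, user, _pw = parts
        yield ip, host, user

def is_noise(host, user):
    """Anonymous logins and non-routable targets carry nothing worth notifying about."""
    if user.lower() in ("anonymous", "ftp"):
        return True
    try:
        return not ipaddress.ip_address(host).is_global
    except ValueError:
        return False  # a hostname, not an IP literal

def clean_ftp(log):
    """Deduplicate ftp.log into the (host, user) pairs a list.txt-style file holds."""
    return sorted({(h, u) for _ip, h, u in parse(log) if not is_noise(h, u)})

def summarize_https(log):
    """Return (unique victim IPs, {site: (distinct accounts, distinct victim IPs)})."""
    accounts, victims, all_ips = defaultdict(set), defaultdict(set), set()
    for ip, host, user in parse(log):
        accounts[host].add(user)
        victims[host].add(ip)
        all_ips.add(ip)
    return len(all_ips), {h: (len(accounts[h]), len(victims[h])) for h in accounts}
```

The per-site summary is what a CERT needs for notification: which hosts to contact and how many accounts and victims each one has, without passing the captured secrets around.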

[Figure: infected hosts]

Credentials were captured for users with accounts on 125 sites.


The .ws registrar has suspended the domain names, the Chinese CERT appears to have taken action against the command and control server residing in their IP space, and AusCERT has been a great help with notification. (And thanks to Jose Nazario too).
