Sunday, March 21, 2010

Terrible U-Eye

Script Kiddie tools are infamous for their terrible user interfaces, but this one just makes me feel a bit uncomfortable. We can thank the creatively named "Remote Webcam v1.0" by Wolf for this one.



Apparently that's the default image while waiting for a webcam to eavesdrop on. Perhaps its some sort of psychological motivator to spread your malware faster to make the eye disappear.

Either way, its awfully creepy, and it can be yours for just $20! Yeah, I don't think so.

Thursday, March 18, 2010

Crimepack - How Not to Redact

The Crimepack exploit kit is rather new, and is beginning generate some interest on various forums and mailing lists. They appear to have a decent advertising campaign as well, with ads written clearly in both English and Russian.

On one Russian forum, someone who is presumably the author of Crimepack or very familiar with how it works went into great deal as to how to its obfuscation and other components work. I was happy to see that he was using a tool I know and love, Malzilla, to demonstrate how well its made. Unfortunately, I don't think this guy understands the tool that well, or at the very least, how to read hex:



Its apparent that this guy is trying to hide a URL. I don't think he understands that he missed all but one character in the url in his redaction. At 0x280 in the hex, with a lookup table, you'll see "ilon5.ru". Other images revealed the first character to be a "p".

Sure enough, there's a exploit kit installed right where the image said it would be!

A whois lookup for this site comes up as:
domain: PILON 5.RU
nserver: ns1.hostlife.net.
nserver: ns2.hostlife.net.
state: REGISTERED, DELEGATED, UNVERIFIED
person: Private Person
phone: +375296543210
e-mail: ch1t3r@gmail.com
registrar: NAUNET-REG-RIPN
created: 2010.02.02
paid-till: 2011.02.02
source: TCI


ch1t3r has a history with exploit packs too it seems.

Here's hoping that this kind of redaction becomes a trend in with these guys!