Cybercriminals release Christmas themed web malware exploitation kit

Summary: "Committing cybercrime around the Christmas tree" has always been a tradition for malicious attackers introducing new ways to scam the millions of online shoppers during the holidays. This Christmas isn't going to be an exception, but what has changed compared to the last couple of years is the tone of the Xmas promotions already circulating across various cybercrime communities.

"Committing cybercrime around the Christmas tree" has always been a tradition for malicious attackers introducing new ways to scam the millions of online shoppers during the holidays. This Christmas isn't going to be an exception, but what has changed compared to the last couple of years is the tone of the Xmas promotions already circulating across various cybercrime communities. Do cybercriminals exchange gifts during the Christmas holidays? A recently released web malware exploitation kit, coming with three different types of licenses and 9 modified exploits, aims to become "the perfect Christmas gift for all of your friends".

Not surprisingly, the exploitation kit itself is released purely for commercial gain. Combined with the fact that it appears to reuse a large percentage of the source code of a competing exploitation kit -- appreciate the irony here -- the already patched vulnerabilities it attempts to exploit can be easily taken care of. However, the infection rate statistics, which were temporarily left available as a promotion tool, show that thousands of people have already fallen victim to their lack of situational awareness on how important patching of their third-party applications really is.

A translated description of the kit's marketing pitch:

"Feeling bored? Miss the Christmas spirit? Want to make a lot of money before the holidays but you lack the right tools? We have the solution to your problems - our web malware exploitation kit which will bring back the Christmas attitude and also become the perfect gift for your friends. Available are Professional, Standard and Basic licenses, with each of these including or lacking some unique features based on your budget. Professional package comes with support."

Modified exploits included within, with their associated descriptions:

  • modified MDAC - "the notorious exploit that continues to provide high infection rates of IE6 users"
  • IE Snapshot - "unique exploit offering high infection rates for both IE6 and IE7 users"
  • FF Embed - "still relevant for exploiting all Firefox versions"
  • Opera Old+new - "capable of infecting all versions of Opera up to the latest one"
  • Old PDF - "targeting Adobe Reader v8.1.1 it's still relevant, also it checks whether the exact version is installed before launching the exploit"
  • New PDF - "targeting Adobe Reader 8.1.2, a perfect combination with Old PDF"
  • XLS - "unique exploit targeting Microsoft Excel"
  • SWF - "modification of the infamous exploit, works quietly and targets all browsers"

The malware obtained in one of the currently active campaigns has a low detection rate (6 out of 37 AVs detect it - 16.22%) and continues phoning home to findzproportal1 .com (64.69.33.138; 72.233.114.126), from where it attempts to drop a rootkit (TDSSserv.sys). One of the main ways of ruining their holidays is to make sure they can't exploit you with last year's client-side vulnerabilities, which remain the main vehicle for the continuing growth of web malware exploitation kits in general.
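The post gives three network indicators (the phone-home domain, written defanged with a space, and its two IP addresses) plus the name of the dropped driver. The script below is an added example, not code from the original post: it refangs the domain, then runs a constructed proxy log (the log format and every sample line are made up for this example) through an indicator match that catches subdomains but not look-alike hostnames, so a defender can see which hosts talked to the drop site.

```python
"""Match the post's indicators against constructed proxy log lines.

Added example, not from the original post. The indicators are the ones the
post lists; the log line format and the sample lines are constructed here.
"""
import re
from dataclasses import dataclass, field

# Indicators as given in the post. The domain is kept in the post's defanged
# form ("findzproportal1 .com") and normalized by refang() before matching.
DEFANGED_DOMAIN = "findzproportal1 .com"
C2_IPS = {"64.69.33.138", "72.233.114.126"}
DROPPED_DRIVER = "TDSSserv.sys"


def refang(indicator: str) -> str:
    """Turn a defanged indicator ("example .com", "example[.]com") into a plain hostname."""
    return indicator.replace(" .", ".").replace("[.]", ".").strip().lower()


C2_DOMAIN = refang(DEFANGED_DOMAIN)  # "findzproportal1.com"

# Assumed (constructed) proxy log format:
# "<timestamp> <client ip> <destination host> <destination ip> <method> <url> <status>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<client>\S+) (?P<host>\S+) (?P<dst_ip>\S+) "
    r"(?P<method>\S+) (?P<url>\S+) (?P<status>\d+)$"
)


@dataclass
class Hit:
    client: str
    reasons: list = field(default_factory=list)
    line: str = ""


def host_matches(host: str, domain: str) -> bool:
    """True for the domain itself and any subdomain; false for look-alikes
    such as notfindzproportal1.com, which a plain substring test would flag."""
    host = host.lower().rstrip(".")
    return host == domain or host.endswith("." + domain)


def scan_proxy_log(lines):
    """Return one Hit per log line that touches any of the post's indicators."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # malformed line: skip rather than abort on a real log
        reasons = []
        if host_matches(m["host"], C2_DOMAIN):
            reasons.append(f"C2 domain {C2_DOMAIN}")
        if m["dst_ip"] in C2_IPS:
            reasons.append(f"C2 address {m['dst_ip']}")
        if m["url"].lower().endswith("/" + DROPPED_DRIVER.lower()):
            reasons.append(f"download of {DROPPED_DRIVER}")
        if reasons:
            hits.append(Hit(m["client"], reasons, line))
    return hits


# Constructed sample log: two infected clients, one look-alike domain, one
# direct-to-IP fetch, and one malformed line.
SAMPLE_LOG = [
    "2008-11-26T10:01:02 10.0.0.15 www.example.com 203.0.113.10 GET http://www.example.com/ 200",
    "2008-11-26T10:01:09 10.0.0.15 findzproportal1.com 64.69.33.138 POST http://findzproportal1.com/ 200",
    "2008-11-26T10:01:11 10.0.0.22 cdn.findzproportal1.com 72.233.114.126 GET http://cdn.findzproportal1.com/TDSSserv.sys 200",
    "2008-11-26T10:02:00 10.0.0.31 notfindzproportal1.com 198.51.100.7 GET http://notfindzproportal1.com/ 200",
    "2008-11-26T10:02:30 10.0.0.31 update.example.org 72.233.114.126 GET http://update.example.org/x 200",
    "garbage line that does not parse",
]

if __name__ == "__main__":
    for hit in scan_proxy_log(SAMPLE_LOG):
        print(hit.client, "->", "; ".join(hit.reasons))
```

The IP match is kept separate from the hostname match on purpose: a client that resolves the name elsewhere and connects straight to 72.233.114.126 still shows up, and the driver-name check catches the drop even when the hosting name changes. Blocking the domain alone, as one commenter asks below, would miss the last sample line.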

Dancho Danchev

About Dancho Danchev

Dancho Danchev is an independent security consultant and cyber threats analyst, with extensive experience in open source intelligence gathering, malware and cybercrime incident response.

Talkback

15 comments
  • Are hackers just a little evil or---

    do they use bazookas too---
    BALTHOR
  • RE: Cybercriminals release Christmas themed web malware exploitation kit

    How about telling us WHICH 6 of the 37 AVs could identify this junk? And the "product marketing materials" indicate that they can exploit even the most recent versions of most of the targeted apps. Can we get more info regarding whether patching will work? What does the malware look like when it is sent to an unsuspecting user? Does blocking those two URLs offer any protection?

    These are basic questions that should be answered in an article like this - please don't just spread the worry, spread more of the solution and preparation to deal with it.

    Thanks,
    Buck
    Buck S.
    • RE: Cybercriminals release Christmas themed web malware exploitation kit

      How about telling us WHICH 6 of the 37 AVs could identify this junk?

      From a signature-based detection perspective, the following; detection rates will improve as more vendors analyze it. For instance, yesterday the detection rate was 6 out of 37. Today it's 15 out of 37:

      AntiVir 7.9.0.35 2008.11.26 TR/Agent.aqmm
      Avast 4.8.1281.0 2008.11.26 Win32:Trojan-gen {Other}
      AVG 8.0.0.199 2008.11.26 Downloader.Zlob
      CAT-QuickHeal 10.00 2008.11.26 (Suspicious) - DNAScan
      eSafe 7.0.17.0 2008.11.25 Suspicious File
      F-Prot 4.4.4.56 2008.11.25 W32/SuspPack.J.gen!Eldorado
      F-Secure 8.0.14332.0 2008.11.26 Trojan.Win32.Agent.aqmm
      Fortinet 3.117.0.0 2008.11.26 PossibleThreat
      GData 19 2008.11.26 Win32:Trojan-gen {Other}
      Ikarus T3.1.1.45.0 2008.11.26 Trojan.Win32.Agent
      Kaspersky 7.0.0.125 2008.11.26 Trojan.Win32.Agent.aqmm
      McAfee+Artemis 5445 2008.11.25 potentially unwanted program Generic!Artemis
      Microsoft 1.4104 2008.11.26 VirTool:Win32/Obfuscator.DK
      NOD32 3642 2008.11.26 a variant of Win32/Kryptik.CE
      SecureWeb-Gateway 6.7.6 2008.11.26 Trojan.Agent.aqmm

      Patching works against web malware exploitation kits, since they are all using outdated and already patched flaws. As for the "exploiting even the most recent versions" point, it's fairly logical to assume that once an exploit is publicly available, a malicious attacker will add it to their malware kit.
      ddanchev
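The vendor listing pasted in the reply above is in the usual "vendor, engine version, signature date, verdict" shape, where only the verdict can contain spaces. The script below is an added example, not the author's code: it parses that listing, reproduces the 6-of-37 and 15-of-37 rates the thread mentions, and separates named detections from generic or heuristic verdicts ("Suspicious", "PossibleThreat", "-gen"), which is the distinction that matters when deciding whether a sample is actually known to a vendor. The heuristic-verdict keywords are this example's own choice.

```python
"""Parse a VirusTotal-style vendor listing and summarize detection coverage.

Added example, not part of the original post or its comments. The listing is
the one pasted in the comment (15 of 37 engines on 2008-11-26); the assumed
line format is "<vendor> <engine version> <signature date> <verdict ...>".
"""
from __future__ import annotations

import re
from collections import Counter
from dataclasses import dataclass

TOTAL_ENGINES = 37  # from the post: "6 out of 37" on day one, "15 out of 37" the next day

LISTING = """\
AntiVir 7.9.0.35 2008.11.26 TR/Agent.aqmm
Avast 4.8.1281.0 2008.11.26 Win32:Trojan-gen {Other}
AVG 8.0.0.199 2008.11.26 Downloader.Zlob
CAT-QuickHeal 10.00 2008.11.26 (Suspicious) - DNAScan
eSafe 7.0.17.0 2008.11.25 Suspicious File
F-Prot 4.4.4.56 2008.11.25 W32/SuspPack.J.gen!Eldorado
F-Secure 8.0.14332.0 2008.11.26 Trojan.Win32.Agent.aqmm
Fortinet 3.117.0.0 2008.11.26 PossibleThreat
GData 19 2008.11.26 Win32:Trojan-gen {Other}
Ikarus T3.1.1.45.0 2008.11.26 Trojan.Win32.Agent
Kaspersky 7.0.0.125 2008.11.26 Trojan.Win32.Agent.aqmm
McAfee+Artemis 5445 2008.11.25 potentially unwanted program Generic!Artemis
Microsoft 1.4104 2008.11.26 VirTool:Win32/Obfuscator.DK
NOD32 3642 2008.11.26 a variant of Win32/Kryptik.CE
SecureWeb-Gateway 6.7.6 2008.11.26 Trojan.Agent.aqmm
"""

DATE_RE = re.compile(r"^\d{4}\.\d{2}\.\d{2}$")


@dataclass
class Detection:
    vendor: str
    engine_version: str
    sig_date: str
    verdict: str

    @property
    def is_generic(self) -> bool:
        """Heuristic, packer or PUP-style verdicts carry no family name.
        The keyword list is this example's own choice, not a vendor convention."""
        v = self.verdict.lower()
        return (
            "suspicious" in v
            or "possiblethreat" in v
            or "generic" in v
            or "potentially unwanted" in v
            or re.search(r"[-.!]gen\b", v) is not None  # "Trojan-gen", "SuspPack.J.gen!"
        )


def parse_listing(text: str) -> list[Detection]:
    """Split each line into vendor, version, date and the (space-containing) verdict."""
    detections = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        parts = line.split(maxsplit=3)
        if len(parts) < 4 or not DATE_RE.match(parts[2]):
            raise ValueError(f"unexpected listing line: {line!r}")
        detections.append(Detection(*parts))
    return detections


def detection_rate(detections, total_engines: int = TOTAL_ENGINES) -> float:
    """Percentage of engines flagging the sample, rounded as the post reports it."""
    return round(100.0 * len(detections) / total_engines, 2)


def summarize(detections) -> dict:
    named = [d for d in detections if not d.is_generic]
    generic = [d for d in detections if d.is_generic]
    # Vendors agreeing on one variant tag (the last dotted token, e.g. "aqmm")
    # are the strongest sign the sample is known rather than merely "suspicious".
    variants = Counter(d.verdict.rsplit(".", 1)[-1] for d in named)
    return {
        "detected": len(detections),
        "engines": TOTAL_ENGINES,
        "rate_pct": detection_rate(detections),
        "named": len(named),
        "generic": len(generic),
        "top_variant": variants.most_common(1)[0],
    }


if __name__ == "__main__":
    dets = parse_listing(LISTING)
    print(summarize(dets))
```

Run as-is, the summary shows that fewer than half of the engines detect the sample even on day two, and that only 8 of the 15 hits name a family, four of them agreeing on the same Agent.aqmm variant; the remaining 7 are heuristic verdicts that a signature-only deployment may not act on.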
      • Warning the Layman

        Has anyone spotted a page which puts this in simple terms? I have been called out several times by (blonde) friends and family who need help cleaning out this junk. (Last big one was the anti-virus scam). I would like to give them advance warning and save some rubber. I need a page which describes the problem in layman's terms. If I send them this link they will be totally baffled. Anything out there?
        robert@...
  • RE: Cybercriminals release Christmas themed web malware exploitation kit

    I really do not see the fun of it. Christmas is a major holiday to almost anyone. Who does enjoy exploiting unknown accounts' damage?

    I wonder
    if they get scared
    when they look
    at themselves
    in a mirror? ~
    user157
    • Uh, criminals?....

      I would suggest that criminals are to some extent evil and amoral; therefore they would get "joy" out of exploiting and harming others. Unfortunate, but that is the world we live in. Christmas or not, criminals rarely take a day off.
      randysmith@...
  • Man this winds me up.

    If computers weren't pushed onto the uneducated as being so easy to use, this wouldn't be such a problem.

    I've been around computers a long, long time and watched the home computer industry burgeon. It wasn't until they started being used by everyone, his missus and his mum that the problems really started.

    The 80s, and the likes of the Amiga were riddled pretty quickly, but the viruses of those days were for fun more than anything as there was no real way of monetising them, and the user base consisted of mainly teenagers. Who were savvy enough even then to track down cures or simply quarantine the offending software, but then they needed to be - computers were not as advanced and required a level of expertise that is no longer needed.

    Allegedly...

    The real problem is social, caused by the fact that computers are used for everything regardless of whether it's even appropriate, and silently do exactly what their uninformed operators tell them to do much as they always have, but the expertise level needed to instruct them without an implacable error message has dropped to meet the current level of education - which a large proportion of adults don't even have.

    Tools for the right job, and proper training in how to use them, I say, perhaps even a computer driving license but that will never happen all the while we have Windows and OSX.
    I'm no real fan of Linux, any more than any other OS, but, like the enterprise systems, it is safer because you can't run before learning to walk, and by the time you're going fast enough to hurt yourself, you know where not to put your feet. For now, at least, but even that is changing as it's rolled out to the masses.

    Don't get me wrong, I love computers and would like to see one in every home as much as Microsoft does, but for very different reasons. They are an incredible educational tool, and in the hands of a skilled operator, instruments of music and science alike - and so much more.

    Which is all very well until the irresponsible, the talentless and heavy-handed are encouraged to have a go, untrained, unsupervised and without any thought for public health and safety...

    Cars, guns, even bank accounts, you can't have one unless you demonstrate competence, why not computers?
    SiO2
    • The uneducated...and educated plus computers = a mess

      Having tutored a few, I'd have a difficult time saying more than 10% of today's high school students, let alone adults are what I'd call computer literate. They know how to turn 'em on, run an app, send e-mail, surf the Internet, and turn 'em off. They know nothing of safe computing and don't want those safety features messing with their e-mail.

      If I had to guess, I'd guess that nowadays the percentage of the truly computer literate is no more and likely less than it was in "the early days" as it's no longer necessary. OTOH the number of users and computers is more than several orders of magnitude higher than it was back then.
      rdhalsteatzd
      • That's surely right...

        ... make something simple for the masses of morons and then wonder why we have masses of morons?

        Yes, I favor something just like the test(s) we were forced to take (and pass) to get a broadcasting license (amateur or commercial). OK, CB wasn't requiring a test, just $15 up front and the acknowledgement that you were responsible for what you did on the air; ... yeah, and look how that ended: "Breaker-breaker there, good buddy..."
        Media-Ted@...
      • I hear that.

        Both you and Ted, actually. Back in the 'early days' for most people, I signed up to Compuserve and spent a fortune on dial-up talking to other computer professionals about computers (and some other stuff, shall we say. Nothing's new...) Before that it was BBSs; my first modem was a raucous 1200 bits per second.

        Point is, although we were socialising, a lot were also working. Everyone had keyboard skills, and a reasonable grasp of their primary language.

        I gave up on the chatrooms, must be getting on for a decade ago now, because of what is affectionately known now as trolls. But back then, they were people who went online with a beer or two to talk football in the Lobby, which probably makes me sound superior or anti-football, which actually isn't the case. I haven't looked, but from what I hear, I'd guess I'd be relieved to talk to someone like that in chat nowadays compared to the scabby underbelly of society it represents now.

        I don't work in the industry now, but if I did I think I'd get annoyed with the amount of people I encounter who tell me they can 'program a computer'.
        Oh really? That art was lost sometime after the dawn of the PC. Compare and Jump Relative on Non Zero would probably get you arrested today, and to add insult to injury, even professional programmers actually aren't programmers any more. Write code for any modern platform, and you are running other people's code to do what you want, not actually directing the processor yourself.

        So yes, instead of Superstes in amplus Scientia, standing on greater knowledge, the application of technology suppresses the skills to apply it - if it is only used to make things easier - instead of making things simpler or more efficient.
        SiO2
        • you hear what?

          You rally in what you think you know and what other people don't know. The guy that fixes your car says the same things about your ability to care for a vehicle.
          Chafalote
          • True enough

            Different strokes for different folks. I couldn't balance a crank confidently, or plumb in a central heating boiler but I know enough to either spend a long time learning or go to a guy who knows already.
            The first post in this branch was correct... computers are sold like cars and people expect to turn the key and drive. They aren't told there are 30 ways to indicate left or right and that most of them are OK most of the time, but hey, watch out for...
            Just hope friends and family are generous in their thanks, and look on the bright side :-)
            Merry C'mas
            robert@...
  • RE: Cybercriminals release Christmas themed web malware exploitation kit

    Translation from what language, Russian? Is this another example of bad things going on in the "Russian Business Network"? Recently an ISP (Mcolo?) was blocked in the US for being a home for spamming botnets. Maybe something similar can be done to the RBN?
    VytautasB@...
  • RE: Cybercriminals release Christmas themed web malware exploitation kit

    I don't know if you can include this period into Xmas, but my e-mail has been blocked because someone has changed my password and is now claiming money from my contacts in my address book, all this done through Western Union payment. So I advised them, but what can I do to protect myself further, and how do I retrieve my old e-mail address from these criminals who are claiming to be me so that they are asking for money through my name? Please help. Here is my new e-mail address: cdpmpg_1955@hotmail.com
    cdpmpg_1955
  • RE: Cybercriminals release Christmas themed web malware exploitation kit

    Great!!! Thanks for sharing this information with us!
    birumut