Series: Looking through the keyhole – AdPack

March 25, 2009


Here is a kit called AdPack. I will start searching for the source code or backend code for each of these exploit packs and post them here for security research and analysis. This material itself is not dangerous: these are command and control mechanisms used to report on and monitor botnets.

What IS dangerous is the fact that software and systems do not automatically slipstream vulnerability fixes / patches to their users, ensuring that a time gap occurs which gives malicious users the opportunity to exploit systems.

We really need to start rethinking the concepts of software and challenge our traditional assumptions if we are ever truly going to make progress in this area.

[Screenshot: adpack1]

INTELLIGENCE:

Who coded this, in what language, what is its current black market price, exploitable?

How prevalent or what kind of market share does it have?

What is its backend db?

Apparently there are many configuration vulnerabilities, such as weak passwords, that can be leveraged to compromise the back end components such as the FTP server, which may itself also be vulnerable.

What web servers are typically used for these packs? nginx? Some other?

Here is a link to some other AdPack screens as well as a C&C interface for running commands.

[Screenshot: crimeserver4]

[Screenshot: crimeserver5]

As you can see above, if you get access to the command and control site you can destroy the system; see the "UnInstall Me" feature. "Get System info" is a good way of notifying affected organizations. Clearly the authors don't understand the concept of privileged commands or role-based access control. Nor is each member's campaign usually segregated from other members' campaigns, so there is no privacy per se.

Additionally, these kits operate like a service, so many users run multiple campaigns. Sounds like STING TIME.

It would be entirely plausible to generate a fake service like this with fake simulated information: lure them in, identify them, then SMASH THEM.

You could provide fake or previously compromised data stores and simulate the growth of their botnets. That would be all you need to sow distrust and paranoia into people tempted to get into this line of nefarious work.

Here is what appears to be a localized Russian version of AdPack:

[Screenshot: crimeserver6]

[Screenshot: adpack2]
