Series: Looking through the keyhole – Multi Exploits Pack

March 25, 2009


Here is an older version.  ALL the credit for this goes to the awesome guys at Finjin who seem to have no reservation about showing to the world the innovations and backends of these infrastructures of evil.

All of their reports can be found on their Malicious Page of the Month section on their website.

I will be attempt to add my spin to research and look for new angles,  Much of this will be reference material for building on further research.  Additionally the goal will be to capture as much code as possible and hosting it here Offensive Computing Style to further research and awareness.

This pack is called Multi Exploits Pack Version 3.1

NOTE:  Early on in order to avoid analysis, sophisticated IP access monitoring is being done to ensure that clients cannot connect to these sites multiple times.  Sounds like a good opportunity to identify any configuration settings that all unfettered access to IPs for adminstration.  If they are stupid enough to put something like that in there, its a good way to conduct attribution.

multi

Here is the annoying thing.

Note the original posting in a forum to sell this puppy.  Malware authors need to be contacted somehow to sell their stuff.  NOTICE THE ICQ ID that for some reason was blurred by the Finjin report.

multi21

multi3

multi4

As you can see here there is a Targetable Identifier.  The ICQ number.  THANKS FINJIN for bluring it.  This information is useful to the community.  Maybe even possible Mob effects can take over for a little bit of Internet Justice.

This is a perfect target to identify the actors and Attribute them.  Law Enforcement should be beating down ICQ operators doors to get a real world Identity on these people, and force them to roll on their clients, better yet pay them to SNITCH or setup a STING.

Or just publish in underground channels that the Individual is now working for law enforcement.  Next thing you know this devious little reputation poisoning attack leads to a dead Russian programmer who turns up in an alley.

Eventually we will need to up the cost to these guys for doing the things they do.  Currently there is almost no risk to their operations.  We need to change that.  How,  by changing tactics…. and being ruthless.

Advertisements

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: