Archive for the ‘Bifrost’ Category

Removal Tool? No.

Monday, June 23rd, 2008

A little-detected “tool” is downloading and executing bots. A version of “driveguard.exe”, which promises to clean your system of infections and keep it clean, is worming its way onto machines and downloading a strain of Poison Ivy as “WinSecSys.exe”, a bot capable of capturing screenshots, logging keystrokes, spreading to other machines, and more. We wrote about these “RAT” tools and the characters behind them in previous posts; some of those characters are now serving prison terms. TF detects it as a worm.

British anti-hacktool guidelines

Thursday, January 3rd, 2008

In yesterday’s post, I mentioned that the ChaseNET forums have been shut down. The distribution links for their SharK project and for the Bifrost and Poison Ivy RAT (Trojan) suites have also been removed. These projects could arguably be described as “Remote Administration Tools”.

On Monday, the British legislature published guidelines for the application of the Computer Misuse Act 1990 (as amended) provisions that make it illegal to distribute “hacking tools”. The ChaseNET projects are a perfect example of the tools this new application might apply to. While these RATs could be argued to be comparable to PCAnywhere or GoToMyPC, they include stealth and information-stealing functionality designed to evade security solutions for effective system compromise, remote control and theft of sensitive user data. These sorts of tools certainly fit the description of “dual-use” tools, and I suppose the British law was developed with the intent of taking down this sort of site.

We’ll take a look at some of these RATs’ bad behaviors from a low-level technical perspective and provide details in a later post.

Botnet arrests and indictments around the world from Bot Roast II

Monday, December 10th, 2007

Two teen botnet herders who went by the aliases Akill and Digerati were arrested by the FBI and New Zealand authorities.

“The FBI estimates that more than one million computers have been infected and puts the combined economic losses at more than $20 million.”

The arrests are part of the FBI’s ongoing ‘Bot Roast II’.

The arrest and past behavior of the Penn State student Ryan Brett Goldstein, who went by the handle “Digerati”, is also being discussed on the underground forums where he has shared advice and code since around 2000. Rumors continue to circulate about his bot-herding and bot-update techniques, his accidental DoS attacks on university servers, and his intentional DDoS attacks on groups of other underground coders.

Update: Bot Roast II has resulted in another guilty plea, this time from Gregory King, who was indicted at the same time as “Digerati”. His deal includes a two-year prison term.
