A little detected “tool” is downloading and executing bots. A version of “driveguard.exe”, with promises of cleaning up your system from infections and keeping it clean, is worming its way onto machines and downloading strains of Poison Ivy as “WinSecSys.exe”, a bot capable of stealing screenshots, keystrokes, spreading to other machines, etc. We wrote about these “RAT” tools in previous posts and the characters behind them, some of whom are sentenced to prison terms now. TF detects it as a worm.
Archive for the ‘ChaseNET’ Category
Maybe botnet activity hasn’t gone the way of Ruben Studdard like we thought it would, “yet another name now lost to the ages, silently fading into shadows numberless, suckled by the night sky“, but this botnet herder has. Only with nowhere near as much elegance.
When authorities arrested him at his Fairfield residence last year, our herder Gregory King exited the back door, tried to hide a laptop in the bushes of his backyard, and then answered the front door. ‘The government seized the laptop and searched it, finding “botnet software and references to King’s various online monikers.”‘ Yesterday, he agreed to a two year prison deal after pleading guilty to charges of DDoSing two web sites.
Last December, we pointed out that the Fbi’s Bot Roast II would lead to more arrests and lots of activity in cyber-law enforcement. In January, we pointed out that the ChaseNet forums’ shutdown coincided with the arrest of long-time member “Digerati” (Ryan Brett Goldstein), who was indicted as a result of the same Fbi operation at the time as 21 year old “SilenZ” (Gregory King).
While these developments expose past botnet activity and its disruption in definite terms, we also pointed out advertisements posted in underground forums by rogueware distributors looking to partner with these botnet herders, which we continue to see en masse:
“We upload adware, which in turn actively advertises antispyware! Our adware does not conflict with the botnets, or trojans, and it does not affect your own bots.”
Unfortunately, this underground and international industry is growing and evolving. Despite these arrests and drama, our Ruben will not escape suddenly into the eternal chill of crisp autumn air.
In yesterday’s post, I mentioned that the ChaseNET forums have been shut down. The distribution links for their SharK project, Bifrost and Poison Ivy Rat (Trojan) suites also have been removed. These projects could arguably be described as “Remote Administration Tools”.
Monday, the British legislature published guidelines for the application of a 1990 Computer Misuse Act that makes it illegal to distribute “hacking tools”. A perfect example of tools that this new application might apply to would be the ChaseNET projects. While these RATs could be argued as tools comparable to PCAnywhere or GoToMyPC, they include stealth and information stealing functionality that is designed to evade security solutions for effective system compromise, control and theft of sensitive user data. These sorts of tools certainly fit under the description of “dual-use” tools, and I suppose the British law was developed with the intent to take down this sort of site.
We’ll take a look from a low level technical perspective at some of these RATs’ bad behaviors and provide some details in a later post.