A little detected “tool” is downloading and executing bots. A version of “driveguard.exe”, with promises of cleaning up your system from infections and keeping it clean, is worming its way onto machines and downloading strains of Poison Ivy as “WinSecSys.exe”, a bot capable of stealing screenshots, keystrokes, spreading to other machines, etc. We wrote about these “RAT” tools in previous posts and the characters behind them, some of whom are sentenced to prison terms now. TF detects it as a worm.
Archive for the ‘RAT’ Category
Removal Tool? No.
Monday, June 23rd, 2008Botnet Herder Pleads Guilty
Wednesday, June 11th, 2008Maybe botnet activity hasn’t gone the way of Ruben Studdard like we thought it would, “yet another name now lost to the ages, silently fading into shadows numberless, suckled by the night sky“, but this botnet herder has. Only with nowhere near as much elegance.
When authorities arrested him at his Fairfield residence last year, our herder Gregory King exited the back door, tried to hide a laptop in the bushes of his backyard, and then answered the front door. ‘The government seized the laptop and searched it, finding “botnet software and references to King’s various online monikers.”‘ Yesterday, he agreed to a two year prison deal after pleading guilty to charges of DDoSing two web sites.
Last December, we pointed out that the Fbi’s Bot Roast II would lead to more arrests and lots of activity in cyber-law enforcement. In January, we pointed out that the ChaseNet forums’ shutdown coincided with the arrest of long-time member “Digerati” (Ryan Brett Goldstein), who was indicted as a result of the same Fbi operation at the time as 21 year old “SilenZ” (Gregory King).
While these developments expose past botnet activity and its disruption in definite terms, we also pointed out advertisements posted in underground forums by rogueware distributors looking to partner with these botnet herders, which we continue to see en masse:
“We upload adware, which in turn actively advertises antispyware! Our adware does not conflict with the botnets, or trojans, and it does not affect your own bots.”
Unfortunately, this underground and international industry is growing and evolving. Despite these arrests and drama, our Ruben will not escape suddenly into the eternal chill of crisp autumn air.
cDc Hacktivist Tool Release
Thursday, February 21st, 2008The Cult of the Dead Cow is a group that has been around for over a decade, presented by its members as an underground hacker/do-it-yourself media group. Every now and then, they release another “tool” as a result of their research. They are known mostly for their Back Orifice tool release in the late 1990’s. Unfortunately, it was only a taste of what was to come from the world of “RAT” development, or so-called remote administration tools. These sorts of tools were often used to maintain botnets and control over compromised systems for malicious purposes.
This new tool, the Goolag Scanner, is a stab at using Google’s technologies for security research (open to definitions of white, grey, or black hat), and a part of the cDc hacktivist response “to Google’s decision to comply with China’s Internet censorship policy and censor search results in the mainland-Chinese version of its search engine.” Its interface is similar to the popular Nessus vulnerability scanner. While use of the scanner most likely violates every contractual licensing agreement in the Google’s terms of service, it provides an automated method of evaluating web sites for vulnerabilities using “Google Hacks”, or “Dorks” that were popularized by “Johnny Hack” and his “Google Hacking Database“.
In line with their generally dark humor, this version of the scanner is being released as the “Stanley Kowalski” version, most likely in reference to an awful character from Tennessee Williams’ “Streetcar Named Desire”, along with a tough love usage statement:
“If this software does something bad to your computer or network or provides information that you have no legal right to see, then that’s your problem. In some countries this software might be illegal. Don’t be stupid, and don’t come whining to us if you get into trouble. You’ve been warned.”
Discussions on various security mailing lists wager on how long the site will remain up. It seems that the cDc presents the site as a parody of the google site itself:
“It isn’t even a particularly good parody. As such, it is protected by the First Amendment.” It most likely will be up for a while:
Web admins should be sure to attend to the security needs of their servers.
