Showing posts with label Adware.

Friday, June 20, 2008

Rustock Crackz

Last Thursday's post commented on malware commonly bundled with crackz. A large number of users are running files that appear to be distributed from a number of crack sites. We will not publish those domains on this post.

The filename bundles carry a common theme for a downloader that delivers more than a user would expect. Crack.exe, keygen.exe, patch.exe and install.exe have been bundled within phony cracks and released to a number of sites. They contain trojan downloaders, among other things, pulling down and executing spambot variants and many other malware executables, including our old friend Vundo. Here are just a handful of the bundle names that we've been seeing:
Microsoft_Office_Professional_Plus_2007.txt.exe
WINDOWSXPSP2ACTIVATIONCRACK.ZIP.EXE
popcapzumadeluxe!v1.0crack.zip.exe
COMMAND_AND_CONQUER_GENERALS_ZERO_HOUR_MULTI_KEYGEN_BY_FFF.ZIP.EXE
MAGICISO_V3.5_BUILD_0064.ZIP.EXE
WINDOWS_XP_HOME_EDITION_OEM_BUILD_2600_ACTIVATION_CRACK_BY_AMOL_A._MORE.ZIP.EXE
nero_8.2.8.0_serial.txt.exe
DYNOMITE_DELUXE_V2.71.ZIP.EXE
WARCRAFT_3_REIGN_OF_CHAOS_BY_RAZOR.ZIP.EXE
osadobephotoshopcs2tryouttofullactivationkeygenoscaria.zip.exe
SONIC_FOUNDRY_ACID_PRO_V4.0B.ZIP.EXE
ADOBE_PHOTOSHOP_CS2_CS2_SERIAL_NUMBER.TXT.EXE

Notice the clever(?) use of the double file extension, ending in .zip.exe or .txt.exe. DO NOT download and run these files.
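As an added example (not from the original post), here is a small Python check a mail gateway or file-share scanner could use to flag the double-extension trick, run over the bundle names listed above plus two constructed benign names; the extension lists are assumptions and not exhaustive.

```python
# Added example: flag filenames that end in a data-looking suffix (.zip, .txt)
# followed by a real executable suffix, as in the crack bundles above.
import os

# Suffixes Windows executes directly (assumed list, not exhaustive).
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd"}
# Decoy suffixes that make the name look like harmless data (assumed list).
DECOY_EXTS = {".zip", ".rar", ".txt", ".jpg", ".mp3", ".avi", ".pdf", ".doc"}


def deceptive_extension(filename):
    """Return (decoy, executable) such as ("zip", "exe") when the name ends in
    a decoy suffix followed by an executable suffix; otherwise return None."""
    stem, exec_ext = os.path.splitext(os.path.basename(filename))
    if exec_ext.lower() not in EXECUTABLE_EXTS:
        return None
    _, decoy_ext = os.path.splitext(stem)
    if decoy_ext.lower() not in DECOY_EXTS:
        return None
    return decoy_ext[1:].lower(), exec_ext[1:].lower()


def scan_names(names):
    """Map every flagged filename to its (decoy, executable) pair."""
    flagged = {}
    for name in names:
        hit = deceptive_extension(name)
        if hit:
            flagged[name] = hit
    return flagged


# The bundle names quoted in the post, plus two constructed benign names.
SAMPLE_NAMES = [
    "Microsoft_Office_Professional_Plus_2007.txt.exe",
    "WINDOWSXPSP2ACTIVATIONCRACK.ZIP.EXE",
    "popcapzumadeluxe!v1.0crack.zip.exe",
    "COMMAND_AND_CONQUER_GENERALS_ZERO_HOUR_MULTI_KEYGEN_BY_FFF.ZIP.EXE",
    "MAGICISO_V3.5_BUILD_0064.ZIP.EXE",
    "WINDOWS_XP_HOME_EDITION_OEM_BUILD_2600_ACTIVATION_CRACK_BY_AMOL_A._MORE.ZIP.EXE",
    "nero_8.2.8.0_serial.txt.exe",
    "DYNOMITE_DELUXE_V2.71.ZIP.EXE",
    "WARCRAFT_3_REIGN_OF_CHAOS_BY_RAZOR.ZIP.EXE",
    "osadobephotoshopcs2tryouttofullactivationkeygenoscaria.zip.exe",
    "SONIC_FOUNDRY_ACID_PRO_V4.0B.ZIP.EXE",
    "ADOBE_PHOTOSHOP_CS2_CS2_SERIAL_NUMBER.TXT.EXE",
    "setup.exe",            # constructed: single extension, not flagged
    "readme.txt",           # constructed: plain data file, not flagged
]

if __name__ == "__main__":
    for name, (decoy, real) in scan_names(SAMPLE_NAMES).items():
        print(f"{name}: looks like .{decoy}, is really .{real}")
```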

In our labs, we find that running these files results in a ridiculous attack. The volume of malware that ends up running on the system is so large that the system becomes entirely unusable. We haven't seen an attack quite so bad since the 2nd-thought.com site was taken down.

One of the components infects services.exe on the system (often named "axer.exe"), and drops rootkit and spambot components (surprisingly, we see a consistent driver filename "pqasghjd.sys"), sending out waves of spam from this system process. The kernel level driver component hooks SSDT entries NtCreateKey, NtOpenKey and NtTerminateProcess, in an attempt to hide registry keys and prevent termination of the malware's user-mode processes. It also attaches to the Ntfs file system driver, in order to obscure access to its presence on-disk.

The spambot components download updated lists of user accounts and available SMTP servers over HTTP, and then peddle rather "adult" themes in outgoing messages. All of the messages include a link to phony "personal growth" pills for men. Here are a couple of "mentionable" subject lines, crafted to get a small percentage of users to actually open the message:
"Life will get better with this"
"Wanna know why she's hot"
"Jessica Alba bikini pics"
"All the love you need"
"Scarlett Johansson and Justin Timberlake spotted together"
"Get ready for a stunning improvement to your love life"
"Scarlett Johansson and Tom Brady spotted in Mexico"

Wednesday, June 18, 2008

I Do Not!

We continue to receive emails telling us that we're not smart enough or don't look good enough. It's not totally unusual, because that message is frequently communicated by the "beauty" and "diet" industries in magazines, TV ads, etc. How dreary.

A common scam continues to make the rounds, putting the two themes together and telling us that we even look dumb. The email message includes a link to a video file, implying we might look really dumb in this video. The message even looks like crass Onion humor -- next, they'll tell us that only nerds wear glasses. Now, they are telling me "You look really stupid". Unfortunately, users are falling for this bad line every day, and downloading and running "video1.exe" on their systems:

Also hosted at the compromised server is video.exe.

This work is from a Russian gang, with the malware phoning back to a domain associated with other malware families in the Russian Federation:
Name: sr59.24ruhost.com
Address: 207.10.234.217
The owners of the compromised server have been notified.

These "videos" didn't show how dumb I really look. Instead, they download adware, rogueware, and other components. McAfee's researcher Paulo Palumbo beat us to the post this morning with a description of the blue screen that these downloaded rogueware installs frighten users with -- we'll note that this spammed executable link is one of its sources.
In our lab, we tried to reconfigure the Sysinternals' (acquired by Microsoft) screensaver used in this attack to "enable fake disk activity", but the necessary sysinternals components are not functional in this bundle. It's not even fun to tinker with, don't fall for this video.exe trick.

You're not ugly or dumb. You're beautiful, just right.

Elevated RBN IP Range Activity

Currently, we are seeing user systems from all over the world being attacked by a series of rogueware and spyware components. The software is related to a web server at http://74.50.107.165, whose IP address you can find among other CoolWebSearch/Gromozon/RBN addresses in the Russian Federation (still known as the "Russian Business Network", even though much of the group moved operations to Panama and China). The authors continue to use many of the same simple filenames they started out with:
0.exe, 1.exe, 2.exe, 3.exe, 4.exe, 5.exe

Creative stuff, no?

The attack is using a variety of methods. One of the more effective techniques is simply bundling the software with "winpole2.exe" within a setup file, which was available as another download at http://www.softportal2008-2008.com.

The dialog boxes look similar to the Microsoft Security Center, claiming that "Windows did not find Antivirus software on this computer", even though the pages are not provided by "Windows" or Microsoft at all:

Clicking on one of the links provided by the Center lookalike takes you to "thespybot.com", a knock-off of the legitimate antispyware product SpyBot S&D:

The other link in the Center-lookalike takes the user to a page that reports on phony scan results:

Now, instead of dropping the rogueware known as "Brave Sentry", this new variant drops a variant of phony antivirus software "vav.exe", otherwise known as "Vista Antivirus 2008".

If that's not enough to convince the user to pay for the misleading product, it falsely alerts the user to "Spyware.IEPass.Thief" on their system.

Detection of many of the components is very poor for now; only four of the scanners pick up most of the dropped components:

Tuesday, June 17, 2008

Will the Real Virtumonde Please Stand Up?

It seems that quite a bit of malware is being classified as Vundo (Virtumonde) these days. With the volume of malware currently being distributed in dynamic link library form, it is not always easy to differentiate one from another. Frequently these modules are statically linked with C and C++ runtimes, compression, and GUI libraries, which can slow analysis down. On top of all this embedded library code, Vundo itself seems to be under constant development: it is updated frequently to fix bugs, add a new piece of functionality, or add more randomization to defeat signature recognition.

However, there is one construct that the developers behind the code seem to enjoy using. In almost every place where an event name (and sometimes a registry value name) is created, the name is generated by a function that is similar across variants.

The function derives this name from an attribute of the infected computer: the serial number assigned to the "C:" drive volume when it was last formatted by the operating system. The serial number is then scrambled by one or more bitwise CPU instructions (XOR, in the samples below) against a constant selected by the programmer. The result of these operations is converted into a string and returned for use.

The recognition of this function can help positively ID a Vundo sample. The source code representation of this function would look similar to this:

#include <windows.h>
#define arbitrary_vundo_number 0xFDEC   /* per-variant constant chosen by the author */

/* Writes the 8-digit hex name into output and returns its length. */
int generate_number(char *output)
{
    BOOL  return_value;
    DWORD volume_serial_number = 0x123;  /* default, as pre-loaded in the assembly below */

    /* Serial number of the C: volume, assigned when it was last formatted. */
    return_value = GetVolumeInformation("c:\\", NULL, 0,
        &volume_serial_number, NULL, NULL, NULL, 0);
    (void)return_value;  /* the malware ignores failure; the default value is used */

    /* Scramble the serial with the variant's constant. */
    volume_serial_number ^= arbitrary_vundo_number;

    return wsprintf(output, "%08x", volume_serial_number);
}

Actual Vundo assembly code looks like this:

push esi ; nFileSystemNameSize
push esi ; lpFileSystemNameBuffer
push esi ; lpFileSystemFlags
push esi ; lpMaximumComponentLength
lea eax, [ebp+VolumeSerialNumber]
push eax ; lpVolumeSerialNumber
push esi ; nVolumeNameSize
push esi ; lpVolumeNameBuffer
push offset RootPathName ; "c:\\"
mov [ebp+VolumeSerialNumber], 123h
call ds:GetVolumeInformationA
xor [ebp+VolumeSerialNumber], 34D2121h
push [ebp+VolumeSerialNumber]
push offset a08x ; "%08x"
push [ebp+arg_0] ; LPSTR
call ds:wsprintfA
add esp, 0Ch
pop esi
leave
retn
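As an added example (neither Vundo's code nor the post's), the same derivation in Python so an analyst can predict the name a sample with a known constant will create on a machine with a known C: volume serial, or recover a sample's constant from a name observed on an infected host; the two constants come from the listings above, and the serial number used at the bottom is constructed.

```python
# Added example: the Vundo naming scheme (serial XOR constant, printed "%08x")
# reproduced in Python for analysis, not a reimplementation of the malware.

# Constants that appear in the post; real variants use their own values.
KNOWN_CONSTANTS = {
    0xFDEC: "C representation in the post",
    0x34D2121: "assembly listing in the post",
}

# The assembly pre-loads this value before calling GetVolumeInformationA,
# so it is what gets XORed when the call fails.
FALLBACK_SERIAL = 0x123


def vundo_name(volume_serial, constant):
    """Return the event/registry name: (serial XOR constant) formatted like
    wsprintf("%08x", ...), i.e. lowercase, zero-padded to 8 hex digits."""
    return "%08x" % ((volume_serial ^ constant) & 0xFFFFFFFF)


def recover_constant(volume_serial, observed_name):
    """Invert the scheme: XOR is its own inverse, so the constant is the
    observed value XOR the machine's serial."""
    return (int(observed_name, 16) ^ volume_serial) & 0xFFFFFFFF


def identify_variant(volume_serial, observed_name):
    """Match an observed name against the known constants. Returns the
    description of the matching variant, or None."""
    constant = recover_constant(volume_serial, observed_name)
    return KNOWN_CONSTANTS.get(constant)


def fallback_name(constant):
    """Name produced on a host where GetVolumeInformation failed."""
    return vundo_name(FALLBACK_SERIAL, constant)


if __name__ == "__main__":
    serial = 0x1C2F3A4B  # constructed volume serial number
    for constant, where in KNOWN_CONSTANTS.items():
        print(f"{where}: {vundo_name(serial, constant)}")
```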

Wednesday, June 11, 2008

Botnet Herder Pleads Guilty

Maybe botnet activity hasn't gone the way of Ruben Studdard like we thought it would, "yet another name now lost to the ages, silently fading into shadows numberless, suckled by the night sky", but this botnet herder has. Only with nowhere near as much elegance.
When authorities arrested him at his Fairfield residence last year, our herder Gregory King exited the back door, tried to hide a laptop in the bushes of his backyard, and then answered the front door. 'The government seized the laptop and searched it, finding "botnet software and references to King's various online monikers."' Yesterday, he agreed to a two year prison deal after pleading guilty to charges of DDoSing two web sites.

Last December, we pointed out that the FBI's Bot Roast II would lead to more arrests and lots of activity in cyber-law enforcement. In January, we pointed out that the ChaseNet forums' shutdown coincided with the arrest of long-time member "Digerati" (Ryan Brett Goldstein), who was indicted as a result of the same FBI operation at the same time as 21-year-old "SilenZ" (Gregory King).
While these developments expose past botnet activity and its disruption in definite terms, we also pointed out advertisements posted in underground forums by rogueware distributors looking to partner with these botnet herders, which we continue to see en masse:
"We upload adware, which in turn actively advertises antispyware! Our adware does not conflict with the botnets, or trojans, and it does not affect your own bots."

Unfortunately, this underground and international industry is growing and evolving. Despite these arrests and drama, our Ruben will not escape suddenly into the eternal chill of crisp autumn air.

Thursday, May 8, 2008

Risk from p2p networks?

Some media attention has been given to the circulation of a number of malicious files found on Gnutella networks accessed by LimeWire users. As always, please use caution when participating in these sorts of networks. Any time files are shared amongst a community of users, there is an increased risk of malware.

Some files were distributed on those networks with a .mp3 or .mpg extension and, instead of video or audio content, contain ASF files carrying script commands that direct the default handler (your web browser) to a specified URL or web site.
Luckily, most users find it suspicious when they expect to play a sound or video file in their media player and instead get a web browser prompting them to download and install more software. So they don't run it -- that's probably why McAfee saw half a million .mpg/.mp3 files that contained a link to malicious software, but saw not even 10% of that number result in adware actually downloaded onto users' desktops.

While it's great that AV scanner detection has caught up with the file extension trickery on the P2P networks, it's unfortunate that the individuals peddling this adware just skip that step and distribute binaries. Setup.exe files archived in "american pie full dvd movie.zip" and many other misleading filenames are floating around the P2P networks with the exact same payload as the downloaders described in the news.

It wouldn't make much sense that an entire "full dvd movie" could fit in a 94 KB zip file, but some users don't make that connection. Instead of a full DVD, the user gets multiple pieces of adware installed on their system, like Adware.Agent!sd5 and Adware.PlayMP3z.
The old adage follows, "If it seems too good to be true, it probably is."

Wednesday, March 19, 2008

What's in a picture?

Sometimes, nothing that you can look at.
We are analyzing what appears to be a spike in PornClicker activity. The keenly named updater, up.exe, for this software downloads a jpg from smart-browser.com, a "sex browser" software distributor.
JPEG files are an image format commonly used for displaying pictures on the web. But this updater renames the downloaded JPEGs to .dll and .exe extensions. They are most likely using the .jpg extension on the downloaded executables to evade the simplest firewall and URL filtering schemes.

The Delphi-written executable surprises us with a few camouflaging techniques. We are seeing it use multiple plays on Adobe's trademarked name. For example, when up.exe is run and deletes itself, it uses the unusual suspended process/SetThreadContext technique mentioned in a previous post to start Internet Explorer and inject its own code. Then, the code running within the IE process creates an "Adobe" directory within the user's %Application Data% directory. This zombie Internet Explorer process downloads the udpi2.jpg file served from hxxp://smart- browser.com/ updatex/ udpi2.jpg, and renames the phony image file to rundtl.exe. Their code then creates a Run registry key so that the app starts every time the machine is booted:
"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\AdobeManager"
"C:\Documents and Settings\p\Application Data\Adobe\rundtl.exe" -sys
Hmm. Is it a PDF reader or Adobe's download manager? No.

Instead, once running alongside another downloaded .jpg file renamed to an executable component (mdb.dll), the PornClicker connects to Yahoo! Messenger over HTTP and starts spamming out messages like
"I know it's been a while but check out my webpage and let me know if you wanna talk more"
hxxp://sexmecrazyy .com
It also begins to click on and pull down garbled URLs.
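As an added example (not from the original post or the malware), a content check a proxy or download scanner can apply to catch the renamed-executable trick above: it trusts the first bytes of the body rather than the .jpg name. The sample bytes are constructed; udpi2.jpg and rundtl.exe are the filenames from the post.

```python
# Added example: tell a real JPEG from a Windows executable served under an
# image name, as the updater above does with udpi2.jpg -> rundtl.exe.
import struct

JPEG_MAGIC = b"\xff\xd8\xff"          # SOI marker that starts every JPEG
IMAGE_EXTS = {"jpg", "jpeg", "gif", "png", "bmp"}


def is_pe_image(data):
    """True if data starts with an MZ DOS header whose e_lfanew field (offset
    0x3C) points at a PE signature, i.e. a Windows executable or DLL."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def classify_download(filename, data):
    """Classify by content, then compare with what the extension claims.
    Returns 'jpeg', 'pe', 'pe-disguised-as-image' or 'unknown'."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    if data.startswith(JPEG_MAGIC):
        return "jpeg"
    if is_pe_image(data):
        return "pe-disguised-as-image" if ext in IMAGE_EXTS else "pe"
    return "unknown"


def constructed_pe_bytes():
    """A minimal constructed MZ/PE header (not a working program), enough
    for the structural check above."""
    hdr = bytearray(0x80)
    hdr[:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x40)   # e_lfanew -> offset 0x40
    hdr[0x40:0x44] = b"PE\x00\x00"
    return bytes(hdr)


# Constructed JPEG header (SOI marker followed by a JFIF APP0 segment).
CONSTRUCTED_JPEG = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"\x00" * 32

if __name__ == "__main__":
    for name, body in [("udpi2.jpg", constructed_pe_bytes()),
                       ("photo.jpg", CONSTRUCTED_JPEG)]:
        print(name, "->", classify_download(name, body))
```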

Nothing to look at here:

ThreatFire's name for it is "PuA.SmartBrowser.PornClicker".
Note: it has been updated to Trojan.Injector.

Tuesday, March 4, 2008

Developing Malware and Rogueware on the Same System

Sometimes people with bad intentions do really dumb things. Is it something to laugh at? Is it something that provokes empathy for the subject?

Well, as we research further into the so-called MonaRonaDona virus, Registry Cleaner 2008, and Unigray Antivirus, we find characteristics common to each executable binary, leading us to believe with a high level of confidence that not only are the binaries from the same group, but they were developed on the same machine.

We performed a forensic investigation of the binaries, and in Sherlock Holmes style we can say that the author of these masterpieces is a male (possibly Pakistani) who lives in the Netherlands and speaks Dutch, is in his mid-30s, works as a freelance C++ (MFC/ATL) programmer, is a soccer fan, wants to study in the U.S. or Pakistan as a Fulbright scholar, and likes looking at Maria Ford and Jordan Ladd. Our Mr. X has no permanent job, so he takes projects from his bosses to build these rogue antivirus solutions and pay his rent. He wants better projects and wants to run his own business. It is his bosses who are the real masterminds behind Unigray Antivirus and MonaRonaDona, not this man himself.

Clues?

Well, the executable was compiled on a Windows box with the Netherlands regional settings using Microsoft Visual Studio 8 and MFC/ATL settings.
MonaRonaDona is likely a word-play on Maradona - M(on)ar(on)adona - whose fans are likely to be in their mid-30s and older.
An Elance trace leads us to the web portal where freelance programmers can be hired.
Multiple others litter the files.

It's Elementary, My Dear Watson!

Monday, March 3, 2008

MonaRonaDona Mystery Solved

Brian Krebs at the Washington Post blogged today about a pretty common, unusually mysterious, and very badly named extortion scam, "MonaRonaDona":
"Nobody seems to know how the thing wiggles into infected PCs in the first place, but the one thing that's clear is that this invader's primary purpose is to call as much attention to itself as possible...This piece of malware disables a number of programs on the victim's PC, changes the title of each Internet Explorer Window to include its name, and pops up the warning shown in the adjacent screenshot."

Our talented friend Roel at Kaspersky blogged about symptoms that they've seen as well, without much to add about its origins:
"How the malware actually reaches the system isn't entirely clear at the moment. When first run, the only thing the program does is register itself to start at Windows boot. As symptoms of infection aren't immediately visible, this makes it harder for victims to pinpoint what they were doing when they actually got infected."

We were analyzing the same threat earlier this morning, when one of our support team was contacted about the problem. Our ThreatExpert and ThreatFire protected community provided the binaries to find some answers.

Some of these users unfortunately were persuaded over the past week or so to run a version of "RegistryCleaner2008.exe" (afec3d0f13b8f866f2c2eec122024165 for you researchers out there), as can be seen here:

Along with a particular version of "RegistryCleaner2008.exe" came a little friend by the name of "srvspool.exe" and friends. Some of the infection symptoms are somewhat simple and silly compared to other threats we've been researching -- "MonaRonaDona" appears in the Internet Explorer title bar, the "DisableTaskManager" key in the registry is set so users cannot use Ctrl+Alt+Del to kill the threat on their system, and "srvspool.exe" appears in the All Users startup folder.

Interestingly, the release coincided with the short-lived appearance of an antivirus suite at www.unigray.com. Notice the "New Spyware Threats" list in the bottom right corner contains #1 new find "MonaRonaDona". At the moment of posting, googling for this dreadfully named virus family turns up no results from any of the credible AV vendors:

Meanwhile, a mysterious poster "ParadiseForever" claimed that "The computer virus by the name Monaronadona is causing widespread havoc by infecting computers everywhere" and that "The only solution would be to install a good AntiVirus software package which can detect and kill the virus. There are a lot of free AntiVirus softwares available online. However the normal antivirus such as Norton or McAfee may not work for this Virus.
You can try downloading the Unigray Antivirus which is considered the best for removing the monaronadona virus compared to the other spyware / antivirus programs", which can be seen here:

And here is an attempt to lend credibility to this overpriced, false-positive-producing Unigray scanner by putting it in the same list as established and well-known AV vendors:

Note that it has been reported by other researchers that users' search engine results are modified in some way, but we have not witnessed this activity. Instead, the rogueware authors have posted at Digg and other sites in order to appear as top Yahoo and other search engine hits for the search term "MonaRonaDona", with pages that promote the rogueware Unigray AV scanner.
A clean system shows that the top unsponsored result at the Yahoo web site takes you to the phony "ParadiseForever" post at hubpages.com:

More of the scam can be read about on Krebs' post, where he instructs users "If you're a victim of this extortion scam, please don't pay up."

We'll have more details about the binaries and provide updated information as well. In the meantime, we are pleased to report that the source of this Rogueware is quiet at the moment:

Friday, February 22, 2008

Here come the mounties

I wonder if they didn't see the bright red jackets galloping towards their hard drives? Another botnet ring got busted in Canada.

This story is bigger than I thought..."Police in Quebec arrested 17 people on computer-hacking-related charges in the largest sweep of its kind in Canada".

It's not just the U.S. FBI performing these major 2008 investigations and arrests.

Friday, February 8, 2008

What's in a name? -- Adclicker agent spambots

Sometimes family names from various AV products don't really fit the behavior of samples that we are seeing. The naming conundrum has been an ongoing challenge for the AV industry. One serious attempt at a naming standard put forth by CARO in 1991 has been casually used for some time. But no product has been absolutely compliant over the past 17 years, and a message at the group's site makes it seem that the group, and its half-used standards, is running out of steam:

Some leaders in the industry have called the latest attempt, the CME naming standard, dead. That is arguable, but the question remains, how effective is the CME standard at helping consumers of security software understand what they are being protected against and reducing the public's confusion in referencing threats during "malware incidents"? Has it improved communication and information sharing between vendors and the rest of the community?

Currently, we are looking at a surge in malicious binaries in our user community that either are currently undetected by the major AV scanners or have been misnamed altogether. The file names for these binaries are random, but look like:
ciocrw.exe
fhydx.exe

The files are custom packed to make reversing more difficult. Most of these samples use an interesting encoded series of communications that can only be described as bot-like activity. This morning, they are pulling down "install_cn.exe" from a variety of sites, and then go on to spam out messages with sex-themed content from the infected host (links below intentionally modified):

You really can make your wife more gratified!
You dont know what to do? It's more than simply
Follow this link to learn more
http://kfc< >esa.com/
Have an impassionedzealous love!

You have a nice chance to say goodbye to your sexual troubles
You dont know what to do? Here a recipe for you....
Use link to learn more...
http://dontw< >forsizes.com/
Have a passionate nights!

Make your lady-love satisfied!
You dont know how? It's simply!
All details are here:
http://www.incr< >esizesnow.com/
Have a fervent love!


Related malware reports of previously detected and undetected samples, dating back to the end of November, show that the effort to release this stuff exhibiting similar behaviors and communicating with the same domains is not entirely new, and that family names provided by scanners differ across all the samples when they are first released.

Unfortunately, this leads us to believe that 2008 is becoming another banner year for spam and rogueware (the new adware).
So what to call it? We'll see updates and modifications for this one, and it blurs the lines of the adclicker, spambot, zlob family characteristics and more. Right now, you might see this one prevented by ThreatFire as Trojan.ClizxkBot or Trojan.AdClicker. We hope not.

Wednesday, February 6, 2008

Infested stock message boards and a quick response

Sometimes, surprising events in the financial news draw users to the message boards. On Yahoo!, individual stock message boards are usually a safe haven for posting and browsing.
Right now, one stock at the Yahoo finance site appeared to have an almost 60% drop for the day. Instead, the company might be performing a reverse split with little notice. There is no news headline about a reverse split for the company, so the next logical step would be to check out the message boards and see what other users might be sharing.

Once on the message boards, a user may fall for friendly advice like "This Video Forecast should help" (link intentionally removed). DO NOT FOLLOW THESE LINKS RIGHT NOW. We decided to follow these links once we saw them. After following one of them, our goat lab systems became totally infected by malware and completely unusable. Adware, worms, multiple processes and more were overloading the system's capacity. We can only post an image at this point of the link to the infecting site (DO NOT VISIT THESE LINKS). These attackers are acting quickly on the confusing financial news:

UPDATE: It seems that the web links spammed to the message boards may be linked to a handful of web servers that were compromised. For example, here is a list of spammed links to another message board. We highlight one in particular in red:

Here is the web page at the highlighted link's destination, apparently revealing a compromised site. Most likely, the malware and exploits served up at these sites were the result of compromised servers:

The operators of these sites seem to be on top of the problem, and almost all of the links we're visiting are now cleaned up.

These short lived and effective attacks can ruin your day. They lurk in the most unexpected of places, not just the adult and warez sites. Be sure to keep your security solutions updated.

Monday, January 14, 2008

Fake alert for Spyware.CyberLog-X

A new round of the FakeAlert family has been released this past weekend, the same family of rogueware components that Alex Eckelberry of Sunbelt has posted. We are seeing a surge in hits for new components installed as "MultiMedia Software" codecs that result in a barrage of popups identifying "Spyware.CyberLog-X" and "Trojan-Spy.Win32@mx" on the system:

Of course, there was no spyware on these clean lab systems prior to the codec install, and no legitimate video codecs were installed on the machine as a result of running the setup.exe program.

Thursday, January 3, 2008

New (delf?)lob or (z?)lob variant

We are seeing a number of hits from binaries served up from the Ukraine via web pages' prompts from domains registered in China and hosted in the U.S. Now that's international.
These sites in the Ukraine are linked to by servers all over the world, and serve up "Rogueware", or fraudulent adware, similar to the Zlob family. A couple of vendors are assigning it vague family names like "Delflob" or "Delf".
Through a redirected HTTP session, the user sees the standard video codec hoax. Recently, this same hoax was coldly used with other shocking news like the Bhutto assassination and the Zoey Zane death, and most likely will continue to be used throughout 2008. This site could have been a part of the fake-codecs-on-Blogger effort, but because detection is so low, it is most likely a new effort or will be a part of a new effort. Notice the "play video" title bar and the instruction "You must download the Video ActiveX Object to play":

Once the user is suckered into clicking on the image to download the adware posing as a legitimate video codec, a file with variations on the name install_video_3913230.exe is served up. If the user runs the installer, thinking of it as a legitimate codec, it in turn writes out G76-tmp_.exe, which also installs toprates.dll. Toprates.dll is a file that claims to be a video driver in its properties, but it is nothing more than rogueware (also called rogue antispyware), or adware making fraudulent and threatening claims that a user's system is infected and in a dangerous state. And by paying up, the user will soon fix this dangerous situation.
ThreatFire users have been seeing prompts regarding the temp file's (%TEMP%\GL76-tmp.exe) adjustments to security settings:

If the user allows the action to occur and then double-clicks on "My Computer", or opens an Explorer window another way, they are prompted with an intimidating warning. If the intimidated user clicks on "Ok", this adware directs the user's browser to a web site peddling IeDefender, fraudulently claiming that the user's system has been infected by an "unknown trojan" (implicitly something other than this garbage):

Unfortunately, AV detection for the variant has been low since our ThreatFire community started seeing this malware:

Even if one of our ThreatFire users accepted the temp file's attempt to change the system's security settings, TF would prompt a second time on the source of the disingenuous warnings as it attempts to intimidate the user with more confusing ads. At this point the user really should quarantine this rogueware. If ThreatFire hasn't seen the specific delivered binary before, it prompts the user:

ThreatFire will be picking these off as a part of the "Zlob" family.

You might notice that this hoax has a lot to do with the very last line of a previous post, quoting an ad from the distributor of these sorts of rogueware installs.

Wednesday, January 2, 2008

Notes from the underground II

AV veteran Peter Ferrie of Symantec noticed that the vx scene he has been fighting for so long has been winding down. The scene's virus writers are beginning to post their farewellz and shoutz on the 29A forums and others.

He also points out that the trojan scene has steadily been replacing the activity of vx writers:
"We are striving to put them out of business. Once they're all gone, those Trojans will keep us in business for a long time. Not that we want them, either."

Even those trojan groups are beginning to disappear. The ChaseNET forums, a major international source of "Remote Administration Tool" (RAT for short, otherwise known as "Trojan Horse") activity since 2004, are closing down as well. This shutdown curiously coincides with the FBI arrest of longtime ChaseNET member "Digerati". He faces up to five years in prison and a $250,000 fine if convicted of conspiracy to commit computer fraud, as we posted previously last year.
While the oldest of the groups might be drying up, unfortunately there are more growing to replace the vxers in different parts of the world. Recently released "Zines" from these newer groups publish technically sophisticated source details of password stealing, advanced rootkitting techniques, and more. These zines follow the trend away from virus writing for reputation to password stealer writing for profit. Plug in the slow cooker, cuz we'll see more "Bot Roast" style arrests in 2008.

Unfortunately, we are also seeing more posts overseas from individuals seeking bot herding partners, looking to install more adware on victims' systems and raise revenues for those involved. This sort of collaboration and malware should also continue throughout 2008, as we have been seeing a high level of this activity at the end of 2007.
Some of the most prevalent malware ThreatFire currently is seeing comes from the Zlob or Popuper families that are distributed in this manner. And here is one of the requests that we are seeing on an overseas forum regarding rogueware installs:
"We upload adware, which in turn actively advertises antispyware! Our adware does not conflict with the botnets, or trojans, and it does not affect your own bots."

Update: Bot Roast II resulted in another guilty plea. This time from Gregory King, indicted at the same time as "Digerati". His deal includes a two year prison term.

Saturday, November 10, 2007

250,000 bots later...

...John Schiefer is pleading guilty to four federal charges related to fraud and wiretapping. Mr. Schiefer is only 26 years old:
Los Angeles hacker to plead guilty to infecting 250,000 computers to steal identities

One of the awful things about this case is that Schiefer was an "information security consultant" (or should we say con artist) for an L.A. company by the name of 3G Communications.
He is pleading guilty to charges based on his building a botnet of a quarter million systems, using those bots in order to steal user identities, and installing adware on those same users' systems.

If true, the bots that he implemented scraped various user names and passwords. The software techniques most likely used by bots like these are nothing new at all. Bot source has been in wide circulation for this type of activity for years now. Almost all of it comes with a "pstore.c" file, complete with comments to describe the scraping code, like "IE AutoComplete", "MSN Explorer Signup", "IE Password-Protected sites". This bot code is all written to steal the passwords that Internet Explorer components were designed to save for you in a secure manner in Windows protected storage.

ThreatFire has detected and prevented this sort of malware behavior for a looong time. Any software component that shouldn't be looking through the protected storage in order to snag usernames and passwords is prevented from doing so.
You also can see an example report of spybot activity here at our Threatexpert site.

Some other techniques to steal paypal passwords that are in more current bots are being sold as a part of kits now as well. Hundreds of thousands of systems at the least were infected this past year by these commodity kits, and the numbers continue to increase.

Interestingly, Mr. Schiefer is from Los Angeles. Maybe he'll spend some time with another California citizen, Jeanson James Ancheta, who received the "longest known sentence for a defendant who spread computer viruses" in May 2006.