CRiMEPACK Zombie Exploit Gets Upgrades

Wednesday, May 26, 2010

Jorge Mieres


CRiMEPACK exploit software is now widely accepted in the criminal scene, and marketed under the slogan "Highest rates for the lowest price".

CRiMEPACK is currently in the wild, and a 3.0 version is being developed. It is in the middle of its evaluation stage and may go on sale in underground forums in the next few days.

CRiMEPACK consists of a set of pre-compiled exploits that take advantage of a number of vulnerabilities in systems whose applications have weaknesses; when the payload is downloaded and run (drive-by download and execute), the system is turned into a criminal zombie.

And I mean "criminal" because those behind the development of this exploit kit come from organized crime, which is very evident judging by the pictures displayed: a washcloth, a handgun, a wallet, money and what appears to be cocaine.

The first time I found this package was in 2009, when it was version 2.1. It later made a "great leap" to the popular version 2.8 (still active), which in early 2010 incorporated CVE-2010-0188 and CVE-2010-0806 into its portfolio of exploits, in addition to adding an iframe generator and a "Kaspersky Anti-emulation" function, at a cost of US$400.

In this first stage of the evaluation of version 3, CRiMEPACK incorporates a total of 14 exploits, which are:

All the exploits can be enabled or disabled from the control panel, in what is called "Aggressive Mode", and a Java applet appears in a pop-up window asking the victim to accept it. If they do, it downloads the malware.

Furthermore, this type of crimeware incorporates self-defensive measures such as evading deobfuscation scripts, and anti-Wepawet and anti-Jsunpack techniques.

In addition, it automatically checks whether the domain used is listed by the following services:

  • Norton SafeWeb
  • My WebOfTrust
  • Malc0de
  • Google Safe Browsing
  • MDL
  • McAfee SiteAdvisor
  • HpHosts
  • MalwareURL

Brian Krebs wrote an article on his blog a few days ago about the implications of this package, which is in the process of propagating and exploiting a vulnerability, a zero-day, through Java.

Crimeware is in very high demand, offering low-cost applications within a competitive business model ... and they are becoming increasingly aggressive.

Cross-posted from MalwareIntelligence

Mourad Ben Lakhoua Totally agree Micheal.
Metasploit has a user-friendly graphical interface and helps to quickly create new modules. eXploit Builder includes a whole bunch of useful tools needed for debugging and testing new exploits.
Jorge Mieres Hi!
There is no doubt that Metasploit is also used by criminals; in short, any type of unauthorized access to any information system is illegal.

However, what is presented in this post is another of the many crimeware kits that use an interesting list of pre-compiled exploits to generate massive attacks. Regardless of what type of web application is used, it's true that the fraud committed through crimeware represents a highly profitable business for computer criminals (and in this sense we are not talking about hackers, crackers, script kiddies or anything like that).

The sale of these applications (exploit packs, malware kits, blackhat SEO kits, etc.) generates another vein of business, because it certainly sells, and who is buying? A guy who does not know how to pull off an exploit. These applications have marked a trend that unfortunately continues to rise, and this one in particular is an economical application compared to others, ZeuS for example, where the cost of a private version can exceed US$12,000.

The highest rate of infection comes from massively spreading malware through these applications; the large volume of rogue Internet content we owe especially to their affiliate systems, the majority of online fraud is automated and managed through these applications, and if we talk about cyberwar, DDoS attacks are executed through this kind of application.

I can assure you that those behind this huge business are no idiots; just look at the statistics on the volume of malware that appears daily and the economic losses generated by online fraud.

hamza karmani To remove it, do this:
1. Use MBam in Safe Mode and let it get rid of everything it can find
2. Reboot in Ultimate Boot CD (or similar)
3. Delete c:\windows\system32\drivers\directxsli.sys
4. Reboot

And then, to fix the Active Desktop problem (where all the options were greyed out):

Click on Start > Run > type regedit

Go to HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies

Check in all the subkeys, and delete entries for wallpapers or Active Desktop

Go to HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies

Check in all the subkeys, and delete entries for wallpapers or Active Desktop
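The registry step above can be audited before anything is deleted. This PowerShell script is an added example, not part of the comment or the post: it walks both Policies keys and lists values whose names mention wallpaper or Active Desktop. The name pattern is an assumption chosen here as a heuristic, not a definitive list of policy values.

```powershell
# Added audit script (not from the post): enumerate the two Policies keys named in the
# removal steps and report values related to wallpaper / Active Desktop restrictions.
# Assumption: the regex below is a heuristic for names worth reviewing, nothing more.
$roots = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies'
)
$pattern = 'Wallpaper|ActiveDesktop'

$findings = foreach ($root in $roots) {
    if (-not (Test-Path $root)) { continue }
    # Include the Policies key itself plus every subkey (Explorer, System, ActiveDesktop, ...)
    $keys = @(Get-Item -Path $root) +
            @(Get-ChildItem -Path $root -Recurse -ErrorAction SilentlyContinue)
    foreach ($key in $keys) {
        foreach ($name in $key.GetValueNames()) {
            if ($name -match $pattern) {
                [PSCustomObject]@{
                    Key   = $key.Name
                    Value = $name
                    Data  = $key.GetValue($name)
                }
            }
        }
    }
}

if ($findings) {
    $findings | Format-Table -AutoSize
    # After reviewing the list, remove one specific entry like this (example path/value):
    # Remove-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop' -Name 'NoChangingWallPaper'
} else {
    'No wallpaper or Active Desktop policy values found under either Policies key.'
}
```

Run it from an elevated PowerShell prompt so the HKLM branch is readable; HKCU is checked for the currently logged-on user only.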
Jorge Mieres Exactly! Crimeware of this type incorporates mechanisms to evade detection by antivirus programs and security analysis by researchers.

In this case it checks the databases of these services to determine whether the domain is listed, and if so it changes the domain or simply uses the backup domain, as some exploit packs and malware kits do, as in the case of SpyEye:

Even against the services to verify the integrity of the files:

This is all a criminal organization, where they even gather intelligence:

Rohit Bansal Mostly high traffic from Asian countries like India and Pakistan
hamza karmani Don't forget China and Russia; traffic must be high in those countries, I suppose
Rohit Bansal CrimePack V3.0 leaked & fully decoded :)
