CRiMEPACK Zombie Exploit Gets Upgrades

CRiMEPACK exploit software is now widely accepted in the criminal scene, and marketed under the slogan "Highest rates for the lowest price".

CRiMEPACK is currently In-the-Wild, and a 3.0 version is being developed. It is in the middle stage of evaluation, and may go on sale in underground forums in the next few days.

CRiMEPACK consists of a set of pre-compiled exploits to take advantage of a number of vulnerabilities in systems with weaknesses in some of its applications, and when downloaded and ran (Drive-by-Download & Execute) it can make that system into a criminal zombie.

And I mean "criminal" because those behind the development of this exploit are from organized crime - and judging by the pictures displayed, like a washcloth, a handgun, a wallet, money and what appears to be cocaine - this is very evident.

The first time I found this package was in 2009 it was version 2.1, and later had a "great leap" to  the popular version 2.8 (still active) which in early 2010 had incorporated into its portfolio of exploits CVE-2010-0188 y CVE-2010-0806, in addition to adding an iframe generator and function "Kaspersky Anti-emulation", at a cost of US$400.

In this first stage of the evaluation of version 3, CRiMEPACK incorporates a total of 14 exploits, which are:

• name="mdac" - "IE6 COM CreateObject Code Execution" CVE-2006-0003
• name="msiemc" - "IE7 Uninitialized Memory Corruption" CVE-2010-0806
• name="java" - "JRE getSoundBank Stack BOF" CVE-2009-3867
• name="iepeers" - "IEPeers Remote Code Execution" CVE-2010-0806
• name="pdfexpl" - "PDF Exploits [collectEmailInfo (CVE-2007-5659), getIcon (CVE-2009-0927), util.printf (CVE-2008-2992)]"
• name="opera" - "Opera TN3270" CVE-2009-3269
• name="aol" - "AOL Radio AmpX Buffer Overflow" CVE-2007-5755
• name="iexml" - "Internet Explorer 7 XML Exploit" CVE-2008-4844
• name="firefoxdiffer" - "Firefox 3.5/1.4/1.5 exploits" CVE-2009-355
• name="libtiff" - "Adobe Acrobat LibTIFF Integer Overflow" CVE-2010-0188
• name="spreadsheet" - "OWC Spreadsheet Memory Corruption" CVE-2009-1136
• name="activexbundle" - "Bundle of ActiveX exploits" CVE-2008-2463

All the exploits can be enabled or disabled from the control panel called in "Aggressive Mode", and a JAVA Applet that emerge through a pop-up window asking the victim to accept the applet. If they do,it downloads the the malware.

Furthermore, this type of crimeware incorporates self-defensive measures such as avoiding desofuscación scripts and techniques like anti Wepawet and Jsunpack.

In addition, it automatically checks to see if the domain used is listed in the services:

• Norton SafeWeb
• My WebOfTrust
• Malc0de
• Google Safe Browsing
• MDL
• McAfee SiteAdvisor
• HpHosts
• MalwareURL

Brian Kreb wrote a few days ago on his blog an article about the implications that this package that is in the process of propagation and exploitation of a vulnerability - a zero-Day through JAVA.

Crimeware has a very high demand, offering low cost applications within a competitive business model ... and they are becomming increasingly aggressive.

Cross-posted from MalwareIntelligence