CRiMEPACK exploit software is now widely accepted in the criminal scene and is marketed under the slogan "Highest rates for the lowest price".
CRiMEPACK is currently In-the-Wild, and a 3.0 version is being developed. It is in the middle stage of evaluation and may go on sale in underground forums in the next few days.
CRiMEPACK consists of a set of pre-compiled exploits that take advantage of a number of vulnerabilities in the applications installed on a system; when the payload is downloaded and run (Drive-by-Download & Execute), it can turn that system into a criminal zombie.
And I mean "criminal" because those behind the development of this exploit kit come from organized crime - judging by the pictures displayed, like a washcloth, a handgun, a wallet, money and what appears to be cocaine, this is very evident.
The first time I found this package was in 2009, when it was version 2.1; it later made a "great leap" to the popular version 2.8 (still active), which in early 2010 had incorporated CVE-2010-0188 and CVE-2010-0806 into its portfolio of exploits, in addition to adding an iframe generator and a "Kaspersky Anti-emulation" function, at a cost of US$400.
In this first stage of the evaluation of version 3, CRiMEPACK incorporates a total of 14 exploits, which are:
- name="mdac" - "IE6 COM CreateObject Code Execution" CVE-2006-0003
- name="msiemc" - "IE7 Uninitialized Memory Corruption" CVE-2010-0806
- name="java" - "JRE getSoundBank Stack BOF" CVE-2009-3867
- name="iepeers" - "IEPeers Remote Code Execution" CVE-2010-0806
- name="pdfexpl" - "PDF Exploits [collectEmailInfo (CVE-2007-5659), getIcon (CVE-2009-0927), util.printf (CVE-2008-2992)]"
- name="opera" - "Opera TN3270" CVE-2009-3269
- name="aol" - "AOL Radio AmpX Buffer Overflow" CVE-2007-5755
- name="iexml" - "Internet Explorer 7 XML Exploit" CVE-2008-4844
- name="firefoxdiffer" - "Firefox 3.5/1.4/1.5 exploits" CVE-2009-355
- name="libtiff" - "Adobe Acrobat LibTIFF Integer Overflow" CVE-2010-0188
- name="spreadsheet" - "OWC Spreadsheet Memory Corruption" CVE-2009-1136
- name="activexbundle" - "Bundle of ActiveX exploits" CVE-2008-2463
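The module list above is printed in a `name="..." - "description" CVE-...` form, and two lines are awkward to handle by eye: `pdfexpl` bundles three CVEs inside its description, and `firefoxdiffer` carries a CVE identifier that is one digit short. The following parser, an added example written for this post and not code from the kit or from MalwareIntelligence, turns that list into a per-CVE patch checklist for defenders: it extracts every CVE from either position, flags identifiers that are not well-formed instead of silently dropping them, and inverts the mapping so a CVE targeted by more than one module (the post lists CVE-2010-0806 twice) stands out. The sample text embedded in the block is a constructed copy of seven lines from the post.

```python
import re
from dataclasses import dataclass, field

# Constructed sample: seven module lines as printed in the post above.
# pdfexpl carries its CVEs inside the description; firefoxdiffer's
# identifier is kept exactly as the post shows it (one digit short).
SAMPLE_MODULE_LIST = '''
- name="mdac" - "IE6 COM CreateObject Code Execution" CVE-2006-0003
- name="msiemc" - "IE7 Uninitialized Memory Corruption" CVE-2010-0806
- name="java" - "JRE getSoundBank Stack BOF" CVE-2009-3867
- name="iepeers" - "IEPeers Remote Code Execution" CVE-2010-0806
- name="pdfexpl" - "PDF Exploits [collectEmailInfo (CVE-2007-5659), getIcon (CVE-2009-0927), util.printf (CVE-2008-2992)]"
- name="firefoxdiffer" - "Firefox 3.5/1.4/1.5 exploits" CVE-2009-355
- name="libtiff" - "Adobe Acrobat LibTIFF Integer Overflow" CVE-2010-0188
'''

# One module line: a quoted name, a dash, a quoted description, then whatever follows.
MODULE_RE = re.compile(r'name="(?P<name>[^"]+)"\s*-\s*"(?P<desc>[^"]*)"(?P<rest>.*)')
# A well-formed CVE identifier: four-digit year, at least four sequence digits.
CVE_OK_RE = re.compile(r'\bCVE-\d{4}-\d{4,}\b')
# Loose pattern so truncated identifiers are caught and flagged rather than lost.
CVE_ANY_RE = re.compile(r'\bCVE-\d{4}-\d+\b')


@dataclass
class ExploitModule:
    name: str
    description: str
    cves: list = field(default_factory=list)       # well-formed identifiers
    malformed: list = field(default_factory=list)  # identifiers needing manual review


def parse_module_list(text):
    """Parse module lines in the post's format into ExploitModule records."""
    modules = []
    for line in text.splitlines():
        m = MODULE_RE.search(line)
        if not m:
            continue  # blank line or something that is not a module entry
        mod = ExploitModule(m['name'], m['desc'])
        # CVEs may sit after the description or inside it (the pdfexpl case).
        for ident in CVE_ANY_RE.findall(m['desc'] + ' ' + m['rest']):
            if CVE_OK_RE.fullmatch(ident):
                if ident not in mod.cves:
                    mod.cves.append(ident)
            else:
                mod.malformed.append(ident)
        modules.append(mod)
    return modules


def cve_to_modules(modules):
    """Invert the mapping: which kit modules target each CVE.
    A CVE shared by several modules is the first one to patch."""
    index = {}
    for mod in modules:
        for cve in mod.cves:
            index.setdefault(cve, []).append(mod.name)
    return index


def patch_checklist(modules):
    """Render a sorted checklist, with malformed identifiers listed last."""
    lines = []
    for cve, names in sorted(cve_to_modules(modules).items()):
        lines.append(f"{cve}: targeted by {', '.join(names)}")
    for mod in modules:
        for bad in mod.malformed:
            lines.append(f"{bad}: malformed identifier in module {mod.name}; verify manually")
    return lines


if __name__ == "__main__":
    for entry in patch_checklist(parse_module_list(SAMPLE_MODULE_LIST)):
        print(entry)
```

Run as a script it prints one line per unique CVE with the modules that use it, followed by the flagged `CVE-2009-355` entry; feeding it the full twelve-line list from the post instead of the sample gives the complete checklist.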
All the exploits can be enabled or disabled from the control panel, together with a so-called "Aggressive Mode": a JAVA applet that appears through a pop-up window asking the victim to accept it. If they do, it downloads the malware.
Furthermore, this type of crimeware incorporates self-defensive measures, such as avoiding deobfuscation scripts and techniques like anti-Wepawet and anti-Jsunpack.
In addition, it automatically checks whether the domain used is listed by the following services:
- Norton SafeWeb
- My WebOfTrust
- Malc0de
- Google Safe Browsing
- MDL
- McAfee SiteAdvisor
- HpHosts
- MalwareURL
Brian Krebs wrote an article on his blog a few days ago about the implications of this package, which is in the process of propagating and exploiting a vulnerability - a zero-day through JAVA.
Crimeware is in very high demand, offering low-cost applications within a competitive business model ... and they are becoming increasingly aggressive.
Cross-posted from MalwareIntelligence