Categories: Cyber Crime

Rise of DIY, new botnet and keylogger generating tool in the wild

Not a day goes by without news of powerful cyber attacks and sensational cyber espionage campaigns; this dangerous trend is also sustained by the growing offer of tools and services in the underground.

Unfortunately the underground market is very dynamic and very difficult to monitor, and the situation is aggravated by the lack of knowledge among many security experts about the evolution of the cybercrime ecosystem.

Dancho Danchev is one of the most skilled security professionals, with deep knowledge of the cybercrime ecosystem. He constantly monitors the underground market and warns the security community about the spread of DIY (Do-it-Yourself) cybercrime-friendly tools, which are bringing ordinary criminals with little knowledge of the subject into cybercrime in search of profit.

How is an offer launched in an underground community?

Typically a cybercriminal forms an initial seed of a community by inviting only cybercrime-friendly members. He usually posts the results of his analysis of the malware bot's code, in particular providing evidence of its efficiency by publishing pieces of source code. One of the most interesting features for bot efficiency is the Domain Generation Algorithm (DGA): the algorithm is used to periodically generate a large number of domain names that can be used as rendezvous points with the controllers.

The greater the number of domain names, the more difficult it is for security firms and law enforcement to decapitate the botnet. Law enforcement usually adopts sinkhole techniques to neutralize a botnet: botnet traffic is redirected to a "sinkhole", allowing the authorities to oversee traffic from infected machines and prevent further diffusion of the malicious code.
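From the defender's side, the same property that makes a DGA hard to decapitate (many candidate domains, most of them never registered) is also what makes it visible in resolver logs: an infected host produces bursts of NXDOMAIN answers for random-looking names. The following is an added example, not code from the article or from Danchev's post, that scores constructed DNS log lines with a simple length/entropy heuristic and reports hosts whose failed lookups of algorithmic-looking names cross a threshold; the log format, thresholds and addresses are assumptions chosen for the illustration.

```python
import math
import re
from collections import Counter, defaultdict

# Constructed sample resolver log: "<client> <queried name> <response code>".
# The names and addresses are made up for this example, not real indicators.
SAMPLE_DNS_LOG = """\
10.0.0.5 www.example.com NOERROR
10.0.0.5 mail.example.com NOERROR
10.0.0.7 xk3j9qzp1wv4.com NXDOMAIN
10.0.0.7 q8v2mz7lkd0t.net NXDOMAIN
10.0.0.7 zp9w4xq1v8kj.org NXDOMAIN
10.0.0.7 m3n8k2lq9xwv.com NXDOMAIN
10.0.0.7 update.example.com NOERROR
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(NOERROR|NXDOMAIN)$")


def shannon_entropy(s):
    """Bits of entropy per character of s (0.0 for an empty string)."""
    if not s:
        return 0.0
    n = len(s)
    return -sum((c / n) * math.log2(c / n) for c in Counter(s).values())


def second_level_label(name):
    """Return the registrable label, e.g. 'example' for 'www.example.com'."""
    parts = name.rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def looks_algorithmic(name, min_len=10, min_entropy=3.0):
    """Heuristic: long, high-entropy second-level labels resemble DGA output.
    Thresholds are assumptions; tune them against your own baseline traffic."""
    label = second_level_label(name)
    return len(label) >= min_len and shannon_entropy(label) >= min_entropy


def parse_log(text):
    """Parse log lines into (client, name, rcode) tuples, skipping malformed ones."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            rows.append((m.group(1), m.group(2).lower(), m.group(3)))
    return rows


def suspect_hosts(rows, min_hits=3):
    """Map client -> count of NXDOMAIN answers for algorithmic-looking names,
    keeping only clients at or above min_hits (candidates for sinkhole review)."""
    counts = defaultdict(int)
    for client, name, rcode in rows:
        if rcode == "NXDOMAIN" and looks_algorithmic(name):
            counts[client] += 1
    return {c: n for c, n in counts.items() if n >= min_hits}
```

On the constructed log, only 10.0.0.7 is reported (four failed lookups of random-looking names); the host querying normal names is not, since "example" is both short and low-entropy.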

To elude law enforcement monitoring, botnet authors use public key cryptography to mutually authenticate bots and C&C servers; in this way infected machines will only accept commands sent by controller servers whose identities they have verified.

In the case mentioned by Danchev in his post, the communication between bots and C&C servers relies on the Remote Desktop Protocol (RDP); if the ports are disabled, the malicious code will tunnel the connection over a random port.

Key features of the DIY botnet include:

– Displays all the statistics about the infected host (OS, host, NAT, etc.)
– Shows the last time the bot was active
– Collects information about the payment/banking system used on the infected machine.
– Can update the bot version.
– Searches the log files; tags can be defined for posts for easy sorting.
– Logs errors and access to the administrative panel.
– Controls who is authorized to view the admin panel access logs.
– Controls who is authorized to view the otstuk logs of the bots.
– Fixed an error that allowed a domain name to be generated from the domain range and bots to be intercepted.
– Supports a keylogger
– Can download and execute additional files on the affected hosts.

Following is a sample screenshot of the DIY botnet generating tool and its command and control interface:

Danchev is still monitoring the development of the DIY botnet generating tool and will publish updates as soon as new developments take place; it must be considered that the underground is full of similar offers for various categories of instruments and services.

The security expert noted that cybercrime has stimulated the growth of DIY demand by providing a sales model that meets the customer's needs and gives him all the necessary support during the product's life cycle, from exclusive services available only to community members to DIY cybercrime-friendly tools.

Another interesting phenomenon described by Danchev is the diffusion of DIY cybercrime-friendly tools, and their promotion, under the umbrella of a community brand to boost sales.

This is the case, for example, of an HTTP/SMTP-based keylogger that has been sold to members of a cybercrime-friendly community since 2011 and is shown in the following pictures:


The keylogger includes functionalities typical of this family of products, such as the ability to automatically copy clipboard content into the log file or to write a separate log for each and every process, but what also characterizes this particular software is that the DIY builder is coded individually for each and every customer in an attempt to prevent detection by the security community.

As usual the price is really amazing: just 60 WMZ (WebMoney), or ~$70.00 US. It is not difficult to forecast the rapid diffusion of future releases improved with functionalities requested directly by the community; that is why monitoring the underground is a critical phase in the fight against cybercrime. If you know them, you can defeat them!

Pierluigi Paganini

(Security Affairs – Cybercrime)


Pierluigi Paganini is a member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and of the Cyber G7 Group; he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years of experience in the field and a Certified Ethical Hacker (EC-Council, London). A passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to found the security blog "Security Affairs", recently named a Top National Security Resource for the US. Pierluigi is a member of "The Hacker News" team and writes for major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and many other security magazines. He is the author of the books "The Deep Dark Web" and "Digital Virtual Currency and Bitcoin".
