Thursday 14 July 2011

Tracking Cyber Crime: Ready to Ride v3 (Win32/Cycbot Affiliate)

I've view in twitter the new article of David Harley posted today (@DavidHarleyBlog) about the Win32/Cycbot used by the "Ready to Ride v3" affiliate.
Let it be, It's time to pose as bad guys once again and infiltrate the network.

Main page of Ready To Ride:

Here is what you can see when logged, the 'blog' a news page about latest update:

Statistics, it's just one screenshot but you can have overlall, sub-accounts, countries and manage sub-accounts:

Each hour an AV scan is done with scan4you service, the detection rates are very low.
Here you have the detections for Cycbot and for the exploit pack (BlackHole):

Malware download (Cycbot) and link to exploit pack, with an access to BlackHole statistics:

The info page, (only available in Russian):

Cybot is crypted with a custom shit and upx, but it's isn't hard.

Fixxing the IAT is not a problem too but after there is again some tricks to do if you want make it work.

An AV list like in the David Harley post:

When infected if you try to go on the NOD32, Avira, Avast.. etc.. officials website you will be redirected on a search page "" who will redirect you on a affill search engine like here:

And if you browse one of these results, all will ask you to pay per SMS for download the product:

Hardcoded C&C urls:

Hmm about him, (David Harley) ESET NOD32 don't detect the packed version of Cycbot.
But when unpacked... winning :þ

Two files (Cycbot) are dropped:
%TEMP% ~ csrss.exe
%APPDATA% ~ dwm.exe
I've not checked that deeper but that what's i've see in new running process.

Related ~
Tracking Cyber Crime: PharmIncome and CigIncome Drugstore affiliates (10 July 2k11)
Tracking Cyber Crime: Severa and Black Software AV Affiliates (28 June 2k11)
Tracking Cyber Crime: Gagarincash AV Affiliate (19 June 2k11)
Tracking Cyber Crime: Inside the FakeAV Business (14 Jun 2k11)

No comments:

Post a Comment