Symantec Blogs: Security Response

Peter Coogan | November 4th, 2009

The Fragus exploit pack showed up on our radar a few months ago and has been steadily growing to become one of the most prevalent exploit packs being seen in the wild today by Symantec. It is similar to other popular exploit packs available—such as Unique, YES, Eleonore, and Liberty—but it brings some new and interesting features with it. Exploit packages are generally designed as a means to allow attackers to group and serve exploits from their website against the browsers of unsuspecting visitors. It is done in a nice GUI form, hosted on a Web server, and allows the attacker to generally choose which exploits to run. Once exploited, a final payload is served to the system. All of this is dished up in a control panel with some nice statistics on how successful the campaign has been.  

...

Peter Coogan | October 7th, 2009

We thought it might be interesting to provide some additional information on the Butterfly bot kit, following our blog published last week entitled The Mariposa Butterfly. We posted that blog in response to a report that half of the Fortune 100 companies have been compromised by a botnet dubbed Mariposa (Spanish for "butterfly"). The Butterfly bot kit's creator, known as Iserdo, markets the following features of the bot kit in the user manual supplied with the kit (the below snippet is taken directly from the user manual):

a) Features of bot base

1. Polymorphic code and strings
    code related to bot functionality is encoded
    every time with a different key, same goes for
    strings
2. Installation into hidden location
    installs into location where it is impossible
    to access with Windows Explorer...

Peter Coogan | August 14th, 2009

Twitter.com is once again in the media spotlight. This time security researchers at Arbor Networks have found what is thought to be a botnet using Twitter for its command-and-control operations. Obfuscated Twitter status messages (like the ones in the image below) are being used to send out new download links to malware that Symantec calls Downloader.Sninfs.

[Image: obfuscated Twitter status messages used to distribute download links]

Although Twitter.com has been used in this instance, there are plenty of alternative sites on the Internet that could also be used as a similar medium of communication. Twitter.com has already taken the appropriate action against accounts being used in this way, including suspending the account used in the example above. Our investigation and analysis of Downloader.Sninfs is ongoing but has so far shown that...