The Fragus exploit pack showed up on our radar a few months ago and has steadily grown to become one of the most prevalent exploit packs Symantec sees in the wild today. It is similar to other popular exploit packs available—such as Unique, YES, Eleonore, and Liberty—but it brings some new and interesting features with it. Exploit packs are designed to let attackers bundle exploits and serve them from a website against the browsers of unsuspecting visitors. The pack is hosted on a Web server behind a GUI that lets the attacker choose which exploits to run. Once a visitor's browser is exploited, a final payload is delivered to the system. All of this comes with a control panel showing statistics on how successful the campaign has been.
The Zeus crimeware toolkit has been around now for some time and is well established in the underground economy as being an easy-to-use and powerful tool for stealing personal data from remote systems. Initially linked to a group of criminals known as the “Rock Phish” group and targeting worldwide financial institutions, the toolkit has since become widely available both for sale and for free on underground forums.
The following video provides an insight into the Zeus crimeware toolkit, the underground economy, and distribution methods for the Trojan:
The problem: You develop a software package that you want to sell in the underground community. However, your buyers are not the most reputable/trustworthy people. How do you prevent your product from being purchased once and then distributed freely afterwards? How do you enforce your “copyright”?
The solution: Ask the antivirus companies to help you out.
Here is a perfect example. The screen shot below is taken from a typical underground software package. Shown in the screen shot are the terms and conditions of the sale—the “licensing agreement.” Yes, that’s right; some underground packages come with a licensing agreement. The document is written in Russian, but a translation is provided below.