[Infowarrior] - Botmasters Honeypotting the Good Guys

Richard Forno rforno at infowarrior.org
Fri Nov 5 17:34:25 CDT 2010


Clever.   ---rick


Recently we obtained access to a backend server used by the EFTPS malware campaign that targets U.S. businesses that recently paid their federal taxes. The victim is normally targeted through spam, which claims that an error occurred and the company’s tax payment was rejected. The email contains a link to “remedy” the problem, and leads to a compromised website (and in some cases a website set up by the attackers) that redirects to a server that tries to exploit the user’s web browser and plugins (i.e., MDAC, Adobe Reader, Windows Help Center, Java, etc). For more info on the exploits see the Wepawet report. If any of the exploits are successful, the victim is usually infected with the Zeus trojan.

What particularly stands out about the EFTPS exploit toolkit is their admin interface. Note that it’s common for most exploit toolkits to contain an admin interface that manages exploits, payloads, and tracks exploit success rates. However, the EFTPS exploit toolkit contains a completely fake admin console. This admin interface acts as a “hacker honeypot” that records detailed information about who attempted to access the admin console, as well as who attempted to hack into it. The fake login system conveniently accepts default/easily guessed credentials and common SQL injection strings.

Finally, notice that the user can also upload “new bot” malware, which is also logged. This should serve as a warning to researchers: don’t always believe what you see on these stats pages…

< -- >

http://blog.tllod.com/2010/11/03/statistics-dont-lie-or-do-they/
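The fake login described above, as an added Python example that is not code from the blog post or the EFTPS kit: a decoy admin console that "accepts" default credentials and common injection strings while recording every attempt for the operator. The credential list, the injection patterns and the sample requests are constructed for illustration.

```python
import re
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Constructed default/easily guessed pairs the decoy lets through.
DEFAULT_CREDENTIALS = {("admin", "admin"), ("admin", "password"), ("root", "toor")}

# Constructed patterns for injection strings commonly pasted into login forms.
SQLI_PATTERNS = [
    re.compile(r"'\s*or\s+'?1'?\s*=\s*'?1", re.I),  # ' or '1'='1
    re.compile(r"'\s*(--|#|/\*)"),                   # quote followed by a comment
    re.compile(r";\s*(drop|select|union)\b", re.I),  # stacked statement
    re.compile(r"\bunion\b.+\bselect\b", re.I),      # union-based probe
]

@dataclass
class Attempt:
    ts: str
    ip: str
    user_agent: str
    username: str
    password: str
    tags: list = field(default_factory=list)
    granted: bool = False

class DecoyConsole:
    """Fake admin login: every attempt is logged; 'success' is a lure, not real access."""

    def __init__(self):
        self.attempts = []

    def login(self, username, password, ip, user_agent):
        tags = []
        if (username, password) in DEFAULT_CREDENTIALS:
            tags.append("default-credentials")
        if any(p.search(username) or p.search(password) for p in SQLI_PATTERNS):
            tags.append("sql-injection")
        attempt = Attempt(datetime.now(timezone.utc).isoformat(), ip, user_agent,
                          username, password, tags)
        # Mirror the behaviour described in the post: guessed credentials and
        # injection strings are "accepted" so the visitor stays inside the decoy.
        attempt.granted = bool(tags)
        self.attempts.append(attempt)
        return attempt

if __name__ == "__main__":
    console = DecoyConsole()
    # Constructed sample requests against the decoy.
    console.login("admin", "admin", "203.0.113.5", "Mozilla/5.0")
    console.login("' or '1'='1", "x", "198.51.100.9", "python-requests/2.25")
    console.login("operator", "S3cure!pw", "192.0.2.7", "curl/7.68")
    for a in console.attempts:
        print(a)
```

The recorded attempts are the real product of the decoy; what the visitor sees after a "successful" login carries no operational data.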

