Dream System

“Dream System” is a bot that allows hackers to use infected machines as socket servers and to run any type of file on them.

It launches two types of DDoS attacks:

- HTTP.
- UDP flood.

The bot consists of:

- A server component, called “Dream Bot builder”, which contains the configuration interface and allows servers to be generated.
- A client component, which allows the bot to be managed from a web interface.

Version 1.3 of the bot is sold for $750, including free updates to new versions.

This bot is known as “Dream System” or “Dream sockets”. The name is strikingly similar to the “Dream Downloader” of MPack, which was programmed by the DreamCoders Team, so it is likely to be another piece of software developed by this team.

It is detected in the signature file as part of the Bck/DreamSocks family.

Posted under Malware Alerts

This post was written by Vicente Martinez on June 20, 2007


MPack: how to infect thousands of websites

For a few months now we have been wondering how malware mafias can hack so many web sites automatically to be exploited by MPack. Yesterday a few theories came to light, such as the suggestion that all the hacked servers belong to the same virtual hosting server, or the use of an ‘IFRAME Manager tool’. We have been familiar with this tool for about four months. Its real name is ‘FTP-Toolz pack’ and it is being sold for $25. Here you can see a capture from a Russian forum where it was advertised for sale:

And the tool itself:

When we found MPack at the end of last year we also found a similar tool named ‘RooT [iFrame]’ on one of the hacked servers. There is a funny thing about this one: if you buy it through the Russian version of the hacker’s website, it is just $25, but if you go to the English version of the site, the price doubles to $50. Finally we found yet another one named FTPCheckIframe, this time only in Russian and for $25.

Even though we are still wondering how they gain access to those servers, it seems that they make use of tools such as the ones mentioned and feed them a list of usernames and passwords, probably stolen by the same Trojans and keyloggers they have previously gathered or purchased. But how do they work with all that mess? They can have hundreds of thousands of FTP addresses with usernames and passwords, but they don’t know which ones are working, which ones have write access, and so on.

Then we ran into yet another tool, this time a PHP script that validates FTP accounts. The hacker loads the stolen account lists into a file called acc.txt, and the script (ftp_check.php) dumps the valid ones into a file called valid.txt.
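From the server side, the activity of a checker like ftp_check.php looks quite different from an ordinary brute-force attack: one client tries one stolen password per account across many distinct usernames, and a large share of those attempts succeed. The script below is an added example written for this post (it is not a Panda Security tool and not the attackers' script); it groups FTP login events by client IP and reports clients that touch an unusually large number of distinct accounts inside a short window. The log lines are constructed sample data in the style of a vsftpd log, and the exact line layout is an assumption you should adjust to your own server's format.

```python
"""Detect bulk FTP credential validation in server logs.

Added example (not a Panda Security tool). A credential checker tries one
stolen password per account, so the signal is a single client IP attempting,
and often succeeding against, many distinct usernames within a short window,
rather than many passwords against one username.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed vsftpd-style line, e.g.:
#   Wed Jun 20 10:00:01 2007 [pid 2001] [alice] OK LOGIN: Client "203.0.113.7"
LINE = re.compile(
    r'^(?P<ts>\w{3} \w{3} +\d+ \d\d:\d\d:\d\d \d{4}) \[pid \d+\] '
    r'\[(?P<user>[^\]]+)\] (?P<result>OK|FAIL) LOGIN: Client "(?P<ip>[^"]+)"'
)


def parse(line):
    """Return (timestamp, user, result, ip) or None for non-login lines."""
    m = LINE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%a %b %d %H:%M:%S %Y")
    return ts, m.group("user"), m.group("result"), m.group("ip")


def find_validation_sweeps(lines, window=timedelta(minutes=10), min_users=5):
    """Return {ip: (distinct_users_tried, distinct_users_succeeded)} for
    clients that touched at least min_users distinct accounts within window."""
    events = defaultdict(list)
    for line in lines:
        rec = parse(line)
        if rec:
            ts, user, result, ip = rec
            events[ip].append((ts, user, result))

    alerts = {}
    for ip, evs in events.items():
        evs.sort()
        start = 0
        # Sliding window over this client's events, oldest to newest.
        for end in range(len(evs)):
            while evs[end][0] - evs[start][0] > window:
                start += 1
            span = evs[start:end + 1]
            tried = {u for _, u, _ in span}
            ok = {u for _, u, r in span if r == "OK"}
            if len(tried) >= min_users:
                prev = alerts.get(ip, (0, 0))
                alerts[ip] = (max(prev[0], len(tried)), max(prev[1], len(ok)))
    return alerts


# Constructed sample log: one client walks six accounts in 13 seconds
# (203.0.113.7 is a documentation address, not a real indicator); a normal
# user mistypes once and then logs in from another address.
SAMPLE_LOG = [
    'Wed Jun 20 10:00:01 2007 [pid 2001] [alice] OK LOGIN: Client "203.0.113.7"',
    'Wed Jun 20 10:00:03 2007 [pid 2002] [bob] FAIL LOGIN: Client "203.0.113.7"',
    'Wed Jun 20 10:00:05 2007 [pid 2003] [carol] OK LOGIN: Client "203.0.113.7"',
    'Wed Jun 20 10:00:08 2007 [pid 2004] [dave] OK LOGIN: Client "203.0.113.7"',
    'Wed Jun 20 10:00:11 2007 [pid 2005] [erin] FAIL LOGIN: Client "203.0.113.7"',
    'Wed Jun 20 10:00:14 2007 [pid 2006] [frank] OK LOGIN: Client "203.0.113.7"',
    'Wed Jun 20 10:05:00 2007 [pid 2007] [alice] FAIL LOGIN: Client "198.51.100.2"',
    'Wed Jun 20 10:05:20 2007 [pid 2008] [alice] OK LOGIN: Client "198.51.100.2"',
]

if __name__ == "__main__":
    for ip, (tried, ok) in find_validation_sweeps(SAMPLE_LOG).items():
        print(f"{ip}: {tried} distinct accounts tried, {ok} succeeded")
```

The ratio of successes to distinct accounts is the useful part of the report: a password-guessing attack produces many failures per account, whereas a checker fed with already-stolen credentials succeeds on most of them, which is exactly the case where blocking the client IP and forcing password resets on the validated accounts matters most.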


 


He can then use that information with any of the previous programs (FTP-Toolz pack, RooT [iFrame] or FTPCheckIframe) and automatically infect hundreds of thousands of web pages with the MPack IFRAME.
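For a site owner, the useful question is whether such an injection has already happened to their own pages. The scanner below is an added example for this post (not a Panda Security tool): it parses HTML files and reports IFRAMEs that point at a host other than the site's own and are also hidden, either by a near-zero size or by CSS, which is the combination a legitimate page almost never uses. The sample page and the host name injected.invalid are constructed for the example; the scanner does not handle frames written by obfuscated JavaScript, which need a separate check.

```python
"""Scan HTML files for injected, hidden IFRAMEs pointing to another host.

Added example (not a Panda Security tool). Flags an <iframe> when its src is
on a foreign host AND it is hidden: zero or one pixel wide/high, display:none
or visibility:hidden in its style, or a bare 'hidden' attribute.
"""
import os
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# CSS tricks commonly used to keep an injected frame out of sight.
HIDDEN_STYLE = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden", re.I)


class IframeCollector(HTMLParser):
    """Collect the attribute dict of every <iframe> start tag."""

    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "iframe":
            self.iframes.append(dict(attrs))


def _dim(value):
    """Parse a width/height attribute such as '0', '1px' or '100%' to an int."""
    if value is None:
        return None
    m = re.match(r"\s*(\d+)", value)
    return int(m.group(1)) if m else None


def suspicious_iframes(html, site_host):
    """Return a list of (src, reasons) for iframes that look injected."""
    collector = IframeCollector()
    collector.feed(html)
    findings = []
    for attrs in collector.iframes:
        src = attrs.get("src") or ""
        # urlparse also resolves protocol-relative sources such as //host/path
        host = (urlparse(src).hostname or "").lower()
        external = bool(host) and host != site_host.lower()
        hiding = []
        w, h = _dim(attrs.get("width")), _dim(attrs.get("height"))
        if (w is not None and w <= 1) or (h is not None and h <= 1):
            hiding.append("near-zero size")
        if HIDDEN_STYLE.search(attrs.get("style") or ""):
            hiding.append("hidden via CSS")
        if "hidden" in attrs:
            hiding.append("hidden attribute")
        if external and hiding:
            findings.append((src, ["external src"] + hiding))
    return findings


def scan_webroot(root, site_host, exts=(".html", ".htm", ".php")):
    """Walk a web root and return {path: findings} for files with hits."""
    report = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            if name.lower().endswith(exts):
                path = os.path.join(dirpath, name)
                with open(path, encoding="utf-8", errors="replace") as f:
                    hits = suspicious_iframes(f.read(), site_host)
                if hits:
                    report[path] = hits
    return report


# Constructed sample page: one normal frame and two injected ones. The host
# "injected.invalid" is a placeholder on a reserved TLD, not a real indicator.
SAMPLE_HTML = """<html><body>
<h1>Welcome</h1>
<iframe src="http://www.example.com/news" width="600" height="400"></iframe>
<iframe src="http://injected.invalid/in.cgi" width="0" height="0" style="display:none"></iframe>
<iframe src="//injected.invalid/x.php" width="1" height="1"></iframe>
</body></html>"""

if __name__ == "__main__":
    for src, why in suspicious_iframes(SAMPLE_HTML, "www.example.com"):
        print(f"{src}: {', '.join(why)}")
```

Run scan_webroot against a copy of the document root (or against the live root in read-only mode) and treat any hit as a sign that the FTP credentials for that site have been used by someone else: clean the pages, but also rotate the account password, since the injection will simply be repeated otherwise.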

Posted under Malware Alerts

This post was written by Luis Corrons on June 20, 2007
