Trend Micro Facebook TrendLabs Twitter Malware Blog RSS Feed You Tube - Trend Micro
Search our blog:

  • Mobile Vulnerabilities

  • Zero-Day Alerts

  • Recent Posts

  • Calendar

    March 2014
    S M T W T F S
    « Feb   Apr »
  • Email Subscription

  • About Us

    Archive for March 19th, 2014

    We recently came across this particular post in an underground forum:

    Figure 1. Underground forum post

    This particular post in Russian was advertising a new product, known as “BlackOS”. Contrary to the name, it is not an operating system. However, it is definitely “black”, or malicious: it is used to manage and redirect Internet traffic from malicious/compromised websites to other malicious sites.

    These types of products are not new in underground communities – for example, Brian Krebs talked about the similar site almost two years ago. Even BlackOS itself is not completely new. It is a new version of the earlier “Tale of the North” software, described by security researchers in September 2013.

    Capabilities of BlackOS

    BlackOS and other similar packages are designed to automate the process of managing and exploiting websites easier. This allows a cybercriminal to squeeze out the most profit from his victims. It has a web interface which is used to manage the web traffic and its different features. It can cope with high volumes of Internet traffic, and inject iframes and redirect traffic as specified by its user.

    Here are some of the features of BlackOS, as stated in an advertisement in underground forums (as translated from the original Russian):

    1) Implement the optimal model of converting traffic. Distribute and installs on geo user agent;
    2) Get a unique opportunity to refuse to sell iframe traffic ;
    3) Automatically detect PR domains , links and implement an effective impact on the issuance of search engines ;
    4) Get a fast , stable and socks5 private lists for any of your software, requiring the use of proxy;
    5) Sort the list of accounts as fast as possible ;
    6) Upload any of your scripts with verification . Pour shells and mass execute commands on them set / code cleanup , eval (), system (), sendmail and check antiDDOS ;
    7) Perform a vulnerability scan on your servers
    8) Proccess the parsing Databases of remote CMS

    New features for managing accounts, along with a powerful SEO tools and interface as intuitive novice webmasters and professionals allow us to hope that BlackOS take its rightful place on your work space.

    BlackOS is not particularly cheap. It costs $3,800 a year; a reinstall/rebuild costs $100. For cybercriminals on a budget, basic configurations (16GB of RAM, octacore CPU, and SSD storage) can be rented for $100 a month. (The creators of BlackOS only accept payment in Bitcoin, Litecoin, or Perfect Money.)

    One of the features of BlackOS is integration with online scanners that check if a website is already blocked by various security solutions, as seen below:

    Figure 2. Online scanner
    (Click image above to enlarge)

    As we mentioned earlier, BlackOS appears to be an updated version of the previous Tale of the North package. One may ask why, then, is it being sold as “new” software? For that, we have to look into the Tale of the North and its author, Peter Severa.

    Peter Severa and the Tale of the North

    Peter Severa, who uses the handle Severa in various underground forums, began as a spammer as far back as 2003. He has used various spam botnets to send spam, including the Waledac and Kelihos botnets – in fact, he is currently facing criminal charges relating to his use of the latter. This has not scared him, though: to this day he is still active in the underground.

    His ICQ and Jabber accounts are well-known to the underground community; he also had a Webmoney account at one time, although that account was banned. We believe that the now-banned account was used by another “handle”, which was actually Severa hiding his identity. We also believe that Severa has a new Webmoney account.

    Severa wrote Tale of the North to manage the web traffic coming from users clicking links in his spam emails. For example, he could redirect users to various websites based on their geographic location.

    Recently, however, there appears to have been a dispute between Severa and other people involved with Tale of the North. According to the following underground forum post, Severa left the project and the other “contributors” have continued under the BlackOS name:

    Figure 3. Underground forum post
    (Click image above to enlarge)

    A partial translation of that post follows:

    BlackOS previously sold as North Tale. We had a team and there was a conflict, and I closed the project. The system is now marketed under the name BlackOS, and I have nothing to do with it now. I make no claims to manager/BlackOS; all conflicts between us completely settled and I wish him success in his future development and sales of the software. It ‘s a really cool product that is unparalleled in the market, which required a decent number of man-years of development

    We don’t know much about who’s selling BlackOS now. His Jabber account is publicly known (so would-be clients can contact him), and he also goes by the handle manager. Beyond that, his identity is unclear.

    What about Severa? He hasn’t left the underground community. He is now running two active affiliate programs—both named partially after himself: SevPod and SevSka—that spread spambot malware.

    In February, Severa was advertising SevPod in forum posts, like this one:

    Figure 4. SevPod advertisement
    (Click image above to enlarge)

    A partial translation follows:

    I want to introduce you to your new project – a private affiliate for substitution issue, {affiliate program URL}. I managed to make a really long-lived substitute, and your download will bring you income for many months, even after you stop shipping. Unlike other substitutions, I have bids for virtually all countries. Of course, miracles do not happen, and you will get the maximum revenue from the US, Canada, Australia, UK, Western Europe, but the third world countries will be bring you a steady income for a long time to! 95% of the money that I get for clicks from feed providers, I’m pay for your your ads.

    The about page for SevPod goes on:

    … is the latest revolutionary affiliate program by substitution SERPs. We get maximum bids from our feed providers, 95% of the funds we receive we give to our clients. Convert clicks from almost all countries of the world. We also use more modern methods of monetizing traffic, such as pay per user activity on the site, pay per view and interactions with different content. Unlike click bot traffic, we use live traffic, so our traffic is much more expensive, and will bring you income for a long time.

    From these posts and sites, it is clear that Severa is still involved in the traffic redirection business and spam, although one could say he is focusing more on the “business” aspect of cybercrime than the technical aspects.

    The information we gathered in this post was taken from various underground sources, although all of it was essentially public. We urge any law enforcement agencies investigating Severa or the creators of BlackOS to reach out to us, as we have additional information that is not part of this post.

    Posted in Bad Sites, Malware | Comments Off on New BlackOS Software Package Sold In Underground Forums

    The ZeuS/ZBOT malware family is probably one of the most well-known malware families today . It is normally known for stealing credentials associated with online banking accounts. However, ZBOT is no one-trick pony. Some ZBOT variants perform other routines like downloading or dropping other threats like ransomware.

    We recently came across one variant detected as TROJ_ZCLICK.A, which seemingly “locks” the desktop to display websites. This kind of behavior is out of the ordinary for a ZBOT variant. Once it infiltrates the system, this occurs every time the user performs any activity, such as opening a window or file. These sites occupy the entire desktop screen, hindering access to any open windows or files. There have been instances wherein the user can still see the open windows, but with the sites running in the background. Users can bypass this inconvenience by performing the “show desktop” command but the malware will continue to display windows.

    Figure 1. Sites are displayed full-screen in the background of the running program Space Cadet

     It should be noted that the sites being displayed are all legitimate–running from gaming sites, ticketing sites, music sites to search engines. Users can actually navigate these displayed sites. One curious feature of this malware is that it also performs various mouse movements and scrolling when the mouse is idle.

    It is noteworthy to say that this variant doesn’t perform traditional routines associated with this malware family like stealing information. However, analysis reveals that the sample does contain the ZBOT code and this only means that this ZBOT variant only loads the clickbot routine. In this light, it’s only logical to assume that the main motivation for this variant is to generate income via the pay-per-click model.

    This malware proves that cybercriminals are continuously tweaking familiar or known malware to deliver new payloads, all in the name of generating income from victimizing users. As such, users should always remember key safety practices when going online. Habits like installing the latest software updates or deleting spammed messages can go a long way in protecting computers from threats.

    Posted in Malware | Comments Off on ZBOT Adds Clickbot Routine To Arsenal


    © Copyright 2013 Trend Micro Inc. All rights reserved. Legal Notice