Friday, September 4, 2009

The Future is Friendly

Just as so-called 'early adopters' and techno-geeks are always on the lookout for the latest and greatest in flashy technology, sophisticated botnet administration suites are the current must-have for cybercriminals. As bot malware becomes increasingly easy to propagate and increasingly successful at compromising massive numbers of networked machines, the problem becomes not how to create a botnet, but how to control it. These administration suites provide better handling, control, and more efficient management than their predecessors, giving their users a leg up on the competition.

The Fragus Exploit Kit is a newcomer to the market. Improving upon the trend started by the authors of such suites as the Liberty Exploit System and the Exp Eleonore Pack, Fragus is a grab bag of exploits for vulnerabilities in multiple software components. Similarities abound among these suites, from which vulnerabilities they exploit, to the layout and handling of the control panel, to the domains and IPs from which they can be downloaded. Liberty and Eleonore are both slightly older exploit kits whose latest versions have been updated to include much of the same functionality and ease of use as Fragus.

For the low price of 800 USD, Fragus is designed to simplify the administration of your bot network. It boasts support for English and Russian, and statistical breakdowns of your botnet by browser, by operating system (including version), by country, and by what is euphemistically referred to as your "clients".

Fragus comes pre-installed and ready to exploit:

MDAC - MS07-009, a vulnerability in MS Data Access Components that can allow remote code execution.

PDF - targets three vulnerabilities in Adobe Acrobat Reader: util.printf, Collab.getIcon, and Collab.collectEmailInfo (CVE-2008-2992, CVE-2009-0927, and CVE-2007-5659, respectively).

DirectShow - MS09-032, exploits the MS Video (DirectShow) ActiveX control vulnerability.

Internet Explorer - MS09-002, a critical vulnerability in IE7 that allows memory corruption and remote code execution.

Spreadsheet - MS09-043, an ActiveX control vulnerability in MS Office Web Components.

AOL WinAmp - another ActiveX control vulnerability (CVE-2007-6250).

Snapshot - MS08-041, an exploit targeting the ActiveX control vulnerability in MS Access Snapshot Viewer.

Flash - targets an integer overflow vulnerability in Adobe Flash Player (CVE-2007-0071).

Some of these vulnerabilities have been patched for months or even years, but their inclusion here indicates a high probability that numerous systems remain unpatched. Of greater interest is MS09-043, which, as of Fragus' release, was only one month old. Increasingly, criminals are making use of recently released exploits. This tactic greatly increases their chances of success, as many (if not most) people fall behind on their updates and will likely still be vulnerable to such a recent exploit.

For people concerned about spending $800 on an exploit pack only to have its payload identified by antivirus programs, an extra $150 buys a proprietary encryption program specifically designed to evade detection.

Unsurprisingly, many of the domains and IPs at which Fragus is available have at one time or another hosted other sorts of malware, including the Liberty Exploit System, the Zeus trojan, and various other PDF and Flash exploits.

The future of botnet administration is here now... and it sure is easy to use.

Meaghan Molloy

Threat Analyst

For a far more eloquent presentation of the facts, check out Paul Royal's work at Purewire.
