Fragus – crimeware in the wild
Frameworks for controlling and administering botnets keep appearing, each promising to simplify the operator's work. A posting on an underground forum announced a new one, Fragus v1.0.
Login screen:

Fragus, built with PHP, has a nice and shiny interface that supports English and Russian. It shows statistics on the browsers, operating systems and countries of the infected zombies. During the investigation, some infected hosts running Windows 7 were detected.
Some of the features of Fragus, as listed in the announcement (translated):
# High-quality exploit display, with the possibility of checking via AJAX whether the current exploit has infected the visitor before loading the next one.
# The possibility to redirect the host to a URL of your choice after it is done, so that used traffic is not lost and can be utilized for your own purposes.
# Complete modularity of exploits in the system; your coder will be able to add new ones easily.
# The written-from-scratch cryptor of exploits doesn't overload the browser, but nevertheless protects the exploit pack safely from antiviruses.
# The cryptor lies in a separate file, and if you want you can easily add your own cryptor.
# The templates of the pages that display the exploits, together with the page for those who visit twice, lie separately, disguised as a 404 error.
# Fragus hides from search bots, which prevents domain detection.
# Fragus is highly optimized for operating with massive traffic flows at minimum load on the server.
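To make the cloaking rules in the list above concrete, here is an added example that is not Fragus code (the kit is PHP and its source was not part of the post): a Python model of the gating as the announcement describes it (search bots get a 404, a client that has already been served once gets the disguised 404 page, everyone else gets the landing page), followed by a detector that flags the same pattern in web-server access logs, which is what an analyst reviewing a compromised host or proxy logs would actually look for. The crawler user-agent list, the combined log format and the sample log lines are constructed assumptions.

```python
import re
from collections import defaultdict

# Assumed crawler signatures; a real kit would carry a much longer list.
CRAWLER_UA_RE = re.compile(r"googlebot|bingbot|yandex|slurp|baiduspider", re.I)


def gate_request(user_agent, client_ip, served_ips):
    """Model of the gating rules from the announcement (assumption, not
    Fragus code). Returns (status, page) and records first-time visitors
    in served_ips so that a second visit gets the disguised 404."""
    if CRAWLER_UA_RE.search(user_agent):
        return 404, "404.html"          # hide from search bots
    if client_ip in served_ips:
        return 404, "404.html"          # repeat visitor: disguised as 404
    served_ips.add(client_ip)
    return 200, "landing.html"          # first real visitor: exploits fire


# Apache/nginx "combined" log format (constructed regex).
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "[^"]*" "(?P<ua>[^"]*)"'
)


def parse_log(lines):
    """Yield one dict per parseable combined-format line."""
    for line in lines:
        m = LOG_RE.match(line)
        if m:
            rec = m.groupdict()
            rec["status"] = int(rec["status"])
            yield rec


def find_cloaked_paths(lines):
    """Flag paths that behave like a cloaked landing page: crawlers always
    get 404, browsers get 200 on the first request from an IP and 404 on
    every repeat. Paths with no repeat visits or no crawler hits are not
    flagged, because the pattern cannot be established for them."""
    first_seen = {}                      # (path, ip) -> status of first request
    crawler_hits = defaultdict(list)
    browser_first = defaultdict(list)
    browser_repeat = defaultdict(list)
    for r in parse_log(lines):
        key = (r["path"], r["ip"])
        if CRAWLER_UA_RE.search(r["ua"]):
            crawler_hits[r["path"]].append(r["status"])
        elif key not in first_seen:
            first_seen[key] = r["status"]
            browser_first[r["path"]].append(r["status"])
        else:
            browser_repeat[r["path"]].append(r["status"])
    suspicious = []
    for path, firsts in browser_first.items():
        if (all(s == 200 for s in firsts)
                and browser_repeat[path] and all(s == 404 for s in browser_repeat[path])
                and crawler_hits[path] and all(s == 404 for s in crawler_hits[path])):
            suspicious.append(path)
    return sorted(suspicious)


# Constructed sample log: /in.php shows the cloaking pattern, /index.html does not.
SAMPLE_LOG = [
    '10.0.0.5 - - [12/Aug/2009:10:01:02 +0000] "GET /in.php HTTP/1.1" 200 5120 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1)"',
    '10.0.0.5 - - [12/Aug/2009:10:01:09 +0000] "GET /in.php HTTP/1.1" 404 312 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1)"',
    '66.249.65.1 - - [12/Aug/2009:10:02:00 +0000] "GET /in.php HTTP/1.1" 404 312 "-" "Mozilla/5.0 (compatible; Googlebot/2.1)"',
    '10.0.0.7 - - [12/Aug/2009:10:03:00 +0000] "GET /in.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1) Firefox/3.5"',
    '10.0.0.7 - - [12/Aug/2009:10:03:30 +0000] "GET /in.php HTTP/1.1" 404 312 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1) Firefox/3.5"',
    '10.0.0.9 - - [12/Aug/2009:10:04:00 +0000] "GET /index.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1) Firefox/3.5"',
    '10.0.0.9 - - [12/Aug/2009:10:04:05 +0000] "GET /index.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1) Firefox/3.5"',
    '66.249.65.1 - - [12/Aug/2009:10:05:00 +0000] "GET /index.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0 (compatible; Googlebot/2.1)"',
]

if __name__ == "__main__":
    seen = set()
    for ua, ip in [("Mozilla/5.0 (compatible; Googlebot/2.1)", "1.2.3.4"),
                   ("Mozilla/4.0 (compatible; MSIE 7.0)", "1.2.3.4"),
                   ("Mozilla/4.0 (compatible; MSIE 7.0)", "1.2.3.4")]:
        print(ip, ua[:30], "->", gate_request(ua, ip, seen))
    print("cloaked paths:", find_cloaked_paths(SAMPLE_LOG))
```

The detector is a heuristic, not a signature: a site that serves per-user 404s for other reasons will also match, and a kit that keys repeat visitors on a cookie or a hashed fingerprint instead of the source IP will not produce the 200-then-404 sequence per IP. It is nevertheless a cheap first pass over proxy or web-server logs when a drive-by redirect is suspected, and it needs only the status code and user agent, not the page body.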
Using the modular exploit system is a piece of cake: new exploits can be added easily and crypted to evade detection by anti-virus vendors.
Examples of the exploits bundled with Fragus:
* Mdac
* PDF: printf(), collectEmailInfo(), getIcon().
* MS DirectShow, large break increment
* MS09-002 – for IE7
* MS Spreadsheet, rather new exploit
* AOL IWinAmp
* MS Snapshot
* MS COM finish IE6
Example:

The basic price of the package is 800 USD; extra features are sold separately, e.g. the written-from-scratch cryptor for another 150 USD.