KINS Source Code Leaked

Much Ado About Nothing

Today the KINS source code was posted publicly after being sold to just about everyone and their dog. As expected, it’s just a Zeus modification containing code taken from various places (there is also evidence of a bootkit).

As you can see in this image, there is evidence of a bootkit present in the solution; however, the files have been deleted by either the seller or someone who had the source before me. The deleted files have the same names as those in the Rovnix bootkit (from the leaked Carberp source), so I can say with 100% certainty that the bootkit being used by KINS is the one from the Carberp leak.

This is some basic code to allow execution of 64-bit instructions from inside a 32-bit (wow64) process; I explained how this sort of thing is done in a previous blog post. The code was taken from rewolf’s blog.

The above code makes use of the code taken from rewolf; it allows the bot to escape from the wow64 emulation layer. This is useful because the wow64 layer prevents 32-bit processes from injecting into 64-bit processes on a 64-bit system; KINS uses this code to inject into 64-bit processes from inside a 32-bit (wow64) process.

After a quick look, I wasn’t able to find any evidence of a rootkit; however, I did find this. The code keeps attempting to read the malware’s file until it is successful, then keeps rewriting the file and registry key every 2 seconds. You’ll notice the local variable “hFile” isn’t actually used, so the check is useless.
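The persistence loop described above has a very distinctive footprint on the host: the same process re-sets the same autorun registry value over and over on a fixed two-second cadence, which legitimate software almost never does. The following script is an added example (not code from the post or from the KINS source) showing how a defender could flag that pattern in registry-write telemetry. The log format, file paths, SID and value names are constructed for the example; a real deployment would parse its own source (e.g. Sysmon registry value-set events) instead.

```python
"""Flag processes that rewrite the same autorun registry value on a tight, regular cadence.

Added example, not part of the original post or the KINS source. The pipe-delimited
log format below is constructed to resemble a registry "value set" audit event:
    timestamp|event|process image|registry target
"""
from collections import defaultdict
from datetime import datetime
from statistics import median

# Registry locations whose repeated rewriting is worth alerting on (case-insensitive match).
AUTORUN_MARKERS = (
    "\\software\\microsoft\\windows\\currentversion\\run\\",
    "\\software\\microsoft\\windows\\currentversion\\runonce\\",
)

# Constructed sample telemetry. A bot-like process re-sets its Run value every 2 seconds
# (matching the loop described in the post); explorer.exe and an installer produce
# the kind of one-off or slow, legitimate writes that should not trigger.
SAMPLE_LOG = """\
2013-07-09T10:00:00|RegSetValue|C:\\ProgramData\\sample\\sample.exe|HKU\\S-1-5-21-1111111111-2222222222-3333333333-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\SampleRun
2013-07-09T10:00:01|RegSetValue|C:\\Windows\\explorer.exe|HKU\\S-1-5-21-1111111111-2222222222-3333333333-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Shell Folders\\Desktop
2013-07-09T10:00:02|RegSetValue|C:\\ProgramData\\sample\\sample.exe|HKU\\S-1-5-21-1111111111-2222222222-3333333333-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\SampleRun
2013-07-09T10:00:04|RegSetValue|C:\\ProgramData\\sample\\sample.exe|HKU\\S-1-5-21-1111111111-2222222222-3333333333-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\SampleRun
2013-07-09T10:00:06|RegSetValue|C:\\ProgramData\\sample\\sample.exe|HKU\\S-1-5-21-1111111111-2222222222-3333333333-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\SampleRun
2013-07-09T10:00:08|RegSetValue|C:\\ProgramData\\sample\\sample.exe|HKU\\S-1-5-21-1111111111-2222222222-3333333333-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\SampleRun
2013-07-09T10:05:00|RegSetValue|C:\\Temp\\setup.exe|HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Updater
2013-07-09T10:15:00|RegSetValue|C:\\Temp\\setup.exe|HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Updater
"""


def parse_events(text):
    """Parse the constructed log format into (timestamp, event, image, target) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, event, image, target = line.split("|", 3)
        events.append((datetime.fromisoformat(ts), event, image, target))
    return events


def is_autorun_target(target):
    """True if the registry path sits under one of the monitored autorun locations."""
    lowered = target.lower()
    return any(marker in lowered for marker in AUTORUN_MARKERS)


def find_periodic_rewrites(events, min_writes=4, max_median_interval=5.0):
    """Group value-set events by (process, registry value) and report groups whose
    writes are both numerous and regularly spaced at a short interval.

    Using the median gap (rather than the mean) keeps one long pause, such as a
    reboot, from hiding an otherwise steady 2-second rewrite loop.
    """
    by_key = defaultdict(list)
    for ts, event, image, target in events:
        if event == "RegSetValue" and is_autorun_target(target):
            by_key[(image, target)].append(ts)

    findings = []
    for (image, target), stamps in by_key.items():
        if len(stamps) < min_writes:
            continue
        stamps.sort()
        gaps = [(later - earlier).total_seconds() for earlier, later in zip(stamps, stamps[1:])]
        med = median(gaps)
        if med <= max_median_interval:
            findings.append({
                "image": image,
                "target": target,
                "writes": len(stamps),
                "median_interval_s": med,
            })
    return findings


if __name__ == "__main__":
    for hit in find_periodic_rewrites(parse_events(SAMPLE_LOG)):
        print(f"{hit['image']} re-set {hit['target']} {hit['writes']} times "
              f"(median gap {hit['median_interval_s']}s)")
```

The same grouping logic applies to file-create or file-write events if the telemetry includes them, which covers the other half of the loop (the on-disk copy being rewritten alongside the registry value). Thresholds should be tuned per environment: settings-sync agents and some updaters do touch Run keys repeatedly, but rarely four or more times within a few seconds.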

That’s all

I just highlighted the interesting stuff I found in the source; the rest of the code is taken from Zeus. However, there is a lot of evidence in the solution that points to the presence of a bootkit and some exploits: MS10-073, MS10-092, and a spooler elevation (possibly MS10-061). You can also read xylitol’s post about it here.