I finally got KINS 2 or 3 weeks ago; those who follow me on YouTube probably noticed it from my videos.
KINS is the acronym for Kasper Internet Non-Security; the guys at RSA Security have written an article about it here: https://blogs.rsa.com/is-cybercrime-ready-to-crown-a-new-kins-inth3wild/
The advert was taken from a (lame) forum known as 'verified'; the thread got removed later, as usual when they see that someone has used their advert for a blog post.
I've also read the Fox-IT article about 'kins', but did they even know what they were talking about?
The picture of the CNC just looks like a regular Zeus with a bit of CSS work, and the hashes didn't look like Zeus but also didn't look like the KINS I got.
"users of KINS have migrated to"
Interesting, that means KINS was something else before what I and the criminals now call KINS.
Small edit: that was true and I was wrong; my apologies go to the Fox-IT guys.
I mean, if you look on underground forums, e.g. Darkode, exploit.in etc., KINS stands for this modular Alureon (even on verified or any other underground board).
I know I was wrong, but what can I say when most people call this KINS, so let's call this KINS even if it's not the right thing to do.
No one (just the S21 guys?) has blogged about this variant.
After finally getting KINS, I sent it to RSA Security because of the weird Fox-IT article and also because I appreciate the RSA guys more :) (and I know no one at Fox-IT).
We did a 'collab' analysis of the package.
The KINS 'leaked' package (not really 'leaked' for the moment but 'for sale') is composed of many folders like:
The source folder is half complete, but we already have a good insight into what KINS does.
MS10-073 (win32k.sys KeyboardLayout vuln)
MS10-092 (Task Scheduler vuln)
Some files seem to come from the Carberp leaked archive, e.g. the folder 'common':
Many file names are evocative; KINS is basically: Zeus 220.127.116.11 + Power Loader 2.0 + SpyEye plugins.
And unlike Citadel, KINS is almost 99% a "copy/paste" of Zeus.
output (malware builder and dlls):
admindropper (Power Loader modified panel) aka 'A':
admincore (Zeus modified panel) aka 'B':
The Builder folder is the first folder I opened:
KINS Builder 'Debug version'.
Dropper.exe is detected as Alureon by Microsoft (Power Loader)
Bot32.dll is detected as EyeStye.plugin by Microsoft (SpyEye)
Bot64.dll is detected by just one antivirus (SUPERAntiSpyware), and the signature is generic (LOL!).
Bot32 is a Zeus bot; it has several strings related to SpyEye.
This is probably why Microsoft identifies it as such.
If you start it this way:
It starts to write C:\debug.txt like Zeus does when it starts in debug mode, but then rundll exits and nothing happens.
When you inject it (inside iexplore.exe for example) it grabs data and does the usual things Zeus does, no more no less.
And you can see/dump the base config from memory; it's easy to identify the drop zone and see the webinjects.
Well, just like Zeus, huh?
Here, the 'test' webinject does not work because ya.ru redirects to yandex.ru.
KINS also comes with a readMe, which explains everything about Zeus webinjects and the package.
As for the dropper, well, it's Alureon... MS10-073, MS10-092 and the injection of bot32.dll are working well.
If you want a reliable signature to identify KINS you can use Microsoft's Trojan:Win32/Alureon.GC.
During the whole infection process, the dropper makes several OutputDebugString calls, making the identification of its routines relatively easy.
This KINS package seems more like a test version that is not yet finished than a final package ready for customers.
As for the x64 DLL of KINS and the x64 dropper... as I don't have this architecture I have not looked into those files.
And as for why AV detections have vanished on the x64 versions... no idea.
Now for the other files in the 'output' folder we have:
mod-killer.dll (kills SpyEye- and Zeus-based malware, e.g. Citadel, Ice9, Evolution...)
socks5Server32.dll (for doing reverse connections through a proxy server; we also have socks5Server64.dll)
softwaregrabber.dll (grabs passwords, emails, FTP credentials, cookies, certs...)
Do those plugins remind you of something?
An interesting file was also 'builder_debug.exe.vmp':
18.104.22.168 ~ AS52284 Panamaserver.com
Guess what you find on this IP... a VMProtect panel:
For KINS licenses?
This is what I thought at first, but in the end there is nothing interesting inside; it's more like a 'test' installation.
There is also a CCGRAB panel (usually used alongside SpyEye, Zeus, Citadel, IceIX):
Once again, nothing interesting.
Just some details:
And with a bit of data mining, I traced it back to the coder of KINS.
I had an interesting chat with him, and he confirmed my suspicion about the leak of the unfinished product.
Some files are also hosted on this server, and once again nothing interesting (wtf!):
grb32.dll > 0/46 (pops up an alert window)
torrent.exe > 13/47 (it's Cidox, not KINS related)
Having a look at the folder 'admincore':
You probably guessed it from the folder structure: this is a Zeus control panel (with slight modifications).
For information, here we have fixed the errors and translated the panel to English with the help of @Malwageddon.
This panel was only available in Russian and was also full of bugs (PHP errors everywhere).
Search in database:
For the folder admindropper:
Unlike the previous panel, this one got a lot more code modifications.
As well as the curious title "bdrop v0.5 admin panel" instead of "PowerLoader v2.0".
See my post here for Power Loader: http://www.xylibox.com/2013/09/powerloader-20-alueron.html
Here again the panel was only in Russian and also full of bugs; the screenshot above was taken before our English translation.
Add a task:
Add a file:
Something funny is the fact that everyone seems to have the same problem with KINS (broken panels), and all the panels that we've dumped from malicious servers were similar, with the same errors.
KINS on a malicious server with SSL for MitB webinjects:
To finish... here are two demos, for those who haven't seen them:
KINS Webinject in action: http://www.youtube.com/watch?v=4dL-WTyY6LM
Hacking KINS: http://www.youtube.com/watch?v=NVlqnKPZguw
AV guys: 90CAC1E1AD70EF5433B4E12EFCF78847