The Russian crimeware “YES Exploit System” is a fully manageable kit that generates malicious code for injection into compromised pages or malicious web sites. This code is designed to redirect victims to files on your own hosted exploit server, allowing you to push out malicious files invisibly and instantly, and it has just received a major version update.
The advertisement for the latest version boasts:
“Hacked all Windows version 9x to 7 32 bit and 64 bit
Hacked all browsers running a vulnerable plug-in”
Using the built-in TDS (Traffic Direction System), criminals can specify which malware they want to push out by country, by browser and by OS. It is clearly designed to support the interrelated vendor infrastructure of the criminal economy. YES Exploit System is a fully-fledged platform for delivering malware on behalf of other criminal enterprises, perhaps to seed a new ZeuS campaign or to push out some scareware. As previous blog posts have shown, YES is often bundled into full-service underground ZeuS offerings. As you can see from the screenshot below, projects can be divided on a per-customer basis.
One feature that really stood out for me in this new version, in light of other recent blog postings, was the addition of a module that automates testing against antivirus (AV) vendors to ensure the malware remains undetected. This is in addition to the URL-checking functionality already released in earlier versions of YES.
In another illustration of cloud adoption in online crime, the module is priced on a subscription basis at USD $70 per month (including support, of course) and tests malicious files against 26 of the biggest security companies out there. All processing is offloaded so as not to overburden your own server.
As is so often the case, the first step in this chain of compromise is a malicious script inserted into an otherwise innocent website; my previous blog gives you a few tips on securing your browser against these types of attack.