Ascrimez Kit

The term "Ascrimez Kit" refers to a PHP-script-based hacking kit. It is a set of multiple files (4 files in total), including an exhaustive shell, a spam bot, a file explorer and a notifier which can be used to find further vulnerable systems. Altogether it is a quite interesting kit, showing us that there are active hacker groups out there (doing this as daily business). The kit seems to originate from Albania, although it's important to say that these are just modified scripts (so only the kit, but not the scripts, is new). Its features:

  • Modified, working r57 Shell
  • Spam Bot
  • File Explorer
  • Notifier for finding vulnerable servers

The software names itself "ascrimez 3.5", although no other public versions have ever existed. Download the kit at http://www.web17.webbpro.de/downloads/ascrimez/ascrimez 3.5.zip.

r57 Shell

The r57 shell is already well known among security researchers. It is commonly used by young people and "occasional" hackers. The PHP script is well written and about 2000 lines long. Its main features are (you can review them all in the readme file):

  • Mail Sending
  • File Browser
  • File Search
  • Database Access
  • Botnet Features
  • File Compression/Unpacking
  • Execution of PHP Code, SQL Queries, C Code, Script Code
  • Remote and Local File Server supported

The shell originates from Russia, and the latest version is 1.3, dated 05.03.2006 (so plain nasty old). The original source code contains the following lines:

/*  r57shell.php -                                                                                   
/*                                               : http://rst.void.ru
/*        : 1.3 (05.03.2006)
/*~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~*/
/*                                          : blf, phoenix, virus, NorD                  RST/GHC.
/*                       -                                                                          
/*     rst@void.ru.                                  .
/*~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~*/
/*  (c)oded by 1dt.w0lf
/*  RST/GHC http://rst.void.ru , http://ghc.ru
/*  ANY MODIFIED REPUBLISHING IS RESTRICTED

Both websites appearing there don't work (one doesn't exist, the other has no index.php), but a short search leads to the originator's website at http://rstghc.livejournal.com/profile. A whois lookup outputs the name "Egor N Marcinyuk" as registrant, and his mail egor_mar@yahoo.com. Whois information:

domain:     GHC.RU 
type:       CORPORATE 
nserver:    ns1.ghc.ru. 85.112.149.184 
nserver:    ns2.ghc.ru. 85.112.148.200 
state:      REGISTERED, DELEGATED 
person:     Egor N Marcinyuk 
phone:      +8 066 2988778 
fax-no:     +8 066 2988778 
e-mail:      egor_mar@yahoo.com
registrar:  REGTIME-REG-RIPN 
created:    2004.09.15 
paid-till:  2009.09.15 
source:     TC-RIPN

And yes, there's also a connection to the Russian Business Network / Rock Phish group, via his sub-domain ns1.zeus.vps-private.net. Nothing is invisible.

Abuse.ch published a just-to-try version, which cannot do any harm but shows how the shell works. View it at http://www.abuse.ch/r57shell.php. There is also a picture of the script in action:

[Screenshot: r57 Shell in action]

Spam Script

The kit also contains a small script (jamaican.php) for spamming. The interface is in Portuguese (so it differs from the others). It does not contain any author notice, only the single HTML title "J 4 M A I C A".

File Explorer

As mentioned, the kit also contains a File Explorer (jm.php). It can be used for listing files, upload/download, rename and chmod. I've also published it above with the download of the kit.

Notifier

Like all the other scripts, the notifier is a stolen one as well. It has some telltale references in the code:

//=================================
//
// scan inb0x hotmail v3.0
//
// coded by FilhOte_Ccs and LOST
// re-c0d3d by delet
//
//
//=================================

The attackers operating the kit are also known, because their email addresses appear in the code:

Muito obrigado: <u>J4MAICA</u>");
$email = "rjanio91@terra.com.br";
$assunto = "b0x";
$email1 = "jamaican.playba@hotmail.com, rjanio91@terra.com.br";
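The header comments and hard-coded variables quoted above (the r57 shell banner, the notifier banner, and the spam script's addresses and title) are the strings a web host would look for when checking whether this kit has been planted. The following Python scanner is an added example, not part of the original write-up or of the kit: it walks a web root, reads PHP files and reports which kit component each file's indicators point to. The directory layout and file contents in SAMPLES are constructed for the demo; the indicator strings themselves are the ones quoted on this page.

```python
"""Indicator scan for the Ascrimez kit components described above.

Added example, not part of the original write-up or the kit itself.
The indicator strings come from the header comments and variables quoted
on the page; the sample files below are constructed for the demonstration.
"""
import os
import re
import tempfile

# Indicators quoted on the page, grouped by the kit component they identify.
INDICATORS = {
    "r57shell": [r"r57shell\.php", r"1dt\.w0lf", r"RST/GHC", r"rst\.void\.ru"],
    "notifier": [r"scan inb0x hotmail", r"FilhOte_Ccs", r"re-c0d3d by delet"],
    "spam/notifier": [r"J\s?4\s?M\s?A\s?I\s?C\s?A",
                      r"rjanio91@terra\.com\.br",
                      r"jamaican\.playba@hotmail\.com"],
}

COMPILED = {name: [re.compile(p, re.IGNORECASE) for p in pats]
            for name, pats in INDICATORS.items()}


def classify_content(text):
    """Return the set of kit components whose indicators appear in `text`."""
    hits = set()
    for name, patterns in COMPILED.items():
        if any(p.search(text) for p in patterns):
            hits.add(name)
    return hits


def scan_tree(root, extensions=(".php", ".phtml", ".php5", ".inc")):
    """Walk `root` and return {relative_path: components} for matching files."""
    findings = {}
    for dirpath, _, filenames in os.walk(root):
        for fn in filenames:
            if not fn.lower().endswith(extensions):
                continue
            path = os.path.join(dirpath, fn)
            try:
                # Planted scripts are often saved with odd encodings;
                # errors="replace" keeps the scan going instead of crashing.
                with open(path, "r", encoding="utf-8", errors="replace") as fh:
                    text = fh.read()
            except OSError:
                continue
            hits = classify_content(text)
            if hits:
                rel = os.path.relpath(path, root).replace(os.sep, "/")
                findings[rel] = hits
    return findings


# Constructed sample web root: a planted shell, a planted notifier/spam
# script, and one clean file that must not be reported.
SAMPLES = {
    "images/r57.php": ("<?php\n/*  r57shell.php -\n/*  (c)oded by 1dt.w0lf\n"
                       "/*  RST/GHC http://rst.void.ru\n?>"),
    "tmp/jm.php": ('<?php\n// scan inb0x hotmail v3.0\n'
                   '$email = "rjanio91@terra.com.br";\n?>'),
    "index.php": "<?php echo 'hello'; ?>",
}


def build_sample_root():
    """Write the constructed samples into a fresh temporary directory."""
    root = tempfile.mkdtemp(prefix="ascrimez_demo_")
    for rel, content in SAMPLES.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w", encoding="utf-8") as fh:
            fh.write(content)
    return root


def demo():
    """Scan the constructed sample root and return the findings."""
    return scan_tree(build_sample_root())


if __name__ == "__main__":
    for path, comps in sorted(demo().items()):
        print(f"{path}: {', '.join(sorted(comps))}")
```

Point `scan_tree` at a real document root to use it; the regexes are deliberately loose on the "J 4 M A I C A" title because the spam script writes it spaced while the notifier uses it unspaced, and a match on any single indicator is enough to warrant a manual look at the file.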

So what can we say about the attackers?

Well, the attackers are from Brazil; they speak Portuguese there. This implies and explains that the spam script was written by them (on their own). It finally seems that they are making money by spam, and for that reason they are looking for vulnerable websites to place their spam script on.

Pwned!


Last modified: 3 March 2009