News from the Rock Phish Gang

Definitely interesting:

Based in Europe, the Rock Phish group is a criminal collective that has been targeting banks and other financial institutions since 2004. According to RSA, they are responsible for half of the worldwide phishing attacks and have siphoned tens of millions of dollars from individuals’ bank accounts. The group got its name from a now discontinued quirk in which the phishers used directory paths that contained the word “rock.”

The first sign the group was expanding operations came in April, when it introduced a trojan known alternately as Zeus or WSNPOEM, which steals sensitive financial information in transit from a victim’s machine to a bank. Shortly afterward, the gang added more crimeware, including a custom-made botnet client that was spread, among other means, using the Neosploit infection kit.


Soon, additional signs appeared pointing to a partnership between Rock Phishers and Asprox. Most notably, the command and control server for the custom Rock Phish crimeware had exactly the same directory structure of many of the Asprox servers, leading RSA researchers to believe Rock Phish and Asprox attacks were using at least one common server. (Researchers from Damballa were able to confirm this finding after observing malware samples from each of the respective botnets establish HTTP proxy server connections to a common set of destination IPs.)

Posted on September 10, 2008 at 7:47 AM14 Comments


sooth sayer September 10, 2008 8:40 AM

which steals sensitive financial information in transit from a victim’s machine to a bank<<

Whatever happened to the security promised by ssl and (theoretical) defenses against man(or woman now) in the middle attack ?

David September 10, 2008 8:54 AM

@Sooth Sayer

If you “own” the machine, then you own the end “after” the decryption takes place. Internet explorer bundled into the OS makes it VERY easy.

Got to see it with a 2006 malware that stole “everything” you saw and typed, including intranets, SSL, etc..

Jakub Narebski September 10, 2008 9:04 AM

@sooth sayer: I guess (barring subvering either user’s machine, or bank server) that they used Man In the Middle attack; how close do you check SSL/TLS certificates?

Ross Snider September 10, 2008 9:15 AM

@ Sooth Sayer

This isn’t a man in the middle attack, since they are on one end of the encryption. Man in the middle is when you can sniff or relay (and therefore change) data going between computers.

As soon as you have execution on one of those machines the paradigm has changed.

Your question is like asking “How did John hear if she whispered it to both Bob and John?”

Jeroen September 10, 2008 9:35 AM

@Sooth Sayer

In addition to the other comments: Many phishing attacks rely on he fact that people not only fail to check the security certificates, they fail to recognize at all that a session to their bank SHOULD be encrypted but is not. So an attacker can set up an SSL session to that bank with the data provided by the user over the unencrypted line.

rich September 10, 2008 11:01 AM

@sooth sayer

Not sure where you got the impression that this was MITM. But if it was the portion of the article wherein it refers to the exploit occuring “in transit” – that is simply journalistic misunderstanding. Basically, based on my understanding of the inital exploit: users get phished, users get WNSPOEM trojan, trojan gets sensitive data from client, user is pwned.

There are, of course, ways to pwn users using MITM but that isn’t what this article is about.

This is about a link between Asprox and Rock Phish as they both are employing the same directory structure (which tends to imply some connection) in the command/control servers in their respective “fast-flux” bot-nets. Or at least that was my reading.

sooth sayer September 10, 2008 12:53 PM

@all the commentator

read the description of the problem more closely .. or any closely.

in transit from a victim’s machine to a bank<<

I have no idea what you guys are reading; but this says nothing of infected machines or bogus certificates — it clearly says someone was intercepting the sessions

K. Signal Eingang September 10, 2008 12:53 PM

The point’s been made before, but SSL is really not much of a security measure… MITM attacks are the exception, endpoint attacks are the rule. SSL is more about securing what was easy to secure than what needed to be secured.

Davi Ottenheimer September 10, 2008 2:05 PM


“I have no idea what you guys are reading; but this says nothing of infected machines”

Read the whole sentence again, especially the part before the comma that says “…introduced a trojan known alternately as Zeus or WSNPOEM, which steals sensitive financial information in transit from a victim’s machine”

Trojans are a reference to infected machines.

Limbo, Snatch, WSNPOEM/TCPWP/Zeus, etc. are host-based and not network MIIM.

rich September 10, 2008 4:03 PM

@sooth sayer

well, yes and no. the point isn’t the trojan, or previous exploits but rather the link between the bot-nets. i would guess that those items were just thrown in to beef up the register article and maybe give some history.

ultimately, though, one should be able to understand that this isn’t about MITM since that isn’t what trojans or bot-nets do.

also, probably should throw in here that SSL isn’t a complete security – it has a role but a limited one. for instance, if you are surfing unsecured wireless, like bruce here does (ssl or not), you may be pwned

rich September 11, 2008 9:20 AM



I wonder if anyone commenting on this post will ever have an opinion about the forensic link between rock phish and asprox instead of an off-topic remark about SSL or MITM or helpfully pointing out that a trojan could be a key-logger?!?!?

I, for one, am done with the charity work of trying to convince people that this post is not about MITM and does not implicate SSL (in its limited role).

Leave a comment


Allowed HTML <a href="URL"> • <em> <cite> <i> • <strong> <b> • <sub> <sup> • <ul> <ol> <li> • <blockquote> <pre> Markdown Extra syntax via

Sidebar photo of Bruce Schneier by Joe MacInnis.