Posts archive: 2012
2012 Dec
- Dec 30 - What happens if RedKit Exploit Kit teams up with BlackHole EK? = Triple payload + infection of Kelihos!
- Dec 27 - Announcement of Multiple Malware Domain Deactivation Progress - The "Operation Tango Down"
- Dec 22 - The Crime Still Goes On: Trojan Fareit Credential Stealer - New Server, Same Group, Same Game (via BHEK/Cridex)
- Dec 16 - Getting more "Personal" & Deeper into Cridex joint with Fareit Credential Stealer Infection
- Dec 15 - "More" Spam to BHEK to Cridex; How they define, grab, handle & send the credentials + more things that we really (don't) need to know...
- Dec 12 - Update: The BHEK-Using Trojan Password Stealer Bad Actors Are Shifting Their Evil Service to a German VPS at AS25074 (SECURENETZ-DE)
- Dec 12 - JS/RunForrestRun Infector Comeback! Full Disclosure of Decoding URL, DGA Domain List, Registrar & DNS info.
- Dec 11 - List of Name Servers used by Blackhole (BHEK) v2 Password Stealer Infector Bad Actors
- Dec 10 - Fake Facebook Notification Leads to Cridex/PasswordStealer via BHEK2, The Same Bad Actors Confirmed!
- Dec 09 - Spam "You have been sent a file" + WordPress Redirector + BHEK2.x (PluginDetect 0.7.9) + New Shellcode Obfuscation = Cridex Password Stealer
2012 Nov
- Nov 25 - Full Disclosure: Analysis of Fake Facebook Notification redirecting to Obfuscated Blackhole (PluginDetect 0.7.9) and infecting with Cridex Malware
- Nov 24 - How, from where, by which IP you got infected w/FakeAV: System Progressive Protection; UPS Fake Spam, Spain's Front End Infector+Support Page, and Taiwan's CnC server
- Nov 18 - PluginDetect 0.7.9 infector "et" Cridex Payloads of BlackHole Exploit Kit v2 (203.80.16.81) used CVE-2012-4681, CVE-2012-5076, CVE-2009-0927++
- Nov 17 - What Serenity Exploit Kit Dropped: Full Analysis & Samples of a Spambot
- Nov 07 - Full Disclosure: An inside peek of BlackHole v2 Landing Page Infector Server
- Nov 04 - Unknown Exploit Pack with Webshell WSO 2.3 (diversified.usereasy.net./63.250.48.135) Malware Infector, Spam Site Redirector + Webalizer :-)
2012 Oct
- Oct 29 - The crusaders' note: When #malware infector goes to Cloud - Part 2: Amazon AWS loaded with Trojan Bank Spy/Downloaders
- Oct 29 - The crusaders' note: Suspected JS/RunForrestRun aka PseudoRandom's NEW bad actor scheme is ongoing..
- Oct 29 - The crusaders' note: Found the CNC of TrojDownloader/Backdoor/Spy in GoDaddy
- Oct 29 - The crusaders' note: New BHEK2 actor spreads Zbot P2P sets
- Oct 22 - (Updated) A tale of mass infection of BHEK2 "border.htm" during a DDoS storm - Changes in JAR detected - Payload: Cridex - Malware Crusaders Logs
- Oct 19 - Decoding Multilayer JavaScript Packed Deobfuscation Code - Daily Log of Malware Crusaders..
- Oct 15 - Evil App: Russian FruitNinja - #Android Backdoor Analysis
- Oct 07 - [Updated] Fuzzy in Manual Cracking New PseudoRandom (JS/runforestrun?xxx=) Infector
- Oct 01 - How EVIL can the PHP/C99Shell be? From SQL Dumper and Hacktools to a Future Trojan Distributor?
2012 Sep
- Sep 30 - Chinese Malvertisement of OnlineGame Trojan/InfoStealer Exploiting CVE-2012-1889 (MSXML bug, MS12-043)
- Sep 22 - Following a lead of "Suspected" Blackhole2 - New changes in the PluginDetect PDF infection method, PDF/JavaScript codes
- Sep 20 - "Geek" Way in Reversing #CVE-2010-1885 Infection via PluginDetect Script/Blackhole EK (85.17.165.22)
- Sep 18 - Monitoring a BlackHole Exploit Kit Services & Infectors (Target: 203.91.113.6)
- Sep 16 - A peek into "qaqipwel.ru" a Malicious Domain Redirector with Pseudo/Dynamic IP - Infector to RedKit Exploit Kit
- Sep 16 - Slight changes detected in shellcode & dropper works of Blackhole Exploit Kit (landing page: 203.91.113.6 / mothership: 146.185.220.34)
- Sep 13 - Once upon a time with 62.152.104.149's undetected CVE-2012-4681 HTML infector (+full set of JAR payload infection)
- Sep 09 - A discovery of an undetectable ZeuS/Spyware Trojan by following a lead of Blackhole Infection via Spam
- Sep 06 - When #malware infector goes to Cloud: Trojan Banker in Free Cloud Storage - MediaFire
- Sep 06 - Racing with time to get the latest payload of Blackhole Exploit Kit
- Sep 04 - Cracking a Strongly Encrypted PHP/IRC Bot (PBOT) with TCP/UDP (DoS) Flooder + Backdoor (bt.php)
- Sep 02 - Important - Blackhole Exploit Kit starts dropping undetectable payloads via OS-detect plugin script dropper
- Sep 01 - Malware Hunting Log - JS/PseudoRandom infected cufon.js in WordPress
- Sep 01 - Hunting Log - PHP/RemoteAdmin
- Sep 01 - Malware Hunting - Write Reports as Hunting PoC
- Sep 01 - Suspicious Movement in ASN40034 (infector to tr2.4voip.biz & fwdservice.com)
- Sep 01 - Understanding Recent Blackhole Exploit Kit's "js.js" Infector Trend for Smart Hunting
- Sep 01 - PseudoRandom Infector URLs - An idea for grepping them (a logic bug to be used)
- Sep 01 - What can an Exploit Kit do & drop? The full story from spam to malware
2012 Aug
- Aug 31 - Payloads URI die hard - Blackhole Exploit Kit
- Aug 31 - (Updated) Beware of BABYLON, Adware that spreads like an Exploit Kit
- Aug 30 - Undetected Orange Exploit Kit Infector
- Aug 30 - What Orange Exploit Kit Dropped
- Aug 30 - Fake Flash Updater presented by #blackhole
- Aug 30 - New Blackhole HTML Infector found
- Aug 30 - Interesting Idea: (Pastebin) How to stop Blackhole Exploit Kit by using its vulnerability
- Aug 29 - #MalwareMustDie - Day 1 Opening Day Report
- Aug 28 - The rise of "#MalwareMustDie!"