Posts archive: 2013
2013 Dec
- Dec 29 - MMD-0012-2013 - ARP Spoofing Malware Infection Project Disclosure
- Dec 29 - MMD-0011-2013 - Let's be more serious about (mitigating) DNS Amp ELF hack attack
- Dec 11 - BotConf 2013 - #Kelihos: Payload+Domain Analysis, Actor's ID Disclosure, Stopping Payload (as Crime PoC)
- Dec 03 - #Tango Down of 2,989 (allowed to release: 311) Malicious domains Related to Kelihos Reseller
2013 Nov
- Nov 13 - MMD #Tango Down of 44 + 19 + 75 CryptoLocker CnC Domains
- Nov 08 - A Step by Step Decoding Guide for CookieBomb's (as Front-end) Latest Threat, with Evil ESD.PHP Redirection (as the Back-end)
- Nov 05 - MMD-0010-2013 - Wordpress Hack Case: Site's Credential Stealer with New ASCII Obfuscation in POST Destination URL
- Nov 02 - MMD-0009-2013 - RunForrestRun DGA "Comeback" with new obfuscation
- Nov 02 - How bad an IP's Reputation can be? A story of: 31.170.179.179 & 62.116.143.18 (park domains)
2013 Oct
- Oct 21 - MMD-0008-2013 - What's Behind the #w00tw00t Attack
- Oct 12 - Intelligence report. Beware: Trojan7sec, A wolf in sheep's skin
- Oct 10 - MMD-0007-2013 - KINS? No! PowerZeuS, yes! Source Code for View & Download
- Oct 07 - ...And (again!) ZeroAccess/Sirefef is NOT Dead (yet!)
2013 Sep
- Sep 21 - MMD-0006-2013 - Rogue 302-Redirector "Cushion Attack", an attempt to evade IDS/IPS
- Sep 09 - MMD-0005-2013 - A Leaked Malvertisement, Cutwail+BHEK & Triple Payloads of "Syria Campaign"
2013 Aug
- Aug 08 - The result on 48hours+ in battle with Kelihos < request for FURTHER block/dismantle cooperation & support. #Tango is going down..
- Aug 02 - MMD-0004-2013 - "You hacked.. we cracked" - "WP Super Cache" & Glazunov EK
2013 Jul
- Jul 25 - #Alert! #Facebook scam emails that will lead you to #Blackhole EK (162.216.18.169, GoDaddy/Linode)
- Jul 25 - Suspension announcement of 97 .RU domains (registered in REGGI.RU) used by Kelihos Crime Group to spread payload via Red Kit Exploit Pack
- Jul 23 - MMD-0003-2013 - First "comeback" of the .RU RunForrestRun's DGA with 365 domains infector (ALIVE!)
- Jul 23 - What is behind #CookieBomb attack? (by @malm0u53)
- Jul 21 - Some encoding note(s) on modified #CookieBomb attack's obfuscated injection code
- Jul 19 - #Alert - Kelihos payload download zone in .RU 93 domains still ALIVE - RedKit EK #malware distribution!
- Jul 19 - MMD-0002-2013 - How Cutwail and other SpamBot can fool (spoof) us?
- Jul 17 - MMD-0001-2013 - Proof of Concept of "CookieBomb" code injection attack
2013 Jun
- Jun 29 - Suspension announcement of 61 unique domains used by Blackhole Exploit Kit ("closest" type) Crime Group operated on 80.78.247.114 (Russia)
- Jun 24 - Knockin' on Neutrino Exploit Kit's door.. (where is "that" PluginDetect 0.8.0 ??)
- Jun 07 - MMD-0000-2013 - Malware Infection Alert on Plesk/Apache Remote Code Execution zeroday vulnerability
- Jun 05 - A mistery of Malware URL "cnt.php" Redirection Method with Apache's mod_rewrite.c's RewriteCond in .htaccess
- Jun 04 - Case of Pony downloading ZeuS via Passworded Zip Attachment of Malvertisement Campaign
- Jun 03 - Full disclosure of 309 Bots/Botnet Source Codes Found via Germany Torrent
2013 May
- May 30 - Another story of Unix Trojan: Tsunami/Kaiten.c (IRC/Bot) w/ Flooder, Backdoor at a hacked xBSD
- May 29 - A story of a Spam Botnet Cutwail Trojan - Via fake Paypal's spam link w/redirector (92.38.227.2) backboned by BHEK2 (80.78.247.227)
2013 Apr
- Apr 25 - CNC analysis of Citadel Trojan Bot-Agent - Part 2: Understanding its stealer functionalities by decoding the configs
- Apr 21 - (Peeling + Exposal) Kelihos via Redkit, mass-infection threat following unfortunate US disaster news..
- Apr 15 - #Howto - Analysis infection of RedKit sourced at 91.206.200.199 via OS X/Mountain Lion
- Apr 08 - CNC analysis of Citadel Trojan Bot-Agent - Part 1: with Wireshark
- Apr 05 - Mystery of unknown EK using JAR exploit with Hidden Class & XOR-Encoded Embedded RansomWare
2013 Mar
- Mar 26 - Announce of Multiple Malware Domains Deactivation March, 2013 - The "Operation Tango Down"
- Mar 24 - The Evil Came Back: Darkleech's Apache Malware Module: Recent Infection, Reversing, Prevention & Source Details
- Mar 07 - Fake Adobe Flash Updater in 173.246.102.2 - Win32/Fareit downloads Win32/Medfos (to then download OTHER malware at Megaupload.com)
- Mar 05 - Case: "*.RU:8080/*/column.php", Hey Stealer! What do you want to steal today? Keywords: #Cridex #Fareit #Naunet
2013 Feb
- Feb 21 - Hulk and Malware Crusaders vs FakeAV scandsk.exe (Win32/Simda Backdoor Downloader)
- Feb 20 - Blackhole NOW served Cridex combo with Ransomware rotated with GeoIP - Changes in credential crime scheme (powered by NAUNET.RU)
- Feb 10 - "Confirmed ITW" CVE-2013-0634 This LadyBoyle is not nice at all.
- Feb 06 - Blackhole of "/closest/" version with an infection of Trojan ZeroAccess (alias MaxPlus, Sirefef) w/Recycler Variant
- Feb 03 - The infection of Styx Exploit Kit (Landing page: painterinvoice.ru + Payload: PWS/Ursnif Variant)
- Feb 02 - Peeking at Anon JDB Exploit Kit JAR infectors (212,7,192,100/jdb/lib/java/lives/xxx) - Story continues, many more Payloads came up!
2013 Jan
- Jan 31 - Peeking at Anon JDB Exploit Kit infector (212.7.192.100/jdb/inf.php?id=xxx) with AV verdicted called "DarkKomet", but actually a NayraBOT/AryaNBot an IRC Backdoor USB Worm
- Jan 29 - CrimeBoss landing page and its Jar infector
- Jan 27 - Hulk teams up with the Malware Crusaders to smash The CrimeBoss! (infector abrahamspath.org.uk//cb.php)
- Jan 27 - A Guide to flush Blackhole payloads (Cridex dropped Fareit case)
- Jan 27 - When the PWS Stealer try to improve their way to steal... a story of Cridex/PWS Fareit (via Blackhole EK at eziponoma.ru:8080)
- Jan 20 - A case of "Buggy Ransomware" with Backdoor, Spyware (is an Andromeda + Botnet CnC) Infection via Apache's Blackhole Exploit Kit
- Jan 18 - Cridex + Fareit Infection Analysis - "dozakialko.ru:8080" A Credential Stealer Case
- Jan 14 - Flushing, Peeling and Understanding the Cool Exploit Kit infection
- Jan 14 - Decoding #Guide: Double Obfuscation Blackhole Exploit Kit Landing Page (re-upload issue)
- Jan 13 - Some De-obfuscation notes on CritXPack Exploit Kit at root(.)kaovo.com
- Jan 12 - Trojan VBS/Bicololo at infected WordPress
- Jan 12 - Once upon a time with another Red Kit infection & its Payload
- Jan 11 - A double hit - PC Trojan W32/VBS Bicololo and Mobile Java Android/Trojan SMS Apps via a hacked Wordpress site
- Jan 10 - Let's say Hello! to Impact Exploit Kit w/ RansomWare Infector
- Jan 04 - A PBot (PHP + Perl Backdoor IRC Bot + Network Attack Tool) Infection on hegeman.com