Monday, May 30, 2011

Keeping Money Mule Recruiters on a Short Leash - Part Nine


The following brief summarizes currently active money mule recruitment web sites, which recruit money mules to process fraudulently obtained funds.

Currently active sites residing within AS42708, PORTLANE Network www.portlane.com; AS29713, INTERPLEXINC Interplex LLC; AS38913, Enter-Net-Team-AS; AS24940, HETZNER-AS Hetzner Online:


Name servers of notice:

Monitoring of money mule recruitment campaigns is ongoing.

Related posts:
Keeping Money Mule Recruiters on a Short Leash - Part Eight - Historical OSINT
Keeping Money Mule Recruiters on a Short Leash - Part Seven
Keeping Money Mule Recruiters on a Short Leash - Part Six
Keeping Money Mule Recruiters on a Short Leash - Part Five
The DNS Infrastructure of the Money Mule Recruitment Ecosystem
Keeping Money Mule Recruiters on a Short Leash - Part Four
Money Mule Recruitment Campaign Serving Client-Side Exploits
Keeping Money Mule Recruiters on a Short Leash - Part Three
Money Mule Recruiters on Yahoo!'s Web Hosting
Dissecting an Ongoing Money Mule Recruitment Campaign
Keeping Money Mule Recruiters on a Short Leash - Part Two
Keeping Reshipping Mule Recruiters on a Short Leash
Keeping Money Mule Recruiters on a Short Leash
Standardizing the Money Mule Recruitment Process
Inside a Money Laundering Group's Spamming Operations
Money Mule Recruiters use ASProx's Fast Fluxing Services
Money Mules Syndicate Actively Recruiting Since 2002

This post has been reproduced from Dancho Danchev's blog.

Thursday, May 26, 2011

A Peek Inside the Vertex Net Loader


It appears that the author of the DarkComet RAT has been keeping himself rather busy.

In early-stage development (currently in BETA), the Vertex Net Loader is your typical web-based command and control malware loader, worth keeping an eye on.

More details:
Info on the loader:
This is the small program that will send/retrieve info from/to the web panel; it is like the server part of a RAT. The loader is coded in C++. Size unpacked is ~100kb; compressed it is very small and still stable. I chose C++ as the language for this project because I have coded in C++ for a long time but never released any security software, so, as a friend said, it is a shame to have knowledge of C++ and not use it instead of Delphi all the time. Also C++ is faster and more stable than any other language.

Features of the loader:
- Send message box
- Execute any kind of commands
- close loader process
- Download files and execute them
- Get the process list
- Get the modules list from PID
- Set the keylogger status ON/OFF
- Retrieve the keylogger logs
- Read the file content and retrieve it
- Uninstall the loader
- HTTP flood, the same technology I used for DarkComet, which is very powerful
- Remote shell
- Visit any webpage


Upcoming features:
- FWB
- More commands
- Panel Installer
- More possibilities in the webpanel
- User manager in the panel
- Plugins support
- and more.



Monitoring of Vertex Net Loader's development is ongoing.

Related posts:
A Peek Inside a New DDoS Bot - "Snap"
Coding Spyware and Malware for Hire
Will Code Malware for Financial Incentives
E-crime and Socioeconomic Factors
Web Based Botnet Command and Control Kit 2.0
BlackEnergy DDoS Bot Web Based



Wednesday, May 25, 2011

Keeping Money Mule Recruiters on a Short Leash - Part Eight - Historical OSINT


With money mule recruitment scams continuing to represent an inseparable part of the cybercrime ecosystem, in this post I'll summarize the findings from an assessment I conducted over a month ago on then-active mule recruitment scams. As always, the historical OSINT offered is invaluable for case-building, in particular against a very well segmented group of mule recruiters using identical templates, which they purchased from a vendor of standardized mule recruitment templates.

Domains known to have been participating in money mule recruitment campaigns, currently offline:


Name servers of notice, historical OSINT for the responding IPs provided:

Monitoring of money mule recruitment campaigns is ongoing.

Related posts:
Keeping Money Mule Recruiters on a Short Leash - Part Seven
Keeping Money Mule Recruiters on a Short Leash - Part Six
Keeping Money Mule Recruiters on a Short Leash - Part Five
The DNS Infrastructure of the Money Mule Recruitment Ecosystem
Keeping Money Mule Recruiters on a Short Leash - Part Four
Money Mule Recruitment Campaign Serving Client-Side Exploits
Keeping Money Mule Recruiters on a Short Leash - Part Three
Money Mule Recruiters on Yahoo!'s Web Hosting
Dissecting an Ongoing Money Mule Recruitment Campaign
Keeping Money Mule Recruiters on a Short Leash - Part Two
Keeping Reshipping Mule Recruiters on a Short Leash
Keeping Money Mule Recruiters on a Short Leash
Standardizing the Money Mule Recruitment Process
Inside a Money Laundering Group's Spamming Operations
Money Mule Recruiters use ASProx's Fast Fluxing Services
Money Mules Syndicate Actively Recruiting Since 2002


Tuesday, May 10, 2011

Keeping Money Mule Recruiters on a Short Leash - Part Seven


Continuing what has turned into a tradition, the "Keeping Money Mule Recruiters on a Short Leash" series, in this post we'll review currently active money mule recruitment sites and provide vital OSINT data on what currently acts as the cornerstone of the monetization process cybercriminals rely on: risk forwarding through the recruitment of money mules to process fraudulently obtained funds.

Description used on the majority of templates:
"Looking to buy art? Sell art? Alternative Art Ltd is the first choice for artists and buyers alike! Alternative Art Ltd is an effective tool for the artist and emerging artist to market and promote their art in a professional and inexpensive manner. We will market your art to the international community of art buyers. Whether you are looking to buy or sell original art, Alternative Art Ltd is the premier art site for those seeking to buy or sell original art online.

NO COMMISSIONS! Whether you are looking to buy art or sell art, our site is fully optimized to get results FAST! Alternative Art Ltd is the future of buying and selling original art online. Artists who choose to sell their original art will receive maximum marketing exposure. For artists, selling your art has never been easier, faster, or more cost-effective. We will help you sell your original art DIRECTLY to buyers worldwide with NO COMMISSIONS. Those wishing to buy art online are invited to browse our extensive online galleries of original art. Never before has it been this easy for a buyer to select high-quality original art online. We update daily with new original art from our artist members.

Alternative Art Ltd offers casual collectors and serious connoisseurs alike an amazing collection of original art pieces from the world over. You'll enjoy unparalleled customer care from a knowledgeable and friendly staff of experts. For artists, the inconvenience and high costs of traditional galleries are completely eliminated. Our team of experts puts the latest technology to work for you, putting your original art in front of millions of potential art buyers!"

Money mule recruitment domains:


Name servers of notice:


Currently active and responding money mule recruitment domains, residing within AS42708, PORTLANE Network; AS29713, INTERPLEXINC Interplex LLC.; AS24940, HETZNER-AS Hetzner Online AG RZ:

Psychological evaluation tests found within AS29713; basically every domain name has an associated binary:


Monitoring of money mule recruitment campaigns is ongoing.
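The domain lists in this post and in Parts Eight and Nine above share one line format, and the pivots that turn them into case-building material are shared hosting IPs, shared /24 ranges, a contact mailbox reused across sites, and a mailbox that belongs to another site in the same list. The following Python is an added example, not the author's own tooling, that parses that format and runs those pivots; the domains, TEST-NET addresses and mailboxes in SAMPLE are constructed for illustration and are not indicators from the post.

```python
"""Pivot a 'domain - ip - Email: addr' indicator list into infrastructure clusters."""
import re
from collections import defaultdict
from ipaddress import ip_network

# Constructed sample in the lists' format; every name is made up (.example, TEST-NET, .invalid)
SAMPLE = """\
alpha-groupllc.example - 192.0.2.10 - Email: admin@alpha-groupllc.example
alphagroup-llc.example - 192.0.2.10 - Email: frost@mailbox.invalid
ALPHAGROUP-LLC.EXAMPLE - 192.0.2.10 - Email: frost@mailbox.invalid
beta-artltd.example - 192.0.2.11 - Email: frost@mailbox.invalid
betaart-uk.example - 192.0.2.12 - Email: admin@beta-artltd.example
gamma-groupinc.example - 198.51.100.7 - Email: blurt@mailbox.invalid
gammagroup-inc.example - 198.51.100.9 - Email: blurt@mailbox.invalid
delta-llc.example - 198.51.100.20 - Email: admin@delta-llc.example
epsilon-ltd.example - Email: admin@gamma-groupinc.example
"""

# domain, optional " - ip", optional " - Email: addr"; anything else is rejected
LINE_RE = re.compile(
    r"^(?P<domain>[A-Za-z0-9.-]+)"
    r"(?:\s+-\s+(?P<ip>\d{1,3}(?:\.\d{1,3}){3}))?"
    r"(?:\s+-\s+Email:\s*(?P<email>[^\s@]+@[^\s@]+))?$"
)

def parse_indicators(text):
    """Parse indicator lines; domains are lowercased so case-variant duplicates merge."""
    records = {}
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # blank or differently formatted line: skip rather than guess
        dom = m.group("domain").lower()
        rec = records.setdefault(dom, {"domain": dom, "ip": None, "email": None})
        if m.group("ip"):
            rec["ip"] = m.group("ip")
        if m.group("email"):
            rec["email"] = m.group("email").lower()
    return list(records.values())

def shared(records, field, min_domains=2):
    """Values of `field` ('ip' or 'email') used by at least min_domains domains."""
    groups = defaultdict(set)
    for r in records:
        if r[field]:
            groups[r[field]].add(r["domain"])
    return {k: sorted(v) for k, v in groups.items() if len(v) >= min_domains}

def shared_networks(records, prefix=24, min_domains=2):
    """Same pivot on the enclosing /prefix: adjacent IPs in one block are usually
    one hosting customer, as with the 98.141.220.114-118 range in the lists above."""
    groups = defaultdict(set)
    for r in records:
        if r["ip"]:
            net = ip_network(f"{r['ip']}/{prefix}", strict=False)
            groups[str(net)].add(r["domain"])
    return {k: sorted(v) for k, v in groups.items() if len(v) >= min_domains}

def cross_linked(records):
    """(site, other_site) pairs where a site's contact mailbox belongs to another
    domain in the list: the operator reused one mailbox across two sites."""
    known = {r["domain"] for r in records}
    links = []
    for r in records:
        if r["email"]:
            mail_dom = r["email"].split("@", 1)[1]
            if mail_dom != r["domain"] and mail_dom in known:
                links.append((r["domain"], mail_dom))
    return sorted(links)

def clusters(records):
    """Union-find over shared IPs, shared mailboxes and cross-links; returns sorted
    groups of two or more domains, i.e. candidate single-operator sets."""
    parent = {r["domain"]: r["domain"] for r in records}

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path halving
            x = parent[x]
        return x
    edges = [d for f in ("ip", "email") for d in shared(records, f).values()]
    edges += [list(pair) for pair in cross_linked(records)]
    for doms in edges:
        for d in doms[1:]:
            parent[find(d)] = find(doms[0])
    comps = defaultdict(list)
    for d in parent:
        comps[find(d)].append(d)
    return sorted(sorted(c) for c in comps.values() if len(c) >= 2)
```

On the constructed sample, clusters() joins the alpha and beta sites through the shared 192.0.2.10 host and the reused frost@ mailbox, and ties epsilon-ltd to the gamma pair purely through its admin@gamma-groupinc.example contact.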

Related posts:
Keeping Money Mule Recruiters on a Short Leash - Part Six
Keeping Money Mule Recruiters on a Short Leash - Part Five
The DNS Infrastructure of the Money Mule Recruitment Ecosystem
Keeping Money Mule Recruiters on a Short Leash - Part Four
Money Mule Recruitment Campaign Serving Client-Side Exploits
Keeping Money Mule Recruiters on a Short Leash - Part Three
Money Mule Recruiters on Yahoo!'s Web Hosting
Dissecting an Ongoing Money Mule Recruitment Campaign
Keeping Money Mule Recruiters on a Short Leash - Part Two
Keeping Reshipping Mule Recruiters on a Short Leash
Keeping Money Mule Recruiters on a Short Leash
Standardizing the Money Mule Recruitment Process
Inside a Money Laundering Group's Spamming Operations
Money Mule Recruiters use ASProx's Fast Fluxing Services
Money Mules Syndicate Actively Recruiting Since 2002


Monday, May 09, 2011

A Peek Inside a New DDoS Bot - "Snap"


Sampling malicious activity through the eyes of the cybercriminal is always beneficial for spotting valuable trends and fads within the ecosystem in a timely manner, provided a decent sample of malicious activity is obtained.

In this post, we'll review a new DDoS bot on the block - "Snap".

This modular bot differentiates itself by letting the buyer choose which modules are added to the final package, and by offering two "proprietary" DDoS functions, namely TurboSYN and TrafficDDoS. Next to its core DDoS functionality, the bot's coder further differentiates it by offering Form Grabbing, Reverse Socks, MailSpamming, IM-Spamming and Exploits launching functionality.


More details from the actual proposition:
[+] language the bot is coded in: mASM
[+] no external dependencies, no runtimes, no frameworks!
[+] Ability to work with roaming user accounts
[+] modularized structure of the bot
[+] Second Backup Service watches process activity and restarts bot on fail over
[+] User Mode r00tkit
-> [+] runs as a service and hides itself
-> [+] hides & protects root process
-> [+] hides & protects files
-> [+] hides the root processes
-> [+] hides already used local&remote TCP Port(s)
-> [+] hides already used local&remote UDP Port(s)
-> [+] hides already used regkeys
[+] semi polymorphic architecture
-> [+] uses random legit process, file & service names
-> [+] generates a unique stub every run
[+] bot doesn't use eof, has no import table, doesn't need relocation and tls section => very good crypter support
[+] Unicode support for Asian pcs
[+] detects common sandboxes, virtual OSs, emulators, and analysis tools


[================[ Webpanel ]==--

[+] the webpanel is developed with dreamweaver cs5 and ajax framework using mysql and php
[+] multi theme support available
[+] multi command support => every victim can do as many threads as you want it to
[+] reliable protocol which creates the lowest possible server load
[+] modularized structure of the bot


[===[ Modules ]==--

[+] Base price (Core) for 250$

Loader:
[+] Load module (simple) +0$
[+] Load module (extended) for 50$


Proxy:
[+] Socks5 Daemon for 50$
[+] reverse Socks 4/Socks 4a/Socks 5/ HTTP(s) for 150$


DDoS:
[+] DDoS Module (http/syn) for 50$
[+] DDoS Module (full) for 100$


DDoS(full) + Load module (extended) + Socks5 Daemon for 400$

Related posts:
Coding Spyware and Malware for Hire
Will Code Malware for Financial Incentives
E-crime and Socioeconomic Factors
Web Based Botnet Command and Control Kit 2.0


Don't Play Poker on an Infected Table - Part Five


A currently spamvertised campaign is enticing end users into downloading a fraudulent online gambling application KingSpinEN.exe. The campaign is part of last month's Don't Play Poker on an Infected Table - Part Four series.

Detection rate:
KingSpinEN.exe - W32/Casino.F.gen!Eldorado - Result:16/43 (37.2%)
MD5   : ead8156a838842bc8463995a91eee08b
SHA1  : 239594a514c461c63dc8da69b08b9b63baaf2579
SHA256: 491c291eaed67268d14a36470e5d6f6d4ed829055fe4a2897ac5f050b50a2e36

Upon execution, the binary phones back to:
- download.thepalacegroupgaming.com /tracking.aspx?ul=en&casino=spinpalace&banner_tag=a20337&uuid=%7b9F9E0585-9340-45C0-9EC7-46FBE5E7127F%7d&state=100
- spinpalace.mgsmup.com /mupp/spinpalace/spinpalace_install.cab
- spinpalace.mgsmup.com /mupp/spinpalace/spinpalace.cab
- download.thepalacegroupgaming.com /tracking.aspx?ul=en&casino=spinpalace&banner_tag=a20337&uuid=%7b9F9E0585-9340-45C0-9EC7-46FBE5E7127F%7d&state=422
- marketing.valueactive.eu /VIP/animations/en/movies_en.htm

Portfolio of fraudulent online gambling domains that are part of the campaign. The majority are hosted within AS49130, ARNET-AS SC ArNet Connection SRL:

Monitoring of the campaign is ongoing.

Related posts:
Don't Play Poker on an Infected Table - Part Four
Don't Play Poker on an Infected Table - Part Three
Don't Play Poker on an Infected Table - Part Two
Don't Play Poker on an Infected Table


Summarizing ZDNet's Zero Day Posts for April


The following is a brief summary of all of my posts at ZDNet's Zero Day for April. You can subscribe to my personal RSS feed, Zero Day's main feed, or follow me on Twitter:

Recommended reading:
01. Spamvertised "Reqest Rejected" campaign leads to scareware
02. Spamvertised 'Facebook. Your password has been changed!' emails lead to malware
03. Malware Watch: 'Spam is sent from your FaceBook account'; Spamvertised malicious photos
04. Spamvertised Easter Greetings lead to malware
05. Netcraft survey indicates slow adoption of Extended Validation SSL certificates
06. 'You've got a postcard' emails lead to exploits and scareware
07. Fake antivirus for mobile platform spotted
