With China in the focus of international fiasco (consider going through the Google-China cyber espionage saga - FAQ)
Related Chinese hacking/hacktivism coverage:
Localizing Open Source Malware
Custom DDoS Capabilities Within a Malware
Custom DDoS Attacks Within Popular Malware Diversifying
The FirePack Exploitation Kit Localized to Chinese
MPack and IcePack Localized to Chinese
Massive SQL Injection Attacks - the Chinese Way
A Chinese DIY Multi-Feature Malware
DIY Chinese Passwords Stealer
A Chinese Malware Downloader in the Wild
Chinese Hackers Attacking U.S Department of Defense Networks
Chinese Hacktivists Waging People's Information Warfare Against CNN
The DDoS Attack Against CNN.com
This post has been reproduced from Dancho Danchev's blog. Follow him on Twitter.
Independent Contractor. Bitcoin: 15Zvie1j8CjSR52doVSZSjctCDSx3pDjKZ Email: dancho.danchev@hush.com OMEMO: ddanchev@conversations.im | OTR: danchodanchev@xmpp.jp | TOX ID: 2E6FCA35A18AA76B2CCE33B55404A796F077CADA56F38922A1988AA381AE617A15D3D3E3E6F1
Tuesday, January 26, 2010
Inside a Commercial Chinese DIY DDoS Platform
Independent Security Consultancy, Threat Intelligence Analysis (OSINT/Cyber Counter Intelligence) and Competitive Intelligence research on demand. Insightful, unbiased, and client-tailored assessments, neatly communicated in the form of interactive reports - because anticipating the emerging threatscape is what shapes the big picture at the end of the day. Approach me at dancho.danchev@hush.com
Inside a Commercial Chinese DIY DDoS Platform
With China in the focus of international fiasco (consider going through the Google-China cyber espionage saga - FAQ)
Related Chinese hacking/hacktivism coverage:
Localizing Open Source Malware
Custom DDoS Capabilities Within a Malware
Custom DDoS Attacks Within Popular Malware Diversifying
The FirePack Exploitation Kit Localized to Chinese
MPack and IcePack Localized to Chinese
Massive SQL Injection Attacks - the Chinese Way
A Chinese DIY Multi-Feature Malware
DIY Chinese Passwords Stealer
A Chinese Malware Downloader in the Wild
Chinese Hackers Attacking U.S Department of Defense Networks
Chinese Hacktivists Waging People's Information Warfare Against CNN
The DDoS Attack Against CNN.com
This post has been reproduced from Dancho Danchev's blog. Follow him on Twitter.
Related Chinese hacking/hacktivism coverage:
Localizing Open Source Malware
Custom DDoS Capabilities Within a Malware
Custom DDoS Attacks Within Popular Malware Diversifying
The FirePack Exploitation Kit Localized to Chinese
MPack and IcePack Localized to Chinese
Massive SQL Injection Attacks - the Chinese Way
A Chinese DIY Multi-Feature Malware
DIY Chinese Passwords Stealer
A Chinese Malware Downloader in the Wild
Chinese Hackers Attacking U.S Department of Defense Networks
Chinese Hacktivists Waging People's Information Warfare Against CNN
The DDoS Attack Against CNN.com
This post has been reproduced from Dancho Danchev's blog. Follow him on Twitter.
Independent Security Consultancy, Threat Intelligence Analysis (OSINT/Cyber Counter Intelligence) and Competitive Intelligence research on demand. Insightful, unbiased, and client-tailored assessments, neatly communicated in the form of interactive reports - because anticipating the emerging threatscape is what shapes the big picture at the end of the day. Approach me at dancho.danchev@hush.com
Facebook/AOL Update Tool Spam Campaign Serving Crimeware and Client-Side Exploits
Continuing the Pushdo coverage from last week, the "Your AOL Instant Messenger account is flagged as inactive" "or the latest update for the AIM" themed campaign from the weekend, has once again returned to a well known theme, namely, the "Facebook Update Tool" spam campaign.
The botnet masters have introduced several new name servers -- domain suspension is pending -- but continue using the same IP embedded on all the pages, for serving the client-side exploits, with a slight change in the directory structure.
- Sample subject: Facebook Update Tool
- Sample body: "Dear Facebook user, In an effort to make your online experience safer and more enjoyable, Facebook will be implementing a new login system that will affect all Facebook users. These changes will offer new features and increased account security. Before you are able to use the new login system, you will be required to update your account. Click here to update your account online now. If you have any questions, reference our New User Guide. Thanks, The Facebook Team"
- Sample URL: facebook.com.ddeassrq .vc/usr/LoginFacebook.php?ref
- Detection rates for scripts/crimeware/exploits: File.exe (phones back to the currently down nekovo .ru/cbd/nekovo.bri); IE.js; IE2.js; nowTrue.swf; pdf.pdf
- Sample iFrame exploitation structure: 109.95.114 .251/us01d/in.php
- 109.95.114 .251/us01d/jquery.jxx
- 109.95.114 .251/us01d/xd/pdf.pdf
- 109.95.114 .251/us01d/load.php
- 109.95.114 .251/us01d/file.exe
- Sample typosquatted and currently active domains:
ddeasaeq .vc - Email: mspspaceki@mad.scientist.com
ddeasuqq .vc - Email: mspspaceki@mad.scientist.com
ddeassrq .vc - Email: mspspaceki@mad.scientist.com
ddeasutq .vc - Email: mspspaceki@mad.scientist.com
ddeasauq .vc - Email: mspspaceki@mad.scientist.com
ddeasqwq .vc - Email: mspspaceki@mad.scientist.com
ddeasqyq .vc - Email: mspspaceki@mad.scientist.com
reeesassf .la - Email: palatalizefxt@popstar.com
ukgedsa.com .hn - Email: zmamarc689@witty.com
ukgedsc.com .vc - Email: zmamarc689@witty.com
ukgedse.com .hn - Email: zmamarc689@witty.com
ukgedsg.com .vc - Email: zmamarc689@witty.com
ukgedsh.com .vc - Email: zmamarc689@witty.com
ukgedsi .hn - Email: zmamarc689@witty.com
ukgedsq.com .hn - Email: zmamarc689@witty.com
ukgedsr.com .sc - Email: zmamarc689@witty.com
ukgedst.com .sc - Email: zmamarc689@witty.com
ukgedsu.com .vc - Email: zmamarc689@witty.com
ukgedsv.com .vc - Email: zmamarc689@witty.com
ukgedsy.com .vc - Email: zmamarc689@witty.com
- Name servers of notice:
ns1.availname .net - 204.12.229.89 - Email: Larimore@yahoo.com
ns1.sorbauto .com - 204.12.229.89 - Email: xtrai@email.com
ns1.worldkinofest .com - Email: tolosa1965@snail-mail.net
ns1.pdsproperties .net - 92.84.23.138 - Email: PDSProperties@yahoo.com
ns1.drinckclub .com - 94.23.177.147 - Email: excins@iname.com
ns1.transsubmit .net - 94.23.177.147 - Email: Alaniz@gmail.com
ns1.theautocompany .net - suspended
ns1.24stophours .com - suspended
ns1.disksilver .net - suspended
Thankfully, quality assurance is not taken into consideration in this campaign - the iFrame's IP is already heavily blacklisted, and the crimeware sample itself attempts to phone back to a C&C that has been down for several days.
The gang's activities will be updated as they happen.
Related posts:
Pushdo Serving Crimeware, Client-Side Exploits and Russian Bride Scams
Outlook Web Access Themed Spam Campaign Serves Zeus Crimeware
Pushdo Injecting Bogus Swine Flu Vaccine
"Your mailbox has been deactivated" Spam Campaign Serving Crimeware
Ongoing FDIC Spam Campaign Serves Zeus Crimeware
The Multitasking Fast-Flux Botnet that Wants to Bank With You
This post has been reproduced from Dancho Danchev's blog.
The botnet masters have introduced several new name servers -- domain suspension is pending -- but continue using the same IP embedded on all the pages, for serving the client-side exploits, with a slight change in the directory structure.
- Sample subject: Facebook Update Tool
- Sample body: "Dear Facebook user, In an effort to make your online experience safer and more enjoyable, Facebook will be implementing a new login system that will affect all Facebook users. These changes will offer new features and increased account security. Before you are able to use the new login system, you will be required to update your account. Click here to update your account online now. If you have any questions, reference our New User Guide. Thanks, The Facebook Team"
- Sample URL: facebook.com.ddeassrq .vc/usr/LoginFacebook.php?ref
- Detection rates for scripts/crimeware/exploits: File.exe (phones back to the currently down nekovo .ru/cbd/nekovo.bri); IE.js; IE2.js; nowTrue.swf; pdf.pdf
- Sample iFrame exploitation structure: 109.95.114 .251/us01d/in.php
- 109.95.114 .251/us01d/jquery.jxx
- 109.95.114 .251/us01d/xd/pdf.pdf
- 109.95.114 .251/us01d/load.php
- 109.95.114 .251/us01d/file.exe
- Sample typosquatted and currently active domains:
ddeasaeq .vc - Email: mspspaceki@mad.scientist.com
ddeasuqq .vc - Email: mspspaceki@mad.scientist.com
ddeassrq .vc - Email: mspspaceki@mad.scientist.com
ddeasutq .vc - Email: mspspaceki@mad.scientist.com
ddeasauq .vc - Email: mspspaceki@mad.scientist.com
ddeasqwq .vc - Email: mspspaceki@mad.scientist.com
ddeasqyq .vc - Email: mspspaceki@mad.scientist.com
reeesassf .la - Email: palatalizefxt@popstar.com
ukgedsa.com .hn - Email: zmamarc689@witty.com
ukgedsc.com .vc - Email: zmamarc689@witty.com
ukgedse.com .hn - Email: zmamarc689@witty.com
ukgedsg.com .vc - Email: zmamarc689@witty.com
ukgedsh.com .vc - Email: zmamarc689@witty.com
ukgedsi .hn - Email: zmamarc689@witty.com
ukgedsq.com .hn - Email: zmamarc689@witty.com
ukgedsr.com .sc - Email: zmamarc689@witty.com
ukgedst.com .sc - Email: zmamarc689@witty.com
ukgedsu.com .vc - Email: zmamarc689@witty.com
ukgedsv.com .vc - Email: zmamarc689@witty.com
ukgedsy.com .vc - Email: zmamarc689@witty.com
- Name servers of notice:
ns1.availname .net - 204.12.229.89 - Email: Larimore@yahoo.com
ns1.sorbauto .com - 204.12.229.89 - Email: xtrai@email.com
ns1.worldkinofest .com - Email: tolosa1965@snail-mail.net
ns1.pdsproperties .net - 92.84.23.138 - Email: PDSProperties@yahoo.com
ns1.drinckclub .com - 94.23.177.147 - Email: excins@iname.com
ns1.transsubmit .net - 94.23.177.147 - Email: Alaniz@gmail.com
ns1.theautocompany .net - suspended
ns1.24stophours .com - suspended
ns1.disksilver .net - suspended
Thankfully, quality assurance is not taken into consideration in this campaign - the iFrame's IP is already heavily blacklisted, and the crimeware sample itself attempts to phone back to a C&C that has been down for several days.
The gang's activities will be updated as they happen.
Related posts:
Pushdo Serving Crimeware, Client-Side Exploits and Russian Bride Scams
Outlook Web Access Themed Spam Campaign Serves Zeus Crimeware
Pushdo Injecting Bogus Swine Flu Vaccine
"Your mailbox has been deactivated" Spam Campaign Serving Crimeware
Ongoing FDIC Spam Campaign Serves Zeus Crimeware
The Multitasking Fast-Flux Botnet that Wants to Bank With You
This post has been reproduced from Dancho Danchev's blog.
Independent Security Consultancy, Threat Intelligence Analysis (OSINT/Cyber Counter Intelligence) and Competitive Intelligence research on demand. Insightful, unbiased, and client-tailored assessments, neatly communicated in the form of interactive reports - because anticipating the emerging threatscape is what shapes the big picture at the end of the day. Approach me at dancho.danchev@hush.com
Monday, January 18, 2010
Follow Me on Twitter!
Are you on Twitter? If so, consider following my tweets, or if you're not using it you can always subscribe to the RSS feed.
Independent Security Consultancy, Threat Intelligence Analysis (OSINT/Cyber Counter Intelligence) and Competitive Intelligence research on demand. Insightful, unbiased, and client-tailored assessments, neatly communicated in the form of interactive reports - because anticipating the emerging threatscape is what shapes the big picture at the end of the day. Approach me at dancho.danchev@hush.com
Wednesday, January 13, 2010
Pushdo Serving Crimeware, Client-Side Exploits and Russian Bride Scams
UPDATED, Friday, 15, 2010: The gang continues rotating the campaigns by targeting different brands. Over the 24 hours they've spamming the well known "Notice of Underreported Income" theme this time targeting HM Revenue and Customs (HMRC), and have also introduced new portfolios of typosquatted domains next to changing the client-side exploits serving iFrame embedded on each and every page.
- Sample message: "Filing and paying your federal taxes correctly and on time is an important part of living and working in the United Kingdom. Please review (download and execute) your tax statement. If the statement is incorrect, contact our Taxpayer Advocate Service."
- Sample URL: online.hmrc.gov.uk.olpiku5v .com.pl/SecurityWebApp/httpsmode/statement.php
Detection rates for tax-statement.exe (Trojan-Spy.Win32.Zbot.gen) and file.exe (Trojan-Spy.Win32.Zbot.gen). Upon execution, the samples attempt to connect to elnasa .ru/asd/elnasa.ble (109.95.114 .71/asd/elnasa.ble).
The structure of the iFrame, now using an IP address instead of a domain name, remains the same:
- 109.95.114.251 /uks1/in.php - 109.95.114.251 - AS50369 - VISHCLUB-as Kanyovskiy Andriy Yuriyovich - akanyovskiy@troyak.org
- 109.95.114.251 /uks1/jquery.jxx
- 109.95.114.251 /uks1/xd/pdf.pdf
- 109.95.114.251 /uks1/load.php
- 109.95.114.251 /uks1/file.exe
DNS servers of notice:
ns1.pds-properties .com - 89.238.165.195
ns1.noeproperties .com - 84.243.201.159
ns1.densondatabase .com - 94.23.177.147
ns1.dogsgrem .net - 89.238.165.195 - Email: glonders@gmail.com - Email seen in previous domain registrations
Typosquatted domains spammed over the past 24 hours:
olpiku5a .com.pl
olpiku5b .com.pl
olpiku5c .com.pl
olpiku5d .com.pl
olpiku5e .com.pl
olpiku5f .com.pl
olpiku5g .com.pl
olpiku5q .com.pl
olpiku5r .com.pl
olpiku5s .com.pl
olpiku5t .com.pl
olpiku5v .com.pl
olpiku5w .com.pl
olpiku5x .com.pl
olpiku5z .com.pl
ujo9ia .com.pl
ujo9id .com.pl
ujo9ie .com.pl
ujo9if .com.pl
ujo9ig .com.pl
ujo9ih .com.pl
ujo9im .com.pl
ujo9in .com.pl
ujo9iq .com.pl
ujo9ir .com.pl
ujo9is .com.pl
ujo9it .com.pl
ujo9iw .com.pl
ujo9iy .com.pl
ujo9iz .com.pl
t111ut .me.uk
t111uy .me.uk
t111uz .me.uk
t111uk .org.uk
t111ut .org.uk
t111uz .org.uk
t111uk .co.uk
t111uy .co.uk
okio1h .ne.kr
okio1w .ne.kr
okio1h .kr
okio1h .co.kr
okio1u .co.kr
okio1v .co.kr
okio1w .co.kr
okio1h .or.kr
okio1u .or.kr
okio1v .or.kr
okio1w .or.kr
okio1u .kr
okio1v .kr
okio1w .kr
proterp1 .im
virtdit1 .im
virtdit2 .im
virtdit3 .im
virtdit4 .im
virtdit5 .im
virtdit6 .im
virtdit7 .im
virtdit8 .im
UPDATED: Gary Warner offers additional insights into the latest campaigns - This Week in Avalanche / Zbot / Zeus Bot: HSBC & eBay.
What the botnet masters forget is that with each and every campaign, based on a number of factors, they reveal more about themselves and their affiliations within the cybercrime ecosystem. The degree of monetization is proportional with the loss of OPSEC (operational security), and this remains valid for any fraudulent campaign, botnet or cybercrime community in general.
UPDATED: To clarify, in this campaign Pushdo acts as the spam platform for the Avalanche/MS-Redirect botnet.
In need of a good example why you shouldn't be interacting with spam/phishing emails in any other way but reporting/deleting them, unless of course you're in the business of analyzing them?
Last week's OWA-themed Zeus-serving spam campaign courtesy of the Pushdo botnet, has not just resumed, but is continuing to serve client-side exploits (CVE-2007-5659; CVE-2008-2992; CVE-2009-0927) to anyone visiting the spammed web sites through an iFrame embedded on all of them. Such traffic optimization tactics are nothing new, since the botnet master is anticipating the fact that the visitor that clicked on the link, may not be that stupid the next time, so attempting to serve the malware without any kind of interaction on his behalf through client-side exploits is the tactic of choice.
Let's dissect the campaign, list all of the currently active fast-fluxed domains, the name servers of notice, the client-side exploit serving structure, and the Russian Brides scam domains spamvertised over the last few days.
Active fast-fluxed domains part of the campaign:
leptprs.co .kr - Email: wawddhaepny@yahoo.com
leptprs .kr - Email: wawddhaepny@yahoo.com
leptprs.ne .kr - Email: wawddhaepny@yahoo.com
leptprs.or .kr - Email: wawddhaepny@yahoo.com
oki8uuu.co .kr - Email: wawddhaepny@yahoo.com
ui7772.co .kr - Email: jn.hadler@jkh.org.uk
ui7772 .kr - Email: jn.hadler@jkh.org.uk
ui7772.ne .kr - Email: jn.hadler@jkh.org.uk
ui7772.or .kr - Email: jn.hadler@jkh.org.uk
ui777f .kr - Email: jn.hadler@jkh.org.uk
ui777f.ne .kr - Email: jn.hadler@jkh.org.uk
ui777f.or .kr - Email: jn.hadler@jkh.org.uk
ui777fne .kr - Email: jn.hadler@jkh.org.uk
ui777l.co .kr - Email: jn.hadler@jkh.org.uk
ui777p.co .kr - Email: jn.hadler@jkh.org.uk
ui777p .kr - Email: jn.hadler@jkh.org.uk
ui777p.ne .kr - Email: jn.hadler@jkh.org.uk
ui777p.or .kr - Email: jn.hadler@jkh.org.uk
DNS servers of notice:
ns1.raddoor .com - Email: figarro77@gmail.com
ns1.snup-up .net - Email: dietsnak@socialworker.net
ns1.aj-realty .net - Email: support@aj-realty.net
ns1.aj-administration .com - Email: manager@mack.net
ns1.aj-talentsearch .com - Email: supp@mail.net
ns1.eurobankfinance .net - Email: termer@counsellor.com
ns1.hetn91 .com - Email: astrix@aol.com
ns1.personnel-aj .com - Email: KimMIngram@aol.com
ns1.nitroexcel .net
ns1.fredoms .com
ns1.ajstaffing .net
ns1.angel-death .net
ns1.aj-estate .com
ns1.aj-realtors .com
ns1.pdsproperties .com
ns1.groupswat .com
Upon execution, settings-file.exe (Trojan-Spy.Win32.Zbot.adsy), phones back to 109.123.70 .97/fh3245sq/config.bin. Detection rate for pdf.pdf (Exploit-PDF.ac) and file.exe (Trojan.Win32.Riern). The structure of the iFrame is as follows:
- atthisstage .com/uksp/in.php - 84.45.45.135 - Email: soakes@soakes.com
- atthisstage .com/uksp/jquery.jxx
- atthisstage .com/uksp/xd/pdf.pdf
- atthisstage .com/uksp/load.php
- atthisstage .com/uksp/file.exe
Russian Brides spamvertised domains part of an affiliate network:
toolbarsunited .com - Email: soft.tj@gmail.com
2006jubilee .com - Email: soft.tj@gmail.com
avtofo .org - Email: flarnes@gmail.com
lovesexdatings .com - Email: kauplus@li.ru
stars-dating .com - Email: kauplus@li.ru
avtofo.com .ua
dinenyc .net
cid-f5f40ef1f5210d08.spaces .live.com
cid-c1b015ffe1b44573.spaces .live.com
cid-b78f4f23e27d2b45.spaces .live.com
cid-8d3413073f537740.spaces .live.com
cid-205046cf66900102.spaces .live.com
If you want to know more the inner workings of the Pushdo/Cutwail botnet, consider going through the Pushdo / Cutwail - An Indepth Analysis report.
Related posts:
Outlook Web Access Themed Spam Campaign Serves Zeus Crimeware
Pushdo Injecting Bogus Swine Flu Vaccine
"Your mailbox has been deactivated" Spam Campaign Serving Crimeware
Ongoing FDIC Spam Campaign Serves Zeus Crimeware
The Multitasking Fast-Flux Botnet that Wants to Bank With You
This post has been reproduced from Dancho Danchev's blog.
- Sample message: "Filing and paying your federal taxes correctly and on time is an important part of living and working in the United Kingdom. Please review (download and execute) your tax statement. If the statement is incorrect, contact our Taxpayer Advocate Service."
- Sample URL: online.hmrc.gov.uk.olpiku5v .com.pl/SecurityWebApp/httpsmode/statement.php
Detection rates for tax-statement.exe (Trojan-Spy.Win32.Zbot.gen) and file.exe (Trojan-Spy.Win32.Zbot.gen). Upon execution, the samples attempt to connect to elnasa .ru/asd/elnasa.ble (109.95.114 .71/asd/elnasa.ble).
The structure of the iFrame, now using an IP address instead of a domain name, remains the same:
- 109.95.114.251 /uks1/in.php - 109.95.114.251 - AS50369 - VISHCLUB-as Kanyovskiy Andriy Yuriyovich - akanyovskiy@troyak.org
- 109.95.114.251 /uks1/jquery.jxx
- 109.95.114.251 /uks1/xd/pdf.pdf
- 109.95.114.251 /uks1/load.php
- 109.95.114.251 /uks1/file.exe
DNS servers of notice:
ns1.pds-properties .com - 89.238.165.195
ns1.noeproperties .com - 84.243.201.159
ns1.densondatabase .com - 94.23.177.147
ns1.dogsgrem .net - 89.238.165.195 - Email: glonders@gmail.com - Email seen in previous domain registrations
Typosquatted domains spammed over the past 24 hours:
olpiku5a .com.pl
olpiku5b .com.pl
olpiku5c .com.pl
olpiku5d .com.pl
olpiku5e .com.pl
olpiku5f .com.pl
olpiku5g .com.pl
olpiku5q .com.pl
olpiku5r .com.pl
olpiku5s .com.pl
olpiku5t .com.pl
olpiku5v .com.pl
olpiku5w .com.pl
olpiku5x .com.pl
olpiku5z .com.pl
ujo9ia .com.pl
ujo9id .com.pl
ujo9ie .com.pl
ujo9if .com.pl
ujo9ig .com.pl
ujo9ih .com.pl
ujo9im .com.pl
ujo9in .com.pl
ujo9iq .com.pl
ujo9ir .com.pl
ujo9is .com.pl
ujo9it .com.pl
ujo9iw .com.pl
ujo9iy .com.pl
ujo9iz .com.pl
t111ut .me.uk
t111uy .me.uk
t111uz .me.uk
t111uk .org.uk
t111ut .org.uk
t111uz .org.uk
t111uk .co.uk
t111uy .co.uk
okio1h .ne.kr
okio1w .ne.kr
okio1h .kr
okio1h .co.kr
okio1u .co.kr
okio1v .co.kr
okio1w .co.kr
okio1h .or.kr
okio1u .or.kr
okio1v .or.kr
okio1w .or.kr
okio1u .kr
okio1v .kr
okio1w .kr
proterp1 .im
virtdit1 .im
virtdit2 .im
virtdit3 .im
virtdit4 .im
virtdit5 .im
virtdit6 .im
virtdit7 .im
virtdit8 .im
UPDATED: Gary Warner offers additional insights into the latest campaigns - This Week in Avalanche / Zbot / Zeus Bot: HSBC & eBay.
What the botnet masters forget is that with each and every campaign, based on a number of factors, they reveal more about themselves and their affiliations within the cybercrime ecosystem. The degree of monetization is proportional with the loss of OPSEC (operational security), and this remains valid for any fraudulent campaign, botnet or cybercrime community in general.
UPDATED: To clarify, in this campaign Pushdo acts as the spam platform for the Avalanche/MS-Redirect botnet.
In need of a good example why you shouldn't be interacting with spam/phishing emails in any other way but reporting/deleting them, unless of course you're in the business of analyzing them?
Last week's OWA-themed Zeus-serving spam campaign courtesy of the Pushdo botnet, has not just resumed, but is continuing to serve client-side exploits (CVE-2007-5659; CVE-2008-2992; CVE-2009-0927) to anyone visiting the spammed web sites through an iFrame embedded on all of them. Such traffic optimization tactics are nothing new, since the botnet master is anticipating the fact that the visitor that clicked on the link, may not be that stupid the next time, so attempting to serve the malware without any kind of interaction on his behalf through client-side exploits is the tactic of choice.
Let's dissect the campaign, list all of the currently active fast-fluxed domains, the name servers of notice, the client-side exploit serving structure, and the Russian Brides scam domains spamvertised over the last few days.
Active fast-fluxed domains part of the campaign:
leptprs.co .kr - Email: wawddhaepny@yahoo.com
leptprs .kr - Email: wawddhaepny@yahoo.com
leptprs.ne .kr - Email: wawddhaepny@yahoo.com
leptprs.or .kr - Email: wawddhaepny@yahoo.com
oki8uuu.co .kr - Email: wawddhaepny@yahoo.com
ui7772.co .kr - Email: jn.hadler@jkh.org.uk
ui7772 .kr - Email: jn.hadler@jkh.org.uk
ui7772.ne .kr - Email: jn.hadler@jkh.org.uk
ui7772.or .kr - Email: jn.hadler@jkh.org.uk
ui777f .kr - Email: jn.hadler@jkh.org.uk
ui777f.ne .kr - Email: jn.hadler@jkh.org.uk
ui777f.or .kr - Email: jn.hadler@jkh.org.uk
ui777fne .kr - Email: jn.hadler@jkh.org.uk
ui777l.co .kr - Email: jn.hadler@jkh.org.uk
ui777p.co .kr - Email: jn.hadler@jkh.org.uk
ui777p .kr - Email: jn.hadler@jkh.org.uk
ui777p.ne .kr - Email: jn.hadler@jkh.org.uk
ui777p.or .kr - Email: jn.hadler@jkh.org.uk
DNS servers of notice:
ns1.raddoor .com - Email: figarro77@gmail.com
ns1.snup-up .net - Email: dietsnak@socialworker.net
ns1.aj-realty .net - Email: support@aj-realty.net
ns1.aj-administration .com - Email: manager@mack.net
ns1.aj-talentsearch .com - Email: supp@mail.net
ns1.eurobankfinance .net - Email: termer@counsellor.com
ns1.hetn91 .com - Email: astrix@aol.com
ns1.personnel-aj .com - Email: KimMIngram@aol.com
ns1.nitroexcel .net
ns1.fredoms .com
ns1.ajstaffing .net
ns1.angel-death .net
ns1.aj-estate .com
ns1.aj-realtors .com
ns1.pdsproperties .com
ns1.groupswat .com
Upon execution, settings-file.exe (Trojan-Spy.Win32.Zbot.adsy), phones back to 109.123.70 .97/fh3245sq/config.bin. Detection rate for pdf.pdf (Exploit-PDF.ac) and file.exe (Trojan.Win32.Riern). The structure of the iFrame is as follows:
- atthisstage .com/uksp/in.php - 84.45.45.135 - Email: soakes@soakes.com
- atthisstage .com/uksp/jquery.jxx
- atthisstage .com/uksp/xd/pdf.pdf
- atthisstage .com/uksp/load.php
- atthisstage .com/uksp/file.exe
Russian Brides spamvertised domains part of an affiliate network:
toolbarsunited .com - Email: soft.tj@gmail.com
2006jubilee .com - Email: soft.tj@gmail.com
avtofo .org - Email: flarnes@gmail.com
lovesexdatings .com - Email: kauplus@li.ru
stars-dating .com - Email: kauplus@li.ru
avtofo.com .ua
dinenyc .net
cid-f5f40ef1f5210d08.spaces .live.com
cid-c1b015ffe1b44573.spaces .live.com
cid-b78f4f23e27d2b45.spaces .live.com
cid-8d3413073f537740.spaces .live.com
cid-205046cf66900102.spaces .live.com
If you want to know more the inner workings of the Pushdo/Cutwail botnet, consider going through the Pushdo / Cutwail - An Indepth Analysis report.
Related posts:
Outlook Web Access Themed Spam Campaign Serves Zeus Crimeware
Pushdo Injecting Bogus Swine Flu Vaccine
"Your mailbox has been deactivated" Spam Campaign Serving Crimeware
Ongoing FDIC Spam Campaign Serves Zeus Crimeware
The Multitasking Fast-Flux Botnet that Wants to Bank With You
This post has been reproduced from Dancho Danchev's blog.
Independent Security Consultancy, Threat Intelligence Analysis (OSINT/Cyber Counter Intelligence) and Competitive Intelligence research on demand. Insightful, unbiased, and client-tailored assessments, neatly communicated in the form of interactive reports - because anticipating the emerging threatscape is what shapes the big picture at the end of the day. Approach me at dancho.danchev@hush.com
Friday, January 08, 2010
Outlook Web Access Themed Spam Campaign Serves Zeus Crimeware
UPDATED: Sunday, January 10, 2010 - The post has been updated with the latest domains spammed within the past 24 hours.
UPDATED: Saturday, January 09, 2010 - The post has been updated with the latest domains spammed within the past 24 hours. The spam campaign is ongoing.
A currently ongoing spam campaign is using the "Your default mailbox settings have changed" theme, in order to infect gullible users into executing Trojan-Spy.Win32.Zbot (settings-file.exe).
Sample message:
"The default settings of your mailbox were automatically changed. Please download and launch a file with a new set of settings for your e-mail account:fx-settings-file.exe.
We constantly work on the quality level of our service, as well as on the development of its security and protection. During the last upgrade several essential improvements were adopted, such as new ports for the POP3 & SMTP protocols, plus the SMTP autentification. The new settings are necessary for those who use the mailings clients (for ex. Microsoft Outlook, The Bat!, Mozilla Thunderbird etc.) or those who use our service via the web-interface."
Sample campaign structure: molendf.co .kr/owa/service_directory/settings.php?email=fx@yahoo.com&from=yahoo.com&fromname=fx
Fast-fluxed seed IPs:
61.64.170.232
77.126.141.142
188.56.139.174
189.110.244.68
189.179.13.36
190.82.217.255
195.174.109.241
200.169.71.144
201.232.187.200
201.236.48.117
210.106.80.90
218.153.64.25
221.26.184.25
59.92.58.166
61.20.133.88
DNS servers of notice:
ns1.moorcargo .net
ns1.aj-realtors .com - Email: support@ajr.com
ns1.groupswat .com
ns1.elkins-realty .net - Email: BO.la@yahoo.com
ns1.nocksold .com - Email: termer@counsellor.com
ns1.seldomservice .net - 89.238.165.195 - Email: pp0271@gmail.com
ns1.viking-gave .net - 89.238.165.195 - Email: glonders@gmail.com
ns1.controlpanellsolutions .com - 212.95.50.175 - Email: jobwes@clerk.com
Hundreds of typosquatted subdomains reside within the following currently active domains:
ujjiks.co .im
ujjiks.com .im
ujjiks.org .im
ujjikx.co .im
ujjikx.com .im
ujjikx.org .im
molendf.co .kr
molendf .com
molendf .kr
molendf.ne .kr
molendf.or .kr
vcrssd1 .cc
vcrssd1 .eu
vfrtssd .com
vsmprot.co .uk
vsmprot .com
vsmprot .eu
vsmprot.me .uk
vsmprot.org .uk
ikuu8a .com - Email: bjnjnsls@technologist.com
ikuu8d .com - Email: bjnjnsls@technologist.com
ikuu8e .com - Email: bjnjnsls@technologist.com
ikuu8q .com - Email: bjnjnsls@technologist.com
ikuu8s .com - Email: bjnjnsls@technologist.com
ikuu8w .com - Email: bjnjnsls@technologist.com
ikuu8x .com - Email: bjnjnsls@technologist.com
ikuu8z .com - Email: bjnjnsls@technologist.com
ikuu8a .net - Email: bjnjnsls@technologist.com
ikuu8e .net - Email: bjnjnsls@technologist.com
ikuu8q .net - Email: bjnjnsls@technologist.com
ikuu8s .net - Email: bjnjnsls@technologist.com
ikuu8w .net - Email: bjnjnsls@technologist.com
ikuu8x .net - Email: bjnjnsls@technologist.com
ikuu8z .net - Email: bjnjnsls@technologist.com
yhuttte.ne .kr - Email: scepterpdg@chemist.com
yhuttti.ne .kr - Email: scepterpdg@chemist.com
yhutttu.ne .kr - Email: scepterpdg@chemist.com
yhuttte .kr - Email: scepterpdg@chemist.com
yhuttti .kr - Email: scepterpdg@chemist.com
yhuttte.co .kr - Email: scepterpdg@chemist.com
yhuttti.co .kr - Email: scepterpdg@chemist.com
yhutttr.co .kr - Email: scepterpdg@chemist.com
yhutttu.co .kr - Email: scepterpdg@chemist.com
yhuttte.or .kr - Email: scepterpdg@chemist.com
yhuttti.or .kr - Email: scepterpdg@chemist.com
yhutttr.or .kr - Email: scepterpdg@chemist.com
yhutttu.or .kr - Email: scepterpdg@chemist.com
yhutttr .kr - Email: scepterpdg@chemist.com
yhutttu .kr - Email: scepterpdg@chemist.com
ujyhl.ne .kr - Email: combinetct@financier.com
ujyho.ne .kr - Email: combinetct@financier.com
ujyhf .kr - Email: combinetct@financier.com
ujyhl .kr - Email: combinetct@financier.com
ujyhf.co .kr - Email: combinetct@financier.com
ujyhl.co .kr - Email: combinetct@financier.com
ujyho.co .kr - Email: combinetct@financier.com
ujyhs.co .kr - Email: combinetct@financier.com
ujyho .kr - Email: combinetct@financier.com
ujyhf.or .kr - Email: combinetct@financier.com
ujyhl.or .kr - Email: combinetct@financier.com
ujyho.or .kr - Email: combinetct@financier.com
ujyhs.or .kr - Email: combinetct@financier.com
ujyhs .kr - Email: combinetct@financier.com
Seen within the past 24 hours, now offline domains part of the campaign:
yhe3essa .com.pl
yhe3essd .com.pl
yhe3esse .com.pl
yhe3essf .com.pl
yhe3essg .com.pl
yhe3essi .com.pl
yhe3esso .com.pl
yhe3essp .com.pl
yhe3essq .com.pl
yhe3essr .com.pl
yhe3esss .com.pl
yhe3esst .com.pl
yhe3essu .com.pl
yhe3essw .com.pl
yhe3essy .com.pl
ok9iio1 .com
ok9iio2 .com
ok9iio3 .com
ok9iio4 .com
ok9iio5 .com
ok9iio6 .com
ok9iio7 .com
ok9iio8 .com
ok9iio1 .net
ok9iio2 .net
ok9iio3 .net
ok9iio4 .net
ok9iio5 .net
ok9iio6 .net
ok9iio7 .net
Upon execution the sample phones back to the already blacklisted by the Zeus Tracker nekovo .ru:
nekovo .ru/cbd/nekovo.bri; nekovo .ru/ip.php - 109.95.114.70 - Email: kievsk@yandex.ru - AS50215 - Troyak-as Starchenko Roman Fedorovich.
Related Zeus crimeware name servers respond to the same IP:
- ns1.trust-service .cn - (domain itself responds to 193.104.41.133) - Email: olezhiosapiel@yahoo.es
- ns1.elnasa .ru - (domain itself responds to 91.200.164.12) - Email: kievsk@yandex.ru
- ns1.recessa .ru - (domain itself responds to 193.104.41.69) - Email: kievsk@yandex.ru
- ns1.stomaid .ru - (domain itself responds to 91.200.164.10) - Email: kievsk@yandex.ru
Parked withn the same AS, are also the following currently active Zeus crimeware serving domains:
web-information-services .com - 91.198.109.69 - Email: pita@bigmailbox.ru
erthjuyt44u .com - 91.198.109.19 - Email: rails@qx8.ru
excellenthostingservice .com - 91.198.109.48 - Email: xm@qx8.ru
goldhostingservice .com - 91.198.109.32 - Email: clod@qx8.ru
Pretty much your typical cybercrime-friendly virtual neighborhood.
Related posts:
Pushdo Injecting Bogus Swine Flu Vaccine
"Your mailbox has been deactivated" Spam Campaign Serving Crimeware
Ongoing FDIC Spam Campaign Serves Zeus Crimeware
The Multitasking Fast-Flux Botnet that Wants to Bank With You
This post has been reproduced from Dancho Danchev's blog.
UPDATED: Saturday, January 09, 2010 - The post has been updated with the latest domains spammed within the past 24 hours. The spam campaign is ongoing.
A currently ongoing spam campaign is using the "Your default mailbox settings have changed" theme, in order to infect gullible users into executing Trojan-Spy.Win32.Zbot (settings-file.exe).
Sample message:
"The default settings of your mailbox were automatically changed. Please download and launch a file with a new set of settings for your e-mail account:fx-settings-file.exe.
We constantly work on the quality level of our service, as well as on the development of its security and protection. During the last upgrade several essential improvements were adopted, such as new ports for the POP3 & SMTP protocols, plus the SMTP autentification. The new settings are necessary for those who use the mailings clients (for ex. Microsoft Outlook, The Bat!, Mozilla Thunderbird etc.) or those who use our service via the web-interface."
Sample campaign structure: molendf.co .kr/owa/service_directory/settings.php?email=fx@yahoo.com&from=yahoo.com&fromname=fx
Fast-fluxed seed IPs:
61.64.170.232
77.126.141.142
188.56.139.174
189.110.244.68
189.179.13.36
190.82.217.255
195.174.109.241
200.169.71.144
201.232.187.200
201.236.48.117
210.106.80.90
218.153.64.25
221.26.184.25
59.92.58.166
61.20.133.88
DNS servers of notice:
ns1.moorcargo .net
ns1.aj-realtors .com - Email: support@ajr.com
ns1.groupswat .com
ns1.elkins-realty .net - Email: BO.la@yahoo.com
ns1.nocksold .com - Email: termer@counsellor.com
ns1.seldomservice .net - 89.238.165.195 - Email: pp0271@gmail.com
ns1.viking-gave .net - 89.238.165.195 - Email: glonders@gmail.com
ns1.controlpanellsolutions .com - 212.95.50.175 - Email: jobwes@clerk.com
Hundreds of typosquatted subdomains reside within the following currently active domains:
ujjiks.co .im
ujjiks.com .im
ujjiks.org .im
ujjikx.co .im
ujjikx.com .im
ujjikx.org .im
molendf.co .kr
molendf .com
molendf .kr
molendf.ne .kr
molendf.or .kr
vcrssd1 .cc
vcrssd1 .eu
vfrtssd .com
vsmprot.co .uk
vsmprot .com
vsmprot .eu
vsmprot.me .uk
vsmprot.org .uk
ikuu8a .com - Email: bjnjnsls@technologist.com
ikuu8d .com - Email: bjnjnsls@technologist.com
ikuu8e .com - Email: bjnjnsls@technologist.com
ikuu8q .com - Email: bjnjnsls@technologist.com
ikuu8s .com - Email: bjnjnsls@technologist.com
ikuu8w .com - Email: bjnjnsls@technologist.com
ikuu8x .com - Email: bjnjnsls@technologist.com
ikuu8z .com - Email: bjnjnsls@technologist.com
ikuu8a .net - Email: bjnjnsls@technologist.com
ikuu8e .net - Email: bjnjnsls@technologist.com
ikuu8q .net - Email: bjnjnsls@technologist.com
ikuu8s .net - Email: bjnjnsls@technologist.com
ikuu8w .net - Email: bjnjnsls@technologist.com
ikuu8x .net - Email: bjnjnsls@technologist.com
ikuu8z .net - Email: bjnjnsls@technologist.com
yhuttte.ne .kr - Email: scepterpdg@chemist.com
yhuttti.ne .kr - Email: scepterpdg@chemist.com
yhutttu.ne .kr - Email: scepterpdg@chemist.com
yhuttte .kr - Email: scepterpdg@chemist.com
yhuttti .kr - Email: scepterpdg@chemist.com
yhuttte.co .kr - Email: scepterpdg@chemist.com
yhuttti.co .kr - Email: scepterpdg@chemist.com
yhutttr.co .kr - Email: scepterpdg@chemist.com
yhutttu.co .kr - Email: scepterpdg@chemist.com
yhuttte.or .kr - Email: scepterpdg@chemist.com
yhuttti.or .kr - Email: scepterpdg@chemist.com
yhutttr.or .kr - Email: scepterpdg@chemist.com
yhutttu.or .kr - Email: scepterpdg@chemist.com
yhutttr .kr - Email: scepterpdg@chemist.com
yhutttu .kr - Email: scepterpdg@chemist.com
ujyhl.ne .kr - Email: combinetct@financier.com
ujyho.ne .kr - Email: combinetct@financier.com
ujyhf .kr - Email: combinetct@financier.com
ujyhl .kr - Email: combinetct@financier.com
ujyhf.co .kr - Email: combinetct@financier.com
ujyhl.co .kr - Email: combinetct@financier.com
ujyho.co .kr - Email: combinetct@financier.com
ujyhs.co .kr - Email: combinetct@financier.com
ujyho .kr - Email: combinetct@financier.com
ujyhf.or .kr - Email: combinetct@financier.com
ujyhl.or .kr - Email: combinetct@financier.com
ujyho.or .kr - Email: combinetct@financier.com
ujyhs.or .kr - Email: combinetct@financier.com
ujyhs .kr - Email: combinetct@financier.com
Seen within the past 24 hours, now offline domains part of the campaign:
yhe3essa .com.pl
yhe3essd .com.pl
yhe3esse .com.pl
yhe3essf .com.pl
yhe3essg .com.pl
yhe3essi .com.pl
yhe3esso .com.pl
yhe3essp .com.pl
yhe3essq .com.pl
yhe3essr .com.pl
yhe3esss .com.pl
yhe3esst .com.pl
yhe3essu .com.pl
yhe3essw .com.pl
yhe3essy .com.pl
ok9iio1 .com
ok9iio2 .com
ok9iio3 .com
ok9iio4 .com
ok9iio5 .com
ok9iio6 .com
ok9iio7 .com
ok9iio8 .com
ok9iio1 .net
ok9iio2 .net
ok9iio3 .net
ok9iio4 .net
ok9iio5 .net
ok9iio6 .net
ok9iio7 .net
Upon execution the sample phones back to the already blacklisted by the Zeus Tracker nekovo .ru:
nekovo .ru/cbd/nekovo.bri; nekovo .ru/ip.php - 109.95.114.70 - Email: kievsk@yandex.ru - AS50215 - Troyak-as Starchenko Roman Fedorovich.
Related Zeus crimeware name servers respond to the same IP:
- ns1.trust-service .cn - (domain itself responds to 193.104.41.133) - Email: olezhiosapiel@yahoo.es
- ns1.elnasa .ru - (domain itself responds to 91.200.164.12) - Email: kievsk@yandex.ru
- ns1.recessa .ru - (domain itself responds to 193.104.41.69) - Email: kievsk@yandex.ru
- ns1.stomaid .ru - (domain itself responds to 91.200.164.10) - Email: kievsk@yandex.ru
Parked withn the same AS, are also the following currently active Zeus crimeware serving domains:
web-information-services .com - 91.198.109.69 - Email: pita@bigmailbox.ru
erthjuyt44u .com - 91.198.109.19 - Email: rails@qx8.ru
excellenthostingservice .com - 91.198.109.48 - Email: xm@qx8.ru
goldhostingservice .com - 91.198.109.32 - Email: clod@qx8.ru
Pretty much your typical cybercrime-friendly virtual neighborhood.
Related posts:
Pushdo Injecting Bogus Swine Flu Vaccine
"Your mailbox has been deactivated" Spam Campaign Serving Crimeware
Ongoing FDIC Spam Campaign Serves Zeus Crimeware
The Multitasking Fast-Flux Botnet that Wants to Bank With You
This post has been reproduced from Dancho Danchev's blog.
Independent Security Consultancy, Threat Intelligence Analysis (OSINT/Cyber Counter Intelligence) and Competitive Intelligence research on demand. Insightful, unbiased, and client-tailored assessments, neatly communicated in the form of interactive reports - because anticipating the emerging threatscape is what shapes the big picture at the end of the day. Approach me at dancho.danchev@hush.com
Scareware, Blackhat SEO, Spam and Google Groups Abuse, Courtesy of the Koobface Gang
The Koobface gang is known to have embraced the potential of the "underground multi-tasking" model a long time ago, in order to achieve the "malicious economies of scale" effect. This "underground multi-tasking" most commonly comes in the form of multiple monetization campaigns, which upon closer analysis always lead back to the Koobface gang's infrastructure. In fact, the gang is so obsessed with efficiency, that particular redirectors and key malicious domains for a particular campaign, are also, simultaneously rotated across all the campaigns that they manage.
For instance, throughout the past half an year, a huge percentage of the malicious infrastructure used simultaneously in multiple campaigns, was parked on the now shut down Riccom LTD - AS29550. From the massive blackhat SEO campaigns affecting millions of legitimate web sites managed by the gang, to the malvertising attack at the New York Times web site, and the click-fraud facilitating Bahama botnet, the Koobface botnet is only the tip of the iceberg for the efficient and fraudulent money machine that the gang operates.
In this analysis, I'll once again establish a connection between the ongoing blackhat SEO campaigns managed by the gang (Blackhat SEO Campaign Hijacks U.S Federal Form Keywords, Serves Scareware; U.S Federal Forms Blackhat SEO Themed Scareware Campaign Expanding; Dissecting the Ongoing U.S Federal Forms Themed Blackhat SEO Campaign), with a spam campaign that's also syndicated across multiple Google Groups, and the Koobface botnet itself, with a particular emphasis on the scareware monetization taking place across all the campaigns.
Related Koobface research and analysis:
The Koobface Gang Wishes the Industry "Happy Holidays"
Koobface-Friendly Riccom LTD - AS29550 - (Finally) Taken Offline
Koobface Botnet Starts Serving Client-Side Exploits
Massive Scareware Serving Blackhat SEO, the Koobface Gang Style
Koobface Botnet's Scareware Business Model - Part Two
Koobface Botnet's Scareware Business Model - Part One
Koobface Botnet Redirects Facebook's IP Space to my Blog
New Koobface campaign spoofs Adobe's Flash updater
Social engineering tactics of the Koobface botnet
Koobface Botnet Dissected in a TrendMicro Report
Movement on the Koobface Front - Part Two
Movement on the Koobface Front
Koobface - Come Out, Come Out, Wherever You Are
Dissecting Koobface Worm's Twitter Campaign
This post has been reproduced from Dancho Danchev's blog.
Independent Security Consultancy, Threat Intelligence Analysis (OSINT/Cyber Counter Intelligence) and Competitive Intelligence research on demand. Insightful, unbiased, and client-tailored assessments, neatly communicated in the form of interactive reports - because anticipating the emerging threatscape is what shapes the big picture at the end of the day. Approach me at dancho.danchev@hush.com
Monday, January 04, 2010
Top Ten Must-Read DDanchev Posts For 2009
The following ten posts have been featured due to their insightful content, comprehensiveness of the topic covered, and due to plain simple exclusivity in the time of publishing, and not necessarily based on page views.
Thank you for being a regular reader of my personal blog. Feel free to subscribe to my RSS feed, keep track of my posts at ZDNet's Zero Day, or follow me on Twitter.
01. Conficker's Scareware/Fake Security Software Business Model
02. Koobface Botnet's Scareware Business Model - Part One and Part Two
03. Inside a Money Laundering Group's Spamming Operations
04. A Peek Inside the Managed Blackhat SEO Ecosystem
05. Iranian Opposition DDoS-es pro-Ahmadinejad Sites
06. Koobface Botnet Redirects Facebook's IP Space to my Blog
07. Standardizing the Money Mule Recruitment Process
08. Koobface Botnet Starts Serving Client-Side Exploits
09. The SMS Ransomware series - SMS Ransomware Displays Persistent Inline Ads; SMS Ransomware Source Code Now Offered for Sale; 3rd SMS Ransomware Variant Offered for Sale; 4th SMS Ransomware Variant Offered for Sale; 5th SMS Ransomware Variant Offered for Sale; 6th SMS Ransomware Variant Offered for Sale
10. The Koobface Gang Wishes the Industry "Happy Holidays"
This post has been reproduced from Dancho Danchev's blog.
Thank you for being a regular reader of my personal blog. Feel free to subscribe to my RSS feed, keep track of my posts at ZDNet's Zero Day, or follow me on Twitter.
01. Conficker's Scareware/Fake Security Software Business Model
02. Koobface Botnet's Scareware Business Model - Part One and Part Two
03. Inside a Money Laundering Group's Spamming Operations
04. A Peek Inside the Managed Blackhat SEO Ecosystem
05. Iranian Opposition DDoS-es pro-Ahmadinejad Sites
06. Koobface Botnet Redirects Facebook's IP Space to my Blog
07. Standardizing the Money Mule Recruitment Process
08. Koobface Botnet Starts Serving Client-Side Exploits
09. The SMS Ransomware series - SMS Ransomware Displays Persistent Inline Ads; SMS Ransomware Source Code Now Offered for Sale; 3rd SMS Ransomware Variant Offered for Sale; 4th SMS Ransomware Variant Offered for Sale; 5th SMS Ransomware Variant Offered for Sale; 6th SMS Ransomware Variant Offered for Sale
10. The Koobface Gang Wishes the Industry "Happy Holidays"
This post has been reproduced from Dancho Danchev's blog.
Independent Security Consultancy, Threat Intelligence Analysis (OSINT/Cyber Counter Intelligence) and Competitive Intelligence research on demand. Insightful, unbiased, and client-tailored assessments, neatly communicated in the form of interactive reports - because anticipating the emerging threatscape is what shapes the big picture at the end of the day. Approach me at dancho.danchev@hush.com
Top Ten Must-Read Posts at ZDNet's Zero Day for 2009
The end of the year naturally means a rush to come up with 'best of the best' top lists consisting of your finest content. However, based on personal observations, during the holidays season the short attention span of the average reader becomes even shorter with everyone looking forward to taking a well-deserved break. Therefore, the first working week of the new year appears to be the perfect moment to summarize some of my most insightful posts/analysis published at ZDNet's Zero Day for 2009.
The following ten posts have been featured due to their insightful content, comprehensiveness of the topic covered, and due to plain simple exclusivity in the time of their publishing. You will be, of course, missing the big picture if you don't keep track of Ryan Naraine's coverage.
Thank you for being a Zero Day reader!
01. Microsoft study debunks phishing profitability
02. Inside BBC's Chimera botnet
03. China's 'secure' OS Kylin - a threat to U.S offsensive cyber capabilities?
04. Microsoft study debunks profitability of the underground economy
05. Iranian opposition launches organized cyber attack against pro-Ahmadinejad sites - Related coverage
06. The Ultimate Guide to Scareware Protection
07. 'Anonymous' group attempts DDoS attack against Australian government (Operation Didgeridie)
08. Google's CAPTCHA experiment and the human factor
09. Does software piracy lead to higher malware infection rates?
10. Koobface botnet enters the Xmas season
Related posts:
Summarizing Zero Day's Posts for January, 2009
Summarizing Zero Day's Posts for February, 2009
Summarizing Zero Day's Posts for March, 2009
Summarizing Zero Day's Posts for April, 2009
Summarizing Zero Day's Posts for May, 2009
Summarizing Zero Day's Posts for June, 2009
Summarizing Zero Day's Posts for July, 2009
Summarizing Zero Day's Posts for August, 2009
Summarizing Zero Day's Posts for September, 2009
Summarizing Zero Day's Posts for October, 2009
Summarizing Zero Day's Posts for November, 2009
Summarizing Zero Day's Posts for December, 2009
This post has been reproduced from Dancho Danchev's blog.
Independent Security Consultancy, Threat Intelligence Analysis (OSINT/Cyber Counter Intelligence) and Competitive Intelligence research on demand. Insightful, unbiased, and client-tailored assessments, neatly communicated in the form of interactive reports - because anticipating the emerging threatscape is what shapes the big picture at the end of the day. Approach me at dancho.danchev@hush.com
Summarizing Zero Day's Posts for December
The following is a brief summary of all of my posts at ZDNet's Zero Day for December, 2009.
You can also go through previous summaries, as well as subscribe to my personal RSS feed, Zero Day's main feed, or follow all of ZDNet's blogs on Twitter.
01. Koobface botnet enters the Xmas season
02. How many people fall victim to phishing attacks?
03. Zeus crimeware using Amazon's EC2 as command and control server
04. Report: Google's reCAPTCHA flawed
05. FBI: Scareware distributors stole $150M
This post has been reproduced from Dancho Danchev's blog.
You can also go through previous summaries, as well as subscribe to my personal RSS feed, Zero Day's main feed, or follow all of ZDNet's blogs on Twitter.
01. Koobface botnet enters the Xmas season
02. How many people fall victim to phishing attacks?
03. Zeus crimeware using Amazon's EC2 as command and control server
04. Report: Google's reCAPTCHA flawed
05. FBI: Scareware distributors stole $150M
This post has been reproduced from Dancho Danchev's blog.
Independent Security Consultancy, Threat Intelligence Analysis (OSINT/Cyber Counter Intelligence) and Competitive Intelligence research on demand. Insightful, unbiased, and client-tailored assessments, neatly communicated in the form of interactive reports - because anticipating the emerging threatscape is what shapes the big picture at the end of the day. Approach me at dancho.danchev@hush.com
Subscribe to:
Posts (Atom)