With China in the focus of international fiasco (consider going through the Google-China cyber espionage saga - FAQ)
Related Chinese hacking/hacktivism coverage:
Localizing Open Source Malware
Custom DDoS Capabilities Within a Malware
Custom DDoS Attacks Within Popular Malware Diversifying
The FirePack Exploitation Kit Localized to Chinese
MPack and IcePack Localized to Chinese
Massive SQL Injection Attacks - the Chinese Way
A Chinese DIY Multi-Feature Malware
DIY Chinese Passwords Stealer
A Chinese Malware Downloader in the Wild
Chinese Hackers Attacking U.S Department of Defense Networks
Chinese Hacktivists Waging People's Information Warfare Against CNN
The DDoS Attack Against CNN.com
This post has been reproduced from Dancho Danchev's blog. Follow him on Twitter.
Tuesday, January 26, 2010
Inside a Commercial Chinese DIY DDoS Platform
With China in the focus of international fiasco (consider going through the Google-China cyber espionage saga - FAQ)
Related Chinese hacking/hacktivism coverage:
Localizing Open Source Malware
Custom DDoS Capabilities Within a Malware
Custom DDoS Attacks Within Popular Malware Diversifying
The FirePack Exploitation Kit Localized to Chinese
MPack and IcePack Localized to Chinese
Massive SQL Injection Attacks - the Chinese Way
A Chinese DIY Multi-Feature Malware
DIY Chinese Passwords Stealer
A Chinese Malware Downloader in the Wild
Chinese Hackers Attacking U.S Department of Defense Networks
Chinese Hacktivists Waging People's Information Warfare Against CNN
The DDoS Attack Against CNN.com
This post has been reproduced from Dancho Danchev's blog. Follow him on Twitter.
Related Chinese hacking/hacktivism coverage:
Localizing Open Source Malware
Custom DDoS Capabilities Within a Malware
Custom DDoS Attacks Within Popular Malware Diversifying
The FirePack Exploitation Kit Localized to Chinese
MPack and IcePack Localized to Chinese
Massive SQL Injection Attacks - the Chinese Way
A Chinese DIY Multi-Feature Malware
DIY Chinese Passwords Stealer
A Chinese Malware Downloader in the Wild
Chinese Hackers Attacking U.S Department of Defense Networks
Chinese Hacktivists Waging People's Information Warfare Against CNN
The DDoS Attack Against CNN.com
This post has been reproduced from Dancho Danchev's blog. Follow him on Twitter.
Facebook/AOL Update Tool Spam Campaign Serving Crimeware and Client-Side Exploits
The botnet masters have introduced several new name servers -- domain suspension is pending -- but continue using the same IP embedded on all the pages, for serving the client-side exploits, with a slight change in the directory structure.
- Sample subject: Facebook Update Tool
- Sample body: "Dear Facebook user, In an effort to make your online experience safer and more enjoyable, Facebook will be implementing a new login system that will affect all Facebook users. These changes will offer new features and increased account security. Before you are able to use the new login system, you will be required to update your account. Click here to update your account online now. If you have any questions, reference our New User Guide. Thanks, The Facebook Team"
- Sample URL: facebook.com.ddeassrq .vc/usr/LoginFacebook.php?ref
- Detection rates for scripts/crimeware/exploits: File.exe (phones back to the currently down nekovo .ru/cbd/nekovo.bri); IE.js; IE2.js; nowTrue.swf; pdf.pdf
- Sample iFrame exploitation structure: 109.95.114 .251/us01d/in.php
- 109.95.114 .251/us01d/jquery.jxx
- 109.95.114 .251/us01d/xd/pdf.pdf
- 109.95.114 .251/us01d/load.php
- 109.95.114 .251/us01d/file.exe
- Sample typosquatted and currently active domains: ddeasaeq .vc - Email: mspspaceki@mad.scientist.com
ddeasuqq .vc - Email: mspspaceki@mad.scientist.com
ddeassrq .vc - Email: mspspaceki@mad.scientist.com
ddeasutq .vc - Email: mspspaceki@mad.scientist.com
ddeasauq .vc - Email: mspspaceki@mad.scientist.com
ddeasqwq .vc - Email: mspspaceki@mad.scientist.com
ddeasqyq .vc - Email: mspspaceki@mad.scientist.com
reeesassf .la - Email: palatalizefxt@popstar.com
ukgedsa.com .hn - Email: zmamarc689@witty.com
ukgedsc.com .vc - Email: zmamarc689@witty.com
ukgedse.com .hn - Email: zmamarc689@witty.com
ukgedsg.com .vc - Email: zmamarc689@witty.com
ukgedsh.com .vc - Email: zmamarc689@witty.com
ukgedsi .hn - Email: zmamarc689@witty.com
ukgedsq.com .hn - Email: zmamarc689@witty.comukgedsr.com .sc - Email: zmamarc689@witty.com
ukgedst.com .sc - Email: zmamarc689@witty.com
ukgedsu.com .vc - Email: zmamarc689@witty.com
ukgedsv.com .vc - Email: zmamarc689@witty.com
ukgedsy.com .vc - Email: zmamarc689@witty.com
- Name servers of notice:
ns1.availname .net - 204.12.229.89 - Email: Larimore@yahoo.com
ns1.sorbauto .com - 204.12.229.89 - Email: xtrai@email.com
ns1.worldkinofest .com - Email: tolosa1965@snail-mail.net
ns1.pdsproperties .net - 92.84.23.138 - Email: PDSProperties@yahoo.com
ns1.drinckclub .com - 94.23.177.147 - Email: excins@iname.com
ns1.transsubmit .net - 94.23.177.147 - Email: Alaniz@gmail.com
ns1.theautocompany .net - suspended
ns1.24stophours .com - suspended
ns1.disksilver .net - suspended
Thankfully, quality assurance is not taken into consideration in this campaign - the iFrame's IP is already heavily blacklisted, and the crimeware sample itself attempts to phone back to a C&C that has been down for several days.
The gang's activities will be updated as they happen.
Related posts:
Pushdo Serving Crimeware, Client-Side Exploits and Russian Bride Scams
Outlook Web Access Themed Spam Campaign Serves Zeus Crimeware
Pushdo Injecting Bogus Swine Flu Vaccine
"Your mailbox has been deactivated" Spam Campaign Serving Crimeware
Ongoing FDIC Spam Campaign Serves Zeus Crimeware
The Multitasking Fast-Flux Botnet that Wants to Bank With You
This post has been reproduced from Dancho Danchev's blog.