Massive Blackhat SEO Campaign Serving Scareware

April 22, 2009
Over the past couple of days, I've been monitoring yet another massive blackhat SEO campaign consisting of the typical hundreds of thousands of already crawled bogus pages serving scareware/fake security software.

Later on, Google detected the campaign and removed all the blackhat SEO farms from its index, which at the time of assessment amounted to close to a hundred domains with hundreds of subdomains, and thousands of pages within.

And although the abuse notifications for some of the central redirection domains proved effective, it took the cybercriminals approximately 24 hours to catch up and once again start hijacking search queries, in a combination of scareware and pay-per-click redirections.

It's worth pointing out that this very latest campaign is directly related to last week's keywords hijacking blackhat SEO campaign, with both campaigns relying on identical redirection domains and serving the same malware. Who's behind these search engine poisoning attacks? A Ukrainian gang monetizing the hijacked traffic through the usual channels - scareware and reselling of the anticipated traffic.

The first stage of the campaign relied on mainstream media titles within its pages, such as "USA News", "BBC News" and "CNN News", as well as "Hottest info!", "HOT NEWS", "Official Website" and "Official Site", thereby making it fairly easy to expose their portfolio of domains.

Interestingly, the cybercriminals appear to have detected the activity -- certain traffic management kits can log attempts at wandering around -- and removed the titles, which, combined with the typical referrer checking, made the campaign a bit more evasive:

"var ref,i,is_se=0; var se = new Array("google.","msn.","yahoo.","comcast.","aol.","dead"); if(document.referrer)ref=document.referrer; else ref=""; for(i=0;i<5;i++"

Once the user visits any of the domains within the portfolio, with a referrer check confirming that a search engine was used to get there, two javascripts load: one dynamically redirecting to the portfolio of fake security software, and the other logging the visit using a Ukrainian web site counter service (c.hit.ua/hit?i=6058&g=0&x=2&s=1&c=1&t=420&w=1024&h=768&d=24&0.5505934176708958&r=&u=http%3A//13news.hobby-site.com/counter.js).


The most recent list of domains on popular DNS services is as follows. Sub-domains are excluded since there are several hundred currently active per domain:

The rotated scareware/fake security software domains include scan-antispyware-4pc .com, parked at 195.88.81.93 alongside the same portfolio of fake security software domains which I warned that blocking would proactively protect your customers from blackhat SEO campaigns like this one.


Download locations/related fake codec redirections:

Sample detection rates:

Monitoring of the campaign will continue.

Related posts:
Dissecting the Bogus LinkedIn Profiles Malware Campaign
Bogus LinkedIn Profiles Redirect to Malware and Rogue Security Software
Blackhat SEO Redirects to Malware and Rogue Software
The Invisible Blackhat SEO Campaign
Attack of the SEO Bots on the .EDU Domain
p0rn.gov - The Ongoing Blackhat SEO Operation
The Continuing .Gov Blackat SEO Campaign
The Continuing .Gov Blackhat SEO Campaign - Part Two
Rogue RBN Software Pushed Through Blackhat SEO
Massive Blackhat SEO Targeting Blogspot
Blackhat SEO Campaign at The Millennium Challenge Corporation

A CCDCOE Report on the Cyber Attacks Against Georgia

April 16, 2009
Following the coverage of my "Coordinated Russia vs Georgia cyber attack in progress" research in the Georgian government's official report "Russian Cyberwar on Georgia" (on page 4), I was very excited to find out that a report by NATO's Cooperative Cyber Defense Centre of Excellence entitled "Cyber Attacks Against Georgia: Legal Lessons Identified", authored by Eneken Tikk, Kadri Kaska, Kristel Rünnimeri, Mari Kert, Anna-Maria Talihärm and Liis Vihul, is not only quoting me extensively, but has also reproduced the entire research within the Annexes.

Looks great!

Recommended reading:
DDoS Attack Graphs from Russia vs Georgia's Cyberattacks
The Russia vs Georgia Cyber Attack
Pro-Israeli (Pseudo) Cyber Warriors Want your Bandwidth
People's Information Warfare Concept
Combating Unrestricted Warfare
The Cyber Storm II Cyber Exercise
Chinese Hacktivists Waging People's Information Warfare Against CNN
The DDoS Attacks Against CNN.com
China's Cyber Espionage Ambitions
North Korea's Cyber Warfare Unit 121
Chinese Hackers Attacking U.S Department of Defense Networks

A Diverse Portfolio of Fake Security Software - Part Nineteen

April 16, 2009
You know things are getting out of hand when the scareware ecosystem scales to the point where typosquatted scareware domains are offering removal services for the very same scareware, distributed under multiple brands.

In response to the potential Conficker-ization of the scareware business, part nineteen of the Diverse Portfolio of Fake Security Software is the most massive update since the series started, and for a reason - to squeeze the cybercrime ecosystem and ruin their malicious economies-of-scale revenue generation approaches.

Here are the most recent additions, with their associated registrant emails for clustering, cross-checking, and case building purposes:

seresult.com is a traffic management domain for the campaign (e.g. seresult .com/go.php?id=3466).

Blacklisting the scareware domains -- until the domains themselves get suspended -- proactively protects your customers from the "final output" of a huge percentage of attacks taking advantage of blackhat SEO, SQL injection, site compromise, malvertising, and automatic abuse of Web 2.0 services through human-based CAPTCHA solving, such as Digg, LinkedIn, Bebo, Picasa, ImageShack, YouTube and Google Video.
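As an added example (not the author's own tooling), here is how the registrant e-mail and hosting IP pivots listed throughout this post can be turned into clusters, a per-cluster evidence summary, and a blocklist in Python. The registration records are constructed with reserved example addresses and made-up names, not taken from the lists above.

```python
from collections import defaultdict

# Constructed registration records (domain, hosting IP, registrant e-mail) for this
# example. Names and addresses are made up; only the shape mirrors the post's
# clusters: throwaway domains sharing an IP or an e-mail, one "removal tool"
# typosquat tied to the rest only by its IP, one domain with no e-mail on record,
# and one unrelated domain that must not be blocked.
RECORDS = [
    ("scan-wiz-1.example", "203.0.113.10", "reg-a@example.net"),
    ("sys-scanner-1.example", "203.0.113.10", "reg-a@example.net"),
    ("av-lookup.example", "203.0.113.11", "reg-a@example.net"),
    ("remove-sys-scanner.example", "203.0.113.11", "reg-b@example.net"),
    ("best-stability-scan.example", "198.51.100.7", "reg-c@example.net"),
    ("web-protection-scan.example", "198.51.100.7", None),
    ("unrelated-shop.example", "192.0.2.50", "owner@example.org"),
]


def cluster(records, pivot_on=("ip", "email")):
    """Group domains that transitively share any selector named in pivot_on,
    using union-find; returns clusters as sorted lists, largest first."""
    parent = {}

    def find(x):
        parent.setdefault(x, x)
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path halving
            x = parent[x]
        return x

    def union(a, b):
        ra, rb = find(a), find(b)
        if ra != rb:
            parent[ra] = rb

    first_seen = {}  # (selector kind, value) -> first domain carrying it
    for domain, ip, email in records:
        find(domain)  # register singletons so lonely domains still appear
        for kind, value in (("ip", ip), ("email", email)):
            if kind not in pivot_on or not value:
                continue
            key = (kind, value.lower())
            if key in first_seen:
                union(domain, first_seen[key])
            else:
                first_seen[key] = domain

    groups = defaultdict(set)
    for domain, _, _ in records:
        groups[find(domain)].add(domain)
    return sorted((sorted(g) for g in groups.values()), key=lambda g: (-len(g), g))


def shared_selectors(records, group):
    """The evidence behind a cluster: every IP or e-mail carried by at least two
    of its domains, mapped to those domains (what a case file needs to show)."""
    carriers = defaultdict(set)
    for domain, ip, email in records:
        if domain not in group:
            continue
        for kind, value in (("ip", ip), ("email", email)):
            if value:
                carriers[(kind, value.lower())].add(domain)
    return {k: sorted(v) for k, v in carriers.items() if len(v) >= 2}


def blocklist(records, seed, pivot_on=("ip", "email")):
    """Expand one confirmed scareware domain into the whole cluster to block."""
    for group in cluster(records, pivot_on):
        if seed in group:
            return group
    return [seed]


if __name__ == "__main__":
    for group in cluster(RECORDS):
        print(group, shared_selectors(RECORDS, group))
    print("block:", blocklist(RECORDS, "scan-wiz-1.example"))
```

Pivoting on the e-mail alone leaves the IP-only typosquat out of the cluster, which is the case for cross-checking both selectors before blocking.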

Related posts:
A Diverse Portfolio of Fake Security Software - Part Eighteen
A Diverse Portfolio of Fake Security Software - Part Seventeen
A Diverse Portfolio of Fake Security Software - Part Sixteen
A Diverse Portfolio of Fake Security Software - Part Fifteen
A Diverse Portfolio of Fake Security Software - Part Fourteen
A Diverse Portfolio of Fake Security Software - Part Thirteen
A Diverse Portfolio of Fake Security Software - Part Twelve
A Diverse Portfolio of Fake Security Software - Part Eleven
A Diverse Portfolio of Fake Security Software - Part Ten
A Diverse Portfolio of Fake Security Software - Part Nine
A Diverse Portfolio of Fake Security Software - Part Eight
A Diverse Portfolio of Fake Security Software - Part Seven
A Diverse Portfolio of Fake Security Software - Part Six
A Diverse Portfolio of Fake Security Software - Part Five
A Diverse Portfolio of Fake Security Software - Part Four
A Diverse Portfolio of Fake Security Software - Part Three
A Diverse Portfolio of Fake Security Software - Part Two
Diverse Portfolio of Fake Security Software

Twitter Worm Mikeyy Keywords Hijacked to Serve Scareware

April 15, 2009
Not necessarily in real time (see Syndicating Google Trends Keywords for Blackhat SEO), but scareware/fake security software distributors quickly attempted to capitalize on the anticipated traffic related to this weekend's Twitter XSS worm, StalkDaily/Mikeyy.

What's particularly interesting about this campaign is not the fact that all of the currently active domains are operated by the same individual/group of individuals, or that their blackhat SEO farms are growing to cover a much wider portfolio of keywords.

It's a tiny usa.js script (e.g. my1.dynalias .org/usa.js) hosted on all of the domains, which takes advantage of a simple evasive practice: referrer checking, in order to decide whether or not to serve the malicious content.

For instance, once deobfuscated, the script checks whether the user is coming from one of the following search engines: var se = new Array("google", "msn", "aol.com", "yahoo", " comcast"); if (document.referrer)ref = document.referrer; If the user/researcher is basically wandering around (a direct visit, with no search-engine referrer), a blackhat SEO page with no malicious redirections is served.
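Both the referrer check quoted in the blackhat SEO post above and the usa.js check here gate the redirect on a search-engine referrer. The following Python script is an added example (not code from the posts or from the campaign) that flags such referrer-gated cloaking in fetched HTML and lists the Referer header variants a re-scan should try; the two sample pages it scans are constructed.

```python
import re

# Constructed sample pages, not captured from the campaign. The first mimics the
# referrer-gated redirect the posts describe (search-engine whitelist, referrer
# read, client-side redirect); the second reads document.referrer for analytics
# only and never redirects on it.
CLOAKED_PAGE = """<html><body><script>
var ref,i,is_se=0; var se = new Array("google.","msn.","yahoo.","comcast.","aol.","dead");
if(document.referrer)ref=document.referrer; else ref="";
for(i=0;i<5;i++){ if(ref.indexOf(se[i])!=-1) is_se=1; }
if(is_se) window.location="http://scanner.invalid/go.php?id=1";
</script><h1>Hottest info!</h1></body></html>"""

BENIGN_PAGE = """<html><body><script>
var ref = document.referrer || "";
new Image().src = "/stats.gif?r=" + encodeURIComponent(ref);
</script><h1>Hottest info!</h1></body></html>"""

# Engines named in the two scripts quoted in the posts, plus a few a variant may add.
KNOWN_ENGINES = {"google", "msn", "yahoo", "aol", "comcast", "bing", "ask", "live"}

SCRIPT_RE = re.compile(r"<script[^>]*>(.*?)</script>", re.I | re.S)
ARRAY_RE = re.compile(r"new\s+Array\s*\((.*?)\)|\[(.*?)\]", re.S)
STRING_RE = re.compile(r"""["']([^"']*)["']""")
REFERRER_RE = re.compile(r"document\.referrer")
REDIRECT_RE = re.compile(
    r"""(?:window\.|top\.|self\.)?location(?:\.href)?\s*=\s*["']|location\.replace\s*\(""")


def engine_literals(script):
    """String literals inside array constructors that name a known search engine."""
    found = set()
    for m in ARRAY_RE.finditer(script):
        body = m.group(1) or m.group(2) or ""
        for literal in STRING_RE.findall(body):
            name = literal.strip().lower().split(".")[0]  # "google." -> "google"
            if name in KNOWN_ENGINES:
                found.add(name)
    return found


def scan_page(html):
    """Flag a page as referrer-cloaked when a script block reads
    document.referrer, whitelists two or more search engines and redirects."""
    report = {"referrer_check": False, "engines": set(), "redirect": False}
    for script in SCRIPT_RE.findall(html):
        if not REFERRER_RE.search(script):
            continue
        report["referrer_check"] = True
        report["engines"] |= engine_literals(script)
        if REDIRECT_RE.search(script):
            report["redirect"] = True
    report["cloaked"] = (report["referrer_check"]
                         and len(report["engines"]) >= 2
                         and report["redirect"])
    return report


def probe_headers(engines=("google", "msn", "yahoo")):
    """Header sets a re-scan should try: a plain fetch plus one per engine, so a
    page cannot hide its redirect behind a missing search-engine Referer."""
    variants = [{}]
    for engine in engines:
        variants.append({"Referer": "http://www.%s.com/search?q=hot+news" % engine})
    return variants


if __name__ == "__main__":
    for label, page in (("cloaked", CLOAKED_PAGE), ("benign", BENIGN_PAGE)):
        print(label, scan_page(page))
    print(probe_headers())
```

A static match is only a first filter; the conclusive check is fetching the page once per entry of probe_headers() and diffing the responses.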

The following are all of the currently active and participating domains/subdomains:

The redirection process consists of two layers. The first redirects to hjgf .ru/go.php?sid=5 (88.214.198.25) and then to msscan-files-antivir .com (195.88.81.93); the second takes place through a well-known malicious doorway redirecting domain, hqtube .com/to_traf_holder.html (88.85.66.116), which either serves a fake codec that drops the scareware, or the scareware itself from files.ms-load-av .com. The rest of the scareware/fake security software domains participating in the campaigns are as follows:


The bottom line: the campaign looks like a typical event-based blackhat SEO portfolio diversification practice.

Conficker's Scareware/Fake Security Software Business Model

April 14, 2009
It doesn't take a rocket scientist to conclude that sooner or later the people behind the Conficker botnet had to switch to a monetization phase, and start earning revenue by using well-proven business models within the cybercrime ecosystem.

Interestingly -- at least for the time being -- there's no indication of mainstream advertising propositions offering partitioned pieces of the botnet, managed fast-fluxing services (Managed Fast Flux Provider; Managed Fast Flux Provider - Part Two), or hosting of scams and spam, even though we've already seen related cases, such as a money mule recruitment agency using ASProx's fast-flux network services, next to Srizbi's botnet managed spam service propositions.

How come? Pretty simple, starting from the fact that scareware/fake security software as a monetization process remains the most liquid and efficiently monetized asset the underground economy has at its disposal. The scheme is so efficient that the money circulating within the affiliate networks is often an easy way for cybercriminals to quickly launder large amounts of money in a typical win-win revenue sharing scheme.

The Conficker gang is monetization-aware, that's for sure. But they forget a simple fact - that in a cybercrime ecosystem visibility is not just proportional to decreased OPSEC (Violating OPSEC for Increasing the Probability of Malware Infection), but also that, despite their risk-decreasing revenue sharing model, the "follow the money trail" practice becomes more and more relevant.

The most recent variant (Net-Worm.Win32.Kido.js) is the group's second attempt to monetize the botnet, following the original Conficker variant's traffic converter connection pushing fake security software. According to Aleks Gostev at Kaspersky Labs:

"One of the files is a rogue antivirus app, which we detect as FraudTool.Win32.SpywareProtect2009.s. The first version of Kido, detected back in November 2008, also tried to download fake antivirus to the infected machine. And once again, six months later, we've got unknown cybercriminals using the same trick. The rogue software, SpywareProtect2009, can be found on spy-protect-2009.com, spywrprotect-2009.com, spywareprotector-2009.com."

Regular researchers/law enforcement followers of the Diverse Portfolio of Fake Security Software series are pretty familiar with the SpywareProtect brand. Therefore, it's time to familiarize ourselves with the rogue SpywareProtect through the revenue earning scheme the latest Conficker variant is using. The currently active/recently registered SpywareProtect portfolios are managed by Geraldevich Viktus (Email: krutoymen2009@inbox.ru) and, conveniently, just as Kaspersky states, are all parked in Ukraine.

In case you remember, according to SRI International's analysis of the Conficker worm, the authors did signal a national preference since the first release, which "randomly generates IP addresses to search for additional victims, filtering Ukraine IPs based on the GeoIP database." and also "Conficker A incorporates a Ukraine-avoidance routine that causes the process to suicide if the keyboard language layout has been set to Ukrainian." This was followed by a third Ukrainian lead, namely the fact that "on 27 December 2008 we stumbled upon two highly suspicious connection attempts that might link us to the malware authors. Specifically, we observed two Conficker B URL requests sent to a Conficker A Internet rendezvous point: * Connection 1: 81.23.XX.XX - Kyivstar.net, Kiev, Ukraine; Connection 2: 200.68.XX.XXX - Alternativagratis.com, Buenos Aires, Argentina."

SpywareProtect's current portfolio is hosted in Ukraine as follows:
spy-wareprotector2009 .com (94.232.248.53) Ukraine Bastion Trade Group, AS48841, EUROHOST-AS Eurohost LLC
spyware-protector-2009 .com
spy-protect-2009 .com
spywprotect .com


The second portfolio is also parked in Ukraine as follows:
sysguard2009 .com (195.245.119.131) AS34187, RENOME-AS Renome-Service: Joint Multimedia Cable Network Odessa, Ukraine
swp2009 .com
spwrpr2009 .com
alsterstore .com
adwareguard .net


In a typical multitasking fashion, a connection between some of these very latest SpywareProtect portfolios (e.g. spywrprotect-2009 .com) and Zeus crimeware campaigns can be established, since particular droppers known to have installed the scareware next to Zeus crimeware used to be hosted at the following locations:

capitalex .ws/adv.bin (213.155.10.176)
cashtor .net/tor22/tor.bin (91.193.108.222)
goldarea .biz/adv.bin (91.197.130.39)

It's also worth pointing out that every time the Conficker authors claim their payments from the affiliate network in question, they expose themselves which makes me wonder one thing. Are the hardcore Conficker authors directly earning revenue out of the scareware, or are they basically partitioning the botnet and selling it to someone who's monetizing it and naturally breaking-even out of their investment?

In a network whose activities will inevitably start converging with the rest of the cybercrime ecosystem's participants' activities -- the Waledac connection -- it's crucial to keep the track-down-and-prosecute process as simple as possible. In this case, the asset liquidity obsession of the Conficker authors and of the customers of their botnet services may easily end up in someone's $250k reward claim. Patience is a virtue.

A Diverse Portfolio of Fake Security Software - Part Eighteen

April 08, 2009
With Microsoft's latest Security Intelligence Report indicating that scareware/fake security software continues growing, it's worth exposing some of the currently circulating rogue security software domains, their registrants, and the usual "Deja Vu" moment putting the spotlight on well-known RBN web properties, whose exposure demonstrates that some of the groups that I've been tracking are still alive and kicking, but this time are much more actively monetizing their cybercrime-committing capabilities.


webwidesecurity .com (94.247.3.3) Rosalind Lewis Email: RosalindRLewis@text2re.com
webprotectionscan .com
greatvirusscan .com
beststabilityscans .com



DNS servers of notice:

Now comes the deja vu moment. At 174.129.241.185 and 174.129.244.106 we also have parked ilovemyloves .com, one of the domains used in the iFrame attack during the "Possibility Media's Malware Fiasco" back in 2007, which was then parked at the RBN's HostFresh infrastructure (58.65.239.28). Behind the malware campaign back then was the "New Media Malware Gang" (Part Three; Part Two and Part One), which was not only using RBN services, but was directly cooperating with the Storm Worm authors. Among their most recent campaigns was the group's direct involvement in the malware campaigns at the Azerbaijani Embassies in Pakistan and Hungary.

It gets even more interesting to see what they're up to in 2009, considering that they have also parked (at 174.129.241.185 and 174.129.244.106) domains used in a currently ongoing Facebook phishing campaign, which is switching themes from Match.com to Classmates.com:


The group has clearly diversified its activities, but continues relying on its well known portfolio of domains as a foundation.

Related posts:
A Diverse Portfolio of Fake Security Software - Part Seventeen
A Diverse Portfolio of Fake Security Software - Part Sixteen
A Diverse Portfolio of Fake Security Software - Part Fifteen
A Diverse Portfolio of Fake Security Software - Part Fourteen
A Diverse Portfolio of Fake Security Software - Part Thirteen
A Diverse Portfolio of Fake Security Software - Part Twelve
A Diverse Portfolio of Fake Security Software - Part Eleven
A Diverse Portfolio of Fake Security Software - Part Ten
A Diverse Portfolio of Fake Security Software - Part Nine
A Diverse Portfolio of Fake Security Software - Part Eight
A Diverse Portfolio of Fake Security Software - Part Seven
A Diverse Portfolio of Fake Security Software - Part Six
A Diverse Portfolio of Fake Security Software - Part Five
A Diverse Portfolio of Fake Security Software - Part Four
A Diverse Portfolio of Fake Security Software - Part Three
A Diverse Portfolio of Fake Security Software - Part Two
Diverse Portfolio of Fake Security Software

Inside a Zeus Crimeware Developer's To-Do List

April 08, 2009
Every now and then I get asked a similar question in regard to crimeware kits - which is the latest version of a particular crimeware/web malware exploitation kit?

The short answer is - I don't know. And I don't know not because I'm a victim of outdated situational awareness, but because nowadays third-party developers are so actively tweaking it that coming up with a version number would be inaccurate from my perspective. Therefore, whenever I provide such a version number, I try to emphasize and provide practical examples of how the current decentralization of coding from the core authors to third-party developers and, of course, scammers brand-jacking the Zeus brand, is making the answer a little bit more complex than it may seem at first.

For instance, cybercriminals themselves have been capitalizing on this situation during the last two quarters, by speculating with the version numbers and offering backdoored copies of non-existent Zeus releases, in an attempt to hijack their Zeus botnets at a later stage -- a practice that phishers have been taking advantage of for a while. Anyway, once I'm able to sort of cluster a particular third-party developer's persistence in tweaking the Zeus crimeware kit, an interesting picture emerges. For instance, a team member from a third-party developer of backend systems for botnets that came up with the built-in MP3 player in a Zeus release is also directly involved in developing the backend system and GUI for the Chimera botnet which the British Broadcasting Corporation purchased last month.

Let's discuss the version numbering system in the Zeus crimeware, before we take a peek at a recent CHANGELOG and a future TO-DO list from one of the third-party developers. A Zeus version number a.b.c.d is read as follows: a change in a stands for a complete change in the bot, a change in b stands for major changes that make previous bot versions incompatible, c stands for modifications and performance boosting, and d is a prophylactic change in order to avoid detection by antivirus solutions.

The QA applied to Zeus can easily be seen by taking a peek at some of the changes that took place in December 2008:

"Change 10.12.2008
- Documentation will no longer be available in a CHM format, instead in a plain-text format
- The bot is now able to receive commands not only by using the send command function, but also during requests for files and logs changes
- Local data requests to the server and the configuration file can be encrypted with RC4 key depending on your choice
- In order to decrease the load on the server, a fully updated bot-to-server and server-to-bot communication protocol is introduced

Change 20.12.2008
- Small error fixed when sending reports
- The size of the report cannot exceed 550 characters
- Error fixed in the bot due to low timeout for sending POST requests resulting in dropping requests for log files bigger than 1 MB

Change 2.03.2009
- Changed the default cryptor routines
- Updated process of building the bot
- Optimized compression of the binary
- Rewritten the process of assembling the configuration file
- Changed the MySQL tables
- Fixed fonts in the panel due to bogus display of characters
- Updated Geolocation database"

The following "To-Do" list is pretty similar to another one I discussed last year (A Botnet Master's To-Do List). What's to come in the Zeus crimeware kit, at least courtesy of a sampled third-party developer? The following features have been in the works for several months now:

"- Compatibility with Windows Vista and Windows 7
- Improved WinAPI hooking
- Random generation of configuration files to avoid generic detection
- Console-based builder
- Version supporting x86 processors
- Full IPv6 support
- Detailed statistics on antivirus software and firewalls installed on the infected machines"

The Zeus crimeware is not going off the radar anytime soon, and the main reason for that is not that its exclusive features outperform those of the Limbo and Adrenalin crimeware, but that Zeus has a much bigger fan base and a well-established third-party community around it.

Image courtesy of Abuse.ch's Zeus Tracker -- the one that got DDoS-ed in February due to its apparent usefulness.

Related posts:
Crimeware in the Middle - Limbo
Crimeware in the Middle - Adrenalin
Crimeware in the Middle - Zeus
76Service - Cybercrime as a Service Going Mainstream
Zeus Crimeware as a Service Going Mainstream
Modified Zeus Crimeware Kit Gets a Performance Boost
Modified Zeus Crimeware Kit Comes With Built-in MP3 Player
Zeus Crimeware Kit Gets a Carding Layout
The Zeus Crimeware Kit Vulnerable to Remotely Exploitable Flaw

Bogus LinkedIn Profiles Redirect to Malware and Rogue Security Software

April 01, 2009
From the automatically registered bogus LinkedIn profiles promoting pharmaceuticals in February, to January's malware campaign redirecting to Zlob variants and rogue security software, the malware gang behind both of these campaigns is once again showcasing its persistence.

It gets even more interesting when a direct connection is established between January's campaign, this very latest one, and the most recent massive comment-spam attack at Digg.com, since the very same malware domains (e.g. funkytube .net) are participating in all of them.

Bogus LinkedIn profiles for March:
Using a celebrities theme, all of these bogus accounts link to the same malware-serving domains. The following central redirectors:
oymomahon .com/fathulla/11.html
oymomahon .com/mirolim-video/3.html
oymomahon .com/paqi-video/28.html
muse.100-celebrities .com/paqi-video/1.html
nahyu .org/xxxx/
1k .pl/nufexz


are then redirecting to another set of fake codec domains:
xretrotube .com
globextubes .com
globalstube2009 .com
globerstube .com
spywareremover21 .com
antispyscanner13 .com
privacyscanner15 .com
easywinscanner17 .com
systemscanner19 .com
sgviralscan .com


to ultimately direct the visitor to the actual binaries:
nahyu .org/xxx/video/teens_fuck_orgy11.mpeg.exe - detection rate
loyaldown99 .com/codec/186.exe - detection rate
kol-development .com/viewtubesoftware.40012.exe - detection rate
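A defender-side check over web proxy logs for the three-tier chain above, added here as an example that is not part of the original post: it flags executable downloads whose names mimic a video file or a "codec", then walks the referrer field backwards to rebuild the chain to the social-network lure. The log format, hostnames and paths in SAMPLE_LOG are constructed (.invalid placeholders), not the post's domains.

```python
"""Flag fake-codec executable downloads and rebuild their referrer chain."""
import re
from urllib.parse import urlsplit

# Constructed proxy log (not from the post). Fields:
# timestamp client method url referrer status content_type
SAMPLE_LOG = """\
2009-03-30T10:01:02Z 10.0.0.5 GET http://www.linkedin.com/in/celebrity-example - 200 text/html
2009-03-30T10:01:05Z 10.0.0.5 GET http://redirector.example.invalid/paqi-video/28.html http://www.linkedin.com/in/celebrity-example 302 text/html
2009-03-30T10:01:06Z 10.0.0.5 GET http://fakecodec.example.invalid/ http://redirector.example.invalid/paqi-video/28.html 200 text/html
2009-03-30T10:01:10Z 10.0.0.5 GET http://payload.example.invalid/video/clip11.mpeg.exe http://fakecodec.example.invalid/ 200 application/octet-stream
2009-03-30T10:05:00Z 10.0.0.7 GET http://intranet.example.invalid/report.pdf - 200 application/pdf
2009-03-30T10:06:00Z 10.0.0.7 GET http://updates.example.invalid/setup.exe - 200 application/octet-stream
"""

# Media/document extensions that a fake codec lure hides in front of the real .exe
DECOY_EXTS = r"(?:mpeg|mpg|avi|wmv|mov|mp4|flv|pdf|doc|jpg)"
DOUBLE_EXT = re.compile(r"\." + DECOY_EXTS + r"\.(?:exe|scr|com|pif)$", re.IGNORECASE)
# "viewtube...exe" and "/codec/<n>.exe" naming, as seen in the chain above
CODEC_PATH = re.compile(r"(?:codec|tube)[^/]*\.exe$|/codec/[^/]+\.exe$", re.IGNORECASE)

# Lure origins worth calling out in an alert
ORIGIN_HOSTS = ("linkedin.com", "digg.com", "google.", "yahoo.", "msn.")


def parse_log(text):
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, _method, url, ref, _status, ctype = line.split()
        rows.append({"ts": ts, "client": client, "url": url,
                     "ref": None if ref == "-" else ref, "ctype": ctype})
    return rows


def is_fake_codec_download(row):
    path = urlsplit(row["url"]).path
    return bool(DOUBLE_EXT.search(path) or CODEC_PATH.search(path))


def referrer_chain(rows, row):
    """Follow referrers backwards for the same client until the first request."""
    by_url = {r["url"]: r for r in rows if r["client"] == row["client"]}
    chain, seen, cur = [row["url"]], set(), row
    while cur is not None and cur["ref"] and cur["ref"] not in seen:
        seen.add(cur["ref"])
        chain.append(cur["ref"])
        cur = by_url.get(cur["ref"])
    chain.reverse()
    return chain


def find_alerts(text):
    rows = parse_log(text)
    alerts = []
    for row in rows:
        if not is_fake_codec_download(row):
            continue
        chain = referrer_chain(rows, row)
        origin = urlsplit(chain[0]).hostname or ""
        alerts.append({
            "client": row["client"], "download": row["url"], "chain": chain,
            "lured_from_social_or_search": any(h in origin for h in ORIGIN_HOSTS),
        })
    return alerts


if __name__ == "__main__":
    for alert in find_alerts(SAMPLE_LOG):
        print(alert["client"], "->", " -> ".join(alert["chain"]))
```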

Despite the fact that real-time/event-based blackhat search engine optimization is gaining popularity these days, blackhat SEO by its very nature relies on huge bogus content farms using a diverse theme-based set of content, usually generated in an automated fashion. Real-time blackhat SEO or standard volume-based blackhat SEO as the tactic of choice? Does it really matter, given that from the perspective of tactical warfare, combining well-proven tactics results in high click-through/infection rates for the campaigns in question?

Related posts:
Blackhat SEO Redirects to Malware and Rogue Software
The Invisible Blackhat SEO Campaign
Attack of the SEO Bots on the .EDU Domain
p0rn.gov - The Ongoing Blackhat SEO Operation
The Continuing .Gov Blackhat SEO Campaign
The Continuing .Gov Blackhat SEO Campaign - Part Two
Rogue RBN Software Pushed Through Blackhat SEO
Massive Blackhat SEO Targeting Blogspot
Blackhat SEO Campaign at The Millennium Challenge Corporation

Fake Porn Sites Serving Malware
Fake Porn Sites Serving Malware - Part Two
Fake Celebrity Video Sites Serving Malware
Fake Celebrity Video Sites Serving Malware - Part Two
Fake Celebrity Video Sites Serving Malware - Part Three
The Template-ization of Malware Serving Sites
The Template-ization of Malware Serving Sites - Part Two
A Portfolio of Fake Video Codecs

Diverse Portfolio of Fake Security Software - Part Seventeen

March 31, 2009
The following are some of the currently active/about to go online rogue security software domains and their associated payment gateways, exposed in the spirit of the Diverse Portfolio of Fake Security Software series. During the past two months, an obvious migration of well-known Russian Business Network customers continues taking place, with their portfolios of malicious campaigns currently parked at several ISPs, zlkon.lv (DATORU EXPRESS SERVISS Ltd, AS12553 PCEXPRESS-AS) remaining the ISP of choice for the time being in the context of rogue security software.


During March, a new type of scareware with elements of ransomware started circulating in the wild. It will be interesting to monitor whether it will become the de facto standard for optimizing revenues out of rogue security software.

Related posts:
A Diverse Portfolio of Fake Security Software - Part Sixteen
A Diverse Portfolio of Fake Security Software - Part Fifteen
A Diverse Portfolio of Fake Security Software - Part Fourteen
A Diverse Portfolio of Fake Security Software - Part Thirteen
A Diverse Portfolio of Fake Security Software - Part Twelve
A Diverse Portfolio of Fake Security Software - Part Eleven
A Diverse Portfolio of Fake Security Software - Part Ten
A Diverse Portfolio of Fake Security Software - Part Nine
A Diverse Portfolio of Fake Security Software - Part Eight
A Diverse Portfolio of Fake Security Software - Part Seven
A Diverse Portfolio of Fake Security Software - Part Six
A Diverse Portfolio of Fake Security Software - Part Five
A Diverse Portfolio of Fake Security Software - Part Four
A Diverse Portfolio of Fake Security Software - Part Three
A Diverse Portfolio of Fake Security Software - Part Two
Diverse Portfolio of Fake Security Software

A Diverse Portfolio of Fake Security Software - Part Sixteen

March 26, 2009
The following are some of the very latest typosquatted rogue security software domains pushed through blackhat SEO, web site compromises, and systematic abuse of legitimate Web 2.0 services.


Bad, bad, cybercrime-friendly ISPs!

Related posts:
A Diverse Portfolio of Fake Security Software - Part Fifteen
A Diverse Portfolio of Fake Security Software - Part Fourteen
A Diverse Portfolio of Fake Security Software - Part Thirteen
A Diverse Portfolio of Fake Security Software - Part Twelve
A Diverse Portfolio of Fake Security Software - Part Eleven
A Diverse Portfolio of Fake Security Software - Part Ten
A Diverse Portfolio of Fake Security Software - Part Nine
A Diverse Portfolio of Fake Security Software - Part Eight
A Diverse Portfolio of Fake Security Software - Part Seven
A Diverse Portfolio of Fake Security Software - Part Six
A Diverse Portfolio of Fake Security Software - Part Five
A Diverse Portfolio of Fake Security Software - Part Four
A Diverse Portfolio of Fake Security Software - Part Three
A Diverse Portfolio of Fake Security Software - Part Two
Diverse Portfolio of Fake Security Software

Embassy of Portugal in India Serving Malware

March 25, 2009
Yet another embassy web site is falling victim to a malware attack serving Adobe exploits to its visitors. As of last Friday, the official web site of the Embassy of Portugal in India (embportindia.co.in) has been compromised. Who's behind the attack? Interestingly, it's the very same group that compromised the Azerbaijanian Embassies in Pakistan and Hungary earlier this month. Assessing this campaign once again establishes a direct connection with the Russian Business Network's pre-shutdown netblocks and static locations.

The very same domain, using the same web traffic redirection script used in the malware campaigns at the Azerbaijanian Embassies in Pakistan and Hungary, can be found at the Portugal embassy's web site. betstarwager .cn/in.cgi?cocacola84 redirects to ghrgt.hostindianet .com/index.php?cocacola84 (94.247.3.151), where multiple Adobe Reader and Acrobat buffer overflows are served:

zzzz.hostindianet .com/load.php?id=4 -> ghrgt.hostindianet .com/cache/readme.pdf
zzzz.hostindianet .com/load.php?id=5 -> ghrgt.hostindianet .com/cache/flash.swf

The second iFramed domain, ntkrnlpa .cn/rc/ (159.226.7.162), has a juicy history linking it to previous campaigns. In February, 2008, an anti-malware vendor's site (AvSoft Technologie) was iFramed, with the iFrame back then (ntkrnlpa .info/rc/?i=1) pointing to the Russian Business Network's original netblock. It gets even more interesting when you take into consideration the fact that ntkrnlpa.info was also sharing infrastructure with zief.pl, among the most widely abused domains in the recent Google Trends keywords hijacking campaigns. Zief.pl is also the service of choice for certain campaigns of the Virut malware family, irc.zief.pl in particular.

It gets even more malicious considering that on the same IP (159.226.7.162) where one of the malware domains in the embassy's campaign (ntkrnlpa .cn/rc/) is parked, we can easily spot domains (baidu-baiduxin3 .cn for instance) that were participating in last year's massive IE7 zero day exploit serving campaign. Moreover, in a typical multitasking stage, the cybercriminals behind the campaign are also hosting Zeus crimeware campaigns on it.

A reincarnation of a well-known RBN domain, confirmed participation in related compromises of embassy web sites by the same group, shared infrastructure with domains from a massive IE7 ex-zero day attack, and hosting of Zeus crimeware command and control locations - underground multitasking at its best.

Related posts:
Ethiopian Embassy in Washington D.C Serving Malware
USAID.gov compromised, malware and exploits served
Azerbaijanian Embassies in Pakistan and Hungary Serving Malware
Embassy of India in Spain Serving Malware
Embassy of Brazil in India Compromised
The Dutch Embassy in Moscow Serving Malware
U.S Consulate in St. Petersburg Serving Malware
Syrian Embassy in London Serving Malware
French Embassy in Libya Serving Malware

Crimeware in the Middle - Limbo

March 19, 2009
While you were out - "Cybercrime-as-a-Service is finally taking off" and $400 will get you into the hacking business. Such a mentality speaks of outdated situational awareness.

Cybercrime as a service originally started several years ago in the form of "value-added" post-purchase services: the now ubiquitous management of a malware binary's detection rate, and anti-abuse domain hosting for the command and control interface. As for the $400 entry barrier into cybercrime, it no longer exists. In reality, pirated copies of each and every web malware exploitation kit, including the proprietary crimeware kits, are becoming more widespread these days.

The cybercrime economy has not only matured into a sophisticated services-driven marketplace a long time ago, but nowadays we can also clearly see how standardizing the exploitation approach is inevitably resulting in efficiencies -- think web malware exploitation kits with diverse exploit sets, and massive SQL injection attacks. The underground economy is in fact so vibrant that the existing monoculture on the crimeware front is already allowing cybercriminals to hijack the crimeware botnets of other cybercriminals who are unaware that they're running an outdated copy of their kit.

Following Zeus and Adrenalin, it's time to profile Limbo, an alternative crimeware kit that's been publicly available for purchase since 2007. Interestingly, none of these kits can compare to the current market share of Zeus, perhaps the most popular crimeware kit these days, a development largely driven by the community built around Zeus, and by the major enhancements introduced within the kit by third-party developers.

Here's what Limbo is all about:

"It works on the principle of an add-in to Internet Explorer, not visible in the processes, to make the logs hidden from the firewall redirector and other programs that monitor network activity. Supplied as a loader, which is removed after the launch, it unpacks itself and makes all necessary entries in the registry. When you first start IE it cleans Cookies and reads Protected Storage (autosaved passwords in IE, Outlook passwords, etc.). Whenever a user visits the monitored sites, Limbo intercepts the parameters, which are later on transmitted to the server once the user presses the browser key.

Commands:
- Update the binary
- Launch arbitrary exe file
- Update configurator (xml file available)
- Cleaning Cookies
- Remove Limbo
- Theft of keys for Bank of America, as well as the keys of those banks that have moved to a system of keys
- Exclude all the keys for Bank of America, as well as other banks of keys (control questions asked again, and you can intercept the answers to them)
- Add to your hosts - to block a certain site (it seems as if it does not boot at all)
- Reboot Windows
- Destroy Windows

Main features:
- Grabs data from forms, including data around forms (all in a row or a pattern described in the configuration file)
- Logging of keystrokes in the browser, at the time when the user enters something in the edit form (it is sometimes useful - for example when the entered data is encrypted after submit form)
- Logging of virtual keyboards (universal technology was developed for the Turkish and Australian banks)
- Theft of keys (Bank of America, as well as other banks, whose protection is key-based) - are in the archive, the archive is created from the user on the computer.
- Delete key (Bank of America, as well as other banks, whose protection is built based on keys) - it is useful to force the user to enter answers to security questions
- Scam page redirection (the fake of same page with the substitution of the address bar of IE and the status bar on infected hosts)
- Harvesting of emails (including the address book user) - by request includes this possibility
- Set the filter for sites that do not need to intercept
- Simple injects-based system (paste your text input field on a particular site - for example, to ask for a pin Holder)
- Smart injects system - blocking form until user input is not injected into the data fields (checking for the count-woo characters of their type - the numbers or letters)
- TANs grabbing - vital for the German sites

Paid only features:
- A hidden transfer (transfer of command from the admin panel) - HARD-sharpen under one bank
- Autocomplete of hijacked session (e.g. when a user makes a transfer; useful if the transfer requires SMS confirmation. Strictly tied to a particular bank only.)

PHP based admin includes:
- Mapping of users to the admin
- Directing teams selected users
- Delete commands and users
- Showing the status of the command
- Mapping and IP users
- Ability to delete tax
- Display the size of logs
- Search for logs
- Archiving of logs
- Filter by country
- Possibility of sending logs to email
- Statistics on infection
- View collected emails
- The giving of the notes selected users
- The last call
- Displaying a page by page (say 200 records per page)
- An opportunity to log everything in one file (optional)
- Sorting of logs according to different criteria
- Delete all logs
- Have the opportunity to log into mysql, as well as the ability to search for him there is (an order of magnitude faster search)

These commands are downloaded to the host after a certain period of time and performed; in the admin panel you can see the status of commands for a specific user - download \ downloaded but not executed \ implemented."

With crimeware in the middle, no SSL/two-factor based authentication can ensure a transaction that stays opaque to the eyes of the cybercriminal.

Related posts:
Crimeware in the Middle - Adrenalin
Crimeware in the Middle - Zeus
76Service - Cybercrime as a Service Going Mainstream
Zeus Crimeware as a Service Going Mainstream
Modified Zeus Crimeware Kit Gets a Performance Boost
Modified Zeus Crimeware Kit Comes With Built-in MP3 Player
Zeus Crimeware Kit Gets a Carding Layout
The Zeus Crimeware Kit Vulnerable to Remotely Exploitable Flaw