A Visual Representation of Today's Modern Cybercrime Ecosystem - A Cybercrime-Friendly Forum Communities Screenshots Compilation - An Analysis

July 08, 2022

I recently took the time and effort to process a huge number of cybercrime-friendly forum communities in bulk, using my employer WhoisXML API's Web Site Screenshot generating API, and here are the results. Enjoy!

Stay tuned!

Upcoming Personal Memoir - Official Announcement!

July 08, 2022

Dear blog readers,

Big news. I've recently decided to convert my personal blog into a pre-order landing page for my 756 pages long upcoming personal memoir in the world of hacking and security circa the 90's up to present day including an elaboration on my security blogging cybercrime research and threat intelligence gathering including OSINT and independent contractor analysis expertise and experience for the purpose of launching my personal memoir and making it publicly accessible in December, 2021 both in print and in multiple E-book formats for the general public or basically anyone who drops me a line at dancho.danchev@hush.com in terms of possible pre-order where the print version is priced at $35 and the E-book version is priced at $20.

What can you do in order to obtain access to my upcoming memoir? Drop me a line at dancho.danchev@hush.com in terms of possible pre-order including to participate in my pre-order newsletter where I will send you a direct message once the memoir is ready to be released with the official release date scheduled for December, 2021.

Some sample content includes:

  • The Real Story Behind the Scene Circa the 90's - I will do my best to elaborate more on my teenage hacker experience and contributions and actual involvement in the Scene during the infamous hacker spree circa the 90's
  • An In-Depth Personal Account of a Teenage Hacker Experience - 
  • The True Story Behind the Rise of Trojan Horse -  
  • Astalavista.com - The Underground Repositioned - 
  • What It's Like to Run the Security Industry's Most Popular Publication - 
  • My Involvement in the Top Secret GCHQ Program Known as "Lovely Horse" - 
  • The Koobface Botnet Exposed - 

Stay tuned!

    Call for Interest - Establishing the Foundations for a Part-Time Project-Based Cybercrime Project Task Force

    July 08, 2022
    Dear blog readers,

    I wanted to let everyone know that I'm currently busy with a temporary part-time project-based task force and I might need your input in terms of a possible Task Force participation in the following categories:
    • Social Network Analysis
    • Technical Collection
    • OSINT Enrichment
    • Sentiment Analysis
    • Statistical Output Based Demographics Research
    • OSINT Visualization
    The project is vetted and invite-only, therefore it would be great if you approach me with a brief message at dancho.danchev@hush.com signifying your will and capability to participate in the project with a brief introduction of your background and how you think you might be capable of helping.

    Looking forward to begin working with you.

    Stay tuned!

    Dancho Danchev's Blog - Soliciting Contributing Writers and Guest Bloggers

    July 08, 2022
    Dear blog readers,

    As many of you noticed I've recently expanded my blog to include and feature a diverse set of personal research portfolio including additional coverage in a variety of areas and I wanted to let everyone know that I'm currently busy working on an additional set of research articles and new products that I'll publish anytime soon.

    I wanted to let everyone know that I'm currently busy soliciting an Open Call for Contributing Writers and Guest Bloggers on one of the industry's leading Security publications - Dancho Danchev's Blog - Mind Streams of Information Security Knowledge on my way to harness the best security and cybercrime researchers including threat intelligence analysts from across the Security Industry who might be interested in a diverse and high-profile set of audience in terms of publishing their opinion, thought and general and never-before-published security and cybercrime including threat intelligence research.

    Who can participate? - Basically everyone who can write security articles and security blog posts on various topics including malicious software, botnets, OSINT methodologies and general cybercrime research including Threat Intelligence analysis.

    Looking forward to receiving your response - disruptive.individuals@gmail.com

    Stay tuned and I look forward to continue working with you!

    Historical OSINT - The Koobface Gang Mixing Social Engineering Vectors

    July 08, 2022
    It's the Facebook message that came from one of your infected friends pointing you to a purposely created bogus Bloglines blog serving a fake YouTube video window, that I have in mind. The Koobface gang has been mixing social engineering vectors by taking the potential victim on a walk through legitimate services in order to have them infected without using any client-side vulnerabilities.

    For instance, this bogus Bloglines account (bloglines .com/blog/Youtubeforbiddenvideo) has attracted over 150 unique visitors already, part of Koobface's Hi5 spreading campaign (catshof .com/go/hi5.php). The domain is parked at the very same IP that the rest of the central redirection ones in all of Koobface's campaigns are - 58.241.255.37.

    Interestingly, since underground multitasking is becoming a rather common practice, the bogus blog has also been advertised within a blackhat SEO farm using the following blogs, currently linking to several hundred bogus Google Groups accounts :



    Abusing legitimate services may indeed get more attention in the upcoming year, following their interest in the practice from the last quarter.

    Real-Time OSINT vs Historical OSINT in Russia/Georgia Cyberattacks

    July 08, 2022
    The original real-time OSINT analysis of the Russian cyberattacks against Georgia conducted on the 11th of August, not only closed the Russia vs Georgia cyberwar case for me personally, but also, once again proved that real-time OSINT is invaluable compared to historical OSINT using a commercial social network visualization/data mining tool which cannot and will never be able to access the Dark Web, accessible only through real-time CYBERINT practices.

    The value of real-time OSINT in such people's information warfare cyberattacks -- with Chinese hacktivists perfectly aware of the meaning of the phrase -- relies on the relatively lower operational security (OPSEC) the initiators of a particular campaign apply at the beginning, so that it would scale faster and attract more participants. What the Russian government was doing is fueling the (cyber) fire - literally, since all it takes for a collectivist society's cyber militia to organize, is a "call for action" which was taking place at the majority of forums, with the posters of these messages apparently using a spamming application to achieve better efficiency.

    The results from 56 days of Project Grey Goose in action, a project I discussed back in August, got published last week and point to the bottom of the food chain in the entire campaign - stopgeorgia.ru :

    "Furthermore, coming up with Social Network analysis of the cyberattacks would produce nothing more but a few fancy graphs of over enthusiastic Russian netizen's distributing the static list of the targets. The real conversations, as always, are happening in the "Dark Web" limiting the possibilities for open source intelligence using a data mining software. Things changed, OPSEC is slowly emerging as a concept among malicious parties, whenever some of the "calls for action" in the DDoS attacks were posted at mainstream forums, they were immediately removed so that they don't show up in such academic initiatives"

    So what's the bottom line? Nothing that I haven't already pointed out back in August : "Report: Russian Hacker Forums Fueled Georgia Cyber Attacks" :

    "But experts say evidence suggests that Russian officials did little to discourage the online assault, which was coordinated through a Russian online forum that appeared to have been prepped with target lists and details about Georgian Web site vulnerabilities well before the two countries engaged in a brief but deadly ground, sea and air war."

    Some more comments :

    "Just because there was no smoking gun doesn't mean there's no connection," said Jeff Carr, the principal investigator of Project Grey Goose, a group of around 15 computer security, technology and intelligence experts that investigated the August attacks against Georgia. "I can't imagine that this came together sporadically," he said. "I don't think that a disorganized group can coalesce in 24 hours with its own processes in place. That just doesn't make sense."

    It wouldn't make sense if this was the first time Russian hacktivists are maintaining the same rhythm as real-life events - which of course it isn't.

    Moreover, exactly what would have constituted a "smoking gun" proving that the Russian government was involved in the campaign, remains unknown -- I'm still sticking to my comment regarding the web site defacement creative. If they truly wanted to compromise themselves, they would have cut Georgia off the Internet, at least from the perspective offered by this graph courtesy of the Packet Clearing House speaking for their dependability on Russian ISPs.

    As for the script kiddies at stopgeorgia.ru, they were informed enough to feature my research into their "negative public comments section". To sum up - the "DoS battle stations operational in the name of 'Please, input your cause'" mentality is always going to be there.

    The DDoS Attack Against Bobbear.co.uk

    July 08, 2022
    When you get the "privilege" of getting DDoS-ed by a high profile DDoS for hire service used primarily by cybercriminals attacking other cybercriminals, you're officially doing a hell of a good job exposing money laundering scams.

    The attached screenshot demonstrates how even the relatively more sophisticated counter surveillance approaches taken by a high profile DDoS for hire service can be, and were in fact bypassed, ending up in a real-time peek at how they've dedicated 4 out of their 10 BlackEnergy botnets to Bobbear exclusively.

    Perhaps for the first time ever, I come across a related DoS service offered by the very same vendor - insider sabotage on demand given they have their own people in a particular company/ISP in question. Makes you think twice before considering a minor network glitch what could easily turn into a coordinated insider attack requested by a third-party. Moreover, now that I've also established the connection between this DDoS for hire service and one of the command and control locations (all active and online) of one of the botnets used in the Russia vs Georgia cyberattack, the concept of engineering cyber warfare tensions once again proves to be a fully realistic one.

    Related posts:
    A U.S military botnet in the works
    DDoS Attack Graphs from Russia vs Georgia's Cyberattacks
    Botnet on Demand Service
    OSINT Through Botnets
    Corporate Espionage Through Botnets
    The DDoS Attack Against CNN.com
    A New DDoS Malware Kit in the Wild
    Electronic Jihad v3.0 - What Cyber Jihad Isn't

    Who's Behind the GPcode Ransomware?

    July 08, 2022
    So, the ultimate question - who's behind the GPcode ransomware? It's Russian teens with pimples, using E-gold and Liberty Reserve accounts, running three different GPcode campaigns, two of which request either $100 or $200 for the decryptor, and communicating from Chinese IPs. Here are all the details regarding the emails they use, the email responses they sent back, the currency accounts, as well as their most recent IPs used in the communication :

    Emails used by the GPcode authors where the infected victims are supposed to contact them :
    content715@yahoo.com
    saveinfo89@yahoo.com
    cipher4000@yahoo.com
    decrypt482@yahoo.com

    Virtual currency accounts used by the malware authors :
    Liberty Reserve - account U6890784
    E-Gold - account - 5431725
    E-Gold - account - 5437838

    Sample response email :
    "Next, you should send $100 to Liberty Reserve account U6890784 or E-Gold account 5431725 (www.e-gold.com) To buy E-currency you may use exchange service, see or any other. In the transfer description specify your e-mail. After receive your payment, we send decryptor to your e-mail. For check our guarantee you may send us one any encrypted file (with cipher key, specified in any !_READ_ME_!.txt file, being in the directorys with the encrypted files). We decrypt it and send to you originally decrypted file. Best Regards, Daniel Robertson"

    Second sample response email this time requesting $200 :
    "The price of decryptor is 200 USD. For payment you may use one of following variants: 1. Payment to E-Gold account 5437838 (www.e-gold.com). 2. Payment to Liberty Reserve account U6890784 (www.libertyreserve.com). 3. If you do not make one of this variants, contact us for decision it. For check our guarantee you may send us ONE any encrypted file. We decrypt it and send to you originally decrypted file. For any questions contact us via e-mail. Best regards. Paul Dyke"

    So, you've got two people responding back with copy and paste emails, each of them seeking a different amount of money? Weird. The John Doe-ish Daniel Robertson is emailing from 58.38.8.211 (Liaoning Province Network China Network Communications Group Corporation No.156,Fu-Xing-Men-Nei Street, Beijing 100031), and Paul Dyke from 221.201.2.227 (Liaoning Province Network China Network Communications Group Corporation No.156,Fu-Xing-Men-Nei Street, Beijing 100031), both Chinese IPs, despite that these campaigners are Russians.

    Here are some comments I made regarding cryptoviral extortion two years ago - Future Trends of Malware (on page 11; and page 21), worth going through.

    Who's Behind the Georgia Cyber Attacks?

    July 08, 2022
    Of course the Klingons did it, or you were naive enough to even think for a second that Russians were behind it in the first place? Of the things I hate most, it's lowering down the quality of the discussion I hate the most. Even if you're excluding all the factual evidence (Coordinated Russia vs Georgia cyber attack in progress), common sense must prevail.

    Sometimes, the degree of incompetence can in fact be pretty entertaining, and greatly explains why certain countries are lagging behind others by years in their inability to understand the rules of information warfare, or the basic premise of unrestricted warfare, that there are no rules on how to achieve your objectives.

    So who's behind the Georgia cyber attacks, ranging from plain simple ping floods and web site defacements to sustained DDoS attacks, which no matter the fact that Georgia has switched hosting location to the U.S remain ongoing? It's Russia's self-mobilizing cyber militia, the product of a collectivist society having the capacity to wage cyber wars and literally dictating the rhythm in this space. What is militia anyway :

    "civilians trained as soldiers but not part of the regular army; the entire body of physically fit civilians eligible by law for military service; a military force composed of ordinary citizens to provide defense, emergency law enforcement, or paramilitary service, in times of emergency; without being paid a regular salary or committed to a fixed term of service; an army of trained civilians, which may be an official reserve army, called upon in time of need; the national police force of a country; the entire able-bodied population of a state; or a private force, not under government control; An army or paramilitary group comprised of citizens to serve in times of emergency"

    Next to the "blame the Russian Business Network for the lack of large scale implementation of DNSSEC" mentality, certain news articles also try to wrongly imply that there's no Russian connection in these attacks, and that the attacks are not "state-sponsored", making it look like that there should be a considerable amount of investment made into these attacks, and that the Russian government has the final word on whether or not its DDoS capabilities empowered citizens should launch any attacks or not. In reality, the only thing the Russian government was asking itself during these attacks was "why didn't they start the attacks earlier?!".

    Thankfully, there are some visionary folks out there understanding the situation. Last year, I asked the following question - What is the most realistic scenario on what exactly happened in the recent DDoS attacks aimed at Estonia, from your point of view? and some of the possible answers still fully apply in this situation :

    - It was a Russian government-sponsored hacktivism, or shall we say a government-tolerated one

    - Too much media hype over a sustained ICMP flood, given the publicly obtained statistics of the network traffic

    - Certain individuals of the collectivist Russian society, botnet masters for instance, were automatically recruited based on a nationalism sentiments so that they basically forwarded some of their bandwidth to key web servers

    - In order to generate more noise, DIY DoS tools were distributed to the masses so that no one would ever know who's really behind the attacks

    - Don't know who did it, but I can assure you my kid was playing !synflood at that time

    - Offended by the not so well coordinated removal of the Soviet statue, Russian oligarchs felt the need to send back a signal but naturally lacking any DDoS capabilities, basically outsourced the DDoS attacks

    - A foreign intelligence agency twisting the reality and engineering cyber warfare tensions did it, while taking advantage of the momentum and the overall public perception that no one else but the affected Russia could be behind the attacks

    - I hate scenario building, reminds me of my academic years, however, yours are pretty good which doesn't necessarily mean I actually care who did it, and pssst - it's not cyberwar, as in cyberwar you have two parties with virtual engagement points, in this case it was bandwidth domination by whoever did it over the other. A virtual shock and awe

    - I stopped following the news story by the time every reporter dubbed it the first cyber war, and started following it again when the word hacktivism started gaining popularity. So, hacktivists did it to virtually state their political preferences

    Departmental cyber warfare would never reach the flexibility state of people's information warfare where everyone is a cyber warrior given he's empowered with access to the right tools at a particular moment in time.

    Related posts:
    People's Information Warfare Concept
    Combating Unrestricted Warfare
    The Cyber Storm II Cyber Exercise
    Chinese Hacktivists Waging People's Information Warfare Against CNN
    The DDoS Attacks Against CNN.com
    China's Cyber Espionage Ambitions
    North Korea's Cyber Warfare Unit 121

    Dissecting the Koobface Worm's December Campaign

    July 08, 2022
    The Koobface Facebook worm -- go through an assessment of a previous campaign -- is once again making its rounds across social networking sites, Facebook in particular. Therefore, shall we spill a big cup of coffee over the malware campaigners' efforts for yet another time? But of course.

    Only OPSEC-ignorant malware campaigners would leave so many traceable points, in between centralizing the campaign's redirection domains on a single IP. For instance, taking advantage of a free web counter whose publicly obtainable statistics -- the account has since been deleted -- allow us to not only measure the clickability of Koobface's campaign, but also prove that they're actively multitasking by combining blackhat SEO and active spreading across several other social networking sites. Here are some of the key summary points for this campaign :

    Key summary points :
    - the hosting infrastructure for the bogus YouTube site and the actual binary is provided by several thousand dynamically changing malware infected IPs
    - all of the malware infected hosts are serving the bogus YouTube site through port 7777
    - the very same bogus domains acting as central redirection points from the November's campaign remain active, however, they've switched hosting locations
    - if the visitor isn't coming from where she's supposed to be coming, in this case the predefined list of referrers, a single line of "scan ref" is returned with no malicious content displayed
    - the campaign can be easily taken care of at least in the short term, by shutting down the centralized redirection points


    What follows are the surprises, namely, despite the fact that Koobface is pitched as a Facebook worm, according to their statistics -- go through a previously misconfigured malware campaign stats -- the majority of unique visitors from the December's campaign appear to have been coming from Friendster. As for the exact number of visitors hitting their web counter, counting as of 7 November 2008, 12:58, with 91,109 unique visitors on 07 Nov, Fri and another 53,260 on 08 Nov, Sat before the counter was deleted, the cached version of their web counter provides a relatively good sample.

    On each of the bogus Geocities redirectors, the very same lostart .info/js/gs.js (58.241.255.37) used in the previous campaign, attempts to redirect to find-allnot .com/go/fb.php (58.241.255.37) or to playtable .info/go/fb.php (58.241.255.37), with fb.php doing the referrer checking and redirecting to the botnet hosts magic. Several other well known malware command and control locations are also parked at 58.241.255.37 :


    These domains, with several exceptions, are actively participating in the campaign, with the easiest way to differentiate whether it's a Facebook or Bebo redirection, remaining the descriptive filenames. For instance, fb.php corresponds to Facebook redirections and be.php corresponds to Bebo redirections (ofsitesearch .com/go/be.php). However, the meat resides within the statistics from their campaign :

    Malware serving URLs part of Koobface worm's December's campaign, based on the identical counter used across all the malicious domains :

    Geocities redirectors participating :
    geocities .com/madelineeaton10/index.htm
    geocities .com/charlievelazquez10/index.htm
    geocities .com/raulsheppard18/index.htm

    Sample malware infected hosts used by the redirectors :

    Detection rate for the binary, identical across all infected hosts participating :
    flash_update.exe (Win32/Koobface!generic; Win32.Worm.Koobface.W)
    Detection rate : 28/38 (73.69%)
    File size: 27136 bytes
    MD5...: 3071f71fc14ba590ca73801e19e8f66d
    SHA1..: 2f80a5b2575c788de1d94ed1e8005003f1ca004d

    Koobface's social networks spreading model isn't going away, but its domains definitely are.
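
The traits listed in the key summary points above (redirector scripts such as fb.php and be.php under /go/, payload pages on bare IPs at port 7777 with ch and ea parameters, many redirector domains parked on one IP) can be turned into a proxy-log check. This is an added example, not code from the original post; the log format, the function names and every host and address in the sample are constructed for illustration.

```python
import ipaddress
import re
from collections import defaultdict
from urllib.parse import parse_qs, urlsplit

# Redirector script names the post ties to a social network (/go/fb.php etc.).
REDIRECTOR_SCRIPTS = {"fb.php": "Facebook", "be.php": "Bebo", "hi5.php": "Hi5"}
PAYLOAD_PORT = 7777  # port on which infected hosts served the bogus YouTube page

# Constructed sample (assumed format): timestamp, client IP, server IP, URL.
# Hosts use .example names and documentation address ranges, not real indicators.
SAMPLE_LOG = """\
2008-12-01T10:00:01 10.0.0.5 192.0.2.10 http://redirector-one.example/go/fb.php
2008-12-01T10:00:02 10.0.0.5 198.51.100.7 http://198.51.100.7:7777/?ch=&ea=
2008-12-01T10:03:10 10.0.0.8 192.0.2.10 http://redirector-two.example/go/be.php
2008-12-01T10:04:00 10.0.0.9 203.0.113.20 http://intranet-app.example:7777/status
2008-12-01T10:05:30 10.0.0.9 203.0.113.21 http://video.example/watch?v=abc
2008-12-01T10:06:00 10.0.0.12 198.51.100.9 http://198.51.100.9:7777/dt/?ch=&ea=
"""


def classify(url):
    """Return (stage, detail) for a URL matching the campaign's shape, else None."""
    try:
        parts = urlsplit(url)
        host, port = parts.hostname, parts.port
    except ValueError:  # malformed port or authority
        return None
    if not host:
        return None
    # Stage 1: central redirector, identified by its descriptive script name.
    m = re.fullmatch(r"/go/([a-z0-9]+\.php)", parts.path)
    if m and m.group(1) in REDIRECTOR_SCRIPTS:
        return ("redirector", REDIRECTOR_SCRIPTS[m.group(1)])
    # Stage 2: payload page on a bare IPv4 host, port 7777, ch and ea parameters.
    try:
        ipaddress.IPv4Address(host)
    except ValueError:
        return None
    params = parse_qs(parts.query, keep_blank_values=True)  # values are empty
    if port == PAYLOAD_PORT and {"ch", "ea"} <= params.keys():
        return ("payload", f"{host}:{port}")
    return None


def scan(log_text):
    """Parse the log and keep only the lines that match either stage."""
    hits = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 4:
            continue  # skip lines that do not follow the assumed format
        ts, client, server_ip, url = fields
        verdict = classify(url)
        if verdict:
            hits.append({"ts": ts, "client": client, "server_ip": server_ip,
                         "host": urlsplit(url).hostname,
                         "stage": verdict[0], "detail": verdict[1]})
    return hits


def central_points(hits, min_domains=2):
    """IPs hosting several redirector domains: the blocking/takedown candidates."""
    by_ip = defaultdict(set)
    for h in hits:
        if h["stage"] == "redirector":
            by_ip[h["server_ip"]].add(h["host"])
    return {ip: sorted(d) for ip, d in by_ip.items() if len(d) >= min_domains}


def exposed_clients(hits):
    """Clients that hit a redirector and afterwards reached a payload host."""
    redirected, exposed = set(), set()
    for h in sorted(hits, key=lambda h: h["ts"]):  # ISO timestamps sort by time
        if h["stage"] == "redirector":
            redirected.add(h["client"])
        elif h["client"] in redirected:
            exposed.add(h["client"])
    return sorted(exposed)


if __name__ == "__main__":
    found = scan(SAMPLE_LOG)
    for h in found:
        print(h["ts"], h["client"], h["stage"], h["detail"])
    print("central redirection points:", central_points(found))
    print("clients to triage first:", exposed_clients(found))
```

A payload-stage hit without a preceding redirector hit (client 10.0.0.12 in the sample) is still reported by `scan`; it is only left out of the chained `exposed_clients` result.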

    Related posts:
    Dissecting the Latest Koobface Facebook Campaign
    Fake YouTube Site Serving Flash Exploits
    Facebook Malware Campaigns Rotating Tactics
    Phishing Campaign Spreading Across Facebook
    Large Scale MySpace Phishing Attack
    Update on the MySpace Phishing Campaign
    MySpace Phishers Now Targeting Facebook
    MySpace Hosting MySpace Phishing Profiles

    Time to Say Goodbye!

    July 06, 2022

    Ho, Ho, Ho.

    Merry Christmas or Christmas just came in earlier.

    This is an official letter to all of my 5.6M readers since December, 2005 including an official letter to the U.S Security Industry including my current colleagues and friends from across the globe including the dark corners of the Web although there's no such thing as a dark corner of the web just like there's no such thing as free lunch including the fact that an OSINT conducted today is a tax payer's dollar saved somewhere.

    The big news is this is going to be the last post.

    I wanted to say big thanks to everyone who's been following my work ever since I originally launched my personal blog back in December, 2005 and to my one and only employer in the world Webroot Inc. for hiring me and bringing me on board which basically resulted in a decent lifestyle for a period of several years including the renovation of my place.

    What am I left with after my retirement? A modest $150 social pension to take care of my mobile and Internet bills including some food which is great advice for everyone involved in the field to know that it takes a bold man including a one-man show operation to take care of everything and then try to retire.

    My advice for everyone in the industry includes the following hot tips right and straight from the source:

    - never fall victim to the "certificate crowd" myopia and the "more the merrier" mentality, be yourself, say everything and don't forget to do everything and never take credit for what you're doing and what you've been doing and always say cheers or hi to someone who says hi and cheers to your work and achievement

    - don't forget the U.S is secretly hiring security bloggers to jump in the Information Warfare front if there's any which is naturally something that there is but only in case you know what you're up to in terms of getting yourself dazzled and embraced by any of the virtual domain dimensions that you choose for your Information and Cyber Warfare purposes and goal achieving projects

    Best wishes to everyone who made it happen. And in a surreal universe remember that "diamonds degrade their quality. Bulletproof hosting services courtesy of the RBN are forever." Grab a copy of my memoir from here including from Cryptome.org and consider going through my research portfolio throughout the years here and stay tuned for the Second Edition of my Cyber Intelligence memoir which will be published in Bulgarian and made available exclusively to Bulgarian readers who might be interested in catching up in terms of what I've been up to during the years.

    Don't forget if you ever need me for anything including a project that you want to work with me on including advice or just to say "hi" and thanks for all the hard work or anything in general feel free to drop me a line at dancho.danchev@hush.com which is my email address account which I check 24/7 and I'll make sure to send back a proper response.

    Yours sincerely, not necessarily exclusively, and don't forget that although you know my name you should not necessarily do your best to look up my "number".

    Historical OSINT - Profiling a Compilation of Known Apophis Exploit Kit C&C Public Domains - An OSINT Analysis

    July 01, 2022

    I've recently been digging into several archives in terms of looking for actionable threat intelligence based on my research circa 2010, with the idea to enrich it in 2022 and correlate it with several of my proprietary databases for threat intelligence and OSINT related materials in terms of fighting and responding to cybercrime, hence the results, which are an active domain portfolio of the Apophis exploit and phishing kit which you can check out in terms of OSINT threat intelligence enrichment.

    Sample Apophis C&C domains circa 2010 based on my research include:


    Sample domain registrant email address account known to have been used in the campaign:

    slhdns@gmail.com

    Related malicious and fraudulent domains known to have been involved in the campaign include:


    Sample malicious MD5s known to have been involved in the campaign include:


    Stay tuned!

    Search Engine for Hackers/Analysts/Bloggers/OSINT Analysts and Threat Intelligence Experts! Here We Go!

    July 01, 2022
    Dear blog readers,
    This is Dancho. I wanted to take the time and effort to introduce you to my latest project, which is a publicly accessible search engine for hackers, security analysts, security bloggers, OSINT analysts and threat intelligence analysts that are looking for a custom-based search engine to serve all of their security and research needs, taking advantage of high-quality security and threat intelligence resources.

    My primary idea behind launching and managing this project would be to maintain it on a daily basis with real-time high quality resources where I hope that you'll find the actual community driven search engine relevant and informative.





    Stay tuned!
