A Visual Representation of Today's Modern Cybercrime Ecosystem - A Cybercrime-Friendly Forum Communities Screenshots Compilation - An Analysis

July 08, 2022

I've recently taken the time and effort to process a huge number of cybercrime-friendly forum communities in bulk, using my employer WhoisXML API's website screenshot-generating API, and here are the results. Enjoy!

Stay tuned!

Upcoming Personal Memoir - Official Announcement!

July 08, 2022

Dear blog readers,

Big news. I've recently decided to convert my personal blog into a pre-order landing page for my upcoming 756-page personal memoir on the world of hacking and security, from the 90's up to the present day. It includes an elaboration on my security blogging, cybercrime research and threat intelligence gathering, including my OSINT and independent contractor analysis expertise and experience. The purpose is launching my personal memoir and making it publicly accessible in December, 2021, both in print and in multiple E-book formats, to the general public or basically anyone who drops me a line at dancho.danchev@hush.com regarding a possible pre-order. The print version is priced at $35 and the E-book version at $20.

What can you do to obtain access to my upcoming memoir? Drop me a line at dancho.danchev@hush.com regarding a possible pre-order, or to join my pre-order newsletter, where I will send you a direct message once the memoir is ready to be released; the official release date is scheduled for December, 2021.

Some sample content includes:

  • The Real Story Behind the Scene Circa the 90's - I will do my best to elaborate more on my teenage hacker experience and contributions and actual involvement in the Scene during the infamous hacker spree circa the 90's
  • An In-Depth Personal Account of a Teenage Hacker Experience - 
  • The True Story Behind the Rise of Trojan Horse -  
  • Astalavista.com - The Underground Repositioned - 
  • What It's Like to Run the Security Industry's Most Popular Publication - 
  • My Involvement in the Top Secret GCHQ Program Known as "Lovely Horse" - 
  • The Koobface Botnet Exposed - 

Stay tuned!

Call for Interest - Establishing the Foundations for a Part-Time Project-Based Cybercrime Project Task Force

July 08, 2022
Dear blog readers,

I wanted to let everyone know that I'm currently busy with a temporary part-time project-based task force, and I might need your input in terms of possible Task Force participation in the following categories:
• Social Network Analysis
• Technical Collection
• OSINT Enrichment
• Sentiment Analysis
• Statistical Output Based Demographics Research
• OSINT Visualization
The project is vetted and invite-only, therefore it would be great if you approach me with a brief message at dancho.danchev@hush.com signifying your willingness and capability to participate in the project, with a brief introduction of your background and how you think you might be able to help.

Looking forward to beginning work with you.

Stay tuned!

Dancho Danchev's Blog - Soliciting Contributing Writers and Guest Bloggers

July 08, 2022
Dear blog readers,

As many of you have noticed, I've recently expanded my blog to include and feature a diverse personal research portfolio, with additional coverage in a variety of areas, and I wanted to let everyone know that I'm currently busy working on an additional set of research articles and new products that I'll publish soon.

I also wanted to let everyone know that I'm currently running an Open Call for Contributing Writers and Guest Bloggers on one of the industry's leading security publications - Dancho Danchev's Blog - Mind Streams of Information Security Knowledge. The aim is to harness the best security and cybercrime researchers, including threat intelligence analysts from across the security industry, who might be interested in a diverse and high-profile audience for publishing their opinions, thoughts and never-before-published security, cybercrime and threat intelligence research.

Who can participate? Basically anyone who can write security articles and security blog posts on various topics, including malicious software, botnets, OSINT methodologies and general cybercrime research, including threat intelligence analysis.

Looking forward to receiving your response - disruptive.individuals@gmail.com

Stay tuned, and I look forward to continuing to work with you!

Historical OSINT - The Koobface Gang Mixing Social Engineering Vectors

July 08, 2022
It's the Facebook message that came from one of your infected friends, pointing you to a purposely created bogus Bloglines blog serving a fake YouTube video window, that I have in mind. The Koobface gang has been mixing social engineering vectors by taking the potential victim on a walk through legitimate services in order to infect them without using any client-side vulnerabilities.

For instance, this bogus Bloglines account (bloglines .com/blog/Youtubeforbiddenvideo) has already attracted over 150 unique visitors as part of Koobface's Hi5 spreading campaign (catshof .com/go/hi5.php). The domain is parked at the very same IP as the rest of the central redirection domains in all of Koobface's campaigns - 58.241.255.37.

Interestingly, since underground multitasking is becoming a rather common practice, the bogus blog has also been advertised within a blackhat SEO farm using the following blogs, which currently link to several hundred bogus Google Groups accounts:



Abusing legitimate services may indeed get more attention in the upcoming year, following the interest in the practice shown during the last quarter.

Real-Time OSINT vs Historical OSINT in Russia/Georgia Cyberattacks

July 08, 2022
The original real-time OSINT analysis of the Russian cyberattacks against Georgia, conducted on the 11th of August, not only closed the Russia vs Georgia cyberwar case for me personally, but also, once again, proved that real-time OSINT is invaluable compared to historical OSINT using a commercial social network visualization/data mining tool, which cannot and will never be able to access the Dark Web, accessible only through real-time CYBERINT practices.

The value of real-time OSINT in such people's information warfare cyberattacks -- with Chinese hacktivists perfectly aware of the meaning of the phrase -- relies on the relatively lower operational security (OPSEC) the initiators of a particular campaign apply at the beginning, so that it scales faster and attracts more participants. What the Russian government was doing is fueling the (cyber) fire - literally, since all it takes for a collectivist society's cyber militia to organize is a "call for action", which was taking place at the majority of forums, with the posters of these messages apparently using a spamming application to achieve better efficiency.

The results from 56 days of Project Grey Goose in action were published last week; the project, which I discussed back in August, points to the bottom of the food chain in the entire campaign - stopgeorgia.ru:

"Furthermore, coming up with Social Network analysis of the cyberattacks would produce nothing more but a few fancy graphs of over enthusiastic Russian netizens distributing the static list of the targets. The real conversations, as always, are happening in the "Dark Web", limiting the possibilities for open source intelligence using data mining software. Things changed, OPSEC is slowly emerging as a concept among malicious parties, whenever some of the "calls for action" in the DDoS attacks were posted at mainstream forums, they were immediately removed so that they don't show up in such academic initiatives"

So what's the bottom line? Nothing that I haven't already pointed out back in August: "Report: Russian Hacker Forums Fueled Georgia Cyber Attacks":

"But experts say evidence suggests that Russian officials did little to discourage the online assault, which was coordinated through a Russian online forum that appeared to have been prepped with target lists and details about Georgian Web site vulnerabilities well before the two countries engaged in a brief but deadly ground, sea and air war."

Some more comments:

"Just because there was no smoking gun doesn't mean there's no connection," said Jeff Carr, the principal investigator of Project Grey Goose, a group of around 15 computer security, technology and intelligence experts that investigated the August attacks against Georgia. "I can't imagine that this came together sporadically," he said. "I don't think that a disorganized group can coalesce in 24 hours with its own processes in place. That just doesn't make sense."

It wouldn't make sense only if this were the first time Russian hacktivists had maintained the same rhythm as real-life events - which of course it isn't.

Moreover, exactly what would have constituted a "smoking gun" proving that the Russian government was involved in the campaign remains unknown -- I'm still sticking to my comment regarding the web site defacement creative. If they truly wanted to compromise themselves, they would have cut Georgia off the Internet, at least from the perspective offered by this graph courtesy of the Packet Clearing House, which speaks to Georgia's dependence on Russian ISPs.

As for the script kiddies at stopgeorgia.ru, they were informed enough to feature my research in their "negative public comments section". To sum up - the "DoS battle stations operational" mindset, in the name of the "Please, input your cause" mentality, is always going to be there.

The DDoS Attack Against Bobbear.co.uk

July 08, 2022
When you get the "privilege" of getting DDoS-ed by a high profile DDoS for hire service used primarily by cybercriminals attacking other cybercriminals, you're officially doing a hell of a good job exposing money laundering scams.

The attached screenshot demonstrates how even the relatively more sophisticated counter-surveillance approaches taken by a high profile DDoS for hire service can be, and in fact were, bypassed, ending up in a real-time peek at how they've dedicated 4 out of their 10 BlackEnergy botnets to Bobbear exclusively.

Perhaps for the first time ever, I've come across a related DoS service offered by the very same vendor - insider sabotage on demand, given that they have their own people inside the particular company/ISP in question. It makes you think twice before dismissing as a minor network glitch what could easily be a coordinated insider attack requested by a third party. Moreover, now that I've also established the connection between this DDoS for hire service and one of the command and control locations (all active and online) of one of the botnets used in the Russia vs Georgia cyberattack, the concept of engineering cyber warfare tensions once again proves to be a fully realistic one.

Related posts:
A U.S military botnet in the works
DDoS Attack Graphs from Russia vs Georgia's Cyberattacks
Botnet on Demand Service
OSINT Through Botnets
Corporate Espionage Through Botnets
The DDoS Attack Against CNN.com
A New DDoS Malware Kit in the Wild
Electronic Jihad v3.0 - What Cyber Jihad Isn't

Who's Behind the GPcode Ransomware?

July 08, 2022
So, the ultimate question - who's behind the GPcode ransomware? It's Russian teens with pimples, using E-gold and Liberty Reserve accounts, running three different GPcode campaigns, two of which request either $100 or $200 for the decryptor, and communicating from Chinese IPs. Here are all the details regarding the emails they use, the email responses they send back, the currency accounts, as well as their most recent IPs used in the communication:

Emails used by the GPcode authors, where the infected victims are supposed to contact them:
content715@yahoo.com
saveinfo89@yahoo.com
cipher4000@yahoo.com
decrypt482@yahoo.com

Virtual currency accounts used by the malware authors:
Liberty Reserve - account U6890784
E-Gold - account - 5431725
E-Gold - account - 5437838

Sample response email:
"Next, you should send $100 to Liberty Reserve account U6890784 or E-Gold account 5431725 (www.e-gold.com) To buy E-currency you may use exchange service, see or any other. In the transfer description specify your e-mail. After receive your payment, we send decryptor to your e-mail. For check our guarantee you may send us one any encrypted file (with cipher key, specified in any !_READ_ME_!.txt file, being in the directorys with the encrypted files). We decrypt it and send to you originally decrypted file. Best Regards, Daniel Robertson"

Second sample response email, this time requesting $200:
"The price of decryptor is 200 USD. For payment you may use one of following variants: 1. Payment to E-Gold account 5437838 (www.e-gold.com). 2. Payment to Liberty Reserve account U6890784 (www.libertyreserve.com). 3. If you do not make one of this variants, contact us for decision it. For check our guarantee you may send us ONE any encrypted file. We decrypt it and send to you originally decrypted file. For any questions contact us via e-mail. Best regards. Paul Dyke"

So, you've got two people responding with copy-and-paste emails, each of them seeking a different amount of money? Weird. The John Doe-ish Daniel Robertson is emailing from 58.38.8.211 (Liaoning Province Network, China Network Communications Group Corporation, No.156 Fu-Xing-Men-Nei Street, Beijing 100031), and Paul Dyke from 221.201.2.227 (Liaoning Province Network, China Network Communications Group Corporation, No.156 Fu-Xing-Men-Nei Street, Beijing 100031), both Chinese IPs, despite the fact that these campaigners are Russians.

Here are some comments I made regarding cryptoviral extortion two years ago - Future Trends of Malware (on page 11 and page 21) - worth going through.

Who's Behind the Georgia Cyber Attacks?

July 08, 2022
Of course the Klingons did it, or were you naive enough to even think for a second that Russians were behind it in the first place? Of all the things I hate, it's lowering the quality of the discussion that I hate the most. Even if you exclude all the factual evidence (Coordinated Russia vs Georgia cyber attack in progress), common sense must prevail.

Sometimes, the degree of incompetence can in fact be pretty entertaining, and it greatly explains why certain countries are lagging years behind others in their inability to understand the rules of information warfare, or the basic premise of unrestricted warfare: that there are no rules on how to achieve your objectives.

So who's behind the Georgia cyber attacks, encompassing everything from plain simple ping floods and web site defacements to sustained DDoS attacks, which remain ongoing despite the fact that Georgia has switched hosting location to the U.S.? It's Russia's self-mobilizing cyber militia, the product of a collectivist society having the capacity to wage cyber wars and literally dictating the rhythm in this space. What is a militia anyway?

"civilians trained as soldiers but not part of the regular army; the entire body of physically fit civilians eligible by law for military service; a military force composed of ordinary citizens to provide defense, emergency law enforcement, or paramilitary service, in times of emergency; without being paid a regular salary or committed to a fixed term of service; an army of trained civilians, which may be an official reserve army, called upon in time of need; the national police force of a country; the entire able-bodied population of a state; or a private force, not under government control; An army or paramilitary group comprised of citizens to serve in times of emergency"

Next to the "blame the Russian Business Network for the lack of large scale implementation of DNSSEC" mentality, certain news articles also try to wrongly imply that there's no Russian connection in these attacks and that the attacks are not "state-sponsored", making it look as if a considerable amount of investment would have to be made into these attacks, and as if the Russian government had the final word on whether or not its DDoS-capable citizens should launch any attacks. In reality, the only thing the Russian government was asking itself during these attacks was "why didn't they start the attacks earlier?!".

Thankfully, there are some visionary folks out there who understand the situation. Last year, I asked the following question - What is the most realistic scenario for what exactly happened in the recent DDoS attacks aimed at Estonia, from your point of view? - and some of the possible answers still fully apply in this situation:

- It was Russian government-sponsored hacktivism, or shall we say government-tolerated hacktivism

- Too much media hype over a sustained ICMP flood, given the publicly obtained statistics of the network traffic

- Certain individuals of the collectivist Russian society, botnet masters for instance, were automatically recruited based on nationalist sentiments, so that they basically forwarded some of their bandwidth to key web servers

- In order to generate more noise, DIY DoS tools were distributed to the masses so that no one would ever know who's really behind the attacks

- Don't know who did it, but I can assure you my kid was playing !synflood at that time

- Offended by the not so well coordinated removal of the Soviet statue, Russian oligarchs felt the need to send back a signal but, naturally lacking any DDoS capabilities, basically outsourced the DDoS attacks

- A foreign intelligence agency twisting reality and engineering cyber warfare tensions did it, while taking advantage of the momentum and the overall public perception that no one else but the offended Russia could be behind the attacks

- I hate scenario building, it reminds me of my academic years; however, yours are pretty good, which doesn't necessarily mean I actually care who did it, and pssst - it's not cyberwar, as in cyberwar you have two parties with virtual engagement points, whereas in this case it was bandwidth domination by whoever did it over the other. A virtual shock and awe

- I stopped following the news story by the time every reporter dubbed it the first cyber war, and started following it again when the word hacktivism started gaining popularity. So, hacktivists did it to virtually state their political preferences

Departmental cyber warfare would never reach the flexibility of people's information warfare, where everyone is a cyber warrior given that they're empowered with access to the right tools at a particular moment in time.

Related posts:
People's Information Warfare Concept
Combating Unrestricted Warfare
The Cyber Storm II Cyber Exercise
Chinese Hacktivists Waging People's Information Warfare Against CNN
The DDoS Attacks Against CNN.com
China's Cyber Espionage Ambitions
North Korea's Cyber Warfare Unit 121

Dissecting the Koobface Worm's December Campaign

July 08, 2022
The Koobface Facebook worm -- go through an assessment of a previous campaign -- is once again making its rounds across social networking sites, Facebook in particular. Therefore, shall we spill a big cup of coffee over the malware campaigners' efforts yet another time? But of course.

Only OPSEC-ignorant malware campaigners would leave so many traceable points, while also centralizing the campaign's redirection domains on a single IP. For instance, they took advantage of a free web counter whose publicly obtainable statistics -- the account has since been deleted -- allow us not only to measure the clickability of Koobface's campaign, but also to prove that they're actively multitasking by combining blackhat SEO and active spreading across several other social networking sites. Here are the key summary points for this campaign:

- the hosting infrastructure for the bogus YouTube site and the actual binary is provided by several thousand dynamically changing malware infected IPs
- all of the malware infected hosts are serving the bogus YouTube site through port 7777
- the very same bogus domains acting as central redirection points from November's campaign remain active; however, they've switched hosting locations
- if the visitor isn't coming from where she's supposed to be coming from, in this case the predefined list of referrers, a single line of "scan ref" is returned with no malicious content displayed
- the campaign can easily be taken care of, at least in the short term, by shutting down the centralized redirection points


What follows are the surprises: namely, despite the fact that Koobface is pitched as a Facebook worm, according to their statistics -- go through a previously misconfigured malware campaign's stats -- the majority of unique visitors from the December campaign appear to have been coming from Friendster. As for the exact number of visitors hitting their web counter, counting as of 7 November 2008, 12:58, with 91,109 unique visitors on 07 Nov, Fri and another 53,260 on 08 Nov, Sat before the counter was deleted, the cached version of their web counter provides a relatively good sample.

On each of the bogus Geocities redirectors, the very same lostart .info/js/gs.js (58.241.255.37) used in the previous campaign attempts to redirect to find-allnot .com/go/fb.php (58.241.255.37) or to playtable .info/go/fb.php (58.241.255.37), with fb.php doing the referrer checking and redirecting to the botnet hosts. Several other well known malware command and control locations are also parked at 58.241.255.37:


These domains, with several exceptions, are actively participating in the campaign, and the easiest way to differentiate whether it's a Facebook or a Bebo redirection remains the descriptive filenames. For instance, fb.php corresponds to Facebook redirections and be.php to Bebo redirections (ofsitesearch .com/go/be.php). However, the meat resides within the statistics from their campaign:
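Added example, not code from the original post or from any tool it mentions: a small Python detector that reconstructs the redirection chain described above from proxy log lines, flagging a client that fetches a /js/gs.js loader, then a /go/fb.php or /go/be.php redirector, then an IP-literal host on port 7777 with the ?ch=&ea= query within a few minutes. The log format, the host names and the sample lines are constructed for this example; the stage patterns come from the indicators in the post.

```python
"""Reconstruct the Koobface December-campaign redirection chain from proxy logs.

Constructed for this example (not the post's own code). Stage patterns
follow the post: a gs.js loader, a go/fb.php or go/be.php referrer-checking
redirector, and a malware-infected host on port 7777 answering ?ch=&ea=.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed proxy-log format: "<date> <time> <client> <method> <url> <status>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<client>\S+) (?P<method>[A-Z]+) (?P<url>\S+) (?P<status>\d{3})$"
)

# One regex per stage of the chain; hosts are deliberately not hard-coded
# because the post notes the redirection domains change hosting locations.
STAGE_PATTERNS = [
    ("loader", re.compile(r"^https?://[^/]+/js/gs\.js(\?|$)", re.I)),
    ("redirector", re.compile(r"^https?://[^/]+/go/(fb|be)\.php(\?|$)", re.I)),
    ("payload_host", re.compile(r"^https?://\d{1,3}(\.\d{1,3}){3}:7777/(dt/)?\?ch=&ea=", re.I)),
]
STAGE_ORDER = ["loader", "redirector", "payload_host"]
CHAIN_WINDOW = timedelta(minutes=5)   # assumption: hops happen within minutes


def classify_url(url):
    """Return the chain stage a URL matches, or None for unrelated traffic."""
    for name, pattern in STAGE_PATTERNS:
        if pattern.search(url):
            return name
    return None


def parse_line(line):
    """Parse one constructed-format log line into a dict, or None if malformed."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%d %H:%M:%S")
    rec["stage"] = classify_url(rec["url"])
    return rec


def find_chains(lines):
    """Group stage hits per client and label each client complete or partial.

    'complete' means loader -> redirector -> payload_host seen in order within
    CHAIN_WINDOW. A 'partial' client still deserves a look: fb.php only
    redirects when the referrer is on the campaign's list, so a chain that
    stops at the redirector (the "scan ref" case) is the expected shape of a
    blocked or mis-referred visit.
    """
    hits = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and rec["stage"]:
            hits[rec["client"]].append(rec)
    report = {}
    for client, recs in hits.items():
        recs.sort(key=lambda r: r["ts"])
        complete = False
        for i, start in enumerate(recs):
            if start["stage"] != "loader":
                continue
            want = 1  # index into STAGE_ORDER of the next hop we expect
            for nxt in recs[i + 1:]:
                if nxt["ts"] - start["ts"] > CHAIN_WINDOW:
                    break
                if nxt["stage"] == STAGE_ORDER[want]:
                    want += 1
                    if want == len(STAGE_ORDER):
                        complete = True
                        break
            if complete:
                break
        stages = sorted({r["stage"] for r in recs}, key=STAGE_ORDER.index)
        report[client] = {"stages": stages, "verdict": "complete" if complete else "partial"}
    return report


# Constructed sample traffic: documentation addresses and .example hosts only.
SAMPLE_LOG = [
    "2008-12-03 10:01:02 10.0.0.5 GET http://loader.example/js/gs.js 200",
    "2008-12-03 10:01:03 10.0.0.5 GET http://redirect.example/go/fb.php 302",
    "2008-12-03 10:01:04 10.0.0.5 GET http://192.0.2.44:7777/?ch=&ea= 200",
    "2008-12-03 10:05:00 10.0.0.9 GET http://redirect.example/go/be.php 200",
    "2008-12-03 10:06:00 10.0.0.9 GET http://www.example.com/index.html 200",
    "2008-12-03 10:07:00 10.0.0.12 GET http://192.0.2.44:7777/dt/?ch=&ea= 200",
    "2008-12-03 11:30:00 10.0.0.20 GET http://loader.example/js/gs.js 200",
    "2008-12-03 11:40:00 10.0.0.20 GET http://192.0.2.44:7777/?ch=&ea= 200",
]

if __name__ == "__main__":
    for client, info in find_chains(SAMPLE_LOG).items():
        print(client, info["verdict"], "->".join(info["stages"]))
```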

Malware serving URLs part of the Koobface worm's December campaign, based on the identical counter used across all the malicious domains:

Geocities redirectors participating:
geocities .com/madelineeaton10/index.htm
geocities .com/charlievelazquez10/index.htm
geocities .com/raulsheppard18/index.htm

Sample malware infected hosts used by the redirectors:

Detection rate for the binary, identical across all infected hosts participating:
flash_update.exe (Win32/Koobface!generic; Win32.Worm.Koobface.W)
Detection rate: 28/38 (73.69%)
File size: 27136 bytes
MD5...: 3071f71fc14ba590ca73801e19e8f66d
SHA1..: 2f80a5b2575c788de1d94ed1e8005003f1ca004d

Koobface's social networks spreading model isn't going away, but its domains definitely are.

Related posts:
Dissecting the Latest Koobface Facebook Campaign
Fake YouTube Site Serving Flash Exploits
Facebook Malware Campaigns Rotating Tactics
Phishing Campaign Spreading Across Facebook
Large Scale MySpace Phishing Attack
Update on the MySpace Phishing Campaign
MySpace Phishers Now Targeting Facebook
MySpace Hosting MySpace Phishing Profiles