I've recently took the time and effort and process a huge number of cybercrime-friendly forum communities by using my employer WhoisXML API's Web Site Screenshot generating API in bulk and here are the results. Enjoy!
Stay tuned!
Friday, July 08, 2022
A Visual Representation of Today's Modern Cybercrime Ecosystem - A Cybercrime-Friendly Forum Communities Screenshots Compilation - An Analysis
Independent Security Consultancy, Threat Intelligence Analysis (OSINT/Cyber Counter Intelligence) and Competitive Intelligence research on demand. Insightful, unbiased, and client-tailored assessments, neatly communicated in the form of interactive reports - because anticipating the emerging threatscape is what shapes the big picture at the end of the day. Approach me at dancho.danchev@hush.com
Upcoming Personal Memoir - Official Announcement!
Big news. I've recently decided to convert my personal blog into a pre-order landing page for my 756 pages long upcoming personal memoir in the world of hacking and security circa the 90's up to present day including an elaboration on my security blogging cybercrime research and threat intelligence gathering including OSINT and independent contractor analysis expertise and experience for the purpose of lauching my personal memoir and making it publicly accessible in December, 2021 both in print and in multiple E-book formats for the general public or basically anyone who drops me a line at dancho.danchev@hush.com in terms of possible pre-order where the print version is priced at $35 and the E-book version is priced at $20.
What you can do in order to obtain access to my upcoming memoir? Drop me a line at dancho.danchev@hush.com in terms of possible pre-order including to participate in my pre-order newsletter where I will send you a direct message once the memoir is ready to be released with the official release date scheduled for December, 2021.
Some sample content includes:
Stay tuned!
Independent Security Consultancy, Threat Intelligence Analysis (OSINT/Cyber Counter Intelligence) and Competitive Intelligence research on demand. Insightful, unbiased, and client-tailored assessments, neatly communicated in the form of interactive reports - because anticipating the emerging threatscape is what shapes the big picture at the end of the day. Approach me at dancho.danchev@hush.com
Call for Interest - Establishing the Foundations for a Part-Time Project-Based Cybercrime Project Task Force
Dear blog readers,
I wanted to let everyone know that I'm currently busy a temporary part-time project-based task force and I might need your input in terms of a possible Task Force participation in the following categories:
Looking forward to begin working with you.
Stay tuned!
I wanted to let everyone know that I'm currently busy a temporary part-time project-based task force and I might need your input in terms of a possible Task Force participation in the following categories:
- Social Network Analysis
- Technical Collection
- OSINT Enrichment
- Sentiment Analysis
- Statistical Output Based Demographics Research
- OSINT Visualization
Looking forward to begin working with you.
Stay tuned!
Independent Security Consultancy, Threat Intelligence Analysis (OSINT/Cyber Counter Intelligence) and Competitive Intelligence research on demand. Insightful, unbiased, and client-tailored assessments, neatly communicated in the form of interactive reports - because anticipating the emerging threatscape is what shapes the big picture at the end of the day. Approach me at dancho.danchev@hush.com
Dancho Danchev's Blog - Soliciting Contributing Writers and Guest Bloggers
Dear blog readers,
As many of you noticed I've recently expanded my blog to include and feature a diverse set of personal research portfolio including additional coverage in a variety of areas and I wanted to let everyone know that I'm currently busy working on an additional set of research articles and new products that I'll publish anytime soon.
I wanted to let everyone know that I'm currently busy soliciting an Open Call for Contributing Writers and Guest Bloggers on one of the industry's leading Security publications - Dancho Danchev's Blog - Mind Streams of Information Security Knowledge on my way to harness the best security and cybercrime researchers including threat intelligence analysts from across the Security Industry who might be interested in a diverse and high-profile set of audience in terms of publishing their opinion thought and general and never-published before security and cybercrime including threat intelligence research.
Who can participate? - Basically everything who can write security articles and security blog posts on various topics including malicious software botnets OSINT methodologies and general cybercrime research including Threat Intelligence analysis.
Looking forward to receiving your response - disruptive.individuals@gmail.com
Stay tuned and I look forward to continue working with you!
As many of you noticed I've recently expanded my blog to include and feature a diverse set of personal research portfolio including additional coverage in a variety of areas and I wanted to let everyone know that I'm currently busy working on an additional set of research articles and new products that I'll publish anytime soon.
I wanted to let everyone know that I'm currently busy soliciting an Open Call for Contributing Writers and Guest Bloggers on one of the industry's leading Security publications - Dancho Danchev's Blog - Mind Streams of Information Security Knowledge on my way to harness the best security and cybercrime researchers including threat intelligence analysts from across the Security Industry who might be interested in a diverse and high-profile set of audience in terms of publishing their opinion thought and general and never-published before security and cybercrime including threat intelligence research.
Who can participate? - Basically everything who can write security articles and security blog posts on various topics including malicious software botnets OSINT methodologies and general cybercrime research including Threat Intelligence analysis.
Looking forward to receiving your response - disruptive.individuals@gmail.com
Stay tuned and I look forward to continue working with you!
Independent Security Consultancy, Threat Intelligence Analysis (OSINT/Cyber Counter Intelligence) and Competitive Intelligence research on demand. Insightful, unbiased, and client-tailored assessments, neatly communicated in the form of interactive reports - because anticipating the emerging threatscape is what shapes the big picture at the end of the day. Approach me at dancho.danchev@hush.com
Historical OSINT - The Koobface Gang Mixing Social Engineering Vectors
It's the Facebook message that came from one of your infected friends pointing you to an on purposely created bogus Bloglines blog serving fake YouTube video window, that I have in mind. The Koobface gang has been mixing social engineering vectors by taking the potential victim on a walk through legitimate services in order to have them infected without using any client-side vulnerabilities.For instance, this bogus Bloglines account (bloglines .com/blog/Youtubeforbiddenvideo) has attracted over 150 unique visitors already, part of Koobface's Hi5 spreading campaign (catshof .com/go/hi5.php). The domain is parked at the very same IP that the rest of the central redirection ones in all of Koobface's campaigns are - 58.241.255.37.
Interestingly, since underground multitasking is becoming a rather common practice, the bogus blog has also been advertised within a blackhat SEO farm using the following blogs, currently linking to several hundred bogus Google Groups accounts :bloglines .com/blog/gillehuxeda
bloglines .com/blog/chaneyok
bloglines .com/blog/ramosimeco
bloglines .com/blog/antwanuvfa
bloglines .com/blog/tamaraaqo
bloglines .com/blog/josephyhti
bloglines .com/blog/whiteqivaju
bloglines .com/blog/hayleyem
bloglines .com/blog/tateigyamor
bloglines .com/blog/burnsseuhaqe
bloglines .com/blog/jennaup
bloglines .com/blog/jermainedus
bloglines .com/blog/floydwopew55
bloglines .com/blog/arielehy
bloglines .com/blog/onealqypsu
bloglines .com/blog/mackirma
bloglines.com/blog/breonnazox
bloglines .com/blog/sabrinaxycit
bloglines .com/blog/gloverqy
bloglines .com/blog/lisaurja
bloglines .com/blog/greenefayg18
bloglines .com/blog/craigxiw36
bloglines .com/blog/parsonsdos
bloglines .com/blog/martinsutuz
bloglines .com/blog/deandreefe
bloglines .com/blog/briannetu
bloglines .com/blog/kierailpe
bloglines .com/blog/fordyfo27
bloglines .com/blog/litzyracnuj
bloglines.com/blog/darwinupi57
bloglines .com/blog/bonillavaok
bloglines .com/blog/jennyuxe85
bloglines .com/blog/wilkersonin
bloglines .com/blog/nicolasqydby
bloglines .com/blog/darbyeve
bloglines .com/blog/izaiahro83
bloglines .com/blog/parsonsdos
bloglines .com/blog/fullerjeb81
Abusing legitimate services may indeed get more attention in the upcoming year, following their interest in the practice from the last quarter.
Independent Security Consultancy, Threat Intelligence Analysis (OSINT/Cyber Counter Intelligence) and Competitive Intelligence research on demand. Insightful, unbiased, and client-tailored assessments, neatly communicated in the form of interactive reports - because anticipating the emerging threatscape is what shapes the big picture at the end of the day. Approach me at dancho.danchev@hush.com
Real-Time OSINT vs Historical OSINT in Russia/Georgia Cyberattacks
The original real-time OSINT analysis of the Russian cyberattacks against Georgia conducted on the 11th of August, not only closed the Russia vs Georgia cyberwar case for me personally, but also, once again proved that real-time OSINT is invaluable compared to historical OSINT using a commercial social network visualization/data mining tool which cannot and will never be able to access the Dark Web, accessible only through real-time CYBERINT practices.
The value of real-time OSINT in such people's information warfare cyberattacks -- with Chinese hacktivists perfectly aware of the meaning of the phrase -- relies on the relatively lower operational security (OPSEC) the initiators of a particular campaign apply at the beginning, so that it would scale faster and attract more participants. What the Russian government was doing is fueling the (cyber) fire - literally, since all it takes for a collectivist socienty's cyber militia to organize, is a "call for action" which was taking place at the majority of forums, with the posters of these messages apparently using a spamming application to achieve better efficiency.The results from 56 days of Project Grey Goose in action got published last week, a project I discussed back in August, point out to the bottom of the food chain in the entire campaign - stopgeorgia.ru :
"Furthermore, coming up with Social Network analysis of the cyberattacks would produce nothing more but a few fancy graphs of over enthusiastic Russian netizen's distributing the static list of the targets. The real conversations, as always, are happening in the "Dark Web" limiting the possibilities for open source intelligence using a data mining software. Things changed, OPSEC is slowly emerging as a concept among malicious parties, whenever some of the "calls for action" in the DDoS attacks were posted at mainstream forums, they were immediately removed so that they don't show up in such academic initiatives"So what's the bottom line? Nothing that I haven't already pointed out back in August : "Report: Russian Hacker Forums Fueled Georgia Cyber Attacks" :
"But experts say evidence suggests that Russian officials did little to discourage the online assault, which was coordinated through a Russian online forum that appeared to have been prepped with target lists and details about Georgian Web site vulnerabilities well before the two countries engaged in a brief but deadly ground, sea and air war."
Some more comments :
"Just because there was no smoking gun doesn't mean there's no connection," said Jeff Carr, the principal investigator of Project Grey Goose, a group of around 15 computer security, technology and intelligence experts that investigated the August attacks against Georgia. "I can't imagine that this came together sporadically," he said. "I don't think that a disorganized group can coalesce in 24 hours with its own processes in place. That just doesn't make sense."
It wouldn't make sense if this was the first time Russian hacktivists are maintaining the same rhythm as real-life events - which of course isn't.Moreover, exactly what would have constituted a "smoking gun" proving that the Russian government was involved in the campaign, remains unknown -- I'm still sticking to my comment regarding the web site defacement creative. If they truly wanted to compromise themselves, they would have cut Georgia off the Internet, at least from the perspective offered by this graph courtesy of the Packet Clearing House speaking for their dependability on Russian ISPs.
As for the script kiddies at stopgeorgia.ru, they were informed enough to feature my research into their "negative public comments section". To sum up - the "DoS battle stations operational in the name of the "Please, input your cause" mentality is always going to be there.
Independent Security Consultancy, Threat Intelligence Analysis (OSINT/Cyber Counter Intelligence) and Competitive Intelligence research on demand. Insightful, unbiased, and client-tailored assessments, neatly communicated in the form of interactive reports - because anticipating the emerging threatscape is what shapes the big picture at the end of the day. Approach me at dancho.danchev@hush.com
The DDoS Attack Against Bobbear.co.uk
When you get the "privilege" of getting DDoS-ed by a high profile DDoS for hire service used primarily by cybercriminals attacking other cybercriminals, you're officially doing hell of a good job exposing money laundering scams.The attached screenshot demonstrates how even the relatively more sophisticated counter surveillance approaches taken by a high profile DDoS for hire service can be, and were in fact bypassed, ending up in a real-time peek at how they've dedicated 4 out of their 10 BlackEnergy botnets to Bobbear exclusively.
Perhaps for the first time ever, I come across a related DoS service offered by the very same vendor - insider sabotage on demand given they have their own people in a particular company/ISP in question. Makes you think twice before considering a minor network glitch what could easily turn into a coordinated insider attack requested by a third-party. Moreover, now that I've also established the connection between this DDoS for hire service and one of the command and control locations (all active and online) of one of the botnets used in the Russia vs Georgia cyberattack, the concept of engineering cyber warfare tensions once again proves to be a fully realistic one.
Related posts:
A U.S military botnet in the works
DDoS Attack Graphs from Russia vs Georgia's Cyberattacks
Botnet on Demand Service
OSINT Through Botnets
Corporate Espionage Through Botnets
The DDoS Attack Against CNN.com
A New DDoS Malware Kit in the Wild
Electronic Jihad v3.0 - What Cyber Jihad Isn't
Independent Security Consultancy, Threat Intelligence Analysis (OSINT/Cyber Counter Intelligence) and Competitive Intelligence research on demand. Insightful, unbiased, and client-tailored assessments, neatly communicated in the form of interactive reports - because anticipating the emerging threatscape is what shapes the big picture at the end of the day. Approach me at dancho.danchev@hush.com
Who's Behind the GPcode Ransomware?
So, the ultimate question - who's behind the GPcode ransomware? It's Russian teens with pimples, using E-gold and Liberty Reserve accounts, running three different GPcode campaigns, two of which request either $100 or $200 for the decryptor, and communicating from Chinese IPs. Here are all the details regarding the emails they use, the email responses they sent back, the currency accounts, as well their most recent IPs used in the communication :Emails used by the GPcode authors where the infected victims are supposed to contact them :
content715@yahoo.com
saveinfo89@yahoo.com
cipher4000@yahoo.com
decrypt482@yahoo.com
Virtual currency accounts used by the malware authors :
Liberty Reserve - account U6890784
E-Gold - account - 5431725
E-Gold - account - 5437838
Sample response email :
"Next, you should send $100 to Liberty Reserve account U6890784 or E-Gold account 5431725 (www.e-gold.com) To buy E-currency you may use exchange service, see or any other. In the transfer description specify your e-mail. After receive your payment, we send decryptor to your e-mail. For check our guarantee you may send us one any encrypted file (with cipher key, specified in any !_READ_ME_!.txt file, being in the directorys with the encrypted files). We decrypt it and send to you originally decrypted file. Best Regards, Daniel Robertson"
Second sample response email this time requesting $200 :
"The price of decryptor is 200 USD. For payment you may use one of following variants: 1. Payment to E-Gold account 5437838 (www.e-gold.com). 2. Payment to Liberty Reserve account U6890784 (www.libertyreserve.com). 3. If you do not make one of this variants, contact us for decision it. For check our guarantee you may send us ONE any encrypted file. We decrypt it and send to you originally decrypted file. For any questions contact us via e-mail. Best regards. Paul Dyke"
So, you've got two people responding back with copy and paste emails, each of them seeking a different amount of money? Weird. The John Dow-ish Daniel Robertson is emailing from 58.38.8.211 (Liaoning Province Network China Network Communications Group Corporation No.156,Fu-Xing-Men-Nei Street, Beijing 100031), and Paul Dyke from 221.201.2.227(Liaoning Province Network China Network Communications Group Corporation No.156,Fu-Xing-Men-Nei Street, Beijing 100031), both Chinese IPs, despite that these campaigners are Russians.
Here are some comments I made regarding cryptoviral extortion two years ago - Future Trends of Malware (on page 11; and page 21), worth going through.
Independent Security Consultancy, Threat Intelligence Analysis (OSINT/Cyber Counter Intelligence) and Competitive Intelligence research on demand. Insightful, unbiased, and client-tailored assessments, neatly communicated in the form of interactive reports - because anticipating the emerging threatscape is what shapes the big picture at the end of the day. Approach me at dancho.danchev@hush.com
Who's Behind the Georgia Cyber Attacks?
Of course the Klingons did it, or you were naive enough to even think for a second that Russians were behind it at the first place? Of the things I hate most, it's lowering down the quality of the discussion I hate the most. Even if you're excluding all the factual evidence (Coordinated Russia vs Georgia cyber attack in progress), common sense must prevail.Sometimes, the degree of incompetence can in fact be pretty entertaining, and greatly explains why certain countries are lacking behind others with years in their inability to understand the rules of information warfare, or the basic premise of unrestricted warfare, that there are no rules on how to achieve your objectives.
So who's behind the Georgia cyber attacks, encompassing of plain simple ping floods, web site defacements, to sustained DDoS attacks, which no matter the fact that Geogia has switched hosting location to the U.S remain ongoing? It's Russia's self-mobilizing cyber militia, the product of a collectivist society having the capacity to wage cyber wars and literally dictating the rhythm in this space. What is militia anyway :
"civilians trained as soldiers but not part of the regular army; the entire body of physically fit civilians eligible by law for military service; a military force composed of ordinary citizens to provide defense, emergency law enforcement, or paramilitary service, in times of emergency; without being paid a regular salary or committed to a fixed term of service; an army of trained civilians, which may be an official reserve army, called upon in time of need; the national police force of a country; the entire able-bodied population of a state; or a private force, not under government control; An army or paramilitary group comprised of citizens to serve in times of emergency"Next to the "blame the Russian Business Network for the lack of large scale implementation of DNSSEC" mentality, certain news articles also try to wrongly imply that there's no Russian connection in these attacks, and that the attacks are not "state-sponsored", making it look like that there should be a considerable amount of investment made into these attacks, and that the Russian government has the final word on whether or not its DDoS capabilities empowered citizens should launch any attacks or not. In reality, the only thing the Russian government was asking itself during these attacks was "why didn't they start the attacks earlier?!".
Thankfully, there are some visionary folks out there understanding the situation. Last year, I asked the following question - What is the most realistic scenario on what exactly happened in the recent DDoS attacks aimed at Estonia, from your point of view? and some of the possible answers still fully apply in this situation :
- It was a Russian government-sponsored hacktivism, or shall we say a government-tolerated one
- Too much media hype over a sustained ICMP flood, given the publicly obtained statistics of the network traffic
- Certain individuals of the collectivist Russian society, botnet masters for instance, were automatically recruited based on a nationalism sentiments so that they basically forwarded some of their bandwidth to key web servers
- In order to generate more noise, DIY DoS tools were distributed to the masses so that no one would ever know who's really behind the attacks
- Don't know who did it, but I can assure you my kid was playing !synflood at that time
- Offended by the not so well coordinated removal of the Soviet statue, Russian oligarchs felt the need to send back a signal but naturally lacking any DDoS capabilities, basically outsourced the DDoS attacks
- A foreign intelligence agency twisting the reality and engineering cyber warfare tensions did it, while taking advantage of the momentum and the overall public perception that noone else but the affected Russia could be behind the attacks
- I hate scenario building, reminds me of my academic years, however, yours are pretty good which doesn't necessarily mean I actually care who did it, and pssst - it's not cyberwar, as in cyberwar you have two parties with virtual engagement points, in this case it was bandwidth domination by whoever did it over the other. A virtual shock and awe
- I stopped following the news story by the time every reporter dubbed it the first cyber war, and started following it again when the word hacktivism started gaining popularity. So, hacktivists did it to virtually state their political preferences
Departamental cyber warfare would never reach the flexibity state of people's information warfare where everyone is a cyber warrior given he's empowered with access to the right tools at a particular moment in time.
Related posts:
People's Information Warfare Concept
Combating Unrestricted Warfare
The Cyber Storm II Cyber Exercise
Chinese Hacktivists Waging People's Information Warfare Against CNN
The DDoS Attacks Against CNN.com
China's Cyber Espionage Ambitions
North Korea's Cyber Warfare Unit 121
Independent Security Consultancy, Threat Intelligence Analysis (OSINT/Cyber Counter Intelligence) and Competitive Intelligence research on demand. Insightful, unbiased, and client-tailored assessments, neatly communicated in the form of interactive reports - because anticipating the emerging threatscape is what shapes the big picture at the end of the day. Approach me at dancho.danchev@hush.com
Dissecting the Koobface Worm's December Campaign
The Koobface Facebook worm -- go through an assessment of a previous campaign -- is once again making its rounds across social networking sites, Facebook in particular. Therefore, shall we spill a big cup of coffee over the malware campaigners efforts for yet another time? But of course.Key summary points :
- the hosting infrastructure for the bogus YouTube site and the actual binary is provided by several thousand dynamically changing malware infected IPs
- all of the malware infected hosts are serving the bogus YouTube site through port 7777
- the very same bogus domains acting as central redirection points from the November's campaign remain active, however, they've switched hosting locations
- if the visitor isn't coming from where she's supposed to be coming, in this case the predefined list of referrers, a single line of "scan ref" is returned with no malicious content displayed
- the campaign can be easily taken care of at least in the short term, but shutting down the centralized redirection points
What follows are the surprises, namely, despite the fact that Koobface is pitched as a Facebook worm, according to their statistics -- go through a previously misconfigured malware campaign stats -- the majority of unique visitors from the December's campaign appear to have been coming from Friendster. As for the exact number of visitors hitting their web counter, counting as of 7 November 2008, 12:58, with 91,109 unique visitors on on 07 Nov, Fri and another 53,260 on 08 Nov, Sat before the counter was deleted, the cached version of their web counter provides a relatively good sample.On each of the bogus Geocities redirectors, the very same lostart .info/js/gs.js (58.241.255.37) used in the previous campaign, attempts to redirect to find-allnot .com/go/fb.php (58.241.255.37) or to playtable .info/go/fb.php (58.241.255.37), with fb.php doing the referrer checking and redirecting to the botnet hosts magic. Several other well known malware command and control locations are also parked at 58.241.255.37 :
jobusiness .org
a221008 .com
y171108 .com
searchfindand .com
ofsitesearch .com
fashionlineshow .com
anddance .info
firstdance .biz
prixisa .com
danceanddisc .com
finditand .com
findsamthing .com
freemarksearch .com
find-allnot .com
find-here-and-now .com
findnameby .com
anddance .info
These domains, with several exeptions, are actively participating in the campaign, with the easiest way to differentiate whether it's a Facebook or Bebo redirection, remaining the descriptive filenames. For instance, fb.php corresponds to Facebook redirections and be.php corresponding to Bebo redirections (ofsitesearch .com/go/be.php). However, the meat resides within the statistics from their campaign :
Malware serving URLs part of Koobface worm's December's campaign, based on the identical counter used across all the malicious domains :youtube-x-files .com
youtube-go .com
youtube-spy.5x .pl
youtube-files.bo .pl
youtube-media.none .pl
youtube-files.xh .pl
youtube-spy.dz .pl
youtube-files.esite .pl
youtube-spy.bo .pl
youtube-spy.nd .pl
youtube-spy.edj .pl
spy-video.oq .pl
shortclips.bubb .pl
youtubego.cacko .pl
asda345.blogspot .com
uholyejedip556.blogspot .com
ufyaegobeni7878.blogspot .com
uiyneteku20176.blogspot .com
ujoiculehe19984.blogspot .com
uinekojapab29989.blogspot .com
uhocuyhipam13345.blogspot .com
Geocities redirectors participating :
geocities .com/madelineeaton10/index.htm
geocities .com/charlievelazquez10/index.htm
geocities .com/raulsheppard18/index.htm
Sample malware infected hosts used by the redirectors :92.241.134 .41:7777/?ch=&ea=
89.138.171 .49:7777/?ch=&ea=
92.40.34 .217:7777/?ch=&ea=
79.173.242 .224:7777/?ch=&ea=
122.163.103 .91:7777/?ch=&ea=
217.129.155 .36:7777/?ch=&ea=
84.109.169 .124:7777/?ch=&ea=
91.187.67 .216:7777/?ch=&ea=
84.254.51 .227:7777/?ch=&ea=
190.142.5 .32:7777/?ch=&ea=
190.158.102 .246:7777/?ch=&ea=
201.245.95 .86:7777/?ch=&ea=
78.90.85 .7:7777/?ch=&ea=
82.81.25 .144:7777/?ch=&ea=
78.183.143 .188:7777/?ch=&ea=
89.139.86 .88:7777/?ch=&ea=
85.107.190 .105:7777/?ch=&ea=
84.62.84 .132:7777/?ch=&ea=
78.3.42 .99:7777/?ch=&ea=
92.241.137 .158:7777/?ch=&ea=
77.239.21 .34:7777/?ch=&ea=
41.214.183 .130:7777/?ch=&ea=
90.157.250 .133:7777/dt/?ch=&ea=
89.143.27 .39:7777/?ch=&ea=
91.148.112 .179:7777/?ch=&ea=
94.73.0 .211:7777/?ch=&ea=
124.105 .187.176:7777/?ch=&ea=
77.70.108 .163:7777/?ch=&ea=
190.198.162 .240:7777/?ch=&ea=
89.138.23 .121:7777/?ch=&ea=
190.46.50 .103:7777/?ch=&ea=
80.242.120 .135:7777/?ch=&ea=
94.191.140 .143:7777/?ch=&ea=
210.4.126 .100:7777/?ch=&ea=
87.203.145 .61:7777/?ch=&ea=
94.189.204 .22:7777/?ch=&ea=
92.36.242 .47:7777/?ch=&ea=
77.78.197 .176:7777/?ch=&ea=
94.189.149 .231:7777/?ch=&ea=
89.138.102 .243:7777/?ch=&ea=
94.73.0 .211:7777/?ch=&ea=
79.175.101 .28:7777/?ch=&ea=
78.1.251 .26:7777/?ch=&ea=
201.236.228 .38:7777/?ch=&ea=
85.250.190 .55:7777/?ch=&ea=
211.109.46 .32:7777/?ch=&ea=
91.148.159 .174:7777/?ch=&ea=
87.68.71 .34:7777/?ch=&ea=
85.94.106 .240:7777/?ch=&ea=
195.91.82 .18:7777/?ch=&ea=
85.101.167 .197:7777/?ch=&ea=
193.198.167 .249:7777/?ch=&ea=
94.69.130 .191:7777/?ch=&ea=
79.131.26 .192:7777/?ch=&ea=
190.224.189 .24:7777/?ch=&ea=
119.234.7 .230:7777/?ch=&ea=199.203.37 .250:7777/?ch=&ea=
89.142.181 .226:7777/?ch=&ea=
84.110.120 .82:7777/?ch=&ea=
119.234.7 .230:7777/?ch=&ea=
84.110.253 .163:7777/?ch=&ea=
82.81.163 .40:7777/?ch=&ea=
79.179.249 .218:7777/?ch=&ea=
190.224.189 .24:7777/?ch=&ea=
79.179.249 .218:7777/?ch=&ea=
87.239.160 .132:7777/?ch=&ea=
79.113.8 .107:7777/?ch=&ea=
81.18.54 .6:7777/?ch=&ea=
118.169 .173.101:7777/?ch=&ea=
85.216.158 .209:7777/?ch=&ea=
219.92.170 .4:7777/?ch=&ea=
79.130.252 .204:7777/?ch=&ea=
93.136.53 .239:7777/?ch=&ea=
62.0.134 .79:7777/?ch=&ea=
79.138.184 .253:7777/?ch=&ea=
173.16.68 .18:7777/?ch=&ea=
190.155.56 .212:7777/?ch=&ea=
190.20.68 .136:7777/?ch=&ea=
119.235.96 .173:7777/?ch=&ea=
77.127.81 .103:7777/?ch=&ea=
190.132.155 .122:7777/?ch=&ea=
89.138.177 .91:7777/?ch=&ea=
79.178.111 .25:7777/?ch=&ea=
84.109.1 .15:7777/?ch=&ea=
89.0.157. 1:7777/?ch=&ea=
122.53.176 .43:7777/?ch=&ea=
200.77.63 .190:7777/?ch=&ea=
67.225.102 .105:7777/?ch=&ea=
119.94.171 .114:7777/?ch=&ea=
125.212.94 .80:7777/?ch=&ea=
Detection rate for the binary, identical across all infected hosts participating :
flash_update.exe (Win32/Koobface!generic; Win32.Worm.Koobface.W)
Detection rate : 28/38 (73.69%)
File size: 27136 bytes
MD5...: 3071f71fc14ba590ca73801e19e8f66d
SHA1..: 2f80a5b2575c788de1d94ed1e8005003f1ca004d
Koobface's social networks spreading model isn't going away, but it's domains definitely are.
Related posts:
Dissecting the Latest Koobface Facebook Campaign
Fake YouTube Site Serving Flash Exploits
Facebook Malware Campaigns Rotating Tactics
Phishing Campaign Spreading Across Facebook
Large Scale MySpace Phishing Attack
Update on the MySpace Phishing Campaign
MySpace Phishers Now Targeting Facebook
MySpace Hosting MySpace Phishing Profiles
Independent Security Consultancy, Threat Intelligence Analysis (OSINT/Cyber Counter Intelligence) and Competitive Intelligence research on demand. Insightful, unbiased, and client-tailored assessments, neatly communicated in the form of interactive reports - because anticipating the emerging threatscape is what shapes the big picture at the end of the day. Approach me at dancho.danchev@hush.com
Subscribe to:
Comments (Atom)