The following is a brief summary of all of my posts at Webroot's Threat Blog for March, 2012. You can subscribe to my Webroot's Threat Blog RSS Feed or follow me on Twitter:
01. New service converts malware-infected hosts into anonymization proxies
02. Spamvertised ‘Temporary Limit Access To Your Account’ emails lead to Citi phishing emails
03. A peek inside the Darkness (Optima) DDoS Bot
04. Research: proper screening could have prevented 67% of abusive domain registrations
05. Spamvertised ‘Your accountant license can be revoked’ emails lead to client-side exploits and malware
06. Spamvertised ‘Google Pharmacy’ themed emails lead to pharmaceutical scams
07. Research: U.S. accounts for 72% of fraudulent pharmaceutical orders
08. Millions of harvested U.S. government and U.S. military email addresses offered for sale
09. Spamvertised ‘Your tax return appeal is declined’ emails serving client-side exploits and malware
10. Malicious USPS-themed emails circulating in the wild
11. Spamvertised LinkedIn notifications serving client-side exploits and malware
12. Tens of thousands of web sites affected in ongoing mass SQL injection attack
13. Spamvertised Verizon-themed ‘Your Bill Is Now Available’ emails lead to ZeuS crimeware
14. Spamvertised ‘Scan from a Hewlett-Packard ScanJet’ emails lead to client-side exploits and malware
This post has been reproduced from Dancho Danchev's blog. Follow him on Twitter.
In the overwhelming sea of information, access to timely, insightful and independent open-source intelligence (OSINT) analyses is crucial for maintaining the necessary situational awareness to stay on the top of emerging security threats. This blog covers trends and fads, tactics and strategies, intersecting with third-party research, speculations and real-time CYBERINT assessments, all packed with sarcastic attitude
Monday, April 09, 2012
Summarizing Webroot's Threat Blog Posts for March
Independent Security Consultancy, Threat Intelligence Analysis (OSINT/Cyber Counter Intelligence) and Competitive Intelligence research on demand. Insightful, unbiased, and client-tailored assessments, neatly communicated in the form of interactive reports - because anticipating the emerging threatscape is what shapes the big picture at the end of the day. Approach me at dancho.danchev@hush.com
Summarizing ZDNet's Zero Day Posts for March
The following is a brief summary of all of my posts at ZDNet's Zero Day for March, 2012. You can subscribe to my personal RSS feed, Zero Day's main feed, or follow me on Twitter:
01. New Mac OS X malware variant spotted in the wild
02. Researchers intercept targeted malware attack against Tibetan organizations
03. Skype vouchers themed site serving client-side exploits and malware
04. Stratfor subscribers targeted by passwords-stealing malicious emails
05. Spoofed LinkedIn emails serving client-side exploits
06. Fake YouTube sites target Syrian activists with malware
07. New Mac OS X malware variant spotted in the wild
08. Spamvertised 'DHL Tracking Notification' emails serve malware
09. Compromised WordPress sites serving client-side exploits and malware
10. 'Pixmania.com payment order detail' themed emails serving SpyEye crimeware
11. Fake 'Roar of the Pharaoh' Android game spreads premium-rate SMS trojan
12. Research: Many mobile password managers offer false feeling of security
13. Targeted Pro-Tibetan malware attacks hit Mac OS X users
14. Opera for Mac OS X patches 6 security holes
15. Cybercriminals use Twitter, LinkedIn, Baidu, MSDN as command and control infrastructure
16. Facebook phishing attack targets Syrian activists
Wednesday, March 07, 2012
Summarizing Webroot's Threat Blog Posts for February
The following is a brief summary of all of my posts at Webroot's Threat Blog for February, 2012. You can subscribe to my Webroot's Threat Blog RSS Feed or follow me on Twitter:
01. Research: Google’s reCAPTCHA under fire
02. Spamvertised ‘You have 1 lost message on Facebook’ campaign leads to pharmaceutical scams
03. A peek inside the Smoke Malware Loader
04. Researchers spot Citadel, a ZeuS crimeware variant
05. Researchers intercept two client-side exploits serving malware campaigns
06. Pharmaceutical scammers launch their own Web contest
07. The United Nations hacked, Team Poison claims responsibility
08. Report: Internet Explorer 9 leads in socially-engineered malware protection
09. Twitter adds HTTPS support by default
10. Spamvertised “Hallmark ecard” campaign leads to malware
11. Report: 3,325% increase in malware targeting the Android OS
12. Why relying on antivirus signatures is simply not enough anymore
13. Researchers intercept malvertising campaign using Yahoo’s ad network
14. A peek inside the Ann Malware Loader
15. Spamvertised ‘Termination of your CPA license’ campaign serving client-side exploits
16. How cybercriminals monetize malware-infected hosts
17. A peek inside the Elite Malware Loader
18. BlackHole exploit kit gets updated with new features
Summarizing ZDNet's Zero Day Posts for February
The following is a brief summary of all of my posts at ZDNet's Zero Day for February, 2012. You can subscribe to my personal RSS feed, Zero Day's main feed, or follow me on Twitter:
01. Spamvertised 'Tax information needed urgently' emails lead to malware
02. Researchers spot a fake version of Temple Run on Android's Market
03. Which are the most commonly observed Web exploits in the wild?
04. Cryptome.org hacked, serving client-side exploits
05. Report: third party programs rather than Microsoft programs responsible for most vulnerabilities
06. Anonymous launches 'Operation Global Blackout', aims to DDoS the Root Internet servers
07. Report: malware pushed by affiliate networks remains the primary growth factor of the cybercrime ecosystem
08. Cutwail botnet resurrects, launches massive malware campaigns using HTML attachments
09. New Mac OS X trojan spotted in the wild
10. Spamvertised 'Scan from a HP OfficeJet' emails lead to exploits and malware
11. XSS Flaw discovered in Skype's Shop, user accounts targeted
Thursday, February 02, 2012
Summarizing Webroot's Threat Blog Posts for January
The following is a brief summary of all of my posts at Webroot's Threat Blog for January, 2012. You can subscribe to my Webroot's Threat Blog RSS Feed or follow me on Twitter:
01. Millions of harvested emails offered for sale
02. Email hacking for hire going mainstream
03. Mass SQL injection attack affects over 200,000 URLs
04. A peek inside the PickPocket Botnet
05. A peek inside the Cythosia v2 DDoS Bot
06. Google announces new anti-malware features in Chrome
07. Adobe issues a patch for critical security holes in Reader and Acrobat
08. Inside a clickjacking/likejacking scam distribution platform for Facebook
09. Zappos.com hacked, 24 million users affected
10. Inside AnonJDB – a Java based malware distribution platform for drive-by downloads
11. How malware authors evade antivirus detection
12. A peek inside the Umbra malware loader
13. How phishers launch phishing attacks
14. Researchers intercept a client-side exploits serving malware campaign
15. A peek inside the uBot malware bot
16. Cisco releases ‘Cisco Global Threat Report’ for 4Q11
17. Cybercriminals generate malicious Java applets using DIY tools
Wednesday, February 01, 2012
Summarizing ZDNet's Zero Day Posts for January
The following is a brief summary of all of my posts at ZDNet's Zero Day for January, 2012. You can subscribe to my personal RSS feed, Zero Day's main feed, or follow me on Twitter:
01. 'Most beautiful' scams proliferate on Facebook
02. Android users hit by scareware scam
03. 'Remove Facebook Timeline' themed scam circulating on Facebook
04. Fake Kim Jong-il video distributing malware
05. Researchers spot pharmaceutical spam campaign using QR Codes
06. Report: Conficker and AutoRun infections proliferating
07. Researchers spot scammers using fake browser plug-ins
08. New variants of premium rate SMS trojan 'RuFraud' detected in the wild
09. Research: Spammers actively harvesting emails from Twitter in real-time
10. DreamHost hacked, mass password-reset issued
Monday, January 09, 2012
Who's Behind the Koobface Botnet? - An OSINT Analysis
It's full disclosure time.
In this post, I will perform an OSINT analysis, exposing one of the key botnet masters behind the infamous Koobface botnet, that I have been extensively profiling and infiltrating since day one. I will include photos of the botnet master, his telephone numbers, multiple email addresses, license plate for a BMW, and directly connect him with the infrastructure -- now offline or migrated to a different place -- of Koobface 1.0.
The analysis is based on a single mistake that the botnet master made - namely using his personal email for registering a domain parked within Koobface's command and control infrastructure, that at a particular moment in time was directly redirecting to the ubiquitous fake Youtube page pushed by the Koobface botnet.
Let's start from the basics. Here's an excerpt from a previous research conducted on the Koobface botnet:
However, what the Koobface gang did was to register a new domain and use it as Koobface C&C again parked at the same IP, which remains active - zaebalinax.com Email: krotreal@gmail.com - 78.110.175.15 - in particular zaebalinax.com/the/?pid=14010 which is redirecting to the Koobface botnet. Two more domains were also registered and parked there, u15jul .com and umidsummer .com - Email: 2009polevandrey@mail.ru which remain in stand by mode at least for the time being.
The Koobface botnet master's biggest mistake was using the Koobface infrastructure to host a domain that had been registered with his personal email address. In this case, that is zaebalinax.com and krotreal@gmail.com. zaebalinax.com is literally translated as "Gave up on Linux". UPDATED: Multiple readers have contacted me to point out that zaebalinax is actually translated as "f*ck you all" or "you all are p*ssing me off".
The same email krotreal@gmail.com was used to advertise the sale of Egyptian Sphynx kittens on 05.09.2007:
The following telephone belonging to Anton was provided - +79219910190. The interesting part is that the same telephone was also used in another advertisement, this time for the sale of a BMW:
Photos of the BMW, offered for sale, by the same Anton that was using the Koobface infrastructure to host zaebalinax.com Email: krotreal@gmail.com:
License plate for Anton's newest BMW:
Upon further analysis, it becomes evident that his real name is Anton Nikolaevich Korotchenko (Антон Николаевич Коротченко). Here are more details of his online activities:
Real name: Anton Nikolaevich Korotchenko (Антон Николаевич Коротченко)
City of origin: St. Petersburg
Primary address: Omskaya st. 26-61; St. Petersburg; Leningradskaya oblast,197343
Associated phone numbers obtained through OSINT analysis, not whois records:
+79219910190
+380505450601
050-545-06-01
ICQ - 444374
Emails: krotreal@yahoo.com
krotreal@gmail.com
krotreal@mail.ru
krotreal@livejournal.com
newfider@rambler.ru
WM identification (WEB MONEY) : 425099205053
Twitter account: @KrotReal; @Real_Koobface
Flickr account: KrotReal
Vkontakte.ru Account: KrotReal; tonystarx
Foursquare Account: KrotReal
Photos of Koobface botnet's master Anton Nikolaevich Korotchenko (Антон Николаевич Коротченко):
Also, a chat log from 2003 identifies KrotReal while he was using the following IP/hostname: krotreal@ip-534.dialup.cl.spb.ru
How do you trigger a change that would ultimately affect the entire cybercrime ecosystem? By personalizing cybercrime.
Go through previous research conducted on the Koobface botnet:
Koobface Redirectors and Scareware Campaigns Now Hosted in Moldova
The Koobface Gang Wishes the Industry "Happy Holidays"
Koobface Gang Responds to the "10 Things You Didn't Know About the Koobface Gang Post"
10 things you didn't know about the Koobface gang
How the Koobface Gang Monetizes Mac OS X Traffic
Koobface Botnet's Scareware Business Model - Part Two
Koobface Botnet's Scareware Business Model
From the Koobface Gang with Scareware Serving Compromised Site
Koobface Botnet Starts Serving Client-Side Exploits
Koobface-Friendly Riccom LTD - AS29550 - (Finally) Taken Offline
Dissecting Koobface Gang's Latest Facebook Spreading Campaign
Koobface - Come Out, Come Out, Wherever You Are
Dissecting Koobface Worm's Twitter Campaign
Koobface Botnet Redirects Facebook's IP Space to my Blog
Koobface Botnet Dissected in a TrendMicro Report
Massive Scareware Serving Blackhat SEO, the Koobface Gang Style
Movement on the Koobface Front - Part Two
Movement on the Koobface Front
Dissecting the Koobface Worm's December Campaign
The Koobface Gang Mixing Social Engineering Vectors
Dissecting the Latest Koobface Facebook Campaign