Upcoming Personal Memoir - Official Announcement!

July 08, 2022

Dear blog readers,

Big news. I've recently decided to convert my personal blog into a pre-order landing page for my upcoming 756-page personal memoir covering the world of hacking and security from the 90's up to the present day, including an elaboration on my security blogging, cybercrime research and threat intelligence gathering, OSINT, and independent contractor analysis expertise and experience. The goal is to launch the memoir and make it publicly accessible in December, 2021, both in print and in multiple E-book formats, to the general public or basically anyone who drops me a line at dancho.danchev@hush.com about a possible pre-order. The print version is priced at $35 and the E-book version at $20.

What can you do in order to obtain access to my upcoming memoir? Drop me a line at dancho.danchev@hush.com about a possible pre-order, including to join my pre-order newsletter, where I will send you a direct message once the memoir is ready to be released; the official release date is scheduled for December, 2021.

Some sample content includes:

  • The Real Story Behind the Scene Circa the 90's - I will do my best to elaborate more on my teenage hacker experience and contributions and actual involvement in the Scene during the infamous hacker spree circa the 90's
  • An In-Depth Personal Account of a Teenage Hacker Experience - 
  • The True Story Behind the Rise of Trojan Horse -  
  • Astalavista.com - The Underground Repositioned - 
  • What It's Like to Run the Security Industry's Most Popular Publication - 
  • My Involvement in the Top Secret GCHQ Program Known as "Lovely Horse" - 
  • The Koobface Botnet Exposed - 

Stay tuned!

    Call for Interest - Establishing the Foundations for a Part-Time Project-Based Cybercrime Project Task Force

    July 08, 2022
    Dear blog readers,

    I wanted to let everyone know that I'm currently busy working on a temporary part-time project-based task force and I might need your input regarding possible Task Force participation in the following categories:
    • Social Network Analysis
    • Technical Collection
    • OSINT Enrichment
    • Sentiment Analysis
    • Statistical Output Based Demographics Research
    • OSINT Visualization
    The project is vetted and invite-only, therefore it would be great if you approach me with a brief message at dancho.danchev@hush.com signifying your willingness and capability to participate in the project, with a brief introduction of your background and how you think you might be able to help.

    Looking forward to working with you.

    Stay tuned!

    Dancho Danchev's Blog - Soliciting Contributing Writers and Guest Bloggers

    July 08, 2022
    Dear blog readers,

    As many of you have noticed, I've recently expanded my blog to feature a diverse personal research portfolio, including additional coverage in a variety of areas, and I wanted to let everyone know that I'm currently busy working on an additional set of research articles and new products that I'll publish soon.

    I wanted to let everyone know that I'm currently issuing an Open Call for Contributing Writers and Guest Bloggers on one of the industry's leading Security publications - Dancho Danchev's Blog - Mind Streams of Information Security Knowledge - on my way to harnessing the best security and cybercrime researchers, including threat intelligence analysts, from across the Security Industry who might be interested in a diverse and high-profile audience for publishing their opinions, thoughts, and never-before-published security, cybercrime and threat intelligence research.

    Who can participate? Basically everyone who can write security articles and security blog posts on various topics, including malicious software, botnets, OSINT methodologies and general cybercrime research, including Threat Intelligence analysis.

    Looking forward to receiving your response - disruptive.individuals@gmail.com

    Stay tuned, and I look forward to continuing to work with you!

    Historical OSINT - The Koobface Gang Mixing Social Engineering Vectors

    July 08, 2022
    It's the Facebook message that came from one of your infected friends, pointing you to a purposely created bogus Bloglines blog serving a fake YouTube video window, that I have in mind. The Koobface gang has been mixing social engineering vectors by taking the potential victim on a walk through legitimate services in order to infect them without using any client-side vulnerabilities.

    For instance, this bogus Bloglines account (bloglines .com/blog/Youtubeforbiddenvideo) has already attracted over 150 unique visitors as part of Koobface's Hi5 spreading campaign (catshof .com/go/hi5.php). The domain is parked at the very same IP as the rest of the central redirection domains in all of Koobface's campaigns - 58.241.255.37.

    Interestingly, since underground multitasking is becoming a rather common practice, the bogus blog has also been advertised within a blackhat SEO farm using the following blogs, which currently link to several hundred bogus Google Groups accounts:

    bloglines .com/blog/gillehuxeda
    bloglines .com/blog/chaneyok
    bloglines .com/blog/ramosimeco
    bloglines .com/blog/antwanuvfa
    bloglines .com/blog/tamaraaqo
    bloglines .com/blog/josephyhti
    bloglines .com/blog/whiteqivaju
    bloglines .com/blog/hayleyem
    bloglines .com/blog/tateigyamor
    bloglines .com/blog/burnsseuhaqe
    bloglines .com/blog/jennaup


    bloglines .com/blog/jermainedus
    bloglines .com/blog/floydwopew55
    bloglines .com/blog/arielehy
    bloglines .com/blog/onealqypsu
    bloglines .com/blog/mackirma
    bloglines .com/blog/breonnazox
    bloglines .com/blog/sabrinaxycit
    bloglines .com/blog/gloverqy
    bloglines .com/blog/lisaurja
    bloglines .com/blog/greenefayg18
    bloglines .com/blog/craigxiw36
    bloglines .com/blog/parsonsdos
    bloglines .com/blog/martinsutuz
    bloglines .com/blog/deandreefe
    bloglines .com/blog/briannetu
    bloglines .com/blog/kierailpe
    bloglines .com/blog/fordyfo27
    bloglines .com/blog/litzyracnuj
    bloglines .com/blog/darwinupi57
    bloglines .com/blog/bonillavaok
    bloglines .com/blog/jennyuxe85
    bloglines .com/blog/wilkersonin
    bloglines .com/blog/nicolasqydby
    bloglines .com/blog/darbyeve
    bloglines .com/blog/izaiahro83
    bloglines .com/blog/parsonsdos
    bloglines .com/blog/fullerjeb81


    Abusing legitimate services may indeed get more attention in the upcoming year, following the gang's interest in the practice during the last quarter.

    Real-Time OSINT vs Historical OSINT in Russia/Georgia Cyberattacks

    July 08, 2022
    The original real-time OSINT analysis of the Russian cyberattacks against Georgia, conducted on the 11th of August, not only closed the Russia vs Georgia cyberwar case for me personally, but also once again proved that real-time OSINT is invaluable compared to historical OSINT using a commercial social network visualization/data mining tool, which cannot and will never be able to access the Dark Web, accessible only through real-time CYBERINT practices.

    The value of real-time OSINT in such people's information warfare cyberattacks -- with Chinese hacktivists perfectly aware of the meaning of the phrase -- relies on the relatively lower operational security (OPSEC) the initiators of a particular campaign apply at the beginning, so that it scales faster and attracts more participants. What the Russian government was doing was fueling the (cyber) fire - literally, since all it takes for a collectivist society's cyber militia to organize is a "call for action", which was taking place at the majority of forums, with the posters of these messages apparently using a spamming application to achieve better efficiency.

    The results from 56 days of Project Grey Goose in action, a project I discussed back in August, were published last week, and they point to the bottom of the food chain in the entire campaign - stopgeorgia.ru:

    "Furthermore, coming up with Social Network analysis of the cyberattacks would produce nothing more but a few fancy graphs of over enthusiastic Russian netizens distributing the static list of the targets. The real conversations, as always, are happening in the "Dark Web" limiting the possibilities for open source intelligence using a data mining software. Things changed, OPSEC is slowly emerging as a concept among malicious parties, whenever some of the "calls for action" in the DDoS attacks were posted at mainstream forums, they were immediately removed so that they don't show up in such academic initiatives"

    So what's the bottom line? Nothing that I haven't already pointed out back in August - "Report: Russian Hacker Forums Fueled Georgia Cyber Attacks":

    "But experts say evidence suggests that Russian officials did little to discourage the online assault, which was coordinated through a Russian online forum that appeared to have been prepped with target lists and details about Georgian Web site vulnerabilities well before the two countries engaged in a brief but deadly ground, sea and air war."

    Some more comments:

    "Just because there was no smoking gun doesn't mean there's no connection," said Jeff Carr, the principal investigator of Project Grey Goose, a group of around 15 computer security, technology and intelligence experts that investigated the August attacks against Georgia. "I can't imagine that this came together sporadically," he said. "I don't think that a disorganized group can coalesce in 24 hours with its own processes in place. That just doesn't make sense."

    It wouldn't make sense if this were the first time Russian hacktivists maintained the same rhythm as real-life events - which of course it isn't.

    Moreover, exactly what would have constituted a "smoking gun" proving that the Russian government was involved in the campaign remains unknown -- I'm still sticking to my comment regarding the web site defacement creative. If they had truly wanted to compromise themselves, they would have cut Georgia off the Internet, at least from the perspective offered by this graph courtesy of the Packet Clearing House, showing Georgia's dependence on Russian ISPs.

    As for the script kiddies at stopgeorgia.ru, they were informed enough to feature my research in their "negative public comments section". To sum up - the "DoS battle stations operational" in the name of the "Please, input your cause" mentality is always going to be there.

    The DDoS Attack Against Bobbear.co.uk

    July 08, 2022
    When you get the "privilege" of getting DDoS-ed by a high-profile DDoS-for-hire service used primarily by cybercriminals attacking other cybercriminals, you're officially doing a hell of a good job exposing money laundering scams.

    The attached screenshot demonstrates how even the relatively more sophisticated counter-surveillance approaches taken by a high-profile DDoS-for-hire service can be, and in fact were, bypassed, ending up in a real-time peek at how they've dedicated 4 out of their 10 BlackEnergy botnets to Bobbear exclusively.

    Perhaps for the first time ever, I've come across a related DoS service offered by the very same vendor - insider sabotage on demand, given that they have their own people in the particular company/ISP in question. It makes you think twice before dismissing as a minor network glitch what could easily turn into a coordinated insider attack requested by a third party. Moreover, now that I've also established the connection between this DDoS-for-hire service and one of the command and control locations (all active and online) of one of the botnets used in the Russia vs Georgia cyberattack, the concept of engineering cyber warfare tensions once again proves to be a fully realistic one.

    Related posts:
    A U.S military botnet in the works
    DDoS Attack Graphs from Russia vs Georgia's Cyberattacks
    Botnet on Demand Service
    OSINT Through Botnets
    Corporate Espionage Through Botnets
    The DDoS Attack Against CNN.com
    A New DDoS Malware Kit in the Wild
    Electronic Jihad v3.0 - What Cyber Jihad Isn't

    Who's Behind the GPcode Ransomware?

    July 08, 2022
    So, the ultimate question - who's behind the GPcode ransomware? Russian teens with pimples, using E-gold and Liberty Reserve accounts, running three different GPcode campaigns, two of which request either $100 or $200 for the decryptor, and communicating from Chinese IPs. Here are all the details regarding the emails they use, the email responses they sent back, the currency accounts, as well as their most recent IPs used in the communication:

    Emails used by the GPcode authors, which the infected victims are supposed to contact:
    content715@yahoo.com
    saveinfo89@yahoo.com
    cipher4000@yahoo.com
    decrypt482@yahoo.com

    Virtual currency accounts used by the malware authors:
    Liberty Reserve - account U6890784
    E-Gold - account - 5431725
    E-Gold - account - 5437838

    Sample response email:
    "Next, you should send $100 to Liberty Reserve account U6890784 or E-Gold account 5431725 (www.e-gold.com) To buy E-currency you may use exchange service, see or any other. In the transfer description specify your e-mail. After receive your payment, we send decryptor to your e-mail. For check our guarantee you may send us one any encrypted file (with cipher key, specified in any !_READ_ME_!.txt file, being in the directorys with the encrypted files). We decrypt it and send to you originally decrypted file. Best Regards, Daniel Robertson"

    Second sample response email, this time requesting $200:
    "The price of decryptor is 200 USD. For payment you may use one of following variants: 1. Payment to E-Gold account 5437838 (www.e-gold.com). 2. Payment to Liberty Reserve account U6890784 (www.libertyreserve.com). 3. If you do not make one of this variants, contact us for decision it. For check our guarantee you may send us ONE any encrypted file. We decrypt it and send to you originally decrypted file. For any questions contact us via e-mail. Best regards. Paul Dyke"

    So, you've got two people responding with copy-and-paste emails, each of them seeking a different amount of money? Weird. The John Doe-ish Daniel Robertson is emailing from 58.38.8.211 (Liaoning Province Network China Network Communications Group Corporation No.156,Fu-Xing-Men-Nei Street, Beijing 100031), and Paul Dyke from 221.201.2.227 (Liaoning Province Network China Network Communications Group Corporation No.156,Fu-Xing-Men-Nei Street, Beijing 100031), both Chinese IPs, despite the campaigners being Russians.

    Here are some comments I made regarding cryptoviral extortion two years ago - Future Trends of Malware (on page 11 and page 21), worth going through.

    Who's Behind the Georgia Cyber Attacks?

    July 08, 2022
    Of course the Klingons did it - or were you naive enough to even think for a second that Russians were behind it in the first place? Of the things I hate most, lowering the quality of the discussion is what I hate the most. Even if you exclude all the factual evidence (Coordinated Russia vs Georgia cyber attack in progress), common sense must prevail.

    Sometimes, the degree of incompetence can in fact be pretty entertaining, and it greatly explains why certain countries are lagging years behind others in their inability to understand the rules of information warfare, or the basic premise of unrestricted warfare: that there are no rules on how to achieve your objectives.

    So who's behind the Georgia cyber attacks, encompassing plain simple ping floods, web site defacements, and sustained DDoS attacks, which remain ongoing despite the fact that Georgia has switched hosting location to the U.S? It's Russia's self-mobilizing cyber militia, the product of a collectivist society having the capacity to wage cyber wars and literally dictating the rhythm in this space. What is a militia anyway:

    "civilians trained as soldiers but not part of the regular army; the entire body of physically fit civilians eligible by law for military service; a military force composed of ordinary citizens to provide defense, emergency law enforcement, or paramilitary service, in times of emergency; without being paid a regular salary or committed to a fixed term of service; an army of trained civilians, which may be an official reserve army, called upon in time of need; the national police force of a country; the entire able-bodied population of a state; or a private force, not under government control; An army or paramilitary group comprised of citizens to serve in times of emergency"

    Next to the "blame the Russian Business Network for the lack of large-scale implementation of DNSSEC" mentality, certain news articles also try to wrongly imply that there's no Russian connection in these attacks and that the attacks are not "state-sponsored", making it look as if a considerable amount of investment should have gone into these attacks, and as if the Russian government has the final word on whether or not its DDoS-capable citizens should launch any attacks. In reality, the only thing the Russian government was asking itself during these attacks was "why didn't they start the attacks earlier?!".

    Thankfully, there are some visionary folks out there who understand the situation. Last year, I asked the following question - What is the most realistic scenario for what exactly happened in the recent DDoS attacks aimed at Estonia, from your point of view? - and some of the possible answers still fully apply in this situation:

    - It was a Russian government-sponsored hacktivism, or shall we say a government-tolerated one

    - Too much media hype over a sustained ICMP flood, given the publicly obtained statistics of the network traffic

    - Certain individuals of the collectivist Russian society, botnet masters for instance, were automatically recruited based on nationalist sentiments so that they basically forwarded some of their bandwidth to key web servers

    - In order to generate more noise, DIY DoS tools were distributed to the masses so that no one would ever know who's really behind the attacks

    - Don't know who did it, but I can assure you my kid was playing !synflood at that time

    - Offended by the not so well coordinated removal of the Soviet statue, Russian oligarchs felt the need to send back a signal but naturally lacking any DDoS capabilities, basically outsourced the DDoS attacks

    - A foreign intelligence agency twisting the reality and engineering cyber warfare tensions did it, while taking advantage of the momentum and the overall public perception that no one else but the affected Russia could be behind the attacks

    - I hate scenario building, reminds me of my academic years, however, yours are pretty good which doesn't necessarily mean I actually care who did it, and pssst - it's not cyberwar, as in cyberwar you have two parties with virtual engagement points, in this case it was bandwidth domination by whoever did it over the other. A virtual shock and awe

    - I stopped following the news story by the time every reporter dubbed it the first cyber war, and started following it again when the word hacktivism started gaining popularity. So, hacktivists did it to virtually state their political preferences

    Departmental cyber warfare would never reach the flexibility of people's information warfare, where everyone is a cyber warrior given that he's empowered with access to the right tools at a particular moment in time.

    Related posts:
    People's Information Warfare Concept
    Combating Unrestricted Warfare
    The Cyber Storm II Cyber Exercise
    Chinese Hacktivists Waging People's Information Warfare Against CNN
    The DDoS Attacks Against CNN.com
    China's Cyber Espionage Ambitions
    North Korea's Cyber Warfare Unit 121

    Dissecting the Koobface Worm's December Campaign

    July 08, 2022
    The Koobface Facebook worm -- go through an assessment of a previous campaign -- is once again making its rounds across social networking sites, Facebook in particular. Therefore, shall we spill a big cup of coffee over the malware campaigners' efforts yet another time? But of course.

    Only OPSEC-ignorant malware campaigners would leave so many traceable points, among them centralizing the campaign's redirection domains on a single IP. For instance, they took advantage of a free web counter whose publicly obtainable statistics -- the account has since been deleted -- allow us not only to measure the clickability of Koobface's campaign, but also to prove that they're actively multitasking by combining blackhat SEO with active spreading across several other social networking sites. Here are some of the key summary points for this campaign:

    Key summary points:
    - the hosting infrastructure for the bogus YouTube site and the actual binary is provided by several thousand dynamically changing malware-infected IPs
    - all of the malware-infected hosts are serving the bogus YouTube site through port 7777
    - the very same bogus domains acting as central redirection points from November's campaign remain active; however, they've switched hosting locations
    - if the visitor isn't coming from where she's supposed to be coming from, in this case the predefined list of referrers, a single line of "scan ref" is returned with no malicious content displayed
    - the campaign can be easily taken care of, at least in the short term, by shutting down the centralized redirection points


    What follows are the surprises, namely that, despite the fact that Koobface is pitched as a Facebook worm, according to their statistics -- go through a previously misconfigured malware campaign's stats -- the majority of unique visitors from the December campaign appear to have been coming from Friendster. As for the exact number of visitors hitting their web counter, counting as of 7 November 2008, 12:58, with 91,109 unique visitors on 07 Nov, Fri and another 53,260 on 08 Nov, Sat before the counter was deleted, the cached version of their web counter provides a relatively good sample.

    On each of the bogus Geocities redirectors, the very same lostart .info/js/gs.js (58.241.255.37) used in the previous campaign attempts to redirect to find-allnot .com/go/fb.php (58.241.255.37) or to playtable .info/go/fb.php (58.241.255.37), with fb.php doing the referrer checking and the redirecting to the botnet hosts. Several other well known malware command and control locations are also parked at 58.241.255.37:

    jobusiness .org
    a221008 .com
    y171108 .com
    searchfindand .com
    ofsitesearch .com
    fashionlineshow .com
    anddance .info
    firstdance .biz

    prixisa .com
    danceanddisc .com
    finditand .com
    findsamthing .com
    freemarksearch .com
    find-allnot .com
    find-here-and-now .com
    findnameby .com
    anddance .info

    These domains, with several exceptions, are actively participating in the campaign, and the easiest way to differentiate whether it's a Facebook or a Bebo redirection remains the descriptive filenames. For instance, fb.php corresponds to Facebook redirections and be.php to Bebo redirections (ofsitesearch .com/go/be.php). However, the meat resides within the statistics from their campaign:

    Malware-serving URLs that are part of the Koobface worm's December campaign, based on the identical counter used across all the malicious domains:
    youtube-x-files .com
    youtube-go .com
    youtube-spy.5x .pl
    youtube-files.bo .pl
    youtube-media.none .pl
    youtube-files.xh .pl
    youtube-spy.dz .pl
    youtube-files.esite .pl
    youtube-spy.bo .pl
    youtube-spy.nd .pl
    youtube-spy.edj .pl
    spy-video.oq .pl
    shortclips.bubb .pl
    youtubego.cacko .pl

    asda345.blogspot .com
    uholyejedip556.blogspot .com
    ufyaegobeni7878.blogspot .com
    uiyneteku20176.blogspot .com
    ujoiculehe19984.blogspot .com
    uinekojapab29989.blogspot .com
    uhocuyhipam13345.blogspot .com

    Geocities redirectors participating:
    geocities .com/madelineeaton10/index.htm
    geocities .com/charlievelazquez10/index.htm
    geocities .com/raulsheppard18/index.htm

    Sample malware-infected hosts used by the redirectors:
    92.241.134 .41:7777/?ch=&ea=
    89.138.171 .49:7777/?ch=&ea=
    92.40.34 .217:7777/?ch=&ea=
    79.173.242 .224:7777/?ch=&ea=
    122.163.103 .91:7777/?ch=&ea=
    217.129.155 .36:7777/?ch=&ea=
    84.109.169 .124:7777/?ch=&ea=
    91.187.67 .216:7777/?ch=&ea=
    84.254.51 .227:7777/?ch=&ea=
    190.142.5 .32:7777/?ch=&ea=
    190.158.102 .246:7777/?ch=&ea=
    201.245.95 .86:7777/?ch=&ea=
    78.90.85 .7:7777/?ch=&ea=
    82.81.25 .144:7777/?ch=&ea=
    78.183.143 .188:7777/?ch=&ea=
    89.139.86 .88:7777/?ch=&ea=
    85.107.190 .105:7777/?ch=&ea=
    84.62.84 .132:7777/?ch=&ea=
    78.3.42 .99:7777/?ch=&ea=
    92.241.137 .158:7777/?ch=&ea=
    77.239.21 .34:7777/?ch=&ea=
    41.214.183 .130:7777/?ch=&ea=

    90.157.250 .133:7777/dt/?ch=&ea=
    89.143.27 .39:7777/?ch=&ea=
    91.148.112 .179:7777/?ch=&ea=
    94.73.0 .211:7777/?ch=&ea=
    124.105 .187.176:7777/?ch=&ea=
    77.70.108  .163:7777/?ch=&ea=
    190.198.162 .240:7777/?ch=&ea=
    89.138.23 .121:7777/?ch=&ea=
    190.46.50 .103:7777/?ch=&ea=
    80.242.120 .135:7777/?ch=&ea=
    94.191.140 .143:7777/?ch=&ea=
    210.4.126 .100:7777/?ch=&ea=
    87.203.145 .61:7777/?ch=&ea=
    94.189.204 .22:7777/?ch=&ea=
    92.36.242 .47:7777/?ch=&ea=
    77.78.197 .176:7777/?ch=&ea=
    94.189.149 .231:7777/?ch=&ea=
    89.138.102 .243:7777/?ch=&ea=
    94.73.0 .211:7777/?ch=&ea=
    79.175.101 .28:7777/?ch=&ea=
    78.1.251 .26:7777/?ch=&ea=
    201.236.228 .38:7777/?ch=&ea=
    85.250.190 .55:7777/?ch=&ea=
    211.109.46 .32:7777/?ch=&ea=
    91.148.159 .174:7777/?ch=&ea=
    87.68.71 .34:7777/?ch=&ea=
    85.94.106 .240:7777/?ch=&ea=
    195.91.82 .18:7777/?ch=&ea=
    85.101.167 .197:7777/?ch=&ea=
    193.198.167 .249:7777/?ch=&ea=
    94.69.130 .191:7777/?ch=&ea=
    79.131.26 .192:7777/?ch=&ea=
    190.224.189 .24:7777/?ch=&ea=

    119.234.7 .230:7777/?ch=&ea=
    199.203.37 .250:7777/?ch=&ea=
    89.142.181 .226:7777/?ch=&ea=
    84.110.120 .82:7777/?ch=&ea=
    119.234.7 .230:7777/?ch=&ea=
    84.110.253 .163:7777/?ch=&ea=
    82.81.163 .40:7777/?ch=&ea=
    79.179.249 .218:7777/?ch=&ea=
    190.224.189 .24:7777/?ch=&ea=
    79.179.249 .218:7777/?ch=&ea=
    87.239.160 .132:7777/?ch=&ea=
    79.113.8 .107:7777/?ch=&ea=
    81.18.54 .6:7777/?ch=&ea=
    118.169 .173.101:7777/?ch=&ea=
    85.216.158 .209:7777/?ch=&ea=
    219.92.170 .4:7777/?ch=&ea=
    79.130.252 .204:7777/?ch=&ea=
    93.136.53 .239:7777/?ch=&ea=
    62.0.134 .79:7777/?ch=&ea=
    79.138.184 .253:7777/?ch=&ea=
    173.16.68 .18:7777/?ch=&ea=
    190.155.56 .212:7777/?ch=&ea=
    190.20.68 .136:7777/?ch=&ea=
    119.235.96 .173:7777/?ch=&ea=
    77.127.81 .103:7777/?ch=&ea=
    190.132.155 .122:7777/?ch=&ea=
    89.138.177 .91:7777/?ch=&ea=

    79.178.111 .25:7777/?ch=&ea=
    84.109.1 .15:7777/?ch=&ea=
    89.0.157. 1:7777/?ch=&ea=
    122.53.176 .43:7777/?ch=&ea=
    200.77.63 .190:7777/?ch=&ea=
    67.225.102 .105:7777/?ch=&ea=
    119.94.171 .114:7777/?ch=&ea=
    125.212.94 .80:7777/?ch=&ea=

    Detection rate for the binary, identical across all infected hosts participating:
    flash_update.exe (Win32/Koobface!generic; Win32.Worm.Koobface.W)
    Detection rate: 28/38 (73.69%)
    File size: 27136 bytes
    MD5...: 3071f71fc14ba590ca73801e19e8f66d
    SHA1..: 2f80a5b2575c788de1d94ed1e8005003f1ca004d
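As an added example (not code from the original post or from its author), the following Python script parses indicators written in this post's defanged notation (a space before the dot, an optional resolved IP in parentheses, and the hxxp:// form used in the Apophis post further down the page) and runs them over a handful of constructed proxy log lines. The log line format, the client addresses and the bot host 203.0.113.9 are assumptions for illustration. Beyond the exact hosts, it also flags the structural pattern from the key summary points above: a request to port 7777 carrying the ?ch=&ea= query, which survives the churn of the infected hosts.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Set
from urllib.parse import urlsplit

# Constructed sample: a few of the post's indicators, copied in the post's own
# defanged notation (a space before a dot, 'hxxp://' scheme, resolved IP in parens).
SAMPLE_INDICATORS = """
lostart .info/js/gs.js (58.241.255.37)
find-allnot .com/go/fb.php (58.241.255.37)
ofsitesearch .com/go/be.php
92.241.134 .41:7777/?ch=&ea=
89.0.157. 1:7777/?ch=&ea=
124.105 .187.176:7777/?ch=&ea=
90.157.250 .133:7777/dt/?ch=&ea=
hxxp://mystabcounter.info
hxxp://555traff.biz
"""

# Constructed proxy log lines in an assumed format: ts client method url referer=... status.
# Client 10.0.0.5 walks the redirect chain described in the post; 203.0.113.9 is a
# made-up bot host that is NOT on the indicator list, to show why the request shape matters.
SAMPLE_LOGS = """\
2008-12-05T12:58:01Z 10.0.0.5 GET http://www.facebook.com/home.php referer=- 200
2008-12-05T12:58:04Z 10.0.0.5 GET http://find-allnot.com/go/fb.php referer=http://www.facebook.com/ 302
2008-12-05T12:58:05Z 10.0.0.5 GET http://92.241.134.41:7777/?ch=&ea= referer=http://find-allnot.com/go/fb.php 200
2008-12-05T12:58:09Z 10.0.0.7 GET http://203.0.113.9:7777/?ch=&ea= referer=- 200
2008-12-05T12:58:20Z 10.0.0.7 GET http://58.241.255.37/go/fb.php referer=- 302
2008-12-05T12:59:30Z 10.0.0.8 GET http://mystabcounter.info/ referer=- 200
"""


@dataclass(frozen=True)
class Indicator:
    kind: str                   # 'ip' or 'domain'
    value: str                  # refanged host, lowercase
    port: Optional[int]         # explicit port, if the line carried one
    path: str                   # path and query, if the line carried them
    resolved_ip: Optional[str]  # the "(58.241.255.37)" annotation, if present


_IPV4 = re.compile(r'^\d{1,3}(?:\.\d{1,3}){3}$')
_ANNOT = re.compile(r'\s*\((\d{1,3}(?:\.\d{1,3}){3})\)\s*$')
_HOST_PORT_PATH = re.compile(r'^([A-Za-z0-9.-]+)(?::(\d{1,5}))?(/\S*)?$')
_LOG = re.compile(r'^(?P<ts>\S+) (?P<client>\S+) (?P<method>[A-Z]+) (?P<url>\S+) '
                  r'referer=(?P<referer>\S+) (?P<status>\d{3})$')


def refang(text: str) -> str:
    """Undo the post's defanging: 'hxxp://' -> 'http://' and 'a .b' / 'a. b' -> 'a.b'."""
    text = re.sub(r'^hxxp', 'http', text.strip(), flags=re.IGNORECASE)
    return re.sub(r'\s*\.\s*', '.', text)


def parse_indicator(line: str) -> Optional[Indicator]:
    """Turn one defanged line into an Indicator; None for blank or unparseable lines."""
    s = re.sub(r'^https?://', '', refang(line), flags=re.IGNORECASE)
    if not s:
        return None
    resolved = None
    m = _ANNOT.search(s)
    if m:                       # keep the resolved IP, it is an indicator in its own right
        resolved, s = m.group(1), s[:m.start()]
    m = _HOST_PORT_PATH.match(s)
    if not m:
        return None
    host = m.group(1).lower()
    return Indicator(kind='ip' if _IPV4.match(host) else 'domain', value=host,
                     port=int(m.group(2)) if m.group(2) else None,
                     path=m.group(3) or '', resolved_ip=resolved)


def parse_indicators(text: str) -> List[Indicator]:
    return [i for i in (parse_indicator(l) for l in text.splitlines()) if i]


def watch_hosts(indicators: List[Indicator]) -> Set[str]:
    """Every host worth alerting on: the indicator hosts plus any resolved IPs."""
    hosts = {i.value for i in indicators}
    hosts |= {i.resolved_ip for i in indicators if i.resolved_ip}
    return hosts


def classify(line: str, watched: Set[str]) -> Optional[dict]:
    """Return a hit record for one proxy log line, or None if nothing matched."""
    m = _LOG.match(line)
    if not m:
        return None
    u = urlsplit(m.group('url'))
    host = (u.hostname or '').lower()
    reasons = []
    if host in watched:
        reasons.append('known-indicator:' + host)
    # The infected hosts churn ("several thousand dynamically changing IPs"), but every
    # one of them serves on port 7777 with the same "?ch=&ea=" query, so the shape of the
    # request is a more durable detection than any single address from the list.
    if u.port == 7777 and u.query.startswith('ch='):
        reasons.append('koobface-host-pattern')
    if not reasons:
        return None
    return {'ts': m.group('ts'), 'client': m.group('client'), 'host': host, 'reasons': reasons}


def scan(log_text: str, indicator_text: str) -> List[dict]:
    """Parse the defanged indicator list and report every log line that matches."""
    watched = watch_hosts(parse_indicators(indicator_text))
    return [h for h in (classify(l, watched) for l in log_text.splitlines()) if h]


if __name__ == '__main__':
    for hit in scan(SAMPLE_LOGS, SAMPLE_INDICATORS):
        print(hit)
```

On the sample input the fourth log line is caught only by the port/query pattern, since 203.0.113.9 appears nowhere in the list, and the fifth is caught through the resolved IP 58.241.255.37 that the post attaches to its redirector domains; an exact-match blocklist built from the IP list alone would have missed the first of those.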

    Koobface's social network spreading model isn't going away, but its domains definitely are.

    Related posts:
    Dissecting the Latest Koobface Facebook Campaign
    Fake YouTube Site Serving Flash Exploits
    Facebook Malware Campaigns Rotating Tactics
    Phishing Campaign Spreading Across Facebook
    Large Scale MySpace Phishing Attack
    Update on the MySpace Phishing Campaign
    MySpace Phishers Now Targeting Facebook
    MySpace Hosting MySpace Phishing Profiles

    Time to Say Goodbye!

    July 06, 2022

    Ho, Ho, Ho.

    Merry Christmas or Christmas just came in earlier.

    This is an official letter to all of my 5.6M readers since December, 2005, including an official letter to the U.S Security Industry and to my current colleagues and friends from across the globe, including the dark corners of the Web - although there's no such thing as a dark corner of the web, just like there's no such thing as a free lunch - including the fact that an OSINT conducted today is a taxpayer's dollar saved somewhere.

    The big news is this is going to be the last post.

    I wanted to say a big thanks to everyone who's been following my work ever since I originally launched my personal blog back in December, 2005, and to my one and only employer in the world, Webroot Inc., for hiring me and bringing me on board, which basically resulted in a decent lifestyle for a period of several years, including the renovation of my place.

    What am I left with after my retirement? A modest $150 social pension to take care of my mobile and Internet bills, including some food, which is great advice for everyone involved in the field: know that it takes a bold man, including a one-man show operation, to take care of everything and then try to retire.

    My advice for everyone in the industry includes the following hot tips, right and straight from the source:

    - never fall victim to the "certificate crowd" myopia and the "more the merrier" mentality; be yourself, say everything and don't forget to do everything, and never take credit for what you're doing and what you've been doing, and always say cheers or hi to someone who says hi and cheers to your work and achievement

    - don't forget the U.S is secretly hiring security bloggers to jump in on the Information Warfare front, if there's any, which naturally there is, but only in case you know what you're up to in terms of getting yourself dazzled and embraced by any of the virtual domain dimensions that you choose for your Information and Cyber Warfare purposes and goal-achieving projects

    Best wishes to everyone who made it happen. And in a surreal universe, remember that "diamonds degrade in quality. Bulletproof hosting services courtesy of the RBN are forever." Grab a copy of the memoir from here, including from Cryptome.org, consider going through my research portfolio throughout the years here, and stay tuned for the Second Edition of my Cyber Intelligence memoir, which will be published in Bulgarian and made available exclusively to Bulgarian readers who might be interested in catching up on what I've been up to during the years.

    Don't forget, if you ever need me for anything, including a project that you want to work with me on, advice, or just to say "hi" and thanks for all the hard work, or anything in general, feel free to drop me a line at dancho.danchev@hush.com, which is my email address account that I check 24/7, and I'll make sure to send back a proper response.

    Yours sincerely, not necessarily exclusively, and don't forget that although you know my name you should not necessarily do your best to look up my "number".

    Historical OSINT - Profiling a Compilation of Known Apophis Exploit Kit C&C Public Domains - An OSINT Analysis

    July 01, 2022

    I've recently been digging into several archives looking for actionable threat intelligence based on my research circa 2010, with the idea of enriching it in 2022 and correlating it with several of my proprietary databases of threat intelligence and OSINT related materials for the purpose of fighting and responding to cybercrime. The result is an active domain portfolio of the Apophis exploit and phishing kit, which you can check out for OSINT threat intelligence enrichment.

    Sample Apophis C&C domains circa 2010 based on my research include:

    hxxp://mystabcounter.info

    hxxp://555traff.biz

    hxxp://555traff.org

    hxxp://555traff.net

    hxxp://911traff.com

    hxxp://911traff.org

    hxxp://555traff.ws

    hxxp://nod32-spl.net

    hxxp://kusik-tusik-trf.com

    hxxp://spamh0use.com

    hxxp://norton-av2007.com

    Sample domain registrant email address known to have been used in the campaign:

    slhdns@gmail.com

    Related malicious and fraudulent domains known to have been involved in the campaign include:

    hxxp://free-adult-movies.us

    hxxp://ellweb.biz

    hxxp://flightlesson.us

    hxxp://e-on.us

    hxxp://masteryourselfandothers.biz

    hxxp://sexychannal.biz

    hxxp://fkooo.biz

    hxxp://le-showroom.biz

    hxxp://elwebbz.biz

    hxxp://sensorama.us

    hxxp://healingmassage.us

    hxxp://lisa19.biz

    hxxp://free-games-downloads.biz

    hxxp://emaszyny.biz

    hxxp://free-bizzz.biz

    hxxp://ellwebs.biz

    hxxp://fsone.us

    hxxp://banddindependence.biz

    hxxp://freestylecamera.biz

    hxxp://wtter.biz

    hxxp://little-lolitas.biz

    hxxp://a-1express.us

    hxxp://sex-total.biz

    hxxp://misterfixit.us

    hxxp://pantie-fetish.biz

    hxxp://wantedbabes.biz

    hxxp://papmperedchef.biz

    hxxp://webmailccisd.us

    hxxp://funi-games.biz

    hxxp://karatzikos.biz

    hxxp://fuckphotos.biz

    hxxp://best-oem-sellers.biz

    hxxp://powerstocks.biz

    hxxp://connect-group.biz

    hxxp://pptsys.biz

    hxxp://lambrakis.biz

    hxxp://hsmvstatefl.us

    hxxp://computerselectronics.us

    hxxp://premierprop.biz

    hxxp://coloriez.biz

    hxxp://crazy-holiday.biz

    hxxp://images-porno.biz

    hxxp://talentsmodels.biz

    hxxp://sukebe.biz

    hxxp://taydo.biz

    hxxp://texas--holdem.biz

    hxxp://mr-rx.biz

    hxxp://cptraders.biz

    hxxp://financialcareer.biz

    hxxp://smallgirls.biz

    hxxp://plastercrafts.biz

    hxxp://lchs.us

    hxxp://poopka.biz

    hxxp://solarnet.biz

    hxxp://hormonetreatment.us

    hxxp://spammed.us

    hxxp://photos-pucelles.biz

    hxxp://signaturehomesstyles.biz

    hxxp://marbleworks.biz

    hxxp://simplyuniforms.biz

    hxxp://pinballsites.biz

    hxxp://cuyahogacouny.us

    hxxp://pinkpoodlepets.biz

    hxxp://cuyahagacounty.us

    hxxp://rachaels.biz

    hxxp://kentonkyschools.us

    hxxp://iginteinc.biz

    hxxp://caimon.us

    hxxp://lonestarjewelry.biz

    hxxp://vietghost.us

    hxxp://igniteing.biz

    hxxp://buytickets1.us

    hxxp://agame.biz

    hxxp://uighurlar.biz

    hxxp://joshosler.biz

    hxxp://variance.us

    hxxp://qudos.biz

    hxxp://ketsamil.us

    hxxp://quebecauction.biz

    hxxp://verumcom.biz

    hxxp://privatpornoz.biz

    hxxp://trasy.biz

    hxxp://fightnight.us

    hxxp://trueterm.biz

    hxxp://arablusic.us

    hxxp://cdcover.us

    hxxp://httpimageshack.us

    hxxp://iprosper.us

    hxxp://prepaid2u.biz

    hxxp://kylakeproperty.us

    hxxp://printsmart.us

    hxxp://inmarcet.biz

    hxxp://privatevoicemail.us

    hxxp://koicarp.us

    hxxp://11burogu.biz

    hxxp://traivan.us

    hxxp://eroxia.us

    hxxp://assmat.biz

    hxxp://sauvageonne.biz

    hxxp://articlexchange.biz

    hxxp://scottsphotography.biz

    hxxp://project-management-tools.biz

    hxxp://mini-games.biz

    hxxp://aqarium-fish.biz

    hxxp://imageashack.us

    hxxp://beanb.biz

    hxxp://rmpnfotec.biz

    hxxp://azadari.biz

    hxxp://europauto.biz

    hxxp://autosourse.biz

    hxxp://rowanlaw.us

    hxxp://autocadsites.biz

    hxxp://renewpcstore.biz

    hxxp://whatswhat.us

    hxxp://f0reverhealthy.biz

    hxxp://boa-constrictor.biz

    hxxp://f-chan.us

    hxxp://bestemateur.biz

    hxxp://everysearch.us

    hxxp://wnetwork.biz

    hxxp://fanmial.biz

    hxxp://brutalfemdom.biz

    hxxp://realitywise.biz

    hxxp://breadmaker.biz

    hxxp://realy-models.biz

    hxxp://webform.us

    hxxp://lolabbs.biz

    hxxp://weknow.us

    hxxp://jlove.us

    hxxp://zowmebel.biz

    hxxp://1001night.biz

    hxxp://zodiacpowerring.biz

    hxxp://wwwsignaturehomestyles.biz

    hxxp://a-deco.biz

    hxxp://analized.us

    hxxp://ishikari.biz

    hxxp://xteenx.biz

    hxxp://ffivideo.biz

    hxxp://allthingscatholic.us

    hxxp://puffgames.biz

    hxxp://actiongames.us

    hxxp://ffunny-games.biz

    hxxp://coasthomes.biz

    hxxp://clearhabor.biz

    hxxp://at-crew.biz

    hxxp://animal-info.biz

    hxxp://anoria.biz

    hxxp://cl55.biz

    hxxp://amitenergy.biz

    hxxp://bestcounter.biz

    hxxp://bionexus.biz

    hxxp://4only.biz

    hxxp://bellgard.biz

    hxxp://bairo.biz

    hxxp://banjosites.biz

    hxxp://clthumane.biz

    hxxp://autorepairmanuels.biz

    hxxp://city-info.biz

    hxxp://anywhere-wireless.biz

    hxxp://casadellabomboniera.biz

    hxxp://centerforrenewal.biz

    hxxp://cuteloblog.biz

    hxxp://buckneranimalclinic.biz

    hxxp://bona-stto.biz

    hxxp://1sp.biz

    hxxp://easycalender.biz

    hxxp://etudiantes-vicieuses.biz

    hxxp://fannygames.biz

    hxxp://bizibypass.biz

    hxxp://ddl-warez.biz

    hxxp://fainmail.biz

    hxxp://farmersandmerchantsbank.biz

    hxxp://atomakayan.biz

    hxxp://youxxx.us

    hxxp://wmata.us

    hxxp://mailarlingtonva.us

    hxxp://sexyblackpussy.biz

    hxxp://funnygamse.biz

    hxxp://funnygaes.biz

    hxxp://freetgp.biz

    hxxp://www4usonly.biz

    hxxp://hena.biz

    hxxp://gentrees.biz

    hxxp://ignitein.biz

    hxxp://hentai-movie.biz

    hxxp://igniteic.biz

    hxxp://headcutterssalon.biz

    hxxp://fuunny-games.biz

    hxxp://igniteenergy.biz

    hxxp://hrna.biz

    hxxp://free-voyeur-cam.biz

    hxxp://goldenretire.biz

    hxxp://inkkraft.biz

    hxxp://heproject.biz

    hxxp://funny-gemes.biz

    hxxp://ice-out.biz

    hxxp://adogslife.biz

    hxxp://alterego3d.biz

    hxxp://americanriverbikes.biz

    hxxp://ecstazy.biz

    hxxp://harna.biz

    hxxp://africantradebeads.biz

    hxxp://funy-game.biz

    hxxp://free-gay-movies.biz

    hxxp://inginteinc.biz

    hxxp://wwwsexbabes.biz

    hxxp://wwwmoscarossa.biz

    hxxp://wwwsearch.biz

    hxxp://funygame.biz

    hxxp://fuuny-game.biz

    hxxp://e-dict.biz

    hxxp://interskay.biz

    hxxp://bbw-fat-woman.biz

    hxxp://sexbabs.biz

    hxxp://youniquedesigns.biz

    hxxp://visiongloval.biz

    hxxp://seekme.biz

    hxxp://pamperedcheff.biz

    hxxp://streetdrugs.biz

    hxxp://northportrealtor.biz

    hxxp://young-peaches.biz

    hxxp://boysvids.us

    hxxp://coolchasers.us

    hxxp://avse.us

    hxxp://clearsil.us

    hxxp://celebmovie.us

    hxxp://myffl.biz

    hxxp://sexbabez.biz

    hxxp://sexbabies.biz

    hxxp://free-search.biz

    hxxp://free-voyeur-web.biz

    hxxp://sukuname.biz

    hxxp://mattun.biz

    hxxp://wmclick.biz

    hxxp://jun1.biz

    hxxp://try-this-search.biz

    hxxp://best-search.us

    hxxp://topkds.biz

    hxxp://traffmoney.biz

    hxxp://no-nudes.biz

    hxxp://ownmyhome.us

    hxxp://teenboyboy.biz

    hxxp://may5.biz

    hxxp://kisslola.biz

    hxxp://mature-sex-pic.biz

    hxxp://logocorean.biz

    hxxp://medsbymail.biz

    hxxp://melissacam.biz

    hxxp://mcommuniti.biz

    hxxp://katreen.biz

    hxxp://nextdoorteens.us

    hxxp://viasatelital.us

    hxxp://onestoplettingshop.biz

    hxxp://hotmapouka.biz

    hxxp://agsoftware.biz

    hxxp://bun1.biz

    hxxp://bsabikesites.biz

    hxxp://fragments.biz

    hxxp://lovely-nymphets.biz

    hxxp://proliferator.biz

    hxxp://puertolaboca.us

    hxxp://blackandpussy.biz

    hxxp://ford-dealers.biz

    hxxp://hlplmanhds.biz

    hxxp://baosteel.biz

    hxxp://begard.biz

    hxxp://erotik-geschichten.biz

    hxxp://djahmet.biz

    hxxp://fonny-games.biz

    hxxp://togetherwestand.us

    hxxp://fantasy4u.us

    hxxp://tympani.us

    hxxp://victoryautosales.us

    hxxp://veld.us

    hxxp://hartlandschool.us

    hxxp://whisperedsecrets.us

    hxxp://receptor.us

    hxxp://sese.us

    hxxp://industrialwoodproducts.us

    hxxp://cutyourexpenses.us

    hxxp://first-school.us

    hxxp://cutexpenses.us

    hxxp://future4.us

    hxxp://tvdirectory.us

    hxxp://fashioncamp.us

    hxxp://madebyyou.us

    hxxp://justleather.us

    hxxp://iamhot.us

    hxxp://datedetective.us

    hxxp://phonetranslators.us

    hxxp://eurosport.us

    hxxp://lloll.us

    hxxp://embelsira.us

    hxxp://mainsqueezelove.biz

    hxxp://privatporn.biz

    hxxp://porn-photo.biz

    hxxp://radim.us

    hxxp://porn-fotos.biz

    hxxp://niceleads.biz

    hxxp://spaceresort.us

    hxxp://filmscore.us

    hxxp://hatachi.us

    hxxp://lanciasites.biz

    hxxp://needcracks.us

    hxxp://muddle.us

    hxxp://negaheno.biz

    hxxp://truyennguoilon.us

    hxxp://net-gams.biz

    hxxp://videospornoblog.biz

    hxxp://chezbaycakes.biz

    hxxp://vb3.biz

    hxxp://n0-ip.biz

    hxxp://nailwarehouse.biz

    hxxp://mynameislolita.biz

    hxxp://mountainlakeresort.us

    hxxp://hardcore-family-incest.biz

    hxxp://hi-web.biz

    hxxp://passace.com

    hxxp://smartergirl.com

    hxxp://howtofixyourharley.com

    hxxp://sirevil.us

    hxxp://mychices.biz

    hxxp://sfondipc.biz

    hxxp://wealth-4-u.biz

    hxxp://avenge.biz

    hxxp://arlingonva.us

    hxxp://americawide.us

    hxxp://11xp.us

    hxxp://arlintonva.us

    hxxp://animefans.us

    hxxp://genescan.us

    hxxp://hallmarkkeepsake.com

    hxxp://sundaramusic.com

    hxxp://gros-culs.biz

    hxxp://moneyconnection.biz

    hxxp://graephillips.biz

    hxxp://wwwbiehealth.us

    hxxp://hollywoodmadam.us

    hxxp://enblock.biz

    hxxp://oynuyoruz.biz

    hxxp://sexbabys.biz

    hxxp://nop-ip.biz

    hxxp://klinische-forschung.biz

    hxxp://grupxtrem.biz

    hxxp://vestalgirls.biz

    hxxp://nudeliving.us

    hxxp://buellsites.biz

    hxxp://mcclaincountyassessor.us

    hxxp://went2.us

    hxxp://mcpsk12md.us

    hxxp://muenzversand.biz

    hxxp://nighteen.biz

    hxxp://customelectronics.us

    hxxp://hocsinhvn.biz

    hxxp://city-realtor.biz

    hxxp://no-p.biz

    hxxp://transsahara.biz

    hxxp://net-ganes.biz

    hxxp://bevardclerk.us

    hxxp://netgamez.biz

    hxxp://healthfoodsstore.us

    hxxp://hiphopcharts.us

    hxxp://ebookgenerator.biz

    hxxp://ni-ip.biz

    hxxp://dataspot.biz

    hxxp://moregirls.biz

    hxxp://uscharts.us

    hxxp://pampredchef.biz

    hxxp://carefreehomesep.us

    hxxp://fuun-games.biz

    hxxp://kellyeducationalservices.us

    hxxp://hollywoodsbest.us

    hxxp://vintage-furniture.us

    hxxp://pamperedche.biz

    hxxp://cinacast.us

    hxxp://gethitsfrom.us

    hxxp://celebrityfuckfest.biz

    hxxp://gentle-boys.biz

    hxxp://trique-porno.biz

    hxxp://pamperedchf.biz

    hxxp://carwithheart.biz

    hxxp://pamparedchef.biz

    hxxp://soccersites.biz

    hxxp://pamperchief.biz

    hxxp://cutmyexpenses.us

    hxxp://girlsseekingboys.com

    hxxp://curiosity-shop.biz

    hxxp://pamperedcef.biz

    hxxp://thebookpeddler.us

    hxxp://ozgurboard.us

    hxxp://deshimasala.biz

    hxxp://pamepredchef.biz

    hxxp://shopedmap.biz

    hxxp://goshoppingnow.biz

    hxxp://dailycash.biz

    hxxp://pamoeredchef.biz

    hxxp://sleepygirls.us

    hxxp://sexpain.biz

    hxxp://japanese-kimonos.biz

    hxxp://kwbw.biz

    hxxp://knifesites.biz

    hxxp://top-girlie.biz

    hxxp://pcconnect.biz

    hxxp://tiket2u.biz

    hxxp://magicvideo.biz

    hxxp://tankslapper.biz

    hxxp://wolrdventures.biz

    hxxp://assitante-maternelle.biz

    hxxp://ambitenrgy.biz

    hxxp://wcw2008.com

    hxxp://yourxxxblog.biz

    hxxp://ls-dreams.biz

    hxxp://deai-joho.biz

    hxxp://theadvanced348pills.biz

    hxxp://privatporns.biz

    hxxp://worldaventures.biz

    hxxp://max-models.biz

    hxxp://majornet.biz

    hxxp://worldventrures.biz

    hxxp://realincome4realpeople.biz

    hxxp://miffi.biz

    hxxp://lolitaskingdom.biz

    hxxp://ratemyass.biz

    hxxp://themillenium.biz

    hxxp://love2005.biz

    hxxp://worldventuers.biz

    hxxp://worldventues.biz

    hxxp://provoke.biz

    hxxp://realadvanced348pills.biz

    hxxp://wwwpartylite.biz

    hxxp://armorgames.biz

    hxxp://lampsites.biz

    hxxp://labtesting.biz

    hxxp://zagevqsoii.biz

    hxxp://wwwherna.biz

    hxxp://wwwsmartvalue.biz

    hxxp://premierorlandoshow.biz

    hxxp://xtremescooters.biz

    hxxp://pharmaceu.biz

    hxxp://patylite.biz

    hxxp://pianosites.biz

    hxxp://xgarden.biz

    hxxp://xmature.biz

    hxxp://wwwpamperedchef.biz

    hxxp://logocorea.biz

    hxxp://traffstats.biz

    hxxp://myspaze.biz

    hxxp://smartvalu.biz

    hxxp://myangelfuns.biz

    hxxp://pfshop.biz

    hxxp://sinon.biz

    hxxp://partylight.biz

    hxxp://piscali.biz

    hxxp://ventriloserver.biz

    hxxp://vintage-lingerie.biz

    hxxp://busybee-discounts.biz

    hxxp://mycoices.biz

    hxxp://tstats.biz

    hxxp://rmpinfotecc.biz

    hxxp://ruslolitas.biz

    hxxp://only4us.biz

    hxxp://rmpinfote.biz

    hxxp://mo-ip.biz

    hxxp://pamperechef.biz

    hxxp://superfreak.biz

    hxxp://mychoises.biz

    hxxp://pamperedcheif.biz

    hxxp://rock0em.biz

    hxxp://videonymphets.biz

    hxxp://lovers-lane.biz

    hxxp://rmpinfotac.biz

    hxxp://wisconsinapartment.biz

    hxxp://sweet-girls.biz

    hxxp://pameredchef.biz

    hxxp://whiteslave.biz

    hxxp://herohona.biz

    hxxp://minecharm.biz

    hxxp://skysat.biz

    hxxp://boxmain.biz

    hxxp://dynds.biz

    hxxp://dremer.biz

    hxxp://dragonpalace.biz

    hxxp://doina-sirbu.biz

    hxxp://4useonly.biz

    hxxp://cccp-top.biz

    hxxp://panoromicworld.biz

    hxxp://ganntproject.biz

    hxxp://sextop.biz

    hxxp://pamperedhef.biz

    hxxp://virtualzone.biz

    hxxp://serendipityboutique.biz

    hxxp://photololita.biz

    hxxp://parylite.biz

    hxxp://rmpinfotce.biz

    hxxp://partlite.biz

    hxxp://panperedchef.biz

    hxxp://sexlagoon.biz

    hxxp://mcmmunity.biz

    hxxp://statrafongon.biz

    hxxp://stockservice.biz

    hxxp://jobsinmotors.biz

    hxxp://torrent-portal.biz

    hxxp://simwork.biz

    hxxp://simmaster.biz

    hxxp://partyite.biz

    hxxp://opse.biz

    hxxp://shocknews.biz

    hxxp://worldvenures.biz

    hxxp://funnigames.biz

    Sample malicious MD5s known to have been involved in the campaign include:

    375e8a6dd1b666f09f3602ed2e8e05eb

    4634d5e104a26616b6666a43b5b1416c

    014a6e2a4cc62df769c923f236f2934e

    c7a2350a62497f743401946fd63ca25b

    b118c68b72595f9c15bdce8fc77fea37

    a616b67adbdad8870e751384dd070db5

    ccd7b6b6a59bb9925e0af66d60de1e6d

    d4627cf4de6a5905dde5df2e69f8944b

    0de4b76312dc01ff2d2f473465020619

    5ca52919915bbad976fef4165b3f4800

    381b27cb8b9976e6820345a49d93fc3b

    3cab5169156f2d062b84c519cf2b1802

    bbf664bd279580aa717fcff0246b762c

    06d0c3af7b80ea0001a5270d59348282

    e4e494eff71ad9f14b1a369522fb4c94
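
Lists like the one above are defanged (hxxp://), tend to accumulate repeats, and on inspection are full of misspellings of the same few names (the pamperedchef, partylite and worldventures variants). The script below is an added example, not code from the original post: it refangs the entries, drops duplicates, and groups look-alike domains by edit distance to a brand seed list. The sample input is a constructed subset of the list above; the seed list and the distance threshold are assumptions to tune against your own data.

```python
"""Normalise a defanged IOC list and group look-alike domains by brand.

Added example, not code from the original post. SAMPLE_IOCS is a constructed
subset of the list above; BRAND_SEEDS is an assumed watch list.
"""
import re
from collections import defaultdict
from typing import Dict, List, Optional

# Constructed sample: a handful of defanged entries copied from the list above,
# including a repeated entry and a stray blank line.
SAMPLE_IOCS = """
hxxp://911traff.com
hxxp://911traff.org
hxxp://911traff.com

hxxp://pamperedcheff.biz
hxxp://pampredchef.biz
hxxp://pamperedchf.biz
hxxp://wwwpamperedchef.biz
hxxp://partylight.biz
hxxp://patylite.biz
hxxp://worldventrures.biz
hxxp://wolrdventures.biz
hxxp://mystabcounter.info
"""

# Assumed brand seeds (an illustration, not from the post); in practice this is
# your own watch list of brands the campaign appears to be squatting on.
BRAND_SEEDS = ["pamperedchef", "partylite", "worldventures"]

# Common defanging conventions and their real counterparts.
_DEFANG = [("hxxp", "http"), ("[.]", "."), ("(.)", "."), ("[:]", ":")]


def refang(ioc: str) -> str:
    """Undo hxxp://, [.] and similar defanging so the value can be parsed."""
    out = ioc.strip()
    for bad, good in _DEFANG:
        out = out.replace(bad, good)
    return out


def extract_domain(ioc: str) -> Optional[str]:
    """Return the lowercase host of a (possibly defanged) URL or bare domain."""
    url = refang(ioc).lower()
    if not url:
        return None
    url = re.sub(r"^[a-z][a-z0-9+.-]*://", "", url)      # drop the scheme
    host = url.split("/", 1)[0].split("?", 1)[0].split(":", 1)[0]
    return host or None


def normalize(raw: str) -> List[str]:
    """Refang, extract hosts, and drop blanks and duplicates (order preserved)."""
    seen, out = set(), []
    for line in raw.splitlines():
        host = extract_domain(line)
        if host and host not in seen:
            seen.add(host)
            out.append(host)
    return out


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: a cheap similarity measure for typosquat grouping."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # deletion
                           cur[j - 1] + 1,             # insertion
                           prev[j - 1] + (ca != cb)))  # substitution
        prev = cur
    return prev[-1]


def cluster_by_brand(hosts: List[str], seeds: List[str] = BRAND_SEEDS,
                     max_distance: int = 3) -> Dict[str, List[str]]:
    """Group hosts whose second-level label (minus a leading 'www') is within
    max_distance edits of a brand seed. The threshold is a tuning choice."""
    groups: Dict[str, List[str]] = defaultdict(list)
    for host in hosts:
        label = host.rsplit(".", 1)[0].split(".")[-1]   # naive: the label left of the TLD
        label = re.sub(r"^www", "", label)
        for seed in seeds:
            if edit_distance(label, seed) <= max_distance:
                groups[seed].append(host)
                break
    return dict(groups)


if __name__ == "__main__":
    for seed, members in cluster_by_brand(normalize(SAMPLE_IOCS)).items():
        print(f"{seed}: {', '.join(members)}")
```

Hosts that match no seed are simply left out of the groups; that remainder (here 911traff.* and mystabcounter.info) is the part that still needs manual pivoting on registrant or hosting data.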

    Stay tuned!

    Search Engine for Hackers/Analysts/Bloggers/OSINT Analysts and Threat Intelligence Experts! Here We Go!

    July 01, 2022
    Dear blog readers,
    This is Dancho. I wanted to take the time and effort to introduce you to my latest project, which is a publicly accessible search engine for hackers, security analysts, security bloggers, OSINT analysts and threat intelligence analysts who are looking for a custom search engine to serve all of their security and research needs, taking advantage of high-quality security and threat intelligence resources.

    My primary idea behind launching and managing this project is to maintain it on a daily basis with real-time, high-quality resources, and I hope that you'll find the community-driven search engine relevant and informative.

    Stay tuned!


    Seeking Cyber Security and Threat Intelligence Experts To Work On Collaborative Sharepoint and Microsoft Access Cyber Threat Actor Database! Approach Me Today!

    June 29, 2022

    Dear blog readers,

    Here's the big news, and I sincerely hope that you'll approach me at dancho.danchev@hush.com to discuss this project, where the ultimate goal would be to come up with a commercial database, including the necessary daily, weekly and monthly updates, of high-quality data and information on the bad guys, including their online infrastructure and detailed information on their online whereabouts, in a structured Microsoft Access database which we can eventually convert into a Windows application. The ultimate goal would be to come up with the actual information in the first place and then possibly introduce an API which other users can use, including users who might want to purchase the full database. Feel like joining the project and working with me on the initial project taxonomy, including joining the actual data entry process in your free time? Drop me a line at dancho.danchev@hush.com

    Stay tuned!


    Rogue iFrame Injected Web Sites Lead to the AndroidOS/FakeInst/Trojan-SMS.J2ME.JiFake Mobile Malware

    June 28, 2022

    A currently ongoing malicious campaign relying on iFrames injected into legitimate Web sites segments mobile traffic and exposes mobile users to fraudulent, legitimate-looking variants of the AndroidOS/FakeInst/Trojan-SMS.J2ME.JiFake mobile malware.

    Let's dissect the campaign, expose the domain portfolio currently and historically known to have been involved in it, and list all the malicious MD5s known to have been pushed by it.

    iFrame-injected domains hosting the mobile traffic segmentation script, all parked on the same IP (93.170.109.193):
    asphalt7-android.org
    fifa12-android.org
    gta3-android.org
    fruit-ninja-android.org
    wildblood-android.org
    osmos-android.org
    moderncombat-android.org
    minecraft-android.org
    googlanalytics.ws
    getinternet.ws
    ddlloads.com
    googlecount.ws
    opera-com.com
    opgrade.ws
    statuses.ws
    ya-googl.ws
    yadirect.ws
    yandex-google.ws
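
The traffic segmentation described above rests on two things a defender can look for in a compromised page's source: a hidden iframe pointing off-site, and an inline script that tests navigator.userAgent for mobile platforms before changing window.location. The Python below is an added example, not code from the original post: it scans constructed sample HTML (borrowing two of the domains listed above purely as placeholders) for both patterns. PAGE_HOST, the sample markup and the redirect regex are assumptions; real injected scripts are usually obfuscated, so this catches the plain form only and is meant as a first-pass triage over fetched page sources.

```python
"""Spot injected hidden iframes and UA-sniffing mobile redirects in page HTML.

Added example, not code from the original post. SAMPLE_HTML is constructed for
illustration; PAGE_HOST is an assumed hostname for the page being scanned.
"""
import re
from html.parser import HTMLParser
from typing import Dict, List
from urllib.parse import urlparse

PAGE_HOST = "compromised-site.test"   # assumed host of the scanned page

# Constructed sample page: one legitimate iframe, one 1x1 hidden iframe pointing
# off-site, and an inline script that redirects mobile User-Agents.
SAMPLE_HTML = """<html><body>
<p>Legitimate page content</p>
<iframe src="/embed/player" width="640" height="360"></iframe>
<iframe src="http://googlanalytics.ws/count.php" width="1" height="1" style="visibility: hidden"></iframe>
<script type="text/javascript">
var ua = navigator.userAgent.toLowerCase();
if (ua.indexOf('android') != -1 || ua.indexOf('iphone') != -1 || ua.indexOf('j2me') != -1) {
  window.location = 'http://opera-com.com/update.php';
}
</script>
</body></html>"""


class _Collector(HTMLParser):
    """Collect iframe attributes and the text of inline <script> blocks."""

    def __init__(self) -> None:
        super().__init__()
        self.iframes: List[Dict[str, str]] = []
        self.scripts: List[str] = []
        self._in_script = False
        self._buf: List[str] = []

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "iframe":
            self.iframes.append(a)
        elif tag == "script" and not a.get("src"):
            self._in_script, self._buf = True, []

    def handle_data(self, data):
        if self._in_script:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._in_script:
            self._in_script = False
            self.scripts.append("".join(self._buf))


def _is_hidden(attrs: Dict[str, str]) -> bool:
    """True for 0/1-pixel frames or frames hidden via inline style."""
    def tiny(v: str) -> bool:
        v = re.sub(r"px$", "", v.strip())
        return v.isdigit() and int(v) <= 1
    style = attrs.get("style", "").replace(" ", "").lower()
    return (tiny(attrs.get("width", "")) and tiny(attrs.get("height", ""))) \
        or "display:none" in style or "visibility:hidden" in style


def find_injected_iframes(html: str, page_host: str = PAGE_HOST) -> List[str]:
    """Return hosts of hidden iframes whose src points off the page's own host."""
    c = _Collector()
    c.feed(html)
    hits = []
    for a in c.iframes:
        host = urlparse(a.get("src", "")).hostname
        if host and host != page_host and _is_hidden(a):
            hits.append(host)
    return hits


UA_SNIFF = re.compile(r"navigator\.userAgent", re.I)
MOBILE_KW = re.compile(r"android|iphone|ipad|symbian|j2me|blackberry|opera\s*mini", re.I)
REDIRECT = re.compile(r"(?:window\.|document\.|top\.)?location(?:\.href)?\s*=\s*['\"]([^'\"]+)['\"]", re.I)


def find_mobile_redirects(html: str) -> List[str]:
    """Return redirect targets from inline scripts that both sniff the
    User-Agent for mobile platforms and assign a new location."""
    c = _Collector()
    c.feed(html)
    targets = []
    for s in c.scripts:
        if UA_SNIFF.search(s) and MOBILE_KW.search(s):
            targets.extend(m.group(1) for m in REDIRECT.finditer(s))
    return targets


if __name__ == "__main__":
    print("hidden off-site iframes:", find_injected_iframes(SAMPLE_HTML))
    print("mobile redirect targets:", find_mobile_redirects(SAMPLE_HTML))
```

Both hits (the hidden iframe host and the redirect target) are exactly the kind of domain worth pivoting on next: checking what else resolves to their IP is how the rest of the portfolio in this post was assembled.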

    Sample mobile malware MD5s pushed by the campaign:
    MD5: e77f3bffe18fb9f5a1b1e5e6a0b8aaf8
    MD5: 5fb4cc0b0d8dfe8011c44f97c6dd0aa2
    MD5: 9348b5a13278cc101ae95cb2a88fe403
    MD5: f4966c315dafa7e39ad78e31e599e8d0
    MD5: 6f839dd29d2c7807043d06ba19e9c916
    MD5: 8cfebfa7175e6e9a10e2a9ade4d87405
    MD5: 4e5af55dd6a310bced83eb08c9a635b3

    Phone back location: hxxp://depositmobi.com/getTask.php/task=updateOpening&s= - 93.170.107.130

    Parked on the same IP (93.170.107.130) are also the following domains participating in the campaign's infrastructure:
    123diskapp.com
    1gameminecraft.ru
    2010mobile.ru
    absex.ru
    ammla.info
    and4mobiles.ru
    android-apk-file.ru
    android-games-skachat.ru.com
    android-key.ru
    android-market-apk.ru
    android-market-cools.ru
    android-vk.com
    android7s.ru
    androidcool.tk
    androiderus.com
    androidnns.ru
    androidone.net
    androidperfomance.com
    androids-market.ru
    androidupos.ru
    24-android.ru
    online-android.ru
    moiandroid.ru
    ktozdesj.ru
    super-androids.ru


    The following malicious mobile malware MD5s are known to have phoned back to the same IP in the past:
    MD5: 572b07bd031649d4a82bb392156b25c6
    MD5: 9685ff439e610fa8f874bf216fa47eee
    MD5: 6d9dd3c9671d3d88f16071f1483faa12
    MD5: 276b77b3242cb0f767bfba0009bcf3e7
    MD5: aefdbdee7f873441b9d53500e1af34fa

    What's also worth emphasizing is that we've also got a decent number of malicious Windows samples known to have phoned back to the same IP in the past, presumably in an attempt by fellow cybercriminals to monetize the traffic through an affiliate program.
    MD5: bac8f2c5d0583ee8477d79dc52414bf5
    MD5: a1ae35eadf7599d2f661a9ca7f0f2150
    MD5: 419fdb78356eaf61f9445cf828b3e5cf
    MD5: abce96eaa7c345c2c3a89a8307524001
    MD5: 93d11dc11cccc5ac5a1d57edce73ea07
    MD5: 53bbad9018cd53d16fb1a21bd4738619
    MD5: 15f3eca26f6c8d12969ffb1dbeead236
    MD5: 72c6c14f9bab8ff95dbaf491f2a2aff6
    MD5: a282b40d654fee59a586b89a1a12cac2
    MD5: e0798c635d263f15ab54a839bf6bac7f
    MD5: 7b1d8820cc012deac282fc72471310bd
    MD5: 21fdbb9e9e13297ae12768764e169fb4
    MD5: 47fa4a3a7d94dad9fac1cbdc07862496
    MD5: 5e9321027c73175cf6ff862019c90af7
    MD5: cfbaccc61dc51b805673000d09e99024
    MD5: 8bc4dd1aff76fd4d2513af4538626033
    MD5: f6a622f76b18d3fa431a34eb33be4619
    MD5: c068d11293fc14bebdf3b3827e0006ac
    MD5: d68338a37f62e26e701dfe45a2f9cbf2
    MD5: e1c9562b6666d9915c7748c25376416f
    MD5: 1dccd14b23698ecc7c5a4b9099954ae4
    MD5: 47601e9f8b624464b63d499af60f6c18

    Actual download location of a sample of the mobile malware:
    hxxp://mediaworks3.com/getfile.php?dtype=dle&u=getfl&d=FLVPLayer - 78.140.131.124


    The following mobile malware-serving domains are also known to have resolved to the same IP (78.140.131.124) in the past:
    4apkser.ru
    absex.ru
    agw-railway.com
    androedis.ru
    android-apk-file.ru
    android-update.name
    android6s.ru
    android7s.ru
    androidappfile.name
    androidaps.ru
    androidbizarre.com
    androidilve.ru
    androidovnloads.com
    androidupss.ru
    apk-load.ru
    apkzona.ru
    bali-special.ru
    com-opera.com
    dml-site.ru
    download-opera.com


    As well as the following malicious MD5s:
    MD5: 8cfebfa7175e6e9a10e2a9ade4d87405
    MD5: 4e5af55dd6a310bced83eb08c9a635b3

    Thanks to the commercial availability of DIY iFrame injecting platforms, the current commoditization of hacked/compromised accounts across multiple verticals, the efficiency-oriented mass SQL injection campaigns, as well as the existence of beneath the radar malvertising campaigns, cybercriminals are perfectly positioned to continue monetizing mobile traffic for fraudulent/malicious purposes.

    This post has been reproduced from Dancho Danchev's blog. Follow him on Twitter.

    Bogus "Shocking Video" Content at Scribd Exposes Malware Monetization Scheme Through Parked Domains

    June 28, 2022

    Bogus content populating Scribd, centralized malicious, typosquatted and parked domains forming a fraudulent infrastructure, and dozens of malware samples phoning back to this very same infrastructure to monetize the fraudulently generated traffic: it doesn't get any better than this, does it?

    URL redirection chain:
    hxxp://papaver.in/shocking/scr68237 -> hxxp://dsnetservices.com/?epl=98EbooDNwLit-qQViA4tbYD7JMZAQuEUyV387pMYNBODms0CdAg9qAe5QvBgKTO6xW6jHW1iYo5F8yDIvYx7Aavd8wLHmZwHDIltbG4Eta-GVtiO3i9LlnzyK0YgWmT2BOaEeaipahFlE8yB7mCEBrQzXXtQBVUSIMGIEwTo9iUp0IyDUOM0mZKYzSpf6qGlAAgYN_vvwAA4H8BAABAgFsLAADgPokxWVMmWUExNmhaQqAAAADw -> monetization through Google/MSN

    Domain names reconnaissance:
    papaver.in - 69.43.161.176 - Email: belcanto@hushmail.com - Belcanto Investment Group
    dsnetservices.com - 208.73.211.152 - Email: admin@overseedomainmanagement.com - Oversee Domain Management, LLC

    The following related domains are also registered with the same email (belcanto@hushmail.com):
    4cheapsmoke.com
    777payday.com
    aboutforexincome.com
    agroindusfinance.com
    atvcrazy.com
    bbbamericashop.com
    bizquipleasing.com
    cashforcrisis.com
    cashmores-caravans.com
    cashswim.com
    cheapbuyworld.com
    cheaptobbacco.com
    cheapuc.com
    debtheadaches.com
    debtonatorct.com
    gcecenter.com
    goldforcashevents.com
    studioshc.com
    thestandardjournal.com
    travelgurur.com
    atlanticlimos.net
    bethelgroup.net
    caravanningnews.net
    casting-escort.net
    cheapersales.net
    couriernetwork.net
    dragonarttattoo.net
    girlgeniusonline.net
    madameshairbeauty.net
    manchester-escort.net
    mygirlythings.net
    vocabhelp.net
    cheapmodelships.com
    financialdebtfree.com
    mskoffice.com
    cashacll.com
    apollohealthinsurance.com
    nieportal.com
    playfoupets.com
    wducation.com
    carwrappingtorino.net
    crewealexultras.net
    diamondsmassage.net
    isleofwightferries.org
    migliojewellery.org
    mind-quad.org
    moneyinfo.us
    2daysdietslim.com
    999cashlline.com
    capitalfinanceome.com
    capitlefinanceone.com
    captialfinanceone.com
    carehireinsurance.com
    cashadvaceusa.com
    cashadvancesupprt.com
    cashdayday.com
    cashgftingxpress.com
    cashginie.com
    cashsoltionsuk.com
    cathayairlinescheapfare.com
    cheapaddidastops.com
    cheapaparmets.com
    cheapariaoftguns.com
    cheapcheapcompters.com
    cheapdealsinmalta.com
    cheapdealsorlando.com
    cheapeestees.com
    cheapetickete.com
    cheapeygptholidays.com
    cheapfaresairlines.com
    cheap-flighs.com
    cheapflyithys.com
    cheapfreestylebmx.com
    cheapgoldjewelery.com
    cheaphnoels.com
    cheapholidaysites.com
    cheaphotellakegeorge.com
    cheaplawnbowls.com
    cheapm1a1airsoft.com
    cheapmetalsticksdiablo.com
    cheapmpwers.com
    cheapmsells.com
    cheapotickeds.com
    cheapottickets.com
    cheapprotien.com
    cheapryobicordlesstools.com
    cheap-smell.com
    cheapsmellscom.com
    cheapsmes.com
    cheapsscents.com
    cheapstockers.com
    cheapsummerdresser.com
    cheaptents4sale.com
    cheaptertextbooks.com
    cheaptikesps.com
    cheaptrainfairs.com
    cheaptstickts.com
    cheaptunictops.com
    cheapuksupplement.com
    cheapversaceclothes.com
    cheapviagra4u.com
    cliutterdiet.com
    cocheaptickets.com
    dailcheapreads.com
    dcashstudious.com
    debtinyou.com
    diabetesdietsplans.com
    dietaetreino.com
    dietcetresults.com
    dietcheff.com
    dietdessertndgos.com
    dietemaxbrasil.com
    dietopan.com
    discoveryremortgages.com
    dmrbikescheap.com
    ferrrycheap.com
    financeblogspace.com
    firstleasingcompanyofindia.com
    firstresponcefinance.com
    forexdirecotery.com
    forexfacdary.com
    foreximegadroid.com
    forextrading2u.com
    iitzcash.com
    insanelycheapfights.com
    insurancenbanking.com
    inevenhotel.net
    islamic-bank.us
    italyonlinebet.com
    m3motorsite.com

    Out of the hundreds of domains known to have phoned back to the same IP in the past, the following are particularly interesting:
    motors.shop.ebay.com-cars-trucks-9722711.1svvo.net
    motors.shop.ebay.com-trucks-cars-922.1svvo.net
    paupal.it
    paypa.com.login.php.nahda-online.com
    paypal-secure.bengalurban.com
    paypal.com-cgi.bin-webscr.cmd.login.submit-dispatch.5885d80a.13c0db1f8.e263663.d3faee.38deaa3.e263663.login.submit.3.webrocha.com
    paypal.com-cgi.bin-webscr.cmd.login.submit-dispatch.5885d80a.13c0db1f8.e263663.d3faee.38deaa3.e263663.login.submit.4.webrocha.com
    paypal.com.update.service.cgi.bin.webscr.cmd.login-submit.modernstuf.com
    paypal.com.update.service.cgi.bin.webscr.cmd.login.submit.modernstuf.com
    paypal.com.us.cgi-bin.webscr-cmd.login-run.dispatch.5885d80a13c0db1f8e263663d3faee8d43b1bb6ca6ed6aee8d43b16cv27bc.darealsmoothvee.com
    paypal.it.bengalurban.com
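
Names like paypal-secure.bengalurban.com and the long paypal.com-cgi.bin-webscr hosts above share one structure: the brand and a fake URL path live in the subdomain labels, while the registrable domain (bengalurban.com, webrocha.com, modernstuf.com) belongs to someone else. The following is an added example, not code from the original post, that checks hostnames for that pattern. It mixes a few hosts from the list above with constructed controls; BRANDS is an assumed watch list, and the "last two labels" registrable-domain rule is a deliberate simplification (real tooling should use the Public Suffix List so that names under co.uk and similar suffixes are split correctly). Typo variants like paupal.it are a different, edit-distance problem and are intentionally not flagged here.

```python
"""Flag hostnames that carry a brand in their subdomain labels while the
registrable domain belongs to someone else.

Added example, not code from the original post. SAMPLE_HOSTS mixes names from
the list above with constructed controls; BRANDS is an assumed watch list, and
the 'last two labels' registrable-domain rule is a simplification (use the
Public Suffix List in real tooling).
"""
import re
from typing import Dict, List, Optional

BRANDS = ["paypal", "ebay"]   # assumed watch list

# Label tokens that mimic a URL path (cgi-bin/webscr?cmd=_login-submit) inside a hostname.
PATH_TOKENS = {"cgi", "bin", "webscr", "cmd", "login", "submit", "dispatch", "run"}

SAMPLE_HOSTS = [
    "paypal-secure.bengalurban.com",
    "paypal.com.update.service.cgi.bin.webscr.cmd.login.submit.modernstuf.com",
    "motors.shop.ebay.com-cars-trucks-9722711.1svvo.net",
    "paupal.it",
    "www.paypal.com",      # constructed control: brand owns the registrable domain
    "shop.ebay.com",       # constructed control
]


def registrable_domain(host: str) -> str:
    """Naive registrable domain: the last two labels (assumption, see above)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def analyze(host: str, brands: List[str] = BRANDS) -> Dict[str, object]:
    """Describe where a brand name occurs in the host and how path-like it looks."""
    h = host.lower().rstrip(".")
    labels = h.split(".")
    reg = registrable_domain(h)
    sub_labels = labels[:-2]
    prefix = ".".join(sub_labels)
    brand_hit: Optional[str] = None
    if labels[-2] not in brands:          # brand-owned registrable domains are out of scope
        for b in brands:
            # the brand must be a whole token delimited by '.' or '-' (e.g. ebay.com-cars)
            if re.search(rf"(^|[.-]){re.escape(b)}([.-]|$)", prefix):
                brand_hit = b
                break
    tokens = {t for lab in sub_labels for t in lab.split("-")}
    return {
        "host": h,
        "registrable": reg,
        "brand_in_subdomain": brand_hit,
        "path_like_labels": sorted(tokens & PATH_TOKENS),
        "depth": len(labels),
    }


def is_impersonation(host: str, brands: List[str] = BRANDS) -> bool:
    """True when a watched brand sits in the subdomain of a foreign registrable domain."""
    return analyze(host, brands)["brand_in_subdomain"] is not None


def triage(hosts: List[str], brands: List[str] = BRANDS) -> List[str]:
    """Hosts worth a closer look, in input order."""
    return [h for h in hosts if is_impersonation(h, brands)]


if __name__ == "__main__":
    for h in SAMPLE_HOSTS:
        r = analyze(h)
        print(f"{h}\n  registrable={r['registrable']} brand={r['brand_in_subdomain']} "
              f"path_like={r['path_like_labels']} depth={r['depth']}")
```

The path-like label count and the label depth are useful secondary signals: a twelve-label hostname containing cgi, bin, webscr and login is not something a legitimate site produces, so even a host whose brand is not on your watch list can be surfaced by those fields alone.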

    Malicious MD5s known to have made HTTP (monetization) requests to the same IP (69.43.161.176):
    MD5: 7fa7500cd90bd75ae52a47e5c18ba800
    MD5: 84b28cf33dee08531a6ece603ca92451
    MD5: f04ce06f5b1c89414cb1ff9219401a0e
    MD5: b2019625e4fd41ca9d70b07f2038803e
    MD5: 6cfb98ac63b37c20529c43923bcb257c
    MD5: 04641dbafe3d12b00a6b0cd84fba557f
    MD5: 02476b31f2cdc2b02b8ef1e0072d4eb2
    MD5: 0d5a69fa766343f77630aa936bb64722
    MD5: 57f7520b3958031336822926ed0d10b5
    MD5: 00d08b163a86008cbe3349e4794ae3c0
    MD5: 8dd2223da1ad1a555361c67794eb7e24
    MD5: 737309010740c2c1fba3d989233c199c
    MD5: eb3043e13dd8bb34a4a8b75612fe401e
    MD5: eb4737492d9abcc4bd43b12305c4b2fc
    MD5: 6257b9c3239db33a6c52a8ecb2135964
    MD5: 481366b6e867af0d47a6642e07d61f10
    MD5: d58b7158b3b1fb072098dba98dd82ed5
    MD5: 9dd425b00b851f6c63ae069abbbec037
    MD5: 6b0c07ce5ff1c3a47685f7be9793dce5
    MD5: b2b5e82177a3beb917f9dd1a9a2cf91c
    MD5: 05070da990475ac3e039783df4e503bc
    MD5: c332dd499cdba9087d0c4632a76c59f0
    MD5: 0768764fbbeb84daa5641f099159ee7f
    MD5: 843b44c77e47680aa4b274eee1aad4e7
    MD5: 36f92066703690df1c11570633c93e73
    MD5: 0504b00c51b0d96afd3bea84a9a242a2
    MD5: 8b0de5eabc27d37fa97d2b998ffd841a
    MD5: 2944b1437d1e8825585eea3737216776
    MD5: fa13c7049ae14be0cf2f651fb2fa74ba
    MD5: ba5e47e0ed7b96a34b716caee0990ea3
    MD5: e67e56643f73ed3f6027253d9b5bdfac
    MD5: 0ab654850416e347468a02ca5a369382
    MD5: 4e372e5d1e2bd3fa68b85f6d1f861087
    MD5: 696a9b85230a315cfe393d9335cae770
    MD5: 04343c3269c33a5613ac5860ddb2ab81
    MD5: 384a496cd4c2bc1327c225e19edbee54
    MD5: a44b2380cdac36f9dfb460f8fbff3714
    MD5: 9e2a83adb079048d1c421afaf56a73a6
    MD5: e377c7ad8ab55226e491d40bf914e749
    MD5: 46c7c70e30495b4b60be1c58a4397320
    MD5: 841890281b7216e8c8ea1953b255881e
    MD5: 4392f490e6ee553ff7a7b3c4bd1dd13f
    MD5: eeeda63bec6d2704cf6f77f2fb8431cd
    MD5: b68e183884ce980e300c93dfa375bb1f
    MD5: 7990fb5c676bbcd0a6168ea0f8a0c1d7
    MD5: adc250439474d38212773e161dadd6b4
    MD5: 075ae09c016df3c7eb3d402d96fc2528
    MD5: d03b5bf4a905879d9b93b6e81fc1ca55
    MD5: 00c62c8a9f2cf7140b67acec477e6a14
    MD5: b228fae216a9564192fa2153ae911d54
    MD5: 2f778fc3a22b7d5feb0a357c850bdd0d
    MD5: 9080f3a0dfde30aa8afa64f7c3f5d79a
    MD5: 526c1f10f94544344de12abec96cf96f
    MD5: 4d8ddc8d5f6698a6690985ca86b3de00
    MD5: 1a7bb0c9b79d1604b4de5b0015202d02
    MD5: 528be69afad5a5e6beb7b40aeb656160
    MD5: 1769f1b5beae58c09e5e1aac9249f5de
    MD5: 6fb86421ea607ed6c912a3796739ce9b
    MD5: 22e36b887946e457964a2a28a756a1cd
    MD5: 31a7816a1458321736979e0cfdd3d20f
    MD5: 113572249856fc5f2848d1add06dc758
    MD5: a8a002732c5a4959afbf034d37992b5d
    MD5: 413a9116362ab8fb9ba622cc98c788b1
    MD5: 4abb29fe3ec3239d93f7adbc8cb70259
    MD5: 989bea3435e5ac5b8951baa07d356526
    MD5: 9a966076f114fbffc5cdbf5a90b3fd01
    MD5: 14e64da2094ab1aae13d162107c504ec
    MD5: 96bb6df37daef5b8de39ceae1e3a7396
    MD5: d864369a0e8687ad3f89b693be84c8eb
    MD5: 26b8b2c06e1604daee6bfe783a82479e
    MD5: 63b922c94338862e7b9605546af2ef14
    MD5: 19ba1497f088d850bd3902288bb3bd92


    Malicious MD5s known to have made HTTP (monetization) requests to the same IP (208.73.211.152):
    MD5: db0aac72ed6d56497e494418132d7a41
    MD5: aa47bd20f8a00e354633d930a3ebcb19
    MD5: a957e914f697639df7dfb8483a88483b
    MD5: a0b7b01a0574106317527e436e515fd3
    MD5: 3d0d834fe7ca583ca6ed056392f4413d
    MD5: fa342104b329978cba33639311afe446
    MD5: f3b3e8b98bdfb6673da6d39847aec1b3
    MD5: 3ef52b2fd086094b591eb01bc32947c8
    MD5: 128e70484a9f19ab9096fb9b1969bf89
    MD5: ee7dc2d2c7d33855b4dd86ae6243ad22
    MD5: 6fc317b6f66d73903ffe8d12df72e5f7
    MD5: 3800a4a6d6620aa15db7ea717b4d10f5
    MD5: 830bbfcaa499de30ab08a510ce4cbba2
    MD5: 085afd7f26f388bd62bc53ed430fbbc6
    MD5: 3035e120ce08f1824817e0d6eaecc806
    MD5: d4db511618c52272e58f4c334414ed6e
    MD5: dc4ab086d50dcdcd5ae060acfe9bddca
    MD5: c2bc9e266857537699fd10142658bf31
    MD5: 9e6ab643d34a6c37b6150aeb8a2e5adb
    MD5: b6bb96470ef67c26c0a0e8a4d145c169
    MD5: f5aa326e0b5322d7ac47a379e1e1c1f8
    MD5: dc0f5c01d8deaabe9d57d31f9daf50b9
    MD5: 4a42c42e7acd9ff32ebb18efc2d5b801
    MD5: a254b2824867e05d52c60e0464121588
    MD5: 7e612f7ac81ccddb368d3c9e47c9942a
    MD5: 66cec28f23b692ff2019c70a76894c41


    This case is a great example of one of the core practices when profiling cybercrime incidents and campaigns: sample everything, as what you're originally seeing is just the tip of the iceberg.

    Related posts:
    Click Fraud, Botnets and Parked Domains - All Inclusive
    A Commercial Click Fraud Tool
