Who DDoS-ed Georgia/Bobbear.co.uk and a Multitude of Russian Homosexual Sites in 2009? - An OSINT Analysis

October 27, 2022

NOTE:

I took these screenshots circa 2009.

UPDATE:

Here are some of the related botnet C&C server domains known to have been involved in the campaign:
hxxp://cxim.inattack.ru/www3/www/
hxxp://i.clusteron.ru/bstatus.php

hxxp://203.117.111.52/www7/www/getcfg.php (cxim.inattack.ru)

hxxp://cxim.inattack.ru/www2/www/stat.php
hxxp://cxim.inattack.ru/www3/www/stat.php
hxxp://cxim.inattack.ru/www4/www/stat.php
hxxp://cxim.inattack.ru/www5/www/stat.php
hxxp://cxim.inattack.ru/www6/www/stat.php
hxxp://finito.fi.funpic.org/black/stat.php
hxxp://logartos.org/forum/stat.php - 195.24.78.242
hxxp://weberror.cn/be1/stat.php
hxxp://prosto.pizdos.net/_lol/stat.php
hxxp://h278666y.net/www/stat.php - 72.233.60.254

I've decided to share this post, including the related screenshots and technical details, with the idea of inspiring everyone to continue doing their own research, including cyber attack and campaign tracking and monitoring, as well as cyber attack campaign attribution efforts.

Back in 2009 there was major speculation that Russia had indeed launched a massive DDoS (Distributed Denial of Service) attack against Georgia, which was in fact true. What was particularly interesting about this campaign was that the same DDoS-for-hire (managed DDoS) service behind the attack was also observed launching related DDoS campaigns against bobbear.co.uk and a multitude of Russian homosexual Web sites, whose operators back then posted messages on their official Web sites acknowledging the DDoS attack targeting them.

Who was behind the campaigns? An image is worth a thousand words, including the actual use of the original Maltego Community Edition back then, which used to produce outstanding results in a variety of cases, cyber attack incidents and campaigns.

Sample screenshots include:




Sample DDoS C&C domains known to have been involved in the campaign include:
hxxp://emultrix.org
hxxp://yandexshit.com
hxxp://ad.yandexshit.com
hxxp://a-nahui-vse-zaebalo-v-pizdu.com
hxxp://killgay.com
hxxp://ns1.guagaga.net
hxxp://ns2.guagaga.net
hxxp://ohueli.net
hxxp://pizdos.net

Sample DDoS C&C domain URLs known to have been involved in the campaign include:

hxxp://a-nahui-vse-zaebalo-v-pizdu.com/a/nahui/vse/zaebalo/v/pizdu/
hxxp://prosto.pizdos.net/_lol/

Related domains known to have been involved in the campaign include:
hxxp://candy-country.com
hxxp://best-info.in
hxxp://megadwarf.com.com 
hxxp://good412.com
hxxp://oceaninfo.co.kr
hxxp://kukutrustnet777.info
hxxp://kukutrustnet888.info
hxxp://kukutrustnet987.info
hxxp://asjdiweur87wsdcnb.info
hxxp://pedmeo222nb.info
hxxp://gondolizo18483.info
hxxp://technican.w.interia.pl
hxxp://pzrk.ru
hxxp://bpowqbvcfds677.info
hxxp://bmakemegood24.com
hxxp://bperfectchoice1.com
hxxp://bcash-ddt.net
hxxp://bddr-cash.net
hxxp://bxxxl-cash.net
hxxp://balsfhkewo7i487fksd.info
hxxp://buynvf96.info
hxxp://httpdoc.info
hxxp://piceharb.com
hxxp://ultra-shop.biz
hxxp://googlets.info
hxxp://kokaco.info
hxxp://simdream.info
hxxp://simdream.biz
hxxp://lamour.ws
hxxp://prosto.pizdos.net
hxxp://vse.ohueli.net
hxxp://uploder.ws
hxxp://oole.biz
hxxp://yandexshit.com
hxxp://emultrix.org
hxxp://snail.pc.cz
hxxp://bibi.hamachi.cc
hxxp://killgay.com
hxxp://installs.bitacc.com
hxxp://hg7890.com
hxxp://dungcoivb.googlepages.com
hxxp://toggle.com 
hxxp://nhatquanglan2.0catch.com
hxxp://svxela.com
hxxp://united-crew.org

Sample malicious MD5s known to have been involved in the campaign include:
MD5:cde613793e24508f32c38249d396f686
MD5:f13e24a0d7372e096392855d423db4da
MD5:ac43d13455ef4ba50ed522e4a54137dc
MD5:e729f992bea0896f104742e5cbc522c2
MD5:88bed9482f6e0578b59710c41ab890d7
MD5:0472379daba0ab1abee7468786a0953a
MD5:7507022e3cab75888ea960fb48476f2d
MD5:0fd3521e3e150f45a7b243de8760d74d
MD5:ad4007f5ee084e27f7149a98dfa469ba
MD5:d2b08dfcd438d8c106f9be5157553454
MD5:cd193c00728634b6ac3f91c0c5bcf196
MD5:8f69e9577380fd9ba37c1d0d9d5603c4
MD5:eea49d19db46f2cb8767270b019a427a
MD5:372db70ffa24bc0e1bc0ceb2375537b0
MD5:a738127a58985d233e52ee1eacce1bab
MD5:51a33d949644923332f192346aa38569
MD5:f47315c7623954c18c8ce83231044ab4
MD5:21823675dc1cc678ae28228bbfbdf9e2
MD5:38ed6d225770518deedae8c906d11d6c
MD5:b37e79d7ae5315d1479fc140ec8f049e
MD5:39a0f4c388d18b67ebed3c8c1b29dc4e
MD5:09f89b063f884b11fdf785e7eab8548b
MD5:ce2e644d48492dd254149b51a0d32fe7
MD5:25c65d3634ee36b1c99a45ce3d5f8fdc
MD5:e5950a5269c79a7e0158814749f3effc
MD5:561002ecbef499fc0624cedaacd81066
MD5:f6fe1019d426535765ae3800eafb7b9b
MD5:a4f51e896be7e9f5474d24e0c20b0d24
MD5:0d294580dafad0a16849fae4af757c3b
MD5:1ad98858daf6d7f570918b4c3402d824
MD5:0230f77066c14f50b42f32bcb195c8a3
MD5:95158942a3b730307abbd863a0cc6ab6
MD5:f5c9d013f0e363f1eab616e3a97b83cd
MD5:ad0bf946c3e415d9b7842326afb11b90
MD5:03d7957bf93b01365ec16ef9bf6bccc1
MD5:bb2ffbccce05868adf958d90f458d970
MD5:25a9e89e00798cdd8e358f29524b2539
MD5:a3b69591bc5bce27100fe18deaf97a99
MD5:1f2836f33ff85a814e3fb6e17e1b9cc9

Related domains known to have been involved in the campaign include:

hxxp://ohueli.net
hxxp://emultrix.org
hxxp://lamour.ws

Related domain C&C server URLs known to have been involved in the campaign include:

hxxp://pzrk.ru/logo4.gif?1395a=80218&id=2378151660
hxxp://pzrk.ru/logo4.gif?12a76=76406&id=2626553800
hxxp://aapowqbvcfds677.info/?fd1c=64796&id=2378151660
hxxp://c34.statcounter.com/counter.php?sc_project=3034266&java=0&security=297102af&invisible=0
hxxp://jbalbfhkewo7i487fksd.info/?41d39=269625&id=241094347
hxxp://32106.bpowqbvcfds677.info/?32106=205062&id=241094347
hxxp://abpowqbvcfds677.info/?323d5=205781&id=241094347
hxxp://macedonia.my1.ru/mainh.gif?32905=207109&id=241094347
hxxp://good412.com/c.bin
hxxp://www.good412.com/c.bin
hxxp://www.f5ds1jkkk4d.info/?id25765twcvqr41865&rnd=70609
hxxp://bpowqbvcfds677.info/?32145=205125&id=2507836605
hxxp://pzrk.ru/logo4.gif?361b9=221625&id=2578125312
hxxp://abpowqbvcfds677.info/?324fe=206078&id=2507836605
hxxp://bbaakemegood24.com/?33a7a=211578&id=2578125312
hxxp://32319.bpowqbvcfds677.info/?32319=205593&id=2507836605
hxxp://jbalbfhkewo7i487fksd.info/?40f2f=266031&id=2507836605
hxxp://aapowqbvcfds677.info/?32452=205906&id=2507836605
hxxp://ww11.bbeakemegood24.com/
hxxp://macedonia.my1.ru/mainh.gif?13033=77875&id=2456212732
hxxp://bbaakemegood24.com/?12d83=77187&id=2623433696
hxxp://jrsx.jre.net.cn/logos.gif?135ef=79343&id=2456212732
hxxp://pzrk.ru/logo4.gif?142ef=82671&id=2623433696
hxxp://bbaakemegood24.com/?1a3cc=107468&id=2456212732
hxxp://17a3c.bpowqbvcfds677.info/?17a3c=96828&id=2551547297
hxxp://bbaakemegood24.com/?1d200=119296&id=2551547297
hxxp://pzrk.ru/logo4.gif?18b43=101187&id=2551547297
hxxp://aapowqbvcfds677.info/?17b74=97140&id=2551547297
hxxp://technican.w.interiowo.pl/tanga.gif?12f67=77671&id=2378151660
hxxp://pacwebco.com/logost.gif?13081=77953&id=2626553800
hxxp://abpowqbvcfds677.info/?fd8a=64906&id=2378151660
hxxp://bbaakemegood24.com/?11298=70296&id=2626553800
hxxp://perevozka-gruzov.ru/ft.gif?17318=95000&id=2503118808
hxxp://jbalbfhkewo7i487fksd.info/?21f55=139093&id=2378151660
hxxp://bbaakemegood24.com/?111ed=70125&id=2503118808
hxxp://pacwebco.com/logost.gif?109ce=68046&id=2503118808
hxxp://perevozka-gruzov.ru/as.gif?17961=96609&id=2503118808
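
A practitioner tracking a campaign like this wants the indicator list to be more than a wall of strings. The check-in URLs above share one shape worth noticing: the first query key is the hexadecimal spelling of its own decimal value (0x1395a is 80218, 0xfd1c is 64796, and so on down the list), followed by a numeric id, and the same id shows up against several hosts. The following Python is an added example written for this post, not code from the original post or from the bot itself. It treats that shape as the beacon signature, refangs the hxxp:// indicators, enforces the hex/decimal equality so that unrelated URLs carrying an id parameter (the statcounter line, the c.bin downloads) are rejected, and groups hosts by id to show the C&C set a single infected machine cycled through. The regex bounds and the reading of "id" as a bot identifier are assumptions drawn from the listed URLs, not from analysis of the malware.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Query-string shape shared by the check-in URLs listed above: a first key that
# is the hexadecimal spelling of its own decimal value, then a numeric "id".
# Example from the list: ?1395a=80218&id=2378151660 (0x1395a == 80218).
# Field widths are assumptions fitted to the listed URLs, not a protocol spec.
BEACON_QUERY = re.compile(
    r"^(?P<key>[0-9a-f]{3,6})=(?P<val>\d{1,7})&id=(?P<bot>\d{1,10})$"
)


def refang(ioc: str) -> str:
    """Turn a defanged hxxp:// indicator back into a URL the stdlib can parse."""
    return re.sub(r"^hxxp(s?)://", r"http\1://", ioc.strip(), flags=re.IGNORECASE)


def defang(url: str) -> str:
    """Inverse of refang(), for writing indicators back out safely."""
    return re.sub(r"^http(s?)://", r"hxxp\1://", url.strip(), flags=re.IGNORECASE)


def parse_beacon(ioc: str):
    """Return {host, path, counter, bot_id} if the URL has the beacon shape,
    else None. The hex-key/decimal-value equality is enforced, so a URL that
    merely carries an id-like parameter (web counters, trackers) is rejected."""
    parts = urlsplit(refang(ioc))
    m = BEACON_QUERY.match(parts.query)
    if not m:
        return None
    key, val = m.group("key"), int(m.group("val"))
    if int(key, 16) != val:  # the invariant every listed beacon satisfies
        return None
    return {
        "host": parts.hostname,
        "path": parts.path,
        "counter": val,
        "bot_id": m.group("bot"),
    }


def hosts_by_bot(iocs):
    """Group beacon hosts by bot id. One id seen against several hosts shows
    the fallback C&C set that a single infected machine cycled through."""
    seen = defaultdict(set)
    for ioc in iocs:
        b = parse_beacon(ioc)
        if b:
            seen[b["bot_id"]].add(b["host"])
    return {bot: sorted(hosts) for bot, hosts in seen.items()}


# Input taken from the URL list above (page data), plus two non-beacon lines
# from the same list that the filter is expected to ignore.
SAMPLE_IOCS = [
    "hxxp://pzrk.ru/logo4.gif?1395a=80218&id=2378151660",
    "hxxp://aapowqbvcfds677.info/?fd1c=64796&id=2378151660",
    "hxxp://abpowqbvcfds677.info/?323d5=205781&id=241094347",
    "hxxp://32106.bpowqbvcfds677.info/?32106=205062&id=241094347",
    "hxxp://macedonia.my1.ru/mainh.gif?32905=207109&id=241094347",
    "hxxp://technican.w.interiowo.pl/tanga.gif?12f67=77671&id=2378151660",
    "hxxp://abpowqbvcfds677.info/?fd8a=64906&id=2378151660",
    "hxxp://jbalbfhkewo7i487fksd.info/?21f55=139093&id=2378151660",
    "hxxp://c34.statcounter.com/counter.php?sc_project=3034266&java=0&security=297102af&invisible=0",
    "hxxp://good412.com/c.bin",
]

if __name__ == "__main__":
    for bot, hosts in sorted(hosts_by_bot(SAMPLE_IOCS).items()):
        print(bot, "->", ", ".join(defang("http://" + h + "/") for h in hosts))
```

Run it as a script to see the grouping for the embedded sample, or replace SAMPLE_IOCS with URLs pulled from proxy or DNS logs. The invariant check is the point of the filter: matching on an id parameter alone would pull in every web counter on the network, while the hex/decimal equality is specific enough to this family's check-ins to be worth alerting on.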

Stay tuned!

My New RSS Feed - Part Two

October 27, 2022

Dear blog readers,

I've decided to let everyone know that my new RSS feed is also available in XML and JSON.

Enjoy!


Exposing "Emennet Pasargad/Eeleyanet Gostar/Net Peygard Samavat" Iran-Based Company on FBI's Most Wanted Cybercriminals List - An OSINT Analysis

October 27, 2022

I've recently come across this IC3 notification on Emennet Pasargad, also known as Eeleyanet Gostar or Net Peygard Samavat, and I've decided to further enrich the technical information provided with the idea of assisting everyone in their cyber attack and cyber campaign attribution efforts.

Sample URL known to have been involved in the campaign:
hxxp://eeleyanet.ir - 5.144.130.40
Sample screenshots include:



Sample related personally identifiable email addresses known to have been involved in related campaigns include:

sidafin@mihanmail.ir
safary.mansoor@gmail.com
support@yahoolinkexchange.com
faranakbehjati@yahoo.com
amirhaghighi2014@yahoo.com
h.boloukat@gmail.com
Rahimi@Live.com

Stay tuned!

Spotting Moguls - An Analysis

October 26, 2022

NOTE:

I wrote this blog post in 2007.

What's so bad in being a mogul?

  • Moguls are boring
  • Moguls are predictable
  • Moguls are biased
  • Moguls often use their company's over-valued financial performance -- excluding the initial investment -- as a speaking platform
  • If Moguls blog, it would be on the Insecurities of Sun Tanning and everything in between
  • Moguls conveniently "exclude the middle" taking credit for the Moon's announcing phrases
  • Moguls often whine when they should scream
  • Moguls preach, rather than teach
  • Moguls neatly restart the threat cycle of a particular threat in a mostly self-serving manner
  • Moguls spend too much time not just looking into the mirror, but talking to its reflection
  • Moguls are bad the way synthetic drugs are, and with time you don't have a choice but to start listening to "those voices" -- rats have big ears.
  • Moguls are a bad, yet amusing necessary evil, one that must be professionally dealt with.
  • Even more amusing they become, as they start baby booming.
Stay tuned!


Ten Signs It's a Slow News Week - An Analysis

October 26, 2022

NOTE:

I wrote this blog post in 2007. 

  • Articles stating that malware increased 450% during the last quarter - of course it's supposed to increase given the automated polymorphism they've achieved, thereby having anti virus vendors spend more money on infrastructure to analyze it
  • Articles stating that spam and malware attacks will increase and get more sophisticated
  • Articles discussing a new malware spreading around instant messaging networks -- psst, there are hundreds of them currently spreading
  • Articles discussing how signature based malware scanning is next while an anti virus vendor's ad is rotating on the right side of the article
  • Articles commenting on exploit code for a high risk vulnerability made public -- it has usually been circulating around VIP underground forums for weeks before it made it to the mainstream media, with script kiddies leaking it to other script kiddies
  • Articles pointing out how phishers started targeting a specific company
  • Articles emphasizing how mobile malware will take over the world, despite there being no known outbreaks currently active in the wild
  • Articles pointing out that having a firewall and updated anti virus software is important
  • Articles discussing which OS is the most secure one
  • Articles mentioning the percentage increase in the thousands of spam and phishing emails for the last quarter

Stay tuned!


Bureaucratic Warfare Against Unrestricted Warfare - An Analysis

October 26, 2022

NOTE:

I wrote this blog post in 2007.

In a people's information warfare scenario, the masses of end users wanting to contribute bandwidth, recruited on a nationalist level, will simply infect themselves with malware courtesy of the technical crowd possessing the capabilities to come up with such malware. In an arrogant people's information warfare, the technical crowd, or the "bot source compilers generation", will not just distribute DoS attack tools and a target list; they will backdoor the DoS tool itself, just like the case with this tool, which I believe was distributed during the frontal hacktivism attack.

Moreover, it wasn't a cyberwar, as in any type of war you have both sides losing or gaining tactical advantage; it was a virtual "shock and awe".

Stay tuned!


The U.S is Facing a Cyber Warfare Doctrine Crisis - An Analysis

October 26, 2022

NOTE:

I wrote this blog post in 2007.

Is it just me, or do I get depressed when I come across the words U.S Cyber Command, Twiki.net and serial entrepreneur in the same article? Someone once said that in the long term mega corporations and governments will be mainly involved in Talent Wars, and he was right. After reading this article, I bet that Chinese cyber warriors will issue an email to their internal mailing list entitled "The Depressing State of the U.S's Cyber Warfare Doctrine" and someone will respond "What Cyber Warfare Doctrine?!". Cutting the sarcasm, this is either a sophisticated PSYOPS to purposely let others underestimate the Cyber Command's upcoming decentralization point in history, or a Human Resources department in a rush to meet a deadline.

Great stuff, so if every agency is doing whatever every agency feels like doing, you'll have several agencies collecting intelligence on the same individual/group of individuals, who will inevitably end up in a situation where they'll be collecting raw and unique to them only data, one that some of the other agencies would have already obtained and marked as outdated and irrelevant under the current circumstances.

Why the emphasis on decentralization, when it should be on distributed management as a concept?

How can you centralize your opponents when they've already reached the unrestricted warfare stage, and have long been envisioning the potential of people's information warfare?

I guess the core of decentralized management is that everyone does whatever he feels like doing.

Stay tuned!


Should a Country Physically Bomb the Source of the Cyber Attack? - An Analysis

October 26, 2022

NOTE:

I wrote this post in 2007.

It all started with the basic speculation that a superpower should aim to physically bomb the source of the cyber attack.

Here are some thoughts:

- physically bombing the source of the attack is not a metaphor, it's an indication of wrongly understood situational awareness

- install a hxxp://makelovenotspam.com type of screensaver on each and every U.S government PC, and have it periodically obtain the latest list of hosts to be attacked from a central Target List repository

- if the U.S is to attack those attacking the U.S, a third party interested in taking advantage of the U.S's bandwidth and know-how would easily make it look like someone else is attacking the U.S and have the U.S attack the third party's enemies

- the myth of lining up your army and waiting for the other army to appear at a particular battlefield doesn't exist in cyber guerrilla information warfare, where you're the visible target and your enemy is everywhere.

- each and every comment regarding the stereotyped adversary talks as if the adversary has a home address and physical headquarters

- there's no physical location to be bombed, there's no IP to be DDoS-ed since it's not theirs, there's no home PC of the commander to take control of.

The bottom line: some of the most insightful and visionary cyber warfare research papers I've ever read, ones that will hold for decades to come, were written by U.S army researchers. However, as with pretty much everything else in life, those who don't know are usually the ones holding the positions where they're supposed to know more than everyone else, and vice versa.

Stay tuned!


A Pragmatic Cyberwarfare Doctrine - What Money Cannot Buy - An Analysis

October 26, 2022

NOTE:

I wrote this post in 2007. These are basically some notes that I took on the cyber warfare doctrine problem that the U.S was facing back then.

Key summary points:

- never let an insider do an outsider's job

- the convergence of conventional military capabilities and asymmetric warfare

- bombing the source of the attack means, you'll have a U.S strategic bomber bombing a place somewhere in the U.S.

- subverting the enemy without fighting

- cyberwarfare attack from inside the fortification

- virtual cyber warfare competitions in a controlled environment

When you dedicate the largest proportion of your resources to keeping up with the conventional military arms race, it's a superpower, or a third world country, that would defeat your entire conventional military arsenal by not even confronting it, and thus, lacking a point of engagement, render it useless by directly bypassing it.

Stay tuned!


The Most Wanted Cyber Jihadist - An Analysis

October 26, 2022

NOTE:

I wrote this post in 2007.

This would have been an important blog post if cyber jihad were an issue that could be personalized; however, the reality as always has to do with another perspective, which in cyber jihad's case is diversification, localization of knowledge, and knowledge-driven cyber jihadist communities themselves.

My point is that this guy should not be considered the public face of cyber jihad; now that he's no longer active as a cyber jihadist, he's a cyber martyr that will be inspiring another generation of wannabe cyber jihadists to come.

Here's the article:

"In addition, Tsouli Irhabi used countless other web sites as free hosts for material that the jihadists needed to upload and share. The true extent of his material distribution network is still not known. He is credited with the large scale distribution of a film produced by Zarqawi called "All Is for Allah's Religion". His arrest struck a significant blow to al Qaeda's cyber terrorism weaponry. With cyber weaponry only requiring widely available knowledge and skills and the only equipment required a computer that can be purchased anywhere, cyber weapons proliferation cannot be controlled."

My favorite quote - "With cyber weaponry only requiring widely available knowledge and skills and the only equipment required a computer that can be purchased anywhere, cyber weapons proliferation cannot be controlled. These facts coupled with the recent cyber attacks on utilities that blackout cities and regions show this is a serious threat."

Wait a sec. PSYOPS is a practice in itself, which in this case aims to increase the investments made into securing the critical infrastructure of a country, one that I bet even the bad guys stopped targeting due to the logical nature of the attack. It is such a practice. Moreover, remember another such PSYOPS practice, namely the desired "media-echo" effect achieved?

Stay tuned!


Leadership Basics - An Analysis

October 26, 2022

NOTE:

I wrote this article back in 2007. Here's the archive.

Jeffrey Pfeffer's Business 2.0 columns always load me with self-esteem, and provoke me to go beyond the patterns of success, the ones I'm aware of. Integrity is an important quality, and so is adaptability and the enlightenment of constant self-development.

I tend to have developed this internal Early Warning System for tensions. What does this mean? I use a cheap hushmail account, blogspot as a blogging platform, as I'm indeed trying to prove something - it's not about the blogging platform, it's not about being a domainer, it's all about the knowledge. Respect to HD Moore for still sticking to his black background, exactly the same one I was using for several months.

The chase of a utopian dream - perfection - is a never ending driving force; you know you can never be perfect, since it's hard to define, but the constant idea of trying to achieve something unachievable might indeed lead you somewhere.

The ultimate question - what do others think about me? how would I be remembered when I'm gone? is where the problem starts. Being remembered means you're already gone.

There are three different dimensions of the "I": the one you really are, the one you want to be, and the one people perceive you as. You'd better focus more on who you actually are, so you can do better, and on who you want to be, than end up being anything else but "someone else's expectation", more or less a transparent hologram of what other people wanted you to be.

What would others say? What if they don't like it? What if it undermines my confidence in myself at the end of the day? Being hated, or having a "fan club" means you're definitely up to something, all you need to break through is believing it.

Hanging out with the winners of the day is an everyday reality, but the reality is that the true cyberpunks often hang outside at a party or con, far away from the populist speeches and yet another 10k keynote mind-provoker. Still in need of a real-life story? Try Jesus, who was supposed to hang out with the posers, the ones that supposedly excelled in society at the time, yet he was dining with the opposite parties.

To me, it's always a matter of perspective and a vision.

Reaching the "Trust no one" stage in your life means you're definitely up to something, and most importantly had the courage to rise above; the consequences, among the knives flying around, behind and above you, are the opportunity costs you have sacrificed due to your behavior, such as less time spent on chasing chicky chicks for instance.

People easily forget themselves in the euphoria of temporary success, and while even the fact of forgetting yourself means you used to be someone, this desperate cry for self-awareness in itself is a pitiful personal milestone.

Don't fight for appraisal, but learn to praise yourself, be interested, not interesting, break out of definitions, and question everything, even yourself.
