In the overwhelming sea of information, access to timely, insightful and independent open-source intelligence (OSINT) analyses is crucial for maintaining the situational awareness needed to stay on top of emerging security threats. This blog covers trends and fads, tactics and strategies, intersecting with third-party research, speculation and real-time CYBERINT assessments, all packed with a sarcastic attitude.
Thursday, July 07, 2011
Summarizing ZDNet's Zero Day Posts for June
The following is a brief summary of all of my posts at ZDNet's Zero Day for June. You can subscribe to my personal RSS feed, Zero Day's main feed, or follow me on Twitter:
01. 'Hot Lesbian Video - Rihanna and Hayden Panettiere' scam on Facebook leads to Mac malware
02. Sony Europe hacked by Lebanese grey hat hacker
03. Spamvertised United Parcel Service emails lead to scareware
04. The most common iPhone passcodes
05. AutoRun malware infections declining
06. 'McDonald's Free Dinner Day' emails lead to scareware
07. Two DDoS attacks hit Network Solutions
08. 'The Creator of LulzSec arrested in London' scam spreading on Facebook
09. Federal Reserve themed emails lead to ZeuS crimeware
10. 'Photographer commited SUICIDE 3 days after shooting THIS video!' scam spreading on Facebook
This post has been reproduced from Dancho Danchev's blog. Follow him on Twitter.
Independent Security Consultancy, Threat Intelligence Analysis (OSINT/Cyber Counter Intelligence) and Competitive Intelligence research on demand. Insightful, unbiased, and client-tailored assessments, neatly communicated in the form of interactive reports - because anticipating the emerging threatscape is what shapes the big picture at the end of the day. Approach me at dancho.danchev@hush.com
Wednesday, June 08, 2011
Summarizing ZDNet's Zero Day Posts for May
The following is a brief summary of all of my posts at ZDNet's Zero Day for May. You can subscribe to my personal RSS feed, Zero Day's main feed, or follow me on Twitter:
Recommended reading:
01. Vishing attack on Skype pushing scareware
02. Commtouch: 71 percent increase in new zombies
03. Osama execution video scam spreading on Facebook
04. New MAC OS X scareware delivered through blackhat SEO
05. 'You visit illegal websites' FBI-themed emails lead to scareware
06. Fake Microsoft Patch Tuesday emails lead to ZeuS crimeware
07. 'Enable Dislike Button' scam spreading on Facebook
08. NASA's Goddard Space Flight Center FTP server hacked
09. 'Checkout Your PROFILE Stalkers' scam spreading on Facebook
10. 'The World Funniest Condom Commercial - LOL' scam spreading on Facebook
11. China's Blue Army: When nations harness hacktivists for information warfare
This post has been reproduced from Dancho Danchev's blog. Follow him on Twitter.
Monday, May 30, 2011
Keeping Money Mule Recruiters on a Short Leash - Part Nine
The following brief summarizes currently active money mule recruitment web sites, which recruit money mules to process fraudulently obtained funds.
Currently active sites residing within AS42708, PORTLANE Network www.portlane.com; AS29713, INTERPLEXINC Interplex LLC; AS38913, Enter-Net-Team-AS; AS24940, HETZNER-AS Hetzner Online:
ATLANTALTD-UK.CC - 193.105.134.233
ATLANTA-LTD-UK.NET - 78.46.105.205 - Email: admin@atlanta-ltd-uk.net
3ATLANTA-UK.COM - 193.105.134.233
BLITZNET-GROUPINC.CC - 78.46.105.205 - Email: admin@derwart-group.at
5DALI-STYLE.COM - 98.141.220.117
DALISTYLE-GROUP.CC - 98.141.220.118 - Email: tolls@mailti.com
DERWOODE-GROUP.COM - 98.141.220.117
DERWOODE-GROUP.NET - 98.141.220.117
GLACIS-GROUPLLC.COM - 193.105.134.232
1GLACISGROUP-LLC.NET - 193.105.134.233
IT-AMIRA.NET - 86.55.210.3 - Email: support@it-amira.net
ITAMIRA-DE.COM - 86.55.210.6 - Email: admin@itamira-de.com
ITSERV-DE.CO - 78.46.105.205 - Email: admin@itserv-de.co
IT-SERVICELTD.BE - 78.46.105.205
KADE-GROUP.COM - 86.55.210.4 - Email: admin@kade-group.com
MASTERART-GROUP.COM - 98.141.220.116 - Email: east@mail13.com
MENDRYLTD.COM - 98.141.220.117 - Email: admin@mendryltd.com
MENZEL-GROUP.TV - 98.141.220.118 - Email: admin@devotion-company.com
MITISSANSERVICE-GROUP-LTD.CC - 98.141.220.117 - Email: berra@cutemail.org
MITISSANSERVICEGROUP-LTD.COM - 98.141.220.117 - Email: alibi@mailae.com
oregonltd-uk.cc - 86.55.210.5 - Email: cause@ca4.ru
PARLEN-GROUPLLC.COM - 98.141.220.118 - Email: admin@parlen-groupllc.com
PARLENGROUPLLC.NET - 98.141.220.114
PARLEN-GROUP-USA.COM - 98.141.220.118
quad-groupuk.cc - 86.55.210.6 - Email: prissy@mailae.com
QUAD-GROUPUK.CC - 86.55.210.6 - Email: prissy@mailae.com
QUAD-IT-GROUP.COM - 193.105.134.232 - Email: admin@quad-it-group.com
QUINTAGROUP.CC - 98.141.220.117 - Email: cola@mailae.com
QUINTA-GROUPUS.COM - 98.141.220.118 - Email: admin@quinta-groupus.com
QUINTA-LLC.NET - 98.141.220.118 - Email: admin@quinta-llc.net
REXTECHINNOVATION.COM - 98.141.220.118 - Email: admin@rextechinnovation.com
REXTECHLTD.CC - 98.141.220.115 - Email: blurt@fxmail.net
REXTECHLTD-US.COM - 98.141.220.118 - Email: admin@rextechltd-us.com
SPECIAL-ART-LTD.COM - 193.105.134.233 - Email: admin@special-art-ltd.com
SPECIAL-ART-UK.CC - 193.105.134.234
SUBLIME-LTD.NET - 98.141.220.118 - Email: admin@sublime-ltd.net
TARGETMARKETGROUP-LLC.CC - 98.141.220.117 - Email: admin@targetmarketgroup-llc.cc
TAZPROGLTD-US.COM - 98.141.220.117 - Email: admin@tazprogltd-us.co
VNSPROJECT-DE.CC - 78.46.105.205 - Email: admin@vnsproject-de.cc
VORTEXLLC-UK.COM - 193.105.134.232 - Email: admin@vortexllc-uk.com
VORTEX-LLC-UK.NET - 193.105.134.230 - Email: admin@vortex-llc-uk.net
Name servers of notice:
NS1.NAMESUKNS.CC - 178.162.172.48 - Email: pal@bz3.ru
NS2.NAMESUKNS.CC - 69.10.56.131
NS3.NAMESUKNS.CC - 66.199.229.123
NS1.NAMEUK.AT - 178.162.172.57 - Email: admin@nameuk.at
NS2.NAMEUK.AT - 69.10.56.132
NS3.NAMEUK.AT - 66.199.229.124
NS1.UKDNSTART.NET - 178.162.172.40 - Email: admin@ukdnstart.net
NS2.UKDNSTART.NET - 69.10.56.130
NS3.UKDNSTART.NET - 66.199.229.122
NS1.DNSUS.SU - 217.23.15.137 - Email: wifi@yourisp.ru
NS2.DNSUS.SU - 87.118.81.7
NS3.DNSUS.SU - 87.118.81.10
NS1.NAMEUSNS.SU - 217.23.15.138 - Email: lavier@bz3.ru
NS2.NAMEUSNS.SU - 84.19.161.7
NS3.NAMEUSNS.SU - 84.19.161.10
NS1.USDENNS.SU - 217.23.15.136 - Email: lipstick@free-id.ru
NS2.USDENNS.SU - 84.19.161.7
NS3.USDENNS.SU - 84.19.161.10
Monitoring of money mule recruitment campaigns is ongoing.
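The value of a listing like the one above lies in the overlap: several domains resolve to the same IP, sit in the same /24, or reuse the same contact mailbox or free-mail provider, which lets a defender treat them as one campaign and block or monitor the shared infrastructure rather than chase domains one at a time. The following is an added example (not code from the original post) that parses the post's own "DOMAIN - IP - Email:" line format and pivots on those shared attributes; the sample input is a constructed subset of the lines above, and the function and variable names are this example's own.

```python
import re
from collections import defaultdict

# Constructed sample input: a subset of the listing lines from the post
# above, in the post's own "DOMAIN - IP [- Email: addr]" format.
LISTING = """\
ATLANTALTD-UK.CC - 193.105.134.233
ATLANTA-LTD-UK.NET - 78.46.105.205 - Email: admin@atlanta-ltd-uk.net
3ATLANTA-UK.COM - 193.105.134.233
BLITZNET-GROUPINC.CC - 78.46.105.205 - Email: admin@derwart-group.at
quad-groupuk.cc - 86.55.210.6 - Email: prissy@mailae.com
QUAD-GROUPUK.CC - 86.55.210.6 - Email: prissy@mailae.com
QUINTAGROUP.CC - 98.141.220.117 - Email: cola@mailae.com
REXTECHLTD.CC - 98.141.220.115 - Email: blurt@fxmail.net
"""

# One listing line: domain, dotted-quad IP, optional contact address.
LINE_RE = re.compile(
    r"^\s*(?P<domain>[A-Za-z0-9.-]+)\s*-\s*(?P<ip>\d{1,3}(?:\.\d{1,3}){3})"
    r"(?:\s*-\s*Email:\s*(?P<email>\S+))?\s*$"
)


def parse_listing(text):
    """Parse listing lines into one record per domain.

    Domains are lower-cased so case-variant duplicates (quad-groupuk.cc vs
    QUAD-GROUPUK.CC) collapse into a single record; malformed lines are skipped.
    """
    records = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        domain = m.group("domain").lower()
        rec = records.setdefault(domain, {"domain": domain, "ips": set(), "emails": set()})
        rec["ips"].add(m.group("ip"))
        if m.group("email"):
            rec["emails"].add(m.group("email").lower())
    return list(records.values())


def pivot(records, key):
    """Group domains by a shared attribute ('ips' or 'emails').

    Returns {value: sorted domains} only for values shared by two or more
    domains, i.e. the actual infrastructure overlap.
    """
    groups = defaultdict(set)
    for rec in records:
        for value in rec[key]:
            groups[value].add(rec["domain"])
    return {v: sorted(d) for v, d in groups.items() if len(d) > 1}


def cidr24(ip):
    """Return the /24 network an IPv4 address belongs to."""
    return ".".join(ip.split(".")[:3]) + ".0/24"


def pivot_by_subnet(records):
    """Coarser pivot: domains on adjacent hosts within the same /24."""
    groups = defaultdict(set)
    for rec in records:
        for ip in rec["ips"]:
            groups[cidr24(ip)].add(rec["domain"])
    return {n: sorted(d) for n, d in groups.items() if len(d) > 1}


def email_domains(records):
    """Count contact-address providers; the same free-mail provider across
    unrelated 'companies' is itself a signal worth noting."""
    counts = defaultdict(int)
    for rec in records:
        for addr in rec["emails"]:
            counts[addr.split("@", 1)[1]] += 1
    return dict(counts)


if __name__ == "__main__":
    recs = parse_listing(LISTING)
    for ip, domains in pivot(recs, "ips").items():
        print("shared IP", ip, "->", ", ".join(domains))
    for net, domains in pivot_by_subnet(recs).items():
        print("shared /24", net, "->", ", ".join(domains))
    print("contact providers:", email_domains(recs))
```

Feeding the full listing from the post through `parse_listing` and the pivots gives the clusters a blocklist or DNS-monitoring rule can be keyed on (the shared IPs and the /24s) instead of on individual domain names, which the recruiters rotate far more often than their hosting.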
Related posts:
Keeping Money Mule Recruiters on a Short Leash - Part Eight - Historical OSINT
Keeping Money Mule Recruiters on a Short Leash - Part Seven
Keeping Money Mule Recruiters on a Short Leash - Part Six
Keeping Money Mule Recruiters on a Short Leash - Part Five
The DNS Infrastructure of the Money Mule Recruitment Ecosystem
Keeping Money Mule Recruiters on a Short Leash - Part Four
Money Mule Recruitment Campaign Serving Client-Side Exploits
Keeping Money Mule Recruiters on a Short Leash - Part Three
Money Mule Recruiters on Yahoo!'s Web Hosting
Dissecting an Ongoing Money Mule Recruitment Campaign
Keeping Money Mule Recruiters on a Short Leash - Part Two
Keeping Reshipping Mule Recruiters on a Short Leash
Keeping Money Mule Recruiters on a Short Leash
Standardizing the Money Mule Recruitment Process
Inside a Money Laundering Group's Spamming Operations
Money Mule Recruiters use ASProx's Fast Fluxing Services
Money Mules Syndicate Actively Recruiting Since 2002
This post has been reproduced from Dancho Danchev's blog.
Tags:
Cybercrime,
Hacking,
Information Security,
Money Laundering,
Money Mule,
Money Mule Recruitment,
Security
Thursday, May 26, 2011
A Peek Inside the Vertex Net Loader
It appears that the author of the DarkComet RAT has been keeping himself rather busy.
In early-stage development (currently in BETA), the Vertex Net Loader is your typical web-based command and control malware loader, worth keeping an eye on.
More details:
Info on the loader:
This is the small program that will send/retrieve info from/to the web panel; it is like the server part of a RAT. The loader is coded in C++. Size unpacked is ~100kb; compressed it is very small and still stable. I chose C++ as the language for this project because I have coded in C++ for a long time but have never released any security software, so, as a friend said, it is a shame to have knowledge of C++ and not use it instead of Delphi all the time. Also, C++ is faster and more stable than any other language.
Features of the loader:
- Send message box
- Execute any kind of commands
- close loader process
- Download files and execute them
- Get the process list
- Get the modules list from PID
- Set the keylogger status ON/OFF
- Retrieve the keylogger logs
- Read the file content and retrieve it
- Uninstall the loader
- Httpflood, the same technology as I used for DarkComet, which is very powerful
- Remote shell
- Visit any webpage
Upcoming features:
- FWB
- More commands
- Panel Installer
- More possibilities in the webpanel
- User manager in the panel
- Plugins support
- and more.
Monitoring of Vertex Net Loader's development is ongoing.
Related posts:
A Peek Inside a New DDoS Bot - "Snap"
Coding Spyware and Malware for Hire
Will Code Malware for Financial Incentives
E-crime and Socioeconomic Factors
Web Based Botnet Command and Control Kit 2.0
BlackEnergy DDoS Bot Web Based
Tags:
Botnet,
DarkComet RAT,
Hacking,
Information Security,
Malicious Software,
Security,
Vertex Net Loader