Posts archive: 2013
- Dec 29 - MMD-0012-2013 - ARP Spoofing Malware Infection Project Disclosure
- Dec 29 - MMD-0011-2013 - Let's be more serious about (mitigating) DNS Amp ELF hack attack
- Dec 11 - BotConf 2013 - #Kelihos: Payload+Domain Analysis, Actor's ID Disclosure, Stopping Payload (as Crime PoC)
- Dec 03 - #Tango Down of 2,989 (allowed to release: 311) Malicious domains Related to Kelihos Reseller
- Nov 13 - MMD #Tango Down of 44 + 19 + 75 CryptoLocker CnC Domains
- Nov 08 - A Step by Step Decoding Guide for CookieBomb's (as Front-end) Latest Threat, with Evil ESD.PHP Redirection (as the Back-end)
- Nov 05 - MMD-0010-2013 - Wordpress Hack Case: Site's Credential Stealer with New ASCII Obfuscation in POST Destination URL
- Nov 02 - MMD-0009-2013 - RunForrestRun DGA "Comeback" with new obfuscation
- Nov 02 - How bad an IP's Reputation can be? A story of: 22.214.171.124 & 126.96.36.199 (park domains)
- Oct 21 - MMD-0008-2013 - What's Behind the #w00tw00t Attack
- Oct 12 - Intelligence report. Beware: Trojan7sec, A wolf in sheep's skin
- Oct 10 - MMD-0007-2013 - KINS? No! PowerZeuS, yes! Source Code for View & Download
- Oct 07 - ...And (again!) ZeroAccess/Sirefef is NOT Dead (yet!)
- Sep 21 - MMD-0006-2013 - Rogue 302-Redirector "Cushion Attack", an attempt to evade IDS/IPS
- Sep 09 - MMD-0005-2013 - A Leaked Malvertisement, Cutwail+BHEK & Triple Payloads of "Syria Campaign"
- Aug 08 - The result on 48hours+ in battle with Kelihos < request for FURTHER block/dismantle cooperation & support. #Tango is going down..
- Aug 02 - MMD-0004-2013 - "You hacked.. we cracked" - "WP Super Cache" & Glazunov EK
- Jul 25 - #Alert! #Facebook scam emails that will lead you to #Blackhole EK (188.8.131.52, GoDaddy/Linode)
- Jul 25 - Suspension announcement of 97 .RU domains (registered in REGGI.RU) used by Kelihos Crime Group to spread payload via Red Kit Exploit Pack
- Jul 23 - MMD-0003-2013 - First "comeback" of the .RU RunForrestRun's DGA with 365 domains infector (ALIVE!)
- Jul 23 - What is behind #CookieBomb attack? (by @malm0u53)
- Jul 21 - Some encoding note(s) on modified #CookieBomb attack's obfuscated injection code
- Jul 19 - #Alert - Kelihos payload download zone in .RU 93 domains still ALIVE - RedKit EK #malware distribution!
- Jul 19 - MMD-0002-2013 - How Cutwail and other SpamBot can fool (spoof) us?
- Jul 17 - MMD-0001-2013 - Proof of Concept of "CookieBomb" code injection attack
- Jun 29 - Suspension announcement of 61 unique domains used by Blackhole Exploit Kit ("closest" type) Crime Group operated on 184.108.40.206 (Russia)
- Jun 24 - Knockin' on Neutrino Exploit Kit's door.. (where is "that" PluginDetect 0.8.0 ??)
- Jun 07 - MMD-0000-2013 - Malware Infection Alert on Plesk/Apache Remote Code Execution zeroday vulnerability
- Jun 05 - A mistery of Malware URL "cnt.php" Redirection Method with Apache's mod_rewrite.c's RewriteCond in .htaccess
- Jun 04 - Case of Pony downloading ZeuS via Passworded Zip Attachment of Malvertisement Campaign
- Jun 03 - Full disclosure of 309 Bots/Botnet Source Codes Found via Germany Torrent
- May 30 - Another story of Unix Trojan: Tsunami/Kaiten.c (IRC/Bot) w/ Flooder, Backdoor at a hacked xBSD
- May 29 - A story of a Spam Botnet Cutwail Trojan - Via fake Paypal's spam link w/redirector (220.127.116.11) backboned by BHEK2 (18.104.22.168)
- Apr 25 - CNC analysis of Citadel Trojan Bot-Agent - Part 2: Understanding its stealer functionalities by decoding the configs
- Apr 21 - (Peeling + Exposal) Kelihos via Redkit, mass-infection threat following unfortnate US disaster news..
- Apr 15 - #Howto - Analysis infection of RedKit sourced at 22.214.171.124 via OS X/Mountain Lion
- Apr 08 - CNC analysis of Citadel Trojan Bot-Agent - Part 1: with Wireshark
- Apr 05 - Mistery of unknown EK using JAR exploit with Hidden Class & XOR-Encoded Embedded RansomWare
- Mar 26 - Announce of Multiple Malware Domains Deactivation March, 2013 - The "Operation Tango Down"
- Mar 24 - The Evil Came Back: Darkleech's Apache Malware Module: Recent Infection, Reversing, Prevention & Source Details
- Mar 07 - Fake Adobe Flash Updater in 126.96.36.199 - Win32/Fareit downloads Win32/Medfos (to then download OTHER malware at Megaupload.com)
- Mar 05 - Case: "*.RU:8080/*/column.php", Hey Stealer! What do you want to steal today? Keywords: #Cridex #Fareit #Naunet
- Feb 21 - Hulk and Malware Crusaders vs FakeAV scandsk.exe (Win32/Simda Backdoor Downloader)
- Feb 20 - Blackhole NOW served Cridex combo with Ransomware rotated with GeoIP - Changes in credential crime scheme (powered by NAUNET.RU)
- Feb 10 - "Confirmed ITW" CVE-2013-0634 This LadyBoyle is not nice at all.
- Feb 06 - Blackhole of "/closest/" version with an infection of Trojan ZeroAccess (alias MaxPlus, Sirefef) w/Recycler Variant
- Feb 03 - The infection of Styx Exploit Kit (Landing page: painterinvoice.ru + Payload: PWS/Ursnif Variant)
- Feb 02 - Peeking at Anon JDB Exploit Kit JAR infectors (212,7,192,100/jdb/lib/java/lives/xxx) - Story continues, many more Payloads came up!
- Jan 31 - Peeking at Anon JDB Exploit Kit infector (188.8.131.52/jdb/inf.php?id=xxx) with AV verdicted called "DarkKomet", but actually a NayraBOT/AryaNBot an IRC Backdoor USB Worm
- Jan 29 - CrimeBoss landing page and its Jar infector
- Jan 27 - Hulk teams up with the Malware Crusaders to smash The CrimeBoss! (infector abrahamspath.org.uk//cb.php)
- Jan 27 - A Guide to flush Blackhole payloads (Cridex dropped Fareit case)
- Jan 27 - When the PWS Stealer try to improve their way to steal... a story of Cridex/PWS Fareit (via Blackhole EK at eziponoma.ru:8080)
- Jan 20 - A case of "Buggy Ransomware" with Backdoor, Spyware (is an Andromeda + Botnet CnC) Infection via Apache's Blackhole Exploit Kit
- Jan 18 - Cridex + Fareit Infection Analysis - "dozakialko.ru:8080" A Credential Stealer Case
- Jan 14 - Flushing, Peeling and Understanding the Cool Exploit Kit infection
- Jan 14 - Decoding #Guide: Double Obfuscation Blackhole Exploit Kit Landing Page (re-upload issue)
- Jan 13 - Some De-obfuscation notes on CritXPack Exploit Kit at root(.)kaovo.com
- Jan 12 - Trojan VBS/Bicololo at infected WordPress
- Jan 12 - Once upon a time with another Red Kit infection & its Payload
- Jan 11 - A double hit - PC Trojan W32/VBS Bicololo and Mobile Java Android/Trojan SMS Apps via a hacked Wordpress site
- Jan 10 - Let's say Hello! to Impact Exploit Kit w/ RansomWare Infector
- Jan 04 - A PBot (PHP + Perl Backdoor IRC Bot + Network Attack Tool) Infection on hegeman.com