[Full-disclosure] Who's Behind the Koobface Botnet? - An OSINT Analysis

2012-01-09 Thread Dancho Danchev
Hi everyone,

In this post, I will perform an OSINT analysis, exposing one of the
key botnet masters behind the infamous Koobface botnet, that I have
been extensively profiling and infiltrating since day one. I will
include photos of the botnet master, his telephone numbers, multiple
email addresses, license plate for a BMW, and directly connect him
with the infrastructure -- now offline or migrated to a different
place -- of Koobface 1.0.

The analysis is based on a single mistake that the botnet master made
- namely using his personal email for registering a domain parked
within Koobface's command and control infrastructure, that at a
particular moment in time was directly redirecting to the ubiquitous
fake Youtube page pushed by the Koobface botnet.

http://ddanchev.blogspot.com/2012/01/whos-behind-koobface-botnet-osint.html

Regards
--
Dancho Danchev
Cyber Threats/CyberCrime Analyst | Security Blogger, ZDNet at CBS
Interactive | Security Blogger at Webroot
Personal Blog: http://ddanchev.blogspot.com
ZDNet Blog: http://blogs.zdnet.com/security
Webroot Blog: http://blog.webroot.com
Twitter: http://twitter.com/danchodanchev
LinkedIn: http://nl.linkedin.com/in/danchodanchev
Facebook: http://facebook.com/dancho.danchev
Skype ID: dancho_danchev_

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


[Full-disclosure] Exposing the Market for Stolen Credit Cards Data

2011-10-31 Thread Dancho Danchev
What's the average price for a stolen credit card? How are prices
shaped within the cybercrime ecosystem? Can we talk about price
discrimination within the underground marketplace? Just how easy is it to
purchase stolen credit cards, known as dumps or full dumps, nowadays?

In this intelligence brief, I will expose the market for stolen credit
cards data, by profiling 20 gateways for processing of fraudulently
obtained financial data.

Key summary points:

- Tens of thousands of stolen credit cards a.k.a. dumps and full dumps
offered for sale in a DIY market fashion
- The majority of the carding sites are hosted in the Ukraine and the
Netherlands
- Liberty Reserve is the payment option of choice for the majority of
the portals
- Four domains are using Yahoo accounts and one using Live.com account
for domain registration
- Four of the domains are using identical name servers
- Each DIY gateway for processing of fraudulently obtained financial
data has a built-in credit cards checker or offers links to external
sites performing the service
- Several of the fraudulent gateways offered proxies-as-a-service,
allowing cybercriminals to hide their real IPs by using the malware
infected hosts as stepping stones

Reference:
http://ddanchev.blogspot.com/2011/10/exposing-market-for-stolen-credit-cards.html

Regards
-- 
Dancho Danchev
Cyber Threats/CyberCrime Analyst | Security Blogger, ZDNet at CBS Interactive
Personal Blog: http://ddanchev.blogspot.com
ZDNet Blog: http://blogs.zdnet.com/security
Twitter: http://twitter.com/danchodanchev
LinkedIn: http://nl.linkedin.com/in/danchodanchev
Facebook: http://facebook.com/dancho.danchev
Skype ID: dancho_danchev_


[Full-disclosure] Inside India’s CAPTCHA Solving Economy

2008-08-30 Thread Dancho Danchev
Hello,

The following article aims to expose a booming CAPTCHA solving economy
in India, employing thousands of legitimate data processing workers,
whose business model is already being abused by cybercriminals paying
pocket money for using it :

Let's analyze the shady data processing economy of India, discuss
exclusive photos of Indian workers breaking MySpace and Google
CAPTCHAs, and take a tour inside the web applications of several
Bangladesh-based franchises, whose team of almost 1,000 international
workers is actively soliciting deals for breaking Craigslist, Gmail,
Yahoo, MySpace, YouTube and Facebook's CAPTCHA, promising to deliver
250k solved CAPTCHAs per day at a rate of $2 per 1,000 solved CAPTCHAs.
One of the services in question is the India-based decaptcher.com,
which will allow you to retrieve its API once you put money in their
PayPal account.

http://blogs.zdnet.com/security/?p=1835

Regards
-- 
Dancho Danchev
Cyber Threats Analyst/Blogger
http://ddanchev.blogspot.com
http://blogs.zdnet.com/security
http://windowsecurity.com/Dancho_Danchev


[Full-disclosure] Coordinated Russia vs Georgia cyber attack in progress

2008-08-14 Thread Dancho Danchev
Hello,

The following factual analysis is a complete account of the events
that took place during the weekend in regard to Russia's
self-mobilization of Internet users in an attempt to coordinate and
launch a cyber attack against Georgia's Internet infrastructure, and
limit the Georgian government's ability to disseminate information on
the events taking place inside the country.  The attacks are ongoing
despite the ceasefire.

http://blogs.zdnet.com/security/?p=1670

Regards
-- 
Dancho Danchev
Cyber Threats Analyst/Blogger
http://ddanchev.blogspot.com
http://blogs.zdnet.com/security
http://windowsecurity.com/Dancho_Danchev


[Full-disclosure] Gmail, Yahoo and Hotmail’s CAPTCHA broken by spammers

2008-07-03 Thread Dancho Danchev
Hello,

Breaking Gmail, Yahoo and Hotmail's CAPTCHAs has been an urban legend
for over two years now, with do-it-yourself CAPTCHA breaking services,
and proprietary underground tools assisting spammers, phishers and
malware authors into registering hundreds of thousands of bogus
accounts for spamming and fraudulent purposes. This post intends to
make this official, by covering an underground service offering
thousands of already registered Gmail, Yahoo and Hotmail accounts for
sale, with new ones registered every second clearly indicating the
success rate of their CAPTCHA breaking capabilities at these services
:

http://blogs.zdnet.com/security/?p=1418

Regards
-- 
Dancho Danchev
Cyber Threats Analyst/Blogger
http://ddanchev.blogspot.com
http://blogs.zdnet.com/security
http://windowsecurity.com/Dancho_Danchev


[Full-disclosure] ICANN and IANA’s domains hijacked by Turkish hacking group

2008-06-27 Thread Dancho Danchev
Hello,

The official domains of ICANN, the Internet Corporation for Assigned
Names and Numbers, and IANA, the Internet Assigned Numbers Authority
were hijacked earlier today, by the NetDevilz Turkish hacking group
which also hijacked Photobucket's domain on the 18th of June.

http://blogs.zdnet.com/security/?p=1356

Regards
-- 
Dancho Danchev
Cyber Threats Analyst/Blogger
http://ddanchev.blogspot.com
http://blogs.zdnet.com/security
http://windowsecurity.com/Dancho_Danchev


[Full-disclosure] Who's Behind the GPcode Ransomware?

2008-06-10 Thread Dancho Danchev
Hello,

The following is an OSINT analysis aiming to assist in tracking down
the malware authors behind GPcode who seem to be building custom
decryptors, next to issuing a universal one which can be used to
decrypt anything ever encrypted by them.

Who's behind the GPcode ransomware? It's Russian teens with pimples,
using E-gold and Liberty Reserve accounts, running three different
GPcode campaigns, two of which request either $100 or $200 for the
decryptor, and communicating from Chinese IPs. Here are all the
details regarding the emails they use, the email responses they sent
back, the currency accounts, as well their most recent IPs used in the
communication.

http://ddanchev.blogspot.com/2008/06/whos-behind-gpcode-ransomware.html
http://blogs.zdnet.com/security/?p=1259

Regards
-- 
Dancho Danchev
Cyber Threats Analyst/Blogger
http://ddanchev.blogspot.com
http://blogs.zdnet.com/security
http://windowsecurity.com/Dancho_Danchev


[Full-disclosure] Assessing the Flash Zero Day Malware Campaign

2008-05-28 Thread Dancho Danchev
In regard to the currently active malware campaign exploiting a zero
day vulnerability in Adobe Flash player, the following assessment
provides a detailed analysis of the situation, including malicious
domains to block, detection rates for the exploit, and the passwords
stealers served on behalf of Chinese blackhats, as well as
establishing the connection between this incident and several of the
domains used in the ongoing SQL injection attacks :

http://ddanchev.blogspot.com/2008/05/malware-attack-exploiting-flash-zero.html

Regards
-- 
Dancho Danchev
Cyber Threats Analyst/Blogger
http://windowsecurity.com/Dancho_Danchev
http://ddanchev.blogspot.com
http://blogs.zdnet.com/security


[Full-disclosure] Redmond Magazine SQL Injected by Chinese Hacktivists

2008-05-17 Thread Dancho Danchev
Hello,

It appears that Redmond - The Independent Voice of the Microsoft IT
Community, formerly known as Microsoft Certified Professional Magazine
is currently flagged as a badware site, and third-party exploit
detection tools are also detecting internal pages as exploit hosting
ones, in this particular case Mal/Badsrc-A. Redmond Developer News and
Redmond Channel Partner Online are also affected.

An analysis is available at :

http://blogs.zdnet.com/security/?p=1118

Regards
-- 
Dancho Danchev
Cyber Threats Analyst/Blogger
http://ddanchev.blogspot.com
http://windowsecurity.com/Dancho_Danchev


[Full-disclosure] The DDoS Attacks Against CNN

2008-04-23 Thread Dancho Danchev
Hello,

This is a complete account of the events, statements, attack
techniques and actual tools used in the recent attacks against CNN.com
on behalf of Chinese hacktivists.

http://ddanchev.blogspot.com/2008/04/ddos-attack-against-cnncom.html
http://ddanchev.blogspot.com/2008/04/chinese-hacktivists-waging-peoples.html

Regards
-- 
Dancho Danchev
Cyber Threats Analyst/Blogger
http://ddanchev.blogspot.com
http://windowsecurity.com/Dancho_Danchev


[Full-disclosure] Massive IFRAME SEO Poisoning Attack Continuing

2008-03-28 Thread Dancho Danchev
Following last week's massive SEO poisoning combined with IFRAME
injections due to input validation flaws at sites with high pageranks,
these are the very latest high profile sites successfully injected
with IFRAMEs forwarding to the rogue security software and Zlob
malware variants, like the ones in the previous campaigns :

USAToday.com, ABCNews.com, News.com, Target.com, Packard Bell.com,
Walmart.com, Rediff.com, MiamiHerald.com, Bloomingdales.com,
PatentStorm.us, WebShots.com, Sears.com, Forbes.com, Ugo.com,
Bartleby.com, Linkedwords.com, Circuitcity.com, Allwords.com,
Blogdigger.com, Epinions.com, Buyersindex.com, Jcpenney.com,
Nakido.com, Uvm.edu, hobbes.nmsu.edu, jurist.law.pitt.edu,
boisestate.edu

And this is the latest assessment of the situation in terms of the
malware served and the domains/IPs involved :

http://ddanchev.blogspot.com/2008/03/massive-iframe-seo-poisoning-attack.html

Regards
-- 
Dancho Danchev
Cyber Threats Analyst/Blogger
http://ddanchev.blogspot.com
http://windowsecurity.com/Dancho_Danchev


[Full-disclosure] More High Profile Sites IFRAME Injected

2008-03-12 Thread Dancho Danchev
The ongoing monitoring of this campaign reveals that the group is
continuing to expand the campaign, introducing over a hundred new
bogus .info domains acting as traffic redirection points to the
campaigns hardcoded within the secondary redirection point, in this
case radt.info where a new malware variant of Zlob is attempting to
install through an ActiveX object. Sample domains targeted within the
past 48 hours :

lib.ncsu.edu; fulldownloads.us; cso.ie; dblife.cs.wisc.edu;
www-history.mcs.st-andrews.ac.uk; ehawaii.gov; timeanddate.com;
boisestate.edu; aoa.gov; gustavus.edu; archive.org;
gsbapps.stanford.edu; bushtorrent.com; ccie.com; uvm.edu; thehipp.org;
mnsu.edu; camajorityreport.com; medicare.gov; usamriid.army.mil

http://ddanchev.blogspot.com/2008/03/more-high-profile-sites-iframe-injected.html

Regards
-- 
Dancho Danchev
Cyber Threats Analyst/Blogger
http://ddanchev.blogspot.com
http://windowsecurity.com/Dancho_Danchev


[Full-disclosure] Wired.com and History.com Getting RBN-ed

2008-03-11 Thread Dancho Danchev
Monitoring last week's IFRAME injection attack at high page-ranked
sites reveals a simple truth, that persistent simplicity seems to
work. The attack is still ongoing, this time successfully injecting a
multitude of new domains into Wired Magazine, and History.com's search
engines, which are again caching anything submitted, particularly not
validated input to have the malicious parties in the face of the RBN
introducing a new malware, in between the pharmaceutical scams that
they serve on the basis of an affiliation model.

http://ddanchev.blogspot.com/2008/03/wiredcom-and-historycom-getting-rbn-ed.html

Regards
-- 
Dancho Danchev
Cyber Threats Analyst/Blogger
http://ddanchev.blogspot.com
http://windowsecurity.com/Dancho_Danchev


[Full-disclosure] More CNET Sites Under IFRAME Attack

2008-03-06 Thread Dancho Danchev
With the recent IFRAME injection attack targeting ZDNet Asia, by
abusing the site's search engine caching capabilities in a combination
with the lack of input sanitization, several more CNET Networks' web
properties besides ZDNet Asia, namely, TV.com, News.com and
MySimon.com are currently getting targeted using the same technique to
inject the IFRAMEs and have the sites cache and locally host the
results. The following assessment outlines the IPs and domains used
in the IFRAMEs, the domains and IPs hosting the rogue anti-virus and
anti-spyware applications, as well as the detection rates of the
applications.

http://ddanchev.blogspot.com/2008/03/more-cnet-sites-under-iframe-attack.html

Regards
-- 
Dancho Danchev
Cyber Threats Analyst/Blogger
http://ddanchev.blogspot.com
http://windowsecurity.com/Dancho_Danchev


[Full-disclosure] ZDNet Asia and TorrentReactor IFRAME-ed

2008-03-04 Thread Dancho Danchev
An in-depth overview of a currently active malware IFRAME campaign,
that's targeting ZDNet Asia and TorrentReactor's search engine
optimization practices of generating, and locally caching the search
queries pages, thereby positioning the now cached popular keywords
with the IFRAME between the first ten to twenty search results, taking
advantage of the sites' high page ranks. The current state of the
exploitation technique used, allows the malicious parties to basically
inject as many, and as diverse keywords, presumably taking advantage
of today's world events. Sample redirects, lead me to known Russian
Business Network netblocks and ex-customers in the face of rogue
anti-virus and anti-spyware applications, as well as fake codecs.

http://ddanchev.blogspot.com/2008/03/zdnet-asia-and-torrentreactor-iframe-ed.html

Regards
-- 
Dancho Danchev
Cyber Threats Analyst/Blogger
http://ddanchev.blogspot.com
http://windowsecurity.com/Dancho_Danchev

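The pattern the three IFRAME posts above describe (ZDNet Asia/TorrentReactor, the other CNET properties, Wired.com and History.com) modelled end to end, as an added example and not code from the posts: a site that renders search queries into result pages and caches them under static, crawlable URLs, with the unescaped renderer beside one that HTML-escapes the query at render time, plus a scan over the cache for IFRAMEs pointing off-site that a site owner could run as a check. The site, the query, the redirector domain (example.invalid never resolves) and the trusted host list are constructed for illustration and appear in none of the posts.

```python
"""Cached-search IFRAME injection, modelled end to end.

Added example, not code from the posts. The site, the query, the redirector
domain (example.invalid never resolves) and the trusted host list are all
constructed for illustration.
"""
import html
import re
from urllib.parse import quote_plus, urlparse

# Constructed attacker query: a popular keyword so the cached page ranks,
# followed by a hidden IFRAME pointing at a hypothetical redirector.
INJECTED_QUERY = ('world news <iframe src="http://bad.example.invalid/in.cgi?3" '
                  'width=0 height=0></iframe>')
TRUSTED_HOSTS = {"www.example.com"}   # hypothetical site being abused


def vulnerable_search_page(query: str) -> str:
    """Reflects the raw query into the page: the flaw the posts describe."""
    return f"<html><body><h1>Search results for: {query}</h1></body></html>"


def hardened_search_page(query: str) -> str:
    """Same page, but the query is HTML-escaped at render time, so any tag
    in it is stored and served as inert text."""
    safe = html.escape(query, quote=True)
    return f"<html><body><h1>Search results for: {safe}</h1></body></html>"


class SearchCache:
    """Models a site that stores every rendered results page under a static,
    crawlable URL (the SEO practice the campaign piggybacked on)."""

    def __init__(self, renderer):
        self.renderer = renderer
        self.pages = {}   # url -> cached html

    def search(self, query: str) -> str:
        url = f"/search?q={quote_plus(query)}"
        if url not in self.pages:          # first visitor poisons the cache
            self.pages[url] = self.renderer(query)
        return url


IFRAME_SRC = re.compile(r"<iframe\b[^>]*?\bsrc\s*=\s*[\"']?([^\"'\s>]+)", re.I)


def offsite_iframes(page: str, trusted_hosts) -> list:
    """Return IFRAME src URLs in a page whose host is not one of ours."""
    srcs = IFRAME_SRC.findall(page)
    return [s for s in srcs if (urlparse(s).hostname or "") not in trusted_hosts]


def scan_cache(cache: SearchCache, trusted_hosts) -> dict:
    """Site-owner check: walk the cached result pages and report the ones
    carrying live off-site IFRAMEs, keyed by cached URL."""
    hits = {}
    for url, page in cache.pages.items():
        found = offsite_iframes(page, trusted_hosts)
        if found:
            hits[url] = found
    return hits


def demo():
    """Run the same injected query through both renderers; returns both scan results."""
    vuln, hard = SearchCache(vulnerable_search_page), SearchCache(hardened_search_page)
    vuln.search(INJECTED_QUERY)
    hard.search(INJECTED_QUERY)
    return scan_cache(vuln, TRUSTED_HOSTS), scan_cache(hard, TRUSTED_HOSTS)


if __name__ == "__main__":
    vuln_hits, hard_hits = demo()
    print("vulnerable cache:", vuln_hits)   # one poisoned page, off-site src listed
    print("hardened cache:  ", hard_hits)   # {}
```

The fix is output encoding at the point where the query is written into HTML, not filtering of the query on the way in; a blocklist of tag names would miss the next encoding trick, while escaping makes any markup inert regardless of what it is. The scan is the check for the existing cache: pages poisoned before the fix stay served until they are purged.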


[Full-disclosure] Malicious Advertisements Serving Domains

2008-02-21 Thread Dancho Danchev
Hello,

These are some of the domains behind the recent malicious advertising
campaigns pushing rogue SWF ads. Besides being connected, the majority
of ad campaigns point to RBN's customers' base as well.

http://ddanchev.blogspot.com/2008/02/malicious-advertising-malvertising.html

Here's another such malicious ecosystem based on an affiliate model,
where participating sites serve malware on behalf of the fake
advertising agency :

http://ddanchev.blogspot.com/2008/02/serving-malware-through-advertising.html

Regards,
Dancho


[Full-disclosure] Large Scale MySpace Phishing Attack

2007-11-19 Thread Dancho Danchev
In need of a creative phishing campaign of the year? Try this,
perhaps the largest phishing attack spoofing MySpace and collecting
all the login details at a central location, that's been active for
over a month, and continues to be. A Chinese phishing group has come
up with legitimate looking MySpace profiles (profile.myspace.com) in
the form of subdomains at their original .cn domains, and by doing so
achieve its ultimate objective - establish trust through
typosquatting, remain beneath the security vendors radar by comment
spamming the URLs inside MySpace, and obtain the login details of
everyone who got tricked.

Complete assessment in the form of domains and URLs participating, as
well as the message used per domain for the internal comment spam
campaign, is available here :

http://ddanchev.blogspot.com/2007/11/large-scale-myspace-phishing-attack.html

Regards,
Dancho


[Full-disclosure] Dissecting The Electronic Jihad v3.0

2007-11-08 Thread Dancho Danchev
Screenshots, checksums, detection rates, main campaign URL, and target
synchronization URLs -- now offline -- included. Key point : the
central update locations at the al-jinan.net domain are down, and so
are the several others included, so you have a situation where forums
and people start recommending the tool, they obtained it before the
site was shut down, but couldn't get the list of targets to be attacked.

Electronic Jihad v3.0
http://ddanchev.blogspot.com/2007/11/electronic-jihad-v30-what-cyber-jihad.html

Electronic Jihad v2.0
http://ddanchev.blogspot.com/2007/08/cyber-jihadist-dos-tool.html

Regards,
Dancho


[Full-disclosure] Google Hacking for MPacks, Zunkers and WebAttackers

2007-09-10 Thread Dancho Danchev
The following are IPs and domain names currently or historically used
to host MPack, WebAttacker and Zunker control panels as well as live
exploit URLs within the packs. Some are down, others are still
accessible, the rest are publicly cached. If index.php doesn't exist,
admin.php or zu.php act as the default admin panel.

http://ddanchev.blogspot.com/2007/09/google-hacking-for-mpacks-zunkers-and.html

Regards,
Dancho


[Full-disclosure] Graphs of Storm Worm's Fast Flux Networks

2007-09-05 Thread Dancho Danchev
Here are some handy graphs of Storm Worm's use of fast-flux networks
generated during the last several hours acting as great examples of
how diverse malware C&C has become :

http://ddanchev.blogspot.com/2007/09/storm-worms-fast-flux-networks.html

Regards,
Dancho


[Full-disclosure] Popular Malware Kits and Tools

2007-08-22 Thread Dancho Danchev
The following are links to some of the currently popular malware kits
in action, as well as several misc tools, with assessments of the
malicious URLs, detection rates, and related screenshots that were
obtained :

The Nuclear Malware Kit
http://ddanchev.blogspot.com/2007/08/nuclear-malware-kit.html

The IcePack in Action
http://ddanchev.blogspot.com/2007/07/icepack-malware-kit-in-action.html

The WebAttacker in Action
http://ddanchev.blogspot.com/2007/05/webattacker-in-action.html

Massive Embedded Web Attack in Italy - MPack
http://ddanchev.blogspot.com/2007/06/massive-embedded-web-attack-in-italy.html
http://ddanchev.blogspot.com/2007/07/malware-embedded-sites-increasing.html

The RootLauncher Kit
http://ddanchev.blogspot.com/2007/02/rootlauncher-kit.html

DIY Phishing Kit
http://ddanchev.blogspot.com/2007/08/diy-phishing-kits.html

A Cyber Jihadist DoS Tool
http://ddanchev.blogspot.com/2007/08/cyber-jihadist-dos-tool.html

A Commercial Click Fraud Tool
http://ddanchev.blogspot.com/2007/08/commercial-click-fraud-tool.html

The BlackSun Bot - Web based Bot
http://ddanchev.blogspot.com/2007/04/shots-from-malicious-wild-west-sample_7672.html

The Cyber Bot - Web based Bot
http://ddanchev.blogspot.com/2007/04/shots-from-malicious-wild-west-sample_20.html

The RAT- DIY Keylogger
http://ddanchev.blogspot.com/2007/03/shots-from-malicious-wild-west-sample_3723.html

A Malware Loader for Sale
http://ddanchev.blogspot.com/2007/05/malware-loader-for-sale.html

Yet Another Malware Cryptor In the Wild
http://ddanchev.blogspot.com/2007/05/yet-another-malware-cryptor-in-wild.html

DIY Malware Droppers in the Wild
http://ddanchev.blogspot.com/2007/06/diy-malware-droppers-in-wild.html

More Malware Crypters for Sale
http://ddanchev.blogspot.com/2007/07/more-malware-crypters-for-sale.html

A Multi-Feature Malware Crypter
http://ddanchev.blogspot.com/2007/07/multi-feature-malware-crypter.html

Regards,
Dancho


[Full-disclosure] Analyses of Cyber Jihadist Forums and Blogs

2007-08-19 Thread Dancho Danchev
Where are cyber jihadists linking to, outside their online
communities? Which are the most popular file sharing and video hosting
services used to spread propaganda, training material and communicate
with each other? What are their favorite blogs, and international news
sources? How does the Internet look like through the eyes of the cyber
jihadist? This post will provide links to cyber jihadist communities,
with the idea to aggregate a decent sample of how cyber jihadists use,
and abuse the Internet to achieve their objectives. It is based on
external URLs extraction of over 5,000 web pages directly related to
cyber jihadist communities.

http://ddanchev.blogspot.com/2007/08/analyses-of-cyber-jihadist-forums-and.html

Regards,
Dancho
