Amazon AWS, a famous cloud, is loaded with banking Trojan malware found injected via some users like: junormario, flashssa, twttreng, etc. Infection dates are from October 27th to NOW. These infection links have already been found in spam emails, meaning this is in the wild / an ongoing scheme! These Trojans were found with a direct download link/URL or with the IFRAME pattern. Moreover, most infected downloads are on HTTPS. Case-by-case analysis details are obviously not needed for these infections,...
Sunday, October 28, 2012


Following the previous blog posts on the cases of the PseudoRandom or JS/RunForrestRun infector, in this crusade we found the bad actor's new scheme is spreading a new infection using this malicious obfuscated random infector. We released the details in our pastebin here: --->>[PASTEBIN], and will summarize the details as follows: NEW infectors have been popping up since Oct 26th at the URLs listed in the pastebin...


We know GoDaddy is quite popular as a victim of infectors, but this time we found a rare case showing hard proof that GoDaddy is being used as the CNC server of a Trojan which downloads other stuff, implements a backdoor and spies/sends information to the CNC. It is well written in our pastebin here: --->>[PASTEBIN], so I'm not going to repeat it here, but I pasted below the GoDaddy CNC PoC only: ==================================NETWORK TRAFFIC DETAILS=================================...



Going home after a full week's work trip put me in the mood to decode malware. I rested a while and went straight to start the crusade in #MalwareMustDie. This weekend we found many interesting things, one of them being what is written in this title. Most of the details are already written in our pastebin here: --->>[PASTEBIN]. Please see the pastebin data before you continue. So this blog is about the conclusion,...
Sunday, October 21, 2012


This post is dedicated to the wonderful individuals, coming from varied countries and cultures, who gathered together to push malware infection down to the very minimum level by aggressively researching new infections during their rest/private time on weekends. This is the story of #MalwareMustDie, the malware crusaders, with its Team Work Report: It is a quickie, and since the bad...
Thursday, October 18, 2012


The reputation of the UK's computer repair industry took another hammering last week following a BBC Watchdog investigation into two Worcestershire-based computer repair firms. The flagship consumer affairs programme looked into Click 4 PC and Click Computers in response to reports from viewers about missing personal data, botched repairs and a computer being held to ransom. The subsequent...



We are following an infection case that hit Japan, recently announced in the 0day.jp blog -->>[CASE: OCJP-074]. I don't think we are "that bad" at decoding JavaScript obfuscation, but I am telling you it becomes a headache sometimes. In this case we are describing not-so-easy-to-crack malware obfuscation code which, after being obfuscated, was also packed with JavaScript packer tools,...
Monday, October 15, 2012


This is a contribution from our #MalwareMustDie fellow researcher during his crusade against malware: research material on an Android malware, complete from evil code analysis down to its crime aspect, which is linked to SMS fraud and more. This post is also a cross post from (checkmate), done by Sanoop Thomas (@s4n7h0) from InR Labs of NII Consulting. All rights reserved to the author. The research...


Ever since InfoSec, I've been getting spam from PKware.com, despite several emails to them politely asking them not to, and despite clicking their unsubscription link, which is rather hilarious in itself, given I never subscribed in the first place (I don't normally click unsubscription links if I've never subscribed in the first place; I only did in this case because I knew where they got the...
Sunday, October 14, 2012


UK premium-line regulator PhonepayPlus has slapped Churchcastle Limited with the largest fine it has dished out to date, ruling the phone-quiz host guilty of misleading and bamboozling callers with impenetrable terms and conditions. After it received 15 complaints, PhonepayPlus found Churchcastle guilty of targeting the elderly, keeping them hanging on the line at up to £1.53 a minute, inducing t...
Friday, October 12, 2012


I needed a little break from work, so I decided to sort out a few things in Outlook Export. First and foremost, the About dialog has been updated. Secondly, v0.1.11 now includes a work-around for Runtime error 462 "The remote server machine does not exist or is unavailable". Third, when exporting, duplicates are now removed (they were meant to have been anyway, but for some reason it was ignoring...
Sunday, October 7, 2012


I recently had an e-mail from Kyle at kcsoftwares.com regarding his site's listing in hpHosts. Sadly, OVH are still blocking my emails, and as he used OVH for his mail server, my reply to his email got blocked as well (blocked emails to OVH show as a timeout when attempting to send the email to addresses using their mail server - rather annoying given other mail servers at least send a reject...
Saturday, October 6, 2012


Tired from lack of sleep during a weekend server deployment in the IDC, I arrived home and just joined the #MalwareMustDie hunting session. Somehow I found myself tracing the latest infections spread by the JS/runforestrun?xxx= infection, and found some new information, which I don't think my usual pastebin info-sharing will be enough to express, so I am writing it in this blog. I am half asleep writing this, so if I miss...
Friday, October 5, 2012


The hpHOSTS Hosts file has been updated. There is now a total of 184,831 listed hostnames. If you are NOT using the installer, please read the included Readme.txt file for installation instructions. Enjoy! :) Latest Updated: 05/10/2012 23:15 Last Verified: 04/10/2012 12:00 Download hpHosts now! http://hosts-file.net/?s=Downl...
Thursday, October 4, 2012


The Federal Trade Commission has launched a major international crackdown on tech support scams in which telemarketers masquerade as major computer companies, con consumers into believing that their computers are riddled with viruses, spyware and other malware, and then charge hundreds of dollars to remotely access and "fix" the consumers' computers. At the request of the FTC, a U.S. District...
Tuesday, October 2, 2012


Looking at a recent case of a compromised site, I noticed something rather surprising - they're not even bothering to try and make the code difficult to decode. I'm pondering, of course, the thought that this is deliberate, due to the changes in v2.0 of the Blackhole exploit kit (others have already written about that [1] [2], so I won't go into that here), but even if this is the case, the choice of...


As some of you know, I've been in the US for VB2012 and to visit the chaps and chapesses at the Malwarebytes HQ since September 24th; I got back around mid-day on the 30th. First and foremost, I'd like to say thank you to those involved in VB2012, as it was fantastic. Indeed, the only things I didn't like were the bleedin' heat (felt like I was melting), and the lack of both wifi and plug sockets...
Monday, October 1, 2012



*) This post is dedicated to the MalwareMustDie Malware Crusaders team involved! Maybe some of you read our previous blog (HERE) when we cracked the last encrypted code used by the Pbot malware gang. Recently we've been on the Exploit Kit, but during the last hunt we had in #MalwareMustDie, the sniper team aimed at a different infector's vector. For example, in a previous blog (HERE) we nailed a Shanghai Chinese individual who...