Tuesday, March 26, 2013

We are releasing an announcement of the suspension of 263 malware domains as the latest result of Operation Tango Down [What is TangoDown?], as per the details below. The current suspension is the work of good coordination between the security researchers who spotted the threat, our PiC in charge (thanks to @essachin) and the related registrant who helped with the suspension and banning procedure process accordingly....

Sunday, March 24, 2013

With the help of malware researchers and solid coordination with the authorities and admins involved, we successfully stopped the mass attack of the current threat, which damaged hundreds of Linux Apache web servers within a 2-week infection period. I thank the authority who finally approved MalwareMustDie releasing the know-how for this threat in this simple post. The credit list is written under this post....

Friday, March 15, 2013

I know this isn't a surprise anymore, but it still annoys the hell out of me. Whilst following a malware trail, I found 3 more examples of misleading marketing. One of them on depositfiles.com, and 2 of them on zippyshare.com. In all 3 cases, the route went through adsmarket.com (also not a surprise). First we have a fake flash player. This was loaded by; hxxp://www76.zippyshare.com/pop.jsp...

Thursday, March 7, 2013

This story all started from an EK landing page at: "h00p://17.247nycr.com/news/breaks-harmless.php" in the IP: 173.246.102.2
At the below network registration:
NetRange: 173.246.96.0 - 173.246.111.255
CIDR: 173.246.96.0/20
OriginAS: AS29169
NetName: GANDI-NET-DC1-1
NetHandle: NET-173-246-96-0-1
Parent: NET-173-0-0-0-0
NetType: Direct Allocation
Comment: ...

Tuesday, March 5, 2013

*) This is my last post for this infection, FYI: we went far too long trying to keep things right.. Today we detected a malware infection campaign created by the same bad actors we always follow. The URLs below were set up for a Password/Credential stealer (PWS) Trojan via spam email, as reported by fellow researcher Mr. Conrad Longmore in the "Dynamoo Blog" posts → [here] and [here]:
h00p://forumla.ru:8080/forum/links/column.php
h00p://forumny.ru:8080/forum/links/column.php
h00p://forum-ny.ru:8080/forum/links/column.php
h00p://forum-la.ru:8080/forum/links/column.php
h00p://foruminanki.ru:8080/forum/links/column.php
h00p://forumilllionois.ru:8080/forum/links/column.php
h00p://210.71.250.131:8080/forum/links/column.php
h00p://198.104.62.49:8080/forum/links/column.php...

Monday, March 4, 2013

Just a note folks, the vURL server will be offline for another hour or two, to allow for essential maintenance.
Sites affected:
vurldissect.co.uk
apk.it-mate.co.uk
avant.it-mate.co.uk
bartware.it-mate.co.uk
bughunter.it-mate.co.uk
dnsbh.it-mate.co.uk
hostsman.it-mate.co.uk
naomi.it-mate.co.uk
support.it-mate.co.uk
temp.it-mate.co.uk
helenbenoist.co.uk
ashsofdev.tk
8gc.com
Sorry for the...