Friday, 28 June 2013

MalwareMustDie, NPO, during its research activities, treats the suspension of malicious domains as an important milestone in the fight against malware. It also publicly releases some of the suspended domains in "Operation Tango Down" [What is TangoDown?] as a public announcement. The current report is a fast and successful suspension process, thanks to good coordination between members who...

Monday, 24 June 2013

Summary of infection chains: This is going to be a long write-up, but the weekdays have started, and so has the daily work, which comes first under #MalwareMustDie, NPO rules, so please allow me to split this post into two parts; this is the important part. Found this EK in the progress of infection; the URI reference, landing page and malicious obfuscated code used show traces of the Neutrino Exploit Kit,...

Monday, 17 June 2013

If you've tried emailing me in the last 24 hours, you've probably noticed my incoming mail server once again has issues. No clue what those issues actually are; Domain Monster have advised they're looking into it. Needless to say, I can't receive emails at present, I'm afraid. I can still be reached via the several forums I frequent/own/manage. References: http://hphosts.blogspot.co.uk/2013/...

Monday, 10 June 2013

I sent an abuse report recently (the report in this case was actually sent to r01.ru, but r01.ru = hostcomm.ru), as I do several hundred times per day, and a few minutes ago this arrived: ** Automatic message. Your request has been classified as spam. This means that further processing of the request has been stopped. If you believe this happened by mistake, please contact us at...

Friday, 7 June 2013

Summary: This zero-day PoC (thanks to KingCope for announcing the zero-day, a great share!) is having a huge impact at the worst possible time in malware web-infection trends, with a botnet spreading via file injection already in the wild and spotted (salute to RepoCERT), so we found it necessary to quickly post the vulnerability clarification here (via @unixfreaxjp), and a short memo here about this threat in order to mitigate...

Wednesday, 5 June 2013

You've probably noticed by now that the server that houses it-mate.co.uk and forum.avantbrowser.com (amongst others) is down and has been for at least 48-72 hours or thereabouts. The reason, I'm told, is that the server is still under a DDoS attack. No idea who is responsible at this point, or why, and I am waiting for the host to send me further details. In short, once I know - you wi...

Tuesday, 4 June 2013

Summary: To be honest, since learning that most Linux malware blocks my IP and my country's access, I changed my strategy to invite and trap them with the honeypot method on a dummy server, letting them come and attack. (I think) I was preparing it well.. but after some time without anything happening I was thinking this strategy wasn't working well AAND...! Today the swatch script poked me...
It is a workday so I can not post much, so please bear with the short analysis below. But today I can't get rid of my curiosity after reading Mr. Conrad Longmore's newest post on Dynamoo Blog (nice report!) about the malvertisement with an encrypted/password-protected zip attachment (here's the link -->>[Dynamoo Blog]). I got lucky to have a similar sample dated today in my honeypot, as follows...

Sunday, 2 June 2013

Background: If you read the post's title carefully, this post is exactly what it says. It was shocking, and it took us a long time to confirm the source code piece by piece until we were pretty sure that the data is valid. The data was found by our team member (thanks for the great and swift follow-up) after receiving an anonymous hint; a torrent account was found which led to a file share containing these malicious contents....