Just when you thought it couldn't get stupider than Cameron's imposing of the smut ban in the UK, this Russian politico has decided to out-do Cameron in the "yep, we can be even more brainless!" stakes. http://www.theregister.co.uk/2013/07/29/russia_to_ban_swearing_on_social_networks_good_luck/ This woman has clearly never seen some of the Russian and Ruskranian blackhat forums I monitor (or for that...
Tuesday, 30 July 2013
Thursday, 25 July 2013


Looking up the POST beep codes for a Sony Vaio led me to a thread on sevenforums.com a few minutes ago, which rather disgustingly (I'd say surprisingly, but I'm not surprised by SysTweak's ongoing badness anymore; they've been at it so long) led to 4 more examples of misleading advertising, one belonging to Spark Trust and 3 others belonging to SysTweak. The first [1] of these is at least...



Note: I wrote this post as a quick note to raise awareness of this threat, a warning note for Facebook users, and thus a PoC to be used as the verdict for shutting down the related domain and IP, so I am sorry if you do not find any deep analysis this time. We received tons of fake Facebook notification email spam following three theme patterns: (1) asking you about Facebook password changes, (2) "Your...
Wednesday, 24 July 2013



MalwareMustDie, NPO, during its research activities, treats the suspension of malicious domains as an important milestone in its malware-fighting steps, and also publicly releases some of the suspended domains in "Operation Tango Down" [What is TangoDown?] as a public announcement. This time we are shutting down the 97 .RU domains used by the Kelihos Trojan payload download server, which was...
Tuesday, 23 July 2013



I came across an infection site spotted in a Japanese network, as per the snapshot below: it is a site that guides and introduces work for female workers, and that site is infected with the obfuscated code of RunForrestRun, a DGA .RU domain-based malware infection. We have had experience with this DGA from day one of starting MalwareMustDie, so if you search for the RunForrestRun keyword in our blog...



You know me as @malm0u53, crusade member of MalwareMustDie. In this investigation report I will write about what the #CookieBomb code injection attack can actually damage and infect in our systems. I saw a widespread code injection infection reported here, and decided to help the investigation: RT @unixfreaxjp: @Secluded_Memory you know I would if I could, I can't now, grab it from my prev. tweets,...
Monday, 22 July 2013


One of these days (yep, day dreaming again), I'll go on a little virtual walk and not bounce off misleading adverts such as the following. All were found in the usual places (adf.ly, adfoc.us) and on sites engaged in scamming (watchfreemovies.ch, found whilst investigating another site). The award for the most disgusting scareware advert goes, surprise surprise, to SysTweak, who are...
Saturday, 20 July 2013



We posted about the attack related to this injection code found in many web pages, as posted here: -->>[previous post]. I called this the #CookieBomb attack: it uses obfuscated JavaScript to burp out a hidden redirection via IFRAME, with a cookie condition used as a ticket for further malicious redirection and malware infection. This post is an additional note on recent updates of the injection code...
Friday, 19 July 2013



We detected a massive infection of RedKit in Japan, as posted by our Japanese team here -->>[0day.jp]. The RedKit attack was targeting innocent popular sites, like a site about the happy relationship of mother and child and an office document navigation site, as per the snapshot below (we detected that 54 sites across 214 URLs are infected). After cracking the exploit code we found these are the payloads used: and We...



As the title says, the answer is VERY bad and nasty. I took my bitter pill by analyzing this case; it is important to share this information since there is a real lack of it on the internet, so I dared myself to write up this analysis experience. Yesterday we came across a spam malvertisement carrying a login credential stealer (Trojan Win32/Fareit) which looks like it was sent from an infected PC in a local network...