Darkleech – malicious Apache mod anti-forensics – client-side.


I wrote about Darkleech last year, and one question remains open. Among the anti-forensics features of it that the seller declared were:

– frame delivered to unique users only, no frame on repeat visits.

So – how does it look for the victim, and how is it implemented?

Since then, Linux/Chapro.A was posted on SecLists and analysed by Kaspersky and ESET.

Afterwards Eric Romang provided some details indicating that it appears to be a version of the Darkleech module.

And here it appears again: UnixFreaxJP's blog reports a massive attack on the Japanese segment of the Internet.

Well, it's time to see whether it is DarkLeech and how the anti-forensics is implemented there, from the client's PoV 🙂

OK. Let's look at any of the servers in the list:

Read more…

Cool Exploit Kit – “We Try harder!”


Heh, when I am sick – it’s time to hunt…


Temperature: 37.8 C

Local Time: 23:00

Mood: [censored]

Test machine: fully updated (PDF, Flash, Java up to 7u17)

Live Exploit Kits in list: 5

What we are testing:

How dangerous surfing can be for those who follow best practices – at least performing updates.


The behaviour of all tested Exploit Kits can be described as:

– If plugin detection is present, the kit realises that no vulnerable plugins were detected, and either

– no exploit is served at all [Safe end]

– the latest available Java exploit is served anyway. [Fail]

– If plugin detection is not present, all available exploits are executed and fail.

* Sometimes the LibTiff exploit crashes the PDF plugin; once, a Java error message appeared…

Bottom line – if a machine is up to date – well, leave it, there are plenty of easy targets around.

Except for Cool Exploit Kit. Let me show you some fun stuff there…
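To make the three outcomes above reproducible, here is an added example (not code from this post and not from any exploit kit) that models the plugin-version gating a PluginDetect-based landing page performs. The kit definitions, exploit names and version thresholds are constructed for illustration and do not describe any real kit's coverage; the "up to date" browser is the 7u17 test machine from this post.

```python
"""Added example; not code from the post and not from any exploit kit.
It models the plugin-version gating the post describes for PluginDetect-based
landing pages, so the three outcomes (safe end / fail / no detection) can be
reproduced. Kit definitions and version thresholds are constructed for
illustration and do not describe any real kit's coverage."""


def parse_version(version):
    """'1.7.0_17' -> (1, 7, 0, 17); '11.6.602.180' -> (11, 6, 602, 180).

    Comparing the raw strings would rank '1.7.0_9' above '1.7.0_17', which is
    exactly the kind of mistake that makes a kit fire (or skip) the wrong exploit.
    """
    return tuple(int(part) for part in version.replace("_", ".").split(".") if part.isdigit())


def is_vulnerable(installed, max_vulnerable):
    """True if the installed version is at or below the last version the exploit works on.
    max_vulnerable=None models a kit that serves the exploit regardless of version."""
    if max_vulnerable is None:
        return True
    return parse_version(installed) <= parse_version(max_vulnerable)


def select_exploits(kit, detected):
    """Names of the exploits a landing page would serve to this browser.

    kit:      {"plugin_detect": bool, "exploits": [{"name", "plugin", "max_vulnerable"}, ...]}
    detected: plugin -> version string as reported by plugin detection, e.g. {"java": "1.7.0_17"}
    """
    if not kit["plugin_detect"]:
        # No detection: everything is thrown at the browser and fails on a patched machine.
        return [e["name"] for e in kit["exploits"]]
    return [e["name"] for e in kit["exploits"]
            if e["plugin"] in detected and is_vulnerable(detected[e["plugin"]], e["max_vulnerable"])]


# Constructed browsers: the fully patched test machine from the post, and an outdated one.
UP_TO_DATE = {"java": "1.7.0_17", "flash": "11.6.602.180", "pdf": "11.0.02"}
OUTDATED = {"java": "1.7.0_10", "flash": "11.5.502.110", "pdf": "9.5.3"}

# Constructed kits (thresholds are illustrative, not any real kit's coverage).
KIT_SAFE_END = {"plugin_detect": True, "exploits": [
    {"name": "java", "plugin": "java", "max_vulnerable": "1.7.0_10"},
    {"name": "pdf_libtiff", "plugin": "pdf", "max_vulnerable": "9.3"},
    {"name": "flash", "plugin": "flash", "max_vulnerable": "11.5.502.110"},
]}
KIT_FAIL = {"plugin_detect": True, "exploits": [
    {"name": "java", "plugin": "java", "max_vulnerable": None},  # "last Java exploit served" regardless
    {"name": "pdf_libtiff", "plugin": "pdf", "max_vulnerable": "9.3"},
]}
KIT_NO_DETECT = {"plugin_detect": False, "exploits": KIT_FAIL["exploits"]}

if __name__ == "__main__":
    for label, kit in (("safe end", KIT_SAFE_END), ("fail", KIT_FAIL), ("no detect", KIT_NO_DETECT)):
        print(f"{label:10} patched: {select_exploits(kit, UP_TO_DATE)!s:22} outdated: {select_exploits(kit, OUTDATED)}")
```

Running it prints an empty list for the patched browser against the "safe end" kit, `['java']` against the "fail" kit (the Java exploit is served regardless of version and fails on 7u17), and both exploits against the kit without detection.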

Read more…

Security is everyone’s concern, or why Blacklisting fail.


“Democracy is the worst form of government, except for all those other forms that have been tried from time to time.” (Winston Churchill)

I had written a huge philosophical part here… But then I realised that too much ideology has already been dumped onto the Net, no need to add more.

So – take Mr. Churchill's quote and put "Blacklisting" in place of "Democracy" << this is exactly my point.

To make a long story short – when it comes to protection against malware, blacklisting fails.

Why? Simple.

Blacklisting – "…a blacklist or block list is a basic access control mechanism that allows through all elements (email addresses, users, URLs, etc.), except those explicitly mentioned. Those items on the list are denied access…" (Wikipedia)

So, basically, how it should work:

1. Someone detects that IP x.x.x.x or domain badassmalwarehomepage.com is spreading malware, has an Exploit Kit installed, or shows some other malicious activity

2. The IP or domain is added to a blacklist – now all software that works with that blacklist is protected from visiting this bad site.

3. Internet safe! (Yeah…)

And how it works now:

1. A malicious IP or domain is detected. It takes some time to detect a new attack, discover all the infectors, gather all the evidence and prepare a report.

2. The IP/domain is reported. There are plenty of different lists, each with its own rules. It takes some time to re-check and add to the list – otherwise the list itself could be abused for malicious purposes.

3. Clients are not up to date, lists are delivered from time to time, and checking against a list takes time and traffic. And bottom line – at the very fastest it takes 2–3 days to get it done. The attacker has already profited, monetised and is planning the next attack.

Nothing new for many of you, and as I said – it's a terrible solution, but we don't have another one right now.

But wait – it's even worse 🙂

Malware doesn't need to have its own IP/domain exposed to victims, or even to malware researchers, at any level. Let me show you how.

Read more…


CrimeBoss Exploit Kit – Java CVE-2013-0422 + SE tricks :)


CrimeBoss EK is already known and described; you can see it here:



So I will not paste all the details step by step. Whoever is interested – see it here.

What was interesting in this particular case – a Java exploit that tries to convince the victim that it is Adobe Flash Player. 🙂


Not new, actually, you're right. @kafeine recently posted some details about similar behaviour of a recent Java exploit in Popads EK.

So – as you can see, the idea seems to be spreading among other malware spreaders as well. 🙂

Actually, if you press "Cancel" at this point, no harm is done to your machine (if Java is up to date).

If Java is outdated – 2 additional exploits are served as well.

Here are the samples on VT:




Bin [6/46]

That’s all

Stay safe




Portal TDS – walking after “Monster”


Another day, another attack on Internet surfers 🙂

But this time a new piece of software is used..

It calls itself "Portal TDS – You monster v 2.02"

List of detected links on URLQuery1 or URLQuery2 (looks like it's not yet in the list of known TDS patterns?)

TDS Administrator login page:


Read more…

List of compromised domains [2725] that spread RedKit EK.


Hi all, folks.

I need your help.

For the last few months we have been watching the former Redkit spreading all over, using compromised websites to get into victims' machines.

At this point, the combined tracker results indicate that at least 2725 unique domains were compromised and participated in Redkit spreading from 11.11.2012 till 31.01.2013.

Since I literally have no free time to manage the whole cleanup process and no resources to provide support to the owners of those web resources (most of them don't even respond to mail), here is the list.

Please note that this list is not 100% solid; there were a few changes in the Exploit Kit's spreading system that required the tracking agent to be reconfigured, but bottom line – it's at least 90% accurate.

Some domains were cleaned up, some were abused and taken down by the hosting company or owner. Most of the listed hosts are still infected, I assume. And since the MDS system reuses them frequently, they will appear malicious again at some point. Please act accordingly.

In case your website is listed here:

Removal instructions [for site/host/shared hosting service owners]:

1. Search for .htaccess files and php.ini or .user.ini files in the root directories, and check them for mod_rewrite.c entries (see more details here)

2. Clean the files referenced in the mod_rewrite.c section of .htaccess

3. Hire a security professional who will harden your website/service to prevent future intrusions. Otherwise the malware will return.
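For step 1, here is an added helper (not from this post) that walks a web root, collects .htaccess, php.ini and .user.ini files, prints any `<IfModule mod_rewrite.c>` section and flags the lines worth cleaning in step 2. Two heuristics are this example's own assumptions about what an injection looks like, since the post only names the files: a RewriteRule whose target is an absolute http(s) URL, and an auto_prepend_file / auto_append_file line in the ini files. The sample site it builds when run without arguments is constructed; `redirector.invalid` is a reserved placeholder name.

```python
"""Added example, not from the original post: a helper for step 1 of the removal
instructions above. It walks a web root, collects .htaccess, php.ini and
.user.ini files, extracts any <IfModule mod_rewrite.c> section and flags
RewriteRule lines that redirect to an absolute http(s) URL, plus
auto_prepend_file / auto_append_file lines in the ini files. Both heuristics
are this example's assumptions about what an injection looks like; the post
only says which files to inspect. The sample site below is constructed."""
import os
import re
import sys
import tempfile

CANDIDATES = {".htaccess", "php.ini", ".user.ini"}
BLOCK_RE = re.compile(r"<IfModule\s+mod_rewrite\.c>(.*?)</IfModule>", re.I | re.S)
# A RewriteRule whose target is a full URL sends the visitor off-site.
EXTERNAL_RULE_RE = re.compile(r"^\s*RewriteRule\s+\S+\s+https?://\S+.*$", re.I | re.M)
# auto_prepend_file / auto_append_file load a PHP file into every request.
PREPEND_RE = re.compile(r"^\s*auto_(?:pre|ap)pend_file\s*=.*$", re.I | re.M)


def candidate_files(root):
    """Yield the config files the removal instructions say to inspect."""
    for directory, _dirs, files in os.walk(root):
        for name in files:
            if name in CANDIDATES:
                yield os.path.join(directory, name)


def inspect_file(path):
    """Findings for one file; a plain mod_rewrite block (pretty URLs) is not suspicious by itself."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        text = fh.read()
    blocks = [b.strip() for b in BLOCK_RE.findall(text)]
    redirects = [m.group(0).strip() for m in EXTERNAL_RULE_RE.finditer(text)]
    hooks = [h.strip() for h in PREPEND_RE.findall(text)]
    return {"rewrite_blocks": blocks, "external_redirects": redirects,
            "prepend_hooks": hooks, "suspicious": bool(redirects or hooks)}


def scan_webroot(root):
    """path -> findings for every candidate file under root."""
    return {path: inspect_file(path) for path in candidate_files(root)}


def suspicious_files(root):
    """Only the paths that step 2 of the instructions would have to clean."""
    return sorted(p for p, f in scan_webroot(root).items() if f["suspicious"])


def build_sample_site(base):
    """Constructed web root: an injected .htaccess, a legitimate one, and an injected .user.ini."""
    os.makedirs(os.path.join(base, "blog"), exist_ok=True)
    with open(os.path.join(base, ".htaccess"), "w") as f:
        f.write("<IfModule mod_rewrite.c>\nRewriteEngine On\n"
                "RewriteCond %{HTTP_REFERER} (google|bing|yahoo) [NC]\n"
                "RewriteRule .* http://redirector.invalid/in.php [R=302,L]\n</IfModule>\n")
    with open(os.path.join(base, "blog", ".htaccess"), "w") as f:
        f.write("<IfModule mod_rewrite.c>\nRewriteEngine On\n"
                "RewriteRule ^post/(.*)$ index.php?p=$1 [L]\n</IfModule>\n")
    with open(os.path.join(base, ".user.ini"), "w") as f:
        f.write("; hypothetical injected hook\nauto_prepend_file = /tmp/.x/x.php\n")
    return base


if __name__ == "__main__":
    root = sys.argv[1] if len(sys.argv) > 1 else build_sample_site(tempfile.mkdtemp())
    for path, findings in scan_webroot(root).items():
        if not findings["suspicious"]:
            continue
        print(f"== {path}")
        for block in findings["rewrite_blocks"]:
            print(block)
        for line in findings["external_redirects"] + findings["prepend_hooks"]:
            print(f"  !! {line}")
```

Run it as `python scan.py /var/www/site` on the live root (shared hosts often hide .htaccess files in subdirectories, hence the full walk). A referrer-conditioned redirect is only one shape an injection can take; treat the output as a starting point for step 2, not a proof that the rest of the site is clean.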

Stay Safe!



Inside “4 horses club” malware >> social details :)


It's too big for Twitter, so I'm posting it as a separate blog post.

Some time ago I posted info about ransomware from the "4 horses club". Grab it HERE.

Here is the login page of this affiliate program for partners (click for bigger pic)


Read more…

Reveton.N malware – Safe Mode included.


Reveton.N malware is quite well known recently; it's ransomware that locks your PC and demands money.

See the Microsoft Encyclopedia for screenshots and some details about it.

What's interesting is that most of the removal instructions Google finds start with booting into "Safe mode".

And my sample from 2 days ago infects the victim in such a way that in "Safe mode" the nice window demanding money reappears (!)

OK, how?

Simple, actually. It injects itself into the WMI service, as ServiceDLL, in both ControlSet001 and ControlSet003.

The local path of the DLL is the victim's current %TEMP% folder.

So, updated cleanup instructions for Reveton.N malware:

1. Reboot and press F8, choose "Safe mode with command prompt" and boot with your current user

2. In the command prompt (black window) type in

cd %TEMP%

and press Enter

then type in

del /q *.dll

and press Enter

type in

shutdown /r /f /t 00

press Enter

The computer will restart

3. Download a proper antivirus and clean your computer with it of all the other malware you have on your PC.
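Before running `del /q *.dll`, it is worth confirming the hijack and noting what has to be put back afterwards: once the DLL in %TEMP% is gone, a ServiceDll value that still points at it leaves the WMI service with nothing to load. The script below is an added example (not from this post): it parses `reg query` output for the Winmgmt service's Parameters key in each control set, flags a ServiceDll that is not the real `%SystemRoot%\system32\wbem\WMIsvc.dll`, and prints the `reg add` lines that restore it. The sample output it ships with is constructed, and the DLL name under %TEMP% in it is hypothetical.

```python
"""Added example, not from the original post: triage for the Reveton.N
persistence described above, meant to run before the `del /q *.dll` step.
It parses `reg query` output for the WMI service (Winmgmt) in every control
set and flags a ServiceDll that does not point at the real
%SystemRoot%\\system32\\wbem\\WMIsvc.dll. The sample output is constructed
and the %TEMP% DLL name in it is hypothetical."""
import re

LEGIT_SUFFIX = r"\system32\wbem\wmisvc.dll"
KEY_RE = re.compile(r"^(HKEY_\S+)\s*$")
VALUE_RE = re.compile(r"^\s+(\S+)\s+(REG_\w+)\s+(.*?)\s*$")

# Collect the input in the Safe Mode command prompt, then feed the file in here:
#   for %s in (ControlSet001 ControlSet002 ControlSet003) do @reg query HKLM\SYSTEM\%s\Services\Winmgmt\Parameters /v ServiceDll >> reg.txt
SAMPLE = r"""
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Winmgmt\Parameters
    ServiceDll    REG_EXPAND_SZ    C:\Users\victim\AppData\Local\Temp\qwertyui.dll

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Winmgmt\Parameters
    ServiceDll    REG_EXPAND_SZ    %SystemRoot%\system32\wbem\WMIsvc.dll

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\Winmgmt\Parameters
    ServiceDll    REG_EXPAND_SZ    C:\Users\victim\AppData\Local\Temp\qwertyui.dll
"""


def parse_reg_query(text):
    """Yield (key, value_name, value_type, data) for every value in reg query output."""
    key = None
    for line in text.splitlines():
        m = KEY_RE.match(line)
        if m:
            key = m.group(1)
            continue
        m = VALUE_RE.match(line)
        if m and key:
            yield key, m.group(1), m.group(2), m.group(3)


def audit_winmgmt(text):
    """control set -> (ServiceDll data, 'ok' | 'hijacked') for each Winmgmt\\Parameters key."""
    result = {}
    for key, name, _type, data in parse_reg_query(text):
        if name.lower() != "servicedll" or r"\services\winmgmt\parameters" not in key.lower():
            continue
        control_set = key.split("\\")[2]  # HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\...
        verdict = "ok" if data.lower().endswith(LEGIT_SUFFIX) else "hijacked"
        result[control_set] = (data, verdict)
    return result


def fix_commands(audit):
    """reg add lines that put the real DLL back for every hijacked control set.
    Run them after deleting the %TEMP% DLLs; with the value still pointing at a
    deleted file the WMI service has nothing to load."""
    return [
        'reg add HKLM\\SYSTEM\\{}\\Services\\Winmgmt\\Parameters /v ServiceDll '
        '/t REG_EXPAND_SZ /d "%SystemRoot%\\system32\\wbem\\WMIsvc.dll" /f'.format(cs)
        for cs, (_data, verdict) in sorted(audit.items()) if verdict == "hijacked"
    ]


def audit_live():
    """The same audit against the live registry (Windows only; winreg is imported lazily)."""
    import winreg
    result = {}
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, "SYSTEM") as system:
        index = 0
        while True:
            try:
                name = winreg.EnumKey(system, index)
            except OSError:
                break
            index += 1
            if not name.startswith("ControlSet"):
                continue
            try:
                with winreg.OpenKey(system, name + r"\Services\Winmgmt\Parameters") as params:
                    data, _type = winreg.QueryValueEx(params, "ServiceDll")
            except OSError:
                continue
            result[name] = (data, "ok" if data.lower().endswith(LEGIT_SUFFIX) else "hijacked")
    return result


if __name__ == "__main__":
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE
    audit = audit_winmgmt(text)
    for cs, (data, verdict) in sorted(audit.items()):
        print(f"{cs}: {data} [{verdict}]")
    for cmd in fix_commands(audit):
        print(cmd)
```

Typed into an interactive cmd prompt, `%SystemRoot%` in the printed `reg add` line expands to the real Windows directory before it is stored, which is still a valid value. The script must run under the same user the machine was booted with, because %TEMP% in the hijacked value is that user's temp folder.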

Stay Safe!






SPL exploit kit – now with CVE-2013-0422


Once every few days I see something new (to me, of course), and Google cannot answer me with enough details 🙂

So URLquery named it SPL Exploit Kit, and almost no additional info about it is available. Weird? Yep.

So @nsmfoo and I had a look at it, to see what we could learn.

Well, first of all, as I understand it, the name for this EK was given based on some tech specs that are returned by each detected installation. Since then the tech details have slightly changed, but the main idea is the same.

OK, let's begin…

Read more…


YAPS.py 0.3 released – Python script to upload samples to VirusTotal


Finished automating the process of uploading samples from multiple trackers.

Hope you can add it to your systems and daily jobs.

History, requirements and installation – see here

Link to getYAPS.py

(don't forget to remove the _.txt suffix)

What was added:

1. Added a check of whether the sample is already present in the VirusTotal database. If so – its data is just dumped to the log

2. If the sample is not present – it is uploaded to VirusTotal.

3. All info about the samples: whether the sample is new, SHA256 hash, detection ratio and URL to review – dumped to vtlog.txt in the same dir

4. Comments added – in case you need to comment on samples. Enabled by default on already-detected samples. Edit the comment variable if needed. Currently there is a problem commenting on a just-submitted file – will be solved.

5. All this within the ToS of VirusTotal, and thanks to them for a good tool 🙂

Hope it's useful, and not only to me 🙂
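As an added example (not the YAPS.py code linked above), here is a minimal implementation of the workflow the changelog describes: hash the sample, ask VirusTotal whether it is already known, upload it only if not, comment on known samples, and append one line per sample to vtlog.txt. The endpoints are VirusTotal's public API v2 of that time (`file/report`, `file/scan`, `comments/put`); the `transport` parameter is this example's own abstraction so the logic can be exercised offline with a fake, and `VT_APIKEY` is an assumed environment variable name.

```python
"""Added example, not the YAPS.py code from the post: a minimal version of the
workflow the changelog describes (hash the sample, ask VirusTotal whether it is
already known, upload it only if not, optionally comment, and append one line
per sample to vtlog.txt). The endpoints are VirusTotal's public API v2 of that
time; the `transport` argument is this example's own abstraction so the logic
can be exercised offline with a fake."""
import hashlib
import json
import os
import urllib.parse
import urllib.request
import uuid

VT_API = "https://www.virustotal.com/vtapi/v2"
LOG_PATH = "vtlog.txt"
DEFAULT_COMMENT = "Seen by tracker"  # edit to taste, as the changelog suggests


def sha256_of(path):
    """Hex SHA256 of a file, streamed so large samples do not load into memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def http_transport(url, fields, file_path=None):
    """Real transport: form-encoded POST, or multipart/form-data when a file is attached."""
    if file_path is None:
        request = urllib.request.Request(url, data=urllib.parse.urlencode(fields).encode())
    else:
        boundary = uuid.uuid4().hex
        body = b""
        for name, value in fields.items():
            body += f'--{boundary}\r\nContent-Disposition: form-data; name="{name}"\r\n\r\n{value}\r\n'.encode()
        with open(file_path, "rb") as fh:
            content = fh.read()
        body += (f'--{boundary}\r\nContent-Disposition: form-data; name="file"; '
                 f'filename="{os.path.basename(file_path)}"\r\n'
                 'Content-Type: application/octet-stream\r\n\r\n').encode() + content + b"\r\n"
        body += f"--{boundary}--\r\n".encode()
        request = urllib.request.Request(
            url, data=body, headers={"Content-Type": f"multipart/form-data; boundary={boundary}"})
    with urllib.request.urlopen(request, timeout=60) as response:
        return json.loads(response.read().decode())


def process_sample(path, apikey, transport=http_transport, log_path=LOG_PATH, comment=None):
    """Check one sample against VT, upload if unknown, log, and return the log record."""
    sha256 = sha256_of(path)
    report = transport(f"{VT_API}/file/report", {"apikey": apikey, "resource": sha256})
    if report.get("response_code") == 1:          # already in the VT database
        record = {"sha256": sha256, "new": False,
                  "ratio": f"{report['positives']}/{report['total']}",
                  "url": report["permalink"]}
        if comment:  # commenting a known sample works; a just-submitted one has no report yet
            transport(f"{VT_API}/comments/put",
                      {"apikey": apikey, "resource": sha256, "comment": comment})
    else:                                          # unknown: upload it
        scan = transport(f"{VT_API}/file/scan", {"apikey": apikey}, file_path=path)
        record = {"sha256": sha256, "new": True, "ratio": "pending",
                  "url": scan.get("permalink", "")}
    with open(log_path, "a", encoding="utf-8") as log:
        log.write(json.dumps(record) + "\n")
    return record


if __name__ == "__main__":
    import sys
    apikey = os.environ.get("VT_APIKEY", "")
    for sample in sys.argv[1:]:
        print(process_sample(sample, apikey, comment=DEFAULT_COMMENT))
```

Usage: `VT_APIKEY=... python vt_upload.py sample1.bin sample2.bin`. Each known sample costs one request (two with a comment) and each unknown one costs two, which matters against the public API's rate limit; a batch run from several trackers should sleep between samples rather than fire them all at once.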

Stay Safe