Well, it was gone for a while, and here it back 🙂

Email message sample:



Actually code looks like:



Attack, actually, run for about 48 hours already at least. You may see traces of it on URLQuery [36 entries by now]

When clicked – lead to BHEK2



BHEK2 payload – Cridex [22/46] and Fareit.

Second binary is interesting one, yes 🙂 Wait for updates.

Stay safe!


Tags :   

Portal TDS – walking after “Monster”


Another day, another attack on internet surfers 🙂

But this time some new piece of software used..

It call itself  “Portal TDS – You monster v 2.02

List of detected links on URLQuery1 or URLQuery2 (looks like not yet in list of known TDS patterns?)

TDS Administrator login page:


Read more…

Refresh HTTP header in EK Landing Page, or “200% success attack”


Yesterday,  some brief review of casual threat draw my attention by serving two different Exploit Kits  landing pages thru one include.

Actually, its not new, because there was multiple attempts to increase surface of attack by bot-masters.

Among those methods:

1. Include different injections into hacked server webpages [lame, but worked :)]

2. Use legit or barely-legit TDS (Sutra\SimpleTDS) to route traffic based on internal rules to different Exploit Kits page

3. Using various client-server solutions (scripts with embedded algorithm of traffic forward) with internal capability of routing traffic.

Here is another one 🙂 And it based on very popular in marketing formula “2 in 1”

Look at recent response from Exploit Kit (RedKit in this case)

GET h00p://michellechaso.co.uk/hmiq.htm

Ok, You say, what interesting in this (yeah-yeah, some changes in RedKit landing page, I saw them too 🙂 ) look at HTTP header!

Refresh: 20; URL=h00p://link_2_malware.domain/links/1.php

This is something new (for me, at least).

Let’s look at HTTP_Headers cheat sheet.

So, in simple words it command to browser: stay on this page 20 seconds, then move to next link.

Next link is BlackHole2 EK, that lead us to Kelihos.F variants  droppers.

Technically, it not route traffic between different ExploitKits, it literally infect victim twice:

1. Redkit Drop it’s payload in first 20 seconds.

2. After 20 seconds, victim redirected to BlackHole2 EKand infected again.

Have to say, that it’s common practice, to rent “installs” of malware on infected machines, to increase “return” ratio. But method is new, so be aware and stay protected 🙂

Stay Safe!





All roads lead to Kelihos.F Backdoor


Among many cases that were closed recently, one I want to share with You.

All started from one strange iframe


What strange about it?

Read more…

BlackHole Exploit Kit v2 – payload delivery exposed.


Last month was literally dedicated to BlackHole2 upgrade, announced by Paunch (see more details here)

Now, after 3 weeks, InfoSec world full of articles and screen-shots, internal statistic etc. Mystery solved? Nope. Because if so – then we should have reliable protection against it, easy way to detect and take-it-down.

Detect ratio is still below any reasonable numbers, and this mean that anti-forensics features still wait to be published. 🙂

Note: All my research and conclusions based on findings of mine, or with help of my Friends, whom I credit in each research. I do not use “Internal Sources”in my posts, even if I have them 🙂 I may do mistake, and If You have facts or information that prove me wrong – mail\twitt\IM me and lets look at it together.

Disclamer: All links provided lead to malicious or potentially malicious resources. Do not click there on any link, or don’t run any file, without proper knowledge, env prepared and skills trained.

Ok, let’s rock. 🙂

Read more…

BlackHole Exploit Kit 2.0 – anti-forensics features announced


So, major news in malware world today – release of BlackHole Exploit Kit ver 2.0, announced by Paunch at the morning.

Full text of Advertisement You may read in Russian and translated english at Kafeine’s blog

Since my part of the interest is anti-forensics features, let’s see, what exactly Paunch ad disclose:

Read more…