Malware hunt – wildfowl to find


More than twice in the last 24 hours I was asked a non-trivial question:

Where do You find targets for malware hunting if You are not part of a big team, not a malware researcher, and don't own a honeynet?

Actually, if You do want to fight malware, IMHO it is very useful to have a honeypot system or, at least, to be in the security business somehow. It will provide You with a non-stop flow of malicious targets to review. But what if You are not, and You still want to help?

Disclaimer: All links provided lead to lists of malicious or potentially malicious resources. Do not click any link there or run any file without proper knowledge, a prepared environment and trained skills.

Well, here are a few links that aggregate the latest known threats, which You can practice on:

Read more…

JavaScript PluginDetect is in the Past.


Well, I am sick again, alone at home, so I am looking for something to dig into…

And, as it appears, there is always something interesting happening.

If You are familiar with Exploit Kits, You know that a major feature of their traffic filter is PluginDetect.

It is a JS script with a huge number of features, provided by legitimate and respected authors.

Its main usage for malicious purposes is to detect outdated plug-ins in order to serve “working” exploits for successful infection of a victim.

Size: about 45-65 KB in plain text; in altered/obfuscated form it can reach 110-130 KB of JavaScript.

It is also known to be part of malicious applications and triggers detections accordingly. There are products that emulate JS and provide fake responses to PluginDetect to bypass it successfully.

Well, bottom line: it’s quite a mess to use it for traffic filtering.

But there are other ways, always…

Read more…

Darkleech – malicious Apache mod anti-forensics – client-side.


I wrote about Darkleech last year, and one question remains. Among the anti-forensics features the seller declared were:

– frame delivered to unique users only, no frame on repeat.

So, how does it look for the victim, and how is it implemented?

Since then, Linux/Chapro.A was posted on SecLists and analysed by Kaspersky and ESET.

Afterwards Eric Romang provided some details suggesting it appears to be a version of the Darkleech module.

And here it appears again: a UnixFreaxJP blog report about a massive attack on the Japanese segment of the Internet.

Well, it’s time to see whether it is DarkLeech and how anti-forensics is implemented there from the client’s PoV 🙂

Ok. Let’s look at any of the servers in the list:

Read more…

Do You live in ‘bad_country’? :D [updated1]


If You are looking for info about Exploit Kits, move on; there is nothing about them here.

Here is a TDS (traffic distribution system) unknown to me, which was used in the recent huge attack on the customers of hacked websites.

This is how it looks like:

Juicy, You say? An iframe that looks like it leads to an MDS, which will finally 302 us to the weaponized page of an Exploit Kit :)

Read more…

DarkLeech – malware mod for Apache.


It was expected, actually…

But let’s start from the beginning.

Over the last few weeks I have read about some strange malicious activity on Apache servers (

An iframe with malicious code was injected dynamically into multiple pages of the Apache server.

Standard cleanup was not helpful at all; multiple co-located hosts were infected the same way.

Any website moved to a new server became clean << When I saw this, it became obvious that the compromise was part of the web server itself, not per site.

So I did a little research and found a new product on the black market that You may be interested in 🙂

Read more…

“Security Shield” Fake Antivirus


Since all the IT world is busy with the new release of BHEK, here is some non-BHEK stuff Ж)

The starting point was sent by a friend with the remark: “…maybe BHEK2?”

Let’s see 🙂

Read more…

BlackHole Exploit Kit 2.0 – anti-forensics features announced


So, major news in the malware world today: the release of BlackHole Exploit Kit ver 2.0, announced by Paunch in the morning.

The full text of the advertisement You may read in Russian and in English translation at Kafeine’s blog.

Since my area of interest is anti-forensics features, let’s see what exactly Paunch’s ad discloses:

Read more…

SimpleTDS as part of RedKit Exploit Kit


Another Malware Distribution System, SimpleTDS (named after URLQuery), appeared on the horizon this morning.

As I found in the end, it was part (integrated or attached, in this case) of the known RedKit EK, thanks to @kafeine’s blog post “CVE-2012-4681 – Redkit Exploit Kit – I want Porche Turbo”.

Disclaimer: All links provided lead to lists of malicious or potentially malicious resources. Do not click any link there or run any file without proper knowledge, a prepared environment and trained skills.

Well, it was a morning… 🙂

Read more…

Malware delivery system – few recent tricks


Malware Delivery Systems, or Loaders, are responsible for delivering malicious exe/dll files to the victim.

Each day, malware creators implement new tricks to hinder analysis and detection of malware hosts by automated systems, and each day malware hunters follow them to the end, step by step 🙂

Here is an example of such a walk 🙂

Read more…

What is “Dedic”?


Well, if You speak Russian and are in the computer crime world from any side, You know what I am talking about. If not, here is a brief look at what it is, what it is used for and why it is named this way.

Read more…