Security is everyone’s concern, or why blacklisting fails.


“Democracy is the worst form of government, except for all those other forms that have been tried from time to time.” (Winston Churchill)

I wrote a huge philosophical part here… But then – I realized that too much ideology has already been dumped onto the Net, no need to add more.

So – take Mr. Churchill’s quote and put “blacklisting” in place of “democracy” << this is exactly my point.

And to make a long story short – as protection against malware, blacklisting fails.

Why? Simple.

Blacklisting – “…a blacklist or block list is a basic access control mechanism that allows through all elements (email addresses, users, URLs, etc.), except those explicitly mentioned. Those items on the list are denied access…” (

So, basically, how it should work:

1. Someone detects that IP x.x.x.x or a domain is spreading malware, has an Exploit Kit installed, or shows some other malicious activity

2. The IP or domain is added to a blacklist – now all software that works with that blacklist is protected from visiting this bad site.

3. Internet Safe! (Yeah… )

And how it works now:

1. A malicious IP or domain is detected. It takes some time to detect a new attack, discover all infectors, gather all the evidence and prepare a report

2. The IP\domain is reported. There are plenty of different lists, each with its own rules. It takes some time to re-check and add it to the list – otherwise the list itself could be abused for malicious purposes.

3. Clients are not up to date, lists are delivered from time to time, and checking against a list takes time and traffic. And the bottom line – at the fastest, it takes 2-3 days to get it all done. The attacker has already got the profit, monetized and is planning the next attack.

Nothing new for many of You, and as I said – it’s a terrible solution, but we don’t have another one now.

But wait – it’s even worse 🙂

Malware doesn’t need to expose its own IP\domain to victims, or even to malware researchers, at any level. Let me show You how.


List of compromised domains [2725] that spread RedKit EK.


Hi all, folks.

Need Your help.

For the last few months we were watching the former Redkit spreading all over, using compromised websites to get into victim machines.

At this point, the combined tracker results indicate that at least 2725 unique domains were compromised and participated in Redkit spreading from 11.11.2012 till 31.01.2013

Since I literally have no free time to manage the whole cleanup process and no resources to provide support to the owners of those web resources (most of them don’t even respond to mail), here is the list 

Please note that this list is not 100% solid; there were a few changes in the Exploit Kit spreading system that required the tracking agent to be reconfigured, but the bottom line is – it’s at least 90% accurate.

Some domains were cleaned up, some were reported for abuse and taken down by the hosting company or the owner. Most of the listed hosts are still infected, I assume. And since the MDS system reuses them frequently, at some point they will appear to be malicious again. Please act accordingly.

In case Your website is listed here:

Removal instructions [for site\host\shared hosting service Owners]:

1. Search for .htaccess files and php.ini or .user.ini files in root directories, and check them for mod_rewrite.c entries (see more details here)

2. Clean the files referenced in the mod_rewrite.c section of .htaccess

3. Hire a security professional who will harden Your website\service to prevent future intrusions. If not – the malware will return.
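To make step 1 and step 2 repeatable on a shared host with many document roots, here is an added helper script (my own example, not part of the post or of any cleanup tooling the author used). It walks a directory tree, picks out every .htaccess, php.ini and .user.ini, extracts the <IfModule mod_rewrite.c> sections and lists the files each RewriteRule sends requests to, so the owner knows which files to inspect next. Two things go beyond what the post says and are my own heuristics: RewriteCond lines that key on the referer, user-agent or cookie are marked for manual review, and the PHP ini files are checked for auto_prepend_file / auto_append_file, which pull a script into every request. The sample files and the /images/cache/x.php and sample_prepend.php paths are constructed for the demo.

```python
import os
import re
import tempfile
from pathlib import Path

# The three config files the removal instructions say to inspect in each web root.
CONFIG_NAMES = {".htaccess", "php.ini", ".user.ini"}

# <IfModule mod_rewrite.c> ... </IfModule> sections inside .htaccess
IFMODULE_RE = re.compile(r"<IfModule\s+mod_rewrite\.c\s*>(.*?)</IfModule>", re.I | re.S)
# one mod_rewrite directive per line
DIRECTIVE_RE = re.compile(
    r"^[ \t]*(RewriteEngine|RewriteBase|RewriteCond|RewriteRule)\b[ \t]*(.*?)[ \t]*$",
    re.I | re.M)
# php.ini / .user.ini keys that load a script into every PHP request (my heuristic,
# not something the post lists)
PHP_INCLUDE_RE = re.compile(
    r"^[ \t]*(auto_prepend_file|auto_append_file)[ \t]*=[ \t]*(.+?)[ \t]*$", re.I | re.M)
# request fields a conditional redirect keys on; such RewriteCond lines get flagged (heuristic)
REVIEW_VARS = ("HTTP_REFERER", "HTTP_USER_AGENT", "HTTP_COOKIE")


def mod_rewrite_sections(text):
    """Bodies of every <IfModule mod_rewrite.c> section in an .htaccess file."""
    return [m.group(1) for m in IFMODULE_RE.finditer(text)]


def rewrite_directives(text):
    """(directive, arguments) pairs for every Rewrite* line in the given text."""
    return [(name, args) for name, args in DIRECTIVE_RE.findall(text)]


def rewrite_targets(directives):
    """Substitution targets of RewriteRule lines: the files or URLs requests are sent to."""
    targets = []
    for name, args in directives:
        if name.lower() == "rewriterule":
            parts = args.split()
            # a "-" substitution means "no rewrite", so it references no file
            if len(parts) >= 2 and parts[1] != "-":
                targets.append(parts[1])
    return targets


def scan_config_text(filename, text):
    """Findings for one config file's content; each names the files to inspect next."""
    findings = []
    if filename == ".htaccess":
        for body in mod_rewrite_sections(text):
            directives = rewrite_directives(body)
            review = [args for name, args in directives
                      if name.lower() == "rewritecond" and any(v in args for v in REVIEW_VARS)]
            findings.append({"file": filename, "kind": "mod_rewrite.c section",
                             "directives": directives, "targets": rewrite_targets(directives),
                             "review": review})
    else:
        for key, value in PHP_INCLUDE_RE.findall(text):
            findings.append({"file": filename, "kind": key.lower(), "directives": [],
                             "targets": [value.strip("\"'")], "review": []})
    return findings


def scan_tree(root):
    """Walk a document root and scan every .htaccess / php.ini / .user.ini found."""
    results = []
    for dirpath, _dirs, files in os.walk(root):
        for fn in files:
            if fn in CONFIG_NAMES:
                path = Path(dirpath) / fn
                text = path.read_text(encoding="utf-8", errors="replace")
                for finding in scan_config_text(fn, text):
                    finding["path"] = str(path)
                    results.append(finding)
    return results


# Constructed sample files (not taken from any real compromised site).
SAMPLE_HTACCESS = """\
# constructed sample
RewriteEngine On
<IfModule mod_rewrite.c>
RewriteCond %{HTTP_REFERER} (google|bing) [NC]
RewriteRule ^(.*)$ /images/cache/x.php [L]
</IfModule>
"""
SAMPLE_USER_INI = """\
; constructed sample
auto_prepend_file = "sample_prepend.php"
"""


def demo():
    """Write the constructed samples into a temporary web root and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / ".htaccess").write_text(SAMPLE_HTACCESS)
        (root / "blog").mkdir()
        (root / "blog" / ".user.ini").write_text(SAMPLE_USER_INI)
        return scan_tree(tmp)


if __name__ == "__main__":
    for f in demo():
        print(f["path"], f["kind"], "targets:", f["targets"], "review:", f["review"])
```

Run it against the real document root instead of the temp directory by calling scan_tree("/path/to/htdocs"); every path printed under "targets" is a file to open and clean (step 2), and every "review" entry is a conditional redirect worth explaining before the rule is kept.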

Stay Safe!



Refresh HTTP header in EK Landing Page, or “200% success attack”


Yesterday, a brief review of a casual threat caught my attention: two different Exploit Kit landing pages served through one include.

Actually, it’s not new, because there have been multiple attempts by bot-masters to increase the attack surface.

Among those methods:

1. Include different injections into hacked server webpages [lame, but it worked :)]

2. Use a legit or barely-legit TDS (Sutra\SimpleTDS) to route traffic to different Exploit Kit pages based on internal rules

3. Use various client-server solutions (scripts with an embedded traffic-forwarding algorithm) with built-in capability to route traffic.

Here is another one 🙂 And it is based on the very popular marketing formula “2 in 1”

Look at a recent response from an Exploit Kit (RedKit in this case)

GET h00p://

Ok, You say, what is interesting in this (yeah-yeah, some changes in the RedKit landing page, I saw them too 🙂 ) – look at the HTTP header!

Refresh: 20; URL=h00p://link_2_malware.domain/links/1.php

This is something new (for me, at least).

Let’s look at the HTTP_Headers cheat sheet.

So, in simple words, it commands the browser: stay on this page for 20 seconds, then move to the next link.

The next link is the BlackHole2 EK, which leads us to Kelihos.F variant droppers.

Technically, it does not route traffic between different Exploit Kits, it literally infects the victim twice:

1. Redkit drops its payload in the first 20 seconds.

2. After 20 seconds, the victim is redirected to the BlackHole2 EK and infected again.

Have to say that it’s common practice to rent “installs” of malware on infected machines to increase the “return” ratio. But the method is new, so be aware and stay protected 🙂
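The “stay 20 seconds, then go elsewhere” behaviour is easy to pick out of captured traffic, because a legitimate page rarely uses a Refresh header to send the browser to a different host. Here is an added detection helper (my own example, not code from the post or from any tool the author used): it parses a raw HTTP response, pulls the Refresh header apart into delay and URL, and raises an alert when the target host differs from the host the response came from. It also goes one step beyond the post and applies the same check to the in-page <meta http-equiv="refresh"> form, which browsers treat the same way. The sample responses and the hosts first-kit.example / second-kit.example are constructed placeholders, not real infrastructure.

```python
import re
from urllib.parse import urlsplit

# "Refresh: <seconds>; url=<target>"; the url part is optional (a bare number just reloads)
REFRESH_RE = re.compile(r"^\s*(\d+)\s*(?:;\s*url\s*=\s*['\"]?([^'\"\s]+)['\"]?)?\s*$", re.I)
META_TAG_RE = re.compile(r"<meta\b[^>]*>", re.I)
ATTR_RE = re.compile(r"""([\w-]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+))""")


def parse_refresh(value):
    """Return (delay_seconds, url_or_None), or None if the value is not a Refresh directive."""
    m = REFRESH_RE.match(value)
    if not m:
        return None
    return int(m.group(1)), m.group(2)


def split_response(raw):
    """Split a raw HTTP/1.x response into (status line, {lower-name: [values]}, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return lines[0], headers, body


def meta_refresh_values(body):
    """content= values of <meta http-equiv="refresh"> tags, the in-page form of the header."""
    values = []
    for tag in META_TAG_RE.findall(body):
        attrs = {k.lower(): (dq or sq or bare) for k, dq, sq, bare in ATTR_RE.findall(tag)}
        if attrs.get("http-equiv", "").lower() == "refresh" and "content" in attrs:
            values.append(attrs["content"])
    return values


def refresh_targets(raw):
    """Every timed redirect a browser would follow, as (source, delay, url) tuples."""
    _status, headers, body = split_response(raw)
    found = []
    for value in headers.get("refresh", []):
        parsed = parse_refresh(value)
        if parsed:
            found.append(("header",) + parsed)
    for value in meta_refresh_values(body):
        parsed = parse_refresh(value)
        if parsed:
            found.append(("meta",) + parsed)
    return found


def assess(request_host, raw):
    """Alerts for timed redirects that leave the host the response was fetched from."""
    alerts = []
    for source, delay, url in refresh_targets(raw):
        if url is None:
            continue  # plain reload of the same page, nothing to flag
        host = urlsplit(url).hostname
        if host and host.lower() != request_host.lower():
            alerts.append({"source": source, "delay": delay, "url": url, "host": host})
    return alerts


# Constructed responses modelled on the post's observation; hosts are placeholders.
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n"
    "Refresh: 20; URL=http://second-kit.example/links/1.php\r\n"
    "\r\n"
    "<html><head><title>landing</title></head><body>...</body></html>"
)
SAMPLE_META_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
    '<html><head><meta http-equiv="refresh" content="0; url=http://second-kit.example/x">'
    "</head><body></body></html>"
)


if __name__ == "__main__":
    for alert in assess("first-kit.example", SAMPLE_RESPONSE):
        print("timed redirect off-host:", alert)
```

Feed it the host you requested plus the raw response bytes from a proxy log or pcap; an off-host alert with a non-zero delay is exactly the “stay, then move” pattern described above, and the URL in the alert is the second landing page to pivot to in the investigation.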

Stay Safe!





RedKit EK Return – 10 days that…


Well, if You are not yet aware, the former Redkit is back.

There were rumours here and there about it being abandoned, or closed. But – on 11.11.2012 I saw it alive myself 🙂

Here is the result of monitoring RedKit EK on its return.

Have a seat and read. I hope this story will give You some details on the time-line of events between 05 and 15 Nov. 2012


Redkit Exploit Kit: upgrades in anti-forensics.


Since the major news of the last few weeks is the from-scratch update of BlackHole to version 2, I was waiting for a response from the rivals.

And after a week – Former RedKit Exploit Kit change the mojo

But at that time I still didn’t have the full picture. Now the post is updated, as You may see.

And here – a detailed analysis of the recent anti-forensics features (for now) :)

Disclaimer: All links provided lead to lists of malicious or potentially malicious resources. Do not click on any link there, or run any file, without proper knowledge, a prepared environment and trained skills.


Former RedKit Exploit Kit change the mojo? [updated]


Looks like the Exploit Kit formerly known as RedKit changed the Mojo 🙂


RedKit EK & SpamBot, hiding after “Sony” brand


Another case, thanks to @malwaremustdie, appeared as a side-result of some more global research.

As You may know (or not), You can lease a botnet for Your needs. DDoS, software installations, socks bots, trojans etc – anything You like to load onto multiple computers can be done via a leased botnet. It looks like we have such a case here.

Disclaimer: All links provided lead to lists of malicious or potentially malicious resources. Do not click on any link there, or run any file, without proper knowledge, a prepared environment and trained skills.


SimpleTDS as part of RedKit Exploit Kit


Another Malware Distribution System, SimpleTDS (named after URLQuery), appeared on the horizon this morning.

As I found in the end – it was part (integrated or attached, in this case) of the known RedKit EK – thx to @kafeine’s blog post “CVE-2012-4681 – Redkit Exploit Kit – I want Porche Turbo”

Disclaimer: All links provided lead to lists of malicious or potentially malicious resources. Do not click on any link there, or run any file, without proper knowledge, a prepared environment and trained skills.

Well, it was a morning… 🙂
