Cookie Consent by Free Privacy Policy Generator ๐Ÿ“Œ MMD-0046-2015 - (Recent and new) Kelihos CNC activity XXXX(censored)

๐Ÿ  Team IT Security News

TSecurity.de ist eine Online-Plattform, die sich auf die Bereitstellung von Informationen,alle 15 Minuten neuste Nachrichten, Bildungsressourcen und Dienstleistungen rund um das Thema IT-Sicherheit spezialisiert hat.
Ob es sich um aktuelle Nachrichten, Fachartikel, Blogbeitrรคge, Webinare, Tutorials, oder Tipps & Tricks handelt, TSecurity.de bietet seinen Nutzern einen umfassenden รœberblick รผber die wichtigsten Aspekte der IT-Sicherheit in einer sich stรคndig verรคndernden digitalen Welt.

16.12.2023 - TIP: Wer den Cookie Consent Banner akzeptiert, kann z.B. von Englisch nach Deutsch รผbersetzen, erst Englisch auswรคhlen dann wieder Deutsch!

Google Android Playstore Download Button fรผr Team IT Security



๐Ÿ“š MMD-0046-2015 - (Recent and new) Kelihos CNC activity XXXX(censored)


๐Ÿ’ก Newskategorie: Video
๐Ÿ”— Quelle: blog.malwaremustdie.org

Background

Note: This is the modified post of the original post, sensitive data were censored for the "security reason". Please read "between the lines". I am sorry and thank you. - God bless them who read the codes - @unixfreaxjp Tue Dec 22 16:56:01 JST 2015

Most of fellow malware and botnet researchers in security communities know the term of "kelihos botnet". Many of us find it interesting to be studied. The botnet exists for a long time until now, and surviving many take down and disruption efforts, yet it is still in operation until now [link].

MalwareMustDie group has a "Kelihos Operation" in a small dedicated unit to research this threat and we tried to be responsible in disclosing the botnet malicious distribution scheme and its payloads in 2013, and we presented the talk about it at the BotConf in 2013 [link]. The team was following the threat ever since by tireless efforts to report and try to support regional jurisdiction to stop the botnet's further malicious activity. And believe me, MalwareMustDie is aiming a way further than just a whack-a-mole actions that some industries and researchers think we were, the disclosure that we had on the case, and this post is a proof of our hard work for it.

Even physical action(s) was conducted by law (with hat tips of the great work of GroupIB friends [link]) for the effort to end this "legacy" for good, the herder who is a notorious cyber criminal [link][link][link] knows how to bent the law, and is back on operation, with some improvement in the botnet itself.

In the Q3 and Q4 in this year there are strong distribution [link] of Kelihos binaries from several "major" Exploit Kits [link], implying the effort of the herder to expand the botnet. And following that time frame several botnet malicious campaigns were also started to be detected under a very short infection uptime and was carefully planned in aiming specific regional target on a specific operating system platform. Afterward, just recently. there are events of "disruption activities" was occurred in the botnet, which has boosted the botnet's access revocation, technical changes, updates on versions and security improvements to be better than before (i.e.in: domains, encryption, payloads, name servers & http services etc) without really reducing its P2P peers activity significantly, hence the botnet is still on operation but not as "greedy" like we've seen it before in 2012 and 2013.

The recent development is urging me on behalf of operation unit in our Kelihos team, to disclose as "responsible" as possible several new updates in information that maybe can be used and linked by law enforcement effort to build a new cyber criminal case for this well known bot herder.

We thanked gentlemen/ladies for the hard work they shared together in effort to stop the threat (this credit list is not only MMD members but contributors are included)

@VriesHd @Malwageddon @Set_Abominae @DhiaLite @malm0u53 @Xylit0l@ConradLongmore @s4n7h0 @essachin 
@sempersecurus @JC_SoCal @ChristiaanBeek @unixfreaxjp @lvdeijk @wirehack7 @wopot @kafeine
These are the people who stick together still and contribute very hard effort of the case with the separate specialties. I myself is in charge for the CNC & infrastructure investigation for the threat, and this writing is mostly based on that specific territory, so I tried to write it without revealing much OpSec of my other team mats in various section. So, the post will not reveal all details of operational aspect, since there are many more "bigger deal" that has to be kept close for the further investigation. You can feel free to contact us via twitter DM if somehow I may can assist you more on the issue.

Kelihos FUD (Fully UnDetected) check scheme

Generally speaking: As this botnet concept is peer to peer, it uses encrypted communication one-to-one basis that redundantly connected to the targeted/instructed peers specified from the central command. The central pushes commands to the infected peers by working in rings of encryption layers, which is varied in encryption to each level, and the peers in each group can reply a pong in generic protocol in "a state" that can be notified by the highest central. This is a way of the botnet can be "steered" to aim specific territory like this example [link] and to launch a specific spam and/or traffic redirection campaigns (the example is in the next paragraph), or to avoid several networks, or "activated / deactivated" activities on some region. In this paragraph I am in purpose omitting various function details that the botnet has (dns/http/blacklist/p2p crypt/spam modules/etc etc).

As peering-functionality is important to the kelihos botnet. the herder is using a known FUD checking service to make sure the main botnet nodes is free from detection, with checking security industry's mitigation/protection signatures [link], by rapidly monitoring detection ratio of the: (1) Binary payloads, (2) IP addresses of Kelihos job server's and main communication peers, (3) and CNC hosts, (4) the web html pages contains javascript, installed in peers that is distributed for supporting several malicious operations (i.e.: click fraud, redirectors, malware infection, spam sites, etc). The herder never keeps the detection ratio high and only picking several important nodes in the botnet to have the lowest detection ratio as possible, and also trying very hard to keep the job servers and CNC of Kelihos to have detection score to be close to zero.

Kelihos is a botnet as service which is having its own function to spread its threat activity, mainly by spam email from its original spam module, which are controlled directly by the herder to aim to specific region(s) or by redirection scheme. Several scheme of recent distribution spotted in this functionality is as per following illustrations: [pump-and-dump] [malicious JS redirector] [URL link basis] [script spam] [pay per click] [regional targeted spam] etc (malware related spam can not be disclosed in here).

To be noted: There are top central operation servers which the herder operated separately and unlisted to the checks. Thus,the botnet is never involving CNC layer or upper layer directly to the distributional layer of the payload, but passing the "delivery" to the infected proxy peers (read: DHCP/ADSL infected PC connected to the internet behind the routers) which makes harder to proof its maliciousness, even though these upper layers nodes are having a very important role in steer malicious activity in the infected peers.

The checking scheme of the botnet peers is where actually the vector we used to dig up the connection to the source of the threat, so I will not have to disclose the domains, payloads, encryption, campaigns or other opsec related work details.

The Kelihos CNC in AS19318(US) at YYYYY(censored)

Inside of the category of (3) stated in above section, it was spotted CNC IP listed as per checked in a scheme below:

These are the IP registered to these two dedicated hosts: dsys417.server-1.biz and dsys418.server-1.biz as per checked below, physically located in New Jersey, United States.

{ "ip": "206.72.206.74-78",
"hostname": "dsys418.server-1.biz",
"ip": "66.45.241.130-134",
"hostname": "dsys417.server-1.biz",
"city": "Secaucus",
"region": "New Jersey",
"country": "US",
"loc": "40.7895,-74.0565",
"org": "AS19318 NEW JERSEY INTERNATIONAL INTERNET EXCHANGE LLC",
"postal": "07094" }
The data above in form of textual per prefix/routes networking used:
66.45.241.130|dsys417.server-1.biz.|19318 | 66.45.224.0/19 | (censored) | US | interserver.net | Interserver Inc
66.45.241.131||19318 | 66.45.224.0/19 | (cencored) | US | interserver.net | Interserver Inc
66.45.241.132||19318 | 66.45.224.0/19 | (cencored) | US | interserver.net | Interserver Inc
66.45.241.133||19318 | 66.45.224.0/19 | (cencored) | US | interserver.net | Interserver Inc
66.45.241.134||19318 | 66.45.224.0/19 | (cencored) | US | interserver.net | Interserver Inc
206.72.206.74|dsys418.server-1.biz|19318 | 206.72.192.0/20 | (cencored) | US | interserver.net | Interserver Inc
206.72.206.75||19318 | 206.72.192.0/20 | (cencored) | US | interserver.net | Interserver Inc
206.72.206.76||19318 | 206.72.192.0/20 | (cencored) | US | interserver.net | Interserver Inc
206.72.206.77||19318 | 206.72.192.0/20 | (cencored) | US | interserver.net | Interserver Inc
206.72.206.78||19318 | 206.72.192.0/20 | (cencored) | US | interserver.net | Interserver Inc

The checks are so important for these IPs on its two hosts, that the herder is running it in frequency of average 16 times per hour, in hourly basis, for each host, by using the remote API provided by the FUD check service for the purpose. As evidence I snipped a small portion as below:

To proof the solidity of the data presented, this original picture shows many authentic details:

Since the front end has payment records captured, it's not that difficult to know that the herder want to keep on doing this at least until the early of this December 2015 [link]

I think up to this point we are all agreed about the US basis 10(ten) IP addresses above are specifically checked by the kelihos herder for its FUD purpose, together with executable binaries of the botnet, the script saved in HTML files in the peers and other minor matters.
But then questions raised up: Who owns those IPs? How can Kelihos botnet herder get the US IP addresses from the first place? Is HE the same person as we announced in 2013?
The next section will be the disclosure of all the questions above plus the ownership information.

The herder data dug from these 10 IP

Before I went to BotConf in 2013, we (MalwareMustDie operations in Germany and Netherland) launched effort [link] [link] and we "paralized" their payload scheme↓ too -

#MalwareMustDie - #Kelihos #Botnet is Paralyzed now, snapshot 1 Russian infected IP is ZERO (pic) #MoronzISCryingHard pic.twitter.com/15NLbYzCJw

— ☩MalwareMustDie (@MalwareMustDie) December 2, 2013
..and we stop the payload of Kelihos for some days, and with the help from good fellows from McAfee and LeaseWeb together we took down dedicated servers that was used to run as Kelihos mother ships (You will see some video about that in 2013's link above). It was taking down Kelihos like 5 days without payloads, and successfully PoC some evidence of the botnet with disrupting the herder at the same time.

It won't take long for the herder to quickly revive the botnet. And that was the time when the 10 IP described above was born. During the reviving period the bot herder was renting two dedicated servers from "regname.biz (owner of server-1.biz)" via QQQQQQ(cencored) service, and there is an evidence of payment request from the service to the herder and it looks like this:

If you are making an account of any hoster service, for them to contact you it will be needed the XXXXX(censored) data of yours. Apparently the XXXXX(censored) used for contact communication in arranging these servers are matched to the XXXXX(censored) registered as contact information in the FUD check system described above [link] that is connected to his main CNC for binary checking.

Well, okay, what is the proof that the 10 IP addresses are owned by a person who is using XXXXX(censored) too?
Let's see the explanation below...

Under a good legal cooperation the picture of the herder's rented dedicated server details in the XXXX(cencored) account can be achieved, in this service..in the billing history, the invoices shown in the last two transaction of renting servers are the first initiation payment done by the herder, as per seen in the previous data, see the invoice number and the contents which will be perfectly matched to what the payment request document also stated.

The two dedicated servers are keeping on renewal until at the time I wrote this post, one would find this evidence in the recent details like below in the system:

And these 10 IP addresses are the IP addresses of what two hosts are serving. Even though hoster system need to hover mouse/pointer to see these details, one can make the screenshot as per below to managed captured data as proof, these two hosts are the ones responsible to the 10 IP addresses in United states that was used by kelihos herder, under the same XXXXX(censored) contact account, which is obviously belong to the kelihos botnet herder.

As per every online basis system, the profile setting part is exists, and beyond any doubt one can see the same XXXXX(censored) is used, while accessing that part :-)

Who's is this herder? Not the same guy?

It is proven by this vector too that the herder is having the same ID that we presented in BotConf in 2013, unless you can say that this bot herder is sharing the XXXXX(censored) that is used to arrange dedicated servers of more than 15 IPs of CNC..and to check the FUD of the malware payload+IP ..to a common good public citizen that is "innocently" use the same XXXXX(censored), without being worry this "innocent man" will go to police to report all of the herder's crime.

And we thank you to the Shell Club Smart Russia database to help us in pointing the correct identification and location via (XXXXX/censored) of the person who is responsible of Kelihos malicious services like: malicious redirect, clickfraud, spams and malware infections behind the botnet. From this point it's the law enforcement matter to conduct the cyber crime investigation further.

The VERY important P2P peers IP, job servers IP and CNC IP of Kelihos

This is actually the most important part. Below is the list of the Kelihos upper infrastructure layer. I will not openly explain which IP is doing what. But for the safeness of our internet we suggest you strongly to neutralize the listed hosts and block them during the process. The 10 IP addresses listed above is included in the list. The list is sorted one since 2013 until today. An IOC to share the list to each entities would be nice follow for this post. And if you need to have the historical basis data please contact us, with sending message in the comment as usual with stated yourself+entity email address. PS: There are many data can be shared to law enforcement only.

109.87.199.28|28.199.87.109.triolan.net.|13188 | 109.87.199.0/24 | BANKINFORM | UA | triolan.net | Content Delivery Network Ltd
118.160.178.92|118-160-178-92.dynamic.hinet.net.|3462 | 118.160.0.0/16 | HINET | TW | hinet.net | Data Communication Business Group
121.52.159.143|free-iub.edu.pk.|45773 | 121.52.159.0/24 | HECPERN-AS | PK | pern.pk | Pern-Pakistan Education & Research Network is an
126.48.37.45|softbank126048037045.bbtec.net.|17676 | 126.48.0.0/16 | GIGAINFRA | JP | softbankbb.co.jp | Japan Nation-Wide Network Of SoftBank BB Corp.
151.0.40.22||45025 | 151.0.40.0/21 | EDN | UA | lir.net.ua | Online Technologies LTD
159.224.159.161|161.159.224.159.triolan.net.|13188 | 159.224.158.0/23 | BANKINFORM | UA | triolan.net | Content Delivery Network Ltd
175.209.240.53||4766 | 175.208.0.0/13 | KIXS-AS | KR | kt.com | Korea Telecom
176.103.48.27||48031 | 176.103.48.0/20 | XSERVER-IP-NETWORK | UA | brindirect.com | PE Ivanov Vitaliy Sergeevich
176.103.54.73||48031 | 176.103.48.0/20 | XSERVER-IP-NETWORK | UA | brindirect.com | PE Ivanov Vitaliy Sergeevich
176.103.55.73||48031 | 176.103.48.0/20 | XSERVER-IP-NETWORK | UA | brindirect.com | PE Ivanov Vitaliy Sergeevich
176.61.167.245|cable-korisnici-Lukavac-245.167.61.176.BHB.BA.|57397 | 176.61.167.0/24 | BHB-CABLE-TV-BIH | AT | jm-data.at | JM-DATA GmbH
176.73.239.93||16010 | 176.73.128.0/17 | CAUCASUSONLINEAS | GE | caucasus.net | Caucasus Online Ltd.
176.73.248.151||16010 | 176.73.128.0/17 | CAUCASUSONLINEAS | GE | caucasus.net | Caucasus Online Ltd.
176.8.113.143|176-8-113-143-broadband.kyivstar.net.|15895 | 176.8.0.0/16 | KSNET | UA | kyivstar.ua | Kyivstar PJSC
176.8.70.239|176-8-70-239-lzv.broadband.kyivstar.net.|15895 | 176.8.0.0/16 | KSNET | UA | kyivstar.ua | Kyivstar PJSC
178.137.29.163|178-137-29-163-broadband.kyivstar.net.|15895 | 178.137.0.0/16 | KSNET | UA | kyivstar.ua | Kyivstar PJSC
178.54.39.16|unallocated.sta.synapse.net.ua.|29107 | 178.54.0.0/17 | SYNAPSE | UA | synapse.net.ua | Open JSC Stock Company Sater
186.115.146.227||3816 | 186.115.144.0/21 | COLOMBIA | CO | - | Rapidotolima
186.34.172.184||6535 | 186.34.0.0/16 | Telmex | CL | telmex.com | Telmex Chile S.A HFC
188.138.227.43|188-138-227-43.starnet.md.|31252 | 188.138.128.0/17 | STARNET | MD | starnet.md | StarNet S.R.L
193.126.181.18||2860 | 193.126.0.0/16 | NOS_COMUNICACOES | PT | nos.pt | Nos Comunicacoes S.A.
193.203.51.47||48031 | 193.203.48.0/22 | XSERVER-IP-NETWORK | UA | brindirect.com | PE Ivanov Vitaliy Sergeevich
193.28.179.38|hostby.isp4you.cz.|58146 | 193.28.179.0/24 | SVOD | RU | - | Svod ltd.
193.28.179.39|hostby.isp4you.cz.|58146 | 193.28.179.0/24 | SVOD | RU | - | Svod ltd.
193.28.179.40|hostby.isp4you.cz.|58146 | 193.28.179.0/24 | SVOD | RU | - | Svod ltd.
194.146.199.200||21261 | 194.146.196.0/22 | STELS | UA | nadolinskiy.dn.ua | Stels ISP Ltd
195.140.160.46||48964 | 195.140.160.0/22 | ENTERRA | UA | abcname.net | Datasfera LTD
195.18.14.96||196638 | 195.18.12.0/22 | PROMTELECOM | UA | promtele.com | OJSC Promtelecom
196.218.187.142|host-196.218.187.142-static.tedata.net.|8452 | 196.218.0.0/16 | TE | EG | tedata.net | TE Data
201.187.15.184||14117 | 201.187.0.0/20 | Telefonica | CL | telsur.cl | Telefonica del Sur S.A.
201.219.169.169|vm-customer-201-219-169-169.megacable.com.ar.|28015 | 201.219.169.0/24 | MERCO | AR | megacable.com.ar | Merco Comunicaciones
206.72.206.74||19318 | 206.72.192.0/20 | XXXX(cencored) | US | interserver.net | Interserver Inc
206.72.206.75||19318 | 206.72.192.0/20 | XXXX(cencored) | US | interserver.net | Interserver Inc
206.72.206.76||19318 | 206.72.192.0/20 | XXXX(cencored) | US | interserver.net | Interserver Inc
206.72.206.77||19318 | 206.72.192.0/20 | XXXX(cencored) | US | interserver.net | Interserver Inc
206.72.206.78||19318 | 206.72.192.0/20 | XXXX(cencored) | US | interserver.net | Interserver Inc
211.120.158.247|zaqd3789ef7.zaq.ne.jp.|9617 | 211.120.128.0/19 | ZAQ | JP | jcom.co.jp | J:COM West Co. Ltd.
212.55.75.70|212-55-75-70.dynamic-pool.kanev.mclaut.net.|25133 | 212.55.74.0/23 | MCLAUT | UA | mclaut.in.ua | LLC Mclaut-Invest
213.111.223.250|250.223-pool.nikopol.net.|44924 | 213.111.192.0/18 | MAINSTREAM | UA | nikopol.net | PP MainStream
219.124.22.175|c022175.net219124.cablenet.ne.jp.|9378 | 219.124.16.0/21 | CABLENET | JP | cablenet.ne.jp | Jcom Kawaguchitoda Co. Ltd.
31.131.122.246|cl122-246.dhcp.multinet.ua.|41871 | 31.131.112.0/20 | RTL | UA | multinet.ua | Locom LLC
37.1.200.161||50673 | 37.1.200.0/21 | SERVERIUS | NL | 3nt.com | 3nt solutions LLP
37.1.202.195||50673 | 37.1.200.0/21 | SERVERIUS | NL | 3nt.com | 3nt solutions LLP
37.1.203.237||50673 | 37.1.200.0/21 | SERVERIUS | NL | 3nt.com | 3nt solutions LLP
37.229.178.56|37-229-178-56-broadband.kyivstar.net.|15895 | 37.229.0.0/16 | KSNET | UA | kyivstar.ua | Kyivstar PJSC
46.118.63.149|SOL-FTTB.149.63.118.46.sovam.net.ua.|15895 | 46.118.0.0/15 | KSNET | UA | golden-telecom.com | Golden Telecom
46.160.115.217|46.160.115.217.format-tv.net.|6712 | 46.160.114.0/23 | FORMAT-TV | UA | maxnet.ua | Maxnet Telecom Ltd
46.219.55.66|46.219.55.66.freenet.com.ua.|31148 | 46.219.55.0/24 | FREENET | UA | freenet.com.ua | Freenet Ltd.
46.63.32.75|pool-46-63-32-75.x-city.ua.|51784 | 46.63.32.0/21 | X-CITY | UA | x-city.ua | X-City Ltd.
5.105.56.87|5-105-56-87.mytrinity.com.ua.|43554 | 5.105.0.0/16 | CDS | UA | mytrinity.com.ua | Cifrovye Dispetcherskie Sistemy
5.178.184.197||28751 | 5.178.128.0/18 | CAUCASUS-NET | GE | caucasus.net | Caucasus Online Ltd.
5.248.243.45|5-248-243-45-broadband.kyivstar.net.|15895 | 5.248.0.0/16 | KSNET | UA | kyivstar.ua | Kyivstar PJSC
66.45.241.130|dsys417.server-1.biz.|19318 | 66.45.224.0/19 | XXXX(cencored) | US | interserver.net | Interserver Inc
66.45.241.131||19318 | 66.45.224.0/19 | XXXX(cencored) | US | interserver.net | Interserver Inc
66.45.241.132||19318 | 66.45.224.0/19 | XXXX(cencored) | US | interserver.net | Interserver Inc
66.45.241.133||19318 | 66.45.224.0/19 | XXXX(cencored) | US | interserver.net | Interserver Inc
66.45.241.134||19318 | 66.45.224.0/19 | XXXX(cencored) | US | interserver.net | Interserver Inc
77.109.23.44|77-109-23-44.dynamic.peoplenet.ua.|42396 | 77.109.20.0/22 | PPLNETUA | UA | 3gmobile.com.ua | PJSC Telesystems of Ukraine
77.121.44.40|dhcp-pool.net-77.121.44.host-40.sev.sevcable.net.|35680 | 77.121.32.0/19 | LINIATEL | UA | volia.net | Kyivski Telekomunikatsiyni Merezhi LLC
77.121.86.143|77-121-86-143.dynamic.kits.zp.ua.|25229 | 77.121.80.0/21 | VOLIA | UA | volia.net | Kyivski Telekomunikatsiyni Merezhi LLC
77.122.234.122|dynamic-77-122-234-122.ricona.net.ua.|25229 | 77.122.192.0/18 | VOLIA | UA | volia.net | Kyivski Telekomunikatsiyni Merezhi LLC
82.79.127.7|82-79-127-7.alexandria.rdsnet.ro.|8708 | 82.76.0.0/14 | RCS | RO | rdsnet.ro | RCS & RDS Business
89.137.97.166||6830 | 89.137.0.0/16 | LGI | AT | upcnet.ro | UPC Romania CLUJ-NAPOCA
89.185.30.21|CPE257021.tvcom.net.ua.|34092 | 89.185.24.0/21 | TVCOM | UA | tvcom.net.ua | TVCOM Ltd.
89.35.41.171|host-static-89-35-41-171.moldtelecom.md.|8926 | 89.35.40.0/21 | MOLDTELECOM | MD | moldtelecom.md | Societatea pe Actiuni Moldtelecom
89.41.38.24|24.38.41.89.panevo.ro.|35421 | 89.41.36.0/22 | PANELECTRO | RO | panevo.ro | SC Pan Electro SRL
93.177.178.40|host-93-177-178-40.customer.co.ge.|28751 | 93.177.160.0/19 | CAUCASUS-NET | GE | caucasus.net | Caucasus Online Ltd.
94.176.116.122|122.116.176.94.globnet.md.|48331 | 94.176.116.0/24 | GLOBNET | RO | globnet.md | S.C. Globnet S.R.L.
94.240.163.235||41232 | 94.240.160.0/19 | SSN | UA | flagman.zp.ua | TOV Flagman Telecom
94.76.78.20|94.76.78.20.freenet.com.ua.|31148 | 94.76.78.0/24 | FREENET | UA | freenet.com.ua | Freenet Ltd.
95.26.143.146|95-26-143-146.broadband.corbina.ru.|8402 | 95.26.0.0/15 | CORBINA | RU | beeline.ru | Beeline Broadband
95.65.55.6|95-65-55-6.starnet.md.|31252 | 95.65.0.0/17 | STARNET | MD | starnet.md | StarNet S.R.L
The snip of recent checked important IP addresses (in historical):

Follow up

With the good help from friends in EmergingThreat, the herder can kiss his botnet CNC traffic to its peers a goodbye from now on.

Epilogue

@MalwareMustDie "Whatever the LORD pleases, He does, In heaven and in earth, in the seas and in all deeps." Psalm 135:6

— ☩MalwareMustDie (@MalwareMustDie) December 21, 2015

This post is as a new additional "sin" for ↓this cyber crook↓ against our internet services.
Only a stupid fool like ↑this herder makes same mistakes over and over.

ZZZZZZZZZZZZZZZZZZ(censored).

The botherder closed the CNC servers disclosed in this post

If you have doubt of any truth stated in this post, see yourself the reaction of the botherder after we released this disclosure, the botherder had closed the account of the dedicated servers mentioned in this post (it was much more viewable before the censorship request received) in December 2015 after the original post was published online. Some PoC of this paragraph is the information below:

Good people always win against the badness. Because God above blessed us to think peacefully of some steps further than malicious cyber actors do.

#MalwareMustDie!

...













๐Ÿ“Œ Werkstatt: Pina baut eine OX-CNC โ€” Tag 10 โ€” cnc.js installieren und die erste Frรคsbahn


๐Ÿ“ˆ 40.26 Punkte

๐Ÿ“Œ netbeans-mmd-plugin bis 1.4.3 MMD File Import Request XXE erweiterte Rechte


๐Ÿ“ˆ 34.66 Punkte

๐Ÿ“Œ netbeans-mmd-plugin up to 1.4.3 MMD File Import Request XML External Entity


๐Ÿ“ˆ 34.66 Punkte

๐Ÿ“Œ Significant Increase in Kelihos Botnet Activity


๐Ÿ“ˆ 31.81 Punkte

๐Ÿ“Œ Significant Increase in Kelihos Botnet Activity


๐Ÿ“ˆ 31.81 Punkte

๐Ÿ“Œ AAXX-XXXX: TA14-353A YARA Rules Update


๐Ÿ“ˆ 27.88 Punkte

๐Ÿ“Œ Samsung SmartThings Hub STH-ETH-250 0.20.17 Video-Core Process /cameras/XXXX/clips HTTP Request memory corruption


๐Ÿ“ˆ 27.88 Punkte

๐Ÿ“Œ Samsung SmartThings Hub STH-ETH-250 0.20.17 /cameras/XXXX/clips memory corruption


๐Ÿ“ˆ 27.88 Punkte

๐Ÿ“Œ Samsung SmartThings Hub 0.20.17 Video-Core Process /cameras/XXXX/clips memory corruption


๐Ÿ“ˆ 27.88 Punkte

๐Ÿ“Œ Samsung SmartThings Hub 0.20.17 Video-Core Process /cameras/XXXX/clips memory corruption


๐Ÿ“ˆ 27.88 Punkte

๐Ÿ“Œ Samsung SmartThings Hub STH-ETH-250 0.20.17 Video-Core HTTP Server /cameras/XXXX/clips memory corruption


๐Ÿ“ˆ 27.88 Punkte

๐Ÿ“Œ How does rpm xxxx.deb would works?


๐Ÿ“ˆ 27.88 Punkte

๐Ÿ“Œ PSA: Twitch's 'Activity Sharing' Feature Exposes Your Activity By Default


๐Ÿ“ˆ 21.47 Punkte

๐Ÿ“Œ PSA: Twitch's 'Activity Sharing' Feature Exposes Your Activity By Default


๐Ÿ“ˆ 21.47 Punkte

๐Ÿ“Œ Medium CVE-2022-31528: Bonn activity maps annotation tool project Bonn activity maps annotation tool


๐Ÿ“ˆ 21.47 Punkte

๐Ÿ“Œ [webapps] GLPI Activity v3.1.0 - Authenticated Local File Inclusion on Activity plugin


๐Ÿ“ˆ 21.47 Punkte

๐Ÿ“Œ GitLab: Guests Will Disclose the Private Project Full Activity Via Project Activity Feeds


๐Ÿ“ˆ 21.47 Punkte

๐Ÿ“Œ #0daytoday #GLPI Activity v3.1.0 - Authenticated Local File Inclusion on Activity plugin Vulnerabil [#0day #Exploit]


๐Ÿ“ˆ 21.47 Punkte

๐Ÿ“Œ A deeper insight into the CloudWizard APTโ€™s activity revealed a long-running activity


๐Ÿ“ˆ 21.47 Punkte

๐Ÿ“Œ Regarding Kelihos Research


๐Ÿ“ˆ 21.08 Punkte

๐Ÿ“Œ [Slide|Video] Kelihos & Peter Severa; the "All Out" version


๐Ÿ“ˆ 21.08 Punkte

๐Ÿ“Œ Regarding Kelihos Research


๐Ÿ“ˆ 21.08 Punkte

๐Ÿ“Œ Kelihos Botnet Triples Its Size in Just 24 Hours


๐Ÿ“ˆ 21.08 Punkte

๐Ÿ“Œ US targets Kelihos botnet after Russian's arrest in Spain


๐Ÿ“ˆ 21.08 Punkte

๐Ÿ“Œ Spanish cops snatch suspected top spammer as US moves against Kelihos botnet


๐Ÿ“ˆ 21.08 Punkte

๐Ÿ“Œ Kelihos Analysis - Part 1


๐Ÿ“ˆ 21.08 Punkte

๐Ÿ“Œ Kelihos Botnet Triples Its Size in Just 24 Hours


๐Ÿ“ˆ 21.08 Punkte

๐Ÿ“Œ [Slide] The Kelihos & Severa; the "All Out" version


๐Ÿ“ˆ 21.08 Punkte

๐Ÿ“Œ [Slide|Video] Kelihos & Peter Severa; the "All Out" version


๐Ÿ“ˆ 21.08 Punkte

๐Ÿ“Œ Nach Hacker-Festnahme: FBI will Kelihos-Botnetz endgรผltig stilllegen


๐Ÿ“ˆ 21.08 Punkte

๐Ÿ“Œ Nach Hacker-Festnahme: FBI will Kelihos-Botnetz endgรผltig stilllegen


๐Ÿ“ˆ 21.08 Punkte

๐Ÿ“Œ Spammerโ€™s Arrest Puts End to Kelihos Botnet


๐Ÿ“ˆ 21.08 Punkte

๐Ÿ“Œ Kelihos Analysis - Part 1


๐Ÿ“ˆ 21.08 Punkte

๐Ÿ“Œ The Kelihos Botnet


๐Ÿ“ˆ 21.08 Punkte

๐Ÿ“Œ [Slide] The Kelihos & Severa; the "All Out" version


๐Ÿ“ˆ 21.08 Punkte

matomo