MW-Blog

The last weeks of the last year were very busy which was seen in lack of posts. I decided to take a little look back at last year to see what all happened. (more…)

After a few news sites picked up the entries on the suspicious TOR nodes I’ve had a few queries on the issue. (more…)

I decided to do some more digging on the TOR network to see whether there really are exit-nodes doing MITM attacks. As a target site, I picked up my home computer that had an SSL enabled server. (more…)

As most, if not everyone, know TOR is a network of proxies designed to give some privacy and anonymity to it’s users. Lately TOR has been in the news for quite a bit since a swedish hacker managed to sniff a huge load of user accounts and passwords belonging to foreign embassies. (more…)

The guy(s) behind the Virut botnet have been doing their malicious deeds for a long time now. What puzzles me is that they are still using the same domain names as they did ages ago (zief.pl, ircgalaxy.pl and so on). There’s also some connection between the Virut gang and RBN, the blackest of the black ISPs.

So, I decided to dig in a bit to see if I could locate anything. First of all, one the guys running zief.pl and ircgalaxy.pl goes under the nickname xmax.

Here’s some info on him:

He’s a half-op on PolNet (forum.ircnet.pl)
Birthdate claimed to be 17 Lut 1989 (February 17th 1989)
Name and surname: Max S (from Jabberpl)
Where: Kamienna Góra (from FCLiverPool.pl)

Email addresses:

xmax@canpol.pl
xmax@chrome.pl

Interestingly, canpol.pl redirects to softland.pl

LINKS:

http://forum.ircnet.pl/profile.php?mode=viewprofile&u=369&sid=8be147989567657c04b4504b0fa25eba
http://xmax.jogger.pl
http://www.last.fm/user/xmax/
http://jaggedalliance.pl/forum/profiles/814.htm
http://www.kamienna-gora.pl/en/index.html
Google cache hit in fcliverpool.pl
http://grono.net/pub/u/4424/

Ok, let’s move on. Another guy involved with zief.pl and ircgalaxy.pl goes under the nickname adx. He also seems to be an asm-whiz. Here’s some information on him:

Nickname: adx
Realname: Piotr Niżyński
Where: Warszawa (Warsaw)

Email Addresses:

adx@zief.pl
adx@crashnet.pl
adx@bezduszni.pl
adx@irc7.pl

Various links:

http://forum.ircnet.pl/viewtopic.php?p=19908&sid=c1b71d4a7e8d00c3db973dba524c7ac1
http://209.85.129.104/search?q=cache:kbBMbZ7QY8cJ:www.ksiazki.com/pl.irc_60.html+adx+zief&hl=fi&ct=clnk&cd=2&gl=fi
http://www.antywir.pl/post1039.html
http://www.adx.irc7.pl/
http://forum.ircnet.pl/profile.php?mode=viewprofile&u=740&sid=e3c8945c1eb2468be559683659f49586
http://www.grupy.waw.pl/stats-21961.html

I’ll try to see if I can dig something up a little later, but meanwhile you can check this out:

http://209.85.129.104/search?q=cache:mgPye9UW60UJ:www.htn.pl/index.html%3Fid%3D8+%22Piotr+Ni%C5%BCy%C5%84ski%22&hl=fi&ct=clnk&cd=10&gl=fi

Seems that the guys might be running a legitimate cover on their operations.

If you know a capable contact inside the Polish police forces you might point them to some of the information seen here. It would be high time to get these guys off the market.

Even though this is a late warning, take heed.

If you are running TrendMicro installations that haven’t been patched in a while please patch them soon :) There’s already malwares that exploit the vulnerable installations.

I’ve launched a forum concentrating on malwares, packers and reverse engineering. The forums can be reached here:

http://www.teamfurry.com/index.php

If you have any questions on any of the topics handled here or any other questions relating to them send your queries to the forum. Also, as a result of craploads of automated comment spam bombarding the blog, commenting will be disabled. Any comments to blog entries can be submitted to the forums in it’s own board.

Just noticed several pump&dump scams that dropped in my inbox. The attachment seems to be usually named “detail invoice” or “detail report<random numbers>, and being in the Excel .xls format. (more…)

I’m seeking 1 or 2 person(s) to write entries here. I don’t need the typical BS entries that plaque the blogs (”This week, I’ve been mostly eating thawed chickens”, anyone?) What I need is someone who loves to pick packers and malwares apart and who is prepared and capable of putting the process into writing. There are no quotas to meet in writing: write what you want when you want as long as it’s got something to do with malwares / packers / reverse engineering, and as long as you don’t do anything illegal. So, if you have the morals and integrity as well as capability, contact me with a short introduction of yourself: what you do and so on. And add a few links or snippets of what you’ve written. Mails should be sent to toni(_at_)teamfurry.com

Cheers!

You might have heard of a malware called Nuclear Grabber before. It’s a nasty trojan, written by a russian malware writer called Corpse, that’s designed to be a flexible data stealing platform. Nuclear Grabber is sold on a russian site for a hefty price, and each sold version is unique and private. (more…)