Archive for the ‘General InfoSec’ Category

Tor-node stripping out TLS in SMTP conversations

Monday, January 28th, 2008

I spotted a nice incoming link regarding The Onion Router (TOR). This time an exit-node was caught modifying the capabilities advertised by SMTP servers, stripping out the TLS capability (the STARTTLS extension, i.e. encryption) so that connecting clients are forced to send everything as clear text.

Here’s the link to the post.
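As an added example (not code from the original post), here is the check a mail client should make against the downgrade described above: parse the EHLO capability list and refuse to continue in clear text when STARTTLS is missing. The two EHLO replies are constructed samples, with hostnames assumed for illustration.

```python
"""
Detect a STARTTLS-stripped EHLO response and enforce a TLS-required policy.

The two EHLO responses below are constructed samples, not captures from the
original post: one as an honest mail server would answer, one as seen through
a tampering relay that removed the STARTTLS line.
"""
import re

HONEST_EHLO = (
    "250-mail.example.org Hello client.example.net\r\n"
    "250-SIZE 35882577\r\n"
    "250-8BITMIME\r\n"
    "250-STARTTLS\r\n"
    "250 ENHANCEDSTATUSCODES\r\n"
)

# Same server, with the STARTTLS line stripped in transit.
TAMPERED_EHLO = HONEST_EHLO.replace("250-STARTTLS\r\n", "")


def parse_ehlo(response: str) -> set:
    """Return the set of extension keywords advertised in a 250 EHLO reply.

    RFC 5321 replies are '250-KEYWORD [params]' for intermediate lines and
    '250 KEYWORD' for the last one; the first line is the server greeting.
    """
    caps = set()
    for line in response.splitlines()[1:]:     # skip the greeting line
        m = re.match(r"^250[- ](\S+)", line)
        if m:
            caps.add(m.group(1).upper())
    return caps


def next_action(response: str, require_tls: bool = True) -> str:
    """Decide what a client should do after reading the EHLO reply.

    A client that requires TLS must abort when STARTTLS is missing instead
    of silently falling back to clear text, which is exactly the downgrade
    a stripping relay relies on.
    """
    if "STARTTLS" in parse_ehlo(response):
        return "STARTTLS"
    return "ABORT" if require_tls else "PLAINTEXT"


def stripped_capabilities(expected: str, observed: str) -> set:
    """Capabilities in a known-good EHLO reply that are absent from the observed one."""
    return parse_ehlo(expected) - parse_ehlo(observed)
```

Comparing a reply seen through a proxy or relay with one obtained on a direct connection, as `stripped_capabilities` does, is a simple way to spot this kind of tampering.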

It isn’t as if we didn’t see it coming

Thursday, January 17th, 2008

The MBR rootkit has been in the news a bit lately. Packing ancient evil, the beast modifies the MBR (Master Boot Record) to bootstrap itself and rootkit the whole operating system. (more…)

From the tubes

Monday, January 7th, 2008

[quote]
TV presenter Jeremy Clarkson has lost money after publishing his bank details in his newspaper column.

The Top Gear host revealed his account numbers after rubbishing the furore over the loss of 25 million people’s personal details on two computer discs.

He wanted to prove the story was a fuss about nothing.

But Clarkson admitted he was “wrong” after he discovered a reader had used the details to create a £500 direct debit to the charity Diabetes UK.
[/quote]

You can view the whole article here.

Taking a look back

Wednesday, January 2nd, 2008

The last weeks of last year were very busy, which showed in the lack of posts. I decided to take a little look back at the year to see what all happened. (more…)

Flushing out MITM attacks in the TOR network

Thursday, November 22nd, 2007

After a few news sites picked up the entries on the suspicious TOR nodes I’ve had a few queries on the issue. (more…)

TOR exit-node doing MITM attacks

Tuesday, November 20th, 2007

I decided to do some more digging on the TOR network to see whether there really are exit-nodes doing MITM attacks. As a target site, I picked my home computer, which had an SSL-enabled server. (more…)

On TOR

Monday, November 19th, 2007

As most, if not everyone, know, TOR is a network of proxies designed to give some privacy and anonymity to its users. Lately TOR has been in the news quite a bit since a Swedish hacker managed to sniff a huge load of user accounts and passwords belonging to foreign embassies. (more…)

So, who is behind Virut?

Tuesday, September 4th, 2007

The guy(s) behind the Virut botnet have been doing their malicious deeds for a long time now. What puzzles me is that they are still using the same domain names as they did ages ago (zief.pl, ircgalaxy.pl and so on). There’s also some connection between the Virut gang and RBN, the blackest of the black ISPs.

So, I decided to dig in a bit to see if I could locate anything. First of all, one of the guys running zief.pl and ircgalaxy.pl goes under the nickname xmax.

Here’s some info on him:

He’s a half-op on PolNet (forum.ircnet.pl)
Birthdate claimed to be 17 Lut 1989 (February 17th 1989)
Name and surname: Max S (from Jabberpl)
Where: Kamienna Góra (from FCLiverPool.pl)

Email addresses:

xmax@canpol.pl
xmax@chrome.pl

Interestingly, canpol.pl redirects to softland.pl

LINKS:


Ok, let’s move on. Another guy involved with zief.pl and ircgalaxy.pl goes under the nickname adx. He also seems to be an asm-whiz. Here’s some information on him:

Nickname: adx
Realname: Piotr Niżyński
Where:
Warszawa (Warsaw)

Email Addresses:

adx@zief.pl
adx@crashnet.pl
adx@bezduszni.pl
adx@irc7.pl

Various links:


I’ll try to see if I can dig something up a little later, but meanwhile you can check this out:

http://209.85.129.104/search?q=cache:mgPye9UW60UJ:www.htn.pl/index.html%3Fid%3D8+%22Piotr+Ni%C5%BCy%C5%84ski%22&hl=fi&ct=clnk&cd=10&gl=fi

Seems that the guys might be running a legitimate cover on their operations.

If you know a capable contact inside the Polish police forces you might point them to some of the information seen here. It would be high time to get these guys off the market.

Patch ‘em TrendMicroes

Wednesday, August 29th, 2007

Even though this is a late warning, take heed.

If you are running TrendMicro installations that haven’t been patched in a while, please patch them soon :) There is already malware that exploits the vulnerable installations.

Forums launched

Wednesday, August 29th, 2007

I’ve launched a forum concentrating on malwares, packers and reverse engineering. The forums can be reached here:

http://www.teamfurry.com/index.php

If you have any questions on any of the topics handled here, or any other questions relating to them, send your queries to the forum. Also, as a result of craploads of automated comment spam bombarding the blog, commenting will be disabled. Any comments on blog entries can be submitted to the forums in its own board.
