The messages looked like this:
 | |
|
 |
| zip file ! |
 |
| crunchpress image folder with some aditional content |
 |
| Oh noez! no pics just exe : ( |
 |
| virustotal results |
 |
| Actual bad stuff downloaded here |
 |
| hi ho |
Showing posts with label cybercrime. Show all posts
Showing posts with label cybercrime. Show all posts
Monday, 18 March 2013
Skype Malware Analysis
When i came back from work today and fired up Skype, multiple messages popped up immediately. Some of them in in English and some in Polish, but all leading to the same url with "pictures" of me ; oo. Another interesting fact was that all the messages came from people working at the same company (zomg APT alert ;D).
The messages looked like this:
We check what is behind the url shortener:
Crunchpress seems to be a 'hacked' website:
Lets download and unzip it:
Quick scan @ virustotal.com gives 7/44 and identifies the file as a dropper:
Not surprisingly it downloads something using HTTP protocol:
Let's see what we have there. First some quick geo localization request:
Next a list of 'unwanted' domain names is downloaded (full list available here).
The messages looked like this:
Monday, 5 March 2012
Kelihos botnet - mostly located in Poland
Recent post on abuse.ch about the comeback of Kelihost botnet shows some interesting statistics. Most of the host are located in Poland. 279 out of 809 hosts to be more specific. Below a list of big polish internet providers:
- UPC - 91 hosts
- Vectra Technologie S.A. - 42
- Multimedia Polska Sp. z o.o. - 41
- Telokomunikacja Polska S.A. - 38
- PTK Centertel Sp. z o.o. - 11
 |
| Source: abuse.ch |
Subscribe to:
Posts (Atom)