<![CDATA[[SecurityRatty] tag: xmas]]>

<![CDATA[[SecurityRatty] tag: xmas]]> http://securityratty.com/tag/xmas Mon, 24 Dec 2007 15:33:57 +0000 iRatty Engine http://blogs.law.harvard.edu/tech/rss <![CDATA[I want one Santa!]]> http://securityratty.com/article/89d3ee7c6d80bf5c5d00de224adad33b http://securityratty.com/article/89d3ee7c6d80bf5c5d00de224adad33b Add this to your Xmas wish list. You know I did.

clipped from web.mit.edu

The WARCART

“Warcarting: when
wardriving, warwalking, warflying, warrocketing, warballooning, warbiking, and
warboating are just not good enough.”

“You’ve been wardriving, but
have you ever gone warcarting?”

“Warcarting: because
wardriving is so 2000, and warflying is so 2002.”

“Warcarting: the hobo’s
approach to wireless communications interception.”

“Warcarting: wardriving on a
budget”

]]> Tue, 05 Aug 2008 14:10:00 +0000 wireless communications interception hobos xmas budget web warcart approach list mit I want one Santa! <![CDATA[The New Media Malware Gang - Part Two]]> http://securityratty.com/article/c279dc531962fb0c454b3951d45b3649 http://securityratty.com/article/c279dc531962fb0c454b3951d45b3649

How you would you go for ruining the Xmas holidays of a malware gang directly related to the RBN, Storm Worm, Possiblity Media's malware attack, and the malware embedded at the Syrian Embassy's web site, the way they've ruined the holidays for lots of security folks out there? You disclose all of their publicly known and currently active "online properties", submit them to Stopbadware, then see how they reply with a "Die();" message on one of their IPs (85.255.116.206), which is instantly confirming the positive ROI of your actions. The New Media Malware gang currently operates the following domains/IPs :

flashupdate.net/images/index.php
taktomi.ru/NewYear/ad
l0calh0st.jino-net.ru/tds3
jkh-novgorod.ru/wstat/adpack/
natural-amber.com/spl2/index.php
s0s1.net/mp3/index.php
trffc.org/in.cgi?default
home-xxx.com/shaven/index.shtml
85.255.116.206/ax2/load.php
testers.x5x.ru/subpage/index.php
traffurl.ru/sliv/?91956802f6fabf
88.255.94.250/ddd/index.php
91.192.105.6/images
r52.juhost.ru/ip/index.php
orentraff.cn/tdsslam/index.php?out=1193100109
xll-g.com/beaty/13389babe/cumoninn.com.html
xmaturelife.com/0419/kim5.html
e-learningcenter.ru/eng/index_files/input000.htm
apnea.health-hack.com/old/index.php
milk0soft.com/ipck/index.php
85.255.116.206/ax3/loadj947.php
85.255.116.206/ax2/tet.php
85.255.116.206/ax3/tet.php
spl.vip-ddos.org
spl.vip-ddos.org/index.php

Now go migrate your "infrastructure" on the 31st of December. Happy holidays to you too!

]]> Fri, 28 Dec 2007 15:17:45 +0000 malware php malware gang directly media malware gang malware attack holidays happy holidays xmas holidays spl The New Media Malware Gang - Part Two <![CDATA[Spreading Malware Around the Christmas Tree]]> http://securityratty.com/article/4907dd75af563bd69ecce94a73eb7766 http://securityratty.com/article/4907dd75af563bd69ecce94a73eb7766

Stormy Wormy is back in the game on the top of Xmas eve, enticing the end users with a special Xmas strip show for those who dare to download the binary. The domain merrychristmasdude.com is logically in a fast-flux, here are some more details :

Administrative, Technical Contact
Contact Name: John A Cortas
Contact Organization: John A Cortas
Contact Street1: Green st 322, fl.10
Contact City: Toronto
Contact Postal Code: 12345
Contact Country: CA
Contact Phone: +1 435 2312633
Contact E-mail: cortas2008 @ yahoo.com

Name Server: NS.MERRYCHRISTMASDUDE.COM
Name Server: NS10.MERRYCHRISTMASDUDE.COM
Name Server: NS13.MERRYCHRISTMASDUDE.COM
Name Server: NS9.MERRYCHRISTMASDUDE.COM
Name Server: NS11.MERRYCHRISTMASDUDE.COM
Name Server: NS3.MERRYCHRISTMASDUDE.COM
Name Server: NS4.MERRYCHRISTMASDUDE.COM
Name Server: NS6.MERRYCHRISTMASDUDE.COM
Name Server: NS2.MERRYCHRISTMASDUDE.COM
Name Server: NS5.MERRYCHRISTMASDUDE.COM
Name Server: NS7.MERRYCHRISTMASDUDE.COM
Name Server: NS8.MERRYCHRISTMASDUDE.COM
Name Server: NS12.MERRYCHRISTMASDUDE.COM

The domain also has an embedded IFRAME pointing to merrychristmasdude.com/cgi-bin/in.cgi?p=100 where two javascipt obfuscations, courtesy of the Neosploit attack kit attempt to load. Current binary (stripshow.exe) has an over 50% detection rate 17/32 (53.13%). Stay tuned, AV vendors will reach another milestone on the number of malware variants detected, despite that compared to the real, massive Storm Worm campaign this one is fairly easy to prevent on a large scale.

Related info - SANS, ASERT, TEMERC, DISOG.

]]> Mon, 24 Dec 2007 15:33:57 +0000 contact contact postal code technical contact server contact organization contact city contact country contact street1 contact phone Spreading Malware Around the Christmas Tree