06/12/13

Government use of Cyber Weaponized Exploits

gAtO rEaD- The government is buying hackers exploits – not to stop these sophisticated cyber exploits but to use these tools against it’s own people- they are using the tools to infiltrate computer networks worldwide, leaving behind spy programs and cyber-weapons that can disrupt data or damage systems.network

The core problem: Spy tools and cyber-weapons rely on vulnerabilities in existing software programs, and these hacks would be much less useful to the government if the flaws were exposed through public warnings. So the more the government spends on offensive techniques, the greater its interest in making sure that security holes in widely used software remain unrepaired. So your computer is vulnerable and the governments knows it and will not disclose this information, but use it against you to place cookies,RAT’s or other spyware into your computer -maybe- I trust our government don’t you?

If you got nothing to hide, you should not be worried… right????

So our Tax dollars are going to Hackers and cyber criminals that sell these exploits all over the world. As a tax payer I don’t like this part at all. But the worst part is by us taking the lead of cyber offensive cyber tools -example.. Stuxnet – it is a plan book for other countries to do the same. So what we do in cyberspace has become socially acceptable to do in cyberspace and then we bitch about China. I don’t get it – mEoW

Officials have never publicly acknowledged engaging in offensive cyber-warfare, though the one case that has beenmost widely reported – the use of a virus known as Stuxnet to disrupt Iran’s nuclear-research program – was lauded in Washington. Officials confirmed to Reuters previously that the U.S. government drove Stuxnet’s development, and the Pentagon is expanding its offensive capability through the nascent Cyber Command.

Then you have the Prism disclosure and PoW- US Cyber Agents Disrupt Publication of Popular Al Qaeda Magazine – This means that Obama’s cyber military is potentially capable of more targeted attacks, specified at damaging particular pieces of information or infrastructure. I wonder where they got those vulnerabilities? maybe some bad guys—/Nato_cyber_plat

What worries me is as the U.S engages in these attacks our enemies are learning what is acceptable in cyberwar. So we must be careful not to lose the fact that everyone is watching what we do and how we treat cyberspace and others governments will follow, defensive and offensive, they are learning from the best the U.S. Government -gAtO oUt

ref: http://www.reuters.com/article/2013/05/10/us-usa-cyberweapons-specialreport-idUSBRE9490EL20130510

 

http://www.businessinsider.com/us-cyber-agents-disrupt-inspire-magazine-2013-6

 

 

03/24/13

Tor is NOT the ONLY Anonymous Network

gAtO fOuNd – this very interesting and wanted to share -

Tor does some things good, but other anonymous networks do other things better. Only when used together do they work best. And of course you want to already know how to use them should something happen to Tor and you are forced to move to another network.fin_07

Try them! You may even find something interesting you cannot find on Tor!

Anonymous networks

These are well known and widely deployed anonymous networks that offer strong anonymity and high security. They are all open source, in active development, have been online for many years and resisted attack attempts. They run on multiple operating systems and are safe to use with default settings. All are well regarded.

  • Tor – Fast anonymous internet access, hidden websites, most well known.
  • I2P – Hidden websites, anonymous bittorrent, mail, out-proxy to internet, other services.
  • Freenet – Static website hosting, distributed file storage for large files, decentralized forums.

Less well known

Also anonymous networks, but less used and possibly more limited in functionality.

  • GnuNet – Anonymous distributed file storage.
  • OneSwarm – Bittorrent, has a non-anonymous mode, requires friends for anonymity.
  • RetroShare – File-sharing, chat, forums, mail. Requires friends, and not anonymous to those friends, only the rest of the network.
  • Omemo – Distributed social storage platform. Uncertain to what extent it is anonymous.

Non-free networks

These are anonymous networks, but are not open source. Therefore their security and anonymity properties is hard to impossible to verify, and though the applications are legit, they may have serious weaknesses. Do not rely on them for strong anonymity.

  • Osiris – Serverless portal system, does not claim to provide any real anonymity.

In development

  • Phantom – Hidden Services, native IPv6 transport.
  • GlobaLeaks – Open Source Whistleblowing Framework.
  • FreedomBox – Project to create personal servers for distributed social networking, email and audio/video communications.
  • Telex – A new way to circumvent Internet censorship.
  • Project Byzantium – Bootable live distribution of Linux to set up wireless mesh nodes with commonly available hardware.
  • Hyperboria A distributed meshnet built on cjdns.

Routing Platforms

These are internets overlaid on the internet. They provide security via encryption, but only provides weak to none anonymity on their own. Only standard tools such as OpenVPN and Quagga are required to connect. Responsibility for a sufficiently anonymous setup is placed on the user and their advertised routes. More suited for private groups as things out in the open can be firewalled by other participants. Can be layered above or below other anonymity nets for more security and fun.

  • Anonet – AnoNet2, a more open replacement for AnoNet1.
  • dn42 – Another highly technical routing community.
  • CJDNS, an IPV6 overlay network that provides end to end encryption. It is not anonymous by itself.

Alternative Internet

  • Netsukuku – A project that aims to build a global P2P online network completely independent from the Internet by using Wi-Fi. The software is still in active development, although the site is no longer updated. A new site is in progress of being built.
  • Many other wireless communities building mesh networks as an alternative to the Internet, e.g. Freifunk, http://guifi.net and many more around the globe. see also

Alternative domain name systems

  • Namecoin – Cryptocurrency with the added ability to support a decentralised domain name system currently as a .bit.
  • OpenNIC – A user controlled Network Information Center offering a democratic, non-national, alternative to the traditional Top-Level Domain registries.
  • Dot-P2P – Another decentralized DNS service without centralized registry operators (at July 18, 2012 page is not accessible and has not known anything about the status of project from February 2011).

See Also

11/16/12

White Hat Bot-Nets

gAtO wAs - reading Bloomberg BusinessWeek “ The Hacker of Damascus” Karin a 31-year-old doctor had spent the previous months protesting against the government of Damascus, he refuse to give up his friends names.

Before the arrest-/ before the torture/- they found a simple vulnerability thru Skypes they also got into his hard drive and as Karin said they arrested his computers data first them him. So now we see the black hats, spammer, cyber criminal tricks against people from their own governments. Is this the way it’s going to happen, we see the news today about 2 ladies and their General boy toys and WOW -mEoW.

In Georgia detains ministry for using malware to access opposition leaders computers – This is just another example of governments using criminal cyber tactics to gain intelligence from it’s own people.

 

 

The other side of the cyber struggles in Syria is Anonymous and their role in all this: On the other side, the hacktivist group Anonymous has infiltrated at least 12 Syrian government websites, including that of the Ministry of Defense, and released millions of stolen e-mails.  

Cyberspace and it’s tools (weapons) like Facebook, Twitter – can be used by both sides  in this evolving landscape of digital warriors. That is why gATo is sadden by how basic normal Internet tools can become killers and liberators. I guess I see the fog of cyberwar thru gATO eYe’S we have only seen defensive cyber tools so far Suxnet and others are only the beginning and the new economies that had no choice but a digital path into their infrastructure need to look at their own security a wee bit more close. DId Huawei (China’s Telecom Giant accused of having backdoor ) sell you those Network infrastructure pieces at a very cheap price -(lowest bidder (or a no-bid)contract) -well guess who is watching you…

SCADA cyber controls security SUCKs = infrastructure things (energy/transportation/communication/water/air) = fix them NOW

Since no Cyber Bill has gone before congress -President Obama after a major election went and signed  a-

US secret CYber Law singed by Pres. Obama -Nov 15, 2012

Rather, the directive establishes principles and processes for the use of cyber operations so that cyber tools are integrated with the fully array of national security tools we have at our disposal. It provides a whole-of-government approach consistent with the values that we promote domestically and internationally as we have previously articulated in the International Strategy for Cyberspace.

This directive will establish principles and processes that can enable more effective planning, development, and use of our capabilities. It enables us to be flexible, while also exercising restraint in dealing with the threats we face. It continues to be our policy that we shall undertake the least action necessary to mitigate threats and that we will prioritize network defense and law enforcement as the preferred courses of action. The procedures outlined in this directive are consistent with the U.S. Constitution, including the President’s role as commander in chief, and other applicable law and policies. http://killerapps.foreignpolicy.com/posts/2012/11/14/the_white_houses_secret_cyber_order

So now even 31-year-old doctors need to worry what they do and who they talk to and WHAT they talk about -/ also- in Facebook, Skype or any other web-App-  By the way —>These basic vulnerabilities can be found and exploited in any web-app – So this person may of worked at the water plant – or the electric plant what could these White Hat Bots have obtained?? These little White Hat BotNets may go rouge or may be captured this is about virtual digital world with a click of a mouse I GOT YOU!!! -PWN

Will this become the standard? The good and bad guy’s do it NOW- plant a virus suck up your disk / then check it out – BUT “if you got nothing to hide” well it’s OK then — right - gAtO oUt

10/28/12

Cyber-War Digital -vs- Global Currency

gAtO rEaD - in Forbes – “Biitcoin Prevent Monetary Tyranny” -mEoW- Currency tyranny by global bankers and government can be down right ugly. They can shape debt into deliberate inflation, they can enforce persecutory capital control or even pre-arrange default – let’s not forget LIBOR manipulation and austerity against countries after they have ripped out all natural resources, install a puppet king and all that jazz —/ everything controlled by THE BANK CARTEL. On the other side of the coin..//

On Oct. 6 Susanne Posel reported -/ an attempt to hack into the U.S.A executive branch’s computer system through an unclassified network.  That’s the White House kitties with a simple “Spear Phishing” attack. They trolled for names of Top Military and government officials in Google’s Gmail account and got a few hit. Once again “Open Source Intelligence”  

- everything goes somewhere and gAtO (as well as others) goes everywhere.

A few days later the Iranians government blocked Gmail by government officials due to fears that Email can be a point of infection for attacks- I think that’s in the security 101 course

Bruce Schneier one of our cyber gods that knows what he is talking about say’s it best about chicken little screaming “the cyber Sky is falling” – STROKING CYBER FEARS – “Secretary Panetta’s recent comments are just the latest; search the Internet for “cyber 9/11,” “cyber Pearl-Harbor,” “cyber Katrina,” or — my favorite — “cyber Armageddon.” But Bruce says it best in his own words  “There’s an enormous amount of money and power that results from pushing cyberwar and cyberterrorism: power within the military, the Department of Homeland Security, and the Justice Department; and lucrative government contracts supporting those organizations. As long as cyber remains a prefix that scares, it’ll continue to be used as a bugaboo.”  -may I add-/ to make lots of MONEY in private-corporation and government contracts worldwide. Fear + Cyber Security = BIG $$$

Fear is what bankers see as Africa is the first country that is being targeted for the BitCoin virtual currency. Imagine the turmoil in Nigeria and other places in Africa it has had a history of unstable governments the idea of a digital currency is appealing… La-Times read -Africa — the next frontier for virtual currency?

BUT the Bitcoin is NOT ready People[1] Satoshi warned us – it’s BETA software – It has only 21 Million bit coins and the last Bitcoin will be mined in 2040 – Governments and corporations have already started the propaganda that Bitcoin’s are EVIL. — 

The most important thing is, we must all be active in out lives to make the new future- They fear us “the people” will wake up and take control of our lives” – the new generation was born with a cell device in their hand and they are using it earlier and earlier to communicate.

The Cyber war that we see is not as bad as the Cyber War that is being fought with fear and propaganda because the bankers will lose control with – One World Currency – One World Government – that is what the hacktivist want, the new kids, the new generation.

Cyberspace is the city of Babel and in this mystical city everyone was able to communicate to anyone and exchange idea, dreams and culture—/ but this cause the priest to lose control so they destroyed it and made it EVIL. It’s only Evil when you lose your power, It is EVIL when you give them control and power — it’s our turn now -gAtO oUt

References:

[1] Satoshi Nakamoto – Bitcoin Creator -https://en.bitcoin.it/wiki/Satoshi_Nakamoto

http://latimesblogs.latimes.com/world_now/2012/04/bitcoin-virtual-money-africa-rudiger-koch.html

http://www.forbes.com/sites/jonmatonis/2012/10/04/bitcoin-prevents-monetary-tyranny/ Bitcoin Prevent Monetary Tyranny

10/25/12

The deep Dark Web -Book Release

gATO hApPy

AVAILABLE @ AMAZON - http://www.amazon.com/dp/B009VN40DU

AVAILABLE @SmashWords website  @http://www.smashwords.com/books/view/247146

I learned that I hate WORD: – but it’s the general format for publishing  - text boxes- get imbedded and you can’t format to EPUB or .mobi or anything – solution after going lOcO gAtO - was copy and paste into txt editor – save as RTF then copy paste back into a new WORD document and then reformat everything from scratch – and copy over the pictures – as you can tell I had fun-..-ugh mEoW F-F-F-F as much fun as a hairball but if it get’s the message out “FREEDOM OF SPEECH IN CYBERSPACE” then we done our job, anyway I hope you read it - Thank you Pierluigi a best friend a security gAtO ever had - gATO oUt

This Book covers the main aspects of the fabulous and dangerous world of -“The Deep Dark Web” . We are just two cyber specialists Pierluigi Paganini & Richard -gAtO- Amores, with one passion and two souls we wanted to explain the inner working of the deep dark web. We have had a long collaboration in this efforts to document our findings we made infiltrations into the dark places inaccessible to many to give a you the reader a clear vision on the major mystery of the dark hidden web that exist today in the Tor Onion network..

The Web, the Internet, mobile cell devices and social networking has become commonly used words that identify technological components of daily Internet user’s experience in the cyberspace. But how much do we really know about cyberspace? Very, very little, Google / Yahoo / Bing only show us 20% of the Internet the other 80% is hidden to the average user unless you know were to look.

The other 80% of the Internet is what this book is about the “Deep Dark Web”, three words with millions of interpretations, mysterious place on the web, the representation of the hell in the cyberspace but also the last opportunity to preserve freedom of expression from censorship. Authorities and corporation try to discourage the use of this untapped space because they don’t control it. We the people of the free world control this network of Tor -Onion Routers by volunteer around the world.

The Deep Dark Web seems to be full of crooks and cyber criminals, it is the hacker’s paradise, where there are no rule, no law, no identity in what is considered the reign of anonymity, but this is also the reason why many persecuted find refuge and have the opportunity to shout to the world their inconvenient truths.

The Deep Dark Web is a crowded space with no references but in reality it is a mine of information unimaginable, a labyrinth of knowledge in the book we will try to take you by the hand to avoid the traps and pitfalls hopefully illuminating your path in the dark.

Cybercrime, hacktivism, intelligence, cyber warfare are all pieces of this complex puzzle in which we will try to make order, don’t forget that the Deep Dark Web has unbelievable opportunity for business and governments, it represents the largest on-line market where it is possible to sell and acquire everything, and dear reader where there is $money$  you will find also banking, financial speculators and many other sharks.

Do you believe that making  money in Deep Web is just a criminal prerogative? Wrong, the authors show you how things works in the hidden economy and which are the future perspectives of is digital currency, the Bitcoin.

This manuscript proposes both faces of the subject, it illustrates the risks but also legitimate use of anonymizing networks such as TOR adopted by journalist to send file reports before governments agents censored his work .

Here are some question we may answers to:

How many person know about the cyber criminals and their ecosystem in the deep web? 

How many have provided information on the financial systems behind the “dirty affairs”? 

How the law enforcement and governments use Dark Web?

Let’s hold your breath and start the trip in the abyss of knowledge to find answers to the above questions. We hope that with this book you can learn something new about – The Deep Dark Web.

09/24/12

Dark Heart botnet ToR-C2 BULLET proof server collector

gAtO fOuNd - this –// it’s crook selling to crooks take it at face value -/ but it does have some interesting ideas on what is out there in criminals hands and what is going on in the dark web. Now these are 10,000 yes 10k botnets can work in the clearWeb as well as Tor and i2p anonymized networks should cause some concern because normally we don’t monitor them.  Tor Domain-flux for both clearWeb and Tor – ( Tor Domain-flux- this is so easy to do but it’s a big feature) – VPN then Tor that will make this harder to find the botMaster. But the coolest feature is the i2p connection. Sorry boy’s and Ladies but Tor is getting old, i2p is beginning to glow and it’s a little different but very safe. It goes after (scanning)  WiFi and GPS tracking – So people sync your phone data to your computers data please…C&C and // one- BULLET proof server collector -

It not very hard to do this but – C&C and // one- BULLET proof server collector – is the sales pitch anyway I have obfuscated some links and names -find it your self – I know gAtO can build this so anyone can with some light reading – that comes out to .80 cents per bot for 10,000 bots -0ne c&c panel for $8,000 bucks – pretty cheap – oh yeah the readme comes in english too.

This modified Dark Heart bots and c&c in Tor ?12p ? 256-EAS encryption- We already have reports of it by different names but this was posted around Aug 7 2012.   Here is the –/ poor mans –Tor Domain-flux is so easy when you generate a hidden service it produces a key for your address in Tor onion land / just move the key to another directory and generate your new net key and so on and so on… Some of this is really well though out —/ but I don’t trust anyone and it’s so easy to build from scratch- gAtO oUt

—— – EDUCATIONAL – ONLY – ————— – EDUCATIONAL – ONLY – ————— – EDUCATIONAL – ONLY – ———

Dark Heart botnet— NOT – for sale $8000

Run on windows clients – I need 3 C&C server IP addresses to hardcode and obfuscate

bot coded in assembly no dependencies

Each build has maximum of 10k bots to ovoid widespread av detection.

Basic bot uses socks5.

built in ssh client

(fast-flux)

Bot is built with 30k pre generated 256 bit AES keys.

1 256 bit AES key for logs

1 256 bit AES key ssh

1 256 bit AES key socks 5

hwid it selects a pre-generated key 256 bit AES key.

Bot writes encrypted data into common file using stenography process injection

Download/Upload Socks5

Bot sends data to a collector bot via socks5 through ipv6 which makes NAT traversal a trivial matter.

Using ipv6 in ipv4 tunnel.

Collector bot assembly /tor and i2p Plug-ins C++ /Assuming 10k bots

Bots will be assigned into small groups of 25. And are assigned 400 collectors bots which is evenly 200 tor and 200 i2p.

Collector packages the encrypted logs and imports them into a .zip or rar archive and uses sftp to upload through tor to a bullet proof server Note the Ukraine is best know.

(Domain-flux .onion panel can be easily moved)

Using a Ubuntu Server on bullet proof server.  / Using tor and Privoxy. Panel can be routed through multiple cracked computers using proxychains and ssh.  / Server uses a simple .onion panel with php5 and apache2 and mysql. You might ask what happens if bullet proof server is down. The collector bots can be loaded with 5 .onion panels. If panel fails for 24 hours its removed from all Collectors and bot will go to the next one and so forth. A python Daemon runs and unzip the data and Imports it into a mysql database were it remains encrypted.

The bot master uses my Dark Umbrella.net panel to connect to the remote Bullet Proof server through a vpn and then through tor using ssh to run remote commands on server and sftp to upload and download. Running tor through a log less vpn through with a trusted exit node on the tor network. .net panel connects to mysql database database is decrypted on .NET panel (Note must real Bullet Proof hosting is not trust worthy this solves that issue) and imported into a local .mdb database. Then later the bot Master should encrypt database folder on true crypt. Commands are sent to bots individually rather then corporately like most bot nets. This allows for greater anonymity It will be possible to send commands corporately but strongly discouraged. Collector bots download and upload large files through i2p.

1.Connects remotely to rpc daemon through backconect and simplifying metasploit (Working)

2.Social network cracker. (Beta)

3.Statics. (Working)

4.Anonymity status. (Working)

5.Decrypt-er. Decryption codes in highly obfuscated.net limiting each build to 10k bots. (Working)

6.Daemon status (Working)

7.logs (Working)

8.Metasploit connects via rpc. (working)

9. GPS tracked Assets by Google maps and using net-book with a high powered external usb wifi attenas.

Starts an automatic attack if wep if wpa2 grabes handshake. If open starts basic arp spoofing attack. Common browser exploits. (alpha)

10.Teensy spread. (in development)

11.vnc back connect. (working)

12. Advanced Persistent threat. Fake Firefox, Fake Internet Explorer, Fake Chrome. Fake Windows Security Essentials. (in development allows for excellent custom Bot-master defined keyloging)

13. Dark search bot index file is downloaded allowing easy searching of hard drives. (Working)

14. voip logic bomb. bot computer is sent via a voip call file once played through voip the microphone hears mp3 file and the dormant payload is activated in bot that is the logic bomb. (Extra- Alpha)

Each Panel is hwid

1 unique build per Copy embedded into panel.

Everything is provided in English only manuals for setup: you need 3 servers for C&C and // one- BULLET proof server collector for -/ everything is working and can be setup within hours: Only serious players -  for sale $8000 -bitcoin – (obfuscated )1A9nBLgdhf4NJadXiBppqqU96AhbMBQrgV -

—— – EDUCATIONAL – ONLY – ————— – EDUCATIONAL – ONLY – ————— – EDUCATIONAL – ONLY – ————— – EDUCATIONAL – ONLY – ———

 

09/23/12

Free Bot-Nets Anyone

gAtO wAs - looking for code for bot’s to see how they work and I want to tell you it’s been kinda easy to find lots of bots…bots, code and DIY kits./ OK [1] below is the list of the Bots I found downloaded and playing with them to see how they work. Another part of this problem is it’s not just code and DIY kits, but code_mixer is a library that allows you to generate new Virus, undetectable to AV software. I also found different versions of Bots and different type of networks, IRC bots, http_bots, p2p_bots and on top of all this I found all kinds of discussions about how to make them ToR enable which has been going on for a while. Hiding a sophisticated c&c Bot-Master server in ToR ONION NETWORK IS EASY.

gAtOs –/ bot-net collection /–

I also wanted to know if these bot’s and code was not just old code stuff- well some is old by Internet years 2009 – that’s a long time in cyber pirate years but polymorphing code works no matter when it was created and it hides virus and worms really easy from AV systems especially if it’s a new version of the bots . Another thing I wanted to find is STUXNET, DUQU, FLAME SkyWriter and other famous Bots. Well I found samples of these — not just one but hundreds of version of these bot’s- and it was easy I included a list of some of the more newer bot codes.[2]…//

Oh I forgot ToR and Bots including  STUXNET, DUQU, FLAME SkyWriter and others do run in Tor onion network just check out the – insert date – First seen – Last seen – dates on this list . you may also check out —https://zeustracker.abuse.ch/statistic.php  — I found that my builder version showed that I had found Zeus 2.0.8.9 and is the number one version of zeus bot-net.  

One easy bot design is to use Tor2Web as a way to access a c&c server in Tor without running Tor on the infected client. The Tor network is getting more popular and people see that they can’t be caught in Tor so they are building lot’s of new Bots that run all over Tor – p2p and http and they are starting also new places like i2p networks and running bots—/   -gAtO oUt

[1] the list of Bots and code 

  1. _blackShades_4.8 Net -
  2. Black Pro _LostDoor v5.1
  3. BlackShade 4.8
  4. Blackshades NET v4.2
  5. Blackshades NET v3.8.1
  6. Blackshades_Archive
  7. Botnet Packet
  8. dark_Comet_1342319517
  9. ebookskayla-1
  10. G-Bot_1.7
  11. INCREDULiTY – ClientMesh
  12. ISR Stealer 0.4
  13. KnollKeylogger-1
  14. LostDoor Black Pro v5.1
  15. open source Exploit Pack
  16. optima10_ddos
  17. ProRat_v1.9 SE
  18. Spy-Net v2.7 Final
  19. SpyEye 1.3.45 Loader
  20. spyeye_tutorial
  21. Stuxnet_Laurelai-decompile-dump-2e11313
  22. Ultimate_Spy-Net v2.7 Final
  23. x_1ST-SECTION FILE INFECTOR, library+example,
  24. x_007
  25. x_arclib
  26. x_avp_troj
  27. x_code_mixer
  28. x_dscript
  29. x_eicar
  30. x_http ASM
  31. x_infecting *.HLP files (example/description)
  32. x_m1
  33. x_mistfall
  34. x_Mistfall.ZOMBIE-z10d
  35. x_pgpmorf1
  36. x_pgpmorf2
  37. x_tp_com
  38. x_zhello
  39. ZeuS 2.0.8-1.9
  40. Zeus collection
  41. ZBOT
  42. zeus 1.2.7.19
  43. ZeuS 2.0.8.9 – experimental
  44. Zeus Analysis Website

—[2] STUXNET, DUQU, FLAME SkyWriter and a few more bots in the wild check out the last seen date…

 

 

 

 

 

 

Flamer Bots  =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

 

action md5 insert date First seen Last seen nod32 avast kaspersky bitdefender microsoft f_prot_unpacker peid
d73fe5f9f8dc2fc68aea57ba5c0353f4 2012-07-16 2012-06-07 09:11:15 2012-06-19 20:28:53 Win32/Flamer.A Win32:Skywiper- N [Trj] Worm.Win32.Flam e.a Trojan.Flame.A Trojan:Win32/Fl ame.A!cert
06a84ad28bbc9365eb9e08c697555154 2012-06-26 2012-06-05 11:24:36 2012-06-08 12:08:30 Win32/Flamer.A Win32:Skywiper- K [Trj] Worm.Win32.Flam e.a Trojan.Flame.A Worm:Win32/Flam e.gen!D Armadillo v1.71
0a17040c18a6646d485bde9ce899789f 2012-06-20 2012-05-30 12:45:05 2012-06-29 21:10:27 a variant of Win32/Flamer.A Win32:Skywiper- H [Trj] HEUR:Worm.Win32 .Flame.gen Trojan.Flame.A Worm:Win32/Flam e.gen!A
581f2ef2e3ba164281b562e435882eb5 2012-06-20 2012-06-01 06:09:15 2012-06-08 21:49:22 Win32/Flamer.A Win32:Skywiper- E [Trj] Worm.Win32.Flam e.a Trojan.Flame.A Worm:Win32/Flam e.gen!A
5a002eb0491ff2b5f275a73f43edf19e 2012-06-20 2012-06-01 08:13:39 2012-06-29 21:15:07 Win32/Flamer.A Win32:Skywiper- E [Trj] Worm.Win32.Flam e.a Trojan.Flame.A Worm:Win32/Flam e.gen!A
7551635b101b63b215512b00d60e00f3 2012-06-20 2006-07-18 04:31:57 2012-06-20 04:19:30 probably a variant of Win32/Agent.IGOUUZX Win32:Trojan-ge n Backdoor.Win32. Bifrose.cgfb Trojan.DialUpPa sswordMailer.A Trojan:Win32/Du twiper Aspack ASPack v1.08.03
75de82289ac8c816e27f3215a4613698 2012-06-20 2012-06-01 06:17:01 2012-06-21 06:36:16 Win32/Flamer.A Win32:Skywiper- L [Trj] Worm.Win32.Flam e.a Trojan.Flame.A Worm:Win32/Flam e.gen!A
8ed3846d189c51c6a0d69bdc4e66c1a5 2012-06-20 2010-10-05 03:56:52 2012-06-21 06:21:20 Win32/Flamer.A Win32:Malware-g en Worm.Win32.Flam e.a Trojan.Flame.A Worm:Win32/Flam e.gen!A
bddbc6974eb8279613b833804eda12f9 2012-06-20 2012-06-01 03:37:00 2012-06-21 06:23:32 Win32/Flamer.A Win32:Skywiper- K [Trj] Worm.Win32.Flam e.a Trojan.Flame.A Worm:Win32/Flam e.gen!D Armadillo v1.71
c09306141c326ce96d39532c9388d764 2012-06-20 2012-06-01 08:09:24 2012-06-21 06:43:33 Win32/Flamer.A Win32:Skywiper- L [Trj] Worm.Win32.Flam e.a Trojan.Flame.A Worm:Win32/Flam e.gen!A
cc54006c114d51ec47c173baea51213d 2012-06-20 2012-06-01 08:13:46 2012-06-01 10:05:08 Win32/Flamer.A Win32:Skywiper- E [Trj] Worm.Win32.Flam e.a Trojan.Flame.A Worm:Win32/Flam e.gen!C
e5a49547191e16b0a69f633e16b96560 2012-06-20 2012-05-30 14:22:32 2012-06-28 00:41:49 a variant of Win32/Flamer.A Win32:Skywiper- H [Trj] HEUR:Worm.Win32 .Flame.gen Trojan.Flame.A Worm:Win32/Flam e.gen!A
f0a654f7c485ae195ccf81a72fe083a2 2012-06-20 2012-05-28 14:37:54 2012-06-24 11:31:16 Win32/Flamer.A Win32:Skywiper- A [Trj] Worm.Win32.Flam e.a Trojan.Flame.A Worm:Win32/Flam e.gen!B
cb5 2012-06-19 2010-07-20 13:41:34 2012-06-24 11:30:50 Win32/Flamer.A Win32:Skywiper- I [Trj] Worm.Win32.Flam e.a Trojan.Flame.A Worm:Win32/Flam e.gen!A
0464e1fabcf2ef8b24d6fb63b19f1064 2012-06-18 2012-06-11 08:06:23 2012-06-11 08:06:23 Win32:Skywiper- A [Trj]
09d6740fd9be06cbb5182d02a851807d 2012-06-18 2012-06-11 08:14:24 2012-06-11 08:14:24 Win32:Skywiper- C [Trj]
780c5bc598054a365a75d10ac05a3157 2012-06-18 2012-06-11 07:50:56 2012-06-11 07:50:56 Win32:Skywiper- D [Trj]
cb98cca16865aa2330d2cf93fd6886ff 2012-06-18 2012-06-11 07:41:19 2012-06-11 07:41:19 Win32:Skywiper- E [Trj]
fac96cf0f5a43980635f6a6017a5edb0 2012-06-18 2012-08-04 06:42:23 2012-08-04 06:42:23 Win32:Skywiper- F [Trj]
bb4bf0681a582245bd379e4ace30274b 2012-06-16 2012-05-28 14:37:53 2012-07-25 19:03:03 Win32:Skywiper- D [Trj] Trojan.Generic. KDV.641104
Checked on VT at 2012-07-25 02:22:38

—DUQU Bot  =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

action md5 insert date First seen Last seen nod32 avast kaspersky bitdefender microsoft f_prot_unpacker peid
2f5a23b67e6928d58df136fb3431c1a2 2012-08-27 2012-06-27 09:06:34 2012-06-27 09:06:34 Win32/Packed.ASProtect.CEC Win32:Duqu-L [Rtk] Trojan.Win32.Ge nome.fxan Backdoor.PCClie nt.1 Armadillo v1.xx – v2.xx
362b306967fa08fa204e968613c48b54 2012-08-27 2012-06-25 19:17:57 2012-06-25 19:17:57 a variant of Win32/PcClient.NDO Win32:Duqu-L [Rtk] Trojan.Win32.Ge nome.cfwz Backdoor.PCClie nt.1 Backdoor:Win32/ PcClient Themida Xtreme-Protecto r v1.05
5a8b8b55e7d12bcaee50af462d70e4f1 2012-08-27 2012-03-23 03:56:59 2012-03-24 06:50:48 a variant of Win32/TrojanDropper.Delf.NXY Win32:Duqu-I [Rtk] Trojan-Dropper. Win32.Agent.wzj Trojan.Generic. 2087186 Backdoor:Win32/ Delf.RAN
71c91c34ef08b0222a7385a9fc91a156 2012-08-27 2010-01-07 16:30:15 2012-08-01 21:30:31 Win32:Duqu-L [Rtk] Trojan.Win32.Ge nome.ptdr Backdoor.PCClie nt.1 NSPack NsPacK V3.7 -> LiuXingPing
78efa3d89fa835c2d841ca021ba04f9a 2012-08-27 2012-06-20 16:29:55 2012-06-20 16:29:55 Win32/PcClient Win32:Duqu-L [Rtk] Backdoor.Win32. PcClient.akqr Backdoor.PCClie nt.1 Backdoor:Win32/ PcClient NSPack
7e995e30b3c752d55708ba70b64c576d 2012-08-27 2012-07-01 03:18:29 2012-07-01 03:18:29 a variant of Win32/PcClient.NEK Win32:Duqu-L [Rtk] Backdoor.Win32. PcClient.eld Backdoor.PCClie nt.1 Backdoor:Win32/ PcClient Malware_Prot.AJ
8fb8994eb25f35d1e4f62ab00871170b 2012-08-27 2011-11-30 06:35:32 2011-11-30 06:35:32 Win32/PcClient.NCD Win32:Duqu-L [Rtk] Backdoor.Win32. PcClient.eld Backdoor.PCClie nt.1 Backdoor:Win32/ PcClient Malware_Prot.AJ
90fc2ddf9985d14d4252b016018852af 2012-08-27 2012-06-27 06:46:46 2012-06-27 06:46:46 a variant of Win32/PcClient Win32:Duqu-L [Rtk] Backdoor.Win32. PcClient.dire Backdoor.PCClie nt.1 Backdoor:Win32/ PcClient
9a9e77d2b7792fbbddcd7ce05a4eb26e 2012-08-27 2011-11-02 03:07:36 2011-11-02 03:16:28 Win32/Duqu.A Win32:Malware-g en Trojan.Win32.In ject.bjyg Trojan.Generic. 6658401 Trojan:Win32/Hi deproc.G UPX_LZMA
9d00bebb4be61eb425ef8adfa05968fd 2012-08-27 2012-05-23 12:23:42 2012-05-27 21:59:18 a variant of Win32/PcClient.NBG Win32:Duqu-L [Rtk] Backdoor.Win32. PcClient.hnp Backdoor.PCClie nt.1 Backdoor:Win32/ PcClient ASPack v2.12
9dc323e0595caf5e5152b6353c6c7b58 2012-08-27 2012-07-01 09:01:29 2012-07-01 09:01:29 a variant of Win32/PcClient.NEK Win32:Duqu-L [Rtk] Backdoor.Win32. PcClient.eld Backdoor.PCClie nt.1 Backdoor:Win32/ PcClient Malware_Prot.AJ
b25cc61de1a0d2086356d7757b26e2ef 2012-08-27 2012-06-23 15:43:36 2012-06-23 15:43:36 Win32/PcClient.NBI Win32:Duqu-L [Rtk] Backdoor.Win32. Hupigon.bxjm Backdoor.PCClie nt.1 Backdoor:Win32/ Hupigon.ZQ.dll Aspack ASPack v2.12
bb9c97fe54b85179f9a83ca4cfdd24f3 2012-08-27 2012-07-02 11:06:55 2012-07-02 11:06:55 a variant of Win32/PcClient.NEK Win32:Duqu-L [Rtk] Backdoor.Win32. PcClient.eld Backdoor.PCClie nt.1 Backdoor:Win32/ PcClient Malware_Prot.AJ
ca7b6963a5b45b67e1bfa1a0f415eb24 2012-08-27 2012-06-29 01:20:37 2012-06-29 01:20:37 Win32/PcClient.NCD Win32:Duqu-L [Rtk] Backdoor.Win32. PcClient.eld Backdoor.PCClie nt.1 Backdoor:Win32/ PcClient Malware_Prot.AJ
5d8932237d14019ae81e97c5b8951ef8 2012-08-15 2012-08-18 11:59:04 2012-08-18 11:59:04 Win32:Duqu-L [Rtk] HEUR:Trojan.Win 32.Generic Backdoor.PCClie nt.1 Backdoor:Win32/ PcClient NSPack
6416039108bd666f073d51db5328f6c9 2012-08-15 2012-08-18 14:07:59 2012-08-18 14:07:59 Win32:Duqu-L [Rtk] HEUR:Backdoor.W in32.Generic Backdoor.PCClie nt.1 Backdoor:Win32/ PcClient ASPack v2.12
774c19f455cff3a443e7f3a58983a12b 2012-08-15 2012-08-18 18:18:21 2012-08-18 18:18:21 Win32:Duqu-I [Rtk] Backdoor.Win32. Hupigon2.ja Trojan.Generic. 826880 Backdoor:Win32/ Delf.RAN
b19fe4b53d01d2746eb83e9fddd1eb67 2012-08-15 2012-07-16 12:33:52 2012-07-16 12:33:52 Win32:Duqu-L [Rtk] HEUR:Backdoor.W in32.Generic Backdoor.PCClie nt.1 Backdoor:Win32/ PcClient ASPack v2.12
f41b0a33d2ca4ba05a95b1a9a40e7e28 2012-08-15 2012-08-19 15:09:26 2012-08-19 15:09:26 Win32:Duqu-L [Rtk] Backdoor.Win32. PcClient.agyu Backdoor.PCClie nt.1 Backdoor:Win32/ PcClient
2f4e30a497ae6183aabfe8ba23068c1b 2012-06-20 2012-06-11 17:02:50 2012-07-15 11:59:26 Win32/Stuxnet.A Win32:Malware-g en Worm.Win32.Stux net.v Win32.Worm.Stux net.E embedded  

 

 

 

 

the

 

—zeus  =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

 

action md5 insert date First seen Last seen nod32 avast kaspersky bitdefender microsoft f_prot_unpacker peid
0a295bb2cbb44d9ba2e18bbfeb511d1d 2012-08-27 2011-02-24 10:59:09 2012-05-12 09:37:44 WinCE/Zbot.A Win32:Malware-g en Trojan-Spy.WinC E.Zitmo.a Backdoor.Bot.13 4855 Trojan:WinCE/Zi tmo.A
2b2dcecfd882efb2100ce28d09c89f75 2012-08-27 2009-01-30 05:49:27 2009-07-02 06:23:46 a variant of Win32/Spy.Zbot.JF Win32:Zbot-BCW Trojan.Spy.Zeus .C PWS:Win32/Zbot
33a6fef6d2487a95af539e532be424b2 2012-08-27 2011-09-03 03:28:17 2012-02-21 21:41:11 a variant of Win32/Zeus.B Win32:Malware-g en Backdoor.Win32. BotNet.ac Gen:Variant.Kaz y.8986 PWS:Win32/Zbot. TV UPX UPX 2.90 [LZMA] -> Markus Oberhumer, Laszlo Molnar & John Reiser
4153a07347b3bdf74b527e51cc63a843 2012-08-27 2010-05-16 15:01:27 2010-05-18 21:58:47 a variant of Win32/Spy.Agent.PZ Win32:Zbot-gen Trojan-Spy.Win3 2.Zbot.myj Trojan.Spy.Zeus .1.Gen PWS:Win32/Zbot. gen!A
4fe9b3febda0dd9e8f89ed29b1a39560 2012-08-27 2012-03-27 07:25:01 2012-03-28 09:48:26 a variant of Win32/Spy.Agent.PZ Win32:Susn-G [Trj] Trojan-Spy.Win3 2.Zbot.roh Trojan.Spy.Zeus .1.Gen PWS:Win32/Zbot. GA
7b470095ce2887377e6f9e37fd0471dc 2012-08-27 2012-06-30 09:12:53 2012-06-30 09:12:53 a variant of Win32/Spy.Agent.PZ Win32:Zbot-gen [Trj] Trojan-Spy.Win3 2.Zbot.roh Trojan.Spy.Zeus .1.Gen PWS:Win32/Zbot. GA
831d2fdb9ad258f68ce5924b1feac10a 2012-08-27 2011-10-17 02:49:20 2012-04-30 22:09:54 a variant of Win32/Spy.Agent.PZ Win32:Susn-G [Trj] Trojan-Spy.Win3 2.Zbot.roh Trojan.Spy.Zeus .1.Gen PWS:Win32/Zbot. GA
9eb88298f93809ea7d733e29bb3d466b 2012-08-27 2007-11-16 20:51:16 2011-08-09 00:18:04 a variant of Win32/Spy.Agent.PZ Win32:Tibs-BND [Trj] Trojan-Spy.Win3 2.Zbot.adj Trojan.Spy.Zeus .2.Gen PWS:Win32/Zbot. gen!B
9faf0c526795ee01839ecb51074dd7ae 2012-08-27 2012-06-23 06:47:46 2012-06-23 06:47:46 a variant of Win32/Spy.Agent.PZ Win32:Tibs-BNF [Trj] Trojan-Spy.Win3 2.Zbot.adj Trojan.Spy.Zeus .2.Gen PWS:Win32/Zbot. gen!B
a05211df243da8a9e628b4767aafc989 2012-08-27 2007-11-17 13:55:10 2011-08-08 23:43:09 Win32/Spy.Agent.NDY Win32:Zbot-AG [Trj] Trojan-Spy.Win3 2.Zbot.po Trojan.Spy.Zeus .2.Gen PWS:Win32/Zbot. gen!B
aa874f7c37962240569ff35a030c2e71 2012-08-27 2012-06-26 08:59:57 2012-06-26 08:59:57 a variant of Win32/Kryptik.OV Win32:Zbot-FS [Trj] Trojan-Spy.Win3 2.Zbot.xw Trojan.Spy.Zeus .1.Gen PWS:Win32/Zbot. gen!B
b484264bca4286f65d5cb68efefa9dc4 2012-08-27 2008-08-22 19:29:43 2009-01-08 08:22:34 Trojan.Spy.Zeus .1.Gen TrojanSpy:Win32 /Zbot.gen!C
c38412218981ddc0cd93d5d98971a781 2012-08-27 2009-12-19 06:17:33 2009-12-31 15:13:34 a variant of Win32/Spy.Zbot.UN Win32:Zbot-BCW Trojan-Spy.Win3 2.Zbot.aadb Trojan.Spy.Zeus .C PWS:Win32/Zbot. gen!R
c4905c4610b9c2992bc395429b7365ab 2012-08-27 2009-09-04 15:24:05 2009-09-04 15:24:05 Win32:Zbot-BCW Heur.Trojan.Gen eric Trojan.Spy.Zeus .C PWS:Win32/Zbot. gen!R
c70db2b312a23e11b5e671cac70db98f 2012-08-27 2008-02-19 12:29:14 2012-02-19 14:34:25 PS/MPC-Zeus-753 Virus.DOS.PS-MP C-based PS-MPC.0753.DN. Gen Virus:DOS/PSMPC .753
d16a1870603a0f7111c64584e6eb5deb 2012-08-27 2012-02-20 19:36:30 2012-03-02 01:50:10 Win32/PSW.Agent.NTM Win32:Zeus-A [Trj] Trojan.Win32.Ag ent2.fadw Gen:Variant.Zlo b.1 PWS:Win32/Farei t.gen!C
d1db75d0b93b0f1bda856242c8ab1264 2012-08-27 2009-10-15 20:31:08 2009-10-17 14:14:20 a variant of Win32/Spy.Zbot.UN Win32:Zbot-BCW Heur.Trojan.Gen eric Trojan.Spy.Zeus .C PWS:Win32/Zbot. QA
d5a75c535b33fc09f1ab6e181d59fc84 2012-08-27 2011-06-18 10:59:14 2011-12-09 01:49:01 a variant of Win32/Spy.Zbot.XO Win32:Zbot-ATL [Trj] Trojan-Spy.Win3 2.Zbot.roh Trojan.Spy.Zeus .1.Gen PWS:Win32/Zbot. C
e806cfe7d3257bf61f5b95215e3ec23e 2012-08-27 2012-06-23 03:56:28 2012-06-23 03:56:28 a variant of Win32/Spy.Agent.PZ Trojan-Spy.Win3 2.Zbot.adj Trojan.Spy.Zeus .2.Gen PWS:Win32/Zbot. gen!B
078b7684cbc5cd14770fb2c842ece7e4 2012-08-15 2012-08-04 03:55:52 2012-08-09 17:09:00 Win32:Susn-G [Trj] Trojan-Spy.Win3 2.Zbot.roh

—gBot  =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

 

action md5 insert date First seen Last seen nod32 avast kaspersky bitdefender microsoft f_prot_unpacker peid
0017c17069fcd00a8c13e2e1bb955494 2012-08-27 2011-11-16 12:17:45 2011-12-14 17:33:12 a variant of Win32/Kryptik.VNB Win32:Cybota [Trj] Trojan.Win32.Jo rik.Gbot.rtt Trojan.Generic. 6903230 Backdoor:Win32/ Cycbot.G
0033496f9baa6c05dc709db64a7b8cef 2012-08-27 2011-11-19 12:30:08 2011-12-16 01:08:42 a variant of Win32/Kryptik.VZB Win32:Cybota [Trj] Trojan.Win32.Jo rik.Gbot.rwf Trojan.Generic. 6914846 Backdoor:Win32/ Cycbot.G
00392a6a7919d425e512c4466984f8f3 2012-08-27 2011-10-05 04:29:14 2011-11-29 18:00:26 a variant of Win32/Kryptik.TEV Win32:Cybota [Trj] Backdoor.Win32. Gbot.osk Gen:Variant.Kaz y.38517 Backdoor:Win32/ Cycbot.G
004ed94e35b42f7b76fb4b729573a123 2012-08-27 2012-01-13 03:41:13 2012-02-11 12:53:50 a variant of Win32/Kryptik.YBH Win32:Cybota [Trj] Backdoor.Win32. Gbot.qwk Gen:Variant.Kaz y.50582 Backdoor:Win32/ Cycbot.G
00b66b966778139c0b83721c5e307695 2012-08-27 2011-11-24 01:24:42 2012-01-02 23:04:36 Win32/Cycbot.AF Win32:Cybota [Trj] Trojan.Win32.Jo rik.Gbot.qwn Gen:Heur.Kelios .1 Backdoor:Win32/ Cycbot.G
00c789e5ae793c6be65482d4b472f0f0 2012-08-27 2011-11-18 16:42:21 2011-12-15 14:43:24 Win32/Cycbot.AK Win32:Cybota [Trj] Trojan.Win32.Jo rik.Gbot.rvk Backdoor.Bot.14 6893 Backdoor:Win32/ Cycbot.G
00daf7e9577d84c5949439b02f11af74 2012-08-27 2011-03-23 02:31:51 2011-07-20 22:11:40 Win32/Cycbot.AF Win32:Cybota [Trj] Backdoor.Win32. Gbot.aed Gen:Trojan.Heur .KS.1 Backdoor:Win32/ Cycbot.B
00ddbd4723ec6394f278fd5d3275a952 2012-08-27 2012-02-02 18:46:53 2012-03-29 17:13:40 Win32/Cycbot.AK Win32:Cybota [Trj] Backdoor.Win32. Gbot.qwt Gen:Variant.Kaz y.53272 Backdoor:Win32/ Cycbot.G
00deb18fb207bc020a30ff7b7550f279 2012-08-27 2011-03-19 21:01:29 2011-07-12 08:53:49 a variant of Win32/Kryptik.LOJ Win32:Cybota [Trj] Backdoor.Win32. Gbot.adk Gen:Trojan.Heur .KS.1 Backdoor:Win32/ Cycbot.B
00e762e7fe180b096207c7b72f608cc3 2012-08-27 2012-06-20 11:30:59 2012-06-20 11:30:59 a variant of Win32/AGbot.V Win32:SdBot-FJH [Trj] Backdoor.Win32. SdBot.ozd Gen:Win32.IRC-B ackdoor.fmW@aih z9oj Backdoor:Win32/ Gaertob.A Armadillo v1.71
00f3359898621f36a5251759a3a89495 2012-08-27 2011-11-11 20:35:02 2011-11-16 04:05:08 Win32/Adware.WinAntiVirus.AD Win32:Gbot-M [Trj] Trojan-Download er.Win32.Fdvm.b Application.Gen eric.386031 Trojan:Win32/Si refef.P
00f83d49831dc202e04478f670b96d50 2012-08-27 2011-12-14 07:28:20 2011-12-14 07:28:20 Win32/Cycbot.AF Win32:Cybota [Trj] Backdoor.Win32. Gbot.qmi Backdoor.Gbot.I Backdoor:Win32/ Cycbot.G
00fc1e69ca9031e5c47dfcde78dc0537 2012-08-27 2011-09-09 05:34:05 2012-02-11 20:04:14 a variant of Win32/Kryptik.RWA Win32:Cybota [Trj] Trojan.Win32.Jo rik.Gbot.iag Gen:Variant.Kaz y.34336 Backdoor:Win32/ Cycbot.G
0117b98cb2114c51c4d51831820cc8e4 2012-08-27 2011-04-02 06:56:59 2011-07-21 00:22:16 Win32/Cycbot.AF Win32:Cybota [Trj] Backdoor.Win32. Gbot.ahq Trojan.Generic. KD.163287 Backdoor:Win32/ Cycbot.B
016d69d4cbd779b63bb6927fa9c19730 2012-08-27 2012-03-10 20:03:49 2012-04-30 20:29:18 a variant of Win32/Kryptik.SUP Win32:Cybota [Trj] Backdoor.Win32. Gbot.oep Gen:Heur.Conjar .5 Backdoor:Win32/ Cycbot.G
0189fd7b339df01d4a4be1113520ad46 2012-08-27 2010-02-19 22:20:06 2012-06-09 04:12:35 a variant of MSIL/TrojanDropper.Agent.JF Win32:Malware-g en Trojan-Dropper. MSIL.Agent.fws Trojan.Generic. 3812196 VirTool:Win32/O bfuscator.NC
01e118c11c4145710ff1801f34a44bc7 2012-08-27 2012-07-05 15:25:49 2012-07-05 15:25:49 a variant of Win32/Kryptik.ACYA Win32:MalOb-IF [Cryp] Backdoor.Win32. Gbot.wkt Gen:Variant.Bar ys.3481 TrojanDownloade r:Win32/Carberp .C
021817e91793fa15bee2937fe2befddd 2012-08-27 2011-12-06 03:55:36 2012-01-03 16:39:38 a variant of Win32/Kryptik.VCE Win32:Cybota [Trj] Trojan.Win32.Jo rik.Gbot.qxq Gen:Variant.Kaz y.42337 Backdoor:Win32/ Cycbot.G
0229d3256bd2309f1d581533febdc1e7 2012-08-27 2012-01-31 17:40:43 2012-02-21 13:59:28 a variant of Win32/Kryptik.UVF Win32:KadrBot [Trj] Trojan.Win32.Jo rik.ZAccess.no Gen:Variant.Kaz y.41897 Trojan:Win32/Si refef.J
0296357c2952eafb29b2edeaf776a787 2012-08-27 2011-09-13 21:55:14 2012-02-12 16:34:09 a variant of Win32/Kryptik.RLK Win32:Cybota [Trj] Trojan.Win32.Jo rik.Gbot.epv Gen:Variant.Kaz y.33354 Backdoor:Win32/ Cycbot.G

 

—spyeye  =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

 

action md5 insert date First seen Last seen nod32 avast kaspersky bitdefender microsoft f_prot_unpacker peid
004df992aa00f6a83388aeb55cf806bb 2012-08-27 2012-03-17 18:33:21 2012-04-25 11:55:35 a variant of Win32/Kryptik.VMB Win32:MalOb-IV [Cryp] HEUR:Trojan.Win 32.Generic Gen:Variant.Kaz y.43891 Trojan:Win32/Dy namer!dtc
0050771f197d912b1fd2767c9b07b0d9 2012-08-27 2012-01-22 05:30:06 2012-01-22 05:30:06 Win32:MalOb-IJ [Cryp] HEUR:Trojan.Win 32.Generic Gen:Variant.Kaz y.46466
0055add5c7c8778b1e97e0bc2cdb34fd 2012-08-27 2011-04-05 09:52:34 2012-08-17 14:32:46 Win32:Karagany- E [Trj] Trojan-Spy.Win3 2.SpyEyes.gaf Gen:Variant.Kaz y.154 TrojanDownloade r:Win32/Karagan y.A
00881bfd664c40bd17f00da4e2b1707e 2012-08-27 2012-01-30 20:45:05 2012-03-25 16:25:27 Win32/Ramnit.A Win32:Vitro HEUR:Trojan.Win 32.Generic Gen:Heur.FKP.1 Trojan:Win32/Ra mnit.A
009f01b994bd6211d8b79775decc5854 2012-08-27 2012-06-25 07:23:14 2012-06-25 07:23:14 Win32/Spy.SpyEye.CA Win32:Regrun-JI [Trj] Trojan.Win32.Me nti.kxpm Trojan.Generic. 6382824 Trojan:Win32/Ey eStye.N Armadillo v1.71
00bbce9dac6dec8f16547da20c09594c 2012-08-27 2011-11-11 04:55:40 2011-11-11 04:55:40 a variant of Win32/AutoRun.Injector.AM Win32:Spyeye-ZL [Trj] HEUR:Trojan.Win 32.Generic Worm.Generic.35 0922 Armadillo v1.71
00db3ed3ba79dcc6627b13f5c0557f46 2012-08-27 2012-06-25 13:26:56 2012-06-25 13:26:56 a variant of Win32/Kryptik.HJW Win32:Zbot-MVW [Trj] Trojan-Download er.Win32.Piker. cqy Gen:Variant.Kaz y.1690 TrojanDownloade r:Win32/Bredola b.AC
00ffd9a941c6fe8d57210bf82c674943 2012-08-27 2011-06-26 15:23:06 2011-07-19 07:46:49 Win32/Bamital.FA Win32:Trojan-ge n Trojan.Win32.Of icla.nbt Trojan.Generic. KD.225389 Trojan:Win32/Me redrop UPX 2.90 [LZMA] -> Markus Oberhumer, Laszlo Molnar & John Reiser
012cca77918ab828662e9b726c97319c 2012-08-27 2011-11-03 13:55:46 2012-01-28 16:05:29 a variant of Win32/Injector.KLZ Win32:Spyeye-YV [Trj] Trojan.Win32.In ject.bpoa Gen:Variant.Gra ftor.3243 VirTool:Win32/D elfInject.gen!C M
01341c165ed887fa134250750b2218c4 2012-08-27 2011-12-15 08:45:54 2012-01-19 04:40:25 Win32/AutoRun.Spy.Banker.M Win32:Spyware-g en [Spy] Trojan-Dropper. Win32.Dapato.sd d Trojan.Generic. KDV.479801 Worm:Win32/Crid ex.B Armadillo v1.71
014e076ae37f2e5e612ae748dd9e4177 2012-08-27 2011-11-11 03:24:24 2011-11-24 20:34:32 a variant of Win32/Injector.JMN Win32:Crypt-KLY [Trj] Trojan.Win32.Bu zus.iofc Trojan.Generic. 6686401 TrojanDropper:W in32/Sirefef.B
01525755f4b3c800560bdc4ac3c80cbd 2012-08-27 2011-03-09 19:58:13 2011-03-19 04:41:56 a variant of Win32/Injector.FBK Win32:Spyware-g en Trojan-Spy.Win3 2.SpyEyes.fqu Trojan.Generic. KDV.152375
019f9a5668d3de770f4c0a741a4f0c4a 2012-08-27 2012-03-28 01:18:38 2012-03-28 05:03:51 a variant of Win32/Injector.KCP Win32:Regrun-JI [Trj] HEUR:Trojan.Win 32.Generic Gen:Variant.Gra ftor.1584 Armadillo v1.71
01b36ef0ca621293f6c74c7b2950946a 2012-08-27 2012-01-06 23:55:08 2012-06-07 08:19:28 Win32/AutoRun.IRCBot.HO Win32:Malware-g en Trojan-Dropper. Win32.Injector. boyd Backdoor.Agent. ABAV Worm:Win32/Phor piex.B
01ceff3646dd40eaa11ed4cf7a75d495 2012-08-27 2012-03-21 00:04:37 2012-03-22 04:53:17 a variant of Win32/Kryptik.ACTR Win32:Spyeye-AC T [Trj] Trojan-FakeAV.W in32.Agent.dks Gen:Variant.Bre do.21 Rogue:Win32/Win websec
01d1d9f8c314a19e9f5cc7dc06693ea5 2012-08-27 2012-06-20 01:29:52 2012-06-20 01:29:52 Win32:Spyeye-WC [Trj] Trojan.Win32.Ge nome.acnzw Gen:Variant.Kaz y.37631 VirTool:Win32/O bfuscator.TT
01ef0b349a8b2c598f24fad77bb7d506 2012-08-27 2012-06-27 04:01:59 2012-06-27 04:01:59 a variant of Win32/Kryptik.HCV Win32:Malware-g en Trojan-Spy.Win3 2.SpyEyes.evw Trojan.Generic. KD.45757 Rogue:Win32/Win websec
02084edaa51e7bd688fc95c0ae86a29a 2012-08-27 2011-11-18 19:01:09 2011-11-21 15:55:16 a variant of Win32/Injector.KTW Win32:Spyeye-ZI [Trj] Trojan-Spy.Win3 2.SpyEyes.qmg Trojan.Generic. KDV.399472 Trojan:Win32/Or sam!rts
022abced09dc8142069c88ce2ee06e55 2012-08-27 2012-06-22 23:18:26 2012-06-22 23:18:26 Win32/Spy.SpyEye.CA Win32:Zbot-NES [Trj] Net-Worm.Win32. Koobface.jcb Gen:Variant.Kaz y.25416
0234f794047645d090a47550cf229bd4 2012-08-27 2012-04-08 05:38:21 2012-06-13 10:50:56 probably a variant of Win32/Injector.KNA Win32:Malware-g en HEUR:Trojan.Win 32.Generic Gen:Trojan.Heur .VP2.eu0baiVzqp ii VirTool:Win32/V BInject.UG ASPack v2.12

 

—AVP  =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

 

action md5 insert date First seen Last seen nod32 avast kaspersky bitdefender microsoft f_prot_unpacker peid
00ada89f87db0db0f3939271c34f865e 2012-08-27 2008-09-18 18:15:52 2009-04-27 12:34:23 probably a variant of Win32/Adware.RogueApp Win32:Adware-ge n not-a-virus:Fra udTool.Win32.Ag ent.r Adware.AntivirP rotection.A Program:Win32/A ntivirusProtect ion
0106605d11d29384522bfa17164fd943 2012-08-27 2012-03-22 10:32:32 2012-03-22 21:11:40 Win32:Dialer-AV P [Trj] Trojan.Win32.Di aler.qn Trojan.Mezzia.G en Trojan:Win32/Ad ialer.OP
014596c2ff3198b690bf2f3debcb0711 2012-08-27 2011-12-03 03:58:24 2011-12-05 21:04:13 Win32/Spy.Zbot.YW Win32:Trojan-ge n Trojan-Spy.Win3 2.Zbot.coxf Trojan.Spy.Zbot .ETB PWS:Win32/Zbot UPX 2.90 [LZMA] -> Markus Oberhumer, Laszlo Molnar & John Reiser
01b37e56720a5bf5a85c103878100388 2012-08-27 2012-06-11 04:52:22 2012-06-11 04:52:22 Win32/Kryptik.AGSY Win32:Kryptik-I XH [Trj] Trojan-Spy.Win3 2.Zbot.dyuc Trojan.Agent.AV PE
01cd13a561ff5396604b8718e911b49f 2012-08-27 2011-11-17 13:29:53 2012-07-25 21:46:15 Win32:Trojan-ge n Trojan-Spy.Win3 2.Zbot.coxf Trojan.Spy.Zbot .ETB PWS:Win32/Zbot UPX UPX 2.90 [LZMA] -> Markus Oberhumer, Laszlo Molnar & John Reiser
01f699ef8a648642084f7d665c3c265e 2012-08-27 2011-10-15 19:56:04 2011-10-25 08:10:00 Win32/Olmarik.AVP Win32:Alureon-A FI [Trj] HEUR:Trojan.Win 32.Generic Gen:Variant.Kaz y.27650 Trojan:Win32/Al ureon.DX
0267027dd9091a7054ff9c46384c6654 2012-08-27 2012-02-04 10:24:19 2012-03-31 17:43:08 a variant of Win32/Kryptik.YVK Win32:MalOb-JA [Cryp] Gen:Variant.Kaz y.52638 Rogue:Win32/Fak eRean
03ceb31131f1a47c1388e9c8a53feca0 2012-08-27 2010-08-10 20:27:10 2011-02-05 09:10:23 a variant of Win32/Injector.CLG Win32:Malware-g en Trojan-Download er.Win32.Banloa d.bekw Worm.Generic.27 2239 TrojanSpy:Win32 /Swisyn.B
05740edf8ef59dfdcb3660b35e76052c 2012-08-27 2010-06-02 22:16:22 2012-08-01 23:09:46 Win32:Rootkit-g en [Rtk] Trojan.Win32.Sw isyn.avpt Trojan.Generic. KD.14612 Trojan:Win32/Tr ufip!rts Armadillo v1.71
06daf98aa5504f124d1f19bb23d8aa2b 2012-08-27 2012-02-20 01:00:55 2012-02-20 01:00:55 a variant of Win32/Kryptik.YMJ Win32:MalOb-IG [Cryp] Trojan.Win32.Fa keAV.kbsd Gen:Variant.Kaz y.51804 Rogue:Win32/Fak eRean
07837d8689d093ddfb90e0e873a40403 2012-08-27 2012-02-06 12:01:38 2012-08-04 03:14:45 Win32:FakeAlert -EM [Trj] Trojan-FakeAV.W in32.VirusDocto r.v Gen:Variant.Urs nif.2 Rogue:Win32/Fak eVimes
07ca5974da6c583b74870b97ca4418ba 2012-08-27 2011-02-04 10:40:03 2012-05-10 04:07:38 a variant of Win32/Spy.VB.NJM Win32:VB-QXQ [Spy] Trojan.Win32.VB Krypt.bavp Gen:Trojan.Heur .fm0@s5JEYbfih Trojan:Win32/Bu mat!rts
087347abfd1f071bcbd9ed2cd83742c3 2012-08-27 2011-11-15 22:10:35 2011-12-16 17:26:10 a variant of Win32/Agent.TCI Win32:Crypt-KWZ [Trj] HEUR:Trojan.Win 32.Generic Gen:Variant.Buz y.4378 Trojan:Win32/In ject.AL
089204eee8ae33f0301b90c43c55aef4 2012-08-27 2011-11-15 12:43:41 2011-12-06 23:11:43 a variant of Win32/Kryptik.VPK Win32:Gbot-M [Trj] Trojan-FakeAV.W in32.OpenCloud. p Trojan.Generic. 6850089 Rogue:Win32/Fak eScanti
09ee083b59b68fa0807dde46be7938a4 2012-08-27 2011-03-19 05:31:23 2011-03-20 00:07:52 Win32/Sirefef.C Win32:Delf-OHT Trojan.Win32.Fa keAV.avpj Trojan.Generic. KD.138388 Worm:Win32/Sire fef.gen!A
0a58fdc81e8bb0e2be92c805846f082e 2012-08-27 2012-01-28 19:43:01 2012-01-28 19:43:01 a variant of Win32/Kryptik.ZAZ Win32:ZAccess-E F [Trj] HEUR:Trojan.Win 32.Generic Gen:Variant.Kaz y.53282 Rogue:Win32/Fak eRean
0aa08ce7021f950a13167728fe7386a6 2012-08-27 2012-03-24 13:06:08 2012-05-30 19:28:26 a variant of Win32/Injector.PLK Win32:Crypt-MCG [Trj] HEUR:Trojan.Win 32.Generic Trojan.Generic. 7394229 Worm:Win32/Nayr abot.gen!A
0b3daa6dcf816fa34179197d6be16c21 2012-08-27 2012-01-17 00:16:22 2012-02-01 14:32:17 a variant of Win32/Kryptik.ZAZ Win32:ZAccess-E F [Trj] Trojan.Win32.Fa keAV.kmpm Gen:Variant.Kaz y.53282 Rogue:Win32/Fak eRean
0ce67f90dd1a936cbc08a6dea0e4d8ae 2012-08-27 2011-11-17 02:06:29 2012-02-09 06:37:16 a variant of Win32/Agent.TCI Win32:Crypt-KWZ [Trj] HEUR:Trojan.Win 32.Generic Gen:Variant.Buz y.4378 Trojan:Win32/In ject.AL
0cf1f914d2805a4cafa33ba9088424a2 2012-08-27 2012-01-17 13:30:31 2012-01-17 13:30:31 a variant of Win32/Kryptik.YWV Win32:Downloade r-MHD [Trj] Trojan.Win32.Fa keAV.kjsd Gen:Variant.Gra ftor.12856 Rogue:Win32/Fak eRean

 

—EICAR  =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

 

action md5 insert date First seen Last seen nod32 avast kaspersky bitdefender microsoft f_prot_unpacker peid
14eb13beba07c82ba1851bce503cb034 2012-08-27 2011-09-06 11:15:30 2011-12-17 19:44:11 Eicar test file EICAR Test-NOT virus!!! EICAR-Test-File EICAR-Test-File (not a virus) Virus:DOS/EICAR _Test_File
16f8c3d67250837bc2e400ad19e0b72a 2012-08-27 2012-08-10 18:19:02 2012-08-15 16:50:23 BV:BVCK-gen3 P2P-Worm.BAT.Co pybat.ag UPX, PKLITE
2c64f48e5135fbaa944172202d236c7d 2012-08-27 2006-06-01 07:00:05 2012-08-20 00:47:44 EICAR Test-NOT virus!!! EICAR-Test-File EICAR-Test-File (not a virus) Virus:DOS/EICAR _Test_File
317c6356b04926b4cf107df145289435 2012-08-27 2010-12-14 12:22:14 2012-08-12 02:15:31 AntiAVP-Avbad [Trj] Trojan.DOS.Avba d Trojan.Avbad.A Trojan:DOS/Avba d LZEXE, PKLITE
5c770e1490835247d0a541474ee51c50 2012-08-27 2012-07-26 12:10:50 2012-07-27 20:06:32 EICAR Test-NOT virus!!! EICAR-Test-File
5e67103aa3baadde488fc8a66915610e 2012-08-27 2012-02-07 23:35:55 2012-04-07 06:45:15 EICAR-Test-File Virus:DOS/EICAR _Test_File
613a4ae52be7190a18c340f0ffa78fbd 2012-08-27 2012-07-21 14:15:28 2012-07-24 20:16:28 EICAR Test-NOT virus!!! EICAR-Test-File
67cafd0c5fb22dc93815700230d368c3 2012-08-27 2012-07-26 12:19:57 2012-07-27 20:06:19 EICAR Test-NOT virus!!! EICAR-Test-File
72015abc47f25b8f624a0b1b2eb3ebe0 2012-08-27 2012-01-30 00:23:27 2012-04-18 14:37:09 EICAR Test-NOT virus!!! HEUR:Trojan.Win 32.Generic Trojan.Generic. 7358064 Virus:DOS/EICAR _Test_File
79449529d738e9a3ef5893efaf048da5 2012-08-27 2012-07-26 12:27:02 2012-07-27 20:05:41 EICAR Test-NOT virus!!! EICAR-Test-File
82a83e6e1799f3886123614014ef07f4 2012-08-27 2012-07-21 15:02:40 2012-07-24 19:45:51 EICAR Test-NOT virus!!! EICAR-Test-File
934162a08d4a38711083345ef0b57d14 2012-08-27 2008-03-22 05:39:27 2012-05-16 01:40:33 EICAR-Test-File Virus:DOS/EICAR _Test_File
9590348417ce24e4c1d0e1d8af4c4939 2012-08-27 2012-08-04 04:10:00 2012-08-09 00:43:00 EICAR Test-NOT virus!!! EICAR-Test-File Virus:BAT/Mouse Disable.D
96cb4955ea6bab5f3c8524528401413c 2012-08-27 2009-11-30 16:14:16 2011-09-07 03:48:37 probably a variant of Win32/Agent.XRUNPA Win32:Malware-g en Trojan.Win32.Ge nome.qcad Trojan.Generic. 3199186 Trojan:Win32/Me redrop
a27ee916c22a51179c9e2f1ae67aa7eb 2012-08-27 2012-07-21 16:02:15 2012-07-24 19:45:21 EICAR Test-NOT virus!!! EICAR-Test-File
a911a87a26153abe77c3b25c28615218 2012-08-27 2010-09-02 12:41:52 2010-09-02 23:44:58 Win32:Malware-g en Trojan.Win32.Co smu.dry Dropped:EICAR-T est-File (not a virus)
ac2ff734c993884834c5bb820d21f3f1 2012-08-27 2011-11-19 09:10:49 2012-07-30 18:46:08 EICAR Test-NOT virus!!! EICAR-Test-File
b07e6f95ddf91415897164d7b3eb4736 2012-08-27 2011-10-05 23:16:00 2011-10-05 23:16:00 Trojan.Script.7 133
c29bc4713727d469886ea655115dd177 2012-08-27 2012-08-04 04:28:58 2012-08-08 21:33:18 BV:Malware-gen IRC-Worm.BAT.Ge neric Trojan.Batzz99. A Virus:BAT/Adiou s.A embedded
c9357c00c4da9e9fd8add93e917c57c6 2012-08-27 2012-07-21 17:35:39 2012-07-26 20:06:19 EICAR Test-NOT virus!!!

 

 

—mistfall  =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

action md5 insert date First seen Last seen nod32 avast kaspersky bitdefender microsoft f_prot_unpacker peid
31484725213be800bc1d69cb0ece77aa 2012-08-27 2012-08-10 18:00:33 2012-08-13 13:48:27 Win32:Mistfall [Tool] VirTool.Win32.M istfall VirTool:Win32/M istfall
50e4913a0d73f61279101d08a6e983a5 1970-01-01 2006-06-11 16:14:34 2012-04-15 22:14:43 Win32/VirTool.Mistfall Win32:Mistfall [Tool] VirTool.Win32.M istfall VirTool:Win32/M istfall

 

 

 

 

 

—rBot =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

action md5 insert date First seen Last seen nod32 avast kaspersky bitdefender microsoft f_prot_unpacker peid
2af4783aba321f53082085e8937b2567 2012-08-28 2012-07-11 23:52:26 2012-08-26 04:26:41 Win32:Virtob Backdoor.Win32. Rbot.adqd Trojan.Generic. 5333379 Virus:Win32/Vir ut.AC
865915650a85e7c27cdd11850a13f86e 2012-08-28 2006-09-03 07:01:30 2012-06-17 17:26:56 Win32/Rbot Win32:Rbot-GKN [Trj] Net-Worm.Win32. Kolab.aefe IRC-Worm.Generi c.22084 Backdoor:Win32/ Rbot
00157f6de1c95255bb781e45088d9a21 2012-08-27 2012-06-24 18:13:49 2012-06-24 18:13:49 Win32/Rbot.YM Trojan.Win32.Ge nome.dnsq IRC-Worm.Generi c.15028 Backdoor:Win32/ Rbot
0024542e9282e2fe0c0ca9b0c0b6f43a 2012-08-27 2012-02-18 10:11:27 2012-04-16 16:12:13 Win32/Virut.NBP Win32:Rbot-GQG [Trj] Backdoor.Win32. LolBot.xzd Worm.Generic.29 8540 Trojan:Win32/Fa kefolder.B
002984263e0d36042f0a4e613f9b9b46 2012-08-27 2009-02-24 07:24:34 2009-02-24 07:24:34 probably a variant of Win32/Rbot Win32:Trojan-ge n {Other} Backdoor.Win32. Rbot.fat Backdoor.Bot.17 676 ASProtect v1.23 RC1
002d88dc3184ac1cc52018a4a34d02c4 2012-08-27 2011-09-15 04:06:24 2011-09-15 04:06:24 a variant of Win32/Injector.IIQ Win32:Sality Worm.Win32.Ngrb ot.cnh Trojan.Generic. KDV.304762 Worm:Win32/Dork bot.gen!A Armadillo v1.71
00423373be53630ab1ceea85fa574939 2012-08-27 2011-04-02 04:52:43 2012-08-17 14:22:42 Trojan.Generic. 6907346 Backdoor:Win32/ Rbot.gen!G
00492917b6eb3d9c6d62f86f9acc6bce 2012-08-27 2012-06-25 00:19:05 2012-06-25 00:19:05 Backdoor.Win32. Rbot.umw Backdoor.Bot.60 974 Dev-C++ 4.9.9.2 -> Bloodshed Software
0052a28dc60cac68b54ddf8f02d5aa5d 2012-08-27 2010-07-18 23:41:47 2010-07-18 23:41:47 a variant of Win32/Packed.Themida Gen:Trojan.Heur .RqX@5Gy!Zup Backdoor:Win32/ Bifrose.gen!C
0066ad4c5a1206fb6563a285f2ce14a0 2012-08-27 2012-06-22 19:57:07 2012-06-22 19:57:07 a variant of Win32/Packed.Themida Backdoor.Win32. Rbot.akio Trojan.Generic. 7352279 Themida
006e7190f10953306ba5846d272af457 2012-08-27 2011-03-13 17:31:06 2012-02-11 09:09:57 probably a variant of Win32/Agent.COLWWTQ Win32:Spyware-g en [Spy] Backdoor.Win32. Rbot.alyk Gen:Trojan.Heur .GM.0140430082 Backdoor:Win32/ Ursap!rts
006f203bee46359995b68b8f0f95dea1 2012-08-27 2011-12-03 11:22:06 2012-02-11 09:20:43 Win32/TrojanDropper.Delf.NJH Win32:Bifrose-D YN [Trj] Backdoor.Win32. Rbot.hyj Trojan.Keylogge r.ADY TrojanDropper:W in32/Agent.BAD
008e7e1d54316b2f2e6aebd0861a37fe 2012-08-27 2012-06-24 02:14:52 2012-06-24 02:14:52 a variant of Win32/Rbot Win32:EggDrop-A C [Trj] Backdoor.Win32. Rbot.boz Backdoor.Rbot.E UT Backdoor:Win32/ Rbot.gen!F
00a649781cf7d8153bd9af03d0ce5cd9 2012-08-27 2012-06-25 01:54:32 2012-06-25 01:54:32 a variant of Win32/Injector.OI Win32:Rbot-GLC [Trj] Trojan.Win32.Bu zus.bnsz Trojan.Generic. 1809892 VirTool:Win32/I njector.gen!B Armadillo v1.71
00ad7e4470086e1345b017876fd41619 2012-08-27 2011-09-11 16:46:41 2011-11-14 20:47:48 a variant of Win32/Packed.MoleboxUltra Win32:Malware-g en Backdoor.Win32. Rbot.hyj Trojan.Generic. 4200368 TrojanDropper:W in32/Agent.BAD
00d753fcbad0dc47101d3818d491a7e7 2012-08-27 2012-06-21 13:36:05 2012-06-21 13:36:05 Win32/TrojanDownloader.Agent.OST Win32:Trojan-ge n not-a-virus:AdW are.Win32.ZenoS earch.ky Trojan.Generic. 1385769 Trojan:Win32/Vu ndo
00e9816f69922b9c43f89dc0a92a99d1 2012-08-27 2008-12-27 13:34:07 2010-01-22 01:10:12 Backdoor.Bot.89 803 Xtreme-Protecto r v1.05
00eee20b71e92f57ded4b497e5dbdaf1 2012-08-27 2008-05-05 22:13:17 2008-05-05 22:13:17 Win32:Small-BHA Backdoor.Prorat .C Armadillo v1.71
00fc84692d5b22e4ecb3d8022ea86698 2012-08-27 2012-06-27 09:22:01 2012-06-27 09:22:01 a variant of Win32/Spy.Delf.NLM Win32:Agent-ACQ U [Trj] Backdoor.Win32. Rbot.agyp Gen:Trojan.Heur .PT.ei4abKk10V Trojan:Win32/De lf.EZ Malware_Prot.AJ themida 1.0.0.5 -> http://www.orea ns.com
00fc850b10d54e404cc1ff521ad10ea6 2012-08-27 2008-04-28 16:59:58 2008-05-06 12:24:21 Xtreme-Protecto r v1.05
Checked on VT at 2012-09-10 12:39:43
Scanned at 2012-08-26 04:26:41
Fi

 

—proRAT  =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

action md5 insert date First seen Last seen nod32 avast kaspersky bitdefender microsoft f_prot_unpacker peid
0023b2d76c606328688afa5ade9c0acf 2012-08-27 2009-10-25 02:21:28 2009-10-25 02:21:28 a variant of Win32/Packed.Themida Win32:Bifrose-D RI Gen:Trojan.Heur .dvXarDpNMyoi Backdoor:Win32/ Prorat.AH
0043b0517c628ef897f477e4345fd7a3 2012-08-27 2010-07-02 02:34:55 2012-02-11 12:45:38 a variant of Win32/Packed.Themida Win32:Malware-g en Backdoor.Win32. Prorat.uft Backdoor:Win32/ Ursap!rts
0054c6b833c013f32bced841e1e6739d 2012-08-27 2009-10-19 17:19:55 2009-10-19 17:19:55 probably unknown NewHeur_PE Win32:Trojan-ge n MemScan:Backdoo r.Agent.ZNH Backdoor:Win32/ Prorat.AM
0073d646cf945a4b5b3ba513b87a3c60 2012-08-27 2012-06-20 00:16:55 2012-06-20 00:16:55 a variant of Win32/Prorat.19.NAC Win32:Malware-g en Backdoor.Win32. Prorat.efu MemScan:Backdoo r.Delf.HBZ Backdoor:Win32/ Prorat.AM Obsidium V1.3.0.4 -> Obsidium Software
008e37fd9125255f6a25e19fc7640bea 2012-08-27 2012-06-05 10:42:20 2012-06-05 10:42:20 Win32:Spyware-g en [Spy] Backdoor.Win32. Prorat.het Trojan.Generic. 4484805
0090c0275880256778d156f7b08e8f03 2012-08-27 2011-03-15 10:52:42 2011-04-13 18:37:22 Backdoor.Win32. Prorat.rft Gen:Trojan.Heur .dr3a4ScZqsdi
00a490a8595793e54caa7e9a38768891 2012-08-27 2008-10-01 16:13:23 2008-10-01 16:13:23 probably unknown NewHeur_PE Win32:Agent-ONW MemScan:Backdoo r.Agent.ZNH ASProtect v1.23 RC1
00eee20b71e92f57ded4b497e5dbdaf1 2012-08-27 2008-05-05 22:13:17 2008-05-05 22:13:17 Win32:Small-BHA Backdoor.Prorat .C Armadillo v1.71
00fc839a3e3d2986cceca58ae900ce13 2012-08-27 2010-08-18 21:00:24 2010-08-24 10:54:38 Win32/Packed.Themida.A Win32:Malware-g en Backdoor.Win32. Prorat.19.dht Trojan.Packed.L ibix.Gen.2 VirTool:Win32/O bfuscator.XX
0100ca070eda3acfbdfbf2424612cc5f 2012-08-27 2010-12-14 03:58:20 2012-06-07 07:22:17 a variant of Win32/Injector.BLB Win32:VB-PJN [Drp] Backdoor.Win32. Prorat.hhw Backdoor.Generi c.319260 Trojan:Win32/VB Inject.E
0121a89cb657a11e5dd092883bfd7825 2012-08-27 2010-07-17 07:37:48 2010-07-17 07:37:48 a variant of Win32/TrojanDropper.Delf.NFK Win32:Prorat-JE Gen:Trojan.Heur .GM.0408470024
017d509b8598921ed40744e0ca829db6 2012-08-27 2009-06-22 12:28:25 2009-06-22 12:28:25 Win32:Trojan-ge n {Other} Gen:Trojan.Heur .VB.1025DA9A9A Trojan:Win32/Ma lat
01e7cbd34f8bd3cf5fa608baf2fa6d60 2012-08-27 2011-11-15 13:23:32 2012-02-12 07:10:28 Win32/Prorat.NAH Win32:Prorat-FE [Trj] Backdoor.Win32. Prorat.dz Backdoor.Generi c.21020 Backdoor:Win32/ Prorat.K
01e93b84d7df6bac7cde630ffffd043f 2012-08-27 2010-05-20 13:53:52 2012-06-09 12:47:16 a variant of Win32/RemoteAnything.AA Win32:Trojan-ge n Backdoor.Win32. Prorat.hoj Packer.Malware. NSAnti.1 Backdoor:Win32/ VB.OF
01ea64f575a9f95563ffeef45fb09ca2 2012-08-27 2012-06-27 09:46:59 2012-06-27 09:46:59 Win32/Prorat.19 Win32:Prorat-BH [Trj] Backdoor.Win32. Prorat.kcm Backdoor.Prorat .19.I Backdoor:Win32/ Prorat.Z ASPack v2.12
02119a21b4b339dd367769c2aebd622c 2012-08-27 2008-11-04 18:23:06 2009-12-05 01:59:16 probably a variant of Win32/Agent Win32:Trojan-ge n Backdoor.Win32. ProRat.cqf Trojan.Generic. 1859606
022cb4ec9e03596701cdc5252c09d0e9 2012-08-27 2012-06-25 18:49:03 2012-06-25 18:49:03 a variant of Win32/Injector.EJM Win32:Trojan-ge n Backdoor.Win32. Prorat.efy Gen:Trojan.Heur .Dropper.bm0@aa gNUVni VirTool:Win32/V BInject.AZ
0247d8561b2a3b8338aa2eff5632f212 2012-08-27 2009-10-13 11:06:04 2009-11-08 22:05:55 Win32:Prorat-IR Backdoor.Win32. ProRat.fns MemScan:Backdoo r.Agent.ZNH Backdoor:Win32/ Prorat
0248b3729a47c970cbd5c43e7298d3dc 2012-08-27 2012-06-21 15:25:52 2012-06-21 15:25:52 a variant of Win32/GameHack.AL Win32:Trojan-ge n Backdoor.Win32. Prorat.fwr Backdoor.Turkoj an.AF Backdoor:Win32/ Turkojan.AI
024c8882871ba3921c2f243ad96e3956 2012-08-27 2012-06-19 17:50:01 2012-06-19 17:50:01 probably a variant of Win32/Agent.LTWPXFW Win32:Trojan-ge n Backdoor.Win32. Prorat.evo MemScan:Backdoo r.ProRat.TG Backdoor:Win32/ Prorat.U

—lostDoor – proRAT kinda  =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

 

action md5 insert date First seen Last seen nod32 avast kaspersky bitdefender microsoft f_prot_unpacker peid
cb5c84f6f7e682d9cba2ecba677336c4 1970-01-01 2010-12-04 10:25:27 2012-04-04 22:06:55 a variant of Win32/Spy.KeyLogger.NHM Win32:Agent-ABM I [Trj] Trojan-Spy.Win3 2.VBChuchelo.ah Trojan.Generic. 161562 TrojanSpy:Win32 /Choochie.K

 

 

—Ultimate_Spy-Net  =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

action md5 insert date First seen Last seen nod32 avast kaspersky bitdefender microsoft f_prot_unpacker peid
0058368c1856f88556e881d203441805 2012-08-27 2012-06-24 11:10:36 2012-06-24 11:10:36 a variant of Win32/TrojanDownloader.FakeAlert.NQ Win32:Lighty-B [Cryp] Trojan.Win32.Vi lsel.mfb Packer.Malware. Lighty.I TrojanDownloade r:Win32/Renos
00adc990cbf1e4733fdf3afbdf54938a 2012-08-27 2012-06-23 11:17:18 2012-06-23 11:17:18 a variant of Win32/TrojanDownloader.FakeAlert.NQ Win32:Lighty-B [Cryp] Backdoor.Win32. UltimateDefende r.hiw Packer.Malware. Lighty.I Trojan:Win32/Wa ntvi.I
00c547fb1918bcef0a864161b33f0ead 2012-08-27 2010-12-30 22:38:00 2012-02-11 06:34:55 a variant of Win32/Adware.Antivirus2008 Win32:FakeAV-M [Trj] Trojan-FakeAV.W in32.UltimateAn tivirus.g Trojan.Generic. 365345 Rogue:Win32/Fak eSecSen ASPack v2.12
00cbcdff13e5c710341393a19d260da6 2012-08-27 2008-07-28 12:42:05 2009-10-16 10:45:20 probably a variant of Win32/Adware.Antivirus2008 Win32:Trojan-ge n not-a-virus:Fra udTool.Win32.Ul timateAntivirus .ag Trojan.Generic. 669380 Trojan:Win32/Fa keSecSen ASProtect v1.23 RC1
0279f3e2593cb0130e2616de1e4ebb76 2012-08-27 2008-06-18 11:50:19 2012-02-12 23:45:25 Win32/Adware.WinAntiVirus Win32:FakeAV-M [Trj] Trojan-FakeAV.W in32.UltimateAn tivirus.cl Adware.Rogue.Ad vancedAntivirus .A Rogue:Win32/Fak eSecSen Armadillo v1.xx – v2.xx
029eea83722c549f099d423418b8a54a 2012-08-27 2008-10-17 23:58:48 2011-02-26 10:22:25 a variant of Win32/TrojanDownloader.FakeAlert.NQ Win32:Lighty-B Trojan-Dropper. Win32.Wlord.ahu Packer.Malware. Lighty.I TrojanDropper:W in32/Rooter.B
0305fbcff971eabd81d5ddadd29e6ec1 2012-08-27 2008-08-22 16:42:43 2011-07-18 05:11:41 probably a variant of Win32/Adware.Antivirus2008 Win32:Neptunia- AGB [Trj] not-a-virus:Fra udTool.Win32.Ul timateAntivirus .bi Trojan.Fakeav.B C Rogue:Win32/Fak eSecSen ASPack v2.12
0358ecdc802150626cec39052e43132b 2012-08-27 2008-11-03 08:08:58 2011-08-26 21:27:41 Win32/TrojanDownloader.FakeAlert.PL.Gen Win32:Lighty-D [Cryp] Backdoor.Win32. UltimateDefende r.gsv Trojan.FakeAler t.ANE TrojanDownloade r:Win32/Renos.F J
0452ca3a273127a940c491a87806b047 2012-08-27 2008-08-28 06:23:10 2008-10-22 05:12:57 not-a-virus:Fra udTool.Win32.Ul timateAntivirus .bu Program:Win32/A ntivirus2008 ASPack v2.12
057abdd8f6d1f61eef9434b5e7daa4c6 2012-08-27 2011-07-27 19:30:35 2011-10-20 22:26:38 Win32/Adware.UltimateDefender Win32:FraudTool -GY [Tool] Backdoor.Win32. UltimateDefende r.pq Trojan.Generic. 6410781 Trojan:Win32/An omaly.gen!A UPX UPX 2.90 [LZMA] -> Markus Oberhumer, Laszlo Molnar & John Reiser
06fbf01caa783f46421a0bbedf97719e 2012-08-27 2012-06-19 23:11:45 2012-06-19 23:11:45 probably a variant of Win32/Kryptik.FD Win32:Lighty-E [Cryp] Backdoor.Win32. UltimateDefende r.hwp Trojan.FakeAler t.ANE Trojan:Win32/Wa ntvi.I
08226ab7f48461cb78d33b985ec2fa4f 2012-08-27 2008-08-25 12:55:04 2009-05-01 22:36:49 Win32/Adware.Antivirus2008 Win32:Neptunia- AGB not-a-virus:Fra udTool.Win32.Ul timateAntivirus .bq Trojan.Fakealer t.ALL Trojan:Win32/Fa keSecSen ASPack v2.12
085381cd16ef4f9c6cf03ce79f77b35f 2012-08-27 2009-04-16 21:00:47 2009-04-16 21:00:47 probably a variant of Win32/Adware.Antivirus2008 Win32:Neptunia- AGB not-a-virus:Fra udTool.Win32.Ul timateAntivirus .by Trojan.Fakeav.B C Trojan:Win32/Fa keSecSen ASPack v2.12
09cb0a224418027c40f9552c56180750 2012-08-27 2008-12-02 10:46:37 2009-09-12 07:57:49 a variant of Win32/Kryptik.CH Win32:Lighty-H Backdoor.Win32. UltimateDefende r.hki Trojan.Generic. 1730997 TrojanDownloade r:Win32/Renos.F J
0b55b43d8ec5898f408707ac069300b6 2012-08-27 2008-07-10 12:31:24 2011-08-15 04:38:12 Win32/Adware.Antivirus2008 Win32:FakeAlert -S [Trj] Trojan-FakeAV.W in32.UltimateAn tivirus.dp Trojan.FakeAv.B U Rogue:Win32/Fak eSecSen ASProtect v1.23 RC1
0c243bffc29aab2ea6e4abb65319f33c 2012-08-27 2008-09-19 14:03:15 2012-02-09 08:34:42 Win32/Adware.Antivirus2008 Win32:Neptunia- AGB [Trj] Trojan-FakeAV.W in32.UltimateAn tivirus.cp Trojan.Fakeav.B C Rogue:Win32/Fak eSecSen ASPack v2.12
0e4eaff4a610c160e9cfbe4b01463295 2012-08-27 2009-07-21 00:34:56 2009-11-15 11:49:01 probably a variant of Win32/UltimateDefender.A Win32:Agent-QNI Backdoor.Win32. UltimateDefende r.ieq Generic.Malware .P!.6473D4B8 VirTool:WinNT/X antvi.gen!A
0f27d07f89550dcae7050f3c100137f3 2012-08-27 2008-03-29 22:49:29 2008-10-29 15:07:04 not-a-virus:Fra udTool.Win32.Ul timateDefender. cm Trojan.Crypt.AN Trojan:Win32/Ti bs.gen!H
0f388783e9960156399c343ea7a70e24 2012-08-27 2008-11-03 20:53:28 2009-05-26 21:41:40 Win32/TrojanDownloader.FakeAlert.PL.Gen Win32:Lighty-D Backdoor.Win32. UltimateDefende r.gky Trojan.FakeAler t.ANE TrojanClicker:W in32/Klik
102009d4b848bd264753f877dae939a4 2012-08-27 2008-08-27 07:34:09 2012-01-24 08:11:37 probably a variant of Win32/Adware.Antivirus2008 Win32:Neptunia- AGB [Trj] Trojan-FakeAV.W in32.UltimateAn tivirus.bw Trojan.Fakeav.B C Rogue:Win32/Fak eSecSen ASPack v2.12

 

 

09/22/12

Hacking the Credit Card Code

gAtO wAs- surfing around and found this information targeted at future cyber gAtIcOs- These are the basic tricks that the bad guy’s are using to game the system. and they share this basic information to help other stupid wanna-bee bad guys. TRUST but VERIFY – be a critical reader and remember that this comes from bad guy’s always trying to trick you. I checked out most of the LINKS and deleted any ones I though may be bad. Some of this is a bullshit, some stupid  and some is real from what I can tell – enjoy–gATO oUt  

for educational PURPOSES ONLY. – how the Cyber Criminals are using the system for cyber-money laundering. 

Cracking The Credit Card Code

Credit Cards 2 BTC-Bitcoin – BTC-Bitcoin 2 Credit Cards

 

Wasn’t quite sure where to put this, but I decided I’d share some information on the actual code of a credit card.

In reading this you will be able to interpret credit card codes efficiently and actually be able to learn about the card itself. This is all simply by knowing the 16 digits on the front of a card.

The first digit of a card is called the Major Industry Identifier (MII). It designates the category of the entity which issued to card. This is useful in finding what exactly the card is for.

1 and 2 are Airlines,

3 is Travel and Entertainment

4 and 5 are Banking and Financial

6 is Merchandizing and Banking

7 is Petroleum

8 is Telecommunications

9 is a National assignment

The first 6 digits are the Issuer Identification Number (IIN). It will identify the institution that issued the card.

Visa: 4xxxxx

Mastercard: 51xxxx – 55xxxx

Discover: 6011xx, 644xxx, 65xxxx

Amex: 34xxxx, 37xxxx

Cards can be looked up by their IIN. A card that starts with 376211 is a Singapore Airlines Krisflyer American Express Gold Card. 529962 designates a pre-paid Much-Music MasterCard.
The 7th and following digits, excluding the final digit, are the person’s account number. This leaves a trillion possible combinations.

The final digit is the check digit or checksum. It is used to validate the credit card number using the Luhn algorithm

How to use this information to validate a credit card with your brain:

Take the below number (or any credit card number)

4417 1234 5678 9113

Now, double every other digit from the right

(4×2, 1×2, 1×2, 3×2, 5×2, 7×2, 9×2, 1×2)

Add these new digits to the undoubled ones (4, 7, 2, 4, 6, 8, 1, 3)

All double digit numbers are added as a sum of their digits, so 14 becomes 1+4.

8+4+2+7+2+2+6+4+1+0+6+1+4+8+1+8+1+2+3 = 70

If the final sum is divisible by 10, then the credit card number is valid.

If it’s not divisible by 10, the number is invalid or fake.

In this case, 70 is divisible by 10, so the credit card number is indeed valid. This works with every credit card and opens many ideas to the mind.

 

Credit Cards to BTC-Bitcoin

These are methods that have been discussed on HackBB for cashing CCs into bitcoins. Before I continue let me get this out of the way. No you can not cash your CVV directly into bitcoins. Exchangers know the risk involved in accepting reversible credit for non-reversible currency, and the few that have ever accepted direct CC payments were scammed out of business. There are ways around this issue..

CC -> SLL -> BTC

Editors Note:

VirWox wised up to this method and started forcing users to validate their SL avatars..

http://clsvtzwzdgzkjda7.onion/viewtopic.php?f=49&t=1836

Thought I’d tidy this up a bit with a noob-friendly tutorial on how to buy bitcoins with a CVV through VirWox.

What you will need.

  • Valid CVV (any country will do)
  • Clean Socks5 proxy as close as possible to cardholder’s address
  • Good DNS setup

Ok lets get started.

You’ll need an email account. Go create a new one at yahoo/gmail/whatever…..doesn’t matter which (i wouldn’t use tormail for this……too much of a flag).

Go to https://www.virwox.com/, and create a new account using the email you just set up and the name on the CVV. Just make up a fake SL avatar – you don’t need to validate it.

You will then have to confirm your new account by retrieving the temp password from your email.

First thing to do in Virwox is change your password in the “Change Settings” tab on the left.
Now we’re ready to do some carding. Click “deposit” and scroll down to the Skrill(moneybookers) option. Then enter the max amount for the currency of your card (currently $56 for USA cards) and click the moneybookers logo.

If you have NoScript installed you will have to temporarily allow all this page. Enter the details you have for the CVV and make up a fake date of birth if you dont have a genuine one.

If all goes well, you will then be taken back to the main page with your USD/EUR/GBP balance filled.

On the “exchange” menu left of screen choose USD/SLL to convert to Linden $s, then BTC/SLL to convert to bitcoin.

Now withdraw.

Easy Profit.

Note:

  • Typically Virwox hold funds for 48 hours before releasing.
  • You can process payments a total of 3 times with each card…..one transaction every 24hours.

CC -> Moneygram -> BTC

If you have fulls (ssn, dob, etc) you can try cashing out through moneygram. To do this just go to site and sign up for an account under the cardholders name. Be sure to chain a regional socks5 with your Tor connection so you appear to be from the same country that the cardholder is in [4]. Select Same Day service. It will prompt you for the card details, dob, and the last 4 digits of the ssn. I would suggest running this name through a background check (any background search site will do) in case you have to answer a security question to send the funds over. Don’t try to send over too much. If you accidentally go over the limit or try to send a suspicious amount you risk flagging the account. No more than $300 from each CC. If everything goes smoothly you can try exchanging through https://wm-center.com for bitcoins. You can find more information on WM-Center here: https://en.bitcoin.it/wiki/WM-Center

CC -> Forex -> BTC

The process is actually really simple. I was surprised to find the site. Kinda found it by accident actually.

Site: http://www.rationalfx.com

Using a foreign currency exchange site to change money on a credit card into a foreign currency and to wire transfer the money into a bank account.

In this case, the bank account is at https://mtgox.com

The process goes as follows:

  • Make an email account anywhere.
  • Make an account at MtGox.
  • Make an account at rationalfx.com. (all account info in the name of the cc holder).
  • In rationalfx, add account details, addy, card number, MtGox wire info.
  • Make a transfer.

Process takes 3-5 business days… It turns a cc transaction into a wire transfer so it takes a couple days… (Note: in the interest of speed and not getting the transaction reversed, Monday/Tuesday is the best day to start the transaction)

Once the money is in MtGox, turn it into bitcoins as quickly as possible and move it into your other bit wallets. Wash the coins if necessary…

Easy huh?

Already pulled it off once. 400GBP through a MC without any issues. rationalfx does not seem to have any real safeguards in place. Tor works fine there (though it is best to use an exit node wherever your card holder lives).

When I was testing it first with a visa, it told me 3 times in a row that the transfer failed. I lowered the amount each time and tried again. After the 3rd time it went through but I didn’t have the Verified by Visa password so I couldn’t continue. BOTH Visa AND MC , it seems, will pop up with a verification thingy if its enabled on the card. (Usually US/UK cards)

Make sure when you deposit to MtGox, you include the account identification info for that spacific account. You can find it on the ‘funding options’ -> ‘Bank wire’ page… If you forget that info you wont get your money..
So there you have it. Its simple as pie.. This is not 100% of the info but ya’ll can figure out the rest..

I know ya’ll prolly wont but if you are feeling generous…

Hope you enjoy..

Cashing Methods

This is a collection of cashing techniques that have been discussed on HackBB. Keep in mind before you get started you will need to know how to chain a socks5 with Tor to avoid tripping a fraud filter [1].

Easy PP/CVV cashout

I will preface this by admitting that I may have something to gain since I sell the tools needed to make this work. My mind played connect the dots when reading the forum and checking my messages, and I realized it’s easy to cash out with a little investment and work ahead of time.

I can’t guarantee this will work, I never tried it. But I do understand the systems involved so I’m as confidant as I can be.

Everybody wants to know how to cash out. Well, that is easy, the hard part is getting away with it. Any fuckin moron can rob a bank, but it takes a genius to do it time and time again while leaving the investigators in a state of mental confusion akin to drinking mercury and pithing their brains with an icepick.

This is not a step-by-step. Google is your friend (unless you’re signed in). I don’t hold hands, if you can’t figure it out on your own from here, it’s not in your scope.

Ingredients:

  • EU paypal account
  • Fresh email.
  • Anon debit card
  • CVV’s
  • Balls

Ok, Open an EU paypal account from one of the countries below. You can use fakenamegenerator.com or whatever you want. Just make sure is is a merchant and not personal. There are 3 levels, go with the middle. Get an Anonymous debit card, and link it to the paypal, using the CC and not the bank. I know for sure that the bank wont work for US accounts, as it is a deposit only bank account number. Depending on the country and the country’s banking regs, paypal may or may not try to take back the verification amount they sent. Forget that.

Once the paypal and debit card are connected successfully, it is time to get your free money. I don’t know what language you are using in the EU paypal, but it goes something like this: Merchant tools–>Generate Paypal button. Alternatively, you can google “paypal but it now button” in quotes. Figure it out.

I hope to god you got a CVV by now, because that’s whats next. Using the code you got for the BIN button, go to http://htmlpreview.richiebrownlee.com/ Paste the code, click the button, and now you are at a paypal purchase page. Depending on where you are, and I haven’t figured this out yet, you may have an option to pay with CC. It used to be that with USA, you could pay with CC but not sign up. So make sure you have a USA CC. If you registered a simple personal account, paypal will ask buyers to sign up first, and you might as well stop there.

If you see the option to either sign up or pay with CC, you are GOLD.

The amount will be immediately available on the paypal you created. Now, just withdraw funds to the debit card. 3-5 days, it will be there. Go shopping. See the girl with the big titties? Buy her a drink. You win.

I cannot account for moneybookers, as I’ve never used it, but I imagine it would work the same way. To test with moneybookers, I suggest linking to a greendot card with a throw away account, since you need to verify SSN. That can be your legit moneybookers anyway.

Here is a list of countries that SUPPOSEDLY don’t need a VBA, only a CC:

Bulgaria

Chile

Cyprus

Estonia

Gibraltar

Iceland

Indonesia

Latvia

Liechtenstein

Lithuania

Italy

Israel

Liechtenstein

Luxembourg

Malaysia

Malta

Philippines

Poland

Romania

San Marino

Slovakia

Slovenia

Turkey

UAE

Uruguay

 

I’ll share with you a cashout method

I’ve been using square on my android to cash out cards… All I did was register with jingit com and apply for their visa debit card… I do it this was cause I just watch some ads until I make $2.00 which is the fee for the card… once the card arrives you’ll get an account # and routing # as if it were a checkings account. (when you apply for the jingit card make sure you match FB’s DOB with jingit card on the application form)

now you register on squareup com and link it to the debit card acc. to verify the initial deposit they make don’t wait til you get the statement, call the # on the back of the card and you can get your transaction history over the phone. (I forgot you have to activate the card over the phone. this is why you need the SSN and DOB)

I only do this over open wifi and my android is not activated with any company. Also you must have location services enabled so don’t do it close to your home.

you don’t need the reader, you can charge cards manually entering the card info. you need at least the billing zipcode. transactions under $25 don’t require signature and you can skip the receipt.

I always get another prepaid card to swipe it when I use a new acc for the first time, I never start using an acc entering numbers manually… it’ll raise flags. don’t use your own card linked to your bank… that would be stupid

Beating the Online Casinos/Bookies (uk)
What you need

  • 2 machines, or an accomplice to play your dummy account.
  • UK non-3DS CVV
  • 50 GBP cash
  • Access to a William Hill shop

Create 1st account

Setup VM on system 1. I’m not going in to any great detail on how to do this as it’s covered elsewhere on the board. Use something like: Tor -> VM -> [UK]VPN / VPN1 -> VM -> [UK]VPN2.

Download the software and setup an account using either your genuine details, or some fictitious details from the local area of the shop you will be using. The deposit option you are interested in is “Quick Cash”

Off you go to a local William Hill shop to buy your Quick Cash voucher (say 50 GBP for this example). The shop prints 2 vouchers. One they keep which you will have to sign (in your fake name if you’ve used one), the other is given to you and contains the transaction code to enable you to deposit online.

Now either contact your accomplice who will play the other account or:

Create 2nd Account

Setup VM on system 2.

Download the software same as for Account 1, and this time setup the account using the details from your CVV. Deposit using CVV (eg 400 GBP).

Dumping Chips

Again, i’m not going into any great detail on this….if you don’t know how to play poker, then learn…fast. Become familiar with which hands tend to generate the largest pots (eg AA vs KK). 6-handed tables are a good choice (0.50/1 for these amounts).

Over the course of 1-2 hours, pass chips from Account 2 -> Account1, randomly losing some chips to the other players at the table. A reasonable target is for Account 1 to be +300.

Cashing out

Ok, you’re happy with your 300 profit. Click withdraw in the cashier, again choosing the “Quick Cash” option. Print off the voucher, then return to the shop where you were earlier in the day. Present the voucher, sign your name again to verify and walk out the shop 300 GBP richer for a few hours work.

Note: It’s probably not a great idea to use fictitious details if you use a shop in your own local area. No ID should be required for amount <500 GBP. If you’ve dumped chips with enough care, it’s almost impossible to prove you were involved in any fraudulent activity. You’ll have cash in your hand before anyone realizes any fraud has taken place, so no chance of freezing accounts.

Carding Online

Editors Note:

I edited out the “ATTAINING HIGHER LEVELS OF ANONYMITY” section due to it being

obviously wrong and changed the CC check link. Don’t add it in.

LEGAL TIDBITS

This FAQ is intended for educational PURPOSES ONLY.

THE BIG QUESTION: WHAT IS CARDING?

- Well, defined loosely, carding is the art of credit card manipulation to access goods or services by way of fraud. But dont let the “politically correct” definition of carding stop fool you, because carding is more than that. Much more.

Although different people card for different reasons, the motive is usually tied to money. Yea, handling a $9,000 plasma television in your hands and knowing that you didnt pay one red cent for it is definitely a rush.

But other factors contribute to your personal reason for carding. Many carders in the scene come from poor countries, such as Argentina, Pakistan, and Lebanon where $50 could mean a weeks pay, on a good day. Real carders (the one that have been in the scene the longest) seem to card for something more, however. The thrill of cc manipulation? The rush that the federalles could bust down your door at any minute? The defiance of knowing that everyday that you are walking among the public is another day that you have gotten away with a federal crime?

Whatever your persona reason for carding is, this tutorial should answer a few noobie questions and take the guessing out of the entire carding game. The resources and techniques mentioned in this tutorial are NOT, I repeat, NOT the only methods of carding. Experience in carding is key. You have to practice your own methods and try out new techniques in carding to really get a system that works for you. This tutorial is meant to get you on your way.

THE BASICS: WHAT DO I NEED AND WHERE DO I GET IT?

Credit Cards: Yes, CCZ.

“do you have any ccz” “where can I hack CCZ” “where can I get a list of valid CCZ?”

You need money to make money. Plain and simple. Which means that the only way your gonna be able to get ccs if you have ABSOLUTELY NO MONEY is if you successfully rip a noobie with 100 cards (but what noobie has 100 cards?), if you have any background in database hacking, if you trade for your shit, or if you know someone that’s willing to give you ccz all day.

I know thats a discouraging statement to all of you, but we have to keep shit realistic. The easiest way to get ccz is to purchase them.

“but I can’t get a job/I don’t wanna work!”

Having a regular 9 to 5 job is not a bad idea in the carding scene. Not only will you have some sort of alliby to why you have all this expensive shit in your house, but you can also use the money (who cant nowadays) to pay bills. You cant card forever, and you cant sustain yourself by carding alone.

If you are REALLY strapped for cash, you have to go through the alternative: trade for your resources. you have to be resourceful in carding, meaning you have to use what you got. Got a psybnc admin account? Offer psybnc user for a cc or two. Got shells? roots? Can you make verification phone calls? just ask yourself “what do I have that might be valuable to someone else?” and work with that. It dosnt have to be big, it just has to get you a few cc’s in your palms.

Once you’ve run your first successful cc scam, DONT SPEND ALL YOUR EARNINGS. Save $200 and re-invest back into the carding community. head to SC and get better cards. If you have level 2 cards, I suggest carding C2it/Paypal and using that $$ to buy ccs. (successful C2it/PP scamming techniques will not be discussed in this tut, sorry)

To other minor pointers on rippers and legit sellers, please scroll down to “SELLERS, TRADERS, AND RIPPERS, OH MY!”

“where can I check my CCZ?”

Knowing wether your cc is valid or not is really important for saving some time and energy. you can check them under http://www.soundcloud.com

The idea way for checking ccz is through an online merchant (authorize.net, linkpintcentral.) These merchants can verify cc amounts without charging your ccs. Good luck finding one. People on IRC want a ridiculous trade for These merchants (cvv lists, cash). So if you run accrosss a legit merc, dont give it out! even to your best buds! online mercs are gold in the world of carding.

Other methods for verifying cc amounts include registering your cc on an online bank. (You will need at least a level 2 card, level 3 for ATM cards). alot of online banks can give you limit, billing addy, ect ect but they require at least a level 2 cc (more info on ccz below)

CREDIT CARD FRAUD: INFORMATION IS KEY.

I want to make something clear right now. The secret to carding is not the number of cards you own, its what you can do with the cards. What do I mean by that? Simple.

Hypotherical situation: My name is Johnny and I have 3 ccs with SSN, DOB, CVV NUMBER, MMN, NAME, STREET ADDRESS, CITY, ZIP, AND BILLING TELEPHONE NUMBER. I have a friend named Billy. Billy has 300 CCCZ with CVV, MMN, NAME, STREET ADDRESS, CITY, ZIP, AND BILLING TEL. NUMBER. Whos more likely to successfully card something?

Simply put, I (Johnny) am. Why? Because I have more information that can prove that I am the person who owns this CC than Billy does with his 300 CCVZ. Does that mean Billy’s not gonna card anything? No, that just means Billy’s gonna have a hard time carding anything without verification.

So to sum up this lesson, you have to get information on your mark (the person that youre impersonating.) #1 rule in carding is: the more information you have on a person, the better chances you have for a successful transaction. Here is the information you’re looking for(note: the levels of a card is not a tehcnical carding term, I’ just used L1 L2 L3 to simplify shit throughout the tutorial.) :

NAME: ADDRESS: CITY: STATE: ZIP CODE: TEL. BILLING NUMBER: CARD NUMBER: CARD EXP DATE: CVV CODE:

(LEVEL 1: REGULAR CVV. If you have this much info, youve got yourself a regular cc. Nowadays you need this much info for carding ANYTHING worth mentioning. If you have any less than this information, you’re shit outta luck. :\)

Social Security Number (SSN): Date Of Birth (DOB): Mothers Maiden Name (MMN):

(LEVEL 2: (PARTIAL FULL-INFO) If you have this much info, your ccz are on another level. With this info, you should be able to card PayPal, C2IT, and other sites without too much of a hassle.)

BANK ACCOUNT NUMBER: ROUTING NUMBER: BANK NAME: BANK NUMBER: DRIVERS LICENSE NUMBER: PIN NUMBER (For CC or ATM card)

(LEVEL 3: (true full-info) If you have this info, youre cc is ready to card anything your heart desires)

Now if all you have is a regular cc, dont discourage. Just do some research and build your cards as much as possible:

First, go to whitepages.com and try to lookup your marks street address and phone number. Make sure it matches the info you have on your cc..

Last, but not least, take a quick look in ancestry.com. Ancestry.com is a bit of a pain, but you can lookup DOB and MMN (ie, if your marks name is anthony hawkins, his father is david hawkins and his mothers name is bella donna, Donna is the MMN)

So size up your cards and move on to the next lesson:

DROPS AND VERIFICATION TECHNIQUES:

The right drop is essential to your scamming needs. Finding legitamite drops inside and outside of the US is hard. Many people keep your shit and don’t send, or some people dont pick up the package at all! (theres nothing worse than watching your hard-earned laptop going back to the store because it was refused by the recepient)

If you live inside (or even outside) the USA, you’re better off scoping a drop out on your own. A drop is basically an empty home that looks to be inhabited. This is the shipping address you use for your carding needs. Your items should only picked up at night. As awlays, be sure to have a cover-story in case someone asks why youre snooping around an empty home. “I’m picking up a package for the person that used to live here” is a legit excuse. Or even “my father is the real-estate agent.” is good. Just keep in mind that if you order anything over $500, it will USUALLY need to be signed for, (this statement is based upon FEDEX/UPS policies. I’ve gotten feedback from people that state they have gotten their local UPS employee to drop merchandise worth 1k at thir doorstop using a note, but these are uncomfirmed rumours.) Wether youre willing to sit and wait all day on the doorsteps of your drop, or you rather leave the postman a note that says you’ll pick it up at the nearest postal station, its up to you. (Dont panic if you have to pick up a package at the station. When you walk in, you need to be calm so it dosent arise suspicion. If the clerk asks you to wait more than 3 minutes, PLEASE dont stand there waiting to get busted, tell him/her you have a prior engagement and quickly exit stage left. )

If you live outside the USA, youre just gonna have to trust someone. The easiest way to get a legit drop in the USA is to ask around for people that have had successful experiences with a drop. Most drops hold a 50/50 or “you card something you card me sommething” policy. If you’re talking so someone thats trying to cut themselves in to the deal “Ie yes, I know someone but you have to card me something too” just move on, they’re wasting your time.

Just a quick note, if you’re carding something like a plasma television, you’ll have better luck using a drop from the same state, changing the billing addy (you can change a billing addy with a level 2 card, youll need a L2 card for carding a plasma tv neways) and acting like you just moved. (have that mindset when you call in: I am (name of cardholder) and I just moved from (city a) to (city b)) Once you have the item in your possession, you SHOULD GUESS THAT YOUR DROP HAS BEEN FLAGGED. What does this mean? YOU SHOULD NOT – I REPEAT SHOULD NOT RETURN TO A DROP ONCE YOU’VE CARDED EXPENSIVE SHIT TO IT. Regardless of wether your drop is flagged or not, do you really want to take the chances?

The cellular phone: The anonymous cell phone is the carders sword. With it, you will make several calls to several companies using several names. You should keep this cellular phone for carding ONLY. (just in case you become confused and forget who youre talking to.) If you have a phone phreaking connection, youre a lucky SOB. For the rest of us, we gotta go out and get a pre-paid cellular phone. (a phone which dosent require much info to purchase and use.)

THE SITES: WHATS CARDABLE AND WHATS NOT?

Ok, so you got your ccs, your drop and youre as anonymous as you can make yourself. Now what sites are cardable? This is the easiest question I have to answer on this FAQ.

-ANY AND ALL SITES ARE CARDABLE- (THX CIA AND `Q_)

Why do I say that? because it’s true. Like I said in chapter two of this little tutorial, its not about how many cards you have, its what you can do with them. Alot of this has to do with your mindset as well.

If you have a card from Johnny Knoxville from Texas, you must be Johnny Knoxville from texas. Depending on the information that you have acquired from Johnny Knoxvile, you must convince merchants and I-stores that you A R E Johnny Knoxville.

When approaching these I-stores, you want to scope things out first. Ask yourself a few questions:

-whats their policy on different shipping address than billing addess?

If they have a “must call” policy, make sure to give them an anonymous number where you can be reached (have your anon cell phone ready for this.)

-do they accept other payments besides credit?

If they accept other payment methods, sometimes its easier to card with a different payment method. (Ive had more luck on Dell.com with online checks that I have with credit cards.)

Whatever you card, make sure that you have all your info prepped before carding it. If youre carding something over 1k, get on your anonymous celly and call up the banking institution of the person’s card youre holding. Make sure to let them know that youre making a purchase of a large limit, so they dont deny your card.

Know Thy Enemy: What the CC Payment Gateways Check for Fraud

These are the measures taken by CardPay which is a payment gateway to rate fraud. It wouldn’t be really hard to imagine that other gateways take the same measures. Although we all know the rules of thumbs, I thought it would be interesting to see what they *actually* measure to evaluate high risk of fraud. The amount of information that they actually collect is mind blowing.

Fraud Screening system of CardPay Inc. Payment gateway performs comprehensive analysis of transaction data, using several techniques simultaneously. Data from external systems used during screening process, also as internal transactions history and various lists.

Transaction passes through so called “pipeline”, consisting of following steps:

  • Rules system
  • Card and cardholder’s data analysis using automated fraud screening service
  • Multivariate regression analysis of in-house transactions database.
  • The above mentioned subsystems are described in more details in the following section.

Rules system: Fraud rules logic implemented in stored procedures by Oracle DBMS, which enables adding and modifying rules without service downtime. Before passing order through rules chain, additional information retrieved from MaxMind credit card fraud prevention service. MaxMind returns to gateway following data:

  • Cardholder located in high-risk country. At a moment following countries recognized as high risk: Egypt, Ghana, Indonesia, Lebanon, Macedonia, Morocco, Nigeria, Pakistan, Romania, Serbia and Montenegro, Ukraine, or Vietnam.
  • Whether country of IP address matches billing address country (mismatch = higher risk)
  • Country Code of the IP address
  • Distance from IP address to Billing Location in kilometers (large distance = higher risk)
  • Estimated State/Region of the IP address
  • Estimated City of the IP address
  • Estimated Latitude of the IP address
  • Estimated Longitude of the IP address
  • ISP of the IP address
  • Organization of the IP address
  • Whether IP address is behind an anonymous proxy(anonymous proxy = very high risk)
  • Likelihood of IP Address being an open proxy(transparent)
  • Whether e-mail is from free e-mail provider
  • Whether e-mail is in database of high risk e-mails
  • Whether usernameMD5 input is in database of high risk usernames.
  • Whether passwordMD5 input is in database of high risk passwords.
  • Whether country of issuing bank based on BIN number matches billing address country
  • Country Code of the bank which issued the credit card based on BIN number
  • Whether name of issuing bank matches entered BIN name. A return value of Yes provides a positive indication that cardholder is in possession of credit card
  • Name of the bank which issued the credit card based on BIN number
  • Whether customer service phone number matches BIN phone. A return value of Yes provides a positive indication that cardholder is in possession of credit card.
  • Customer service phone number listed on back of credit card.
  • Whether the customer phone number is in the billing zip code.
  • Whether shipping address is in database of known mail drops.
  • Whether billing city and state match ZIP code.
  • Whether shipping city and state match ZIP code.

After gathering of all data, rules in chain applies to order data sequentially, increasing or decreasing total fraud score.

Rules chain consists of following rules:

  • Cardholder country rating(global list)
  • Cardholder country rating(as set up by merchant)
  • Cardholders IP found in black lists
  • Cardholders IP range found in black list
  • Cardholders email found in merchants black list
  • Cardholders email found in global black list
  • Cardholders email found in forbidden email providers list
  • Card PAN doesnt present in global black list
  • Card PAN doesnt present in merchants black list
  • Cardholders address not in global black list
  • Cardholders address not in merchants black list
  • Order amount doesnt exceeds global purchase limit
  • Order amount doesnt exceeds local(merchant) purchase limit
  • Single PAN daily turnover doesnt exceeds global daily limit
  • Single PAN daily turnover doesnt exceeds local(merchant) daily limit
  • Billing address daily turnover doesnt exceeds global daily limit
  • Billing address daily turnover doesnt exceeds local(merchant) daily limit
  • PAN number brute force check
  • Expiry date brute force check
  • CVV brute force check

This is base rules set. Our fraud officer constantly monitors transaction flow and modifies existing rules and implements new ones to gain maximum fraud prevention efficiency.

Transaction history analysis(in-house service): After successful rules checking, transaction data verified against pool of existing transactions, enabling most accurate results and fraud decisions possible. If this routine detects no reasons to block further processing.

Transaction history analysis(external service): If in-house transaction history doesn’t shows signs of fraud, external database enters into business.

Online Verification Procedures
Over the years, I’ve come across dozens of procedure lists for top-tier merchants regarding online transations and fraud reduction. I’ll detail several companies verification procedures below.

While most virtual carders are aware of the various procedures in place to verify orders placed online, few actually understand the implementation of fraud scoring, and the order in which these verification methods are used.
The Risk Management Toolkit

  • AVS
  • CVV
  • IP/GEO/BIN
  • Cardholder Authentication (VbV/MSC)
  • Phone Verifications
  • Manual Order Reviews
  • Chargebacks & Representments
  • PCI Compliance & Data Security

 

AVS – Address Verification Service

How It Works

  • Provides a Match or Non-Match Result for only the Billing Street # and Billing Zip Code… not the actual address. (i.e. “1234 Test Street” is parsed into “1234” just the same as “1234 Wrong Way” would be).

Implementation

  • Available on any Internet merchant account and virtually any Payment Gateway.
  • Most gateways provide an AVS configuration area where you can specify whether you want to automatically“decline” (i.e. do not settle) an authorization that has an AVS mis-match or non-match.

Benefits

  • Easy to implement Limitations
  • Works only for U.S., CND, U.K. cardholders so this does not help you scrub most international transactions.
  • A growing % of compromised credit cards – especially those obtained through inside jobs or hacked databases– will also contain the necessary information to provide a valid AVS match result.

Recommendation

  • If you handle a mix of int’l and U.S. sales, you will want consider scrubbing with AVS on the U.S. transactions but do NOT scrub via AVS for any international transactions as they will always fail. AVS should not beconsidered a primary means of verifying the validity of a transaction. Nearly 20% of the fraud can potentially be eliminated by scrubbing “Non-Matched” AVS match results.

CVV – Card Verification Value

How It Works

  • A service with many names – CVV2, CVC2, CID – but the premise is the same for all.
  • Provides a Match or Non-Match Result for the 3-digit or 4-digit number embossed on the back of the cardholder’s card. The CVV is NOT generally encoded on the magnetic stripe and therefore is less likely to be captured as part of a card skimming tactic.

Implementation

  • Available on any Internet merchant account and virtually any Payment Gateway.
  • Most gateways provide an CVV configuration area where you can specify whether you want to automatically “decline” (i.e. do notsettle) an authorization that has an CVV non-match or non-entry.

Benefits

  • Works for virtually ALL cardholder accounts – both U.S. and international.
  • There is no valid reason why a legitimate cardholder, in possession of the card, would not be able to enter a 100% matching numberfor this.
  • Merchants are not allowed to store CVV and as such the CVV # is less vulnerable than the data used for AVS.

Limitations

  • CVV data can only be used for a real-time transaction. CVV data can not be stored and therefore can not be utilized for Recurring Transactions.

Recommendation

  • CVV is a recommended service to utilize for ALL initial transactions processed. Based on our internal charge-back analysis, merchants can reduce their fraud ratesby as much as 70% by simply requiring a matching CVV result.

IP/GEO/BIN Scrubbing

How It Works

  • Compares the IP address of the customer purchasing with their stated geographic location (i.e. why is the customer from California ordering from Europe?)
  • Compares the BIN # (first 6 digits) of the credit card with the IP or stated geographic location of the customer (i.e. the customer isusing an US-issued credit card but they are from Europe?)
  • Based on the IP and BIN # and other customer-inputted data, a vast amount of information can be returned on the transaction.

Implementation

  • Custom direct integration into a service such as MaxMind.com
  • Use an existing integration that is part of a Shopping Cart such as X-Cart, LiteCommerce, osCommerce, ZenCart,ASPDotNetStorefront.
  • Use an existing integration that is part of a Billing System such as WHMCompleteSolution, ClientExec or Ubersmith.

•Use an existing integration that is part of a Payment Gateway such as the Quantum Payment Gateway.

Benefits

  • Fast, Cost Effective and Non-Intrusive
  • Provides merchants with an excellent “do the pieces fit consistently?” analysis.
  • Can block up to 89% of all fraud if properly implemented

Limitations

  • Generally not reliable for AOL users due to the way that AOL routes its traffic (AOL users require a merchant-specific approach)
  • Proxy database is always in a real-time process of being updated as new proxies open up.

Recommendation

  • IP/GEO/BIN fraud scores should be used in the order evaluation process more as a means of flagging transactions as “high risk” formore intensive scrubbing vs. being an outright decline.

Examples of what IP Geo-Location can tell you:

YELLOW ALERTS

  • Free E-mail Address: is the user ordering from a free e-mail address?
  • Customer Phone #: does the customer phone # match the user’s billing location? (Only for U.S.)
  • BIN Country Match: does the BIN # from the card match the country the user states they are in?
  • BIN Issuing Bank Name: does the user’s inputted name for the bank match the database for that BIN?
  • BIN Phone Match: does the customer service phone # given by the user match the database for that BIN?

RED ALERTS

  • Country Match: does the country that the user is ordering from match where they state they are ordering from?
  • High Risk Country: is the user ordering from one of the designated high risk countries?
  • Anonymous Proxy & Proxy Score: what is the likelihood that the user is utilizing an anonymous proxy?
  • Carder E-mail: is the user ordering from an e-mail address that has been used for fraudulent orders?
  • High Risk Username/Passwords: is the user utilizing a username or password used previously for fraud?
  • Ship Forwarding Address: is the user specifying a known drop shipping address

IP/GEO/BIN Scrubbing (Continued)

Open/Anonymous Proxies: an open proxy is often a compromised “zombie” computer running a proxy service that was installed by a computer virus or hacker. The computer is then used to commit credit card fraud or other illegal activity. In some circumstances, an open proxy may be a legitimate anonymizing service that is simply recycling its IP addresses. Detecting anonymous proxies is always an on going battle as new ones pop up and may remain undetected for some time.

26% of orders placed with from open proxies on the MaxMind min Fraud service ended up being fraudulent. Extra verification steps are strongly recommended for any transaction originating from anopen/anonymous proxy.

High-Risk Countries: these are countries that have a disproportionate amount of fraudulent orders, specificallyEgypt, Ghana, Indonesia, Lebanon, Macedonia, Morocco,Nigeria, Pakistan, Romania, Serbia and Montenegro, Ukraine and Vietnam. 32% of orders placed through the MaxMind min Fraud service from high-risk countries were fraudulent. Extra verification steps should be required for any transaction originating from a high risk country.

Country Mismatch: this takes place when the IP geolocation country of the customer does not match their billing country. 21% of orders placed with a country mismatch on the MaxMind m******* service ended up being fraudulent. Extra verification steps are recommended for any transaction with a country mismatch.

Results that speak for themselves:

ChangeIP – is a DNS and domain name registration provider. The company provides free and custom Dynamic DNS services to more than 50,000 users. Before implementing MaxMind, ChangeIP was losing as much as $1,000 per month because it sold instantly delivered digital goods and could not recover the losses if the purchase turned out to be fraudulent. After implementing MaxMind, losses were reduced by 90%.

MeccaHosting – is a Web hosting company based in Colorado. Since integrating MaxMind, Mecca Hosting has not received a single chargeback. On average, 12-15 fraudulent orders pass through the in-house checks each month but are flagged by MaxMind. Over the last 5 months, this has saved MeccaHosting atleast 60 chargebacks and $6,000 in unnecessary costs.

Red Fox UK – is a Web hosting provider and software development company based in the UK which offers solutions for smalland medium sized businesses all over the world. By using MaxMind, Red Fox UK was able to increase its revenue by 4% while reducing its chargebacks by 90%.

365 Inc. – is a digital media and e-tailer specializing in soccer & rugby with a large international customer base that processes over 10,000 transactions per month. By integrating MaxMind, chargebacks were reduced byover 96% from more than $10,000 per month to less than $500 per month. At this point, most charge backs are general order disputes as opposed to fraud.

Whew. A lot of editing. I’ll post the remainder in a bit.

 

08/28/12

Black Market in Tor Growing

gAtO been down sIcK so I had to slow down so I’ve been reading underground looking around and the .onion network is beginning to take shape as more users explore it. Let’s just say it’s growing. In the Black Market things are looking up per say, more newbies and more scams with money mules, shipping mules, bot’s rentals and creation and trade. Here are two different crime recruitment points one the physical/ one code / and they are taking advantage of the economics of the situation.

People are losing their homes and eviction is coming “well I can do this for these guys online and I can make a little money and pay a few bills buy some food”. Grooming these new cyber shipping mules is a full time job, but they select and groom some for more and more /—then hit’s them with money mules transactions and they’re hooked. Greed / Pay the rent/ Now these guy know that as the money mule get’s more and more orders right the amount will go up and when they will bail with the criminals money is anyones guess, but by this time they have funneled so much money or goods thru these mules that they are throw away at the end of the life cycle of use. You also have the new code warriors watching and trading in botware working in Tor. Why because it works -/ and other have seen the .onion network as a new area were if they keep quite nobody can find them. If you keep quite nobody will know what your doing and that’s why Tor is working for the bad guys – Why can’t it work for the good guy’s when are we going to start using the best technology for the best job and leave all this other politics alone.

Cyber crime is working in the .onion but when will the law catch up, never I guess 2 many lost opportunities when they treat everyone like shit, just like the ugNazi CC bust- do they have a clue how many other CC sites are out there working in Tor and/or the surface web… . Silk road is all the rage while Black Market Reload sells explosives and drugs but come on the school boys in Cornell and other places are putting their finger into Tor to defeat Tor-attack the Tor Network Yeah – Yeah- “What If- What If -does not work in Tor students”, as they go for Silk Road the hundred of other places were real commercial cyber crooks get away with everything they can is working hard for the money boy’s and girls…. One service takes stolen credit cards to buy goods and directly ship products to the Ebay customer who purchase it and they pay them clean money while their new iPad was purchased with a stolen CC. It’s just these newbies in Tor think they are hip and cool in the surface but in the Tor network the good old boy’s that were there in the beginning are watching with a grim silly smile, knowing but not telling… gATO oUT 

07/25/12

Profiling a Corporation -metadata attack vector

gAtO sEe - that in todays world getting a corporate profile for an attack plan has become easy thanks due to their own fault. This leads down the road to ruin corporate reputation, stolen IP-Intellectual property, competitive advantage and loss of data. Of course for social activist, criminals, competitor and national governments who use the technology against them to make available unhidden access to your networks. How? 

Metadata Information leaks by the corporation and their employees. According to retrieve information and the metadata in company documents 71% of Forbes 2000 companies may be using vulnerable and out of date version of Microsoft Office and Adobe software that allows hackers to Identify —>

Usernames – emails addresses network details and vulnerable software versions to implement a Advance Persistant Threat (APT).

Metadata in documents that your company distributes constitute information leaks and it can provide all kinds of information to any attacker. The high tech sector publishes more documents across websites than any other industry. Something else your employee on LinkedIn give all kinds of information about your company and your plans, even employment adds can help a potential hacker know what you are doing and maybe design the APT geared towards that subject.

Remember todays cyber attacker have support from lot’s of eye’s and ears, like hacktivist they have many people that can scan your website and look for information that can help the attack. You have 3 different attack vectors to worry about today:

  • IP based attacks
  • Web-Software attacks
  • Information Attacks

Corporate American take care of your metadata or it will bite you hard -gAtO oUt