Evil Fingers - The Blog

State of the art in CRiMEPACK Exploit Pack

Jorge Mieres — Thu, 27 May 2010 14:04:22 +0000

CRiMEPACK exploit pack is a widespread and accepted in the crime scene in this area came under the slogan “Highest Lowest rates for the price“.

He is currently In-the-Wild 3.0 version is being developed as alpha (the first of this version). That’s, is in the middle stage of evaluation, perhaps in the next few days will go on sale in underground forums, at which time it will know your actual cost.

Like any pack exploit, it also consists of a set of pre-compiled exploits to take advantage of a number of vulnerabilities in systems with weaknesses in some of its applications, then download and run (Drive-by-Download & Execute) codes malicious and convert that system into a zombie, and therefore part of the apparatus crime.

And I mean … “criminal” because those behind the development of this type of crimeware do for this purpose. And judging by the pictures (a washcloth, a handgun, a wallet, money and what appears to be cocaine, own scenario of all mafia) observed in the authentication interface your control panel, this definition is very evident.

The first time I found this package was in 2009, when version In-the-Wild was version 2.1 and later expressed his “great leap” to one of the most popular: version 2.8 (still active) which in early 2010 had incorporated into its portfolio of exploits CVE-2010-0188 y CVE-2010-0806; in addition to adding an iframe generator and function “Kaspersky Anti-emulation“, at a cost of USD 400.

In this first stage of the evaluation version 3, CRiMEPACK incorporates a total of 14 exploits, which are:

name=”mdac”

desc=”IE6 COM CreateObject Code Execution” CVE-2006-0003

name=”msiemc”

desc=”IE7 Uninitialized Memory Corruption” CVE-2010-0806

name=”java”

desc=”JRE getSoundBank Stack BOF” CVE-2009-3867

name=”iepeers”

desc=”IEPeers Remote Code Execution” CVE-2010-0806

name=”pdfexpl”

desc=”PDF Exploits [collectEmailInfo (CVE-2007-5659), getIcon (CVE-2009-0927), util.printf (CVE-2008-2992)]”

name=”opera”

desc=”Opera TN3270″ CVE-2009-3269

name=”aol”

desc=”AOL Radio AmpX Buffer Overflow” CVE-2007-5755

name=”iexml”

desc=”Internet Explorer 7 XML Exploit” CVE-2008-4844

name=”firefoxdiffer”

desc=”Firefox 3.5/1.4/1.5 exploits” CVE-2009-355

name=”libtiff”

desc=”Adobe Acrobat LibTIFF Integer Overflow” CVE-2010-0188

name=”spreadsheet”

desc=”OWC Spreadsheet Memory Corruption” CVE-2009-1136

name=”activexbundle”

desc=”Bundle of ActiveX exploits” CVE-2008-2463

For all the exploits incorporates a feature that can be enabled or disabled from the control panel called “Aggressive Mode“, which is a JAVA Applet that emerge through a pop-up window asking the victim whether to accept potential the applet. If so, reload the payload (the malware).

Furthermore, within the constantly evolving experience this type of crimeware, incorporates self-defensive measures such as avoiding desofuscación scripts and techniques anti Wepawet and Jsunpack.

In addition to automatically check if the domain used is listed in the services:

Norton SafeWeb
My WebOfTrust
Malc0de
Google Safe Browsing
MDL
McAfee SiteAdvisor
HpHosts
MalwareURL

Brian Kreb few days ago on his blog an article about the implication that this package was in the process of propagation and exploitation of a vulnerability, so far, the type 0-Day through JAVA, and certainly was exploited vulnerability through a class.

However, it was also associated with another exploit pack called SEO Sploit Pack and although it is not the same once more evidence is in complete business processes representing crimeware has a very high demand, offering low-applications costs within a competitive business model … and increasingly aggressive!

MalwareIntelligence

BlackHat SEO Campaign for the thirtieth anniversary of PAC-MAN

Jorge Mieres — Mon, 24 May 2010 21:01:59 +0000

Recently, the legendary video game PAC-MAN has completed 30 years of existence and Google has launched a campaign in his honor by placing a banner that allows even play.

However, Google not only benefits from this but also cyber-criminals, who saw in this campaign a new opportunity to attack and have launched another campaign, but the spread of malware through BlackHat SEO (also called SEO Poisoning).

Some other search parameters may include:

pac man 30th anniversary game
pac man 30th anniversary games
pac man 30th anniversary google
pac man 30th anniversary high score
pac man 30th anniversary play
pacman free online 3d
pacman free online addicting games
pacman free online download
pacman free online game for kids
pacman free online game
pacman free online no sound
pacman free online play
pacman free online with no sound
pacman game download
pacman game flash
pacman game for kids
pacman game for wii
pacman game free download
pacman game full screen

Traffic redirected to the download of scareware. In this case, a binary md5 4c9ac21a2730a5e6d8c8018afb517d5e which has a very low detection rate: 6/41 (14.63%).

Among the domains that involves the campaign are:

accu-riteaccounting.com
africanbynature.com
allisonleach.com
bobsclamhut.com
carolfleming.org
carolinasystemsinc.com
d3-store.com
delta-electronic.com
diningbythesea.com
drakeleisure.co.nz
fastripsnackatak.com
fbgartschool.com
gas-consult.com
generationbass.com
gjsdesigns.com
goedkopepc.net
hkiarchitects.com
houndshaveninc.com
hst1066.com
itech-on.pt
jaszmetal.hu
larsonguitar.com
nsc.eypgreece.org
okidouki.com
olivermurr.com
oneaccordclass.org
partrade.net
redhanded.ca
red-partner.com
regionalportauthorityofnwo.org
reillocile.com
reillychiro.com
reynared.com
roseguggenheimer.com
ruders.com
rufiocreative.com
runawaysnail.com
ryangruhn.com
ryanroghaar.com
sacredhaven.com
saevar.com
scxdigitalslots.com
seastromlaw.com
shop.infytel.com
sor-d2.com
s-teamexpert.com
tcgpage.com
tuneoutdropin.com
turtlesplayground.com
william-heise.com

To achieve massify the campaign and get a good PageRank in Google, criminals violated a server hosted on a list of web pages with the titles which make up words that are the subject of regular search. These files are located in a hidden folder, often called the “.files“

Under this scenario, taking into account that these strategies are widely used for the propagation of malware, a good practice is to verify at the root of posting the existence of hidden folders.

MalwareIntelligence

Announcement: New Media Partner – CONFidence

BigBrother — Sun, 25 Apr 2010 23:06:33 +0000

We are happy to announce our partnership with CONFidence, one of the leading conferences in the InfoSec community. They are conducting their 7th Conference next month. Check it out at: http://2010.confidence.org.pl/

We encourage all our users to attend CONFidence, and if you do please do contact us to receive 10% discount on the conference registration.

Read more about our Media partnership with CONFidence at https://www.evilfingers.com/about/Publicity.php

Thank you for supporting InfoSec Community!

SPAM looks so real

BigBrother — Wed, 17 Mar 2010 15:44:01 +0000

Just received an email for Wordpress blog of a comment to our Botnet Analytics Blog post, that looks so real:

To: contact.fingers@gmail.com
Subject: [Botnet Analytics Blog] Please moderate: “Commercializing Botnets”
X-PHP-Script: botnet.kaffenews.com/wp-comments-post.php for xxxxxxx
Date: Wed, 17 Mar 2010 10:01:00 -0400
From: xxxxxx
Message-ID: <62e98c7537ee322c81e19df5ca2d12bd@botnet.kaffenews.com>
X-Priority: 3
X-Mailer: xxxxxx (xxxxxxxxxxxxxxxxx) [version xxxxx]
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
Content-Type: text/plain; charset=”UTF-8″
X-AntiAbuse: This header was added to track abuse, please include it with any abuse report
X-AntiAbuse: Primary Hostname – xxxxxxx.hostgator.com
X-AntiAbuse: Original Domain – gmail.com
X-AntiAbuse: Originator/Caller UID/GID – [597 597] / [47 12]
X-AntiAbuse: Sender Address Domain – xxxxxx.hostgator.com

A new comment on the post #218 “Commercializing Botnets” is waiting for your approval

http://botnet.kaffenews.com/?p=218

Author : herbal ecstacy (IP: 173.234.19.194 , 173.234.19.194.rdns.ubiquityservers.com)
E-mail : Raulnab@gmail.com
URL : http://bit.ly/herbalecstacy
Whois : http://ws.arin.net/cgi-bin/whois.pl?queryinput=173.234.19.194
Comment:
Hi all, i just found this here after an good google search. Neat blog you got here! Keep it up!

Approve it: http://botnet.kaffenews.com/wp-admin/comment.php?action=approve&c=57
Trash it: http://botnet.kaffenews.com/wp-admin/comment.php?action=trash&c=57
Spam it: http://botnet.kaffenews.com/wp-admin/comment.php?action=spam&c=57
Currently 1 comment is waiting for approval. Please visit the moderation panel:

http://botnet.kaffenews.com/wp-admin/edit-comments.php?comment_status=moderated

In here, the thing that looks real according to us is the comment: “Hi all, i just found this here after an good google search. Neat blog you got here! Keep it up!”.

The other details in the comment indicated that this is a SPAM comment:

Author : herbal ecstacy (IP: 173.234.19.194 , 173.234.19.194.rdns.ubiquityservers.com) —> Ubiquity Servers[Dedicated hosts] are damn cheap compared to other dedicated server accounts [am not comparing with Cloud services], and hence we have been seeing the increase in Botnets & SPAM accounts from there more often. It is not completely true, as in we cannot determine something like that based on hosting provider, although your antennas would turn on[sense of suspicion] and you would start looking for more info.

IP queries on the above IP[173.234.19.194]:

Block Lists …

asiaspam.spamblocked.com: Listed!

bl.deadbeef.com: Not Listed!

bl.emailbasura.org: Not Listed!

bl.spamcop.net: Not Listed!

blackholes.five-ten-sg.com: Not Listed!

blacklist.woody.ch: Not Listed!

bogons.cymru.com: Not Listed!

cbl.abuseat.org: Not Listed!

cdl.anti-spam.org.cn: Not Listed!

combined.abuse.ch: Not Listed!

combined.rbl.msrbl.net: Not Listed!

db.wpbl.info: Not Listed!

dnsbl-1.uceprotect.net: Not Listed!

dnsbl-2.uceprotect.net: Not Listed!

dnsbl-3.uceprotect.net: Not Listed!

dnsbl.abuse.ch: Not Listed!

dnsbl.ahbl.org: Not Listed!

dnsbl.cyberlogic.net: Not Listed!

dnsbl.inps.de: Not Listed!

dnsbl.njabl.org: Not Listed!

dnsbl.sorbs.net: Not Listed!

drone.abuse.ch: Not Listed!

duinv.aupads.org: Not Listed!

dul.dnsbl.sorbs.net: Not Listed!

dul.ru: Not Listed!

dyna.spamrats.com: Not Listed!

dynip.rothen.com: Not Listed!

eurospam.spamblocked.com: Listed!

fl.chickenboner.biz: Not Listed!

http.dnsbl.sorbs.net: Not Listed!

images.rbl.msrbl.net: Not Listed!

ips.backscatterer.org: Not Listed!

isps.spamblocked.com: Listed!

ix.dnsbl.manitu.net: Not Listed!

korea.services.net: Not Listed!

lacnic.spamblocked.com: Listed!

misc.dnsbl.sorbs.net: Not Listed!

noptr.spamrats.com: Not Listed!

ohps.dnsbl.net.au: Not Listed!

omrs.dnsbl.net.au: Not Listed!

orvedb.aupads.org: Not Listed!

osps.dnsbl.net.au: Not Listed!

osrs.dnsbl.net.au: Not Listed!

owfs.dnsbl.net.au: Not Listed!

owps.dnsbl.net.au: Not Listed!

pbl.spamhaus.org: Not Listed!

phishing.rbl.msrbl.net: Not Listed!

probes.dnsbl.net.au: Not Listed!

proxy.bl.gweep.ca: Not Listed!

proxy.block.transip.nl: Not Listed!

psbl.surriel.com: Not Listed!

rbl.interserver.net: Not Listed!

rdts.dnsbl.net.au: Not Listed!

relays.bl.gweep.ca: Not Listed!

relays.bl.kundenserver.de: Not Listed!

relays.nether.net: Not Listed!

residential.block.transip.nl: Not Listed!

ricn.dnsbl.net.au: Not Listed!

rmst.dnsbl.net.au: Not Listed!

sbl.spamhaus.org: Not Listed!

short.rbl.jp: Not Listed!

smtp.dnsbl.sorbs.net: Not Listed!

socks.dnsbl.sorbs.net: Not Listed!

spam.dnsbl.sorbs.net: Not Listed!

spam.rbl.msrbl.net: Not Listed!

spam.spamrats.com: Not Listed!

spamlist.or.kr: Not Listed!

spamrbl.imp.ch: Not Listed!

t3direct.dnsbl.net.au: Not Listed!

tor.ahbl.org: Not Listed!

tor.dnsbl.sectoor.de: Not Listed!

torserver.tor.dnsbl.sectoor.de: Not Listed!

ubl.lashback.com: Not Listed!

ubl.unsubscore.com: Not Listed!

virbl.bit.nl: Not Listed!

virus.rbl.jp: Not Listed!

virus.rbl.msrbl.net: Not Listed!

web.dnsbl.sorbs.net: Not Listed!

wormrbl.imp.ch: Not Listed!

xbl.spamhaus.org: Not Listed!

zen.spamhaus.org: Not Listed!

Reverse DNS/Canonical name Info …

Host IP : 173.234.19.194
Canonical Name : 173.234.19.194.rdns.ubiquityservers.com

Whois Info ... 

GeekTools Whois Proxy v5.0.4 Ready.
Checking access for 74.220.215.117... ok.
Final results obtained from whois.arin.net.
Results:
Nobis Technology Group, LLC NETBLK-NOBIS-TECHNOLOGY-GROUP-08 (NET-173-234-0-0-1)
                                  173.234.0.0 - 173.234.255.255
Ubiquity Server Solutions Dallas NETBLK-UBIQUITY-DALLAS-173-234-16-0 (NET-173-234-16-0-1)
                                  173.234.16.0 - 173.234.19.255

# ARIN WHOIS database, last updated 2010-03-16 20:00
# Enter ? for additional hints on searching ARIN's WHOIS database.
#
# ARIN WHOIS data and services are subject to the Terms of Use
# available at https://www.arin.net/whois_tou.html

Results brought to you by the GeekTools WHOIS Proxy
Server results may be copyrighted and are used with permission.
Your host (74.220.215.117) has visited 1 times today.

Though few of the above listed RBL’s listed that it was LISTED in them, Senderbase.org did not have any records of it since the following block lists that are used by many websites because of their true positive nature has not LISTED the SPAMMING IP/site “yet”:

AbuseAT CBL........................: Not Listed!

AHBL DNSBL.........................: Not Listed!

China Anti-Spam Alliance CBL.......: Not Listed!

China Anti-Spam Alliance CBLLESS...: Not Listed!

China Anti-Spam Alliance CBLPLUS...: Not Listed!

EFNet RBL..........................: Not Listed!

Manitu DNSBL.......................: Not Listed!

NJABL DNSBL........................: Not Listed!

Sorbs web..........................: Not Listed!

Sorbs DNSBL........................: Not Listed!

Spamcop BL.........................: Not Listed!

SURBL Multi........................: Not Listed!

Surriel PSBL.......................: Not Listed!

UCEPROTECT DNSBL Level 1...........: Not Listed!

UCEPROTECT DNSBL Level 2...........: Not Listed!

UCEPROTECT DNSBL Level 3...........: Not Listed!

UCEPROTECT DNSBL BackScatterer.....: Not Listed!

URIBL Multi........................: Not Listed!

WPBL DNSBL.........................: Not Listed!

E-mail : Raulnab@gmail.com —> Did not find any records for this email.
URL : http://bit.ly/herbalecstacy —> This takes you to http://www.herbal-ecstacy.com/. Watch out for such TINY URL’s. Bit.ly & TinyURL does a great job of shrinking URL’s although this remains a threat to home users who click on URL’s without knowing where they are really taken to. JSunpack results can be viewed at:

http://jsunpack.jeek.org/dec/go?report=413fe49475b141fba1ed79768a64bd3b375385bf

In the above report, the following are listed suspicious:

suspicious: MSIEUseAfterFree CVE-2010-0249 detected
www.herbal-ecstacy.com/js/prototype.js suspicious
[suspicious:5] (script) www.herbal-ecstacy.com/js/prototype.js
suspicious: MSIEUseAfterFree CVE-2010-0249 detected
info: ActiveXDataObjectsMDAC detected Microsoft.XMLHTTP
info: ObfuscationPattern detected location eval String.fromCharCode
info: [script http] :
info: [decodingLevel=0] found JavaScript
info: [decodingLevel=0] decoded 542 bytes (decoding_467bcc4d36c9ddf09f15dac1e9e767806b4e4d66)
info: [decodingLevel=1] found JavaScript
info: [file] saved www.herbal-ecstacy.com/js/prototype.js to (original_1703adc185bd3af6e8dec62e343907805fdf342f)

www.herbal-ecstacy.com/ suspicious
[nothing detected] www.herbal-ecstacy.com/
info: [script .] www.herbal-ecstacy.com/products.js
info: [script .] www.herbal-ecstacy.com/js/prototype.js
info: [script .] www.herbal-ecstacy.com/js/scriptaculous.js?load=effects,builder
info: [script .] www.herbal-ecstacy.com/js/lightbox.js
info: [img http] www.herbal-ecstacy.com/images/help.jpg
info: [img .] www.herbal-ecstacy.com/images/hyperdrive-herbal-ecstacy.jpg
info: [img .] www.herbal-ecstacy.com/images/neuro-herbal-ecstacy.jpg
info: [img .] www.herbal-ecstacy.com/images/slowdown-herbal-ecstacy.jpg
info: [img .] www.herbal-ecstacy.com/images/sextreme-herbal-extacy.jpg
info: [img http] www.herbal-ecstacy.com/images/creditcard.jpg
info: [img http] cashburners.com/click.php?id=secureserver&group=3&referer=http://www.google.com/trends/hottrends
info: [decodingLevel=0] found JavaScript

Whois : http://ws.arin.net/cgi-bin/whois.pl?queryinput=173.234.19.194 —> If you would like to view the Whois info.

This shows that SPAMMERs are taking steps to ensure that they look legit and hide among the “NORMAL” category of responses, although the Security Analysts out there aren’t going to give up either. Hope this helps. Thank you for choosing EvilFingers!

IRS Scam Campaign on proposal by Zeus

Jorge Mieres — Sat, 20 Feb 2010 19:44:29 +0000

In the last hours has launched a new campaign as an excuse ZeuS a scam using the IRS (Internal Revenue Service) by which propagates its trojan.

ZeuS trojan variant in this case has the MD5 14FBCE4A3F67E46B18308AC6824B2A00 under the name tax-statement.exe, whose detection rate is high.

In addition, the person entering this page, in a transparent manner will be routed through an iframe tag injected into the HTML source code, to an attack type Drive-by-Infection from hxxp://109.95.114.251/usa50/in.php.

The domains involved in this new campaign are:

Jorge Mieres

Source: Malware Intelligence

=====================
Jorge Mieres
Malware Intelligence

Apologies for any inconvenience

BigBrother — Mon, 15 Feb 2010 02:58:41 +0000

Just noticed that there were duplicate posts of every single post that has been imported from our blogspot account. I have removed the duplocates now. Also, noticed that the old images were removed before we transferred the account from the old to new. This will not happen again. Thank you for your patience and sorry for any inconvenience.

Thank you for choosing EvilFingers!

SpyEye Bot. Analysis of a new alternative scenario crimeware

Jorge Mieres — Thu, 11 Feb 2010 14:49:41 +0000

Earlier this year saw the light in the underground black market that moves the axes of crimeware, a new application designed to provide feedback for criminal and fraudulent business.

This application, called SpyEye, is aimed at facilitating the recruitment of zombies and managing your network (C&C – Command and Control) through management panel via the web, from which it is possible to process the information obtained (intelligence) and stored in statistics, a common activity of criminal packages today.

Depending on their characteristics, very similar to those proposed by his counterpart ZeuS, SpyEye is presented as a potential successor to this within the scenario crimeware. Furthermore, it is evident that the criminal activities now represent a large business where cyber criminals and would-be cyber criminals abuse their “kindness”.

This document describes the activities of SpyEye from the stage of infection giving relevant information about their purpose.

The full document can be downloaded from:

Spanish version
English version

Jorge Mieres
Malware Intelligence

New personal blog

Jorge Mieres — Thu, 11 Feb 2010 14:46:48 +0000

Jorge Mieres Blog

Research on security, crimeware, botnets, intelligence and criminal activity involving any programs and/or harmful actions.

http://jorgemieresblog.blogspot.com

Jorge Mieres
Malware Intelligence

Automation in creating exploits II

Jorge Mieres — Thu, 11 Feb 2010 14:32:40 +0000

The exploitation of vulnerability now represents one of the highest infection strategies used in the stage of crimeware and exploits while allowing exploit weaknesses aren’t a new concept, the fact is that more and more notorious actions.

In fact now continue to be exploited, especially through exploits pack, a large number of vulnerabilities that many have been settled more than two years ago.

However, when these vulnerabilities are of type 0-Day, the problem is power. Cases such as “Operation Aurora” which has recently been bandied about by exploiting a vulnerability in the type 0-Day Internet Explorer 6. Yes, you read that right … Internet Explorer 6 and currently is being used to spread malware mass but only through version 6, but also on the 7 and 8.

The vulnerability is identified as CVE-2010-0249, and as was the case with the vulnerability exploited by the worm conficker (MS08-067) where automated creation, has recently met a builder that automates the creation of the exploit for Internet Explorer in an extremely simple question that is common in such applications.

This application is Chinese and only lets you configure the web address from where you try to exploit the weakness in the browser. Then generates a file called IE.html containing the exploit code and the url used for the attack, which is obfuscated.

As condiments relevant subject, the exploit generated (embedded in the html) is detected by less than 40% of companies reporting according to antivirus virutotal. While the builder is detected, by far, at least 25%.

On the other hand, exploits automation generates a gap, revealing that many operations “disguised” as part of campaign of distraction after simple attacks, are closely related to intelligence affairs.

Jorge Mieres
Malware Intelligence

Justifying the unjustifiable in a world criminal

Jorge Mieres — Mon, 25 Jan 2010 16:56:36 +0000

As many readers know, since we have been researching Malware Intelligence direct implications of all this new generation of malicious code and criminal activity that daily feed back the business of crimeware.

Under this premise, the researchers focused their efforts on trying to reveal the different branches that are entangled with each other in a tangle of illegal actions aimed mainly to get money from users through unethical techniques. And according to this … there are still doubts that we are facing a big business that profit through illegal activities that rub? (obviously, always according to the laws of each country). I think the unanimous answer is NO.

Saved this assessment after exposing both content around the state of the art of crimeware, including relevant data yet unexposed to not hamper the continuity of investigations, and has become a common aspect receive messages and comments, most aggressive, those responsible for the development or commercialization of certain applications crimeware.

Under this scenario, and although I’m not giving explanations on the research we perform, this time an exception will expose two of the last comments we have received from those who are part of the business of crimeware.

Especially because in some way reflect the philosophy (of life and mental) who operate from the underground, but lately things are changing.

The first case is an anonymous, non-aggressive that I personally must confess that … very nice:) left by one of the Partners, which markets the crimeware YES Exploit System. The comment was made in the article that talks about this exploit pack, and which also find my answer. The comment is as follows:

YES, We are the blackhats
Thanks for small review, but why do ppl think that blackhats are poor guyz?
It’s just a business, no less, no more Do you wanna buy our excellent product? – there is discounts for you

As they say my “friends” to them is “just a business, neither more nor less.” However, let us agree that, besides not being a conventional business, represents a business model that directly and actively collaborates with criminal activities, which isn’t so funny.

Now, YES Exploit System is a crimeware development that has much in your code and whose market value is USD 800. And the one thing is funny (as last sentence of the comet) is knowing that I will not get any discount on crimeware

The second case I want to present is a bit more aggressive in terms of what was written in the report on the Russian service to test the detection of malware, it can read the comment and my response, which does not transcribe here because of its length. The message reads:

“In summary, further evidence that not only the exploitation of malware generates profits but also moves parallel money on services to
this industry. And in some cases like the present one, have to see if you can consider this service as a criminal act or not.”

Wow and why would this service be criminal act?

It’s clear to me that someone has a year work in a software like this scanner and he want to make money with it.
If you don’t like it don’t use it. Noone forces you to pay for it or submit files there but since I see you are a little wanker
blogger who does not respect others work I giving it to you straight.

You have no inside experience in the antivirus industry whatsoever otherwise you would know that VirusTotal distributes 200K files/day
to antivirus companies for FREE. AV companies are shit on online scanners, they wouldn’t even contact you if you would ask them about file
distribution and they definately wouldn’t support an online scanner so what else can these services do to remain online?

Before you criticizing others work put something down on the table little frustrated shit…”

Regardless of the aggressive connotation that presents this second point, it’s interesting who comes. Someone who uses the word as a nickname “KLESK” and host of an “attempt by business” completely unlawful, in which page one of the first things we read is “Selling corporate data, trade secrets“.

“We sell corporate data and trade secrets“, continues the propaganda. Clarify further what type of information supposedly “steal” companies, and topped with something very interesting:

“Please losers/asszors stay away, all the data bids start on 5 figures” :: Without words…

In order, particularly the latter case represents a good opportunity to analyze the psychology of a prospectus to cyber-criminal whose attempt to “negotiate” not only leaves much to be desired but can not even be rated as a possibility to be considered as an object research.

Jorge Mieres
Malware Intelligence