Botnet, DDoS, Security, Uncategorised

Mirai IoT botnet up close

Since the release of the Mirai source code and the recent DDoS attacks on Dyn, the telnet cyberspace has exploded with scanners and DDoSers.

This is what a telnet session from an infected Mirai host looks like:

Notice how it grabs the malware from this url? hxxp://

Here is the information on the binary caught:

SHA256: e8289b100ebbac7243895bdbe3cc57cd36e1c5e2ac055d275a5a082f4aca4e79
File name: mirai.x86_578f88f69e5b53cb726d17d530284551

Once the loader has dropped the binary and run it, the malware then begins to randomly scan the IPv4 space for open and insecure telnet services. (Obviously I am skipping out a lot of steps here.)
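The flip side of that scanning, from the point of view of someone watching a firewall: one source sweeping many addresses on the telnet ports in a short window stands out from a single legitimate connection. The script below is an added example and not code from the post or from the Mirai source; the iptables-style log lines, the addresses and the `gw` hostname are constructed, and the `min_targets` threshold is an assumption you would tune to your own network.

```python
import re
from collections import defaultdict

# Constructed iptables-style firewall log lines (not taken from the post).
# 203.0.113.0/24 plays the monitored network; 198.51.100.7 is the scanning host.
SAMPLE_LOG = """\
Oct 24 10:01:02 gw kernel: IN=eth0 OUT= SRC=198.51.100.7 DST=203.0.113.5 PROTO=TCP SPT=40123 DPT=23 SYN
Oct 24 10:01:02 gw kernel: IN=eth0 OUT= SRC=198.51.100.7 DST=203.0.113.9 PROTO=TCP SPT=40124 DPT=2323 SYN
Oct 24 10:01:03 gw kernel: IN=eth0 OUT= SRC=198.51.100.7 DST=203.0.113.17 PROTO=TCP SPT=40125 DPT=23 SYN
Oct 24 10:01:03 gw kernel: IN=eth0 OUT= SRC=198.51.100.7 DST=203.0.113.44 PROTO=TCP SPT=40126 DPT=23 SYN
Oct 24 10:01:05 gw kernel: IN=eth0 OUT= SRC=192.0.2.20 DST=203.0.113.5 PROTO=TCP SPT=51000 DPT=22 SYN
Oct 24 10:01:06 gw kernel: IN=eth0 OUT= SRC=192.0.2.21 DST=203.0.113.5 PROTO=TCP SPT=51001 DPT=23 SYN
"""

# Mirai's scanner goes after telnet on 23 and 2323.
TELNET_PORTS = {23, 2323}

LINE_RE = re.compile(
    r"SRC=(?P<src>\S+) DST=(?P<dst>\S+) PROTO=TCP SPT=\d+ DPT=(?P<dpt>\d+)(?P<flags>.*)"
)


def parse_telnet_syns(log_text):
    """Yield (source, destination) for every inbound TCP SYN aimed at a telnet port."""
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m or int(m.group("dpt")) not in TELNET_PORTS:
            continue
        if "SYN" not in m.group("flags"):
            continue
        yield m.group("src"), m.group("dst")


def find_telnet_scanners(log_text, min_targets=3):
    """Return {source_ip: distinct_targets} for sources that probed at least
    min_targets different hosts on a telnet port. One source touching many
    addresses is the sweep described above; a single connection is not."""
    targets = defaultdict(set)
    for src, dst in parse_telnet_syns(log_text):
        targets[src].add(dst)
    return {src: len(dsts) for src, dsts in targets.items() if len(dsts) >= min_targets}


if __name__ == "__main__":
    for src, n in find_telnet_scanners(SAMPLE_LOG).items():
        print(f"{src} probed {n} hosts on telnet ports")
```

Only 198.51.100.7 is reported for the sample: it touched four hosts, while the SSH probe on port 22 is ignored and the single telnet connection from 192.0.2.21 stays under the threshold.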

You can see that happening in this code snippet:


Also make sure to check out SpoofIT’s writeup on Mirai here:  and


Uncategorised

referrer spam and botnet infections

The other day I was notified by one of my clients that they were receiving a lot of random hits to their server. The odd thing about these hits was that the referrer was the same throughout.

I noticed 2 different referrer URLs which, to be honest, I kinda assumed were the same bad actor (I replaced http with hxxp so they don’t get any traffic haha):



Here are some of the IPs which hit the server with the corresponding user-agents:

I won’t go too far into describing what is and what they are doing that is bad, as there are plenty of other articles describing this anyway:

But basically they are an SEO company that offers help with getting your website indexed better in search engines, by abusing HTTP referrers and tricking Google into thinking your site is more popular than it is. (Which can have a negative effect on SEO and analytics, BTW.)

To generate the traffic, this company abuses common software like YouTube downloaders and music players to trick innocent people into installing it without realizing they are going to be a part of a botnet. Unfortunately it says in the terms and conditions exactly what these bits of software do, but who the fuck reads that shit anyway, huh?!
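The pattern is easy to pick out of an access log once you know what to look for: one referrer host, many distinct client addresses (the infected machines), and every hit landing on “/” rather than on the pages a real link would point at. The script below is an added example, not the client’s logs or code from the post; the Apache combined-format lines, the addresses and the referrer hosts seo-spam.example and news.example are constructed, and the `min_ips` threshold is an assumption. The last function turns the result into an Apache 2.4 config fragment that refuses those referrers.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed Apache combined-format log lines (not the client's real logs).
# seo-spam.example stands in for the referrer spammer; news.example for a genuine referrer.
SAMPLE_LOG = """\
203.0.113.1 - - [24/Oct/2016:10:00:01 +0000] "GET / HTTP/1.1" 200 5120 "http://seo-spam.example/" "Mozilla/5.0 (Windows NT 6.1) Gecko/20100101 Firefox/40.0"
203.0.113.2 - - [24/Oct/2016:10:00:04 +0000] "GET / HTTP/1.1" 200 5120 "http://seo-spam.example/" "Mozilla/5.0 (Windows NT 6.3) Chrome/45.0.2454.85"
198.51.100.7 - - [24/Oct/2016:10:00:09 +0000] "GET / HTTP/1.1" 200 5120 "http://seo-spam.example/page" "Mozilla/5.0 (Windows NT 6.1) Gecko/20100101 Firefox/40.0"
198.51.100.9 - - [24/Oct/2016:10:00:15 +0000] "GET / HTTP/1.1" 200 5120 "http://seo-spam.example/" "Opera/9.80 (Windows NT 5.1) Presto/2.12.388"
192.0.2.10 - - [24/Oct/2016:10:01:00 +0000] "GET /blog/post-1 HTTP/1.1" 200 8192 "http://news.example/story" "Mozilla/5.0 (Macintosh) Safari/601.1"
192.0.2.11 - - [24/Oct/2016:10:01:30 +0000] "GET / HTTP/1.1" 200 5120 "http://news.example/story" "Mozilla/5.0 (X11; Linux) Firefox/41.0"
192.0.2.12 - - [24/Oct/2016:10:02:00 +0000] "GET /about HTTP/1.1" 200 2048 "http://news.example/story" "Mozilla/5.0 (X11; Linux) Firefox/41.0"
192.0.2.13 - - [24/Oct/2016:10:02:30 +0000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (X11; Linux) Firefox/41.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referrer>[^"]*)" "(?P<ua>[^"]*)"$'
)


def parse_combined_log(log_text):
    """Yield one dict per well-formed combined-format line."""
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m:
            yield m.groupdict()


def find_referrer_spam(log_text, min_ips=3):
    """Return {referrer_host: stats} for referrer hosts showing the spam pattern:
    hits from at least min_ips distinct addresses, every one of them to "/" only.
    Real referrals from a page that links to you land on varied paths."""
    by_host = defaultdict(lambda: {"ips": set(), "uas": set(), "paths": set()})
    for hit in parse_combined_log(log_text):
        host = urlsplit(hit["referrer"]).hostname  # "-" (no referrer) gives None
        if not host:
            continue
        by_host[host]["ips"].add(hit["ip"])
        by_host[host]["uas"].add(hit["ua"])
        by_host[host]["paths"].add(hit["path"])
    flagged = {}
    for host, s in by_host.items():
        if len(s["ips"]) >= min_ips and s["paths"] == {"/"}:
            flagged[host] = {"ips": len(s["ips"]), "user_agents": len(s["uas"])}
    return flagged


def apache_block_rules(hosts):
    """Build a SetEnvIfNoCase + RequireAll fragment (Apache 2.4) that refuses the flagged referrers."""
    lines = [f'SetEnvIfNoCase Referer "{re.escape(h)}" spam_ref' for h in sorted(hosts)]
    lines += ["<RequireAll>", "    Require all granted", "    Require not env spam_ref", "</RequireAll>"]
    return "\n".join(lines)


if __name__ == "__main__":
    spam = find_referrer_spam(SAMPLE_LOG)
    print(spam)
    print(apache_block_rules(spam))
```

For the sample, seo-spam.example is flagged (four addresses, three different user-agents, nothing but “/”), while news.example sends three visitors to three different pages and is left alone. Blocking by referrer only keeps the noise out of your logs and analytics; the infected clients keep running whatever software put them in the botnet.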

OK, let’s have a look to see what they are hosting (on the same server or a similar IP):

And here are some URLs that VirusTotal picked up as suspicious or malicious:

Now if that is not suspicious I do not know what is.

More to follow.





My never ending battle with a Russian-Canadian scam pharmacy

I hate scammers, especially if they are to do with people’s health, just like in this case with the fake Canadian pharmacy. This is a very old and famous scam; I remember reading at one point that a botnet was sending out millions of spam emails a day to generate traffic to their websites. This could have a huge impact on vulnerable people who order medication for health reasons, and for druggos too I suppose. I do not know whether you get the products at all, and I do not know whether the products are legit.

Continue reading “My never ending battle with a Russian-Canadian scam pharmacy” »

Botnet, Security, Uncategorised

and the email scam botnet – part 2

After being quiet for some time, the botnet appears to have been started up yet again, on a Friday, keeping up with the schedule. Why is it that it seems to spike on Fridays? What a horrible way to end the week.

Anyways, this time round the end-point site has changed; the HTML redirect on the hacked servers is now:

Some examples of email headers from the spoofed mail are as follows (some data is hidden):

As you can see, the main culprit is still WIN-NPPN1JPV75J and now also sometimes WORLDST-UQ3K9Q0, and to this very day it is still spoofing and sending out thousands of spam mails per day.

Let’s get schwifty

You know what? I have had it with this. It is illegal and immoral, and the people behind this will go down for it; I will make sure of that. My clients are constantly complaining about it and it is getting on my nerves.

Let’s start with the website you get redirected to, “”. Some details for that domain are:

IP address
Host name
IP range – CIDR
ISP OOO Fishnet Communications
Organization OOO Fishnet Communications
Country Russian Federation (RU)

Unfortunately I was unable to get the source code for this website; whenever I tried to grab it I received an HTTP error. The website must be some proxy for the redirection stage. I will try and gather more information about this domain, but for now let’s focus on the site it is redirecting to.

UPDATE 02/11/15

The hacked sites now redirect you to “” as of this date. They must be getting taken down, so they need to keep switching URLs.

And to my surprise, it’s a Russian-based URL with exactly the same IP as before:

IP address
Host name
IP range – CIDR
ISP OOO Fishnet Communications
Organization OOO Fishnet Communications
Country Russian Federation (RU)

This redirect service takes you to the hook, the part that is supposed to draw your attention to the site and make you want to find out more.
It is designed like any other news portal, although I feel like I need to douse my eyes with bleach after looking at this one.


As you can see from the image, it is a dreadful website. I cannot believe that people actually fall for this, but it happens, and I want to prevent it from happening as it is not fair IMO.

If you examine the source ( you can see that all hyperlinks redirect to the same bloody page:

Which is yet another redirect… fun times…

This redirect takes you to a page where it asks for information to sign up to a broker or “money making scheme”:

They are using a service called: or as the botnet uses:

I’m not entirely certain what the difference is between and except that one is protected via Cloudflare and the other is not.

After you fill out this form (it’s badly coded, so you don’t need to try hard) it takes you to the final stage of the scam: the trader.

This is what is funding the crime; this is what drives the criminals to do what they do. They get commission for every affiliate registration they bring in.

, the bad guy


No matter how legit sites seem, you can never be 100% certain they are trustworthy.

As you can see from this screenshot, it looks very legit and trustworthy, but this is what they want you to think. It is all a part of the same scam.

With a few Google searches I can already see the fail of this operation: in November 2014 they had their license revoked by CySEC.


  1. Safeguarding of clients’ funds,
  2. Own Funds, regarding the capital adequacy of investment firms. and
  3. Large exposures.

Only to have it handed back to them in December the same year:

They have the worst reviews I have ever seen; looking on Trustpilot I can see a few that paint a pretty good picture of how this company operates:

You can view the reviews on trustpilot here:

Some more reviews:

So that brings us to the end, or rather the beginning of a shitstorm for this company. I will begin reporting EVERYTHING and giving all evidence to the appropriate authorities, and I will get this shut down for good.

Here is a small fraction of hacked servers from wave 2:

And here is a small fraction of hacked routers or computers that are sending out spam emails: (A link regarding the fake news portals) (Threads regarding Wuxi Yilian LLC the spammer and scammer)

Botnet, Security, Uncategorised

New Threat: The WIN-NPPN1JPV75J Botnet

Over the past month I have been monitoring a sophisticated botnet which I have now called the WIN-NPPN1JPV75J botnet (as I am unable to find any info about it anywhere else).

I will be dumping all my research and findings here.

How does it work?

The botnet itself appears to be mainly about spam and traffic, using hacked servers to send spoofed emails that link to a bad actor. The initial hack must have been sent in an email attachment which users unknowingly opened, thus infecting their system. Once opened, it grabs your contact list and your email address and begins sending spam to everyone in your contacts. Now it appears that even if you get rid of the virus and change your password it still sends emails out. This is because the emails are not being sent from your system; they are being sent from elsewhere, spoofing your email address to make it seem legit. This is unstoppable without setting up third-party software or SPF records in your DNS.

Unfortunately I do not know much about how this attack took place to start with, so I will dive straight in to the second stage of the attack (spoofed emails).

What do the emails look like?

The emails are mostly the same, alternating between different linked websites. The main body text goes as follows: New message, please read, or Important message, please visit


You will notice if you view the email header source that every time it has a similar header:

Received: from [] (port=57932 helo=WIN-NPPN1JPV75J)
by with esmtpsa (UNKNOWN:DHE-RSA-AES256-GCM-SHA384:256)

Notice the WIN-NPPN1JPV75J? The HELO command is used by the sending SMTP client to identify itself, and this HELO name is the same for every single spam mail. Hence I have called it the WIN-NPPN1JPV75J botnet.
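Both hooks mentioned in this post, the fixed HELO name and the SPF record, can be checked on the receiving side before a spoofed message is accepted. The script below is an added example, not code from the post or from any mail server: it parses an Exim-style Received line like the one above, looks the HELO name up in a watchlist of the two names seen in this botnet, and evaluates a constructed SPF record for the spoofed domain against the connecting IP. The headers, the addresses, victim.example and its SPF record are all made up for the example; only the ip4/ip6/all mechanisms are evaluated, since the others need DNS.

```python
import ipaddress
import re

# HELO names observed in the spam described in this post.
KNOWN_BAD_HELO = {"WIN-NPPN1JPV75J", "WORLDST-UQ3K9Q0"}

# Constructed headers; victim.example and the addresses are placeholders, not the
# redacted values from the post.
SPAM_RECEIVED = (
    "Received: from [198.51.100.23] (port=57932 helo=WIN-NPPN1JPV75J)\n"
    "\tby mail.victim.example with esmtpsa (UNKNOWN:DHE-RSA-AES256-GCM-SHA384:256)"
)
LEGIT_RECEIVED = (
    "Received: from [192.0.2.5] (port=41022 helo=mail.victim.example)\n"
    "\tby mail.victim.example with esmtpsa (TLSv1.2:ECDHE-RSA-AES256-GCM-SHA384:256)"
)
# A constructed SPF record for the spoofed domain: only 192.0.2.0/24 may send for it.
SPF_RECORDS = {"victim.example": "v=spf1 ip4:192.0.2.0/24 -all"}

RECEIVED_RE = re.compile(r"from \[(?P<ip>[^\]]+)\] \(port=(?P<port>\d+) helo=(?P<helo>[^)\s]+)\)")
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def parse_received(header):
    """Pull the connecting IP, source port and HELO name out of an Exim-style Received header."""
    m = RECEIVED_RE.search(header)
    if not m:
        return None
    return {"ip": m.group("ip"), "port": int(m.group("port")), "helo": m.group("helo")}


def check_spf(record, sender_ip):
    """Evaluate the ip4/ip6/all mechanisms of an SPF record against the connecting IP,
    the way a receiving MTA does. Mechanisms that need DNS (a, mx, include, ...)
    are deliberately left out so the example runs offline."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"
    ip = ipaddress.ip_address(sender_ip)
    for term in terms[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "all":
            return QUALIFIERS[qualifier]
        if name in ("ip4", "ip6"):
            if ip in ipaddress.ip_network(arg, strict=False):
                return QUALIFIERS[qualifier]
            continue
        raise ValueError(f"{name}: needs a DNS lookup, not handled in this offline example")
    return "neutral"  # no mechanism matched and no "all" term


def triage_message(received_header, mail_from_domain, spf_records):
    """Combine the HELO watchlist with the SPF result into an accept/reject decision."""
    info = parse_received(received_header)
    if info is None:
        return {"verdict": "unparsed"}
    record = spf_records.get(mail_from_domain)
    spf = check_spf(record, info["ip"]) if record else "none"
    helo_hit = info["helo"] in KNOWN_BAD_HELO
    verdict = "reject" if helo_hit or spf == "fail" else "accept"
    return {**info, "helo_flagged": helo_hit, "spf": spf, "verdict": verdict}


if __name__ == "__main__":
    print(triage_message(SPAM_RECEIVED, "victim.example", SPF_RECORDS))
    print(triage_message(LEGIT_RECEIVED, "victim.example", SPF_RECORDS))
```

The spoofed message is rejected twice over (watchlisted HELO and an SPF “fail”), while the message from the domain’s own server passes. The HELO match is the quick win against this particular botnet, but it is trivially changed by the operator; the SPF record is what keeps working after they rename the host, which is why the post recommends publishing one.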

What the hell is going on?!

The botnet utilizes your contact lists which it stole from your email client (most likely most recent CC attachments) and sends an email to everyone on that list, with a different link each time, each directing you to a hacked website.

The links are interesting; they normally contain the website itself ( and then a randomly generated PHP script which is just a JavaScript redirect.

From what I have analysed, the hacked websites are mostly using WordPress, a free content management system. They mostly have out-of-date plugins and themes with multiple vulnerabilities, which is why I’m guessing they were easy targets.

The randomly generated PHP script contains a JavaScript redirect to some dodgy news-looking website:

So who’s the bad actor?



The website they all redirect to as of now is which is currently down as of right now.

Some details from the server are below:

IP Location Russian Federation Russian Federation Novosibirsk Llc Company Interlan Communications
ASN Russian Federation AS57494 ADMAN-AS Krek Ltd. (registered Nov 14, 2011)
Whois Server
IP Address
Reverse IP 2 websites use this address.

% Abuse contact for ‘ –’ is ‘

I also found this website that is hosted on the same server, but I haven’t looked into it yet:

Vladimir E Gnat

So we got Vlad’s name from the WHOIS of the domain; that’s pretty bad, right? Forgot to WHOIS-guard yourself? Anyway, his name has popped up elsewhere: he has also been involved in the Smoke Loader malware using the domain name:

Read more about that here:

He also owns these domains:

He uses these email addresses:

He used these phone numbers:

Address details?

He is associated with hundreds of servers, some of which are:


Is your server infected?

Below is a very small fraction of infected servers I have found which have been involved in the spreading of this email virus. Do not click on these links unless you know what you are doing!


There isn’t really much we can do about this unfortunately; we can only report malicious domains and hope for the best. In the meantime I am going to be researching this a lot more, trying to discover the root of the botnet.

More to come.

Check out Wardline’s blog post about the very same issue:


PWN3d, Security

That one guy…

Whats going on?

This post won’t be too long; I just wanted to publicly shame people who attempted to do anything “phishy” to my blog. So here goes.

I receive notifications when something is going on, and I noticed I had a few of these:


So why are you trying to log into my blog as “admin”? Let me dump some of your info and see if that will stop you 🙂

Looks as though this IP address is involved in a lot of shit: 

IP address
Host name
IP range – CIDR
ISP PE Tetyana Mysyk
Organization PE Tetyana Mysyk
Country Ukraine (UA)
Time zone
Local time
Postal Code

Apple, Phishing, Security, Uncategorised

Another day, another Apple phisher…

Hi there!

While cruising through my email spam folder (as one does) I came across a bit of spam that stood out in front of the others, mainly because it copied Apple Inc. completely. I had to see what it was. Luckily enough, upon opening the email I could clearly see that this was a phishing attempt to get my Apple ID and possibly my card information, so let’s take a closer look, shall we?

The email itself looks very dodgy, and tbh I don’t use any Apple product whatsoever, I hate them, so how could I be receiving emails about my Apple account being abused?

Continue reading “Another day, another Apple phisher…” »

DDoS, DoS, Security

DRDoS – Denial of Service on Steroids

DDoS is one of the oldest and most used forms of “internet protesting” in the book; it’s used thousands of times a day all around the world. For those who do not know, DDoS stands for Distributed Denial of Service, otherwise meaning a shit tonne of attackers pelting a poor server with millions of packets until said server cannot cope any more and, well, denies service.

Normally if you would like to carry out a DDoS attack you would have to either build a botnet of thousands of infected computers or devices, or use a pay-for-hire DDoS service which you can find in one Google search. This is great and all for the common criminal, but building a botnet takes time and skill, and pay-for-hire services are costly and mostly useless.

What most people don’t know is that some of the largest attacks ever recorded in internet history most likely used only a few machines, maybe 50 at most, to attack with. This is made possible by what is termed “amplification” or “DRDoS” (Distributed Reflection Denial of Service), in which the attackers turn a small request into a much larger one by using open internet resolvers that anyone can use.

Continue reading “DRDoS – Denial of Service on Steroids” »
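The reflection described above leaves a distinctive footprint at the target’s edge: large replies from DNS and NTP servers arriving from many sources, for requests the target never sent (the attacker spoofed its address). The script below is an added example and not code from the post; it scores hosts from flow records by comparing reply bytes from reflector service ports against the host’s own request bytes. The flow tuples, addresses and the `min_ratio`/`min_reflectors` thresholds are constructed assumptions; real NetFlow or sFlow export would feed the same function.

```python
from collections import defaultdict

# UDP services commonly abused as reflectors: a small request with a spoofed source
# address draws a much larger reply. 53 is DNS (the open resolvers mentioned above), 123 is NTP.
AMPLIFICATION_PORTS = {53, 123}

# Constructed flow records (src_ip, src_port, dst_ip, dst_port, proto, bytes), not real
# traffic. 203.0.113.5 is the target; 203.0.113.9 is an ordinary client doing its own lookups.
FLOWS = [
    ("198.51.100.1", 53, "203.0.113.5", 4444, "udp", 3000),
    ("198.51.100.2", 53, "203.0.113.5", 4444, "udp", 3000),
    ("198.51.100.3", 53, "203.0.113.5", 4444, "udp", 3000),
    ("198.51.100.4", 123, "203.0.113.5", 4444, "udp", 4800),
    ("203.0.113.9", 50000, "192.0.2.53", 53, "udp", 60),
    ("192.0.2.53", 53, "203.0.113.9", 50000, "udp", 180),
    ("192.0.2.80", 80, "203.0.113.9", 50001, "tcp", 9000),
]


def find_reflection_victims(flows, min_ratio=10.0, min_reflectors=2):
    """Return {host: stats} for hosts receiving far more reflector-service reply bytes
    than they sent in requests, from several distinct reflectors at once.
    Because the attacker spoofs the target's address, the target never sent those
    requests: its request side stays near zero while the reply side climbs."""
    stats = defaultdict(lambda: {"reply_bytes": 0, "request_bytes": 0, "reflectors": set()})
    for src, sport, dst, dport, proto, nbytes in flows:
        if proto != "udp":
            continue
        if sport in AMPLIFICATION_PORTS:      # reply from a DNS/NTP server towards dst
            stats[dst]["reply_bytes"] += nbytes
            stats[dst]["reflectors"].add(src)
        elif dport in AMPLIFICATION_PORTS:    # a request the host itself sent
            stats[src]["request_bytes"] += nbytes
    flagged = {}
    for host, s in stats.items():
        ratio = s["reply_bytes"] / max(s["request_bytes"], 1)
        if ratio >= min_ratio and len(s["reflectors"]) >= min_reflectors:
            flagged[host] = {"reflectors": len(s["reflectors"]), "amplification": round(ratio, 1)}
    return flagged


if __name__ == "__main__":
    for host, s in find_reflection_victims(FLOWS).items():
        print(f"{host}: {s['reflectors']} reflectors, reply/request ratio {s['amplification']}")
```

For the sample, 203.0.113.5 is flagged with four reflectors and an effectively unbounded ratio (it sent no requests at all), while 203.0.113.9’s 60-byte query and 180-byte answer look like normal resolution and the TCP web traffic is ignored. The same ratio, measured from the other side, is what an operator of a resolver or NTP server should watch for: if you answer the whole internet, you are the amplifier in somebody else’s attack, and closing the resolver to your own clients is the fix.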