Jump to content

Search the Community

Showing results for tags 'domains'.

  • Search By Tags

    Type tags separated by commas.
  • Search By Author

Content Type


Forums

  • Informatii generale
    • Anunturi importante
    • Bine ai venit
    • Proiecte RST
  • Sectiunea tehnica
    • Exploituri
    • Challenges (CTF)
    • Bug Bounty
    • Programare
    • Securitate web
    • Reverse engineering & exploit development
    • Mobile security
    • Sisteme de operare si discutii hardware
    • Electronica
    • Wireless Pentesting
    • Black SEO & monetizare
  • Tutoriale
    • Tutoriale in romana
    • Tutoriale in engleza
    • Tutoriale video
  • Programe
    • Programe hacking
    • Programe securitate
    • Programe utile
    • Free stuff
  • Discutii generale
    • RST Market
    • Off-topic
    • Discutii incepatori
    • Stiri securitate
    • Linkuri
    • Cosul de gunoi
  • Club Test's Topics
  • Clubul saraciei absolute's Topics
  • Chernobyl Hackers's Topics
  • Programming & Fun's Jokes / Funny pictures (programming related!)
  • Programming & Fun's Programming
  • Programming & Fun's Programming challenges
  • Bani pă net's Topics
  • Cumparaturi online's Topics
  • Web Development's Forum
  • 3D Print's Topics

Find results in...

Find results that contain...


Date Created

  • Start

    End


Last Updated

  • Start

    End


Filter by number of...

Joined

  • Start

    End


Group


Website URL


Yahoo


Jabber


Skype


Location


Interests


Occupation


Interests


Biography


Location

Found 6 results

  1. Hello, Pentru a obtine un domeniu .xyz gratuit, pe o perioada de 1 an, accesati linkul de mai jos : https://cpanel.hostinger.co.uk/ Va inregistrati, confirmati inregistrarea pe e-mail, iar apoi in dreapta sus accesati sectiunea Domains -> New domains registration Succes!
  2. b90rvn

    Free .pw

    Primit pe mail mai devreme...
  3. The Angler Exploit Kit continues to evolve at an alarming rate, seamlessly adding not only zero-day exploits as they become available, but also a host of evasion techniques that have elevated it to the ranks of the more formidable hacker toolkits available. Researchers at Cisco’s Talos intelligence team today reported on a technique used in a recent Angler campaign in which attackers are using stolen domain registrant credentials to create massive lists of subdomains that are used in rapid-fire fashion to either redirect victims to attack sites, or serve as hosts for malicious payloads. The technique has been called domain shadowing, and it is considered the next evolution of fast flux; so far it has enabled attackers to have thousands of subdomains at their disposal. In this case, the attackers are taking advantage of the fact that domain owners rarely monitor their domain registration credentials, which are being stolen in phishing attacks.They’re then able to create a seemingly endless supply of subdomains to be used in additional compromises. “It’s one thing that people just don’t do,” said Craig Williams, security outreach manager for Cisco Talos. “No one logs back into their registrant account unless they are going to change something, or renew it.” Researchers Nick Biasani and Joel Esler wrote that Cisco has found hundreds of compromised accounts—most of them GoDaddy accounts—and control up to 10,000 unique domains. “This behavior has shown to be an effective way to avoid typical detection techniques like blacklisting of sites or IP addresses,” Biasini and Esler said. “Additionally, these subdomains are being rotated quickly minimizing the time the exploits are active, further hindering analysis. This is all done with the users already registered domains. No additional domain registration was found.” Cisco said the campaign began in earnest in December, though some early samples date back to September 2011; more than 75 percent of subdomain activity, however, has occurred since December. There are multiple tiers to the attack, with different subdomains being created for different stages. The attacks start with a malicious ad redirecting users to the first tier of subdomains which send the user to a page serving an Adobe Flash or Microsoft Silverlight exploit. The final page is rotated heavily and sometimes, those pages are live only for a few minutes, Cisco said. “The same IP is utilized across multiple subdomains for a single domain and multiple domains from a single domain account,” Biasini and Esler wrote. “There are also multiple accounts with subdomains pointed to the same IP. The addresses are being rotated periodically with new addresses being used regularly. Currently more than 75 unique IPs have been seen utilizing malicious subdomains.” Domain shadowing may soon supercede fast flux, a technique that allow hackers to stay one step ahead of detection and blocking technology. Unlike fast flux, which is the rapid rotation of a large list of IP addresses to which a single domain or DNS entry points, domain shadowing rotates in new subdomains and points those at a single domain or small group of IP addresses. “When you think about it, this is likely the next evolution of fast flux. It allows attackers an easy way to come up with domains they can use in a short amount of time and move on,” Williams said. “It doesn’t cost them anything and it’s tough to detect because it’s difficult to use blocklisting technology to defend against it. It’s not something we’ve observed before.” The attackers have zeroed in almost exclusively on GoDaddy accounts since the registrar is by far the biggest on the Internet; for now, that is the only commonality to the attacks carried out in this Angler campaign, Cisco said. “The accounts are largely random so there is no way to track which domains will be used next. Additionally, the subdomains are very high volume, short lived, and random, with no discernible patterns,” Biasini and Esler wrote. “This makes blocking increasingly difficult. Finally, it has also hindered research. It has become progressively more difficult to get active samples from an exploit kit landing page that is active for less than an hour. This helps increase the attack window for threat actors since researchers have to increase the level of effort to gather and analyze the samples.” Williams, meanwhile, warns that as security technologies catch up to domain shadowing, there is a risk that mitigations could impact legitimate traffic. “If the block list is made incorrectly, it could block both bad and legitimate traffic and harm an innocent victim,” Williams said. “If you know an attacker has credentials, you could make the case to block everything associated with a domain. That could also block the legitimate domain.” Source
  4. OpenDNS has gone public with a new tool that uses a blend of analytics principles found outside information security to create a threat model for detecting domains used in criminal and state-sponsored hacking campaigns. NLPRank is not ready for production, said OpenDNS director of security research Andrew Hay, but the threat model has been proven out and false positives kept in check to the point where Hay and NLPRank’s developer Jeremiah O’Connor were satisfied that it could be shared publicly. What separates NLPRank from other analytics software that searches, for example, for typo-squatting domains used in phishing attacks, is that the OpenDNS tool also relies on natural language processing, ASN mappings, WHOIS domain registration information, and HTML tag analysis to weed out legitimate domains from the bad ones. The data comes from OpenDNS’ massive storehouses of DNS traffic (70 billion DNS queries daily), as well as from other sources provided by researchers investigating APT campaigns, for example. The spark for NLPRank’s development was a repeating pattern of evidence from a number of phishing attacks used to gain a foothold for APT groups. Certain themes such as fraudulent social media accounts or password reset requests purporting to be from popular services such as Facebook or PayPal were used to add urgency for the potential victim, enticing them to follow the link to trouble. “Using this malicious language and applying analysis to the domains, we can start picking them off prior to a campaign launching,” Hay said. O’Connor shared details in a blog post on the science behind the analytics, including algorithms used in bioinformatics and data mining, natural language processing techniques that allow him to develop a dictionary of malicious language used in these campaigns that helps the tool predict malicious domain activity. “NLPRank is designed to detect these fraudulent branded domains that often serve as C2 domains for targeted attacks,” O’Connor wrote, adding that the tool uses a minimum edit-distance algorithm used in spell-checkers and other applications to whittle down words used for typo-squatting domains and legitimate domains. “The intuition behind using this algorithm is that essentially we’re trying to define a language used by malicious domains vs. a language of benign domains in DNS traffic,” O’Connor said. Hay added that the domains used in the recently unveiled Carbanak APT bank heist, with losses anywhere between $300 million and $1 billion, were identified as malicious by NLPRank prior to the campaign going public during the recent Security Analyst Summit. Data from Carbanak, DarkHotel and other APT groups uncovered by Kaspersky Lab are among the data sets used to put NLPRank through its paces. “This has been incredibly successful in looking at phishing kits that, at face value, are identical to the parent company’s site,” Hay said, stressing that the tool looks at various low-level code, JavaScript hosted on the site, redirects and more in its analysis. “The model picks them off and starts analyzing the data, making sure it’s associated with the parent company, that it was registered by someone associated with the parent domain through the WHOIS information, looking at how embedded HTML may be different versus the parent company and determining how much it deviates from the parent site.” Eventually the tool will be folded into OpenDNS offerings, but Hay said more analysis capabilities, such expanded HTML and embedded script analysis, need to be added to further keep false positives at bay. “The false positive rate is low, but it’s not at point where we are comfortable putting it into production or turning on automated blocking,” Hay said. “We want additional inputs to the model, but so far it’s looking great.” Source
  5. Existing in some form since 2008, the popular remote access tool PlugX has as notorious a history as any malware, but according to researchers the tool saw a spike of popularity in 2014 and is the go-to malware for many adversary groups. Many attacks, especially those occurring during the latter half of the year, were seen using the tool. In fact, researchers are theorizing the further proliferation of PlugX, which enables attackers to log keystrokes, modify and copy files, capture screenshots, as well as the ability to quit processes, log users off, and completely reboot users’ machines, could suggest eventual worldwide adoption. The malware was the most used variant when it came to targeted activity in 2014 according to Crowdstrike’s Global Threat Report, released today. Despite kicking around for years, the malware is now the de facto tool for dozens of China-based adversarial groups the firm tracks. One of the ways the malware improved itself in 2014, and in turn caught on, was by switching up the way it communicates with its infrastructure further up the chain. By implementing a newer DNS command and control module, the malware has been able to send its data in the form of long DNS queries to its overseeing infrastructure. By modifying the way the DNS and HTTP requests are produced, something Crowdstrike is calling a deviation from “some of the more typically monitored protocols,” it’s made it more difficult to be detected over the past year or so. “The upward trend in use of PlugX indicates an increasing confidence in the capabilities of the platform, justifying its continued use across multiple sectors and countries,” according to the report. One of the groups that Crowdstrike caught dropping PlugX on machines was a hacking collective it calls Hurricane Panda, who used the malware’s custom DNS feature to spoof four DNS servers, including popular domains such as Pinterest.com, Adobe.com, and Github.com. Instead of their legitimate IP addresses, the malware was able to instead point these domains to a PlugX C+C node. The malware, as has been the case in the past, is commonly delivered via a spear phishing attack. Some of attacks go on to leverage a zero day from last March, CVE-2014-1761, which exploits vulnerable Microsoft RTF or Word documents. Others, meanwhile, make use of well-worn holes like CVE-2012-0158 in PowerPoint and Excel, that were also used by the IceFog, Red October, and Cloud Atlas attacks. While some of the groups using PlugX have gone out of their way to register new domains for leveraging the malware’s C+C, many domains from the last several years remain active, something else that Crowdstrike has attributed to the malware’s success and persistence over the years. The firm has two schools of thought when it comes to rationalizing how the malware has become so commonplace. It’s thought that there’s either a central malware dissemination channel that’s pushing PlugX out to adversary groups or that groups that hadn’t used PlugX in the past have recently been able to get copies of it via public repositories or the cybercrime underground. Either way, while the malware is mostly used by attackers from “countries surrounding China’s sphere of influence,” the report suggests that that trend could change soon enough. The malware has been used in recurring attacks against commercial entities in the U.S., and in other politically fueled attacks, but its rapid deployment “could be a precursor to future worldwide use,” according Crowdstrike. “The ongoing development of PlugX provides attackers with a flexible capability that requires continued vigilance on the part of network defenders in order to detect it reliably.” Source
  6. DoubleClick malvertising campaign exposes long-run beneath the radar malvertising infrastructure Today, at 2014-02-12 12:16:20 (CET), we became aware of a possible evasive/beneath the radar malvertising based g01pack exploit kit attack, taking place through the DoubleClick ad network using an advertisement featured at About.com. Investigating further, we were able to identify the actual domains/IPs involved in the campaign, and perhaps most interestingly, managed to establish a rather interesting connection between the name servers of one of the domains involved in the attacks, and what appears to be a fully operational and running Ukrainian-based ad platform, Epom in this particular case. Actual URL: hxxp://ad.doubleclick.net/N479/adi/abt.education/education_biology;p=1;svc=;site=biology;t=0;bt=9;bts=0;pc=4;oe=iso-8859-1;auc=1;fd=2;fs=1;sp2=0;go=9;a=;kw=;chan=education;syn=about;tile=1;r=1;dcopt=ist;sz=728×90;u=DBIIS70bOkWAXwch41309;dc_ref=http:/biology.about.com/library/glossary/bldefmenlawia.htm;ord=1DBIIS70bOkWAXwch41309 Malvertising domains/URLs/IPs involved in the campaign: adservinghost1.com – 212.124.112.232; 212.124.112.226 (known to have responded to the same IP is also cpmservice1.com); 212.124.112.229; 74.50.103.41; 68.233.228.236 ad.onlineadserv.com – 37.59.15.44; 37.59.15.211 hxxp://188.138.90.222/ad.php?id=31984&cuid=55093&vf=240 IP reconnaissance: 188.138.90.222 – The following domains are also known to have responded to the same IP: rimwaserver.com; notslead.com; adwenia.com – Email: philip.woronoff@yandex.ru (also known to have responded to 188.138.74.38 in the past; as well as digenmedia.com) Based on BrightCloud’s database, not only is adservinghost1.com already flagged as malicious, but also, we’re aware that MD5: dc35b211b5eb5bd8af02c412e411d40e (Rogue:Win32/Winwebsec) is known to have phoned back to the same IP as the actual domain, hxxp://212.124.112.232/cb_soft.php?q=dcee08c46ea4d86769a92ab67ff5aafa in particular. Here comes the interesting part. Apparently, the name servers of adservinghost1.com are currently responding to the same IPs as the name servers of the Epom ad platform. NS1.ADSERVINGHOST1.COM – 212.124.126.2 NS2.ADSERVINGHOST1.COM – 74.50.103.38 The following domains are also currently responding to 212.124.126.2, further confirming the connection: ns1.epom.com ads.epom.com api.epom.com directads.epom.com ns1.adshost1.com ns1.adshost2.com ns1.adshost3.com The following domains are also responding to the same IP as the Epom.com domain at 198.178.124.5: automob.com autos.net.ua epom.com formanka-masova.cz ipfire.com – Email: kaandvc@gmail.com; Email: satilikdomain@live.com smartkevin.com We’ll be keeping an eye on this beneath the radar malvertising infrastructure, and post updates as soon as new developments emerge. Via DoubleClick malvertising campaign exposes long-run beneath the radar malvertising infrastructure Webroot Threat Blog
×
×
  • Create New...