1940 IPs for a BHEK/ULocker server - Nexcess-Net
(Publication) Google search: [1]
| 1940 IPs for a BHEK/ULocker server - Nexcess-Net | |
|---|---|
| 120px | |
| Botnet | ULocker |
| Malware | |
| Botnet/malware group | |
| Exploit kits | Blackhole |
| Services | |
| Feature | |
| Distribution vector | |
| Target | |
| Origin | |
| Campaign | |
| Operation/Working group | |
| Vulnerability | |
| CCProtocol | |
| Date | 2012 / 2012-11-14 |
| Editor/Conference | |
| Link | http://malware.dontneedcoffee.com/2012/09/ULockerAS36444BHEK.html (Archive copy) |
| Author | Kafeine |
| Type | |
Abstract
“ We all remember the hack of Cryptome.org back in February 13th 2012, redirecting 2900 visitors to a "/Home/" Blackhole Exploit kit. (No ? Read cryptome.org thread about that).
I was already following that blackhole (and its ips ) since I started to dive in this field, so since December.
I decided to make a deeper search and found that the BH EK was hidding behind 2428 ips (Pastebin) on AS36444 almost all on NEXCESS-NET networks.
At that time I ensured this information reached Law Enforcement and decided to stop following that BH EK (too many IP rotation, too much work for one rotating payload).
Yesterday Jindrich Kubec (Avast) and Razor both remind me about that "/Home/ BH EK " that i was also seeing from time to time on URLQuery and MalwareDomainList.
I made a scan once again on AS36444 and there is right now 1915 ips (Pastebin) positive to that BH EK.
Bibtex
@misc{Lua error: Cannot create process: proc_open(/dev/null): failed to open stream: Operation not permitted2012BFR1249,
editor = {},
author = {Kafeine},
title = {1940 IPs for a BHEK/ULocker server - Nexcess-Net},
date = {14},
month = Nov,
year = {2012},
howpublished = {\url{http://malware.dontneedcoffee.com/2012/09/ULockerAS36444BHEK.html}},
}