Popular Posts

[SMF Forum] Cannot access attachments upload path.

In recent days I was installing an SMF Forum on a website, but there was a problem. When a user uploaded a file as an attachment it returned this error: An Error Has Occured! Cannot access attachments upload path. To fix this problem, go to Admin Panel -> Attachments and Avatars and be sure to write […]

Analysis of a website infected with a hidden iframe

A user submitted a suspicious link that was present in his website as a hidden iframe. Malicious hidden iframes are mainly inserted into the HTML pages of legitimate websites by attackers who want to spread their malware, with the objective of infecting all the users that visit the compromised website and, in most cases, […]

Whistler Bootkit – a new powerful Windows bootkit

Whistler Bootkit is a new and interesting Windows bootkit which attacks all Windows versions from 2000 up to the recent Server 2008 and 7. Whistler Bootkit can be used to start an executable with NT-AUTHORITY\SYSTEM rights on every startup of the OS and protect it from anything and anyone, making it “impossible”

A new sophisticated bot named SpyEye is on the market

A new and sophisticated web-based bot named SpyEye is on the market and looks likely to be the successor of the famous Zeus Trojan due to its very interesting features. Its main objective is to steal bank accounts, credit cards, FTP accounts and other sensitive data from the victim’s computer. SpyEye was […]

Welcome to the jungle: Zeus + Pinch + Rogue Software

This second part, following our part 1 analysis, will show you what the files we collected did once live. From the main loader we can extract the following useful strings: msxslt3.exe MsXSLT SOFTWARE\Microsoft\Windows\CurrentVersion\Run \ntdll.dll wininet.dll Content-Type: application/x-www-form-urlencoded POST tmpf […]

Rogue Antispyware 2009 served through beedly.us ADS

Today, when I was browsing the beedly.us website, I saw a suspicious ad link pointing to the malicious website proantispyware2009(dot)com, so I started to analyze the link and, below, is the result: after clicking on the ad I was redirected to a new sub-domain, and if we view the […]

More than 100 websites compromised for Blackhat SEO strategy

We have noticed a new case of blackhat SEO used by cybercriminals to distribute their backdoors and to gain as many victims as possible, by driving specific user traffic (by hijacking keywords in search engines) to malicious websites that contain hidden iframes, malicious JavaScript, and other sorts of malicious code that redirect the users […]

I-Worm/Nuwar.W + Rustock.E Variant – Analysis

Steve sent me a new interesting malware sample classified as I-Worm/Nuwar.W. When I executed the file, it injected code into a system process named svchost.exe, and I started to receive a lot of traffic from a domain with a random-looking name (aaqarkznvb.com), and during the established connections with the domain, a lot of […]

Pay-Per-Install Analysis – Part Three

InstallConverter: this is where things get interesting. This company distributes one executable, TDL3. TDL3 is a very advanced piece of stealth malware with rootkit capabilities. Here you can see Symantec is well aware of this: Backdoor.Tidserv. This is how much they pay per 1000 installs per country. USA - $170 Canada - $120 United Kingdom […]

Blackhole Exploit Kit Served With Google Images Links

While searching images on Google Images, we noted a suspicious redirect: hxxp://epnfmackey. info/index.php?tp=81350e0ebb536599 It looks like the Blackhole Exploit Kit URL format! Malicious code can be found by analyzing the page source. The main redirect was created by this malicious URL: hxxp://www.buy-itraconazole. info/noob-tube&page=6 Analysis from NoVirusThanks Sandbox: Connection Established - %ProgramFiles%\Internet Explorer\iexplore.exe - […]

Find out who visits your Facebook profile: it is a fake, the link redirects to malicious websites

We have recently noted various messages posted by Facebook users that promote a few methods to find out who visits your Facebook profile. At the end of the message there is a link to a Bit.ly shortened URL, as you can see from this image: The shortened URL redirects the users to a malicious URL: HTTP/1.1 […]

Scam: Account suspicious activity – Facebook.Team

We started to receive emails stating that our Facebook account has been blocked due to suspicious activity and that to reactivate it we should click on a URL. Clearly this is a scam; the email seems to be sent from an email account in China, see the image below: This is an image of the body […]

11 Linux Firewall Software (Free)

List of free firewall software for Linux systems: IPCop Firewall 1.4.21. IPCop Firewall is a Linux firewall distribution geared towards home and SOHO (Small Office/Home Office) users. The IPCop interface is very user-friendly and task-based. IPCop offers the critical functionality of an expensive network appliance using stock, or even obsolete, hardware and open-source software. Homepage […]

FakeAV: AntiVirus Studio 2010

Another FakeAV, this time called AntiVirus Studio 2010. Like all FakeAVs, it claims to have found a lot of infections on your computer and that the only way to clean them is to pay a hefty price for a “license key”. Here we have the main interface. As usual it starts the scan without any user interaction […]

How to remove PlayMP3Z.biz Adware (Uninstall instructions)

PlayMP3Z.biz is a new adware program that displays annoying popups, installs malicious files and also a Browser Helper Object that is used to control and hijack your Internet Explorer web browser. Make sure not to fall for this scam; if your computer is infected with PlayMP3Z.biz, it is recommended to remove it immediately and to […]