    Author Archive - Maxim Goncharov (Senior Threat Researcher)

    On December 6, 2011, a number of pro-Kremlin activists launched an attack on Twitter using bots that posted messages with the hashtag #триумфальная (Triumfalnaya). These bots posted a range of nationalist slogans and crude language. At a rate of up to 10 messages per second, the bots succeeded in drowning out the genuine message feed for that hashtag.

    The reason for disrupting the conversation around the pre-arranged #триумфальная (Triumfalnaya) hashtag was that it had been announced as a channel for exchanging information by anti-government opposition protesters, and was also being used as a live text feed of protester actions against the recent election results in Russia, which were taking place at Triumfalnaya Square in Moscow.
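    As an added illustration that is not part of the original post, the following sliding-window detector flags the pattern described above: a hashtag feed drowned by high-rate, repetitive posts from a handful of accounts. The thresholds and the sample message stream are constructed assumptions, not data from the incident.

```python
"""Sliding-window detector for a hashtag flood like the one described
above: a burst of near-identical slogans posted at high rate on one
hashtag by a handful of accounts.  Added example, not Trend Micro code;
the thresholds and the sample stream are constructed assumptions."""
from collections import Counter, deque

WINDOW_SECONDS = 10      # assumption: look at the last 10 seconds of the feed
RATE_THRESHOLD = 5.0     # assumption: alert at >= 5 msg/s (post cites up to 10)
REPEAT_RATIO = 0.5       # assumption: >= half the window's texts are duplicates


def flood_alerts(messages, hashtag, window=WINDOW_SECONDS,
                 rate=RATE_THRESHOLD, repeat_ratio=REPEAT_RATIO):
    """messages: (epoch_seconds, account, text) tuples sorted by time.
    Returns one (window_start, alert_time, msgs_per_sec, top_accounts)
    per flooding episode; a new alert fires only after the feed recovers."""
    tag = hashtag.lower()
    buf = deque()        # (ts, account, normalised text) inside the window
    alerts, in_flood = [], False
    for ts, account, text in messages:
        tokens = {tok.strip(".,!?") for tok in text.lower().split()}
        if tag not in tokens:
            continue
        buf.append((ts, account, " ".join(text.lower().split())))
        while ts - buf[0][0] > window:       # drop messages that aged out
            buf.popleft()
        n = len(buf)
        msgs_per_sec = n / window
        dupes = sum(c for c in Counter(t for _, _, t in buf).values() if c > 1)
        flooded = msgs_per_sec >= rate and dupes / n >= repeat_ratio
        if flooded and not in_flood:
            top = Counter(a for _, a, _ in buf).most_common(3)
            alerts.append((buf[0][0], ts, msgs_per_sec, top))
        in_flood = flooded
    return alerts


def sample_stream():
    """Constructed feed: three genuine posts, then 60 slogans from three
    bot accounts within 10 seconds, then one genuine post afterwards."""
    tag = "#триумфальная"
    stream = [(0, "citizen1", f"Heading to the square {tag}"),
              (4, "citizen2", f"Police lines forming {tag}"),
              (9, "citizen3", f"Crowd is growing {tag}")]
    slogans = [f"Glory to the nation {tag}", f"Go home, losers {tag}"]
    for i in range(60):                      # 6 bot posts per second
        stream.append((20 + i // 6, f"bot{i % 3}", slogans[i % 2]))
    stream.append((45, "citizen1", f"Feed is unreadable {tag}"))
    return stream
```

    Running `flood_alerts(sample_stream(), "#триумфальная")` yields a single alert for the bot burst and none for the sparse genuine posts before and after it.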



    We recently found an interesting post in a Russian underground forum in the course of our research. People exchange information about their illegal activities in these kinds of forums. We found a user in the forum with the handle “sourcec0de” and ICQ number 291149 who is currently offering root access to some of the cluster servers of and its subdomains.


    The screenshot above shows that the seller appears to have a shell console window with root access to these servers. The price for each access starts at US$3,000, with the exchange of money and access handled through the well-known garant/escrow system, in which a trusted third party verifies both sides of a transaction.

    In our previous underground research, we also saw sourcec0de selling stolen PayPal account credentials and discussing the management of botnet command-and-control (C&C) servers.

    We contacted about this issue last week. We are making this public to stress that hackers profit not only from selling stolen data or from inserting bad links into spam or phishing emails, websites, and other possible infection vectors.

    Whether or not sourcec0de’s claim is true, this case shows just how brazen cybercriminals have become: they openly sell administrative access to specific systems, which can be seriously harmed by these break-ins.


    Cybercriminals leveraging social media is now basically a given, especially considering users’ current devotion to social media (and social networks in particular). We have already reported quite a few instances of cybercriminals using Twitter for their operations, most notably for spamming.

    Twitter is, of course, fully aware of this. Twitter users have probably even noticed some of the Web page limitations designed to hamper spammers’ efforts. One of the recent developments is the implementation of Twitter’s Link Service.

    But the cybercriminals are definitely not willing to go down without a fight.

    A tool kit that can be used to send Twitter spam is currently being promoted in underground forums. The kit, aptly named “Twitter Kit,” has interesting functions, which include sending messages to thousands of followers through SOCKS5 proxies. That functionality is especially useful in search engine optimization (SEO) projects. The tool also enables the user to search through other users’ followers, to send Follow invites to them, and to break the account limits set by Twitter.


    As for how it is used, my best guess is that the Twitter Kit is used for distributing pornography-related links, as the tool is actually offered as a bonus with the purchase of 10,000 adult-content followers. But the kit is priced at only US$20, which means that it could be used by many other cybercriminals for a variety of malicious purposes.

    With that, Twitter users are advised to steer clear of suspicious followers and spammy links.


    Nowadays, hardware has become so cheap that cybercriminals can easily reproduce fake point-of-sale (POS) devices that can be used to skim data from credit and debit cards.

    In an underground forum, a certain “Nikkon” has posted a fake POS device with flash memory for sale. The device is practically identical to a normal-looking POS terminal. Once used, however, it prints out a default receipt informing the counterfeiter’s victim that an error occurred while reading his/her card and that the transaction could therefore not be completed. Of course, by the time this receipt is being printed, the data held on the magnetic strip—along with the victim’s personal identification number (PIN) code—have already been saved to the onboard flash memory.

    How would this work in the real world? Imagine you are in a restaurant, shop, or café. You would like to pay using your credit or debit card. You are handed a POS device and asked to swipe your card and then enter your PIN code. Moments later, you see that the card is being rejected. You are handed back a receipt as proof. You might dismiss this as a normal failed transaction. You will not know that your credit card information has already been stolen until you get your next billing statement.

    The initial price of a fake POS device is set at 1,000 EUR. An additional 200 EUR is charged for its setup and delivery. In addition, 40 percent of the stolen credit/debit card information is taken as usage fee by the seller.


    As the security industry evolves, underground cybercriminals are constantly looking for ways to counter the technology challenges presented to them. I recently found out that the bad guys have begun offering services to track the blacklisting of domain names through reputation checks. The number of “businesses” offering this type of service is growing and the service itself has now become semi-automated.

    This semi-automation checks the list of requested domain names against the different Web reputation databases. The most recent service I studied is found on www.{BLOCKED}, which offers customers a solution wherein the list of domain names is regularly checked for blacklisting against Google BlackList (Firefox), ZeuS Tracker, SpamHaus, and others. The monthly fee for such a service is currently around US$30 for 100 domains.


    The message above translates to:

    Zeus TRACKER
    Added checking on ZEUS TRACKER
    Join now!
    Now clients of our service can use a jabber bot, which can help in code crypting and check if the domain is in a black list, checking your domains in real time for blacklisting.
    Join! It’s easy!
    Added API!
    Now clients of our service can use our algorithms via API.
    This means you can now integrate the algorithms into your software products.

    This service offers a Web-based interface for manual site-by-site checks as well as a bulk check mechanism. It exposes an application programming interface (API) and uses Jabber as a communication protocol. Note that this is not the main business of the said site, which still prioritizes bulk JavaScript obfuscation.

    These new services demonstrate how adept cybercriminals have become at using new technologies and resources to their advantage. The security industry has finally recognized the need for technologies such as reputation checks and deployed them, and the bad guys have already come along and misused that same technology in order to make even more money.

    Trend Micro protects users from potential attacks via the Smart Protection Network™, which blocks user access to all malicious URLs via the Web reputation service and detects all related malware via the file reputation service.



    © Copyright 2013 Trend Micro Inc. All rights reserved. Legal Notice