Saturday, 11 August 2012

Dorifel Faggotry

184.22.103.202 - 184.82.162.163
These two IPs, published by Kaspersky, hosted a lot of criminal material; some screenshots can be viewed here:
Unknown Webinject
Logs parser
Tick Panel
Citadel
But those were only a small part of the server; there was obviously also a Fragus exploit kit:

But I think it's a bit useless to talk about this.
For the rest, Rickey Gevers has done a cool post, check it out!
http://rickey-g.blogspot.nl/2012/08/more-details-of-dorifel-servers.html
Dorifel/Citadel samples: http://www.kernelmode.info/forum/viewtopic.php?f=16&t=1795
Closer view of the Dorifel code: http://translate.google.com/translate?hl=en&sl=nl&tl=en&u=http://webwereld.nl/analyse/111452/de-code-van-dorifel-nader-bekeken/1.html

I lack the time to brute force everything; port 80 now seems filtered, but basic services like SSH still run on the IP.

Edit 11 Aug: no more communication with the C&C:
MD5 of image: dc7c483af2d2ae5a0a023e30a84ff20d
