These two IP published by Kaspersky contained alot of criminal stuff, you can view some screenshots here:
Unknown Webinject
Logs parser
Tick Panel
Citadel
But they was just a small part of the server, obviously there was also Fragus:
But i think it's a bit useless to talk about this.
For the rest, Rickey Gevers have do a cool post, check it out !
http://rickey-g.blogspot.nl/2012/08/more-details-of-dorifel-servers.html
Dorifel/Citadel samples: http://www.kernelmode.info/forum/viewtopic.php?f=16&t=1795
Closer view of the Dorifel code http://translate.google.com/translate?hl=en&sl=nl&tl=en&u=http://webwereld.nl/analyse/111452/de-code-van-dorifel-nader-bekeken/1.html
I got a lack of time to brute force everything, now the port 80 seem filtered, but basic service like ssh still run on the ip.
Edit 11 Aug: No more communication to the C&C:
No comments:
Post a Comment