Saturday 11 August 2012

Dorifel Faggotry -
These two IPs published by Kaspersky hosted a lot of criminal material; you can see some screenshots here:
Unknown Webinject
Logs parser
Tick Panel
But those were just a small part of the server; obviously there was also Fragus:

But I think it's a bit useless to talk about this.
For the rest, Rickey Gevers has written a cool post, check it out!
Dorifel/Citadel samples:
Closer view of the Dorifel code

I lack the time to brute force everything; now port 80 seems filtered, but basic services like SSH still run on the IP.

Edit 11 Aug: No more communication with the C&C:
MD5 of image: dc7c483af2d2ae5a0a023e30a84ff20d