Friday, January 29, 2010

Luis Sanus · SPECIAL POST



Today is a big day for TRIANGULATION BLOG, and for me personally as well, since a great friend has offered to upload some of his incredible works to the blog. With him we launch the "Special Post" section, which will collect all those interviews or works in which the artist or creative shares opinions, feelings, techniques... about the works published here.

Painter, artist and above all a motivator of life, Luis Sanus (Alcoy, 1971) holds a degree in Fine Arts (1990-1995). He completed his academic studies in Florence (1997), where he spent a year studying the Italian masters after obtaining the Leonardo da Vinci grant. He is currently finishing his doctoral thesis at the Universidad Miguel Hernández in Alicante.

He lives in Alicante, where he develops his creativity in several fields: painting, sculpture and design. His works have travelled much of Europe and Argentina. Now he shows us some of his latest works, CONSTELACIONES DE GORDITAS VOLADORAS (Constellations of Flying Chubby Girls), and tells us what they mean to him:

"The constellations are the product of chance; I started painting them I don't even know how. I think that if they are good, well, what am I going to say... (laughs). What I do know for certain is that they are very much mine. They were born inside me and there they are. They are images of a universe made of attitudes, of souls, of chubby women who float... who are alone but are with the others. Together they make up a space, an illusion of perspective and a movement, each one's own and shared. Each one does something and together they all do something."






What am I going to say, Luis? That I'm blown away by the gorditas, and blown away by you!
Thank you so much for your great contribution; you not only give shape to the blog, but a lot of strength to keep going too!
THANK YOU!


Adaptive Subdivision

Images generated automatically with Processing and Flash by subdividing another image. The subdivisions are larger or smaller depending on the amount of detail in the original image. Made by Quasimondo.





Wednesday, January 27, 2010

Minipost: VISA Zeus

This is not the first time we've seen a Zeus dropper posing as a VISA phish; recently we had the December 21st VISA and December 12th VISA campaigns. The emails are the same as in the previous campaigns.

We've seen these 53 domain names so far today in the UAB Spam Data Mine:

ewasza.co.uk
ewasza.me.uk
ewasze.co.uk
ewasze.me.uk
ewaszi.co.uk
ewaszi.me.uk
ewaszu.co.uk
ewaszu.me.uk
ewaszy.co.uk
ewaszy.me.uk
freeimagesonly.be
freeimagesonly.com
freeimagesonly.co.uk
freeimagesonly.mobi
freeimagesonly.org.uk
gyueeerd.com.vc
gyueeerd.vc
gyueeerf.com.vc
gyueeerf.vc
gyueeerh.com.vc
gyueeerh.vc
gyueeers.com.vc
gyueeers.vc
gyueeeru.com.vc
gyueeeru.vc
iurseda.com.vc
iurseda.vc
iursedq.com.vc
iursedq.vc
iursedz.com.vc
iursedz.vc
medirams.com
norytiod.com.vc
norytiod.vc
norytioq.com.vc
norytioq.vc
norytior.com.vc
norytior.vc
norytiox.com.vc
norytiox.vc
sucipa.com.vc
sucipa.vc
sucipe.com.vc
sucipe.vc
sucipy.com.vc
sucipy.vc
suecond.co.nz
suecond.co.uk
suecond.eu
suecond.me.uk
sueconu.co.uk
sueconu.eu
sueconu.me.uk

They are used in an assortment of hostnames, including:

alerts.cforms.visa.com.suecond.co.nz
reports.cforms.visa.com.suecond.co.nz
statements.cforms.visa.com.suecond.co.nz
transactions.cforms.visa.com.suecond.co.nz

as well as a variety of patterns with random numbers in the middle, such as:

sessionid-1870Y9B7BZNSQB.cforms.visa.com.ewasza.co.uk
sessionid2SW8J2XJQ.cforms.visa.com.ewasza.co.uk
sessionid3PO2C59V.cforms.visa.com.ewasza.co.uk
sessionid-3U5UEDLI878OCD4.cforms.visa.com.ewasza.co.uk
sessionid-601GIB7UW4CW.cforms.visa.com.ewasza.co.uk
sessionid_73IG9LU216.cforms.visa.com.ewasza.co.uk
sessionid_78SEOF26UCWD3.cforms.visa.com.ewasza.co.uk
sessionid-I5AE0X91LP66P.cforms.visa.com.ewasza.co.uk
sessionid_ILRG2PA40.cforms.visa.com.ewasza.co.uk
sessionidLQEGFJMSS.cforms.visa.com.ewasza.co.uk
sessionid-OP5GMS06SF.cforms.visa.com.ewasza.co.uk
sessionid_OW0EZ0Z.cforms.visa.com.ewasza.co.uk
sessionid-SHTSQ7233OL.cforms.visa.com.ewasza.co.uk
sessionid_U3KJ7Q52MC.cforms.visa.com.ewasza.co.uk
sessionidVWMOE6307CRKXRM.cforms.visa.com.ewasza.co.uk

As usual, these are "fast flux" hosted, meaning that, for example, all of these IP addresses have been seen resolving the domains today:

8.14.250.36
24.139.170.130
24.139.199.193
24.55.191.38
41.189.44.33
58.146.223.113
58.146.235.41
58.158.42.57
59.93.102.244
59.93.116.1
59.94.211.34
60.53.195.222
61.247.96.83
61.72.140.57
69.79.96.70
79.183.200.23
84.228.139.23
87.70.85.15
89.218.192.196
94.54.201.43
94.54.3.54
95.104.39.180
95.58.109.118
110.55.15.138
111.119.182.165
112.201.100.237
112.201.126.156
112.201.254.20
112.202.136.44
112.206.169.131
114.142.215.195
114.185.93.52
114.186.197.236
114.186.241.236
114.24.3.17
115.177.129.136
115.184.170.220
115.184.239.50
116.197.79.227
116.50.154.197
116.81.48.121
116.83.35.207
118.33.211.102
118.91.2.149
119.95.213.128
121.138.176.86
121.161.251.25
122.50.143.42
123.231.61.142
125.138.245.199
183.87.51.133
186.24.114.43
186.28.215.77
186.28.69.106
186.97.24.122
187.56.67.100
188.129.234.181
188.56.4.214
189.110.149.105
189.179.10.150
189.179.12.169
189.179.12.229
189.179.12.26
189.18.101.190
189.192.66.18
189.192.7.75
189.192.77.236
189.193.229.197
189.193.43.4
189.194.133.9
189.194.204.77
189.194.204.79
189.194.208.236
189.194.213.203
189.231.5.193
190.0.134.221
190.140.29.142
190.142.57.30
190.16.136.134
190.160.226.227
190.213.161.169
190.213.161.225
190.245.121.41
190.25.63.8
190.26.176.197
190.26.50.164
190.27.40.1
190.32.78.27
190.34.46.168
190.39.129.16
190.64.7.89
194.54.36.6
200.112.81.253
200.112.92.60
200.126.69.238
200.169.71.144
200.66.45.15
200.92.200.202
200.95.250.127
201.13.55.17
201.132.143.149
201.132.6.179
201.139.142.208
201.153.96.80
201.227.129.238
201.231.205.87
201.232.142.97
201.26.127.10
201.43.140.52
202.69.171.135
210.93.54.46
211.201.216.148
211.255.29.30
218.164.0.237
219.169.208.98
219.52.84.57
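One way to turn the "fast flux" observation above into a repeatable check, as an added example that is not part of the original post: feed a resolver log of (hostname, answer IP, TTL) triples through a scorer that counts how many distinct IPs, and how many distinct /16 prefixes, answered for each name. A lure hostname that resolves to dozens of unrelated consumer-ISP addresses with a short TTL is the fast-flux signature; a legitimate name round-robins inside one netblock with a long TTL. The hostnames and IPs in the sample come from the lists above, but which IP answered for which name, the TTL values and the thresholds are assumptions made for the illustration.

```python
"""Fast-flux heuristic run over DNS resolution observations.

Added example (not code from the original post): scores each hostname by
how many distinct IPs and distinct /16 prefixes answered for it and by the
TTL the zone advertised.
"""
from collections import defaultdict
from ipaddress import ip_address, ip_network
from statistics import median

# Constructed sample log: (hostname, answer IP, TTL seconds).
# Hostnames and IPs are taken from the VISA campaign lists above; the
# pairing of name to IP and the TTL values are invented for the example.
SAMPLE_ANSWERS = [
    ("alerts.cforms.visa.com.suecond.co.nz", "8.14.250.36", 300),
    ("alerts.cforms.visa.com.suecond.co.nz", "24.139.170.130", 300),
    ("alerts.cforms.visa.com.suecond.co.nz", "41.189.44.33", 300),
    ("alerts.cforms.visa.com.suecond.co.nz", "58.146.223.113", 300),
    ("alerts.cforms.visa.com.suecond.co.nz", "112.201.100.237", 300),
    ("alerts.cforms.visa.com.suecond.co.nz", "189.179.12.169", 300),
    ("alerts.cforms.visa.com.suecond.co.nz", "190.26.50.164", 300),
    # Control: a name that legitimately round-robins inside one /24.
    # 192.0.2.0/24 is documentation space, so this is clearly constructed.
    ("www.example.net", "192.0.2.10", 3600),
    ("www.example.net", "192.0.2.11", 3600),
    ("www.example.net", "192.0.2.12", 3600),
]


def score_names(answers, min_ips=5, min_prefixes=3, max_ttl=600):
    """Return {hostname: {"ips", "prefixes", "ttl", "fast_flux"}}.

    min_ips, min_prefixes and max_ttl are assumed thresholds; tune them
    against your own resolver logs.
    """
    ips = defaultdict(set)
    ttls = defaultdict(list)
    for name, ip, ttl in answers:
        ips[name].add(ip_address(ip))
        ttls[name].append(ttl)

    report = {}
    for name, addrs in ips.items():
        # Collapse each address to its /16 so that a CDN spread across one
        # provider's block does not look like a botnet spread across ISPs.
        prefixes = {ip_network((str(a), 16), strict=False) for a in addrs}
        ttl = median(ttls[name])
        report[name] = {
            "ips": len(addrs),
            "prefixes": len(prefixes),
            "ttl": ttl,
            "fast_flux": (len(addrs) >= min_ips
                          and len(prefixes) >= min_prefixes
                          and ttl <= max_ttl),
        }
    return report


def fast_flux_names(answers, **thresholds):
    """Sorted list of the hostnames flagged as fast-flux."""
    return sorted(name for name, r in score_names(answers, **thresholds).items()
                  if r["fast_flux"])


if __name__ == "__main__":
    for name, r in score_names(SAMPLE_ANSWERS).items():
        print(f"{name:45} ips={r['ips']:2} /16s={r['prefixes']:2} "
              f"ttl={r['ttl']:>6} fast_flux={r['fast_flux']}")
```

The prefix count matters more than the raw IP count: a single /16 with many addresses is what a hosting provider looks like, while seven addresses in seven unrelated /16s, as in the sample, is what a pool of infected home machines looks like.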

A more complete list of machines:

alerts.cforms.visa.com.suecond.co.nz
reports.cforms.visa.com.suecond.co.nz
statements.cforms.visa.com.suecond.co.nz
transactions.cforms.visa.com.suecond.co.nz
alerts.cforms.visa.com.ewasza.co.uk
reports.cforms.visa.com.ewasza.co.uk
statements.cforms.visa.com.ewasza.co.uk
transactions.cforms.visa.com.ewasza.co.uk
alerts.cforms.visa.com.ewasze.co.uk
reports.cforms.visa.com.ewasze.co.uk
statements.cforms.visa.com.ewasze.co.uk
transactions.cforms.visa.com.ewasze.co.uk
alerts.cforms.visa.com.ewaszi.co.uk
reports.cforms.visa.com.ewaszi.co.uk
statements.cforms.visa.com.ewaszi.co.uk
transactions.cforms.visa.com.ewaszi.co.uk
alerts.cforms.visa.com.ewaszu.co.uk
reports.cforms.visa.com.ewaszu.co.uk
statements.cforms.visa.com.ewaszu.co.uk
transactions.cforms.visa.com.ewaszu.co.uk
alerts.cforms.visa.com.ewaszy.co.uk
reports.cforms.visa.com.ewaszy.co.uk
statements.cforms.visa.com.ewaszy.co.uk
transactions.cforms.visa.com.ewaszy.co.uk
alerts.cforms.visa.com.freeimagesonly.co.uk
reports.cforms.visa.com.freeimagesonly.co.uk
statements.cforms.visa.com.freeimagesonly.co.uk
transactions.cforms.visa.com.freeimagesonly.co.uk
alerts.cforms.visa.com.suecond.co.uk
reports.cforms.visa.com.suecond.co.uk
statements.cforms.visa.com.suecond.co.uk
transactions.cforms.visa.com.suecond.co.uk
alerts.cforms.visa.com.sueconu.co.uk
reports.cforms.visa.com.sueconu.co.uk
statements.cforms.visa.com.sueconu.co.uk
transactions.cforms.visa.com.sueconu.co.uk
alerts.cforms.visa.com.ewasza.me.uk
reports.cforms.visa.com.ewasza.me.uk
statements.cforms.visa.com.ewasza.me.uk
transactions.cforms.visa.com.ewasza.me.uk
alerts.cforms.visa.com.ewasze.me.uk
reports.cforms.visa.com.ewasze.me.uk
statements.cforms.visa.com.ewasze.me.uk
transactions.cforms.visa.com.ewasze.me.uk
alerts.cforms.visa.com.ewaszi.me.uk
reports.cforms.visa.com.ewaszi.me.uk
statements.cforms.visa.com.ewaszi.me.uk
transactions.cforms.visa.com.ewaszi.me.uk
alerts.cforms.visa.com.ewaszu.me.uk
reports.cforms.visa.com.ewaszu.me.uk
statements.cforms.visa.com.ewaszu.me.uk
transactions.cforms.visa.com.ewaszu.me.uk
alerts.cforms.visa.com.ewaszy.me.uk
reports.cforms.visa.com.ewaszy.me.uk
statements.cforms.visa.com.ewaszy.me.uk
transactions.cforms.visa.com.ewaszy.me.uk
alerts.cforms.visa.com.suecond.me.uk
reports.cforms.visa.com.suecond.me.uk
statements.cforms.visa.com.suecond.me.uk
transactions.cforms.visa.com.suecond.me.uk
alerts.cforms.visa.com.sueconu.me.uk
reports.cforms.visa.com.sueconu.me.uk
statements.cforms.visa.com.sueconu.me.uk
transactions.cforms.visa.com.sueconu.me.uk
alerts.cforms.visa.com.freeimagesonly.org.uk
reports.cforms.visa.com.freeimagesonly.org.uk
statements.cforms.visa.com.freeimagesonly.org.uk
transactions.cforms.visa.com.freeimagesonly.org.uk
alerts.cforms.visa.com.gyueeerd.com.vc
reports.cforms.visa.com.gyueeerd.com.vc
statements.cforms.visa.com.gyueeerd.com.vc
transactions.cforms.visa.com.gyueeerd.com.vc
alerts.cforms.visa.com.gyueeerf.com.vc
reports.cforms.visa.com.gyueeerf.com.vc
statements.cforms.visa.com.gyueeerf.com.vc
transactions.cforms.visa.com.gyueeerf.com.vc
alerts.cforms.visa.com.gyueeerh.com.vc
reports.cforms.visa.com.gyueeerh.com.vc
statements.cforms.visa.com.gyueeerh.com.vc
transactions.cforms.visa.com.gyueeerh.com.vc
alerts.cforms.visa.com.gyueeers.com.vc
reports.cforms.visa.com.gyueeers.com.vc
statements.cforms.visa.com.gyueeers.com.vc
transactions.cforms.visa.com.gyueeers.com.vc
alerts.cforms.visa.com.gyueeeru.com.vc
reports.cforms.visa.com.gyueeeru.com.vc
statements.cforms.visa.com.gyueeeru.com.vc
transactions.cforms.visa.com.gyueeeru.com.vc
alerts.cforms.visa.com.iurseda.com.vc
reports.cforms.visa.com.iurseda.com.vc
statements.cforms.visa.com.iurseda.com.vc
transactions.cforms.visa.com.iurseda.com.vc
alerts.cforms.visa.com.iursedq.com.vc
reports.cforms.visa.com.iursedq.com.vc
statements.cforms.visa.com.iursedq.com.vc
transactions.cforms.visa.com.iursedq.com.vc
alerts.cforms.visa.com.iursedz.com.vc
reports.cforms.visa.com.iursedz.com.vc
statements.cforms.visa.com.iursedz.com.vc
transactions.cforms.visa.com.iursedz.com.vc
alerts.cforms.visa.com.norytiod.com.vc
reports.cforms.visa.com.norytiod.com.vc
statements.cforms.visa.com.norytiod.com.vc
transactions.cforms.visa.com.norytiod.com.vc
alerts.cforms.visa.com.norytioq.com.vc
reports.cforms.visa.com.norytioq.com.vc
statements.cforms.visa.com.norytioq.com.vc
transactions.cforms.visa.com.norytioq.com.vc
alerts.cforms.visa.com.norytior.com.vc
reports.cforms.visa.com.norytior.com.vc
statements.cforms.visa.com.norytior.com.vc
transactions.cforms.visa.com.norytior.com.vc
alerts.cforms.visa.com.norytiox.com.vc
reports.cforms.visa.com.norytiox.com.vc
statements.cforms.visa.com.norytiox.com.vc
transactions.cforms.visa.com.norytiox.com.vc
alerts.cforms.visa.com.sucipa.com.vc
reports.cforms.visa.com.sucipa.com.vc
statements.cforms.visa.com.sucipa.com.vc
transactions.cforms.visa.com.sucipa.com.vc
alerts.cforms.visa.com.sucipe.com.vc
reports.cforms.visa.com.sucipe.com.vc
statements.cforms.visa.com.sucipe.com.vc
transactions.cforms.visa.com.sucipe.com.vc
alerts.cforms.visa.com.sucipy.com.vc
reports.cforms.visa.com.sucipy.com.vc
statements.cforms.visa.com.sucipy.com.vc
transactions.cforms.visa.com.sucipy.com.vc
alerts.cforms.visa.com.freeimagesonly.be
reports.cforms.visa.com.freeimagesonly.be
statements.cforms.visa.com.freeimagesonly.be
transactions.cforms.visa.com.freeimagesonly.be
alerts.cforms.visa.com.freeimagesonly.com
reports.cforms.visa.com.freeimagesonly.com
statements.cforms.visa.com.freeimagesonly.com
transactions.cforms.visa.com.freeimagesonly.com
alerts.cforms.visa.com.medirams.com
reports.cforms.visa.com.medirams.com
statements.cforms.visa.com.medirams.com
transactions.cforms.visa.com.medirams.com
alerts.cforms.visa.com.suecond.eu
reports.cforms.visa.com.suecond.eu
statements.cforms.visa.com.suecond.eu
transactions.cforms.visa.com.suecond.eu
alerts.cforms.visa.com.sueconu.eu
reports.cforms.visa.com.sueconu.eu
statements.cforms.visa.com.sueconu.eu
transactions.cforms.visa.com.sueconu.eu
alerts.cforms.visa.com.freeimagesonly.mobi
reports.cforms.visa.com.freeimagesonly.mobi
statements.cforms.visa.com.freeimagesonly.mobi
transactions.cforms.visa.com.freeimagesonly.mobi
alerts.cforms.visa.com.gyueeerd.vc
reports.cforms.visa.com.gyueeerd.vc
statements.cforms.visa.com.gyueeerd.vc
transactions.cforms.visa.com.gyueeerd.vc
alerts.cforms.visa.com.gyueeerf.vc
reports.cforms.visa.com.gyueeerf.vc
statements.cforms.visa.com.gyueeerf.vc
transactions.cforms.visa.com.gyueeerf.vc
alerts.cforms.visa.com.gyueeerh.vc
reports.cforms.visa.com.gyueeerh.vc
statements.cforms.visa.com.gyueeerh.vc
transactions.cforms.visa.com.gyueeerh.vc
alerts.cforms.visa.com.gyueeers.vc
reports.cforms.visa.com.gyueeers.vc
statements.cforms.visa.com.gyueeers.vc
transactions.cforms.visa.com.gyueeers.vc
alerts.cforms.visa.com.gyueeeru.vc
reports.cforms.visa.com.gyueeeru.vc
statements.cforms.visa.com.gyueeeru.vc
transactions.cforms.visa.com.gyueeeru.vc
alerts.cforms.visa.com.iurseda.vc
reports.cforms.visa.com.iurseda.vc
statements.cforms.visa.com.iurseda.vc
transactions.cforms.visa.com.iurseda.vc
alerts.cforms.visa.com.iursedq.vc
reports.cforms.visa.com.iursedq.vc
statements.cforms.visa.com.iursedq.vc
transactions.cforms.visa.com.iursedq.vc
alerts.cforms.visa.com.iursedz.vc
reports.cforms.visa.com.iursedz.vc
statements.cforms.visa.com.iursedz.vc
transactions.cforms.visa.com.iursedz.vc
alerts.cforms.visa.com.norytiod.vc
reports.cforms.visa.com.norytiod.vc
statements.cforms.visa.com.norytiod.vc
transactions.cforms.visa.com.norytiod.vc
alerts.cforms.visa.com.norytioq.vc
reports.cforms.visa.com.norytioq.vc
statements.cforms.visa.com.norytioq.vc
transactions.cforms.visa.com.norytioq.vc
alerts.cforms.visa.com.norytior.vc
reports.cforms.visa.com.norytior.vc
statements.cforms.visa.com.norytior.vc
transactions.cforms.visa.com.norytior.vc
alerts.cforms.visa.com.norytiox.vc
reports.cforms.visa.com.norytiox.vc
statements.cforms.visa.com.norytiox.vc
transactions.cforms.visa.com.norytiox.vc
alerts.cforms.visa.com.sucipa.vc
reports.cforms.visa.com.sucipa.vc
statements.cforms.visa.com.sucipa.vc
transactions.cforms.visa.com.sucipa.vc
alerts.cforms.visa.com.sucipe.vc
reports.cforms.visa.com.sucipe.vc
statements.cforms.visa.com.sucipe.vc
transactions.cforms.visa.com.sucipe.vc
alerts.cforms.visa.com.sucipy.vc
reports.cforms.visa.com.sucipy.vc
statements.cforms.visa.com.sucipy.vc
transactions.cforms.visa.com.sucipy.vc


Suveyda



by Ayhan Cebe

Primary Atmospheres








Artist: David Zwirner
via synaptic stimuli

Robin Rhode and Leif Ove Andsnes





These two artists come together for the first time, and the result will be simply spectacular: Robin Rhode, South African by birth and a visual artist based in Berlin, and the multiple Grammy Award winner, Norwegian pianist Leif Ove Andsnes.
















Tuesday, January 26, 2010

Tadpoles


via midge's stuff

American Bankers Association version of Zeus Bot / Zbot

Today our top spam-delivered malware is coming to us in the guise of a message from the American Bankers Association.

Subject lines seen in the UAB Spam Data Mine include:

An unauthorized transaction billed from your bank account
An unauthorized transaction billed from your bank card
An unauthorized transaction billed to your bank account
An unauthorized transaction billed to your bank card
unauthorized transaction
unauthorized transaction billed from your bank account
unauthorized transaction billed from your bank card
unauthorized transaction billed to your bank account
unauthorized transaction billed to your bank card

While most of the emails come from the email address:

noreply@mail.aba.com

others arrive with a message_id in the From address, such as:

message_ODRL6039id@mail.aba.com

The emails look like this:

An unauthorized transaction billed from your bank card.

Amount of transaction: $1781.30
Transaction ID: 7980-9779263

Please review the transaction report by clicking the link below:

get the transaction report

---------
Letter ID 9996-0347362324-49929775497-69019696317-70662423061-65867724-18065800918


where the "Amount of transaction" and "Transaction ID"

The website looks like this:



Hostnames that we saw in the spam include:

machine
-----------------------------------
getreport.aba.com.edfa4.com.vc
getreport.aba.com.edfa4.vc
getreport.aba.com.edfa5.com.vc
getreport.aba.com.edfa5.vc
getreport.aba.com.edfa6.com.vc
getreport.aba.com.edfa6.vc
getreport.aba.com.edfa7.com.vc
getreport.aba.com.edfa7.vc
getreport.aba.com.edfa8.com.vc
getreport.aba.com.edfa8.vc
getreport.aba.com.ferdsae.vc
getreport.aba.com.gertfdv.am
getreport.aba.com.sawesae.vc
getreport.aba.com.sawesag.com.vc
getreport.aba.com.sawesaj.com.vc
getreport.aba.com.sawesal.com.vc
getreport.aba.com.sawesao.vc
getreport.aba.com.sawesaq.vc
getreport.aba.com.sawesat.vc
getreport.aba.com.sawesau.vc
getreport.aba.com.uifersag.no.com
getreport.aba.com.uifersag.uy.com
getreport.aba.com.uifersar.cn.com
getreport.aba.com.uifersar.no.com
getreport.aba.com.uifersar.uy.com
getreport.aba.com.uifersat.cn.com
getreport.aba.com.uifersat.no.com
getreport.aba.com.uifersat.uy.com
getreport.aba.com.yhuusd.com.vc
getreport.aba.com.yhuusd.vc
getreport.aba.com.yhuush.vc

The malware dropped from this website, "transactionreport.exe", is almost entirely undetected according to this VirusTotal Report. Only six of forty-one AV products currently detect it, and only two of them properly identify it as Zeus.

Kaspersky calls it "Trojan-Spy.Win32.Zbot.gen", as does Sunbelt.

Authentium and F-Prot heuristically detect it as "El dorado", which is fairly close to Zbot behavior-wise. F-Secure and McAfee identify it as a risk but don't classify it further.

Besides the obvious "transactionreport.exe", there is also a drive-by infector that originates at the IP address "109.95.114.251" on the path "/us01d/in.php". I'll update this post later this evening with more details about that malware path, but at this point I would assume it's going to drop a PDF that leads to a fake AV product.

That IP address is famously associated with Zeus through the owner of its network, which the WHOIS data actually names "VISHCLUB" and describes as "Kanyovskiy Andriy Yuriyovich" of Kazakhstan - akanyovskiy@troyak.org. Perhaps send him an email and ask him how the life of crime is treating him. Apparently there are no laws against providing hosting for cybercriminals in Kazakhstan, but several sources say this IP address is actually in Great Britain, and I'm pretty sure they don't stand for this kind of behavior. Criminal email addresses such as:
Natalia Ilina - try@5mx.ru
Polina Kuznetsova - wsw@maillife.ru
Mikhail Vorobiev - bombs@maillife.ru
taffy@blogbuddy.ru
and kievsk@yandex.ru

all show up when you investigate previous Zeus infections that use this netblock with domain names like:

hostingdnssite.com
quicksitehostdns.com
platinumhostingservice.com
nekovo.ru
dnsserverbackupzones.com
windowsserverinfo.com
androzo.ru

and that's just so far in January 2010!

A Facebook version of the Zeus malware was active last night and this morning, but that's an on-going extension of the previously mentioned version.

Lake




KORB is a freelance animation and motion studio founded by CGI director Rimantas Lukavicius. KORB specializes in visual effects and motion graphics.
They have good things on their site. In some respects it reminds me of Dvein.

Sculptural Photography







Photographed and assembled by Szymon Roginski and Kasia Korzeniecka

Monday, January 25, 2010

Futurism - An Odyssey in Continuity

Futurism - An Odyssey in Continuity is a collection of retro prints designed by Simon Page, a self-taught graphic designer from the United Kingdom. He is passionate about typography, illustration and geometric design.


Saturday, January 23, 2010

AOL Update spreads Zeus / Zbot

The UAB Spam Data Mine has been receiving emails like these all weekend . . .

Dear AOL Instant Messenger (AIM) user,

Your AIM account is flagged as inactive. Within the following 72 hours it’ll be deleted from the system.

If you plan to use this account in the future, you have to download and launch the latest update for the AIM. This update is critical.

In order to install the update use the following link. This link is generated exclusively for your account and is available within a certain period of time. As soon as this link is not available anymore you will get another letter.

Thank you,

AIM Service Team

This e-mail has been sent from an e-mail address that is not monitored. Please do not reply to this message. We are unable to respond to any replies.


Today's email subjects are primarily these three:

AOL Instant Messenger critical update
Your AOL Instant Messenger account is flagged as inactive
Your AOL Instant Messenger account will be deleted



The download link points to a file called:

aimupdate_7.1.6.475

File size: 130048 bytes
MD5 : 506b74fab91958e0a9714c4ef5a9f24d
SHA1 : bdb3ecffb2245a6a3f4bda3880aa562a13bff421

VirusTotal of course informs us that this is a Zeus / Zbot infector:

(See VirusTotal Report)

Before you even download the "executable", there is drive-by malware that hits the visitor.

== 109.95.114.251/usr5432/in.php is called as a result of an iframe on the page.

This leads to the download and loading of:

== 109.95.114.251/usr5432/xd/pdf.pdf
and then
== /usr5432/xd/sNode.php
and /usr5432/xd/swfobject.js

and then nekovo.ru/kissme/rec.php
which downloads nekovo.ru/abs.exe

abs.exe is detected by only 5 of 41 anti-virus products according to VirusTotal, most of them detecting it as "Hiloti":

VirusTotal Report on Hiloti - abs.exe
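The drive-by chain above starts with an IFRAME that the victim never sees, and the ABA, VISA and Sendspace pages on this blog carry the same kind of frame. Here is a small scanner for captured landing pages, as an added example that is not part of the original post: it parses the HTML, collects every <iframe>, and flags those whose src points off-site or at a raw IP address, or that are sized or styled to be invisible. The sample page is constructed for the example; only the 109.95.114.251/usr5432/in.php URL and the products/aimController.php path come from the post, and the page hostname passed in is an assumption.

```python
"""Flag drive-by iframes in a captured phishing landing page.

Added example, not code from the original post. Uses only the standard
library so it can run over saved HTML offline.
"""
from html.parser import HTMLParser
from ipaddress import ip_address
from urllib.parse import urlsplit

# Constructed landing page. Only the in.php URL and the aimController.php
# path are taken from the post; everything else is invented.
SAMPLE_HTML = """<html><body>
<h1>AIM update</h1>
<a href="/products/aimController.php">Download the update</a>
<iframe src="http://109.95.114.251/usr5432/in.php" width="1" height="1"
        style="visibility: hidden"></iframe>
<iframe src="/help/terms.html" width="600" height="400"></iframe>
</body></html>"""


class IframeCollector(HTMLParser):
    """Collect the attribute dict of every <iframe> start tag."""

    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "iframe":
            # Attributes without a value come through as None.
            self.iframes.append({k.lower(): (v or "") for k, v in attrs})


def _is_ip_literal(host):
    try:
        ip_address(host)
        return True
    except ValueError:
        return False


def _is_tiny(value):
    """True for width/height of 2px or less ("1", "0px", ...)."""
    try:
        return int(value.strip().lower().rstrip("px")) <= 2
    except ValueError:
        return False


def suspicious_iframes(html, page_host):
    """Return [{"src", "reasons"}] for each iframe that looks like a
    drive-by loader; an empty list means nothing was flagged."""
    parser = IframeCollector()
    parser.feed(html)
    findings = []
    for frame in parser.iframes:
        src = frame.get("src", "")
        host = urlsplit(src).hostname or ""      # "" for relative URLs
        style = frame.get("style", "").replace(" ", "").lower()
        reasons = []
        if host and host != page_host.lower():
            reasons.append("off-site")
        if host and _is_ip_literal(host):
            reasons.append("ip-literal host")
        if _is_tiny(frame.get("width", "")) or _is_tiny(frame.get("height", "")):
            reasons.append("tiny")
        if "display:none" in style or "visibility:hidden" in style:
            reasons.append("hidden")
        if reasons:
            findings.append({"src": src, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in suspicious_iframes(SAMPLE_HTML, "update.aol.com.favucca.im"):
        print(f["src"], "->", ", ".join(f["reasons"]))
```

Any one of the four reasons is worth a look, but an off-site frame at a raw IP that is also 1x1 and hidden, as in the sample, is about as unambiguous as static analysis of a page gets. The scanner only sees markup, so a frame injected later by script (the swfobject.js stage above) needs a rendered DOM or a proxy capture instead.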




Websites that have been used in this campaign, all using the path "products/aimController.php", include:


machine
--------------------------------
update.aol.com.favucca.co.im
update.aol.com.favuccaco.im
update.aol.com.favucca.com.im
update.aol.com.favuccacom.im
update.aol.com.favuccaim
update.aol.com.favucca.im
update.aol.com.favucca.net.im
update.aol.com.favuccanet.im
update.aol.com.favucca.org.im
update.aol.com.favuccaorg.im
update.aol.com.hasdxzzw.co.im
update.aol.com.hasdxzzw.com.im
update.aol.com.hasdxzzw.im
update.aol.com.hasdxzzw.net.im
update.aol.com.hasdxzzw.org.im
update.aol.com.oifeazx.com.pl
update.aol.com.oifeazxcom.pl
update.aol.com.oijeaxx.com.pl
update.aol.com.oijeaxxcom.pl
update.aol.com.oijeazx.com.pl
update.aol.com.oijeazxcom.pl
update.aol.com.oijhaxx.com.pl
update.aol.com.oijhaxxcom.pl
update.aol.com.oijhayx.com.pl
update.aol.com.oijhayxcom.pl
update.aol.com.oijqayx.com.pl
update.aol.com.oijqayxcom.pl
update.aol.com.oiybaqr.com.pl
update.aol.com.oiybaqrcom.pl
update.aol.com.oiybkqr.com.pl
update.aol.com.oiybkqrcom.pl
update.aol.com.oiyqaqr.com.pl
update.aol.com.oiyqaqrcom.pl
update.aol.com.oiyqayr.com.pl
update.aol.com.oiyqayrcom.pl
update.aol.com.oiyqayx.com.pl
update.aol.com.oiyqayxcom.pl
update.aol.com.onybkqr.com.pl
update.aol.com.onybkqrcom.pl
update.aol.com.onybksm.com.pl
update.aol.com.onybksmcom.pl
update.aol.com.onybksr.com.pl
update.aol.com.onybksrcom.pl
update.aol.com.onybmsm.com.pl
update.aol.com.onybmsmcom.pl
update.aol.com.pikie.com.pl
update.aol.com.pikoe.com.pl
update.aol.com.pikqe.com.pl
update.aol.com.pikye.com.pl
update.aol.com.pioqe.com.pl
update.aol.com.pioqo.com.pl
update.aol.com.saxxxzabe
update.aol.com.saxxxzfbe
update.aol.com.saxxxznbe
update.aol.com.saxxxzn.be
update.aol.com.terfkioa.com.pl
update.aol.com.terfkioa.net.pl
update.aol.com.terfkioc.com.pl
update.aol.com.terfkioc.net.pl
update.aol.com.terfkiod.com.pl
update.aol.com.terfkiod.net.pl
update.aol.com.terfkiof.com.pl
update.aol.com.terfkiof.net.pl
update.aol.com.terfkioq.com.pl
update.aol.com.terfkioq.net.pl
update.aol.com.terfkior.com.pl
update.aol.com.terfkios.com.pl
update.aol.com.terfkios.net.pl
update.aol.com.terfkiox.com.pl
update.aol.com.terfkiox.net.pl
update.aol.com.yhff10.com.pl
update.aol.com.yhff11.com.pl
update.aol.com.yhffd0.com.pl
update.aol.com.yhffd1.com.pl
update.aol.com.yhffd2.com.pl
update.aol.com.yhffd3.com.pl
update.aol.com.yhffd4.com.pl
update.aol.com.yhffd5.com.pl
update.aol.com.yhffd6.com.pl
update.aol.com.yhffd7.com.pl
update.aol.com.yhffd8.com.pl
update.aol.com.yhffd9.com.pl
update.aol.com.yhnki6u.com.pl
update.aol.com.yhnki6ucom.pl
update.aol.com.yhnkz6u.com.pl
update.aol.com.yhnkz6ucom.pl
update.aol.com.yhuki6u.com.pl
update.aol.com.yhuki6ucom.pl
update.aol.com.yhuoi6u.com.pl
update.aol.com.yhuoi6ucom.pl
update.aol.com.yhuoo6u.com.pl
update.aol.com.yhuoo6ucom.pl
update.aol.com.yhuou6u.com.pl
update.aol.com.yhuou6ucom.pl
update.aol.com.yhusssqb.com.pl
update.aol.com.yhusssqc.com.pl
update.aol.com.yhusssqd.com.pl
update.aol.com.yhusssqf.com.pl
update.aol.com.yhusssqg.com.pl
update.aol.com.yhusssqh.com.pl
update.aol.com.yhusssqj.com.pl
update.aol.com.yhusssqn.com.pl
update.aol.com.yhusssqq.com.pl
update.aol.com.yhusssqs.com.pl
update.aol.com.yhusssqu.com.pl
update.aol.com.yhusssqv.com.pl
update.aol.com.yhusssqw.com.pl
update.aol.com.yhusssqy.com.pl
update.aol.com.yhuui6u.com.pl
update.aol.com.yhuui6ucom.pl
update.aol.com.yhuyu6u.com.pl
update.aol.com.yhuyu6ucom.pl
update.aol.com.yhuyu6y.com.pl
update.aol.com.yhuyu6ycom.pl
update.aol.com.yhyki6u.com.pl
update.aol.com.yhyki6ucom.pl
(116 rows)

Art Machine

Art Machine, designed by Roxy Paine and Eric Drexler. This machine creates mini sculptures out of low-density polyethylene, forming an amazing texture.


Monday, January 18, 2010

Sendspace Zbot spreader a Flashback to Dec 15-20

From December 15th to December 20th, the top Zbot or "Zeus" trojan spreader was a spam email campaign which claimed to have news about a photo that may depict the recipient. The "photo" was actually called "photo.exe" and the website from which it was to be downloaded was intended to look like "Sendspace.com", a popular file sharing service.

Beginning early in the morning of January 16th, the UAB Spam Data Mine began to notice that the Sendspace version of Zeus might be making a return. On January 16th we received six copies of the spam, nearly identical to those received December 15-20. They came between 6:15 and 8:30 AM, and then stopped.

The spam messages ask a variation of a question such as:

Hey! Is this photo yours?

with subjects such as:
Fw:your photo
Re:your photo
Re:
Fw:look


and provide a link supposedly to a "sendspace" page for you to see the photo.

On January 17th, we saw another burst, beginning shortly after 8:00 AM, and ending about 10:15 AM, with 90 messages being received.

Then at 11:15 PM on January 17th the real campaign began, and has been flowing steadily ever since, although the spam is definitely on a rising trend - we've seen just over 700 copies today so far.

The URLs we've seen in the spam are these:

www.sendspace.com.iko999j0.com.pl
www.sendspace.com.iko999j0.compl
www.sendspace.com.iko999j1.com.pl
www.sendspace.com.iko999j1.compl
www.sendspace.com.iko999j1com.pl
www.sendspace.com.iko999j2.com.pl
www.sendspace.com.iko999j2.compl
www.sendspace.com.iko999j3.com.pl
www.sendspace.com.iko999j3com.pl
www.sendspace.com.iko999j4.com.pl
www.sendspace.com.iko999j5.com.pl
www.sendspace.com.iko999j5.compl
www.sendspace.com.iko999j6.com.pl
www.sendspace.com.iko999j6.compl
www.sendspace.com.iko999j7.com.pl
www.sendspace.com.iko999j7.compl
www.sendspace.com.iko999j7com.pl
www.sendspace.com.iko999j8.com.pl
www.sendspace.com.iko999j9.com.pl
www.sendspace.com.iko999j9com.pl
www.sendspace.com.iko999je.com.pl
www.sendspace.com.iko999je.compl
www.sendspace.com.iko999jq.com.pl
www.sendspace.com.iko999jqcom.pl
www.sendspace.com.iko999jr.com.pl
www.sendspace.com.iko999jrcom.pl
www.sendspace.com.iko999jt.com.pl
www.sendspace.com.iko999jw.com.pl
www.sendspace.com.iko999jw.compl
www.sendspace.com.iko999jwcom.pl
www.sendspace.comiko999j1.com.pl
www.sendspace.comiko999j4.com.pl
www.sendspace.comiko999j5.com.pl
www.sendspace.comiko999j7.com.pl
www.sendspace.comiko999j8.com.pl
www.sendspace.comiko999j9.com.pl
www.sendspace.comiko999je.com.pl
www.sendspace.comiko999jq.com.pl
www.sendspacecom.iko999j1.com.pl
www.sendspacecom.iko999j4.com.pl
www.sendspacecom.iko999j6.com.pl
www.sendspacecom.iko999j7.com.pl
www.sendspacecom.iko999j8.com.pl
www.sendspacecom.iko999j9.com.pl
www.sendspacecom.iko999je.com.pl
www.sendspacecom.iko999jw.com.pl
wwwsendspace.com.iko999j1.com.pl
wwwsendspace.com.iko999j3.com.pl
wwwsendspace.com.iko999j4.com.pl
wwwsendspace.com.iko999j7.com.pl
wwwsendspace.com.iko999j8.com.pl
wwwsendspace.com.iko999j9.com.pl

Note the typos? Some ".compl" instead of ".com.pl", some "sendspacecom" instead of "sendspace.com", and "wwwsendspace" instead of "www.sendspace". Those are the reasons the bad guys do test runs such as the ones we saw on the 16th and 17th: they need to get their bugs worked out.
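Every hostname list on this page (the VISA "cforms.visa.com" names, the ABA "getreport.aba.com" names, the AOL "update.aol.com" names and the Sendspace ones above) is built the same way: a trusted brand's hostname forms the left-most labels of a name whose registrable domain belongs to the crooks. The following is an added example, not code from the original post, that pulls the two halves apart and also catches the test-run typos just discussed: it needs a public-suffix table to know that the registrable domain of "alerts.cforms.visa.com.suecond.co.nz" is "suecond.co.nz" and not "co.nz", so the suffix and TLD tables below are assumed subsets covering only the endings that appear on this page.

```python
"""Split a lookalike phishing hostname into the brand it imitates and the
domain the attacker actually controls.

Added example, not code from the original post. The suffix and TLD tables
are assumed subsets of the Public Suffix List and IANA root zone that cover
only the endings seen on this page; use the full lists in production.
"""
import re

# Assumed subset of the Public Suffix List: multi-label suffixes seen above.
PUBLIC_SUFFIXES = {
    "co.uk", "me.uk", "org.uk", "co.nz", "com.vc", "com.pl", "net.pl",
    "co.im", "com.im", "net.im", "org.im",
    "no.com", "uy.com", "cn.com", "jpn.com", "kr.com",
}
# Assumed subset of real TLDs; anything else is a typo that can never resolve.
KNOWN_TLDS = {"uk", "nz", "vc", "pl", "im", "com", "net", "be", "mobi", "eu", "am"}
# Brands imitated by the campaigns on this page.
WATCHED_BRANDS = ("visa.com", "aba.com", "aol.com", "sendspace.com")
# RFC 1123 hostnames do not allow "_", but DNS and browsers tolerate it and
# the VISA campaign's "sessionid_..." names rely on that, so accept it here.
LABEL_RE = re.compile(r"^[a-z0-9_-]{1,63}$")


def split_hostname(hostname):
    """Return (prefix_labels, registrable_domain), e.g.
    (["alerts", "cforms", "visa", "com"], "suecond.co.nz")."""
    labels = hostname.lower().rstrip(".").split(".")
    if len(labels) < 2 or not all(LABEL_RE.match(l) for l in labels):
        raise ValueError(f"not a usable hostname: {hostname!r}")
    cut = 2                                    # default: plain TLD
    for n in (3, 2):                           # longest public suffix wins
        if len(labels) > n and ".".join(labels[-n:]) in PUBLIC_SUFFIXES:
            cut = n + 1
            break
    return labels[:-cut], ".".join(labels[-cut:])


def embedded_brand(prefix_labels):
    """First watched brand that appears as consecutive labels in the prefix.
    "sendspacecom" (dot dropped) is one label and therefore does not match,
    which is exactly the test-run typo the post points out."""
    for brand in WATCHED_BRANDS:
        want = brand.split(".")
        for i in range(len(prefix_labels) - len(want) + 1):
            if prefix_labels[i:i + len(want)] == want:
                return brand
    return None


def classify(hostname):
    """Return {"registrable", "brand", "verdict"} for one hostname."""
    try:
        prefix, reg = split_hostname(hostname)
    except ValueError:
        return {"registrable": None, "brand": None, "verdict": "invalid"}
    brand = embedded_brand(prefix)
    if reg.rsplit(".", 1)[-1] not in KNOWN_TLDS:
        verdict = "unknown_tld"         # ".compl", "favuccaim": dead on arrival
    elif reg in WATCHED_BRANDS:
        verdict = "genuine_brand"       # the real www.sendspace.com
    elif brand:
        verdict = "brand_spoof"
    else:
        verdict = "no_brand_match"      # not a lookalike; not a clean bill either
    return {"registrable": reg, "brand": brand, "verdict": verdict}


if __name__ == "__main__":
    for h in ("alerts.cforms.visa.com.suecond.co.nz",
              "getreport.aba.com.uifersar.cn.com",
              "update.aol.com.favuccacom.im",
              "www.sendspace.com.iko999j0.compl",
              "www.sendspacecom.iko999j1.com.pl",
              "www.sendspace.com"):
        print(f"{h:45} {classify(h)}")
```

Two things worth noticing in the results. "update.aol.com.favuccacom.im" is still a brand spoof, because "favuccacom.im" is a perfectly registrable name and the crooks registered it alongside "favucca.com.im"; only the ".compl" and bare "favuccaim" variants are unregistrable typos. And "no_brand_match" for "www.sendspacecom.iko999j1.com.pl" means the lure lost its disguise, not that the domain is safe: block on the registrable domain, not on the brand match.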

The webpage looks like this:





While they are at it, perhaps they'll remember to update their malware as well. The version being distributed in this campaign is the same one that was being distributed when the campaign ended on December 20th, which means that 34 of 41 anti-virus products can detect it, according to this VirusTotal Report.

The websites have a secondary infector. An IFRAME in the code calls a malicious website at "gerolli.co.uk". Last time around it was pulling a file from the "/2img/" subdirectory there. This time around it's pulling a file from "/3img/in.php", which when loaded causes "pdf.pdf" to be dropped on the machine, which in turn leads to a fake anti-virus product being installed within a few minutes.

The Zeus bot uses "stomaid.ru" as its Command & Control - just as it has since December 9th.

The computers hosting the "sendspace" version of this webpage are also hosting the "USAA" version that we discussed in yesterday's article - USAA Bank Latest Avalanche Scam.

If you want to see the December version websites, they are listed below:

www.sendspace.com.1citvil1.be
www.sendspace.com.beermeetibe
www.sendspace.com.beermeeti.be
www.sendspace.com.dftjilllcom
www.sendspace.com.dftjilll.com

NodalGenesis

NodalGenesis is a project aimed at creating a biological pencil, where the nodes take on a life of their own after being placed.
Manual Generative Artwork is the name Bernat Fortet gave to this kind of "drawing", made with Flash AS 3.0.

Sunday, January 17, 2010

USAA Bank latest Avalanche Scam

Another major spam campaign has been seen in the "avalanche" group. This one seems to be a "phishing only" spam, as opposed to recent versions that also infect with malware. We've seen more than 5,000 copies of the email in the UAB Spam Data Mine today.

The emails look like this:



We've seen 95 base subject lines:

account notification: security alert
automatic notification
automatic reminder
Customer notification
Enhanced online security measures
Important alert
Important announce
Important banking mail from USAA
important banking mail
Important information
important instructions
important notice from USAA
Important notification from USAA
important notification
Important security alert from USAA
important security update
important USAA mail
information from USAA customer service team
information from USAA customer service
Instructions for customer
instructions for our customers
instructions for USAA customer
instructions for USAA customers
instructions from customer service team
instructions from customer service
message from customer service team
message from customer service
New enhanced online security measures
New online security measures
New security measures
new security notification
new USAA form released
New USAA form
notification from USAA
notification
official information
official update
online banking alert
Our enhanced online security measures
our new security measures
safeguarding customer information
scheduled security maintenance
Security alert
security issues
Security maintenance
security measures
Service message from USAA
service message
service notification from USAA
software updating
Urgent message for USAA customer
Urgent message from USAA
Urgent notification from customer service
urgent notification
Urgent security notification
USAA customer service informs you
USAA customer service team informs you
USAA customer service: account notification
USAA customer service: important information
USAA customer service: important message
USAA customer service: important notification
USAA customer service: important security update
USAA customer service: instructions for customer
USAA customer service: new online form released
USAA customer service: notification
USAA customer service: official information
USAA customer service: official update
USAA customer service: security alert
USAA customer service: security issues
USAA customer service: service message
USAA customer service: urgent notification
USAA notification
USAA online form
USAA reminder: notification
USAA reminder: online form
USAA reminder: please complete online form
USAA security upgrade
USAA: alert - online form released
USAA: customer alert
USAA: important announce
USAA: important information
USAA: important message
USAA: important notification
USAA: important security update
USAA: instructions for customer
USAA: notification
USAA: online form released
USAA: security alert
USAA: security issues
USAA: service message
USAA: software updating
USAA: urgent message
USAA: urgent notification
USAA: urgent security notification
we have released new version of USAA form

The subject lines are made unique by appending either a timestamp, a message ID, or a reference number. So, for example, the base subject "Account notification: security alert" was received with many patterns, including:

Account notification: security alert [message id: 6411033822]
Account notification: security alert [message id: 8829877625]
Account notification: security alert
account notification: security alert [message ref: 1976348562]
Account notification: security alert [message ref: 2573324226]
account notification: security alert [message ref: 2956755073]
account notification: security alert (message ref: 4790726101)
account notification: security alert
account notification: security alert (message ref: 7771108239)
account notification: security alert [message ref: 8030440576]
account notification: security alert Mon, 18 Jan 2010 00:11:54 +0100
account notification: security alert Mon, 18 Jan 2010 00:48:19 +0100
account notification: security alert Mon, 18 Jan 2010 09:30:38 +1000
Account notification: security alert - Ref No. 511853
Account notification: security alert Sun, 17 Jan 2010 14:14:28 -0300
Account notification: security alert Sun, 17 Jan 2010 14:18:53 -0300
account notification: security alert Sun, 17 Jan 2010 14:35:54 -0300
Account notification: security alert Sun, 17 Jan 2010 17:15:30 +0000

The actual website looks like this:



The URL contains:

/inet/ent_formversionnew/do_action.php?id=(bignumberhere)&email=(emailhere)

Websites we've seen used in spam today (Jan 17) include:

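A small mail-triage helper, added here as an example rather than code from the original post, that collapses the uniqued subject lines back to their base subject and flags hosts that embed the usaa.com brand as leading labels of a foreign domain. The suffix patterns and the do_action.php path come from the samples above; the sample values in the comments are constructed.

```python
import re
from urllib.parse import urlsplit

# Uniquing tokens seen in this campaign: "[message id: N]", "(message ref: N)",
# "- Ref No. N", or an RFC 2822 date stamp appended to the subject.
_SUFFIX_RE = re.compile(
    r"\s*(?:[\[(]\s*message\s+(?:id|ref)\s*:\s*\d+\s*[\])]"
    r"|-\s*Ref\s+No\.\s*\d+"
    r"|(?:Mon|Tue|Wed|Thu|Fri|Sat|Sun),\s+\d{1,2}\s+\w{3}\s+\d{4}"
    r"\s+\d\d:\d\d:\d\d\s+[+-]\d{4})\s*$",
    re.IGNORECASE,
)


def base_subject(subject):
    """Strip the per-message uniquing token and case-fold to the base subject."""
    return _SUFFIX_RE.sub("", subject).strip().lower()


def cluster_subjects(subjects):
    """Count how many messages share each base subject (campaign clustering)."""
    counts = {}
    for s in subjects:
        b = base_subject(s)
        counts[b] = counts.get(b, 0) + 1
    return counts


def brand_spoof(host, brands=("usaa.com",)):
    """Return the brand whose full name forms the leading labels of a longer,
    foreign host (e.g. www.usaa.com.<random>.com.pl), else None."""
    labels = host.lower().strip(".").split(".")
    if labels and labels[0] == "www":
        labels = labels[1:]
    for brand in brands:
        bl = brand.split(".")
        if labels[:len(bl)] == bl and len(labels) > len(bl):
            return brand
    return None


def phish_url_indicators(url):
    """Combine the host check with the kit path and the harvested-email parameter."""
    parts = urlsplit(url if "://" in url else "http://" + url)
    return {
        "spoofed_brand": brand_spoof(parts.hostname or ""),
        "usaa_kit_path": parts.path.endswith("/ent_formversionnew/do_action.php"),
        "has_email_param": "email=" in parts.query,
    }
```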

Wednesday, January 13, 2010

Minipost: #CNIRcyberwar ? ? ?

Several Chinese hacker groups have decided to retaliate for the "Iranian Cyber Army" attack against the Chinese search engine, Baidu.com, which we reported yesterday in our story Iranian Cyber Army Returns - Target: Baidu.

A few sources (thanks especially @packetninjas) have sent me links to Chinese webpages where their hacker community is expressing outrage by hacking back. One Twitter hashtag seen with regard to this effort has been #CNIRcyberwar.

Despite the hashtag, there is no evidence whatsoever that there are GOVERNMENTS involved in this so-called CyberWar. On the Chinese side, this is the action of some patriotic but misguided youth who believe they can change world opinion by trashing a few insignificant websites. On the Iranian side, there is no evidence that any malice was intended towards the nation of China - it seemed their objective was to just place their message before a large audience - a goal they seem to have accomplished. I consider it highly unlikely that additional Iranian attacks on Chinese servers will result from this "CyberWar".

A hacker who claims membership in the "Honker Union for China" has posted many defacements of Iranian sites, along with lists of "official Iranian government sites" that he believes should be targeted, on the site:

http://bbs.360.cn/4261899/34063883.html

There is certainly debate going on, even within his own hacker community. One post this morning on "forums.chinesehonker.org" argued that the Iranians may not be behind the attack, but that it might really be the "dark Yankees" trying to stir up trouble. The rationale of that poster was that the attack came the day before a Chinese government missile interception test. ??? really ???

In the absence of conclusive evidence, I am inclined to think it was very likely the Americans who did it. The reason is that the day before Baidu was hacked we carried out a missile interception test, which then led to Baidu being hacked; this is a network attack triggered by a political event.
(from 自强不息 on forums.chinesehonker.org)

There is also an attempt to improve the image of Chinese hackers in the world with a little grammatical help from their friends. Another "honker" in the room suggests some help with one defacer's wording, suggesting that they replace:

The big national power spurs strong corps!

with

Our nation has internet experts who aren't afraid to fight back.

and

we are Oppose the special prganization of IR

with

We oppose this special organization of IR.


The Iranian attacks are being discussed in a thread on Baidu as well:


http://tieba.baidu.com/f?kz=695043079

This "soldier" is listing stored images of defaced Iranian websites, which he's actually pulling from the posts of "soping" on the site "bbs.360.cn":

room98.ir - Defaced image, including the text:



chinese honker team[H.U.C.]

I'm very sorry for this Testing!
Because of this morning your Iranian Cyber Army
Maybe you haven't konw this thing!
This morning your Iranian Cyber Army intrusion our baidu.com
So i'm very unfortunate for you
Please tell your so-called Iranian Cyber Army
Don't intrusion chinese website about The United States authoritires to intervene
This is a warning!
Khack by toutian from Honker Union For China


Other sites on his list include:

www.iribu.ir - Defacement image

Text:
CHINA Honker
China do not hear any foreign hacker!
The big national power spurs strong corps!
we are Oppose the special prganization of
IR

Another version of the text read:

Anysize
We are Red_hacker
Let the world hear the voice of China
The state is higher than the dignity of all!

f*** ir !
china up !
honker_Anysize@qq.com
(archived image)

That same text, with a different background image, also appeared on www2.mousavian.ir - (archived image)

An earlier version of the text (another hacker probably using the same vulnerability) read:

High-profile work being
Viruses, anti-virus, invasion, the invasion
The darkness of night, slowly permeates the wing?
The third area information security group By: h4ck3ber

The People's Republic of China Long Live
The great Chinese people long live
Domestic safety inspection
Oppose splkitting Safeguarding unity
http://hi.baidu.com/no_hackTime

pankration.gov.ir - Defacement image

www.diabetes.ir/home - Defacement image

Each of these sites is being tagged repeatedly by various hackers, as you can see documented in this thread:

http://bbs.360.cn/4261899/34063883.html?page=3

Tuesday, January 12, 2010

Optical illusion by Akiyoshi Kitaoka





Akiyoshi Kitaoka, a professor in the Department of Psychology at Ritsumeikan University, Kyoto, Japan, studies visual perception and optical illusions.