From Cocos Islands to Cameroon (14 Jul, Eugene Aseev)
The cybercrime business is really no different from other types of business such as pasta making or selling spare parts for cars. It has its own expenses and overheads, and a hacker, just like any businessman, tries to keep the cost of each attack down.
In general, a web attack needs a domain name and hosting in order to spread malicious files. Hosting is fairly straightforward: the criminals either buy it themselves or store their files on compromised servers. Defenders cannot simply block an entire file server, since legitimate content is usually hosted on it as well.
Domain names, on the other hand, can be blocked quickly by security products. A black hat therefore has to constantly rotate the domain names from which attacks originate.
Registering a second-level domain name is relatively expensive (on average from $5 to $20 per domain), which is why cybercriminals often save money by using free third-level domain names: subdomains handed out under a zone run by a free subdomain service.
Lately, the co.cc and cz.cc services have been at the forefront of cybercriminal activity. Hundreds of domain names were being registered there every day, spreading a huge amount of malware over the Internet.
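The practical consequence for a defender is that a name like `www.something.co.cc` is not "a host under the cc TLD": the tenant controls only the third-level label, so a blocklist has to match on that label, and a whole-zone block (what Google later did with co.cc) hits every tenant at once. The following is an added example, not code from the original post or from Kaspersky. It classifies constructed sample URLs against a small hand-written suffix set in which co.cc and cz.cc (named in the post) are treated as public suffixes; the other suffixes, the sample hostnames and the blocklist entry are assumptions for illustration.

```python
from urllib.parse import urlsplit

# Hand-written stand-in for the Public Suffix List. co.cc and cz.cc are the
# free third-level zones named in the post; the other entries are ordinary
# TLDs added for comparison. A real deployment should load the real PSL.
FREE_SUBDOMAIN_ZONES = {"co.cc", "cz.cc"}
PUBLIC_SUFFIXES = {"com", "net", "org", "ru", "cc"} | FREE_SUBDOMAIN_ZONES

# Constructed sample URLs (not from the post), shaped like a proxy log.
SAMPLE_URLS = [
    "http://www.scanner-update.co.cc/install.exe",
    "http://scanner-update.co.cc/",
    "http://another-tenant.co.cc/index.html",
    "http://promo-pages.cz.cc/go.php",
    "http://co.cc/",
    "http://example.com/page",
]


def public_suffix(host):
    """Longest known public suffix of host, e.g. 'co.cc' for 'x.co.cc'."""
    labels = host.lower().strip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in PUBLIC_SUFFIXES:
            return candidate
    return ""


def registrable_domain(host):
    """The name a tenant actually registers: one label below the public
    suffix. Returns None for a bare suffix such as 'co.cc' itself."""
    suffix = public_suffix(host)
    labels = host.lower().strip(".").split(".")
    n = len(suffix.split(".")) if suffix else 0
    if not suffix or len(labels) <= n:
        return None
    return ".".join(labels[-(n + 1):])


def is_free_third_level(host):
    """True if the host was handed out by a free subdomain service."""
    return (public_suffix(host) in FREE_SUBDOMAIN_ZONES
            and registrable_domain(host) is not None)


def is_blocked(host, blocklist):
    """Block on the registrable domain: 'www.bad.co.cc' matches an entry
    'bad.co.cc', while 'other.co.cc' (a different tenant) does not."""
    return registrable_domain(host) in blocklist


def classify_urls(urls):
    """Return (host, registrable domain, free-third-level flag) per URL."""
    rows = []
    for url in urls:
        host = urlsplit(url).hostname or ""
        rows.append((host, registrable_domain(host), is_free_third_level(host)))
    return rows


if __name__ == "__main__":
    blocklist = {"scanner-update.co.cc"}  # assumed blocklist entry
    for host, reg, free in classify_urls(SAMPLE_URLS):
        print(f"{host:32} registrable={reg!s:24} free_zone={free} "
              f"blocked={is_blocked(host, blocklist)}")
```

Matching on the registrable domain is what lets a product block one abusive co.cc tenant without touching its neighbours; the flip side, which the post goes on to describe, is that the provider or a search engine can make the whole zone worthless for attackers in one move.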
However, a couple of weeks ago an unprecedented event occurred: Google removed all resources located under co.cc from its search results.
As a result, it was no longer profitable for cybercriminals to register domain names in this zone, especially for those who rely on search engines (e.g. for spreading rogue AV with the help of black-hat search engine optimization).
When we found it, Kaspersky Anti-Virus detected the sample heuristically as Heur.Trojan.Win32; meanwhile the Jotti multiscanner result was 1/20, i.e. only one of 20 engines flagged it.
2) SEO-optimized for all non-Russian Google searchers, leading to rogue AVs, in particular to "XP Anti-Virus 2011", which is quite aggressive: it blocks Internet access and extorts money for "activation".