The “S” Files


Alex, 4x4 fan
Tolder – The new Maxided shield company
Read how dedicated servers from Maxided are used and who is behind the setup.
(Updated 2nd April 2017)
Who am I
Bestbuy – VDOS reloaded
Read how Bestbuy operated the largest Mirai-based botnet and its connection with VDOS.
(Updated 23rd February 2017)
Mirai and VDOS-S attacks against Lonestarcell in Liberia
Read about how Mirai is being used to attack Lonestarcell in Liberia and how VDOS was also used against the GSM operator in the past. (Updated 9th November)
Mirai runs hidden behind a new network prefix at dataflow.su
Read how we discovered where one of the Mirai C2s is hidden and how new network prefixes and fake ASNs are used by bulletproof hosters. Check how routing announcements are pushed from hidden locations, how RIPE objects are created with fake documents and how a “grocery store” got the IP space!
Nick The Lim – The uprising
Read about Nick Lim's uprising against @MalwareTech and how @BannedOffline makes fun of the very same person who hosted the Ghost Squad Hackers website.
Who is Rainbow?
Learn who is behind many attacks in VDOS and Booter.xyz. Meet one more Pony. Meet Rainbow.
New World Hackers and Blazingfast
Are the latest denial of service attacks really the work of Russian and Chinese hackers?
Ponies in the mist and Stressit.org
Ponies in the mist tells you how we just found stressit.org and the real owner of Proginter.com, which hosted booter.xyz, powered by VDOS.
Booter XYZ and Proginter (Updated 15th October 2016) <PART I>
Who is behind 180k attacks using the VDOS booter API? This is the story of booter.xyz and Proginter.com.
Eden Hen
Proginter and the booter.xyz saga <PART II> (Last update: 1st November 2016)
The owner of Proginter.com has reached out to us to clarify his role in the stress-testing service booter.xyz.
Harambe or not harambe! Attacks against SpoofIT (Updated 19th October 2016)
For the past twelve hours, the site has been under denial-of-service attack. Shame on you!
The 665 Gbps attack on “Krebs On Security”
During the month of September 2016, we monitored the activities of the Ghost Squad Hackers (GSH), a hacker group that until then had actively participated in Anonymous operations such as #OpIcarus, targeting banks, and #OpIsrael.
Kepler, the Russian web flooder
If you wonder how malicious actors find newly assigned address space to operate bulletproof hosting providers, keep reading! We have been monitoring VDOS and other similar services for a few years now, trying to better understand this “pay-as-you-go attack industry”.
New Mirai instances are being deployed! (Part 1)
This page collects updates about our findings about the Mirai botnet. The information contained in this page has been obtained after analyzing several samples of the malware. Despite the media attention that Mirai has received so far, very little information is available about the other infrastructure needed to operate the botnet.

Mirai Samples (Part 2)
This article includes a collection of Mirai samples that we have collected for different platforms.
Santa's Big Candy Cane: Mirai C&C
On Friday, 30th September, Anna-senpai posted the source code of the Mirai botnet. After reviewing the code and comparing it with our own findings, we can confirm that the code release is authentic. The botnet communicates with two “services”: one is the command and control and the other is a “reporter”…
Fantomnet and Ghost Anti-DDoS
@BannedOffline started to collaborate closely with Fantomnet to build an anti-DDoS hosting service for GSH and their supporters: ghostantiddos.com. Fantomnet claims to have two members, Crazy and Mike Fantom. ghostantiddos.com's low-cost DDoS protection strategy was to host the protected site behind third-party providers offering DDoS protection and to focus on layer 7 (application) protection, as this is the most common traffic that leaks through such providers.
Are Stress Testing Services Legitimate?
The business logic behind stress testing services is that site owners should have the right to test and benchmark the security and performance of their own websites. Stress-testing service owners offer a service that “in theory” is supposed to be used for legitimate purposes. Here is a collection of reasons why we believe that stress
The “Sindicate” and DNS amplification
Thanks to the leak of data from the VDOS stress tester, we gained access to the history of commands run on the server. A selection of those commands shows how the owners of VDOS were feeding their attack amplification tools with lists of open resolvers.
The lists were obtained by actively scanning the whole Internet from a server of an organization known as the “Sindicate Group”.
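The teaser above mentions amplification tools fed with open-resolver lists. As an added example that is not part of the original page, the Python below builds the kind of query such tools send (a recursive ANY query with a large EDNS0 buffer, which an attacker would emit with a spoofed source address), a constructed oversized TXT response, and the two checks a defender would run over a resolver: the amplification factor (response bytes per query byte) and whether the resolver behaves as an open recursive resolver (answers a foreign zone with RA set). The domain example.net, the transaction ID and the record contents are constructed; nothing is sent over the network.

```python
import struct

# Everything here is constructed for the example: no packets leave the host.
QTYPE_TXT, QTYPE_ANY, QTYPE_OPT = 16, 255, 41
FLAG_QR, FLAG_RD, FLAG_RA = 0x8000, 0x0100, 0x0080


def encode_name(name: str) -> bytes:
    """Encode a domain name as length-prefixed labels (RFC 1035 §3.1)."""
    labels = name.rstrip(".").split(".")
    return b"".join(struct.pack("B", len(l)) + l.encode() for l in labels) + b"\x00"


def opt_rr(udp_payload: int) -> bytes:
    """EDNS0 OPT pseudo-RR (RFC 6891): root name, type 41, CLASS carries the UDP payload size."""
    return b"\x00" + struct.pack(">HHIH", QTYPE_OPT, udp_payload, 0, 0)


def build_query(name: str, qtype: int, txid: int = 0x1234, udp_payload: int = 4096) -> bytes:
    """Recursive query advertising a 4096-byte buffer: the shape amplification tools send."""
    header = struct.pack(">HHHHHH", txid, FLAG_RD, 1, 0, 0, 1)  # QDCOUNT=1, ARCOUNT=1 (OPT)
    return header + encode_name(name) + struct.pack(">HH", qtype, 1) + opt_rr(udp_payload)


def build_response(query: bytes, txt_records: list, recursion_available: bool = True) -> bytes:
    """Constructed resolver answer: echoes the question, then one TXT RR per record.

    Answer owner names use a compression pointer (0xC00C) to the question name at offset 12.
    TXT RDATA is a sequence of <len><chars> strings, each at most 255 bytes.
    """
    (txid,) = struct.unpack(">H", query[:2])
    qname_end = query.index(b"\x00", 12) + 1           # terminator of the question name
    question = query[12:qname_end + 4]                  # QNAME + QTYPE + QCLASS
    flags = FLAG_QR | FLAG_RD | (FLAG_RA if recursion_available else 0)
    header = struct.pack(">HHHHHH", txid, flags, 1, len(txt_records), 0, 1)
    answers = b""
    for txt in txt_records:
        chunks = (txt[i:i + 255] for i in range(0, len(txt), 255))
        rdata = b"".join(struct.pack("B", len(c)) + c for c in chunks)
        answers += b"\xc0\x0c" + struct.pack(">HHIH", QTYPE_TXT, 1, 300, len(rdata)) + rdata
    return header + question + answers + opt_rr(4096)


def parse_header(pkt: bytes) -> dict:
    """Decode the 12-byte DNS header into the fields the checks below need."""
    txid, flags, qd, an, ns, ar = struct.unpack(">HHHHHH", pkt[:12])
    return {
        "id": txid,
        "qr": bool(flags & FLAG_QR),
        "rd": bool(flags & FLAG_RD),
        "ra": bool(flags & FLAG_RA),
        "rcode": flags & 0x000F,
        "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar,
    }


def amplification_factor(query: bytes, response: bytes) -> float:
    """Bytes the victim receives per byte the attacker sends through the resolver."""
    return len(response) / len(query)


def is_open_recursive(response: bytes) -> bool:
    """Vetting check: the resolver answered (QR), advertises recursion (RA), succeeded
    (RCODE 0) and returned answers. The caller must have asked for a zone the resolver
    is not authoritative for; only then does a positive result mean 'open resolver'."""
    h = parse_header(response)
    return h["qr"] and h["ra"] and h["rcode"] == 0 and h["ancount"] > 0


if __name__ == "__main__":
    q = build_query("example.net", QTYPE_ANY)
    # Open resolver returning ten 255-byte TXT records: a large, cacheable amplifier.
    big = build_response(q, [b"A" * 255] * 10)
    # Resolver that refuses recursion and only returns a small record.
    small = build_response(q, [b"v=spf1 -all"], recursion_available=False)
    for label, resp in (("open", big), ("closed", small)):
        print(f"{label}: {len(q)} -> {len(resp)} bytes, "
              f"x{amplification_factor(q, resp):.1f}, open_recursive={is_open_recursive(resp)}")
```

The 40-byte query versus the 2720-byte answer gives a factor of 68, which is why resolver lists with ANY/TXT-rich zones are valuable to booter operators and why dropping or rate-limiting recursion for non-local clients (or returning minimal answers to ANY) shrinks that ratio on the defender's side.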