This archive is retained to ensure existing URLs remain functional. It will not contain any emails sent to this mailing list after July 1, 2024. For all messages, including those sent before and after this date, please visit the new location of the archive at https://mailman.ripe.net/archives/list/anti-abuse-wg@ripe.net/
[anti-abuse-wg] Fwd: Re: botnet controllers
Richard Clayton
richard at highwayman.com
Fri Jul 10 14:58:58 CEST 2020
>In message <20b290b5003cafb91745b7db6d31cd57 at fos-vpn.org>, info at fos-vpn.org writes

[various message about abuse issues around VPNs without logging]

In message <oTPJCACb0FCfFAyl at highwayman.com>, Richard Clayton <richard at highwayman.com> writes

>I can understand the attractions to you of that business model.

List readers may be interested in what I found when I decided to have a look at the "fos-vpn" website (I find that it is invariably interesting to see what people actually publish in T&Cs etc)

http://www.fos-vpn.org redirects to torservers.net (where there is lots to read, so anyone interested can have a look).

However https://www.fos-vpn.org does not redirect to the same website! (easy mistake to make) instead it serves up the website codevest.sh (which appears also to be known as codevest.to).

There's not a whole lot on the codevest website to explain what it is about, however some Googling will reveal that it is a licensing system widely advertised on HackForums (a well-known gathering place for all sorts of hackers, both good and bad ... you may have heard of it as the place where the Mirai source code was first published).

I leave it to the reader to explore HackForums, but to save you a bit of time the PaloAltoNetworks Unit42 people had this to say about codevest in October 2019, in their review (if that's the right word) of "Blackremote" an expensive RAT (remote access trojan) being sold by a Swedish actor:

    Blackremote utilizes the third-party "CodeVEST" licensing system, also peddled on underground forums. The licensing system validates by connecting to codevest[.]sh. "CodeVEST" seems to take the place of "Netseal" as a registration service used by commodity malware. The author of "Netseal", Taylor Huddleston, was charged in 2017 for that operation together with the sale of his own commodity malware, "Nanocore RAT." The same person who offers the "Codevest" licensing service, also profits from a crypting service "Cyber Seal".

    This highlights the role in the commodity malware ecosystem of not only the malware sellers, but also service providers such as the licensing services they use, and the crypting services they purchase to avoid detection of the malware that they build.

I found that fascinating, but cannot vouch for its accuracy except to say that I have a high regard for Unit42.

-- 
richard Richard Clayton

Those who would give up essential Liberty, to purchase a little temporary Safety, deserve neither Liberty nor Safety. Benjamin Franklin 11 Nov 1755