After the discovery of the Carbanak malware, indicators of compromise connected to the malware were released.
One of them was the domain systemsvc.net.
It later turned out that this domain pointed to the web server of the FSB (IP 213.24.76.23).
Several security researchers noticed this and reported it publicly. Three explanations were offered:
1) At first the general opinion was that the criminals changed the domain to point at the FSB web server once their campaign was exposed, as some sort of easter egg. Funny, probably not that smart, but possible.
2) The FSB confiscated the domain and pointed it to its web server for sinkholing purposes. This option does not follow the general rules of sinkholing, however, especially not when you direct the traffic straight to your main web server.
The main web server handles your regular web traffic; pointing the traffic of an APT campaign at it could produce a DDoS effect in which your main web site becomes unreachable, exactly what you want to avoid when sinkholing. Since the purpose of that server is serving the website, it would be far more practical to use a completely separate setup for sinkholing.
3) The third and last option seemed unlikely, but it could be that the FSB made a huge mistake and, by accident or neglect, was involved in the whole Carbanak campaign from the beginning: neglecting to use dedicated, untraceable infrastructure, or perhaps pressuring the fraudsters to relay their activities back to the FSB. This option is ruled out by most, especially in the RU countries. (*wink*)
Remarkable
As a starting point it was always assumed that the domain only started pointing to the FSB web server after the Carbanak APT attack was exposed. Some digging into DNS history databases now reveals that the domain started pointing to the FSB web server close to its registration date.
The domain was registered on 28-10-2014.
On 4-11-2014 the domain systemsvc.net was first seen (in the wild) pointing to 213.24.76.23.
VirusTotal has an entry for systemsvc.net pointing to 213.24.76.23 on 5-11-2014.
It turns out the domain systemsvc.net has been pointing to the FSB web server since within a week of its registration, months before the campaign was exposed! The Kaspersky PDF about this attack tells us the domain pointed to the IP address 131.72.138.18. Our research connects that IP to this domain only occasionally (for example, one VirusTotal entry shows systemsvc.net pointing to 131.72.138.18 on 29-10-2014).
A slightly different domain, system-svc.net, has been seen pointing to 131.72.138.18 all along.
Looking at the chain of events above, we can conclude that the attackers used this FSB IP address for the domain from the beginning. They even changed the IP address several times and then switched back to the FSB IP address. With this in mind, pointing systemsvc.net at the FSB IP address looks like a persistent routine rather than a randomly made-up joke.
These are fascinating new insights that have to be kept in mind.
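The reasoning above (first-seen date versus registration and exposure dates, and a domain repeatedly returning to one IP) can be automated once you have passive-DNS records. The script below is an added example, not code from the original post or from any of the parties it discusses. It generalises the post's manual check: for any domain/IP pair it reports the first observation, whether that predates a reference date, how often the domain left that IP and came back, and whether a sibling domain ever resolved anywhere else. Every record, name (c2-a.example, c2-b.example), address (RFC 5737 documentation ranges) and reference date in it is constructed for illustration; none of it is the real indicator data.

```python
"""Passive-DNS timeline analysis (added example, not from the original post).

Given passive-DNS observations (domain, date, ip), answer the questions a
threat-intel analyst asks by hand: when was a domain first seen resolving to
a given IP, did that predate a reference date (registration, public
exposure), how often did the domain leave that IP and come back, and did a
sibling domain ever resolve anywhere else.

All records below are CONSTRUCTED for illustration: .example names and
RFC 5737 documentation addresses, not the real indicators from the post.
"""
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Observation:
    domain: str
    seen: date   # day the resolution was observed
    ip: str


def _as_date(value):
    """Accept either a date or an ISO-8601 string such as '2014-11-04'."""
    return value if isinstance(value, date) else date.fromisoformat(value)


# Constructed sample passive-DNS feed (not real data). Deliberately unsorted:
# real feeds are rarely chronological.
SAMPLE = [
    Observation("c2-a.example", date(2014, 11, 5), "203.0.113.23"),
    Observation("c2-a.example", date(2014, 10, 29), "198.51.100.18"),
    Observation("c2-a.example", date(2014, 11, 4), "203.0.113.23"),
    Observation("c2-a.example", date(2014, 12, 1), "198.51.100.18"),
    Observation("c2-a.example", date(2015, 1, 10), "203.0.113.23"),
    Observation("c2-b.example", date(2015, 2, 1), "198.51.100.18"),
    Observation("c2-b.example", date(2014, 10, 29), "198.51.100.18"),
]


def timeline(obs, domain):
    """Chronological (date, ip) pairs for one domain, repeats kept."""
    return sorted((o.seen, o.ip) for o in obs if o.domain == domain)


def first_seen(obs, domain, ip):
    """Earliest date the domain was observed resolving to ip, or None."""
    dates = [o.seen for o in obs if o.domain == domain and o.ip == ip]
    return min(dates) if dates else None


def predates(obs, domain, ip, reference):
    """True if domain -> ip was already observed strictly before reference."""
    seen = first_seen(obs, domain, ip)
    return seen is not None and seen < _as_date(reference)


def resolution_changes(obs, domain):
    """Collapse consecutive identical resolutions into the dates the IP changed."""
    changes = []
    for seen, ip in timeline(obs, domain):
        if not changes or changes[-1][1] != ip:
            changes.append((seen, ip))
    return changes


def returns_to(obs, domain, ip):
    """How many times the domain moved away from ip and later came back to it."""
    ips = [ip_ for _, ip_ in resolution_changes(obs, domain)]
    # Consecutive entries always differ, so a hit after an earlier hit is a return.
    return sum(1 for i in range(1, len(ips)) if ips[i] == ip and ip in ips[:i])


def only_ip(obs, domain):
    """The single IP a domain has ever resolved to, or None if it has changed."""
    ips = {o.ip for o in obs if o.domain == domain}
    return ips.pop() if len(ips) == 1 else None


def report(obs, domain, ip, registered, exposed):
    """Summarise the evidence for one domain/IP pair in a dict."""
    seen = first_seen(obs, domain, ip)
    return {
        "first_seen": seen,
        "days_after_registration": (seen - _as_date(registered)).days if seen else None,
        "before_exposure": predates(obs, domain, ip, exposed),
        "returns_to_ip": returns_to(obs, domain, ip),
        "changes": resolution_changes(obs, domain),
    }


if __name__ == "__main__":
    # Reference dates are constructed too; "exposed" stands in for the day
    # the campaign was publicly reported.
    for key, value in report(SAMPLE, "c2-a.example", "203.0.113.23",
                             registered="2014-10-28", exposed="2015-03-01").items():
        print(f"{key}: {value}")
    print("c2-b.example only ever resolved to:", only_ip(SAMPLE, "c2-b.example"))
```

The check that matters for the post's argument is `predates` with the exposure date as reference: if the domain already resolved to the IP before the campaign became public, the "easter egg after exposure" and "sinkhole after exposure" explanations need more evidence than the resolution alone. `returns_to` gives the "switched back several times" observation a number instead of an impression, and `only_ip` is the check behind "system-svc.net pointed to 131.72.138.18 all along".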