April 3, 2013

A year ago today, Apple released a software update to halt the spread of the Flashback worm, a malware strain that infected more than 650,000 Mac OS X systems using a vulnerability in Apple’s version of Java. This somewhat dismal anniversary is probably as good a time as any to publish some clues I’ve gathered over the past year that point to the real-life identity of the Flashback worm’s creator.

Before I delve into the gritty details, a little background on this insidious contagion is in order. A keenly detailed research paper (PDF) published last year by Finnish security firm F-Secure puts the impact and threat from Flashback in perspective, noting that the malware boasted a series of “firsts” for its kind. For starters, Flashback was the first OS X malware to be “VMware aware” — or to know when it was being run in a virtual environment (a trick designed to frustrate security researchers). It also was the first to disable XProtect, OS X’s built-in malware protection program. These features, combined with its ability to spread through a then-unpatched vulnerability in Java, made Flashback roughly as common for Macs as the Conficker Worm was for Windows PCs.

“This means Flashback is not only the most advanced, but also the most successful OS X malware we’ve ever seen,” wrote F-Secure’s Broderick Ian Aquilino.

The F-Secure writeup answers an important question not found in other analyses: Namely, what was the apparent intended purpose of Flashback? Put simply: to redirect Google results to third-party advertisers, all for the author’s profit. Its name was derived from the fact that it spread using a social engineering trick of presenting the OS X user with a bogus Flash Player installation prompt. F-Secure notes that this same behavior — both the Flash social engineering trick and the redirection to fake Google sites that served search results for third-party advertisers that benefited the author — was also found in the QHost malware, suggesting that Flashback may have been the next evolution of the Mac QHost malware.

BLACK SEO

A year ago, I published a series that sought to identify the real-life hackers behind the top spam botnets. Using much the same methodology, I was able to identify and locate a young man in Russia who appears (and privately claims) to be the author of Flashback. As it happens, this individual hangs out on many of the same forums as the world’s top spammers (but more on that at another time).

Given Flashback’s focus on gaming Google’s ad networks, I suspected that the worm’s author probably was a key member of forums that focus on so-called “black hat SEO” (search engine optimization), or learned in illicit ways to game search engines and manipulate ad revenues. Sure enough, this individual happens to be a very active and founding member of BlackSEO.com, a closely guarded Russian language forum dedicated to this topic.

Below is a screen shot taken from a private message between a “VIP” user named “Mavook” and a top forum member on BlackSEO.com. The conversation took place on July 14, 2012. A rough translation of their conversation is superimposed on the redacted screen grab, but basically it shows Mavook asking the senior member for help in gaining access to Darkode.com, a fairly exclusive English-language cybercrime forum (and one that I profiled in a story earlier this week).

BlackSEO.com VIP member "Mavook" claims responsibility for creating Flashback to a senior forum member.

Mavook asks the other member to get him an invitation to Darkode, and Mavook is instructed to come up with a brief bio stating his accomplishments, and to select a nickname to use on the forum if he’s invited. Mavook replies that the Darkode nick should not be easily tied back to his BlackSEO persona, and suggests the nickname “Macbook.” He also states that he is the “Creator of Flashback botnet for Macs,” and that he specializes in “finding exploits and creating bots.”

The senior member that Mavook petitions is quite well known in the Russian cybercrime underground, and these two individuals also are well known to one another. In fact, in a separate exchange on the main BlackSEO forum between the senior member and a BlackSEO user named JPS, the senior member recommends Mavook as a guy who knows his stuff and can be counted on to produce reliable attack tools.

In the conversation screen-shotted here to the left, JPS can be seen asking the senior forum member for recommendations about reliable individuals who sell unique exploit packs, software toolkits built to be stitched into hacked Web sites and exploit common Web browser vulnerabilities. JPS says he’s looking for a pro who can deliver decent exploitation rates.

“I have no time (and no desire) to roam chats and argue there with cool hackers,” JPS said. “I need to check traffic in terms of exploitability, and in the future, if everything is alright, I can work on a continuous basis” with the hired expert.

The senior member tells JPS to ask Mavook. “If Mavook won’t budge, saying that he is no longer doing this stuff, write to me again.”

WHO IS MAVOOK?

If we take a closer look at Mavook’s profile page on BlackSEO.com, we can see that he is a longtime member, dating back to 2005, when he was the 24th member registered on BlackSEO (out of thousands). Mavook’s profile also shows that his personal home page was at one time mavook.com. The WHOIS registration records for mavook.com have long been hidden by commercial WHOIS privacy protection services, but I found the original WHOIS record for this domain using the indispensable historic WHOIS service maintained by domaintools.com. Those records show that the domain was originally registered in 2005 by a Maxim Selikhanovich in Saransk, the capital city in Mordovia, a republic in the eastern region of the East European Plain of Russia.

The email address used to register mavook.com was “h0mini@mail.ru” (the second character in the address is a zero). A search for that email address in Skype’s user database brings up a user with the screen name “Maximsd”. Mavook also used the email address “mavook@gmail.com.” That address is tied to a Maxim Selikhanovich in Saransk via the registration records for the now defunct Website saransk-offline.com, which at one point sold popular MP3 files for pennies apiece.

One of the emails used by Maxim for that Website and a related site was “troxel@yandex.ru,” which was the same email used to register a now-deleted Facebook account under a Maxim Selikhanovich from Saransk. Yet another abandoned music sales site — mavook-mp3.com — was registered to a “Mavook aka Troxel” and to the “h0mini@mail.ru” address used for mavook.com.

MACS, MAX and MAKS

The final clue offers perhaps the most tantalizing details: The h0mini@mail.ru address is the contact point of record for a business in Saransk called mak-rm.com, the domain name registered to an IT-outsourcing and Web design firm in Saransk called the Mordovia Outsourcing Company (the “mak” part of the name comes from the Russian version of the company name, which is “МОРДОВСКАЯ АУТСОРСИНГОВАЯ КОМПАНИЯ”). That domain is registered to a “Max D. Sell” in Saransk (see a cached image from mak-rm.com’s homepage in 2010 at the Internet Archive).

According to a trusted source who has the ability to look up tax information on citizens and corporations in Russia, the Mordovia Outsourcing Company was registered and founded by one Maxim Dmitrievich Selihanovich, a 30-year-old from Saransk, Mordovia.


75 thoughts on “Who Wrote the Flashback OS X Worm?”

  1. Dillon

    I love your work Krebs. You have some of the best articles in my RSS feed, and I can’t wait to read them.

    1. JimV

      Where there are apparently more than a few folks who are trying to create “one bot to rule them all”….

    2. E.M.H.

      Heh. Lord of the Token (Tolkien??) Ring. 😀

  2. Zhengzhong Chiang

    One small Russian from deep-deep Siberia infected 650k Mac computers! Imagine what could happen if there were like two or three of them. Krebs, how should we protect ourselves against Russians? LiveCD or something?

    1. Pavel

      Hi Zhengzhong,

      Mordovia is not in Siberia 🙂 lol.
      Did you read the article carefully? Brian wrote about Mordovia a little bit.

  3. harvey seeley

    Krebs, you have nailed him! You should be working for the govt.
    Our government is just derelict in policing this sector and protecting folks from these increasingly innovative criminals. Ours is derelict, China is a hacker backer and Russia is not going to get involved unless they actually try to hack the mafia there!

    1. BrianKrebs Post author

      If I were working for the USG (or the MSM for that matter) I would not be able to do this kind of thing.

  4. Senizer

    Lol, it looks like Brian can use Google to find underweb forums and copy information from them.

    1. micro

      You got him, Sherlock! Keep going!

      Brian – good work. You do very well your part in making this world better 🙂

    2. keyzer

      It’s funny how you Eastern Bloc wankers are constantly taking the time to heckle on here about how little skill Brian has. Then you immediately tab over to the underweb forums and alert everyone of the doxing.

      1. metasonix

        “It’s funny how you Eastern Bloc wankers are constantly taking the time to heckle on here about how little skill Brian has. Then you immediately tab over to the underweb forums and alert everyone of the doxing.”

        That’s how manchildren think. The Internet is basically a peacetime playground for the kind of arrogant young males who, in past centuries, would have been willing cannon-fodder for the army. Society has started to learn that being at war with your neighbors is stupid and counterproductive, but the cannon-fodder continues to be born and grow up. Their raging hormones need an outlet, so they become obsessed with FPS shoot-up games, hacking and cracking, robotically editing Wikipedia, and other such non-careers. Society evidently finds botnet operators to be more “acceptable” than outright street thugs mugging people randomly — but there really isn’t much difference.

  5. John

    What is even more important is how this affected Apple and the perception that OS X was better at protecting its users than Windows. If nothing else it woke up Apple and its users to the fact that OS X was not the perfect OS that Apple had been making out OS X to be. Much is to be said for number of users vs the focus of attacks. Grow your user base and watch the attacks rise. I find this to be true with Linux on desktops, as users are limited to attacks only by the fact their numbers are not worth the attention of the attackers. In this case being unpopular is probably safer.

    1. Ted Grigg

      John,

      This was not an OS X assault, but a weak third party application known to be a problem for both Apple and Microsoft. It’s called Java.

      Apple is in the process of killing off Java and encouraging third party developers to rewrite their code to native OS X. CrashPlan, for example, requires Java to run. CrashPlan engineers are rewriting their program so that it does not rely upon Java to operate.

      The other offending Application for both Mac and Windows users is Flash Player. Steve Jobs began the campaign to rid us of this software as well.

      If you didn’t have Java installed, then this exploit would have had zero consequences to OS X users. The mere presence of an antivirus program shut down the exploit (written into the Flashback worm itself to avoid detection).

      I use the free ClamXav Sentry on my Macs because no OS is totally immune. But safe to say that a Unix based OS like OS X is far more robust than a Windows based OS when it comes to hacking and overall stability.

      1. Mike

        I disagree that this is not a Mac issue. This was a vulnerability in Apple’s version of Java that was already patched by this time in Oracle’s third party Java. The only users that could be affected are Mac users.

        1. BrianKrebs Post author

          Thanks, Mike. You beat me to the same reply. While none of what Ted said is wrong, per se, Apple erred here by waiting almost two months after Oracle shipped an update to fix these flaws. This event had been a long time coming. For years, even back when I was at The Washington Post, I sounded the alarm on the huge time gaps between Oracle and Apple patch times on Java. The gap narrowed considerably in 2011 and into 2012, but six weeks is a big window of exploitation for a widely-installed, cross-platform target like Java.

          1. Richard Steven Hack

            Yes, it’s an APPLE problem because they didn’t patch Java.

            But it’s not an *OSX* problem. I think that’s what Ted Grigg was trying to point out.

            1. Rabid Howler Monkey

              “Yes, it’s an APPLE problem because they didn’t patch Java. But it’s not an *OSX* problem.”

              Yes and no. The original frameworks included in OS X included BSD, Carbon, Cocoa and Java. Java was actually a component of the original OS X operating system and persisted through OS X Snow Leopard. And users of these early OS X versions could not remove the Java framework from the operating system.

              Thus, for OS X Leopard and Snow Leopard, it was an OS X problem. For OS X Lion it was not an OS X problem, but it still was an Apple problem. More here:

              http://en.wikipedia.org/wiki/Trojan_BackDoor.Flashback#Resolution
              “The updated Java release [by Apple] was only made available for Mac OS X Lion and Mac OS X Snow Leopard; the removal utility was released for Intel versions of Mac OS X Leopard in addition to the two newer operating systems.”

              1. SeymourB

                Mmm, no, you can remove the Java framework from 10.4 and 10.5 (at the very least), but then, of course, Java applets and applications and pretty much anything that’s written to expect to see the Java framework will be broken. Nothing in OS X itself is written this way (aside from Java helper applets), but some things – like portions of Adobe’s Creative Suite – were written in Java and require the framework to function.

                Gutting the Java framework, however, is likely beyond the skillset of the average user. I tried to explain how to do it to someone online and I got the digital equivalent of eyes glazing over.

                Apple is ultimately still at fault for Flashback due to taking their sweet time rolling out Java updates (which, historically, has been a persistent problem for them), so no argument there…

                1. Rabid Howler Monkey

                  “Gutting the Java framework, however, is likely beyond the skillset of the average user.”

                  This statement implies a lot. Here’s a link to an Apple discussion on uninstalling the Java platform from OS X Snow Leopard:

                  “Uninstall Java”
                  https://discussions.apple.com/thread/2641348?start=0&tstart=0

                  The two substantive replies were like this:
                  o can’t be done as Java is too deeply embedded in OS X
                  o you don’t want to uninstall Java as it’s required for too many OS operations

                  1. SeymourB

                    ASF (Apple Support Forums) devolved into the blind leading the blind a long time ago. Apple has been writing their applications in Cocoa and Carbon for a long time (famously QuickTime and iTunes for Windows included a Carbon implementation, for shared code purposes), the only bits that were Java based were related to the Java subsystem (at least in 10.4 and 10.5, I don’t remember if it was true in earlier releases).

                    I’ve gutted Java from a 10.5 system, it can be done. It’s just a set of frameworks and plugins and apps. Obviously if you have applications that use Java then they’ll be broken, and it’s not really advisable though because a lot of applications use Java, but… it’s certainly possible.

                    1. Rabid Howler Monkey

                      “I’ve gutted Java from a 10.5 system, it can be done.”

                      There’s that word again, “gutted”. On Windows and GNU/Linux I merely uninstall Java as OS X Lion and Mountain Lion users now do.

                      And on Windows, advanced users can remove components using built-in features.

                      “Gutted” implies that Java was a component of OS X. Which, up to Snow Leopard, it was. The fact that you could open up a terminal window, change directories with the ‘cd’ command and use the ‘rm’ command changes nothing. And the fact that you had to resort to this implies that Apple never intended its users to remove Java from OS X.

  6. Janitor

    Skype resolver for Maxim:

    As of midday UTC, April 3, 2013:

    troxel@yandex.ru –> id skype: buybatterymanager –> 193.150.109.15 –> Saransk ISP Dartel.ru

  7. snert

    My granddad had an old rat terrier that just would not quit once he was after something. You remind me of him somewhat. Diggin’ and snifflin’ around and diggin’ some more until he got it. Flat out stubborn. He was very low tech though.

  8. Haggis

    How did you manage to see Private messages between two other members of said forum?

  9. brian krebs

    Can’t believe I forgot to include this detail in my story. So, in 2007, Dmitry Stupin, the co-administrator of the SpamIt online pharmacy affiliate program, had a chat with his partner Igor Gusev about the top earners of Glavmed, their sister pharmacy affiliate program. They liked Mavook’s sales/traffic numbers so much they decided the next day to reach out to him and invite him to spam pills for SpamIt. Here is a snippet of that conversation, which involves ICQ 272990 (Mavook) and Stupin (ICQ 246439146).

    12:50:14 PM 246439146: hi! got a minute?
    3:07:28 PM 272990: yeah i have a one minute
    3:08:48 PM 246439146: I’m from Glavmed. I see you’re advertising Bulker on Umax, do you work with him?
    3:09:10 PM 246439146: we’re actively recruiting new advertisers right now by every means we can)
    3:09:13 PM 272990: yes
    3:09:23 PM 246439146: are you sending SE traffic to him?
    3:09:28 PM 272990: hmm
    3:09:49 PM 246439146: after all, he’s oriented toward email traffic
    3:09:59 PM 272990: from doorways, yes, but I have rxpayouts.com in the top results for “buy xxx” on a white domain
    3:10:18 PM 246439146: want to try us?
    3:10:26 PM 272990: you don’t have XML feeds
    3:10:36 PM 272990: and you don’t bill MasterCard
    3:10:37 PM 246439146: only because of that?
    3:10:44 PM 246439146: Master???? we’ve been billing it for a long time
    3:10:48 PM 246439146: and we accept checks
    3:10:52 PM 272990: well yes – right now I’m only pushing white domains
    3:10:55 PM 272990: in the SEs
    3:11:05 PM 272990: the traffic is free and comes in steadily
    3:11:09 PM 272990: purchases too
    3:11:13 PM 272990: unlike doorways and other junk
    3:11:36 PM 246439146: can you say what your volumes are? if decent – we’ll quickly make feeds for you
    3:11:43 PM 246439146: well, roughly
    3:12:05 PM 272990: volumes are weak, I don’t bother much, but say from 100 unique SE visitors that go to the shops – 2-3 purchases
    3:12:17 PM 272990: I mean to white shops – I’m speaking roughly
    3:12:27 PM 272990: from “side effects” to others
    3:12:34 PM 246439146: and how much do you make per day?
    3:12:47 PM 272990: 500-1000 in commissions
    3:12:53 PM 246439146: oooh!
    3:12:55 PM 272990: the owners get more
    3:13:02 PM 246439146: so why are you advertising Bulker?
    3:13:23 PM 246439146: they have neither feeds nor Master
    3:14:03 PM 272990: because it’s an unknown, non-advertised affiliate program (Glavmed, Stimulmedia, Rxpayouts and the rest are well known) I want to see how sales go with others
    3:14:41 PM 246439146: they don’t advertise because all the spammers already know them) and they don’t look at SE traffic
    3:15:30 PM 272990: yes, a counter-question

    does Glavmed have, like rxpayouts, drugs such as renova, seasonale
    3:15:33 PM 272990: diplorene
    3:15:33 PM 272990: and the others
    3:15:35 PM 272990: of the ones people buy
    3:15:45 PM 272990: since it’s easier for a white shop to rank for those than for viagra
    3:16:33 PM 246439146: no, we don’t have those
    3:17:56 PM 246439146: got it, thanks! this will be very useful for us. when there’s news on your questions – I’ll ping you
    3:18:57 PM 272990: no, it’s just that Stimul Media gives a feed
    3:19:07 PM 272990: but doesn’t bill Master
    3:19:19 PM 272990: rxpayouts.com, the foreign one
    3:19:26 PM 272990: they bill everything but only US, that’s the minus – but they give various feeds
    3:19:44 PM 272990: anyway, right now I’m fitting a white domain from 2003 to them
    3:19:49 PM 272990: to make a shop
    3:20:41 PM 246439146: understood. we’ll make feeds
    3:21:57 PM 272990: long overdue
    3:22:05 PM 272990: people here on Stimul Media are getting into Google’s top results on white domains for low-frequency queries
    3:22:09 PM 272990: white or gray ones specifically, with their own feed and no redirect
    3:22:24 PM 272990: a buddy recently showed me a domain, says it makes 2-3k a day in sales
    3:22:30 PM 272990: and it’s the shop’s feed there
    3:22:36 PM 246439146: super!
    3:22:38 PM 272990: with its own design and text

    1. Topher Kessler

      do you have a translation? Online translation services have a horrendous time with Russian.

      Btw, great job!

    2. Hans

      Mr Krebs, when is the Russian language class?

      BTW, congrats on your own traffic count, 39,584, one month ago!

      1. Haggis

        Rough Translation

        12:50:14 PM 246439146: Hello! have a minute?
        3:07:28 PM 272990: yeah i have a one minute
        3:08:48 PM 246439146: I GlavMed. I see you on the Umax Advertising bulk carrier, you work with him?
        3:09:10 PM 246439146: We are now actively involve all than only can new adverov)
        3:09:13 PM 272990: yes
        3:09:23 PM 246439146: CE him lesh?
        3:09:28 PM 272990: hmm
        3:09:49 PM 246439146: he’s for soap oriented cores
        3:09:59 PM 272990: c Fedorov, yes, but I rxpayouts.com in tops on white buy xxx domain
        3:10:18 PM 246439146: We do not want to try it?
        3:10:26 PM 272990: you do not feed CML
        3:10:36 PM 272990: Mastercard and not Bill
        3:10:37 PM 246439146: Only because of this?
        3:10:44 PM 246439146: master?? has long Bilim
        3:10:48 PM 246439146: and checks prnimaem

        3:10:52 PM 272990: Well, yes – I am right now just white domains infer
        3:10:55 PM 272990: in CE
        3:11:05 PM 272990: free cores is stable
        3:11:09 PM 272990: shopping too
        3:11:13 PM 272990: unlike the doorways and other skins
        3:11:36 PM 246439146: Can you say what is your turnover? If decent – we will do for you quickly feeds
        3:11:43 PM 246439146: Well, about
        3:12:05 PM 272990: speed weak I say well, do not bother with 100 uniques CE cores that go to shops – 2-3 purchases
        3:12:17 PM 272990: vsmysle the white shops – I roughly
        3:12:27 PM 272990: from side effects to other
        3:12:34 PM 246439146: and in how many days do you go?
        3:12:47 PM 272990: 500-1000 commission fee
        3:12:53 PM 246439146: ohh!
        3:12:55 PM 272990: the owners are more 
        3:13:02 PM 246439146: Why do you advertise bulker?
        3:13:23 PM 246439146: they neither feed no master
        3:14:03 PM 272990: since unknown no advertising affiliate (GlavMed stimulmedia rhpayauts and others at the hearing) I want to see how sales will be others
        3:14:41 PM 246439146: so they not advertising because all the spammers and they already know) and the CE traffic they do not look
        3:15:30 PM 272990: yes another question

        GlavMed to have both types of drugs rxpayouts renova seasonale
        3:15:33 PM 272990: diplorene
        3:15:33 PM 272990: and other
        3:15:35 PM 272990: Of those that take
        3:15:45 PM 272990: as shopu white on them to get out easier than Viagra
        3:16:33 PM 246439146: no, there are none
        3:17:56 PM 246439146: I understand you, thank you! very useful for us to be. as there will be news on your issues – knock to you
        3:18:57 PM 272990: not just the media gives incentive feed
        3:19:07 PM 272990: not master Bill
        3:19:19 PM 272990: rxpayouts.com that which bourgeois
        3:19:26 PM 272990: Bill all but the current US ONLY in it are negative – but give different feeds
        3:19:44 PM 272990: in any case I am right now under the domain of desire 2003 white
        3:19:49 PM 272990: to make shop
        3:20:41 PM 246439146: understood. we do feeds
        3:21:57 PM 272990: it’s time
        3:22:05 PM 272990: the people here on the spur of media on the white tops of Google domains in vylaziet on LF
        3:22:09 PM 272990: it is white or gray with a feed without a redirect
        3:22:24 PM 272990: I recently showed a friend says domain does 2-3k per day from sales
        3:22:30 PM 272990: and there feed Magaz
        3:22:36 PM 246439146: super!
        3:22:38 PM 272990: with its design and text

    3. AlphaCentauri

      Sorry, I don’t know Russian — Does балкер refer to bulker.biz, which was the 2007 equivalent of Eva Pharmacy?

  10. CooloutAC

    NICE! you the man! A real eye opener for people who think Macs are totally safe. And shows how much havoc one person can create for so many people. I really think our gov’t is starting to take hackers seriously in the recent months. I just wish American corporations and business would too finally, if not the avg home user.

    lol at the guys posting the dudes ip and phone number. haha.

  11. cashixs

    I think he should be made an example of and thrown in jail and anything else that can be given to him and anyone else writing viruses, etc.

  12. John

    You Sir are insanely courageous. Sometime now you should really consider (if you have not already) asking your Govt to provide you various forms of protection from potential revenge attacks by international criminals.

    You are doing a brave job of naming and shaming hard-core criminals, and they obviously won’t keep quiet if they get into trouble due to your exposés. A bit like Julian Assange, maybe?

    Great work and take care!

  13. Haisenberg

    This Russian hacker is just the tip of the iceberg.
    There are tens or maybe hundreds of real hax0rz communicating with each other on ‘deep-forums’ trying to create a virus, like darkleech, but much much more advanced and the most important thing, an independent virus, not needing java-exploits or flashbacks..

    Rumour tells that working platforms for this virus are WIN, MAC OS..

    Just rumours though, but still, it’s getting bigger and bigger every day.

  14. BS_Team

    What is your proof?
    They’ve already come for you…

  15. Michael Rowley

    Outstanding work Brian, your forensic skills are truly amazing.

    What I still find astonishing, a majority of Apple owners still do not think they can be the victim of an exploit, no matter how many instances one can quote. And due to this, I know that my periodic cleanup work of marketing and advertising agencies will never end.

  16. H.C. Bloomquist

    As a retired mainframe “geek”, I appreciate your “digging” and finding ways to fix “holes”. In 39 years, I worked for ONLY ONE company that took security seriously (multi-industry conglomerate). I find SPAM very annoying, but I appreciate “Yahoo” and other providers for providing ways to isolate most of it. I really appreciate Yahoo for providing “header show” which tracks to sources. Keep up the good work!!! From a 70+ retiree.

  17. Old School

    When Brian mentions a site like BlackSEO.com I go to various site testing services to get their opinion. I call my effort “LOL Time.” Google Safe Browsing: “Diagnostic page for blackseo.com This site is not currently listed as suspicious.”
    McAfee SiteAdvisor: “BlackSEO.com This link is safe. We tested it and didn’t find any significant security issues. When we tested the links on this site for security risks, this is what we found.” There were red “X”s by ipod-hacking.com and peakclick.com.

    Norton Safe Web: blackseo.com
    Summary
    Norton Safe Web found no issues with this site. Embedded Link To Malicious Site Threats found: 0

    McAfee found two nasty links but Norton did not find those links. This situation sounds like a topic for another short story.

  18. john senchak

    It takes a person with a lot of determination, skill and sheer patience to do this kind of work. I always wondered, if people can sit online and do this type of work, why can’t law enforcement around the globe do the same? It’s not a real hard thing to do, if you have the focus and ability to do so.

    This kind of internet forensic work really depends on an individual who is good at doing investigative work. If more people getting out of a four-year university were trained in the know-how of doing this specific type of work, we would have less internet crime. I believe that we need more capable people to do this work, otherwise things will get worse on the internet, not better.

  19. Dan

    Nothing against it really, except that the Russian translation from the forum is not exact. It looks more like an imaginary example, rather than a sober claim.

  20. Fetru

    they shut down their site! wow!
    well done mister

  21. _tex_

    yesterday mavook (too drunk) joined wmirc.net and wrote this

    13:02:44 kkosteg: http://krebsonsecurity.com/2013/04/who-wrote-the-flashback-os-x-worm/ mavook is a star!

    1:04:29 mavook [webmaster@8EAEA1D3.711D4958.C3F5E575.IP] entered the room.
    1:04:40 mavook: hi everyone
    1:04:53 mavook: who’s ready to pour some traffic on my low-frequency theory =)))))))))
    1:20:17 mavook: damn, woke up at 15:00\
    1:20:23 mavook: with SUCH A HANGOVER
    1:20:30 mavook: and then, bam, the news
    1:20:48 mavook: been drinking for the third day now
    1:20:55 mavook: the problem is that the money doesn’t run out
    1:21:09 mavook: because dividends

    1:22:39 mavook: listen, what else are they writing about me
    1:22:47 krob: I don’t know
    1:22:47 mavook: I got a call here, they said I’m guilty
    1:22:58 mavook: but I didn’t confess over the phone

  22. spomoni

    Mavook is as clean as a newborn. I know the man personally, we do business together.

  23. David Schwartzberg 六

    That was some very impressive investigative research. How many months did it take you to complete your research and verify all the facts?

    1. ChronWatch

      If he told you he’d have to kill you. 🙂

  24. Haggis

    _tex_ translation
    1:04:29 mavook [webmaster@8EAEA1D3.711D4958.C3F5E575.IP] entered the room.
    1:04:40 mavook: Hello
    1:04:53 mavook: who is ready to pour traffic to my theory LF =)))))))))
    1:20:17 mavook: bitch woke up at 15-00 \
    1:20:23 mavook: with such a hangover
    1:20:30 mavook: and here you news
    1:20:48 mavook: already the third day of drinking
    1:20:55 mavook: the problem is that the money does not end
    1:21:09 mavook: because dividends

    1:22:39 mavook: listen to what they write about me yet
    1:22:47 krob: I Do not Know
    1:22:47 mavook: I then called to say that I am guilty
    1:22:58 mavook: but I do not recognize on the phone

    spomoni:
    Mavook clean as a baby. I know a man personally, do business together

  25. Arch1

    2good4you2 .. to expose the scum of the earth?

  26. Jaime

    That’s a fantastic job of sleuthing. The implications to Apple/Mac are astounding, honestly. I applaud you for doing what (it seems like) nobody else is going to do. Maybe some authority will read your post and pick up from there. Haha.

Comments are closed.