Posts

Botnet spamming The Pirate Bay with malware

Over the last few weeks, a botnet has been mass-uploading a specific package of what appears to be malware (I haven't had time to look at the payload itself yet). Cleverly, the person(s) behind this effort appear to have scraped filenames from titles that have already been pirated by popular uploaders. Stupidly, each download uses an obviously fraudulent filesize of 8.04MB. Videogames have not been that small for decades. This mistake would have been less obvious if not for the fact that the same user account - halfax - has uploaded dozens and dozens of games with the exact same filesize. Adding to the obvious fraud behind this effort is the number of nodes sharing these bad files. A screenshot of the current front page of the Games listing for TPB shows the disparity in the number of Seeders and Leechers between files shared by actual pirates and those shared by "halfax": Notice how, although there is variation in the number of seeders and leechers, the varia...

A Shame With No End

Three years ago I wrote a blog post demonstrating how the International Business Times appeared to be associated with some extremely shady online advertising networks, resulting in International Business Times article links being advertised on places like malware-filled mirrors of The Pirate Bay. The presence of IB Times on a Pirate Bay clone site was particularly ironic as the online news outlet had recently published several articles detailing exactly how terrible the ads on Pirate Bay were. To be clear: I never found any indication of any malfeasance on IB Times' part. In fact, I think it is much more likely to be the fault of some affiliate marketing firm that did a poor job of tracking its purchases. As such, I contacted IB Times via Twitter to inform them of my findings. I was contacted by a representative of IBT Media, during which I offered (for free) to walk their marketing staff through how to identify the affiliate responsible for the ad placement. IBT declined - instead...

Palm Beach Post covers the Heroin Epidemic

For over a year I assisted the Palm Beach Post with an in-depth investigation on the State of Florida's involvement with sparking the current heroin epidemic. That investigation has just been published. Among other things, I assisted the Post by creating a custom player to support a carousel-style multimedia presentation with full-screen video encoded using Azure Media Services and distributed through Verizon CDN. It just occurred to me while writing this that my very first work with streaming was Windows Media Services 4.1 on IIS 5.0 (I missed the NetShow party). It sucked. AMS isn't too bad. For over a century, the United States' narrative surrounding its continuing war on its own drug-addicted citizens has been a jingoistic heap of catch-phrases and rationalizations that have resulted in the US incarcerating a larger share of our citizens in both absolute and per capita terms than any other nation in the world. News organizations (particularly - but not solely...

NSA Leak Bust Points to State Surveillance Deal with Printing Firms

Earlier this week a young government contractor named Reality Winner was accused by police of leaking an internal NSA document to news outlet The Intercept. The documents outline the intelligence community's take on Russian efforts to hack a variety of companies responsible for facilitating US election voting. You can read the documents here. Despite what anyone might have to say about the issue on Twitter, an arrest involving an accusation of any crime by any law enforcement agency in any country is not evidence of guilt. Even the most circumspect appraisal of the US justice system will reveal that tens of thousands of individuals are arrested every year only to have those charges *immediately* dismissed by a court, while nearly everyone who actually is *convicted* of a crime in this country has their charges reduced. Even in cases in which individuals have been convicted of the most serious capital crimes, courts have been forced to release dozens of individuals after DNA ...

Billing systems development now available

Good news for current and future clients of Josh Wieder Technical Consulting: customers can now retain a variety of unique services related to popular hosting billing platforms Ubersmith & WHMCS, many of which are not available anywhere else. The services we are now able to offer include:

- Automated per-minute DID usage billing integration for Vitelity VOIP resellers for both Ubersmith & WHMCS.
- Credit card number and profile migration services to and from WHMCS. We are capable of decrypting CC data stored in WHMCS for you and facilitating migration to a token-based payment verification system (such as Authorize.Net CIM) that can improve your compliance with PCI standards.
- PayPal subscription migration services to, from and between WHMCS & Ubersmith.
- Authorize.Net CIM profile migration services.
- Custom development of Authorize.Net & PayPal gateways ...

RAT Bastard

Earlier this week, several servers I maintain were targeted by automated attempts to upload a remote access trojan (RAT). The RAT is a simple rot-13 embedded PHP script. The script provides a means for establishing file transfer and permissions management via HTTP queries on the remote side and the dreaded eval() function on the local side - interestingly, these functions are somewhat protected; in order to work, it is necessary to provide a hash along with the HTTP query, and the length of the query string has to match the size of its associated file. Can't have someone else taking advantage of your hard work, I suppose. The script includes a standard six-byte GIF header before the "<?php" establishing the opening of the PHP code, and the payload itself had a .gif file extension. It is pretty obvious, either to the naked eye or to a program that does more than a very basic check, that this .GIF is not an image. It is slightly more sophisticated than other attempts I have seen w...

Chop That Dollar

It's been quite some time since I've received a 419 spam message in my inbox. But - like matter itself - 419 never dies - only changes form. I found the message below in my inbox this morning. I was pleased to note that the message originated from Yahoo, and contained several classic red flags for spam that even the neophyte mail server admin knows to watch out for, like from & reply-to headers with different domains. This is the kind of l33t security I've come to expect from Yahoo. But hey, the Russians did it, and no one can be expected to secure their customers from state sponsored attacks. Susan here is no doubt a member of Nigeria's elite NIA. From: Susan ***** desmondwilliams614 yahoo.com Subject: Hello, Date: Sat, 18 Mar 2017 12:12:52 +0000 (UTC) Reply-To: desmondwilliams614 yahoo.com Susan ***** deswill0119 yahoo.fr Hello, Greetings. With warm heart I offer my friendship and greetings, and I hope that this mail will meets you in good time. Ho...