Tuesday, May 10, 2016

A collection of PHP backdoors


Just a quick post to announce that I've set up a GitHub repository with a collection of PHP backdoors, for educational and/or testing purposes only:

Feel free to check it out and/or contribute here:
https://github.com/bartblaze/PHP-backdoors

The repository will be updated gradually over time.

If you're interested in analysing a PHP backdoor, check out my post on PHP/C99shell:
C99Shell not dead


Additionally, find tools to deobfuscate PHP backdoors here:
PHP tools

Wednesday, May 4, 2016

SteamStealer IP visualisations


Just for fun I decided to visualise all SteamStealer IPs I've encountered so far. These IPs host fake screenshot websites, fake voice communication software, fake streaming websites, fake Steam websites and similar lures; some also act as a C&C for the malware or host fake gambling/lottery websites.

Additional background on the campaign can be found in my earlier post:
Malware spreading via Steam chat

Additionally, be sure to read the paper I wrote with Santiago from Kaspersky about SteamStealers here: The evolution of malware targeting Steam accounts and inventory


Now for the fun part:
View SteamStealer IPs in a full screen map



Alternatively, check out the following map and stats:


Country                      Count
---------------------------  -----
Russian Federation             163
United Kingdom                  19
Netherlands                     18
United States                   14
Germany                          9
Ukraine                          6
France                           6
Poland                           4
Romania                          1
Italy                            1
Czech Republic                   1
Canada                           1
Australia                        1
Belarus                          1
Belize                           1
Kazakhstan                       1
Virgin Islands, British          1
Spain                            1
Moldova, Republic of             1
---------------------------  -----
Total                          250



As you can see, most of them (163 of the 250 IPs) are hosted in Russia, while the United Kingdom and the Netherlands rank second and third respectively.

Note: CloudFlare is increasingly used to 'hide' the real server IP address. A domain fronted by CloudFlare resolves to CloudFlare's edge addresses, which reveal nothing about where the origin server is actually hosted, so CloudFlare IPs are not included in the counts above.
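Dropping CloudFlare edge addresses before tallying per country is easy to automate. The Python below is an added example, not code from the original post or from the tools listed under Resources: it checks each IP against a snapshot of CloudFlare's published IPv4 ranges, skips those that match, and counts the remaining origin IPs per country. The IP-to-country mapping and the sample addresses are constructed for the example (documentation ranges, not real SteamStealer IOCs); in practice the lookup would be a GeoIP database, and the CloudFlare list should be refreshed from the published URL before use.

```python
import ipaddress
from collections import Counter

# Snapshot of CloudFlare's published IPv4 edge ranges (https://www.cloudflare.com/ips-v4).
# Assumption: the list is current enough for this example; CloudFlare adds and splits
# ranges over time, so refresh it from the URL before running this on real data.
CLOUDFLARE_V4 = [ipaddress.ip_network(n) for n in (
    "173.245.48.0/20", "103.21.244.0/22", "103.22.200.0/22", "103.31.4.0/22",
    "141.101.64.0/18", "108.162.192.0/18", "190.93.240.0/20", "188.114.96.0/20",
    "197.234.240.0/22", "198.41.128.0/17", "162.158.0.0/15", "104.16.0.0/13",
    "104.24.0.0/14", "172.64.0.0/13", "131.0.72.0/22",
)]


def is_cloudflare(ip: str) -> bool:
    """True if ip lies inside a CloudFlare edge range, i.e. it is not the origin host."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in CLOUDFLARE_V4)


def country_counts(ips, geo):
    """Tally IPs per country, dropping duplicates and CloudFlare edge addresses.

    `geo` is a callable ip -> country name (a GeoIP database lookup in practice).
    Returns (Counter of country -> count, list of excluded CloudFlare IPs).
    """
    counts = Counter()
    excluded = []
    for ip in dict.fromkeys(ips):  # de-duplicate while keeping order
        if is_cloudflare(ip):
            excluded.append(ip)
            continue
        counts[geo(ip)] += 1
    return counts, excluded


# Constructed sample data: documentation (TEST-NET) addresses stand in for real IOCs,
# and the dict replaces a GeoIP database. Two addresses sit in CloudFlare ranges.
SAMPLE_GEO = {
    "192.0.2.10": "Russian Federation",
    "192.0.2.11": "Russian Federation",
    "198.51.100.5": "United Kingdom",
    "203.0.113.7": "Netherlands",
}
SAMPLE_IPS = ["192.0.2.10", "192.0.2.11", "192.0.2.10", "198.51.100.5",
              "203.0.113.7", "104.16.1.1", "172.64.5.5"]


def run_sample():
    """Run the tally over the constructed sample; unknown IPs fall into 'Unknown'."""
    return country_counts(SAMPLE_IPS, lambda ip: SAMPLE_GEO.get(ip, "Unknown"))


if __name__ == "__main__":
    counts, excluded = run_sample()
    for country, n in counts.most_common():
        print(f"{country:<27}{n:>5}")
    print(f"excluded {len(excluded)} CloudFlare edge IP(s): {', '.join(excluded)}")
```

The output of `country_counts` is a plain mapping of country to count, so it can be dumped to CSV for a geomapping tool as easily as printed. Keeping the excluded IPs, rather than silently dropping them, lets you report how much of the infrastructure is fronted by CloudFlare, which is itself a useful trend to track.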

That's about it, I hope you enjoyed it! The tools and data used to create the mapping are listed below.


Resources

Geomapping:
Batchgeo
GIPC

Data:
SteamStealer IPs IOCs