In my latest post about the iframe attack that used free domains from dynamic DNS hosting providers that pointed to a network of compromised dedicated server, I asked readers for any additional information they know about this attack. A few day later I received this email:
Since this may I am watching this network (I named it “quicksilver“) after two PCs/users ran into cn-8080-iframe-modified websites. Using only “white hat” instruments (dig, whois, malzilla, VMWare, google and my brain ;) ) I was able to collect information about the basic frame of this network.
It is not a simple botnet – it combines three networks with different functions to form a “malware superstructure”.
Nearly everything in this network is constantly moving (thus the name) and uses compromised machines acting as proxies or slaves. The machines of the real black hats are movable themselves – the older “gumblar” network (which i think is a precursor to quicksilver) used an ukrainian c&c-server with a different ip address.
At the end of the email, the reader said that he had a chart of this network and asked me if I wanted to take a look at it. The information looked interesting so I asked if he would like to publish it on my blog and got his permission:
you have my explicit permission to publish everything I send you – anonymously. Although I have a name and a title, the only thing relevant is to unmask those networks.
So here it is. I’ve published the story as is. I just added some formatting and converted the chart to GIF format to avoid PDF security concerns.