2014-02-06 - Connect the dots

And the real name of Magnitude is....

Magnitude from Community

You may have noticed a rise in Magnitude occurrences in the past days. This helped me in connecting the dots.

When GrandSoft talked about the remaining Exploit Kits in November 2013, he mentioned:

- нейтрино
- оранж
- магнитуда
- топэксп

so:

- Neutrino
- Sweet Orange
- Magnitude
- TopExp


I was wondering why he was not mentioning Styx, Sakura and Nuclear, which were all still around at that time, but TopExp caught my attention...

I saw this post on an underground forum (translated from Russian):

--------------------------------------------
Offering an exploit pack for a % of traffic
Greetings all! I am offering an exploit pack for a percentage of traffic, hitting only IE.
WE DO NOT ACCEPT COUNTRIES: CIS, small countries of Asia, the East, Africa and South America):
A1 A2 O1 SU RU UA BY UZ KZ GE AZ LT MD LV KG TJ AM TM JP JA CN TH VN ID MY TZ PH RO SG
TT YE LK PK SA BG UY RS OM IQ KW DO SV TN KE EU NP BD MN SK CR JO LU BB MU NI AP BS MQ
NG CY BO AO PY MK GU BH SI NA LB BA BN GD LA BZ PG ZM SY LY SD HT MO PS UG GF RE AF SN
LR NC KH GP BW HN AW PF CW VI IS KN AG BM GY DM MT BT MZ EE GL CI MG MV MC GA CD LI GQ
ZW CM SR JE DJ CV SZ ME FJ LC KY GH SB VU ET RW MW ER LS EG AE TW ZA

For contact: PM.
--------------------------------------------

I guess this is the reason for the rise in Magnitude events in those days.

When asked for the CVEs, he wrote:

CVE-2012-0507
CVE-2013-2551
CVE-2013-2471

Hum... that matches what remains in Magnitude (the Flash exploit was only a downloader, not CVE-2013-0634, and CVE-2011-3402 (the Duqu-like font drop) is gone).

And he says he has been using it for two years.


I should have connected the dots before. In May, the "backend" domain for stats/threads of what was then called popads (aka Magnitude) was:

http://topexpstat .com/
69.64.50.203

So... Magnitude is: top-exp

But hey... Magnitude sounds better, no? (Thanks Will! :) )

Where is Magnitude now?
184.172.109.156
And yesterday?
184.172.109.155


Here is the manual:
http://pastebin.com/raw.php?i=HkAxAaFd
Google Translated:
http://pastebin.com/raw.php?i=mRHYYK5a

Side note: Neutrino is also advertising on the underground.

It seems Nuclear is now taking a big piece of the cake.

Read More:
Deobfuscating Magnitude Exploit Kit - 2013-11-11 Darryl - KahuSecurity
Magnitude EK : Pop Pop ! - 2013-10-26