<span id="hs_cos_wrapper_post_body" class="hs_cos_wrapper hs_cos_wrapper_meta_field hs_cos_wrapper_type_rich_text" style="" data-hs-cos-general-type="meta_field" data-hs-cos-type="rich_text" ><p><img class=" wp-image-2603 aligncenter" src="http://cdn2.hubspot.net/hubfs/2548414/Imported_Blog_Media/a-magician-1160153-639x1089.jpg" alt="a-magician-1160153-639x1089" width="309" height="527"></p> <p>For most creators of Trojans or worms, the only known attribution to their creations is made by security researchers, and although these individuals are not known in person, some of them are known and active in the cybercriminal scene. One of these “celebrity cyber criminals” is known by his alias Houdini and, according to <a href="http://www.threatgeek.com">Threatgeek.com</a>, is named '<a href="https://otx.alienvault.com/pulse/58239a2b4dc3d210c9784e20">Mohamed Benabdellah</a>'. Houdini is believed to be based in Algeria and connected to “njq8” (aka ‘Naser Al Mutairi’), the developer of other RATs such as "njRAT" and "njw0rm".</p> <!--more--> <p>RATs by Houdini have been reported since 2013, and <a href="https://www.fireeye.com/blog/threat-research/2013/09/now-you-see-me-h-worm-by-houdini.html">H-w0rm</a> is the earliest reported by FireEye. H-w0rm is a tool written in VBS and also has an <a href="http://pastebin.com/vMQWsvHS">AUTOIT</a> version. The VBS file in the relevant version was found to be obfuscated with multiple levels of standard Base64 encoding (Safa Crypter). H-w0rm is known to act as a RAT: it can log keystrokes, record sound through the user’s microphone, capture photos through the webcam and run updates of the RAT on the infected node. The RAT's C&amp;C communication uses Dynamic DNS services and runs over the HTTP protocol.</p> <p>Both ThreatSTOP IP Firewall Service and DNS Firewall Service customers are protected from “Houdini's RAT\H-w0rm” if they enable the TS Critical targets in their policies.</p></span>
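<p>For analysts triaging a script wrapped in several levels of standard Base64, as described above for the VBS file, the following added example (not code from the original post, FireEye or ThreatSTOP) peels the layers one at a time and reports how many were present. The function names, the 16-layer cap, the 16-character minimum and the harmless sample are assumptions made for this illustration.</p>

```python
import base64
import binascii
import re

MAX_LAYERS = 16  # assumed cap so a hostile input cannot keep the tool looping
MIN_LEN = 16     # assumed floor; short tokens are too ambiguous to treat as Base64

_B64_RE = re.compile(rb"^[A-Za-z0-9+/]+={0,2}$")  # standard alphabet only


def _try_b64(blob: bytes):
    """Return the decoded bytes if blob looks like standard Base64, else None."""
    compact = b"".join(blob.split())  # tolerate line wraps inside the blob
    if len(compact) < MIN_LEN or len(compact) % 4 or not _B64_RE.match(compact):
        return None
    try:
        return base64.b64decode(compact, validate=True)
    except (binascii.Error, ValueError):
        return None


def peel_base64(blob: bytes, max_layers: int = MAX_LAYERS):
    """Strip nested Base64 layers; return (layers_removed, innermost_bytes)."""
    layers = 0
    while layers < max_layers:
        decoded = _try_b64(blob)
        if not decoded:  # not Base64 (None) or decodes to nothing: stop here
            break
        blob, layers = decoded, layers + 1
    return layers, blob


def build_sample(inner: bytes, depth: int) -> bytes:
    """Wrap inner in `depth` Base64 layers (used only to construct test input)."""
    for _ in range(depth):
        inner = base64.b64encode(inner)
    return inner


# Constructed, harmless stand-in for an obfuscated script; not taken from any sample.
SAMPLE_INNER = b'WScript.Echo "constructed sample, not malware"'
SAMPLE = build_sample(SAMPLE_INNER, 3)

if __name__ == "__main__":
    depth, inner = peel_base64(SAMPLE)
    print(f"{depth} Base64 layer(s) removed; innermost content: {inner.decode()!r}")
```

<p>The stop condition is a heuristic: an innermost payload that itself consists only of Base64-alphabet characters would be decoded one layer too far, so review the last layer by hand.</p>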