Why Open Source Ransomware is Such a Problem

A while back 2sec4u posted a poll asking if people considered open source ransomware helpful to detection and prevention, with 46% voting yes. Although the poll wasn’t limited to people working in the antimalware industry, 46% is scarily high. Trying to prove a point, help me out Twitter. Is open source ransomware helping …

Mapping Mirai: A Botnet Case Study

Mirai is a piece of malware designed to hijack busybox systems (commonly used on IoT devices) in order to perform DDoS attacks; it’s also the bot used in the 620 Gbps DDoS attack on Brian Krebs’ blog and the 1.1 Tbps attack on OVH a few days later. Although Mirai isn’t even close to …

Dridex Returns to the UK With Updated TTPs

With the exception of a few unconfirmed reports of Dridex targeting Baltic countries (which doesn’t make much sense economically), infection campaigns have ceased since mid-August, when Dridex briefly resumed spreading to propagate multiple new botnets aimed at Switzerland. This morning a friend of mine, Liam, reported receiving a malicious email which unusually didn’t …

Significant Increase in Kelihos Botnet Activity

Since the Kelihos takedown in front of a live audience at RSA Conference in 2013, the operator had opted to maintain a low profile by keeping the total number of infections at only a fraction of the previous size. In the past Kelihos’ MO was spamming stock pump and dump schemes or pharmaceutical scams then laying …

No the FBI Are Not Sending Bitcoins to the Shadowbrokers

A few days ago someone made the following post which suggested the FBI were sending bitcoin from the wallet where all of the seized coins from Silkroad were sent to the ShadowBrokers auction address; furthermore, the explanation was given that they were trying to “chum the water” and enable them to track transactions …

Automatic Transfer Systems (ATS) for Beginners

ATS is one of the newer techniques employed by banking malware that not many people are familiar with so I thought I’d do a small post explaining it. To fully appreciate the complexity of ATS we have to take a look at a brief history of financial malware and how they …

What’s Happening with Necurs, Dridex, and Locky?

Around the 8th of June VICE picked up the story about Necurs’ downtime and wrote a great article including a tweet from Kevin Beaumont referencing my botnet tracker. I was contacted for comment and there are a few things I’d have liked to add, but at the time I was in …

How Cerber’s Hash Factory Works

Recently I saw a story on SecurityWeek about how the Cerber ransomware morphs every 15 seconds (each download results in a file with a new hash), which I then tracked back to the source, this article by Invincea. The various news articles made some dubious claims which can be put down …

Infosec Without a Degree

I’ve seen plenty of blogs from people who got into infosec through the academic route, so I figured I’d cover the other side and try to answer the three most asked questions I get via email and Twitter: “Do I need a degree to get a job in infosec?”, “Will a …

Dridex Updates Payload Distribution

Dridex spreads mainly using Office documents containing malicious macros; initially the primary stage would involve using VBA (Visual Basic for Applications) to download and execute the loader from one of multiple servers, though this had some flaws. Antivirus and firewall vendors maintain a list of malicious URLs and IP addresses …