Note on WannaCrypt Infection Count Accuracy


Our sinkhole is designed to collect any and all HTTP requests to sinkholed domains for investigation purposes (these are then sent to a back-end database). What this means is that around the period when infections started being prevented, the data had almost pinpoint accuracy; however, as the news went global, people began posting links to the sinkhole domains, which people ended up clicking in their thousands.

Although we have ways to differentiate between regular and bot visits, this can only be done during data export; therefore, graph data became less accurate as the sinkhole domain was posted around the internet. Data sent out for the purpose of victim notification has already been filtered to ensure the best accuracy possible, whereas graph data is unfiltered. As a result, the graph data will show a slightly higher count than actual until the graph can be regenerated (this was supposed to be done immediately, but we have been busy dealing with attacks against our sinkhole infrastructure).

Until data can be exported, processed, then re-imported, below is an accurate count of total non-browser connections to our sinkhole (these are almost all infections which have been stopped by our ‘kill-switch’ domain).

[Last Updated 2017-05-19 09:00 UTC]
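
An added example (not the sinkhole's actual code) of the export-time filtering described above: it splits sinkhole request records into browser visits and non-browser connections and shows how the unfiltered source count overstates the filtered one. The header heuristic, the record layout and the sample data are assumptions constructed for illustration.

```python
# Constructed sample records (not real sinkhole data). Source IPs come from
# documentation ranges and "sinkholed.example" is a placeholder host name.
SAMPLE_REQUESTS = [
    {"src": "192.0.2.10", "headers": {"Host": "sinkholed.example"}},
    {"src": "192.0.2.10", "headers": {"Host": "sinkholed.example"}},  # repeat hit
    {"src": "198.51.100.7", "headers": {
        "Host": "sinkholed.example",
        "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64)",
        "Accept-Language": "en-GB,en;q=0.9",
        "Referer": "https://news.example/article"}},
    {"src": "203.0.113.44", "headers": {
        "Host": "sinkholed.example", "Cache-Control": "no-cache"}},
    {"src": "203.0.113.90", "headers": {
        "Host": "sinkholed.example",
        "User-Agent": "Mozilla/5.0 (X11; Linux x86_64)",
        "Accept-Language": "en-US"}},
    {"src": "203.0.113.91", "headers": {
        "Host": "sinkholed.example", "User-Agent": "curl/8.0"}},
]


def looks_like_browser(headers):
    """Assumed heuristic: a person clicking a posted link sends a Mozilla-style
    User-Agent plus Accept-Language or Referer; a bare programmatic request
    does not. HTTP header names are case-insensitive, so normalise them."""
    h = {name.lower(): value for name, value in headers.items()}
    if not h.get("user-agent", "").startswith("Mozilla/"):
        return False
    return "accept-language" in h or "referer" in h


def export_counts(requests):
    """Count unique sources before and after the browser filter."""
    all_sources = {r["src"] for r in requests}
    non_browser = {r["src"] for r in requests
                   if not looks_like_browser(r["headers"])}
    return {
        "unfiltered_sources": len(all_sources),    # what an unfiltered graph shows
        "non_browser_sources": len(non_browser),   # what the filtered export keeps
        "browser_only_sources": len(all_sources - non_browser),
    }


if __name__ == "__main__":
    print(export_counts(SAMPLE_REQUESTS))
```

The curl record is kept as a non-browser source, which is why a count like this covers "almost all" infections rather than exactly the infected hosts.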
