Malware Analysis

Necurs.P2P – A New Hybrid Peer-to-Peer Botnet

Last week I received a tip about a sample displaying some indication that it could be peer-to-peer (a large amount of UDP traffic being sent to residential IPs), after a couple days of analysis I was able to confirm that not only was it peer-to-peer but also currently active. The person …

Malware Analysis

Exploring Peer to Peer Botnets

Peer to Peer and Everything In between Back in October I’d gotten bored of the endless stream of cryptolockers and PoS trojan, so decided to look at something old school, that something was Kelihos. Since then, I’ve come to realize that P2P botnet monitoring brings together two of my favorite …

Threat Intelligence

Darkode – Ode to Lizard Squad (The Rise and Fall of a Private Community)

For the 10 of you who don’t know, darkode was on of the most active English-speaking “underground” cybercrime boards. The forum was started around 2009 by a coder named “Iserdo” and gained popularity off the back of Iserdo’s bot, “Buterfly bot” (AKA Mariposa), which was sold there. In The Beginning …

Malware Analysis

Usermode System Call hooking – Betabot Style

This is literally the most requested article ever, I’ve had loads of people messaging me about this (after the Betabot malware made it famous). I had initially decided not to do an article about it, because it was fairly undocumented and writing an article may have led to more people …

Threat Intelligence

The Centralization of Fraud

Everyone is aware of the dangers of credit/debit cards, right? You get infected with banking malware or you leave your wallet at the bar, next thing you know there are bills for things you don’t remember purchasing showing up on your bank statement. Well there was once a time when …

Malware Analysis

Rise of the dual architecture usermode rootkit

A bit about past rootkits In the past it has been very common to see usermode rootkits that only attack one architecture, which has usually been 32-bit. A standard rootkit injects code into specific/all running processes in order to modify code inside them, this then allows it to hide itself …