Top IT Security Bloggers

Arbor Networks
  • Automating Intelligence: Discovering Recent PlugX Campaigns Programmatically
    One of the hardest things to do when you receive malware that has “anonymized” (e.g. name-is-hash) names, or general samples that lack any indication of the infection vector, is to determine the origin of the file and its intended target. Even harder is when you do not receive telemetry data from products that contain information […]
  • An Update on the UrlZone Banker
    UrlZone is a banking trojan that appeared in 2009. Searching its name or one of its aliases (Bebloh or Shiotob) reveals a good deal of press from that time period along with a few technical analyses in 2009 [1] [2], 2012 [3], and 2013 [4]. Despite having a reputation for evolving, there doesn’t seem to […]
  • Flu season starting early: the H1N1 Loader
    The H1N1 Loader appears to be a relatively new downloader family that, to the best of our knowledge, was initially discovered and analyzed by the security community in May 2015. We have seen several samples show up in our malware zoo this spring and have documented our preliminary findings from a network communications perspective in a […]
  • How to Become an Internet Supervillain in Three Easy Steps
    One of the truisms of comic books and graphic novels is that nothing is immutable – both heroes and villains are rebooted, retconned, featured as radically (or subtly) different versions in alternate timelines, etc. The Marvel Cinematic Universe, which so far includes the Captain America, Thor, Hulk, Iron Man, and Avengers films, is [...]
  • Bedep’s DGA: Trading Foreign Exchange for Malware Domains
    As initially researched by Trend Micro [1] [2], Zscaler [1] [2], Cyphort, and Malware don’t need Coffee, the Bedep malware family focuses on ad/click fraud and the downloading of additional malware. ASERT’s first sample dates from September 22, 2014, which is in line with when Trend Micro started seeing it in their telemetry. In early 2015, the family got some more attention when it was observed as the malware payload for [...]
  • Neverquest: A global threat targeting Financials
    By: ASERT Research Team
    On March 31st, Arbor’s Security Engineering & Response Team (ASERT) published a detailed threat brief on the Neverquest malware for Arbor customers. Along with thousands of IOCs (indicators of compromise), the brief details Neverquest’s current inner workings and describes some reversing techniques ASERT uses to unravel and monitor this stealthy and quickly evolving malware. Applying this research at scale to malware and data acquired by our global ATLAS initiative allows us to develop targeted defenses and security [...]
  • DDoS Attacks in the Wake of French Anti-terror Demonstrations
    On January 15th, France’s chief information systems defense official, Adm. Arnaud Coustilliere, announced a sharp rise in online attacks against French web sites:

    “Calling it an unprecedented surge, Adm. Arnaud Coustilliere, head of cyberdefense for the French military, said about 19,000 French websites had faced cyberattacks in recent days, …” [1].

    As we’ve done in the recent past for North Korea [2], Hong Kong [3], and Israel [4], we can leverage Arbor’s ATLAS initiative to observe how real-world conflict [...]
  • North Korea Goes Offline
    It was reported earlier today that North Korea was having Internet connectivity issues.
    Given recent events involving Sony Pictures Entertainment (SPE), these reports are of particular interest. The first question when you see this type of report is whether it’s purely a connectivity issue or whether an attack is behind it. While visibility into North Korean Internet is quite difficult, we are able to see quite a few attacks over the last few days.
    1.) All targets are in this netblock:
    inetnum:       175.45.176.0 [...]
  • DDoS Activity in the Context of Hong Kong’s Pro-democracy Movement
    In early August, we examined data demonstrating a striking correlation between real-world and online conflict [1], which ASERT tracks on a continual basis [2-7]. Recent political unrest provides another situation in which strong correlative indicators emerge when conducting time-series analysis of DDoS attack data.
    The latest round of pro-democracy protests in Hong Kong began on September 22nd when “. . . Students from 25 schools and universities go ahead with a week-long boycott to protest Beijing’s decision to proceed with indirect [...]
  • MindshaRE: Statically Extracting Malware C2s Using Capstone Engine
    It’s been far too long since the last MindshaRE post, so I decided to share a technique I’ve been playing around with to pull C2 and other configuration information out of malware that does not store all of its configuration information in a set structure or in the resource section (for a nice set of publicly available decoders check out KevTheHermit’s RATDecoders repository on GitHub). Being able to statically extract this information becomes important in the event that [...]