Targeted Not Targeted

In the past, I used to encounter people who consistently expressed skepticism about truly targeted activity “why would a nation-state target us?” Following the onslaught of publicly available reports of APT activity over the years, I more commonly encounter those that interpret indiscriminate malicious activity encountered by their organization as targeted “we were targeted by […]

“Commodity Malware” is not the Opposite of Targeted Malware

I really don’t like the term “commodity malware”. It’s not that commodity is necessarily an inaccurate description of a particular piece of malware. And it’s not that knowing whether malware can be purchased or is publicly available is not useful, it’s that just because malware may be characterized as commodity it does not indicate whether […]

10 Years Since Ghostnet

On March 28, 2009 the Citizen Lab released “Tracking GhostNet“. So much has changed since then, both for me personally as well as the research community, the industry and the threat landscape itself. It has been a long time since I updated this blog, in fact, the last entry was at the end of 2010. […]

2010 and Beyond

The year of 2010 has been an interesting for malware researchers. From the attacks on Google through to the ShadowNet there have been many interesting cases that targeted high profile targets. However, traditional threats such as Zeus, Spyeye and fake antivirus software continue to be what most Internet users face on a daily basis. Moreover, […]

RX-promotion: A Pharma Shop

More than 65% of spam consists of “pharmaceutical spam” sent through a variety of well known spam botnets such as Rustock and Cutwail. These spam messages use multiple shop brands and sell a variety of drugs, especially Viagra. These pills, sometime fake pills, are shipped to buyers from pharma manufacturers, often in India or China. […]

Pack Mules: The Re-Shipping Fraud & Malware Connection

Malware toolkits are designed to steal information, such as bank account data, and provide cyber criminals with vast quantities of stolen credentials. Every day, credit card numbers stolen by malware such as Zeus and SpyEye are bought and sold in the underground economy. This has given rise to the recruitment of “pack mules.” When using […]

Koobface: Inside a Crimeware Network

The Information Warfare Monitor (Citizen Lab, Munk School of Global Affairs, University of Toronto and the SecDev Group, Ottawa) announce the release of Koobface: Inside a Crimeware Network by Nart Villeneuve, with a foreword by Ron Deibert and Rafal Rohozinski. The full report can be accessed here (local mirror): Globe and Mail coverage of the […]

Nobel Peace Prize, Amnesty HK and Malware

There have been two recent attacks involving human rights and malware. First, on November 7, 2010, posted an analysis of a malware attack that masqueraded as an invitation to attend an event put on by the Oslo Freedom Forum for Nobel Peace Prize winner Liu Xiaobo. The malware exploited a known vulnerability (CVE-2010-2883) in […]

Clustering Zeus Command and Control Servers Part 2

In Part 1 of “Clustering Zeus Command and Control Servers” I focused on clustering Zeus command and control servers based on three criteria: IP addresses, domain names, and email addresses used to register domain names. Using data drawn from ZeusTracker and MalwareDomainList, I observed that while a wide variety of criminals may set up disparate […]

Command and Control in the Cloud

In “Shadows in the Cloud: An investigation into cyber espionage 2.0” my co-authors and I analyzed the command and control infrastructure of a network that extracted secret, confidential and restricted documents from the Indian government and military. The Shadow Network used a complex and tiered command and control infrastructure that leveraged Twitter, Google Groups, Blogspot, […]

Malware Diversification

There are wide varieties of malware, many of which have similar functionality. As a result there is a tendency to portray them as being in competition with on another. In some ways this is true, especially when it comes to malware authors, however, I prefer to see it as less of a rivalry and more […]

Clustering Zeus Command and Control Servers

Recently, more than 150 individuals around the world have been arrested on bank fraud related charges after using the Zeus malware to acquire credentials that enabled the criminals to steal more than $70 million dollars. Those arrested include five Ukrainian individuals that are believed to be the masterminds behind the operation. Brian Krebs notes that […]

Black Hat SEO, PPC & RogueAV Part 2

Part 1 of “Black Hat SEO, PPC & RogueAV” focused on the type and amount of incoming traffic generated through BlackHat SEO methods. This traffic is monetized through the use of RogueAV, Pay-Per-Click and Pay-Per-Install affiliates. This post continues the analysis of this campaign by providing a inside look at this BHSEO operation. The attackers […]


The Kraja botnet has managed to compromise 185,645 computers, the vast majority of which are located in Russia. Of the 199,513 unique IP addresses recorded from compromised computers, 87.88% are in IP address ranges assigned to Russia. The name “Kraja botnet” comes from an image located on the command and control server which was originally […]

Old Threats are Current Threats

Despite the fact that the authors of the Pinch Trojan were “pinched” by law enforcement in 2007, the Pinch Trojan continues to be a current threat both because the source code is available (so anyone can modify it and release a variant) but also because old versions of Pinch continue to be effectively used. In […]