The “Kneber” Botnet, Spear Phishing Attacks and Crimeware

After I received an email from Jeff Carr warning about a spoofed email containing malware, I asked Jeff to send it along. It turns out that the attackers also used portions of a blog post by Brian Krebs as lure. What is interesting is that the attack targeted .mil and .gov email addresses using text from […]

Decrypting the Google statement

There have been many articles saying that Google is pulling out of China. Well, that’s not exactly what Google said. Here is exactly what Google stated: We have decided we are no longer willing to continue censoring our results on Google.cn, and so over the next few weeks we will be discussing with the Chinese government […]

Chatter…

This post is my analysis of publicly available information on the attack against Google. I think that Google linked to my blog and the GhostNet report because of similarities in methods, not because the two cases are linked. This post combines my analysis of Google’s statement, media reports and my experience with other attacks — […]

Google’s New Approach

Google has just announced that there were successful attacks against their infrastructure resulting in the theft of intellectual property. Google traced the attacks to China and, although the attribution regarding the Chinese government is unclear, Google also discovered that the attackers attempted to compromise the Gmail accounts of Chinese human rights activists. But the […]

Malware Market

It’s no surprise that there is a malware market, an ecosystem of buyers, sellers and middlemen known as “guarantors”. In a very interesting post, “The botnet ecosystem”, Vitaly Kamluk explains the way in which this system works. There is a malware market in which malicious code and services are exchanged with the help of trusted […]

Thoughts on Critical Infrastructure Protection

In a very interesting paper for the International Risk Governance Council, Ortwin Renn describes a framework that provides an “analytic structure for investigating and supporting the treatment of risk issues.” Renn argues that risks are “mental ‘constructions’” in which actors link signals from the real world with “experience of actual harm” along with “the belief […]

Adventures in Russian Malware

I just posted an analysis of a pcap file from a political figure. While I expected to find targeted malware that was possibly associated with political activities, I found a bunch of Russian/Ukrainian malware. What I found interesting, and which seems to match what key security community folks are seeing (here and here), is a […]

Russian Malware Bundle

by Nart Villeneuve

This Malware Lab blog post analyzes a packet capture file from an infected computer associated with a political figure. While evidence of compromise was found, the malware infection is most likely unrelated to political activities and was not a targeted attack. Rather, the infection is related to the criminal activities of attackers […]

Rogue AV: IAV Pro

Internet AntiVirus Pro is rogue anti-virus software that uses fake scans and threats to entice users into downloading and purchasing the software. Moreover, IAV uses intermediary sites that force users to download the software. There is no easy way to uninstall the software, and IAV demands that people pay to receive software that […]

“0day”: Civil Society and Cyber Security

by Nart Villeneuve & Greg Walton

Civil society organizations face a wide range of online security threats that they are often ill equipped to defend. The lack of both resources and training leaves many organizations vulnerable to even basic Internet-based attacks. However, civil society organizations are being compromised by attackers using “0day” exploits – vulnerabilities […]

“0day”: Civil Society and Cyber Security

Greg and I have put up a new post on the IWM and Malware Lab about 0day exploits and Civil Society organizations. It’s not about coordinated 0day attacks but rather some general trends and patterns that we’re seeing. We’re finding that the websites of civil society organizations are being used to push malware — […]

Hossein Derakhshan

Cyrus Farivar has posted a translation of a letter sent by Hossein’s father to Ayatollah Larijani. It has been almost a year since Hossein was arrested and still there have been no charges laid against him, his family has only been able to meet with him twice for a few minutes and they don’t know […]

GhostNet in Portugal

A new report from www.trusted.pt documents their investigation into GhostNet in Portugal. I’ve only been able to read it via Google translate but it seems very interesting. During the GhostNet investigation we found several Portuguese infections including: Embassy of Portugal, Germany; Embassy of Portugal, France; Embassy of Portugal, Finland; CEGER, Management Center for the Electronic […]

Russian Botnet Readme.txt

A recent Malware Lab investigation I’ve been working on led me to two interesting files on a Russian botnet: readme.txt and version.txt. I don’t know if these are well known or not, but they describe how to install the botnet backend as well as what’s been added between versions 1.0 and 6.0. Here are the executables […]

Targeted Malware Attack on Foreign Correspondents based in China

By Nart Villeneuve and Greg Walton

Overview

There have been recent reports of malware attacks on journalists based in China. The attacks specifically targeted Chinese employees working for media organizations, including Reuters, the Straits Times, Dow Jones, Agence France Presse, and Ansa.[1] These employees received an email from “Pam” who claimed to be an […]