Malware Attacks on Solid Oak After Dispute with Greendam



A while back I posted an analysis of attacks on Solid Oak (the makers of CyberSitter) after a dispute with a Chinese firm that produced GreenDam over stolen code. Rob Lemos covered the story and also revealed that the law firm representing Solid Oak subsequently came under a similar targeted malware attack. The story has […]

The Aurora Mess



The data about Aurora has always felt just a little off for me. Maybe its that everyone writing about it just has their own piece of the puzzle to analyse, without the detail required to accurately link the pieces together. When it comes to the command and control infrastructure, maybe it’s that some obfuscated the […]

The “Kneber” Botnet, Spear Phishing Attacks and Crimeware



After I received an email from Jeff Carr warning about a spoofed email containing malware, I asked Jeff to send it along. It turns out that the attackers also used portions of a blog post by Brian Krebs as lure. What interesting is that the attack targeted .mil and .gov email addresses using text from […]

Decrypting the Google statement



There have been many articles saying that Google is pulling out China. Well, that’s not exactly what Google said. Here is exactly what Google stated: We have decided we are no longer willing to continue censoring our results on Google.cn, and so over the next few weeks we will be discussing with the Chinese government […]

Chatter…



This post is my analysis of publicly information available on the attack against Google. I think that Google linked to my blog and the GhostNet report because of similarities in methods, not because the two cases are linked. This post combines my analysis of Google’s statement, media report and my experience with other attacks — […]

Google’s New Approach



Google has just announced that there were successful attacks against their infrastructure resulting in the theft of intellectual property. Google traced the attacks to China and although the attribution regarding the Chinese government is unclear, Google also discovered that the attackers also attempted to compromise the Gmail accounts of Chinese human rights activists. But the […]

Malware Market



It’s no surprise that there is a malware market, an ecosystem of buyers, sellers and middlemen known as “guarantors”. In a very interesting post, “The botnet ecosystem“, Vitaly Kamluk explains the way in which this system works. There is a malware market in which malicious code and services are exchanged with the help of trusted […]

Thoughts on Critical Infrastructure Protection



In a very interesting paper for the International Risk Governance Council, Ortwin Renn describes a framework that provides an “analytic structure for investigating and supporting the treatment of risk issues.” Renn argues that risks are “mental ‘constructions’” in which actors link signals from the real world with “experience of actual harm” along with “the belief […]

Adventures in Russian Malware



I just posted an analysis of a pcap file from a political figure. While I expected to find targeted malware tat was possibly associated with political activities, I found a bunch of Russian/Ukrainian malware. What I found interesting, and which seems to match what key security community folks are seeing (here and here), is a […]

Russian Malware Bundle



by Nart Villeneuve This Malware Lab blog post analyzes a packet capture file from an infected computer associated with a political figure. While evidence of compromise was found, the malware infection is most likely unrelated to political activities and was not a targeted attack. Rather, the infection is related to the criminal activities of attackers […]

Rogue AV: IAV Pro



Internet AntiVirus Pro is rogue anti-virus software that is uses fake scans and threats to entice users into downloading and purchasing the software. Moreover, IAV uses intermediary sites that force users to download the software. there is no easy way to uninstall the software and the IAV demonds that people pay to receive software that […]

“0day”: Civil Society and Cyber Security



by Nart Villeneuve & Greg Walton Civil society organizations face a wide range of online security threats that they are often ill equipped to defend. The lack of both resources and training leaves many organizations vulnerable to even basic Internet-based attacks. However, civil society organizations are being compromised by attackers using “0day” exploits – vulnerabilities […]

“0day”: Civil Society and Cyber Security



Greg and I have put up a new post on the IWM and Malware Lab about 0day exploits and Civil Society organizations. It s not about coordinated 0day attacks but rather some general trends and patterns that we’re seeing. We’re finding that the websites of civil society organizations are being used to push malware — […]

Hossein Derakhshan



Cyrus Farivar has posted a translation of a letter sent by Hossein’s father to Ayatollah Larijani. It has been almost a year since Hossein was arrested and still there have been no charges laid against him, his family has only been able to meet with him twice for a few minutes and they don’t know […]

GhostNet in Portugal



A new report from www.trusted.pt documents their investigation into GhostNet in Portugal. I’ve only been able to read it via Google translate but it seems very interesting. During the GhostNet investigation we found several Portuguese infections including: Embassy of Portugal, Germany Embassy of Portugal, France Embassy of Portugal, Finland CEGER, Management Center for the Electronic […]