Targeted Malware Attack on Foreign Correspondents based in China

There’s a new Infowar Monitor blog post by Greg and me on the targeted malware attack on foreign correspondents based in China. The case is interesting to me because of the connections to other attacks that have been investigated by others, including Maarten Van Horenbeeck, F-Secure, ThreatExpert, and us in the past. For me, it [...]

Beware of Correlation

“Correlation does not imply causation.” If you’re into “cyberwar” read and repeat this three times. When it comes to internet-based attacks, such as the recent DDoS attacks against South Korea and the U.S., questions arise regarding the identity and motivations of those responsible for the attacks. Because attribution is difficult, if not close to [...]

Ru-Ge Skepticism

The Internet-based attacks surrounding the Russia-Georgia conflict in August 2008 have resurfaced thanks to a report by the U.S. Cyber Consequences Unit (US-CCU). Because the report is top secret, all that is publicly available is a summary. There are a number of reports on the Ru-Ge incident. While some are very well done, noticeably absent [...]

When Hype is the Threat Part 2

Recently, Jim Harper, Director of Information Policy Studies at the CATO Institute, stated that “both cyber terrorism and cyber warfare are concepts that are gross exaggerations of what’s possible through Internet attacks,” and it rubbed some the wrong way. But the overall point he was making is somewhat lost when focusing on this quote alone. [...]

Link Dump

BlackBerry Spyware Dissected – Analysis by Veracode. My favourite quote: “it’s not even necessary to send the .jar, but they did, completely unobfuscated. Arrogance or incompetence?”

The 0s and 1s of Computer Warfare – Op-Ed by Evgeny Morozov. My favourite quote: “A serious international debate about cybersecurity is impossible if our only reference points [...]

Iran DDOS 2

I just read a great post by Jose Nazario suggesting that there hasn’t been much evidence of the use of botnets. But the most interesting point he makes is where he points out that the site under attack could take offensive action against the people participating in these “refresh” style attacks: The attackers who participate [...]

Iran DDOS

There have been a variety of good reports (zdnet, sans, fp) on the DDOS campaigns targeting Iranian sites after the election. However, one of the things I’ve noticed is the tendency to characterize this as something relatively new. But this has been happening for at least a decade! See http://www.fraw.org.uk/download/ehippies/archive/op-01.html, http://www.fraw.org.uk/download/ehippies/archive/op-01a.html, http://www.thing.net/~rdom/ecd/archives.html I [...]

pwn3d botnets

Two recent reports have been published that document how the C&C servers of two large botnets were accessed by researchers. The first comes from Finjan which discovered a botnet, dubbed Hexzone, with 1.9 million infected hosts. (Also see Jose Nazario’s post on this.) The second report documents the exploitation of the Torpig botnet by researchers [...]

Lots of Stuff

CIPAV – docs 1, 2, 3 — Because suspects are increasingly using tools to mask their IP address, the FBI now uses a “computer and internet protocol address verifier” to identify a suspect’s IP (as well as additional info). It appears to work by leveraging various “drive-by” exploits. On a worrying note, the first [...]

“Debunking” GhostNet

If by “debunking” you mean “validating” the GhostNet report you should listen to Paul Ducklin from Sophos discuss GhostNet in this interview. To be fair to Ducklin, I think that his comments are pretty much spot on but the host appears to be confused between our GhostNet report and the “Snooping Dragon” report by the [...]

Tor Website blocked at My Hotel

My hotel uses OpenDNS to block access to the Tor website. Google Translate is also blocked. They are categorized as “Proxy/anonymizer”. This is one of the most annoying things about filtering. I just wanted to quickly translate some text from Russian to English and then read the Tor blog and …. Yes, in order to [...]

When Hype is the Threat

Articles like this are very irritating. They are short on detail and long on hype. And when that hype focuses on the wrong threat, it becomes the threat itself. This WSJ article is a typical case. These stories are not new and they pop up from time to time, usually focused on Russian or Chinese [...]

GhostNet & CasperNet

DarkVisitor picked up on some information in the GhostNet report that we didn’t really focus on — the email addresses and other information in the domain name registration records — and were able to track down the owner of the email address listed in the registry information associated with the control servers www.lookbytheway.net and www.macfeeresponse.org. [...]

Symantec & GhostNet

Symantec has put out a nice video demonstrating how gh0stRAT works. We gave the name “GhostNet” to the network of infected computers we uncovered because of the attackers’ use of the gh0stRAT tool, but it is important to bear in mind how the whole operation works, as gh0stRAT is just one part of it. One [...]

GhostNet Update

Starting on March 30 2009 the GhostNet started coming down. The attacker began removing the files and directories being used and then began to configure the domain names of some of the control servers to point to 127.0.0.1. Files hosted on other (probably compromised) “command” servers also started disappearing at the same time. It’ll be interesting [...]