Dynamic Malware Binaries

I recently found the distribution point for a malware affiliate that dynamically generates a new binary (but the same malware) every time it is queried. The malware distributors periodically query the affiliate's distribution point to receive a new binary. However, any query to the distribution location results in a binary with a different hash value. […]

Black Hat SEO, PPC & RogueAV

Search Engine Optimization (SEO) is a term that refers to efforts to increase the rankings of a website so that it appears in the top results when searching for particular key words in a search engine. Black Hat SEO refers to “unscrupulous” SEO techniques often used to promote Rogue/Fake security software and pay-per-click (PPC) advertisement […]

Traffic Direction Systems

Traffic Direction Systems (TDS) are used as landing pages that direct traffic to malicious content based on a variety of criteria such as operating system, browser version and geographic location. There are a variety of TDS systems available including Sutra TDS (www.kytoon.com/sutra-tds.html). Finjan posted an interesting analysis of one campaign (it no longer appears to […]

The Ambler Botnet

[UPDATED to include makeithappen2ce.info and zhogdiana.info] In the past, the operators of large botnets sought to expand the size of their operations and cared little for the details of any individual compromised computer — one bot was as good, for the most part, as any other. Any one of the thousands of computers under their […]

Human Rights and Malware Attacks

Human Rights and Malware Attacks by Nart Villeneuve On March 18, 2010, unknown attackers sent a spear phishing email that appeared to be from Sharon Hom, the Executive Director of Human Rights in China (HRIC), to a variety of organizations and individuals. Leveraging the trust and recognition of HRIC, the attackers’ email encouraged recipients to […]

A Random Walk Through the Malware Ecosystem

The forum at darkcc.com is a location where buyers and sellers of stolen credit card information conduct exchanges. There are many forums like this that are part of the thriving market that sustains the “botnet ecosystem.” The servers that host these types of forums are typically involved in a variety of nefarious activities. This one […]

Thanks for the malware

I checked my inbox today and found an interesting email:

Blurring the Boundaries Between Cybercrime and Politically Motivated Attacks

An emerging area of inquiry in security research is the blurring boundaries between cybercrime and other, more targeted forms of attack, and more specifically attacks that appear to be politically motivated. These attacks often take the form of targeted malware attacks that act as a form of surveillance in which sensitive documents and communications are […]

Shadows in the Cloud

Last year, at just about this time, the InfoWar Monitor (IWM) released the “Tracking GhostNet” report which detailed our investigation into a cyber-espionage network that has compromised 1200+ computer systems spread across 103 countries, including ministries of foreign affairs, embassies, international organizations, news organizations, and even a computer located at NATO headquarters. I remember when […]

Vietnam & Aurora

[UPDATE: See “Vecebot Trojan Analysis” by SecureWorks.] A while back I wrote a post about “Aurora Mess” in which I tried, unsuccessfully, to make sense of the different assessments of the attacks on Google and at least 20 other companies within the security community. I was trying to grapple with the way in which Google […]

GoDaddy, .CN, Malware & Freedom of Expression

The domain registrar GoDaddy testified before the U.S. Congressional-Executive Commission on China and stated that they would “discontinue offering new .CN domain names” citing concerns over an “increase in China’s surveillance and monitoring of the Internet activities of its citizens” and the “chilling effect” that the retroactive application of new requirements on .CN domain names […]

Rogue AV, ZeuS and Spear Phishing

Brian Krebs just posted a great article about avprofit.com, an affiliate program for malware distributors, who get $1 per install. But they don’t just spread rogue (fake) anti-virus software, they also spread ZeuS: Distributors or “affiliates” who sign up with avprofit.com, for example, are given access to an installer program that downloads not only rogue […]

google.cn -> google.com.hk

Yesterday Google began redirecting requests for google.cn to google.com.hk effectively ending its years of self-censorship in China. To be clear, Google has not ended censorship in China — Google has ended its own self-censorship. While searches within the .hk google are not censored by Google, they will still be affected by China’s keyword filtering. This […]

Google, Yahoo, Microsoft Still Censoring In China

Today MSNBC reported that Google “appears” to have stopped censoring its search engine in China, google.cn. This is not true. In Search Monitor Project: Toward a Measure of Transparency I tried to carefully document the different censorship practices among Google, Yahoo, Microsoft and Baidu. (Here are some more posts on this issue.) In short, it […]

Malware Attacks on Solid Oak After Dispute with Greendam

A while back I posted an analysis of attacks on Solid Oak (the makers of CyberSitter) after a dispute with a Chinese firm that produced GreenDam over stolen code. Rob Lemos covered the story and also revealed that the law firm representing Solid Oak subsequently came under a similar targeted malware attack. The story has […]