Crime or Espionage? Part 2

In “Crime or Espionage Part 1” I examined a series of attacks that appear to be aimed at those interested in intelligence issues and those in the government and military. The malware used in these attacks was ZeuS and there are common command and control elements used in the attacks beginning in December 2009 and […]

Crime or Espionage?

ZeuS is a well known crimeware tool kit that is readily available online. The tool allows even the most unskilled to operate a botnet. Typically, Zeus has been associated with banking fraud. Recently, there have been a series of attacks using the Zeus malware that appear to be less motivated by bank fraud and more […]

Dynamic Malware Binaries

I recently found the distribution point for a malware affiliate that dynamically generates a new binary (but the same malware) every time it is queried. The malware distributors periodically query the affiliate's distribution point to receive a new binary. However, any query to the distribution location results in a binary with a different hash value. […]

Black Hat SEO, PPC & RogueAV

Search Engine Optimization (SEO) is a term that refers to efforts to increase the rankings of a website so that it appears in the top results when searching for particular key words in a search engine. Black Hat SEO refers to “unscrupulous” SEO techniques often used to promote Rogue/Fake security software and pay-per-click (PPC) advertisement […]

Traffic Direction Systems

Traffic Direction Systems (TDS) are used as landing pages that direct traffic to malicious content based on a variety of criteria such as operating system, browser version and geographic location. There are a variety of TDS systems available including Sutra TDS ( Finjan posted an interesting analysis of one campaign (it no longer appears to […]

The Ambler Botnet

[UPDATED to include and] In the past, the operators of large botnets sought to expand the size of their operations and cared little for the details of any individual compromised computer — one bot was as good, for the most part, as any other. Any one of the thousands of computers under their […]

Human Rights and Malware Attacks

Human Rights and Malware Attacks by Nart Villeneuve On March 18, 2010, unknown attackers sent a spear phishing email that appeared to be from Sharon Hom, the Executive Director of Human Rights in China (HRIC), to a variety of organizations and individuals. Leveraging the trust and recognition of HRIC, the attackers’ email encouraged recipients to […]

A Random Walk Through the Malware Ecosystem

The forum at is a location where buyers and sellers of stolen credit card information conduct exchanges. There are many forums like this that are part of the thriving market that sustains the “botnet ecosystem.” The servers that host these types of forums are typically involved in a variety of nefarious activities. This one […]

Thanks for the malware

I checked my inbox today and found an interesting email:

Blurring the Boundaries Between Cybercrime and Politically Motivated Attacks

An emerging area of inquiry in security research is the blurring boundaries between cybercrime and other, more targeted forms of attack, and more specifically attacks that appear to be politically motivated. These attacks often take the form of targeted malware attacks that act as a form of surveillance in which sensitive documents and communications are […]

Shadows in the Cloud

Last year, at just about this time, the InfoWar Monitor (IWM) released the “Tracking GhostNet” report which detailed our investigation into a cyber-espionage network that has compromised 1200+ computer systems spread across 103 countries, including ministries of foreign affairs, embassies, international organizations, news organizations, and even a computer located at NATO headquarters. I remember when […]

Vietnam & Aurora

[UPDATE: See “Vecebot Trojan Analysis” by SecureWorks.] A while back I wrote a post about “Aurora Mess” in which I tried, unsuccessfully, to make sense of the different assessments of the attacks on Google and at least 20 other companies within the security community. I was trying to grapple with the way in which Google […]

GoDaddy, .CN, Malware & Freedom of Expression

The domain registrar GoDaddy testified before the U.S. Congressional-Executive Commission on China and stated that they would “discontinue offering new .CN domain names” citing concerns over an “increase in China’s surveillance and monitoring of the Internet activities of its citizens” and the “chilling effect” that the retroactive application of new requirements on .CN domain names […]

Rogue AV, ZeuS and Spear Phishing

Brian Krebs just posted a great article about, an affiliate program for malware distributors, who get $1 per install. But they don’t just spread rogue (fake) anti-virus software, they also spread ZeuS: Distributors or “affiliates” who sign up with, for example, are given access to an installer program that downloads not only rogue […]

Yesterday Google began redirecting requests for to effectively ending its years of self-censorship in China. To be clear, Google has not ended censorship in China — Google has ended its own self-censorship. While searches within the .hk google are not censored by Google, they will still be affected by China’s keyword filtering. This […]