GhostNet in Portugal

A new report from documents their investigation into GhostNet in Portugal. I’ve only been able to read it via Google Translate, but it seems very interesting. During the GhostNet investigation we found several Portuguese infections, including: Embassy of Portugal, Germany; Embassy of Portugal, France; Embassy of Portugal, Finland; CEGER, Management Center for the Electronic […]

Russian Botnet Readme.txt

A recent Malware Lab investigation I’ve been working on led me to two interesting files on a Russian botnet: readme.txt and version.txt. I don’t know if these are well known or not, but they describe how to install the botnet backend as well as what’s been added between versions 1.0 and 6.0. Here are the executables […]

Targeted Malware Attack on Foreign Correspondents based in China

By Nart Villeneuve and Greg Walton Overview There have been recent reports of malware attacks on journalists based in China. The attacks specifically targeted Chinese employees working for media organizations, including Reuters, the Straits Times, Dow Jones, Agence France Presse, and Ansa.1 These employees received an email from “Pam ” who claimed to be an […]

Targeted Malware Attack on Foreign Correspondents based in China

There’s a new Infowar Monitor blog post by Greg and me on the targeted malware attack on foreign correspondents based in China. The case is interesting to me because of the connections to other attacks that have been investigated by others, including Maarten Van Horenbeeck, F-Secure, ThreatExpert, and us in the past. For me, it […]

Beware of Correlation

“Correlation does not imply causation.” If you’re into “cyberwar”, read and repeat this three times. When it comes to internet-based attacks, such as the recent DDoS attacks against targets in South Korea and the U.S., questions arise regarding the identity and motivations of those responsible for the attacks. Because attribution is difficult, if not close to […]

Ru-Ge Skepticism

The Internet-based attacks surrounding the Russia-Georgia conflict in August 2008 have resurfaced thanks to a report by the U.S. Cyber Consequences Unit (US-CCU). Because the report is top secret, all that is publicly available is a summary. There are a number of reports on the Ru-Ge incident. While some are very well done, noticeably absent […]

When Hype is the Threat Part 2

Recently, Jim Harper, Director of Information Policy Studies at the CATO Institute, stated that “both cyber terrorism and cyber warfare are concepts that are gross exaggerations of what’s possible through Internet attacks,” and it rubbed some the wrong way. But the overall point he was making is somewhat lost when focusing on this quote alone. […]

Link Dump

BlackBerry Spyware Dissected – Analysis by Veracode. My favourite quote: “it’s not even necessary to send the .jar, but they did, completely unobfuscated. Arrogance or incompetence? ” The 0s and 1s of Computer Warfare – Op-Ed by Evgeny Morozov. My favourite quote: “A serious international debate about cybersecurity is impossible if our only reference points […]

Iran DDOS 2

I just read a great post by Jose Nazario suggesting that there hasn’t been much evidence of the use of botnets. But the most interesting point he makes is where he points out that the site under attack could take offensive action against the people participating in these “refresh” style attacks: The attackers who participate […]


There have been a variety of good reports (zdnet, sans, fp ) on the DDOS campaigns targeting Iranian sites after the election. However, one of the things I’ve noticed is the tendency to characterize this as something relatively new. But this has been happening for at least a decade! See, ,, I […]

pwn3d botnets

Two recent reports have been published that document how the C&C servers of two large botnets were accessed by researchers. The first comes from Finjan which discovered a botnet, dubbed Hexzone, with 1.9 million infected hosts. (Also see Jose Nazario’s post on this.) The second report documents the exploitation of the Torpig botnet by researchers […]

Lots of Stuff

CIPAV – docs 1, 2, 3 — Because suspects are increasingly using tools to mask their IP address, the FBI now uses a “computer and internet protocol address verifier” to identify a suspect’s IP (as well as additional info). It appears to work by leveraging various “drive-by” exploits. On a worrying note, the first […]

“Debunking” GhostNet

If by “debunking” you mean “validating” the GhostNet report you should listen to Paul Ducklin from Sophos discuss GhostNet in this interview. To be fair to Ducklin, I think that his comments are pretty much spot on but the host appears to be confused between our GhostNet report and the “Snooping Dragon” report by the […]

Tor Website blocked at My Hotel

My hotel uses OpenDNS to block access to the Tor website. Google Translate is also blocked. They are categorized as “Proxy/anonymizer”. This is one of the most annoying things about filtering. I just wanted to quickly translate some text from Russian to English and then read the Tor blog and …. Yes, in order to […]

When Hype is the Threat

Articles like this are very irritating. They are short on detail and long on hype. And when that hype focuses on the wrong threat, it becomes the threat itself. This WSJ article is a typical case. These stories are not new, and they pop up from time to time, usually focused on Russian or Chinese […]