DDoS Extortion E-mail: Yet Another Bluff?, (Fri, Jul 7th)

And DDoS extortion campaigns continue to be reported. Two weeks ago, Johannes Ullrich published a diary [1] about a fake DDoS threat pretending to be sent from Anonymous, threatening the targeted company with a massive attack if they weren't paid in Bitcoins. Yesterday a similar extortion campaign was reported to us, although this time it was followed by a real DDoS test, as promised by …

Investigation of BitTorrent Sync (v.2.0) as a P2P Cloud Service (Part 2 - Log Files artefacts), (Wed, Jul 5th)

[This is a second guest diary by Dr. This post discusses evidence that can be extracted from the log files of BitTorrent Sync version 2.0 on Windows 8.1, Mac OS X Mavericks 10.9.5, and Ubuntu 14.04.1 LTS. BitTorrent Sync stores its logs in the application folder, in a file named sync.log …

Selecting domains with random names, (Wed, Jul 5th)

I often have to go through lists of domains or URLs and filter out domains that look like random strings of characters (and could thus have been generated by malware using a domain generation algorithm). That's one of the reasons I developed my re-search.py tool. re-search is a tool to search through (text) files with regular expressions. …

PE Section Name Descriptions, (Sun, Jul 2nd)

PE files (.exe, .dll, …) have sections: a section with code, one with data, … Each section has a name, and different compilers use different section names. Section names can help us identify the compiler and the type of PE file we are analyzing. @Hexacorn compiled a list of section names with corresponding descriptions, you …

Using nmap to scan for MS17-010 (CVE-2017-0143 EternalBlue), (Sat, Jul 1st)

With both WannaCry and NotPetya using MS17-010 for propagation, it is important to be able to detect servers which are vulnerable. Even if you have comprehensive vulnerability management and patching programs, there are almost certainly servers that have been missed, whether because they are vendor supported or part of your company's cottage IT. It is important …

Catching up with Blank Slate: a malspam campaign still going strong, (Wed, Jun 28th)

Introduction: Blank Slate is the nickname for a malicious spam (malspam) campaign pushing ransomware targeting Windows hosts. I've already discussed this campaign in a previous diary back in March 2017. It has consistently sent out malspam since then. Today I collected 11 Blank Slate emails, so this diary examines recent developments from the Blank Slate …

Petya? I hardly know ya! – an ISC update on the 2017-06-27 ransomware outbreak, (Wed, Jun 28th)

This is a follow-up to our previous diary on the ransomware outbreak that happened yesterday, Tuesday 2017-06-27. Introduction: By now, it seems almost everyone has written something about yesterday's ransomware outbreak. This led to some confusion after more information became available and initial reports were updated. Shown above: screen shot from a …

Checking out the new Petya variant, (Tue, Jun 27th)

This is a follow-up from our previous diary about today's ransomware attacks using the new Petya variant. So far, we've noted: Several hundred more tweets about today's attack can be found on Twitter using #petya. The new Petya variant appears to be using the MS17-010 Eternal Blue exploit to propagate. Others claim the new variant …

Wide-scale Petya variant ransomware attack noted, (Tue, Jun 27th)

Sent from a reader earlier today: Hearing some rumors that the company Merck is having a major virus outbreak with something new and their Europe networks are affected more than their US offices. Have you heard anything on this? A quick check reveals that, apparently, another global ransomware attack is making the rounds today. Forbes: …

A Tale of Two Phishies, (Tue, Jun 27th)

Introduction: Has anyone read A Tale of Two Cities, the 1859 novel by Charles Dickens? Or maybe seen one of the movie adaptations of it? It's set during the French Revolution, including the Reign of Terror, where revolutionary leaders used violence as an instrument of the government. In the previous sentence, substitute "violence" with "email". …