Honeypot Logs and Tracking a VBE Script, (Sun, Mar 12th)

I sometimes take the time to review my honeypot to see if it captured anything that might be worth looking at, and found this VBE script that looked kind of interesting. I used Didier … A check against VirusTotal identifies this script as a VBS Trojan downloader script [3]. Since I couldn't get a …

The Side Effect of GeoIP Filters, (Fri, Mar 10th)

IP location, GeoIP or geolocalization are terms used to describe techniques to assign geographic locations to IP addresses. Databases are built and maintained to link the following details to IP addresses: Country, Region, … If this looks very aggressive, in some cases it can be useful if you want to protect online services used only by local …

Critical Apache Struts 2 Vulnerability (Patch Now!), (Thu, Mar 9th)

On Monday, Apache released a patch for the Struts 2 framework [1]. The patch fixes an easy-to-exploit vulnerability in the multipart parser that is typically used for file uploads. A Metasploit module was released the same day, and some readers reported already seeing exploit attempts in the wild. You should be running Struts …
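As an added example (not from the diary, and not Apache's or Metasploit's code), here is a log check a defender might run while the patch is being rolled out. It assumes a constructed log format that records each request's Content-Type header, and it assumes, since the page does not say so, that exploit attempts against the multipart parser arrive as OGNL expressions (`%{...}`) in that header. Independently of that assumption, any header that claims `multipart/form-data` but does not match the strict RFC 2046 boundary syntax is flagged as malformed, because that is the input the vulnerable parser consumes.

```python
import re

# Strict shape of a legitimate multipart Content-Type header: the boundary
# parameter uses only the characters RFC 2046 allows (1 to 70 of them).
MULTIPART_RE = re.compile(
    r"^multipart/form-data\s*;\s*boundary=\"?[0-9A-Za-z'()+_,\-./:=? ]{1,70}\"?$",
    re.IGNORECASE,
)

# Markers of an OGNL expression. Assumption (not stated on the page): the
# in-the-wild attempts place such an expression in the Content-Type header.
OGNL_MARKERS = ("%{", "#_memberAccess", "@ognl.", "@java.lang.Runtime")


def classify_content_type(value):
    """Return 'ognl', 'malformed-multipart' or 'ok' for one header value."""
    value = value.strip()
    if any(marker in value for marker in OGNL_MARKERS):
        return "ognl"
    if value.lower().startswith("multipart/") and not MULTIPART_RE.match(value):
        return "malformed-multipart"
    return "ok"


# Constructed sample log lines (not real traffic). Assumed format:
#   <client ip> <method> <path> ct="<Content-Type header>"
SAMPLE_LOG = """\
203.0.113.5 POST /upload.action ct="multipart/form-data; boundary=----WebKitFormBoundary7MA4YWxkTrZu0gW"
198.51.100.7 POST /index.action ct="%{(#_='multipart/form-data').(#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS)}"
192.0.2.9 POST /login.action ct="application/x-www-form-urlencoded"
192.0.2.10 POST /upload.action ct="multipart/form-data; boundary=abc; foo"
"""

LINE_RE = re.compile(r'^(\S+) (\S+) (\S+) ct="(.*)"$')


def scan_log(text):
    """Return (ip, path, verdict) for every request whose header is not 'ok'."""
    hits = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that do not carry the assumed format
        ip, _method, path, content_type = m.groups()
        verdict = classify_content_type(content_type)
        if verdict != "ok":
            hits.append((ip, path, verdict))
    return hits


if __name__ == "__main__":
    for ip, path, verdict in scan_log(SAMPLE_LOG):
        print(f"{verdict:20} {ip:15} {path}")
```

A request flagged `ognl` is worth treating as an exploit attempt regardless of whether it succeeded; the `malformed-multipart` class is noisier, but a boundary that a strict parser rejects is not something a browser or a well-behaved client produces.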

Not All Malware Samples Are Complex, (Wed, Mar 8th)

Every day we hear about new pieces of malware which implement new techniques to hide themselves and defeat analysts. But there are still people who write simple code that just does the job. The sample that I'm reviewing today had a very short lifetime because it was quickly detected by most antivirus products. Its purpose is to steal information from the …

A very convincing Typosquatting + Social Engineering campaign is targeting Santander corporate customers in Brazil, (Mon, Mar 6th)

This is a guest diary submitted by Renato Marinho. Distracted users mistyping the first "n" when accessing www.santanderempresarial.com.br are subject to banking credential theft and a very convincing phone call from a purported Santander attendant. The call's reason? To collect the victim's OTP token combination and proceed with previously prepared fraudulent … This is the exact …

Another example of maldoc string obfuscation, with extra bonus: UAC bypass, (Sun, Mar 5th)

I had to help out someone with this sample. It contains obfuscated strings like these: Notice the Like operator. This is a strong indication that the strings are obfuscated by adding extra characters (e.g. the string left of the Like keyword). If we remove all these extra characters, we end up with this: This PowerShell …
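As an added example (written for this page, not Didier's code or the sample's), here is the string clean-up described above in Python: every string literal in the macro has been padded with extra characters, and once the padding characters are known from analysis they are simply deleted. The VBA fragment below is constructed for the example, and the padding set `JUNK` is an assumption standing in for whatever the analyst identified in the real sample.

```python
import re

# Constructed VBA fragment in the style of the sample: each string literal is
# padded with extra characters, and a Like comparison with a padded pattern
# is the tell-tale sign of that obfuscation.
VBA_SAMPLE = '''
If "p#oQw#eQr#sQh#eQl#l" Like "p#*Q" Then
    cmd = "p#oQw#eQr#sQh#eQl#l" & " -Qw# hQi#dQd#eQn" & " -QnQ#o#p"
End If
'''

# Assumption: the padding characters were identified during manual analysis.
JUNK = "#Q"

# A VBA string literal: double-quoted, with "" as the escaped quote.
STRING_LITERAL = re.compile(r'"((?:[^"]|"")*)"')


def strip_junk(s, junk=JUNK):
    """Delete every padding character; a deletion table is all that is needed."""
    return s.translate({ord(c): None for c in junk})


def vba_string_literals(vba):
    """Return the contents of all double-quoted VBA string literals, in order."""
    return [m.group(1).replace('""', '"') for m in STRING_LITERAL.finditer(vba)]


def deobfuscate(vba, junk=JUNK):
    """Map each obfuscated literal found in the macro to its cleaned form."""
    return {lit: strip_junk(lit, junk) for lit in vba_string_literals(vba)}


def recover_command(vba, junk=JUNK):
    """Concatenate the cleaned literals on the line that builds the command."""
    line = next(l for l in vba.splitlines() if "cmd" in l)
    return "".join(strip_junk(lit, junk) for lit in vba_string_literals(line))


if __name__ == "__main__":
    for obfuscated, clean in deobfuscate(VBA_SAMPLE).items():
        print(f"{obfuscated!r:28} -> {clean!r}")
    print("command:", recover_command(VBA_SAMPLE))
```

The same deletion applied to the Like pattern leaves only the wildcard and the genuine characters, which is why the comparison still succeeds at runtime while hiding the real string from a casual reader.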

How your pictures may affect your website reputation, (Sat, Mar 4th)

In a previous diary[1], I explained why the automatic processing of IOCs (Indicator of Compromise) could lead to false positives. Here is a practical example found yesterday. I captured the following malicious HTML page (MD5: b55a034d8e4eb4504dfce27c3dfc4ac3)[2]. It is part of a phishing campaign and tries to lure the victim to provide his/her credentials to get …

BitTorrent or Something Else?, (Fri, Mar 3rd)

I was looking at a curious uptick in traffic to TCP port 6881. What caught my eye was that it was an immediate uptick from almost nothing and it has been sustained over a couple of weeks. Also, the number of sources has risen significantly compared to the past year. Here's what it looked like over the past …