Security Blog

Written by
Chris Larsen

One of my all-time favorite posts involved looking at the traffic of a shady "warez" (downloads) network, where the malware payloads were being served in response to specific search terms.

Written by
Andrew Brandt

We've been tracking the release of new features in the Dyre password-stealing Trojan, and noticed a new behavior starting last month: The malware seems to be trying to connect to the anonymizing network known as i2p during the course of a typical infection.

We started to notice this behavior in early February, and it was easy to call it a fluke then because the behavior was rudimentary and buggy. But that's no longer the case. SSL traffic generated by the Trojan, decrypted by the SSL Visibility Appliance and revealed by Security Analytics, reveals that the malware is actively setting up and connecting to i2p.

By default, i2p configures itself to use a single UDP port on the host machine to receive inbound communications and to proxy outbound requests to connect to various "dark" services hosted within the i2p network. Security Analytics reveals this traffic as a large volume of UDP packets, from a variety of i2p "peer" machines, destined to a single UDP port on the machine connected to i2p.

Written by
Andrew Brandt

The convoluted case of a recent malware-spam campaign serves as an illustrative example of the ridiculous, Rube Goldberg-esque lengths criminals will go to in order to control your computer.

It all starts with a spam email that purports to originate with a Bitcoin management service I had previously never heard of, called OK Pay. Clearly the message didn't originate with this service, but it claimed that "Your BitCoin wallet has been successfully completed." Setting aside the message creator's obvious inability to logically parse words in a written language, the spam essentially says that I've received 154.1523 bitcoins on some wallet, somewhere.

At today's exchange rate, that converts to somewhere north of $43,000 -- a not-insignificant sum. Who wouldn't want to click a link that's labeled "Download the wallet" embedded in the message? I imagine some message recipients -- who would, naturally, laugh off an offer to split 2.8 gajillion United States Dollars from an African government official -- thinking to themselves, "Bank error in my favor!"

Written by
Chris Larsen

Last month, we recommended that customers consider blocking the entire ".country" top level domain (TLD) space, due to the fact that it appeared to be entirely devoted to shady stuff -- mostly a big scam network.

Written by
Andrew Brandt

Ransomware arrived in one of the email honeypot accounts last week, disguised using the well-worn electronic fax "Incoming Fax Report" trope.

Written by
Ashwin K. Vamshi

Kaspersky Labs recently posted a report on a highly advanced cyberespionage group named Equation and also detailed several malware families used by this group.