If you saw the following browser window pop up on your desktop today for no apparent reason, you are…
For several years now, there has been a steady, increasing effort by computer criminals to use malware to steal data from victim computers. Often the criminals don’t actually write the malware; they simply download a trojan kit, configure it for their purposes and then spread it using various methods. We talk about these schemes all the time, yet there’s no good term to describe these miscreants.
So, at Black Hat I demoed my Perl-based Windows kernel debugger. You can download it here. Nothing earthshaking, just an implementation of the Windows serial debugging protocol in a Perl script. Initially I hadn’t planned to speak at DEFCON, wanting to devote all my time to the CTF competition, but I ended up with a seat on the Internet Wars panel discussion, so I picked up the nifty blue speaker badge pictured here.
I just wrote up an article about using tarpits to fight off HTTP-based DDoS attacks. Since I myself have been a victim of DDoS, I thought I’d throw out an idea to help those who might find themselves at the mercy of some anonymous attacker.
The full article can be found at:
We’ve gotten some inquiries as to how to find users infected by the recent BBB/IRS/FTC/Proforma trojan scams on corporate networks where an IDS/IPS device that can detect the exfiltration traffic might not be in play.
If you keep firewall, proxy or DNS server logs, you may be able to spot infected users by traffic analysis. This activity has been going on since at least February, so it is prudent to search the logfiles back to at least the beginning of 2007.
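One way to do that traffic analysis, as an added example that is not part of the original post: since the trojan described in the Troj-iwebho post below copies everything the browser submits to a collection server, an infected client's proxy log shows a tell-tale pattern of a POST to a legitimate site followed within a second or two by a POST to one other, unrelated host, repeated across many different sites. The script below looks for that "shadow POST" pattern. The log lines are constructed, the simplified log format, the collector hostname, the time window and the threshold of distinct shadowed sites are all assumptions; real proxy formats (Squid native, W3C extended) need their own parse_line().

```python
"""Find proxy clients whose browser POSTs are mirrored to a single collection
host.  Added example for this page; the log lines are constructed and the
thresholds are assumptions to be tuned against real data."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed proxy log in a simplified format (one request per line):
#   <ISO timestamp> <client IP> <method> <URL> <request body bytes>
# 10.1.1.23 is the "infected" client: every POST it makes is followed
# within a second by a POST to stats-collector.example (assumed drop site).
# 10.1.1.40 is clean; its one quick follow-up POST is a normal two-step
# checkout on the same shop and must not be flagged.
SAMPLE_LOG = """\
2007-04-12T09:13:01 10.1.1.23 GET http://www.bank.example/login 0
2007-04-12T09:13:05 10.1.1.23 POST http://www.bank.example/login 612
2007-04-12T09:13:06 10.1.1.23 POST http://stats-collector.example/in.php 640
2007-04-12T09:20:44 10.1.1.23 GET http://mail.example/inbox 0
2007-04-12T09:21:10 10.1.1.23 POST http://mail.example/send 2048
2007-04-12T09:21:11 10.1.1.23 POST http://stats-collector.example/in.php 2100
2007-04-12T10:02:03 10.1.1.23 POST http://shop.example/checkout 1500
2007-04-12T10:02:04 10.1.1.23 POST http://stats-collector.example/in.php 1530
2007-04-12T09:15:00 10.1.1.40 GET http://www.bank.example/login 0
2007-04-12T09:15:09 10.1.1.40 POST http://www.bank.example/login 598
2007-04-12T09:40:00 10.1.1.40 POST http://mail.example/send 1900
2007-04-12T10:05:00 10.1.1.40 POST http://shop.example/checkout 1450
2007-04-12T10:05:02 10.1.1.40 POST http://www.shop.example/confirm 300
"""


def parse_line(line):
    """Split one simplified log line into (timestamp, client, method, host, bytes)."""
    ts, client, method, url, size = line.split()
    host = url.split("://", 1)[1].split("/", 1)[0]
    return datetime.fromisoformat(ts), client, method, host, int(size)


def find_mirrored_posts(log_text, window=timedelta(seconds=5), min_shadowed_hosts=2):
    """Return {client: {collector_host: [origin hosts]}} for every client that
    has POSTs to at least `min_shadowed_hosts` distinct sites each followed,
    within `window`, by a POST to the same other host (the suspected collector).
    A single quick follow-up POST (redirect, two-step form) stays below the bar."""
    posts = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, client, method, host, size = parse_line(line)
        if method == "POST":
            posts[client].append((ts, host, size))

    suspects = {}
    for client, events in posts.items():
        events.sort()  # chronological; log lines need not arrive in order
        shadowed = defaultdict(set)  # candidate collector -> sites it shadows
        for i, (ts, host, _size) in enumerate(events):
            for ts2, host2, _size2 in events[i + 1:]:
                if ts2 - ts > window:
                    break
                if host2 != host:
                    shadowed[host2].add(host)
        hits = {collector: sorted(origins)
                for collector, origins in shadowed.items()
                if len(origins) >= min_shadowed_hosts}
        if hits:
            suspects[client] = hits
    return suspects


if __name__ == "__main__":
    for client, hits in find_mirrored_posts(SAMPLE_LOG).items():
        for collector, origins in hits.items():
            print(f"{client}: POSTs to {', '.join(origins)} each mirrored to {collector}")
```

Run against a real proxy log, the hits are leads, not verdicts: a single sign-on portal or payment gateway can legitimately receive POSTs shortly after forms on several sites, so check what the flagged collector host is (WHOIS, DNS history, whether anyone GETs from it) before reimaging the client. Widen the window if the trojan batches its uploads, and feed the collector hostnames back into the DNS server logs to catch clients that resolved them but never went through the proxy.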
Since we first wrote about the BBB phishing emails, we’ve seen variants change from forged BBB complaint letters to false IRS criminal investigation notices to FTC investigation notices. We’re now seeing messages from the same phishing group posing as “Proforma” invoices, this time sent with a Word document attachment (an actual MS Word document, not an RTF file as in the other BBB/IRS phishing schemes).
Recently we detailed the workings of two different phishing emails designed to install malware on the computers of executives through social engineering ploys. The first ploy was an email pretending to be a complaint routed through the Better Business Bureau. We saw this used to install two different families of malware. The second ploy, posing as a criminal investigation notice from the IRS, has now been seen installing the same two families of malware.
The one that got our attention in the first place, known as Troj-iwebho, uses a simple yet powerful tactic: steal ALL data being sent from the victim’s web browser. Banking, email, shopping, stock trading, prescription/healthcare data and casual (sometimes very personal) browsing: everything the user does online is stored in the attacker’s database. On the surface it looks like an identity theft scam with a very high payoff potential.
Microsoft is not alone when it comes to writing vulnerable code. It’s downright hard to write secure code in low-level languages. It’s understandable, especially when most of your core code was written before buffer overflow exploits were even understood by most programmers. But when a vulnerability is pointed out in your code, and you claim to spend inordinate amounts of time developing and testing patches for it, wouldn’t it make sense to spend a little time auditing the rest of the code for the same bug?
The Office of the United States Trade Representative calls American small business “The Economic Engine Driving the World Economy”. Yet, when negotiating recently with Russia over the terms of Russia’s accession to the World Trade Organization, the USTR seems to have focused only on those American businesses with massive lobbying power (e.g., the software, movie, music and pharmaceutical industries). In a document outlining the details of the agreement, the USTR specifically names a single website in Russia (allofmp3.com) that the music industry would like to have targeted for shutdown.
But, in this effort, the USTR ignores a fundamental component of the economic relationship between the U.S. and Russia in the Internet age: the rampant fraud, spam and virus epidemic that is slowly draining resources and money from U.S. citizens and companies alike. Unlike the potentially inflated loss estimates from the music and software industries, which are based more on wishful thinking than fact, it is possible to put a real dollar figure on the money being siphoned from the U.S. economy by phishing and credit card fraud. Although many former Soviet bloc countries are involved and no country is blameless when it comes to internet fraud, Russia harbors more than its fair share of cyber-criminals.