shadowserver.org
Shadowserver Foundation - Main - HomePage
http://shadowserver.org/wiki/pmwiki.php/Main/HomePage
Get Reports on your Network. TOR Nodes and Reporting. Virus Two Year Stats. Virus Three Year Stats. Improvement Between Initial and Retests. Established in 2004, The Shadowserver Foundation gathers intelligence on the darker side of the internet. We are comprised of volunteer security professionals from around the world. Our mission is to understand and help put a stop to high stakes cybercrime in the information age.
shadowserver.org
Shadowserver Foundation - Information - BotnetDetection
http://www.shadowserver.org/wiki/pmwiki.php/Information/BotnetDetection
If you are diagnosing a single machine, there are several steps you can take to discover a possible bot infection. On the other hand, if you are investigating an entire network, you can uncover a slew of infected drones or a C&C itself. Host based detection strategies. Network based detection strategies. Host based detection strategies. If not, malware may be redirec...
c-apt-ure.blogspot.com
c-APT-ure: May 2013
http://c-apt-ure.blogspot.com/2013_05_01_archive.html
Thursday, May 30, 2013. "Ponmocup Hunter" - SANS DFIR Summit 2013. The presentation slides have been online for a while [PDF Link]. I've given a newer version of this talk at DeepSec. Slides will be linked when made public. I'm thrilled to give a presentation "My name is Hunter, Ponmocup Hunter" in July at the SANS DFIR Summit 2013 in Austin, Texas (Summit). How the malware was discovered, what indicators were derived. How all infected hosts were identified and how remediation was done. http://security-res...
shadowserver.org
Shadowserver Foundation - Information - Botnets
https://www.shadowserver.org/wiki/pmwiki.php/Information/Botnets
What is a Botnet? Botnet Formation and Propagation. Command and Control Mechanisms. From Detection to Takedown. A Snoop is Established. What is a Botnet? The compromised machines are referred to as drones or zombies, the malicious software running on them as 'bot'. Botnet Formation and Propagation. For this reason, most bot software contains spreaders that automate ...
c-apt-ure.blogspot.com
c-APT-ure: July 2014
http://c-apt-ure.blogspot.com/2014_07_01_archive.html
Tuesday, July 29, 2014. Using Redline for Live Response - Part 1. For once I'll write about something a bit different than before. It's still about Ponmocup malware, or more precisely about the Zuponcic Kit for delivery, but more about how to do Live Response and Detection on the host using Redline. If you're not familiar with the Zuponcic Kit yet, you should read the following posts: Not quite the average exploit kit: Zuponcic. Zuponcic: "Is it a bird? Is it a plane?" Zuponcic: "Is it a bird? Perrugina...
c-apt-ure.blogspot.com
c-APT-ure: 3R4LR - Running Redline Remotely for Live Response
http://c-apt-ure.blogspot.com/2014/08/3r4lr-running-redline-remotely-for-live.html
Tuesday, August 12, 2014. 3R4LR - Running Redline Remotely for Live Response. This blog post is a work in progress and I'd love to get feedback while writing it. So while this note appears on top, the blog post is not finished. Please come back again later! This is the second post about using Redline for Live Response. The first post covered Using Redline for Live Response - Part 1, showing how many details from artifacts can be collected with Redline. Copy the collector to the host. Here are the two scr...
c-apt-ure.blogspot.com
c-APT-ure: August 2014
http://c-apt-ure.blogspot.com/2014_08_01_archive.html
Tuesday, August 12, 2014. 3R4LR - Running Redline Remotely for Live Response. This blog post is a work in progress and I'd love to get feedback while writing it. So while this note appears on top, the blog post is not finished. Please come back again later! This is the second post about using Redline for Live Response. The first post covered Using Redline for Live Response - Part 1, showing how many details from artifacts can be collected with Redline. Copy the collector to the host. Here are the two scr...
c-apt-ure.blogspot.com
c-APT-ure: Using Redline for Live Response - Part 1
http://c-apt-ure.blogspot.com/2014/07/using-redline-for-live-response-part-1.html
Tuesday, July 29, 2014. Using Redline for Live Response - Part 1. For once I'll write about something a bit different than before. It's still about Ponmocup malware, or more precisely about the Zuponcic Kit for delivery, but more about how to do Live Response and Detection on the host using Redline. If you're not familiar with the Zuponcic Kit yet, you should read the following posts: Not quite the average exploit kit: Zuponcic. Zuponcic: "Is it a bird? Is it a plane?" Zuponcic: "Is it a bird? Perrugina...
c-apt-ure.blogspot.com
c-APT-ure: March 2012
http://c-apt-ure.blogspot.com/2012_03_01_archive.html
Thursday, March 8, 2012. Ponmocup, lots changed, but not all. (See the list of domains below. More info, links to IOCs and references at the end.) So here goes another post about the Ponmocup malware. Lots of things changed recently, but not all (luckily for defenders). Previously, the first redirection step was using a "/cgi-bin/r.cgi" pattern which was detected by this Snort rule (2013181). Here's an example from 2011-08-03 [PDF]. As you can see in this report. http://www9.dy...
c-apt-ure.blogspot.com
c-APT-ure: February 2012
http://c-apt-ure.blogspot.com/2012_02_01_archive.html
Saturday, February 18, 2012. Not APT, but nasty malware (Ponmocup botnet). For once I don't write about APT, but about some nasty malware / botnet that I've been researching for almost a year. It's been called "Ponmocup botnet", but the malware has been called many different names (Ponmocup, Pirminay, Kryptik, Swisyn, Vundo etc). I've been putting most of my research on a privately hosted page here: http://www9.dyndns-server.com:8080/pub/botnet-links.html (Sorry about the bad formatting and strange URL).