News Feeds (RSS) Internet Storm Center

Sat, 18 Nov 2017 12:09:36 -0700

BTC Pickpockets

Sat, 18 Nov 2017 11:15:54 -0700

I observed requests to my webserver to retrieve Bitcoin wallet files:

Fri, 17 Nov 2017 07:56:20 -0700

Yesterday, we were contacted by one of our readers who asked if we provide a STIX feed of our blocked list or top-100 suspicious IP addresses. STIX[1] means “Structured Threat Information eXpression” and enables organizations to share indicators of compromise (IOCs) with peers in a consistent and machine-readable manner.

Fri, 17 Nov 2017 02:15:05 -0700

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

Thu, 16 Nov 2017 08:27:01 -0700

Domain names remain a gold mine for investigating security incidents or for preventing malicious activity from occurring on your network (for example by using a DNS firewall). The ISC also has a page[1] dedicated to domain names. But how can we detect potentially malicious DNS activity if the domains are not (yet) present in a blacklist? The typical case is DGAs, or Domain Generation Algorithms[2], used by some malware families.

Wed, 15 Nov 2017 07:16:17 -0700

Another day, another malicious document! I like to discover how creative the bad guys are when writing new pieces of malicious code. Yesterday, I found another interesting sample. It’s always the same story: a malicious document is delivered by email. The document was called 'Saudi Declare war Labenon.doc’ (interesting name by the way!). According to VT, it is already flagged as malicious by many antivirus engines[1] (SHA256: 7f39affc9649606f57058b971c0c5a7612f7d85ef7ed54c95034cd2b9ae34602/detection). The document is a classic RTF file that triggers the well-known CVE-2017-0199. When started, it downloads the first file from:

Mon, 13 Nov 2017 20:25:39 -0700

My honeypot captured several copies of this file info.zip (info.vbe). I used Didier's Python script decode-vbe.py to examine the file and obtained the following output:

Mon, 13 Nov 2017 19:34:15 -0700

In the past few weeks I have noticed this type of POST activity showing in my honeypot {"id":0,"jsonrpc":"2.0","method":"eth_accounts"} looking for ID 0 (root). Activity has a static source port of 65535 and destination port 8080.