Recently I developed an application for Troy Mursch of Bad Packets Report to help him track a botnet he calls "Mirai-like". The name refers to a network signature observed in both this botnet and the Mirai network of infected hosts. The signature can be traced to the Mirai source code, wherein packets sent from the hosts use the destination IP address as the TCP sequence number.
Recently I purchased a Software Defined Radio dongle kit to experiment with. The kit included the SDR dongle, a dipole antenna kit and a small tripod. Through the use of a few open source and freeware programs, I was able to predict, locate, track and record Automatic Picture Transmission broadcasts from the NOAA 19 weather satellite. This topic has been written about extensively and many exceptional tutorials exist; however, I decided to document my first experiences with SDR and satellite communications.
Pop-unders are a special case of pop-up page that remains behind the active browser window, usually without the user's knowledge. These are commonly found on questionable websites and are used to push advertisements. With Coinhive mining scripts growing in popularity, a script that remains running in an open window without the user's knowledge could do real harm to his or her computer. This post discusses my process for reverse engineering and re-creating a commercial (if you can call paid pseudo-malware commercial) pop-under script and determining some mitigation techniques. As of the time of writing, this script is widely used and bypasses all of Chrome's pop-under protections.
This post highlights a common click-jacking application: stealing Facebook likes. The JavaScript and CSS used for the attack are extremely simple. Applying this technique to a Facebook "Like" button is relatively harmless and has been rendered somewhat obsolete by a confirmation dialog from Facebook. However, this technique can be used for much more malicious purposes.
This post covers an ongoing campaign that consists of fake Facebook, Gmail and PayPal notification emails. The emails follow a similar template, and always link to a PHP page with a simple redirect script that sends the user to a malicious page. In a previous post I covered a browser locker. Recently, the emails have been linking to a fake Flash update site. I briefly analyzed the email, associated URLs, and the malicious sample obtained.