
Thursday, May 28, 2015

Locker Ransomware Support Topic - General Security

This is the support topic for the Locker ransomware. Locker has infected a very large number of computers globally. As this topic is already quite large, and will likely grow larger, this first post will be used to post any new information as it becomes available.



Summary

The Locker ransomware is a computer infection that runs silently on a victim's computer until midnight local time on May 25, at which point it becomes active. Once active, it begins to encrypt the data files on the computer with what appears to be RSA encryption. When encrypting a data file it does not change the file's extension, so the only way to tell that a file is encrypted is to try to open it and be told that it is corrupt or unusable.

After Locker encrypts your data it deletes your Shadow Volume Copies and then displays the Locker interface. This window is titled "Locker" followed by a random version number that does not appear to have any significance; examples seen so far are Locker v1.7, Locker v3.5.3, Locker V2.16 and Locker V5.52. The Locker screen gives you information on how to pay the ransom, your unique Bitcoin address to send the ransom to, a list of the encrypted files, and a page to check the status of your payment.
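Because Locker leaves the file extension untouched, the practical way to find encrypted files without opening each one is to compare a file's leading bytes with what its extension promises, and to fall back on byte entropy for types that have no fixed header. The Python scanner below is an added example for this page, not code from the Locker analysis or from BleepingComputer; the magic-byte table, the 7.5 bits-per-byte threshold and the sample files are this example's own assumptions.

```python
import math
from collections import Counter

# Leading bytes ("magic") that a file with the given extension should start
# with. Assumption of this example: only these types are known; any other
# extension is judged by entropy alone.
MAGIC = {
    ".pdf":  [b"%PDF-"],
    ".docx": [b"PK\x03\x04"],   # Office Open XML files are ZIP containers
    ".xlsx": [b"PK\x03\x04"],
    ".zip":  [b"PK\x03\x04"],
    ".jpg":  [b"\xff\xd8\xff"],
    ".png":  [b"\x89PNG\r\n\x1a\n"],
    ".gif":  [b"GIF87a", b"GIF89a"],
    ".doc":  [b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"],  # legacy OLE2 container
}

ENTROPY_THRESHOLD = 7.5   # bits per byte; ciphertext sits close to 8.0


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for empty input, 8.0 when every byte value is equally common."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def classify(name: str, head: bytes) -> str:
    """Verdict for one file given its name and its first few KiB.

    'magic-mismatch': the extension is known but the header is gone, which is
                      exactly what a file rewritten in place by Locker looks like.
    'high-entropy'  : unknown extension and the bytes look random.
    'ok'            : nothing suspicious.
    """
    ext = name[name.rfind("."):].lower() if "." in name else ""
    expected = MAGIC.get(ext)
    if expected is not None:
        return "ok" if any(head.startswith(m) for m in expected) else "magic-mismatch"
    # Entropy is only used for unknown types: compressed formats such as
    # DOCX, JPEG and PNG are high-entropy even when intact, so for them the
    # header check above is the reliable signal.
    return "high-entropy" if shannon_entropy(head) >= ENTROPY_THRESHOLD else "ok"


def scan(files: dict) -> dict:
    """files maps a file name to its leading bytes; returns name -> verdict."""
    return {name: classify(name, head) for name, head in files.items()}


# Constructed sample "files" (not real victim data). The 4096-byte block in
# which every byte value occurs 16 times stands in for ciphertext: its entropy
# is exactly 8.0 and it carries no recognisable header.
CIPHERTEXT_STAND_IN = bytes(range(256)) * 16
SAMPLE_FILES = {
    "report.pdf": b"%PDF-1.5\n%\xe2\xe3\xcf\xd3\n1 0 obj\n" + b"<</Type/Catalog>>" * 8,  # intact
    "photo.jpg":  CIPHERTEXT_STAND_IN,                    # encrypted in place, extension kept
    "notes.txt":  b"Meeting notes, 25 May 2015\n" * 64,   # plain text, low entropy
    "budget.csv": CIPHERTEXT_STAND_IN,                    # unknown type, random-looking bytes
}

if __name__ == "__main__":
    for name, verdict in scan(SAMPLE_FILES).items():
        print(f"{name:12s} {verdict}")
```

A single mismatch is also what a mislabelled or truncated file looks like, so the scanner is a triage aid: many mismatches across a user's documents, together with missing Shadow Volume Copies, is the pattern that says ransomware rather than a stray bad file.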



Tuesday, May 26, 2015

Locker ransomware hides until midnight on May 25th and then encrypts your data - News



A new ransomware called Locker has been discovered that, once installed, lies dormant until midnight local time on May 25th, when it activates and encrypts your data files. Once your files are encrypted it demands 0.1 bitcoin to decrypt them. If payment is not made within 72 hours, the ransom increases to 1 bitcoin. This ransomware is currently widespread, with global targeting.


Sunday, May 24, 2015

(UAC) User Assisted Compromise - Room362.com

A number of times during tests I’ve actually run into those mythical creatures called “patched windows machines”. At DerbyCon Chris Gates and I released the “Ask” post module (which I had failed to publish). This module very simply uses the ShellExecute windows function via Railgun with the undocumented (but very well known) operator of ‘runas’. These two lines accomplished that:




Trick me once, ShameOnUAC



ShameOnUAC

When the Cylance SPEAR Team was formed late last year we started
looking into an area that we had long wanted to study: the potential for
subverting programs during privilege elevation through UAC. We created
proof of concept malware that attacks Windows Explorer, which we dubbed
ShameOnUAC.


ShameOnUAC injects itself into the unprivileged Explorer process, where it hooks SHELL32!AicLaunchAdminProcess and waits for the user to ask to run a program as administrator. It then tampers with the elevation request before it is sent to the AppInfo service. (This is a downside of having an unprivileged process submit elevation requests on your behalf.)


Here's how UAC works normally:






Installer stuck at 18% when upgrading from Windows 10 (10074 to 10122) - Enterprise Mobility Tips - Site Home - TechNet Blogs

Are you trying to upgrade to Windows 10 preview build 10122 and the
installation hangs at 18%? The following approach unblocked me,
hopefully it works for you too – please let us know in the comments:


  • Download psexec.exe from Sysinternals to e.g. C:\temp
  • Open an elevated command prompt
  • Execute psexec with the following parameters (type it rather than copy/paste, so the dashes are plain hyphens):
    • C:\Temp\psexec.exe -s -i cmd.exe
  • A command prompt running in the SYSTEM context should launch.

Debugging Tutorial Index - Sysnative Forums

 !tz and !tzinfo WinDbg Extensions - Thermal Zone ACPI Trip Levels


Meet 'Tox': Ransomware for the Rest of Us - McAfee

The packaging of malware and malware-construction kits for cybercrime
“consumers” has been a long-running trend. Various turnkey kits that
cover remote access plus botnet plus stealth functions are available
just about anywhere. Ransomware, though very prevalent, has not yet
appeared in force in easy-to-deploy kits.


But now we have Tox, and it's free.






Wednesday, May 20, 2015

Dynamoo's Blog: Malware spam: "Sky.com / Statement of Account" and...

These two spam runs attempt to download malware from volafile.io. To give the folks at Volafile credit, all the malware I have seen linked...

Wednesday, May 13, 2015

Dr. Fu's Security Blog: Malware Analysis Tutorials: a Reverse Engineering ...

Author: Dr. Xiang Fu. Roadmap: You need to first follow Tutorials 1 to 4 to set up the lab configuration. Then each tutorial addresses an ...

The El-Polocker ransomware is no chicken as it encrypts your drives and shares - News

A new "Breaking Bad" themed ransomware called El-Polocker, or Los Pollos Hermanos, has been targeting and encrypting Australian victims' data and demanding $450 AUD to return their files. It is distributed via fake DHL penalty notices that request payment of unpaid fees. The notice contains a Dropbox link to a zipped VBS file which, when launched, executes a PowerShell script that encrypts your files with AES encryption. Unfortunately, the decryption keys are stored on the Command & Control server and there is currently no way to decrypt your files for free.






Monday, May 11, 2015

Dynamoo's Blog: Malware spam: "Payment details and copy of purchas...

I haven't really had time to analyse this, so I am using the analysis of an anonymous source (thank you). From: Kristina Prest...

PHP Hash Comparison Weakness A Threat To Websites, Researcher Says

Flaw could allow attackers to compromise user accounts, WhiteHat Security's Robert Hansen -- aka "RSnake" -- says in a new finding on the 'Magic Hash' vulnerability.


A weakness in the way PHP handles hashed strings in certain situations gives attackers an opportunity to try to compromise authentication systems, passwords, and other functions involving hash comparisons in PHP, a researcher from WhiteHat Security says. Robert Hansen, vice president of WhiteHat, describes the issue as one that affects any website that uses two specific types of operators for comparing hashes in PHP.

The issue mostly affects authentication, but it could also affect "forgot password" flows, nonces, binary checking, cookies, and passwords, among other things, Hansen, aka RSnake, told Dark Reading. "It totally depends on the website, and how it's constructed."
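The operators Hansen refers to are PHP's loose comparison (`==` and `!=`) applied to hash strings. PHP treats any string that parses as a number as numeric, scientific notation included, so a hex digest that happens to be `0e` followed only by decimal digits is compared as the float 0 and therefore equals every other digest of that shape. The block below is an added Python model of that behaviour for this page, not code from Hansen's post or from PHP itself: `php_loose_equals` implements only the numeric-string rule (the one that matters for hash comparison), and the two preimages are the well-known strings whose MD5 digests have the `0e` form.

```python
import hashlib
import hmac
import re

# PHP treats a string as numeric when it parses as an integer or float
# literal, scientific notation included ("0e12345" is 0 * 10**12345 == 0).
# Under the loose == operator two numeric strings are compared as numbers.
PHP_NUMERIC = re.compile(r"^\s*[+-]?(\d+(\.\d*)?|\.\d+)([eE][+-]?\d+)?\s*$")


def php_loose_equals(a: str, b: str) -> bool:
    """Model of PHP's == for two strings. Assumption: only the numeric-string
    rule is implemented, because that is the rule a hash comparison hits."""
    if PHP_NUMERIC.match(a) and PHP_NUMERIC.match(b):
        return float(a) == float(b)
    return a == b


def is_magic(hexdigest: str) -> bool:
    """A 'magic hash' is a digest of the form 0e followed by decimal digits only."""
    return re.fullmatch(r"0e[0-9]+", hexdigest) is not None


def vulnerable_check(stored_hash: str, supplied_password: str) -> bool:
    """The pattern at risk: md5($password) == $stored_hash."""
    return php_loose_equals(hashlib.md5(supplied_password.encode()).hexdigest(), stored_hash)


def fixed_check(stored_hash: str, supplied_password: str) -> bool:
    """Strict, constant-time comparison: the equivalent of === / hash_equals()."""
    return hmac.compare_digest(hashlib.md5(supplied_password.encode()).hexdigest(), stored_hash)


# Well-known strings whose MD5 digests are both of the 0e... form.
VICTIM_PASSWORD = "QNKCDZO"    # suppose the victim happened to pick this
ATTACKER_INPUT = "240610708"   # a different string with the same "numeric value"


def demo() -> dict:
    """Run both checks against a stored hash that happens to be magic."""
    stored = hashlib.md5(VICTIM_PASSWORD.encode()).hexdigest()
    return {
        "stored_is_magic": is_magic(stored),
        "loose_accepts_attacker": vulnerable_check(stored, ATTACKER_INPUT),
        "strict_accepts_attacker": fixed_check(stored, ATTACKER_INPUT),
        "strict_accepts_owner": fixed_check(stored, VICTIM_PASSWORD),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The attack only works when the stored digest is itself magic, which for MD5 is roughly one digest in 340 million (the first two hex characters must be `0e` and the remaining thirty must all be decimal digits), so against password hashes it is a low-probability break of individual accounts rather than a universal bypass. It matters more for the other uses Hansen lists, such as nonces, cookies and tokens, where the attacker can often choose or search for the value being compared. The fix is the strict comparison shown in `fixed_check`; storing passwords as unsalted MD5 is a separate problem.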




Friday, May 8, 2015

Windows 10 Microsoft Passport (aka Microsoft Next Generation Credential) In Detail » Active Directory Security



At the Microsoft Ignite conference this week, there are several sessions covering Windows 10 features. One of the biggest changes in Windows 10 is the new credential management method and the related “Next Generation Credential”, now named Microsoft Passport.


There hasn’t been much information on how the new credential system
works, so I challenged myself to gather as much information and
understand it as best as possible before the Microsoft Ignite conference
ends this week. This post covers my understanding of this (still beta)
technology.


Note that the information in this post is subject to change
(& my misunderstanding). As I gain clarification, I will update this
post.



Traditional Windows Credential Management


Up until Windows 10, when a user logs on, the user's credentials are verified, hashed, and loaded into LSASS (Local Security Authority Subsystem Service), a process in protected memory. The credential data is kept in LSASS so that the user can be authenticated to network resources without being prompted for their password again. The issue is what LSASS holds: before Windows 8.1 it also kept the user's clear-text password (reversibly encrypted); as of Windows 8.1 the clear-text password is no longer placed in LSASS, though the user's NTLM password hash, among others, still is. When using Kerberos, the user's Kerberos tickets are stored in LSASS as well.




Know your Windows Processes or Die Trying | System Forensics

I have been talking with quite a few people lately tasked with
“security” inside their organizations and couldn’t help but notice their
lack of understanding when it came to Windows process information.


I figured if the people I have talked with don’t understand then
there are probably a lot more people that don’t understand. I’m guessing
quite a few people that consider themselves “experts” as well.


I decided to write this post in an effort to help the individuals
that may not have the knowledge, free time, training budgets, etc. to
explore Windows processes. For about $50 – $75 (few books) and some free
time you can learn pretty much everything needed to know about Windows
processes.


My goal isn’t to dive very deep into each of the processes. I figured
a bulleted “cheat sheet” vs. wordy descriptions will be best for my
intended audience.


The people who want to dive deeper can buy themselves a copy of Windows Internals, 6th Edition, Parts I and II, fire up Process Explorer/Process Hacker, and start reading the great documentation by the Volatility team (references below).






Wednesday, May 6, 2015

TeslaCrypt and Alpha Crypt Ransomware Information Guide and FAQ


Info: There are active TeslaCrypt and AlphaCrypt support topics that contain discussion and the experiences of a variety of IT consultants, end users, and companies who have been affected by these ransomware programs. If you are interested in this infection or wish to ask questions about it, please visit either the TeslaCrypt support topic or Alpha Crypt Support Topic. Once at the topic, and if you are a registered member of the site, you can ask or answer questions and subscribe in order to get notifications when someone adds more information to the topic.


What is TeslaCrypt and AlphaCrypt?

TeslaCrypt and Alpha Crypt are file-encrypting ransomware programs that target all versions of Windows, including Windows XP, Windows Vista, Windows 7 and Windows 8. TeslaCrypt was first released around the end of February 2015 and Alpha Crypt at the end of April 2015. When you are first infected with TeslaCrypt or Alpha Crypt, they scan your computer for data files and encrypt them using AES encryption so that they can no longer be opened. Once the infection has encrypted the data files on all of your computer's drive letters, it displays an application containing instructions on how to get your files back. These instructions include a link to a Decryption Service site, which tells you the current ransom amount, the number of files encrypted, and how to make your payment. The ransom starts at around $500 USD and is payable in bitcoins. The bitcoin address that you submit payment to is different for every victim.

When TeslaCrypt or Alpha Crypt are first installed on your computer they create a randomly named executable in the %AppData% folder. This executable is launched and begins to scan all the drive letters on your computer for data files to encrypt. If a supported data file is found it is encrypted and a new extension is appended to the filename, depending on the variant you are infected with: TeslaCrypt appends .ECC, and Alpha Crypt appends .EZZ.
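The behaviours this FAQ describes (a randomly named executable launched straight out of %AppData%, files renamed with .ECC or .EZZ) and the Shadow Volume Copy deletion described for Locker earlier on this page are all visible in endpoint telemetry before the ransom note appears. The Python rules below are an added example for this page, not a detection from BleepingComputer or any vendor, run over constructed process-creation and file-write events whose field names are this example's own; the vssadmin/wmic command lines are an assumption about how shadow copies are usually deleted and are not taken from the page.

```python
import re
from typing import Dict, List, Tuple

# Rule 1: an executable running directly from the %AppData% (Roaming) root.
# Legitimate software installs into a vendor sub-folder, so a bare .exe in the
# root is unusual; TeslaCrypt/Alpha Crypt drop their random-named executable there.
APPDATA_ROOT_EXE = re.compile(
    r"^[a-z]:\\users\\[^\\]+\\appdata\\roaming\\[^\\]+\.exe$", re.IGNORECASE)

# Rule 2: a file written with one of the extensions the two variants append.
RANSOM_EXT = re.compile(r"\.(ecc|ezz)$", re.IGNORECASE)

# Rule 3: Shadow Volume Copy deletion. Assumption of this example: these two
# command lines are the usual way it is done; the page only says copies are deleted.
SHADOW_DELETE = [
    re.compile(r"\bvssadmin(\.exe)?\b.*\bdelete\b.*\bshadows\b", re.IGNORECASE),
    re.compile(r"\bwmic(\.exe)?\b.*\bshadowcopy\b.*\bdelete\b", re.IGNORECASE),
]

Event = Dict[str, object]


def evaluate(event: Event) -> List[str]:
    """Names of the rules one event matches; empty list when it is clean."""
    hits = []
    kind = event.get("type")
    if kind == "process":
        if APPDATA_ROOT_EXE.match(str(event.get("image", ""))):
            hits.append("exe-in-appdata-root")
        cmd = str(event.get("command_line", ""))
        if any(p.search(cmd) for p in SHADOW_DELETE):
            hits.append("shadow-copy-deletion")
    elif kind == "file":
        if RANSOM_EXT.search(str(event.get("target", ""))):
            hits.append("ransomware-extension")
    return hits


def triage(events: List[Event]) -> List[Tuple[int, List[str]]]:
    """(pid, matched rules) for every event that matched at least one rule, in order."""
    out = []
    for e in events:
        hits = evaluate(e)
        if hits:
            out.append((e["pid"], hits))
    return out


# Constructed sample telemetry (not real logs).
SAMPLE_EVENTS = [
    {"type": "process", "pid": 1201, "image": r"C:\Windows\System32\svchost.exe",
     "command_line": "svchost.exe -k netsvcs"},
    {"type": "process", "pid": 4410, "image": r"C:\Users\alice\AppData\Roaming\qkzjdhw.exe",
     "command_line": r"C:\Users\alice\AppData\Roaming\qkzjdhw.exe"},
    {"type": "file", "pid": 4410, "target": r"C:\Users\alice\Documents\thesis.docx.ecc"},
    {"type": "process", "pid": 4412, "image": r"C:\Windows\System32\vssadmin.exe",
     "command_line": "vssadmin.exe Delete Shadows /All /Quiet"},
    {"type": "process", "pid": 4500, "image": r"C:\Users\alice\AppData\Roaming\Vendor\updater.exe",
     "command_line": "updater.exe --check"},
    {"type": "process", "pid": 4600, "image": r"C:\Windows\System32\vssadmin.exe",
     "command_line": "vssadmin.exe list shadows"},
]

if __name__ == "__main__":
    for pid, hits in triage(SAMPLE_EVENTS):
        print(pid, ", ".join(hits))
```

Rule 1 on its own will also catch portable tools a user runs from that folder, so it is a triage signal; the same host producing a Rule 1 hit followed within minutes by a Rule 2 or Rule 3 hit is the combination worth paging on, because by then encryption has already started and the last recovery path is being removed.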
 

Haifei's random thoughts: Integrating Outdated Flash is a Bad Idea, Even Wor...

Shining the Light on the Security of Customized Browsers Used in China. When I traveled in China last time, I was quite surprised that the...

Andromeda/Gamarue bot loves JSON too (new versions details) | eternal-todo.com




After my last post about Andromeda, different updates related to versions 2.07 and 2.08 appeared. Mostly, Fortinet was talking about the version 2.07 features and the new anti-analysis tricks of version 2.08. After that, Kimberly also mentioned version 2.09 in his blog, but I have not seen too many details about the latest versions of Andromeda. This is a summary of the interesting details about the newer versions.

Thursday, April 30, 2015

Anti-Botnet Advisory Centre: Inform




To prevent the re-infection of your computer please note these important rules:

  1. Check your computer for infection. Please use our EU-Cleaner to remove all malware.
  2. Install current Service Packs and Security Updates for your system. Activate automatic updates. Microsoft instructions: Protect.
  3. Check your Internet browser and the embedded plugins (e.g. Java, Flash, Shockwave, QuickTime) regularly to make sure they are up to date. Browser- and Plugincheck
  4. Install a virus scanner, e.g. one that is mentioned here, and update it regularly.
  5. Use a firewall, e.g. the built-in Windows firewall or a router. More information about firewalls.

hfiref0x/UACME · GitHub


Wednesday, April 29, 2015

Blaze's Security Blog: Thoughts on Absolute Computrace

Introduction: Not too long ago my friend and colleague from Sweden, Jimmy, contacted me in regards to a strange issue. In the firewall, he...

TorrentLocker changes its name to Crypt0L0cker and bypasses U.S. computers - News




A new ransomware called Crypt0L0cker (the letters O have been replaced with zeros) has been released that appears to be a new version of TorrentLocker. It was first sighted at the end of April in European and Asian countries and in Australia. Unlike TorrentLocker, for some reason this variant is geo-locked so that it will not install on US-based computers. It is currently being distributed through emails that pretend to be traffic violations or other government notices. At this point it is unknown what encryption method is used and whether it is possible to recover encrypted files. The ransom amount is currently set at 2.2 Bitcoins.

Monday, April 27, 2015

Without a Trace: Fileless Malware Spotted in the Wild | Security Intelligence Blog | Trend Micro




With additional analysis from David Agni


Improvements in security file scanners are causing malware authors to
deviate from the traditional malware installation routine. It’s no
longer enough for malware to rely on dropping copies of themselves to a
location specified in the malware code and using persistence tactics
like setting up an autostart feature to ensure that they continue to
run. Security file scanners can easily block and detect these threats.




One tactic we have spotted is fileless malware. Unlike most malware, fileless malware hides itself in locations that are difficult to scan or detect. It exists only in memory and is written directly to RAM instead of being installed on the target computer's hard drive. POWELIKS is an example of fileless malware that hides its malicious code in the Windows Registry. These use a conventional malware file to add the registry entries that contain the malicious code.
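Because a registry-resident payload leaves no file for a scanner to hash, the place to look is the data of the autorun values themselves. The Python block below is an added example for this page, not code from Trend Micro's analysis: it parses a text `.reg` export and flags Run/RunOnce values that hand control to a script host or carry a long encoded blob. The rules, the thresholds and the sample export are this example's own assumptions, and the `rundll32 ... javascript:` launcher in the constructed sample is modelled on the technique reported for POWELIKS elsewhere, which this page itself does not describe.

```python
import base64
import re
from typing import Dict, List, Tuple

RUN_KEY_SUFFIXES = (
    "\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\RUN",
    "\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\RUNONCE",
)

# Autorun data that hands control to a script engine instead of a program file.
SCRIPT_HOST = re.compile(
    r"rundll32(\.exe)?\s+javascript:"          # script executed straight from the value
    r"|\bmshta(\.exe)?\b"                      # HTA host
    r"|\bpowershell(\.exe)?\b.*\s-(e|ec|enc|encodedcommand)\b"
    r"|\b[wc]script(\.exe)?\b",
    re.IGNORECASE)
# A long run of the base64 alphabet: code or a second stage stored in the value itself.
ENCODED_BLOB = re.compile(r"[A-Za-z0-9+/]{120,}={0,2}")
MAX_SANE_LENGTH = 512   # a normal Run value is a path plus a few switches


def _unescape(s: str) -> str:
    return re.sub(r"\\(.)", r"\1", s)


def parse_reg_export(text: str) -> Dict[str, Dict[str, str]]:
    """Minimal reader for the text .reg format: {key path: {value name: data}}.
    Only quoted string data is decoded; other types (hex:, dword:) are kept raw."""
    keys: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
            continue
        m = re.match(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$', line)
        if m and current is not None:
            name = "" if m.group(1) == "@" else _unescape(m.group(1)[1:-1])
            data = m.group(2)
            if len(data) >= 2 and data.startswith('"') and data.endswith('"'):
                data = _unescape(data[1:-1])
            keys[current][name] = data
    return keys


def suspicious_autoruns(keys: Dict[str, Dict[str, str]]) -> List[Tuple[str, str, List[str]]]:
    """(key, value name, reasons) for every Run/RunOnce value that trips a rule."""
    findings = []
    for key, values in keys.items():
        if not key.upper().endswith(RUN_KEY_SUFFIXES):
            continue
        for name, data in values.items():
            reasons = []
            if not name.isprintable():
                reasons.append("odd-value-name")
            if SCRIPT_HOST.search(data):
                reasons.append("script-host")
            if ENCODED_BLOB.search(data) or len(data) > MAX_SANE_LENGTH:
                reasons.append("encoded-blob")
            if reasons:
                findings.append((key, name, reasons))
    return findings


# Constructed .reg export (not from a real machine). The second Run value is
# modelled on the rundll32/javascript launcher reported for POWELIKS.
_BLOB = base64.b64encode(b"constructed second-stage bytes " * 16).decode()
SAMPLE_REG = (
    "Windows Registry Editor Version 5.00\n\n"
    "[HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run]\n"
    '"OneDrive"="\\"C:\\\\Users\\\\alice\\\\AppData\\\\Local\\\\Microsoft\\\\OneDrive\\\\OneDrive.exe\\" /background"\n'
    '"a"="rundll32.exe javascript:\\"\\\\..\\\\mshtml,RunHTMLApplication \\";eval(\\"' + _BLOB + '\\")"\n\n'
    "[HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce]\n"
    '"Cleanup"="C:\\\\Windows\\\\System32\\\\cmd.exe /c del C:\\\\temp\\\\setup.log"\n'
)

if __name__ == "__main__":
    for key, name, reasons in suspicious_autoruns(parse_reg_export(SAMPLE_REG)):
        print(f"{key}\\{name!r}: {', '.join(reasons)}")
```

On a live system the same rules apply to the output of `reg export` for the HKCU and HKLM Run keys; the export step is deliberately separate so that the analysis can run on a collected artifact from any host.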

Simple and easy ways to keep your computer safe and secure on the Internet




This tutorial was created to provide tips and techniques for smart and safe computing. When using these techniques you will not only protect yourself and your data from hackers and viruses, but also keep your computer running more smoothly and reliably. The advice in this tutorial applies to all computer users and all operating systems, but we have tried to point out specific steps for various operating systems as it becomes necessary.

Threat Spotlight: TeslaCrypt – Decrypt It Yourself




This post was authored by: Andrea Allievi, Earl Carter & Emmanuel Tacheau




After the takedown of Cryptolocker, we have seen the rise of
Cryptowall. Cryptowall 2 introduced “features” such as advanced
anti-debugging techniques, only to have many of those features removed
in Cryptowall 3. Ransomware is becoming an extremely lucrative business,
leading to many variants and campaigns targeting even localized regions
in their own specific languages. Although it is possible that these
multiple variants are sponsored by the same threat actor, the most
likely conclusion is that multiple threat actors are jumping in to claim
a portion of an ever increasing ransomware market. One of the latest
variants is called TeslaCrypt and appears to be a derivative of the
original Cryptolocker ransomware. Although it claims to be using
asymmetric RSA-2048 to encrypt files, it is making use of symmetric AES
instead. Talos was able to develop a tool which decrypts the files
encrypted by the TeslaCrypt ransomware...


How Kaspersky makes you vulnerable to the FREAK attack and other ways Antivirus software lowers your HTTPS security - Hanno's blog




Lately a lot of attention has been paid to software like Superfish and Privdog that intercepts TLS connections in order to manipulate HTTPS traffic. These programs had severe (technically different) vulnerabilities that allowed attacks on HTTPS connections.



What these tools do is a widespread technique. They install a root certificate into the user's browser and then perform a so-called Man-in-the-Middle attack: they present the user with a certificate generated on the fly and manage the connection to the HTTPS server themselves. Superfish and Privdog did this in an obviously wrong way, Superfish by using the same root certificate on all installations and Privdog by simply accepting every invalid certificate from web pages. What about other software that also does MitM interception of HTTPS traffic?



Antivirus software intercepts your HTTPS traffic



Many antivirus applications and other security products use similar techniques to intercept HTTPS traffic. I had a closer look at three of them: Avast, Kaspersky and ESET. Avast enables TLS interception by default. Kaspersky by default intercepts connections to certain web pages only (e.g. banking), with an option to enable interception for all connections. In ESET, TLS interception is disabled by default and can be enabled with an option.
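An interceptor terminates TLS itself and opens its own connection to the server, so the protocol versions and cipher suites you actually get are whatever its stack offers; that is how a client inherits a FREAK-style export-RSA weakness its browser never had. The block below is an added Python example for this page, not code from Hanno's post or from any of the products named: it audits a list of cipher-suite names (OpenSSL notation) against a weak-suite policy and applies the same audit to a Python `ssl` context, with a hardened context beside it. The weak-suite markers and the constructed interceptor list are this example's own assumptions.

```python
import ssl
from typing import Dict, List

# Substrings (OpenSSL cipher-suite naming) that mark a suite a client should
# never offer. EXP-/EXPORT is the FREAK weakness: 512-bit export-grade RSA.
WEAK_MARKERS = ("EXP-", "EXPORT", "ADH-", "AECDH-", "NULL", "RC4", "DES-CBC", "MD5")


def weak_suites(names: List[str]) -> List[str]:
    """The subset of cipher-suite names that match a weak marker, order preserved."""
    return [n for n in names if any(m in n.upper() for m in WEAK_MARKERS)]


def context_report(ctx: ssl.SSLContext) -> Dict[str, object]:
    """What a given SSLContext would offer: suite count, weak suites, floor version."""
    names = [c["name"] for c in ctx.get_ciphers()]
    return {
        "cipher_count": len(names),
        "weak": weak_suites(names),
        "min_version": ctx.minimum_version.name,
    }


def hardened_context() -> ssl.SSLContext:
    """A client context restricted to TLS 1.2+ and forward-secret AEAD suites."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20")   # TLS 1.3 suites stay enabled
    return ctx


# Constructed list: what a careless interceptor's TLS stack might still offer.
INTERCEPTOR_SUITES = [
    "ECDHE-RSA-AES128-GCM-SHA256",
    "EXP-RC4-MD5",
    "EXP-DES-CBC-SHA",
    "ADH-AES128-SHA",
    "RC4-SHA",
    "AES256-SHA",
]

if __name__ == "__main__":
    print("interceptor weak suites:", weak_suites(INTERCEPTOR_SUITES))
    print("hardened context:", context_report(hardened_context()))
```

`AES256-SHA` survives the audit because it is not broken, only non-forward-secret; the markers are a floor, not a full policy. The practical lesson of the post is that hardening your own client as in `hardened_context` is pointless while an interceptor sits in front of it, so the first check on a managed endpoint is whether one is installed at all.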

SANS Digital Forensics and Incident Response Blog | Identifying and Disrupting Crypto-Ransomware (and Destructive Malware) | SANS Institute




I have been giving some thought to how we can stop crypto-ransomware doing its thing. Initially, I thought about interfering with the Windows CryptoAPI, perhaps by hooking the CryptEncrypt function; however, page 16 of a Bromium report analysing various samples shows that some samples use CryptoAPI, others use OpenSSL libraries, and a few even use custom inline code.

Saturday, April 25, 2015

Security Flaw in Samsung Galaxy S5 Allows Hackers to Steal Your Fingerprint




A security flaw in Android 5.0 and below makes it possible for hackers to take copies of fingerprints and unlock the Samsung Galaxy S5, which could lead to the victim's personal data being obtained and exploited.



FireEye experts Yulong Zhang and Tao Wei have exposed a critical Android flaw, which makes Samsung Galaxy S5 smartphone highly vulnerable to attacks.


The experts revealed that, thanks to the flaw, hackers can easily obtain fingerprint data and steal personal information, then use it for malicious purposes.

GoodDeals Advertisements Removal Guide




GoodDeals is an adware program that displays deals, offers, or coupons when you browse certain online shopping sites. When browsing sites such as BestBuy or Target, the GoodDeals adware displays a rectangular banner at the bottom of the web page with offers or deals based on the particular site you are visiting. Unfortunately, these advertisements are displayed in an intrusive manner, overlaying the content you are trying to read.

Hackers can potentially hack WIFI systems on aircraft to commandeer the plane | Emsisoft Blog




Flying thousands of feet in the air can be a scary event for many people, but now it seems that air travel may be more dangerous than it has ever been. Potential flaws have been discovered in several new-model airplanes that could allow hackers to commandeer the plane by breaking into a single WIFI system from a laptop. It is a scary thought that the hacker may be sitting next to you on the plane.




According to news giant CNN, hundreds of the planes flying commercially today could potentially be vulnerable to having their on-board computers hacked and taken over by a passenger or even by someone on the ground. One of the authors of the report told CNN that the Boeing 787 Dreamliner, the Airbus A350 and the A380 all have cockpits wired into the same WIFI system that passengers use.

Ransomware: Should you pay the cybercriminals?




Ransomware is a type of malware, or malicious software, which has exploded in notoriety in recent years. The malware is often installed on your machine via a phishing email or a drive-by download on a compromised website, and a short time later a pop-up message appears on screen telling the user to pay a ransom (in some cases as much as $300) in order to 'unlock' their documents.

EasySync Solutions


Only EasySync Solutions Directly Combats Ransomware

Criminals are taking notice of the amount of money to be made with ransomware, so whether you have been infected before or have never been infected, now is the time to get proper protection. The simple fact is, most of the time an anti-virus, a firewall, or even group policies are not enough to stop ransomware like CryptoWall, TorrentLocker, and CryptoLocker. Without the proper software you may come home to find that all of your personal files have been encrypted and are being held hostage until a payment is made. Sometimes ransomware can even delete your files if you do not pay, or may corrupt them, making payment useless. With EasySync Solutions you will find software that will help you stay protected from every type of ransomware. You will always have a plan A, B, and C if you do get infected. From prevention measures to recovery measures, you can be sure that if you are running our software and you find yourself being attacked by ransomware, you will always have options.

Middle East Malware: Cyber Attack 8 (SEA)

This is an interesting attack by the infamous Syrian Electronic Army (SEA). What is special about it is that it comes as a Windows link ...

Wednesday, April 15, 2015

MiddleEastMalware: CyberAttack 1

Attack vector: Victims receive it as malicious links in emails. The email above translates as "A new leak for the Egyptian pres...

MiddleEastMalware: Cyber Attack 4

The attack in this post is from the same attack group as in Cyber Attack 1 and Cyber Attack 2. The attack vector is a malicious emai...

Monday, April 13, 2015

Blaze's Security Blog: Remediate VBS malware

I have developed a small tool that will aid you in removing VBS malware from a machine or in a network. I made this some months ago when I sa...

Tuesday, April 7, 2015

Windows Incident Response: Windows Event Logs

Dan recently tweeted: Most complete forensics-focused Event Log write-ups? #DFIR I have no idea what that means. I'm going to assu...

Thursday, April 2, 2015

A Few Thoughts on Cryptographic Engineering: Truecrypt report

A few weeks back I wrote an update on the Truecrypt audit promising that we'd have some concrete results to show you soon. Thanks to so...

Wednesday, April 1, 2015

Dynamoo's Blog: Malware spam: "Australian Taxation Office - Refund...

This fake tax notification spam leads to malware hosted on Cubby. From: Australian Taxation Office [noreply@ato.gov.au] Date: ...

Monday, March 30, 2015

Dynamoo's Blog: Malware spam: "Invoice ID:12ab34" / "123"

This terse spam has a malicious attachment: From: Gerry Carpenter Date: 25 March 2015 at 12:58 Subject: Invoice ID:34bf33 1...

Saturday, March 21, 2015

Scrutiny from an Inquisitive mind: Defeating EMET 5.2

Since my last post, I thought: if Malwarebytes Anti-Exploit can be bypassed in a targeted attack, why not work on bypassing EMET using ROP ...

Wednesday, March 18, 2015

Jump ESP, jump!: Thousand ways to backdoor a Windows domain (forest...

When the Kerberos elevation of privilege vulnerability (CVE-2014-6324 / MS14-068) was made public, the remediation paragraph of follo...

Dynamoo's Blog: Malware spam: "December unpaid invoice notificatio...

This spam comes with no body text, but does come with a malicious attachment. From: Korey Mack Date: 18 March 2015 at 11:04 ...

Friday, March 13, 2015

Malware Battle: 750,000 Computers Infected With Malware In Belgium...

In the first half of 2014, 750,000 computers in Belgium were infected with malware and were part of one or several botnets, according to figu...

Friday, January 30, 2015

Google Lat Long: Google Earth Pro is now free

Over the last 10 years, businesses, scientists and hobbyists from all over the world have been using Google Earth Pro for everything from...

Tuesday, January 20, 2015

Blaze's Security Blog: Ransomware: a Q&A

Ransomware: a Q&A written by @bartblaze. Who creates them? What is their goal? How successful are they, and what is their recipe f...
