A Weekends Experiment – Update 2

April 3rd, 2011 by peter.bassill

Ok, so here are some of the results. I will try and get some visualisation of the results through Splunk later in the week but here is the raw output from the box after 48 hours:


A Weekends Experiment – Update 1

April 2nd, 2011 by peter.bassill

First update of the weekend: the victim machine has certainly had a very busy night.

Here is the first output from Norman:

[ DetectionInfo ]
* Sandbox name: NO_MALWARE
* Signature name: W32/Spybot.CKBU

A Weekends Experiment

April 1st, 2011 by peter.bassill

So, let's start with the question posed over a couple of ales today.

“How much malware would get installed on a server with a basic ‘IT Admin’ style configuration over a weekend?”

With a question like that being posed, an answer is needed, and this is the start of the journey for the weekend. At 1930 on the 1st of April we put our nepenthes node live, looking like what can only be described as a moderately configured server. It is certainly not to the standard I would allow anywhere near a corporate environment, but it is representative of many servers I encounter on the ‘net’.

ZeuS Source Code for $10k.

February 1st, 2011 by peter.bassill

Late last year, online crime forums were abuzz with talk that development of the world’s most notorious banking Trojan — ZeuS — was being retired, after its maker handed the malware’s secret blueprints to a rival developer.

The recipient of those plans — the author of the SpyEye Trojan — has been hard at work on a malware strain that blends the two malware families. But new evidence suggests that the source code for the latest ZeuS version may have also been given or sold to a third party who is now reselling it to the highest bidder in the criminal underground, a development that could soon guarantee the production of a whole new ZeuS lineage.

Sources say the ZeuS author — known variously as “Slavik” and “Monstr” on criminal forums — gave the SpyEye author Gribodemon stewardship over the ZeuS code base, on the condition that Gribodemon agreed to provide ongoing support for existing ZeuS clients, a sizable user base that demands considerable care and attention. Sources also believe Slavik may have separately sold the code itself, ostensibly to the same individual shown in the screen shot below.

Established crime forums are built upon reputation, which is earned over a period of time by points awarded from other members for positive or negative transactions — much like eBay’s buyer and seller feedback system. The solicitation in the above screen shot is unlikely to be a fake: It indicates that the seller has been a member of this particular vetted crime forum since June 13, 2009, and has 18 positive reputation points and zero negative.

This seller is offering the full ZeuS source code for the latest version 2.0.8.9, and warns away members without a significant war chest. But how much could the code actually fetch? Toward the end of last year, the ZeuS author was selling fully-loaded, single-user licenses for up to $10,000 apiece. Aviv Raff, chief technology officer and co-founder of Seculert, said this individual could probably demand at least ten times that amount for the source code, which would give the buyer full rights to sell one-off licenses to others, and/or to continue developing the malware family.

But don’t come bearing gold, credit cards, or even cold hard cash: This seller only accepts payment via an irreversible virtual currency called Liberty Reserve. On top of that, payments must be made through the forum’s escrow service — a feature offered by forum administrators designed to cut down on members ripping one another off — but one which can add considerably to the final price of the item(s) for sale.

re-posted from krebsonsecurity.com

Phishing attempt playing on desperate people

April 6th, 2009 by peter.bassill

Received this first thing in my email box:

I am Greg Fred Walter, i am offering a loan at a maximum low rate of 4%, both secure and unsecured, every interested applicant should contact us.
Contact Immediately below address greginvestmentlender@gmail.com

The Information Needed From A Client is Listed Below:

Full Name;
Amount Needed:
Phone Number:
Country:
Duration Period:
Age:
Sex:
Email Address:
Monthly Income:

Regards.
Greg Fred Walter

—————

Now of course no one is going to be silly enough to fall for this one, are they? Or are they? This particular piece of scum is preying on those heavily in need and desperate, and with this form of email he might just get a few takers. I certainly hope not, though!