<?xml version="1.0" encoding="utf-8"?>
<rss version="0.92">
<channel>
<title>SecuObs.com</title>
<link>http://www.secuobs.com</link>
<description>Internet Security Observatory</description>
<language>fr</language>
<webMaster>webmaster@secuobs.com</webMaster>
<item><title>Real Host, Latvia - RBN Resurgence or Clone</title><description>2014-12-03 15:39:14 - Andrew Martin : A couple of days ago I was investigating an attack that a reader submitted to me that was related to the recent nine ball attacks as reported by WebSense (Part 1, Part 2). The attackers use the same techniques to exploit victims but this time have moved to new domains and updated their payloads.</description><link>http://www.secuobs.com/revue/news/548289.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/548289.shtml</guid></item>
<item><title>Blog update after 25 years</title><description>Secuobs.com : 2012-06-27 01:44:28 - Andrew Martin - Wow, I can't believe it's been 25 years since my last post on this blog. A lot has happened since December 2009. First of all, I took a new job at my same employer as a Senior Security Consultant. The new job had me performing risk assessments and 3rd party vendor reviews for our Technology</description><link>http://www.secuobs.com/revue/news/383947.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/383947.shtml</guid></item>
<item><title>The Top 50 Bad Hosts - Another Report by HostExploit</title><description>Secuobs.com : 2009-12-18 21:22:57 - Andrew Martin - Jart and Scott from HostExploit (http://hostexploit.com) have put together another paper on bad hosting providers, this time giving an overview of 50 that host a great deal of malicious code. The ranking is based on a mathematical calculation, which is included in the report. To be absolutely clear, these providers are not knowingly acting as</description><link>http://www.secuobs.com/revue/news/174038.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/174038.shtml</guid></item>
<item><title>Major Stealthy Malware Campaign - 711 Domains Taken Down</title><description>Secuobs.com : 2009-12-09 03:39:29 - Andrew Martin - Starting sometime around November 6th, many attacks were observed coming from strangely named domains such as usbf9info, usbp0info, usbn3info, etc. The attackers employed some code splitting techniques to make their scripts more stealthy by moving suspicious shellcode from inside the primary exploit script to a secondary script. The attacks were being delivered through advertisements which</description><link>http://www.secuobs.com/revue/news/169933.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/169933.shtml</guid></item>
<item><title>Introducing MalFI - Another Report From HostExploit</title><description>Secuobs.com : 2009-11-18 08:23:52 - Andrew Martin - I'm a few days late for posting this but the HostExploit team has produced another report, this time on an attack dubbed "MalFI" for malicious file inclusion. This encompasses remote file inclusion (RFI), local file inclusion (LFI) and Cross Server Attack (XSA). The report had been in the works for quite some time and while</description><link>http://www.secuobs.com/revue/news/162427.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/162427.shtml</guid></item>
<item><title>Recruiting Chinese Attackers</title><description>Secuobs.com : 2009-10-09 19:40:35 - Andrew Martin - With all the talk about Chinese malware authors and groups of attackers supposedly sponsored by governments out there, I thought I would publish a find of mine from back in 2007. Excellent research has been done on this topic with one of the most interesting events being the discovery of GhostNet. The following message was</description><link>http://www.secuobs.com/revue/news/149069.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/149069.shtml</guid></item>
<item><title>SPAM Briefly Drops 38% Due To Real Host Shutdown</title><description>Secuobs.com : 2009-09-04 07:34:45 - Andrew Martin - MessageLabs wrote a nice report summarizing key events from August and it turns out our work was more widely felt than believed. Apparently part of Cutwail's C&amp;C infrastructure resided inside Real Host's network. When they got cut off, SPAM levels dropped but only briefly since there were more C&amp;Cs elsewhere to pick up the</description><link>http://www.secuobs.com/revue/news/137805.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/137805.shtml</guid></item>
<item><title>Real Host now shutdown</title><description>Secuobs.com : 2009-08-06 01:39:04 - Andrew Martin - Now that the report has hit mainstream media outlets, I am pleased to report that Real Host has been taken down. Score another one for the good guys. The story was first published by the Financial Times of London. With follow up stories from: Network World, The Inquirer, CIO Magazine, Information Security Magazine, Sunbelt Software, Computer World UK. And many</description><link>http://www.secuobs.com/revue/news/128360.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/128360.shtml</guid></item>
<item><title>This blog is now a honeypot</title><description>Secuobs.com : 2009-08-05 05:43:50 - Andrew Martin - As I was perusing my logs today on a lazy Sunday afternoon I found I was being attacked by more RFI bots than usual. To my surprise I realized it is because of my previous post on controlling RFI bots. In my last post I included a dork that is frequently scanned for, and in</description><link>http://www.secuobs.com/revue/news/128055.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/128055.shtml</guid></item>
<item><title>SANS Paper of the Quarter Webcast</title><description>Secuobs.com : 2009-08-05 05:43:50 - Andrew Martin - At long last SANS and I have agreed on a date and time for me to deliver the first ever Paper of the Quarter webcast. My paper Mobile Device Forensics was picked as the Q1 2009 winner while I was away traveling South America, so I am a little late to the race. It will</description><link>http://www.secuobs.com/revue/news/128054.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/128054.shtml</guid></item>
<item><title>Nine-Ball   Gumblar Redux  - 40,000 websites compromised</title><description>Secuobs.com : 2009-08-05 05:43:50 - Andrew Martin - My RSS reader alerted me today to another wave of mass website compromises from Web Sense. Hungry for more information I decided to dig in to reveal the details that, as always, have been left out. Summary: This attack appears to be brought to us courtesy of the attackers behind Gumblar. The malware involved and the end</description><link>http://www.secuobs.com/revue/news/128053.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/128053.shtml</guid></item>
<item><title>Webcast today</title><description>Secuobs.com : 2009-08-05 05:43:50 - Andrew Martin - Just a quick reminder that the webcast for my paper "Mobile Device Forensics" will be taking place at 1pm EDT today. See my previous blog post for more information.</description><link>http://www.secuobs.com/revue/news/128052.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/128052.shtml</guid></item>
<item><title>Finding the Unknown - Detecting Emailed Malware Waves</title><description>Secuobs.com : 2009-08-05 05:43:50 - Andrew Martin - In a previous post I discussed using the technique of watching for the transfer of executable files around the network as a method of intrusion detection. This is a great way of discovering machines that were attacked where IDS failed to detect the exploit(s) due to obfuscation. Another method I'd like to highlight is looking for</description><link>http://www.secuobs.com/revue/news/128051.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/128051.shtml</guid></item>
<item><title>One Click Hosting Spreads Banking Trojan</title><description>Secuobs.com : 2009-08-05 05:43:50 - Andrew Martin - While this is not totally new, I only recently came across my first event involving a one click host serving malware. What is one click hosting? These are providers which you have probably heard of before such as RapidShare, Megaupload, yousendit and many many more. Wikipedia has a listing of many of them. These providers</description><link>http://www.secuobs.com/revue/news/128050.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/128050.shtml</guid></item>
<item><title>Major Report Coming via HostExploit team</title><description>Secuobs.com : 2009-08-05 05:43:50 - Andrew Martin - It's been awhile since I posted unfortunately, but it's not due to a lack of attacks to talk about. Some time ago I was approached by the Host Exploit open source security research group and they asked me if I would help contribute to their efforts. This is the group that put together research</description><link>http://www.secuobs.com/revue/news/128049.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/128049.shtml</guid></item>
<item><title>Nine-Ball followup now with video (Part 1)</title><description>Secuobs.com : 2009-08-05 05:43:50 - Andrew Martin - A reader was gracious enough to share some information with me on the events surrounding the compromise of a website of his. The site was compromised via stolen FTP credentials which has been a technique employed by major Internet threats such as Gumblar and Nine-ball recently. This will be a two part post. Let's take</description><link>http://www.secuobs.com/revue/news/128048.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/128048.shtml</guid></item>
<item><title>Nine-Ball followup now with video (Part 2)</title><description>Secuobs.com : 2009-08-05 05:43:50 - Andrew Martin - As a follow up to my previous post, here is the next video depicting the second portion of the attack. For URLs, Virustotal results, etc. refer back to Part 1. All analysis is conducted with Malzilla. To give you some additional insight into the attack, I am also able to share the contents of a hacked</description><link>http://www.secuobs.com/revue/news/128047.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/128047.shtml</guid></item>
<item><title>Real Host, Latvia - RBN Resurgence or Clone</title><description>Secuobs.com : 2009-08-05 05:43:50 - Andrew Martin - A couple of days ago I was investigating an attack that a reader submitted to me that was related to the recent nine ball attacks as reported by WebSense (Part 1, Part 2). The attackers use the same techniques to exploit victims but this time have moved to new domains and updated their payloads. There</description><link>http://www.secuobs.com/revue/news/128046.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/128046.shtml</guid></item>
</channel>
</rss>
 
