Become An Endpoint with LazyEye

    by  • November 21, 2014

    For the past couple of years I have written Chrome extensions to do my bidding, but never shared them out in the open. Some would modify the Virustotal website and include data from Hypertotal, while others would highlight indicators inside of my browser content. I wanted to release one of the extensions I have...


    Faster Renting with AirSort

    by  • November 1, 2014

    Airbnb is awesome and super convenient for booking a place to stay when traveling somewhere new. Unfortunately, just like other hotel booking sites, the price per night is never the actual price you end up paying. Hidden fees or additional charges are tacked on as you go to book your place and honestly, it’s annoying....


    Who’s in the Photo of the Wired Article?

    by  • September 13, 2014

    Due to my poor travel timing, I wasn’t able to really engage in conversation when the Virustotal Wired article came out. One of the questions that seemed to float around was who was in the photo behind me? Well, if you haven’t figured it out now, it’s good ol’ Claudio, maker of Cuckoo and...


    Watching Attackers Through Virustotal

    by  • September 1, 2014

    Bad guys, both crime and cyber espionage, use Virustotal as a means to test their exploit code. Sounds silly, but it’s true and not true as in they used it a few years ago, but true as in they used it a couple of days ago. In fact, some actor likely tested their code...


    Ending the iDefense Era

    by  • April 6, 2014

    Despite the job changes over the years, this blog has remained a constant place where I shared ideas and projects, so it’s only natural that a post like this would end up here. The title and the tweet from earlier this month are correct, tomorrow marks my last day and two year anniversary at iDefense. I...


    Process of NetTraveler Operations Revealed in Virustotal

    by  • March 20, 2014

    Last month, I spoke about Hypertotal (framework to identify actors abusing Virustotal) and since then, nothing has changed (no surprises there). For over 2 years now, I have watched the NetTraveler actors use Virustotal as a records retention utility (at least it appears that way) and aside from all the normal indicators you would...


    Virustotal Actors: Hypertotal output

    by  • February 12, 2014

    Earlier today I presented at the Kaspersky SAS 2014 conference hosted in the Dominican Republic. While I’ve had the Hypertotal engine and results for a number of years, I have never wanted to talk about it publicly to avoid major changes in actor behavior. I chose this specific conference to share some of my...


    Targeted Document Gathering with Dpacker

    by  • September 7, 2013

    As part of creating an incubation environment, I need to download a bunch of “interesting material” that is relevant to the organization I am attempting to mimic. 2 years ago I had written a tool to solve this issue, bighands, that worked well using the Google Ajax API. Unfortunately, and for quite a while...
