Ending the iDefense Era

    by  • April 6, 2014

    Despite the job changes over the years, this blog has remained a constant place where I shared ideas and projects, so it’s only natural that a post like this would end up here. The title and the tweet from earlier this month are correct, tomorrow marks my last day and two year anniversary at iDefense. I...


    Process of NetTraveler Operations Revealed in Virustotal

    by  • March 20, 2014

    Last month, I spoke about Hypertotal (framework to identify actors abusing Virustotal) and since then, nothing has changed (no surprises there). For over 2 years now, I have watched the NetTraveler actors use Virustotal as a records retention utility (at least it appears that way) and aside from all the normal indicators you would...


    Virustotal Actors: Hypertotal output

    by  • February 12, 2014

    Earlier today I presented at the Kaspersky SAS 2014 conference hosted in the Dominican Republic. While I’ve had the Hypertotal engine and results for a number of years, I have never wanted to talk about it publicly to avoid major changes in actor behavior. I chose this specific conference to share some of my...


    Targeted Document Gathering with Dpacker

    by  • September 7, 2013

    As part of creating an incubation environment, I need to download a bunch of “interesting material” that is relevant to the organization I am attempting to mimic. 2 years ago I had written a tool to solve this issue, bighands, that worked well using the Google Ajax API. Unfortunately, and for quite a while...


    Concurrent Joomla Bruteforcing

    by  • August 6, 2013

    I recently saw a tweet from Andre DiMino about wanting to see more hype around CMS hacking instead of letting it fall by the wayside. Given some of the more recent events with Operation Ababil, I kind of agree with him. This software is riddled with bugs and users often neglect updating their platforms...


    FIRST Slides and Incubations Introduction

    by  • July 15, 2013

    Last month I was privileged enough to speak at the 25th annual FIRST conference hosted in Bangkok, Thailand and wanted to explain my slides a bit. I am not sure if FIRST will put the videos of the talks on the Internet, but until they do, I think it’s valuable for those who weren’t...


    PRISM Lure in Use by NetTraveler Attackers

    by  • June 18, 2013

    In between the FIRST conference and a couple of beers, I stumbled upon an email uploaded to Virustotal. The file itself is an EML and has the name of “CIA’s _prism Watchlist_.eml”. Inside the email, the content is the following: It appears the intended recipient of the malicious mail was a yahoo account linked to the...


    Asia Adventure Time

    by  • June 15, 2013

    It’s that time of year again and I will be migrating across Asia for the next several weeks. If you happen to be at any of the locations mentioned below during those time frames, please let me know and maybe we can meet up! June 17-21 – Speaking at FIRST conference in Bangkok, Thailand July...
