    PRISM Lure in Use by NetTraveler Attackers

    June 18, 2013

    In between FIRST conference and a couple beers, I stumbled upon an email uploaded to Virustotal. The file itself is an EML and has the name of “CIA’s _prism Watchlist_.eml”. Inside the email, the content is the following: It appears the intended recipient of the malicious mail was a yahoo account linked to the...

    Asia Adventure Time

    June 15, 2013

    It’s that time of year again and I will be migrating across Asia for the next several weeks. If you happen to be at any of the locations mentioned below during those time frames, please let me know and maybe we can meetup! June 17-21 – Speaking at FIRST conference in Bangkok, Thailand July...

    CommentCrew Developer Disconnect

    June 14, 2013

    Last week, my colleague on the advanced threat research team, Rob Falcone, pointed me over at a sample that hit on our CommentCrew DES signature. Normally I would shrug this off as something old, but the compilation time on the binary showed June 4, 2013 and the command-and-control (C&C) server appeared to be active....

    Redirecting Opportunistic Operators as a Service (ROOaaS)

    May 28, 2013

    This theory is going to be a little out there, but go with me for a moment. It seems that you can almost get a job doing anything these days. Most people choose the high road, they pick a decent profession and try to make an honest living, but of course, alongside those same...

    Poor Man’s Conversion Using Google Drive API

    May 19, 2013

    I lost count of how many times I have used Google Drive to convert a document to one format and download it as another. This generally means firing up a browser, logging into a random Google account, uploading the document, re-downloading it and then deleting to save space. Sure, there are utilities to do...

    PDF Beacons with JavaScript openDoc API

    May 2, 2013

    I saw earlier in the week that McAfee had disclosed an information leak through one of the PDF JavaScript APIs. While it wasn’t exactly spelled out, I recognized the bug description as one I had reversed back in May of 2012. Why didn’t it hit the public then? Well, it wasn’t that interesting and...