botnet


This is the second part of FortiGuard Labs’ deep analysis of the new Emotet variant. In the first part of the analysis we demonstrated that by bypassing the server-side Anti-Debug or Anti-Analysis technique we could download three or four modules (.dll files) from the C&C server. In that first blog we only analyzed one module (I named it ‘module2’). In this blog, we’ll review how the other modules work. Here we go.
by Xiaopeng Zhang  |  May 09, 2017  |  Filed in: Security Research
In part 1 of FortiGuard Labs’ analysis of a new variant of the BADNEWS backdoor, which is actively being used in the MONSOON APT campaign, we did a deep technical analysis of what this backdoor is capable of and how the bad guys control it using the command and control server. In this part of the analysis, we will try to discover who might be behind the distribution of these files.
by Jasper Manuel and Artem Semenchenko  |  Apr 05, 2017  |  Filed in: Security Research
Fortinet is proud to announce today the results from International Data Corporation’s (IDC) latest Worldwide Quarterly Security Appliance Tracker. The 2016Q4 and historical report data reinforces Fortinet’s continued leadership within the security industry by once again shipping the most security appliances, which also further strengthens our industry-leading global network of threat intelligence sensors.
by Bill McGee  |  Apr 03, 2017  |  Filed in: Industry Trends & News
Digital Video Recorders / Network Video Recorders (DVR/NVR): Back in 2015, our telemetry detected a relatively small number of IPS signature hits on known vulnerabilities targeting DVR/NVR devices (~ 749 hits). In 2016, however, we saw this number increase alarmingly to around 1.5 million hits. By using a size comparison chart again, we can see the huge increase more clearly when we compare both years, as shown below: The question, of course, is what contributed to this huge increase in detected hits? Once again, let’s look at the...
by Gavin Chow  |  Mar 24, 2017  |  Filed in: Security Research
Attacks targeting and originating from IoT devices began grabbing news headlines toward the last quarter of 2016. Insecure IoT devices became the low-hanging fruit for threat actors to easily exploit. Some were even notoriously used as botnets to launch DDoS attacks against selected targets. For example, the infamous Mirai botnet exploited weak login vulnerabilities in insecure IoT devices such as IP cameras and home routers, and was responsible for one of the largest known DDoS attacks to date. Besides being used in DDoS attacks, exploited IoT...
by Gavin Chow  |  Mar 06, 2017  |  Filed in: Security Research
Dot ransomware is a new Ransomware-as-a-service (RaaS) that is openly available in hacking forums. And following the current trend in malware services, it uses web portals hosted in the TOR network for anonymity. Commission-based Profit: While lurking in hacking forums, we came across a post for this new ransomware service. RaaS services are now switching from a one-time fee or subscription payment model to a commission-based strategy. One advantage of this scheme is that the upfront price for the ransomware is free, and any profits realized...
by Rommel Joven  |  Mar 02, 2017  |  Filed in: Security Research
Introduction: Dyzap belongs to a family of malware designed to steal confidential information from enormous target applications by installing a “man in the browser” attack into common browsers. FortiGuard Researchers recently discovered a new variant of this Trojan virus. Stolen information may include, but is not limited to, system information and application credentials stored on infected systems. In this blog, we will explain how the malware steals user accounts, acts as a keylogger, and communicates with its C&C server. Stealing...
by Bahare Sabouri and He Xu  |  Feb 22, 2017  |  Filed in: Security Research
One month ago we captured a Word document infected with malicious VBA code, which was detected as WM/Agent!tr by the Fortinet AntiVirus service. Its file name is InternalFax.doc, and its MD5 is 4F2139E3961202B1DFEAE288AED5CB8F. By our analysis, the Word document was used to download and spread the botnet TrickBot. TrickBot aims at stealing online banking information from browsers when victims are visiting online banks. The targeted banks are from Australia, New Zealand, Germany, United Kingdom, Canada, United States, Israel, and...
by Xiaopeng Zhang  |  Dec 06, 2016  |  Filed in: Security Research
Introduction: The ART team at Fortinet has discovered a new malware named Proteus, a multifunctional botnet written in .NET that appears to be a proxy, coin miner, e-commerce merchant account checker, and keylogger. This particular botnet is downloaded by the Andromeda botnet. The handful of malicious features densely packed in this new malware also includes the ability to drop other malware. We have compiled its main features in this brief analysis. Data Encryption: All C&C communication is encrypted with a symmetrical algorithm....
by Donna Wang, Jacob (Kuan Long) Leong  |  Nov 28, 2016  |  Filed in: Security Research
A well-known aspect of criminals in any space is that they are unpredictable. They look for holes and vulnerabilities in systems and try to use them to their advantage. Security systems, therefore, have to be architected in a way that assumes attack unpredictability. A new threat emerging on the horizon is called the BlackNurse DDoS attack. Fortinet protects organizations against this with content-based protection, through the IPS signature "BlackNurse.ICMP.Type.3.Code.3.Flood.DoS", as well as with behavior-based protection through our FortiDDoS...
by Hemant Jain  |  Nov 14, 2016  |  Filed in: Industry Trends & News