This is the second part of the FortiGuard Labs analysis of the new Poison Ivy variant, or PlugX, which was an integrated part of Poison Ivy’s code. In the first part of this analysis we introduced how this malware was installed onto victim’s systems, the techniques it used to perform anti-analysis, how it obtained the C&C server’s IP&Port from the PasteBin website, and how it communicated with its C&C server. [Read More]
by RSS Xiaopeng Zhang  |  Sep 15, 2017  |  Filed in: Security Research
The FortiGuard Domain Reputation Service License for FortiDDoS is yet further ammunition to use against the growing threat of the IoT and botnet attacks, which are easier than ever to launch due to proliferation of open source code for such attacks, and growing availability of vulnerable devices. [Read More]
by RSS Hemant Jain  |  Sep 06, 2017  |  Filed in: Business and Technology
At the end of October, a bot that we have not tracked before appeared in our system. Our initial analysis of its features got our attention as it revealed some behaviour that are considered dangerous to infected users. After tracking its history using our monitoring system, we found out that it has been distributed by a well-known botnet, Andromeda 2.09, since September, 2014. As a new addition to the botnet families that we are continually tracking, we are now going to discuss our initial analysis of this botnet, which is named Recslurp. In this... [Read More]
by RSS He Xu  |  Nov 17, 2014  |  Filed in: Security Research
Dofoil, also known as Smoke Loader, is a modularized botnet that has existed for a few years. Since 2013, we have not received any new variants of this bot and the command-and-control (C&C) servers of its previous variants are no longer accessible, making Dofoil seem like a dead botnet. In September 2014, however, we have received a brand new Dofoil variant that carries more features. This blog post will discuss our brief analysis of this new variant, which we are detecting as W32/Zurgop.BK!tr.dldr. New Dofoil? The previous Dofoil botnet... [Read More]
by RSS He Xu  |  Nov 12, 2014  |  Filed in: Security Research
A few months have passed since the release of the “Backoff” point-of-sale (PoS) malware advisory, but Backoff and other PoS malware continue to be an active threat as businesses keep reporting data breaches and the compromise of their customers’ financial information. We have recently encountered a new version of the Backoff malware family, which we are detecting as W32/Backoff.B!tr.spy. Unlike previous versions, this one no longer uses a version number in the malware body, but just uses the version name ROM. ROM performs very similarly... [Read More]
by RSS Hong Kei Chan  |  Nov 03, 2014  |  Filed in: Security Research
Asprox, a.k.a. Zortob, is an old botnet that was uncovered in 2007. It is known to spread by arriving as an attachment in spam emails that purport to be from well-known companies. The attachment itself is disguised as a legitimate document file by using icons such as those of a .doc or .pdf file. Figure 1. Asprox malware posing as a Microsoft Word document. This blog post will give an overview on Asprox's functionality with a focus on the changes in its communication with the command-and-control (C&C) server, including a new C&C command,... [Read More]
by RSS Long Tran  |  Jul 28, 2014  |  Filed in: Security Research