botnet – Martijn Grooten

Necurs update reminds us that the botnet cannot be ignored

Martijn — Fri, 06 Jul 2018 12:00:47 +0000

The operators of the Necurs botnet, best known for being one of the most prolific spam botnets of the past few years, have pushed out updates to its client, which provide some important lessons about why malware infections matter.
More on Virus Bulletin’s blog.

Hide'n'Seek IoT botnet adds persistence

Martijn — Wed, 09 May 2018 09:28:02 +0000

The Hide’n’Seek IoT botnet has received an update to make its infection persist on infected devices beyond a restart.
Read more on Virus Bulletin’s blog.

The Return of Qakbot

Martijn — Tue, 18 Feb 2014 17:03:15 +0000

Together with João Gouveia of AnubisNetworks, and using their real-time feeds, I’ve been looking at Qakbot, a piece of malware that was huge in 2011 and had since disappeared off the radar.
We found that Qakbot is still active and there are at least 20,000 infected devices. The command and control protocol has progressed from version 2 back in 2011 to version 8 today. We cracked the obfuscation used in earlier protocols, but are still struggling with version 8, which appears to use encryption rather than obfuscation.
I tried a large number of obvious and slightly less tricks to crack the protocol (including RC4, which I didn’t mention in the blog post), but so far to no avail. If anyone has any suggestions on how the encryption might work, we are of course happy to learn of it.
Still, I am quite content with the research we did, which will hopefully contribute to the knowledge of and the fight against Qakbot. The blog post is here. (NB the original blog post is not available any longer; an archived version can be found here.)