held to ransom

As of late I’ve been keeping fairly busy, unfortunately with not a lot that I can blog about. I’ve built a new house, planned some overseas travel for later in the year, am in the midst of planning a security conference with some of the other ISIG and OWASP blokes (more on that later) and have been incredibly excited about Battlefield 1. I could have been left for another month and probably remained quiet on the blogging front, alas someone has prompted me to break the silence.

After a recent incident I was quizzed by this someone about how I approach handling situations where defenses fail and malware does make an impact – and they suggested I make a blog post to explain this. Well, I’m feeling pretty motivated today so let’s make that happen.

Most days I receive a couple of suspect files, emails or URLs passed my way for inspection (the thought of those that I don’t receive is what keeps me awake at night), so I’ve selected one to illustrate my basic analysis process: a pretty standard case of ransomware via email, sent to one of our helpdesk staff.

bubblewrap

As a company grows in size and its public image becomes more and more prominent, it is inevitable that it will become a more attractive target to attackers – whether it be the prime focus of an attack, or the low-hanging fruit attached to a greater one. I certainly see this with my employer, and the effort put into some emails that I have had forwarded to me for inspection following my most recent social engineering test has very much illustrated that we are on the radar of some people who possess both determination and resources. However, regardless of how much effort you put into education you’re still guaranteed to get someone who opens a malicious attachment, so to guide incident response you need to analyse the behaviour of the file(s) to have meaningful data to work with.

worst phishing attempt ever – recently sent to our hr team

defeating god

According to ZeuS Tracker, there are still 493 ZeuS Command and Control (C&C) servers online. The number of infected PCs is estimated to still be around the 4 million mark in the USA, so it can still be considered a threat – particularly to those using outdated (or no) AV and the giant vulnerability that is Windows XP.

A while ago I set up a local ZeuS C&C server for demonstration purposes, and as part of this showed exactly how difficult it can be to remove, bearing in mind it isn’t even close to the complexity of its successor Gameover ZeuS, which has been observed to use encryption to bypass AV and P2P networking to communicate back to its C&C server(s).