XDocCrypt/Dorifel – Document encrypting and network spreading virus

Another day, another malware sample: today it was an unknown Delphi application that encrypts your Office documents on all non-root, non-CD/DVD drives and prepends each one with a copy of itself, turning a document into an executable. Great, everybody loves these kinds of things, as your entire IT-dependent organization will grind to a complete halt …

How to find malicious communication leaving your network

Most Zeus trojan infections use HTTP for communication. There are, however, versions of Zeus that use P2P technology, but they are the exception. Once a computer is infected, Zeus must connect to its command and control (CnC) server for settings and instructions. The usual way of doing this is an HTTP POST. When …

Critical analysis of Microsoft Operation B71

A little over 2 weeks ago Microsoft announced Operation B71. It was presented as the biggest blow to ZeuS botnets in history and was picked up by media globally. A released video showed Microsoft personnel executing a preliminary injunction in a civil case and seizing a server in Scranton, PA. In their words: …

RSA-512 Certificates abused in the wild

During recent weeks we have observed several interesting publications that relate directly to an investigation we worked on recently. On the one hand, a Certificate Authority was revoked by Mozilla, Microsoft and Google (Chrome); on the other hand, Mikko Hypponen (F-Secure) disclosed a malware attack using a …