botnets

Streams of malicious emails Talos inspects every day usually consist of active spamming campaigns for various ransomware families, phishing campaigns and the common malware family suspects such as banking Trojans and bots.. It is however often more interesting to analyze campaigns smaller in volume…

This blog was co-authored by Kevin Brooks, Alex Chiu, Joel Esler, Martin Lee, Emmanuel Tacheau, Andrew Tsonchev, and Craig Williams.   On the 21st of July, 2014, Cisco TRAC became aware that the website dwnews.com was serving malicious Adobe Flash content. This site is a Chinese language news websit…

This post was co-authored by Jaeson Schultz, Joel Esler, and Richard Harman.  Update 7-8-14: Part 2 can be found here This is part one in a two-part series due to the sheer amount of data we found on this threat and threat actor. This particular attack was a combined spearphishing and exploit attem…

Starting Friday, July 19, 2013 at 14:45 GMT, Cisco TRAC spotted a new spam campaign likely propagated by the Zeus botnet. The initial burst of spam was very short in duration and it’s possible this was intended to help hide the campaign, since it appears to be targeted towards users of a Trusteer pr…

Update 2 5/9/2013: Microsoft has released a “Microsoft fix it” as a temporary mitigation for this issue on systems which require IE8. At this time, multiple sites have been observed hosting pages which exploit this vulnerability. Users of IE8 who cannot update to IE9+ are urged to apply…

Prologue On April 10, 2013, a collective of politically motivated hacktivists announced a round of planned attacks called #OPUSA. These attacks, slated to begin May 7, 2013, are to be launched against U.S.-based targets. #OPUSA is a follow-up to #OPISRAEL, which were a series of attacks carried out…

Often it is quite surprising how long old, well-known vulnerabilities continue to be exploited. Recently, a friend sent me an example of a malicious script used in an attempted attack against their server: The script attempted to exploit the Horde/IMP Plesk Webmail Exploit in vulnerable versions of…

At 10:30 UTC one of the botnet spam campaigns we discussed yesterday took a shift to focus on the recent explosion in Texas. The miscreants responded to the tragic events in Texas almost immediately. The volume of the attack is similar to what we witnessed yesterday with the maximum volume peaking a…

Summary On April 16th at 11:00pm GMT, the first of two botnets began a massive spam campaign to take advantage of the recent Boston tragedy. The spam messages claim to contain news concerning the Boston Marathon bombing. The spam messages contain a link to a site that claims to have videos of explos…