
SANS ISC InfoSec Handlers Diary Blog



The economics of security advice (MSFT research paper)

Published: 2009-12-04
Last Updated: 2009-12-04 20:35:41 UTC
by Daniel Wesemann (Version: 1)
0 comment(s)

A new research paper by Microsoft examines the economics of "security advice" and how users react to password rules, phishing URLs and certificate errors. Its conclusion on password rules is similar to the one that we discussed here in the SANS ISC diary a couple of weeks ago.

Keywords: passwords phishing

Max Power's Malware Paradise

Published: 2009-12-04
Last Updated: 2009-12-04 19:46:31 UTC
by Daniel Wesemann (Version: 1)
4 comment(s)

Who is Max Power? Well, we don't know either. It's a pseudonym for a gang or an individual running a decent-sized spyware racket. Max has been sitting on the same IP address, 210.51.166.119, for the past three months, in AS9929 (ChinaNet). Even Google knows that 10% of the sites in this AS are malicious.

Looking at the IP address in reverse DNS or on MalwareURL.com, we can see the many malware domains "Max Power" has been using in the recent past. Some of the names are associated with the Koobface and Zeus malware families. The address lay dormant for the last week of November, but woke up again yesterday morning, and is currently serving the malware domain "tempa3-dot-cn". This domain is at the moment linked from various questionable "pharmaceuticals" web sites, and it currently pushes a bunch of exploits which, if successful, download and run a backdoor of the "TDSS"/"Tidserv" family. Detection was dismal at first, but has improved a bit over the last 24 hours.


Keywords: malware
Seems that Bing has come back up. Thank you all.