Diaries by Keyword - SANS Internet Storm Center

Watch ISC TV. Great for NOCs, SOCs and Living Rooms: https://isctv.sans.edu

Handler on Duty: Jesse La Grew

Threat Level: green

Date	Author	Title
SKYPE IM BOT
2010-03-11	donald smith	Cert write up on Skype IMBot Logic and Functionality.
SKYPE
2014-01-01/a>	Russ McRee	Happy New Year from the Syrian Electronic Army - Skypeâ€™s Social Media Accounts Hacked
2012-11-14/a>	Jim Clausing	Skype account hijack vulnerability fixed
2011-05-31/a>	Johannes Ullrich	Skype EasyBits Add-on
2011-05-06/a>	Richard Porter	Unpatched Exploit: Skype for MAC
2010-12-30/a>	Rick Wanner	Obvious Lessons from the Skype outage
2010-03-11/a>	donald smith	Cert write up on Skype IMBot Logic and Functionality.
2008-04-23/a>	Mari Nichols	What's New, Old and Morphing?
2006-12-18/a>	Toby Kohlenberg	Skype worm
IM
2023-10-09/a>	Didier Stevens	ZIP's DOSTIME & DOSDATE Formats
2023-07-07/a>	Xavier Mertens	DSSuite (Didier's Toolbox) Docker Image Update
2023-05-30/a>	Brad Duncan	Malspam pushes ModiLoader (DBatLoader) infection for Remcos RAT
2023-02-28/a>	Brad Duncan	BB17 distribution Qakbot (Qbot) activity
2022-12-30/a>	Jan Kopriva	SPF and DMARC use on GOV domains in different ccTLDs
2022-12-20/a>	Xavier Mertens	Linux File System Monitoring & Actions
2022-10-24/a>	Xavier Mertens	C2 Communications Through outlook.com
2022-06-26/a>	Didier Stevens	More Decoding Analysis
2022-04-07/a>	Johannes Ullrich	What is BIMI and how is it supposed to help with Phishing.
2022-03-04/a>	Johannes Ullrich	Scam E-Mail Impersonating Red Cross
2022-02-05/a>	Didier Stevens	Power over Ethernet and Thermal Imaging
2022-01-29/a>	Guy Bruneau	SIEM In this Decade, Are They Better than the Last?
2021-12-23/a>	Johannes Ullrich	Defending Cloud IMDS Against log4shell (and more)
2021-12-16/a>	Brad Duncan	How the "Contact Forms" campaign tricks people
2021-11-04/a>	Tom Webb	Xmount for Disk Images
2021-10-21/a>	Brad Duncan	"Stolen Images Evidence" campaign pushes Sliver-based malware
2021-06-26/a>	Guy Bruneau	CVE-2019-9670: Zimbra Collaboration Suite XXE vulnerability
2021-04-22/a>	Xavier Mertens	How Safe Are Your Docker Images?
2021-03-02/a>	Russ McRee	Adversary Simulation with Sim
2020-10-07/a>	Johannes Ullrich	Today, Nobody is Going to Attack You.
2020-08-12/a>	Russ McRee	To the Brim at the Gates of Mordor Pt. 1
2020-04-30/a>	Xavier Mertens	Collecting IOCs from IMAP Folder
2019-12-12/a>	Xavier Mertens	Code & Data Reuse in the Malware Ecosystem
2019-11-02/a>	Didier Stevens	Remark on EML Attachments
2019-10-30/a>	Xavier Mertens	Keep an Eye on Remote Access to Mailboxes
2019-08-22/a>	Xavier Mertens	Simple Mimikatz & RDPWrapper Dropper
2019-05-01/a>	Xavier Mertens	Another Day, Another Suspicious UDF File
2019-04-17/a>	Xavier Mertens	Malware Sample Delivered Through UDF Image
2019-02-05/a>	Rob VandenBrink	Mitigations against Mimikatz Style Attacks
2019-01-09/a>	Russ McRee	gganimate: Animate YouR Security Analysis
2018-10-31/a>	Brad Duncan	More malspam using password-protected Word docs
2018-06-27/a>	Renato Marinho	Silently Profiling Unknown Malware Samples
2018-05-16/a>	Mark Hofman	EFAIL, a weakness in openPGP and S\MIME
2017-11-25/a>	Guy Bruneau	Exim Remote Code Exploit
2017-09-19/a>	Jim Clausing	New tool: mac-robber.py
2017-07-12/a>	Xavier Mertens	Backup Scripts, the FIM of the Poor
2017-06-28/a>	Brad Duncan	Catching up with Blank Slate: a malspam campaign still going strong
2017-06-17/a>	Guy Bruneau	Mapping Use Cases to Logs. Which Logs are the Most Important to Collect?
2017-05-10/a>	Johannes Ullrich	Read This If You Are Using a Script to Pull Data From This Site
2017-05-03/a>	Bojan Zdrnja	Powershelling with exploits
2017-04-28/a>	Russell Eubanks	KNOW before NO
2017-03-25/a>	Russell Eubanks	Distraction as a Service
2017-03-11/a>	Russell Eubanks	What's On Your Not To Do List?
2017-01-24/a>	Xavier Mertens	Malicious SVG Files in the Wild
2016-12-11/a>	Russ McRee	Steganography in Action: Image Steganography & StegExpose
2016-11-20/a>	Pasquale Stirparo	How many “Epoch” times? Epocalypse.py timestamp converter
2016-11-13/a>	Guy Bruneau	Bitcoin Miner File Upload via FTP
2016-09-10/a>	Xavier Mertens	Ongoing IMAP Scan, Anyone Else?
2016-05-14/a>	Guy Bruneau	INetSim as a Basic Honeypot
2016-03-30/a>	Xavier Mertens	What to watch with your FIM?
2016-01-24/a>	Didier Stevens	Obfuscated MIME Files
2016-01-05/a>	Guy Bruneau	What are you Concerned the Most in 2016?
2015-12-14/a>	Russ McRee	AD Security's Unofficial Guide to Mimikatz & Command Reference
2015-05-15/a>	Didier Stevens	Another Maldoc? I'm Afraid So...
2015-05-09/a>	Didier Stevens	Malicious Word Document: This Time The Maldoc Is A MIME File
2015-02-10/a>	Mark Baggett	Detecting Mimikatz Use On Your Network
2014-01-24/a>	Johannes Ullrich	How to send mass e-mail the right way
2013-11-05/a>	Daniel Wesemann	TIFF images in MS-Office documents used in targeted attacks
2013-08-14/a>	Johannes Ullrich	Imaging LUKS Encrypted Drives
2013-05-22/a>	Adrien de Beaupre	Apple QuickTime 7.7.4 for Windows updated, MANY security vulnerabilities: http://support.apple.com/kb/HT1222
2013-04-25/a>	Adam Swanger	Guest Diary: Dylan Johnson - A week in the life of some Perimeter Firewalls
2013-02-06/a>	Johannes Ullrich	Are you losing system logging information (and don't know it)?
2012-12-22/a>	Guy Bruneau	New Poll - Which of the following issues impacted the most your business in 2012? - https://isc.sans.edu/poll.html
2012-06-22/a>	Kevin Liston	Investigator's Tool-kit: Timeline
2012-06-15/a>	Johannes Ullrich	Authenticating E-Mail
2012-02-07/a>	Johannes Ullrich	Secure E-Mail Access
2011-11-11/a>	Rick Wanner	APPLE-SA-2011-11-10-2 Time Capsule and AirPort Base Station (802.11n) Firmware 7.6 update
2011-08-04/a>	Jim Clausing	Apple release Quicktime 7.7 fixes 14 CVEs, see http://support.apple.com/kb/HT1222
2011-08-03/a>	Johannes Ullrich	Malicious Images: What's a QR Code
2011-05-14/a>	Guy Bruneau	Websense Study Claims Canada Next Hotbed for Cybercrime Web Hosting Activity
2011-05-06/a>	Richard Porter	Unpatched Exploit: Skype for MAC
2011-04-23/a>	Manuel Humberto Santander Pelaez	Image search can lead to malware download
2010-12-17/a>	Johannes Ullrich	Reports of Attacks against EXIM vulnerability
2010-12-12/a>	Raul Siles	Apple Quickime 7.6.9 was released a few days ago (just in case you missed it): http://support.apple.com/kb/HT1222. Update all your web browser plugins!
2010-12-10/a>	Mark Hofman	EXIM MTA vulnerability
2010-11-08/a>	Manuel Humberto Santander Pelaez	Network Security Perimeter: How to choose the correct firewall and IPS for your environment?
2010-11-07/a>	Adrien de Beaupre	Change your clocks?
2010-09-25/a>	Rick Wanner	Guest Diary: Andrew Hunt - Visualizing the Hosting Patterns of Modern Cybercriminals
2010-08-30/a>	Adrien de Beaupre	Apple QuickTime potential vulnerability/backdoor
2010-08-22/a>	Manuel Humberto Santander Pelaez	SCADA: A big challenge for information security professionals
2010-08-14/a>	Tony Carothers	Freedom of Information
2010-08-13/a>	Guy Bruneau	QuickTime Security Updates
2010-04-02/a>	Guy Bruneau	Apple QuickTime and iTunes Security Update
2010-03-23/a>	John Bambenek	The Top 10 Riskiest US Cities for Cybercrime
2010-03-11/a>	donald smith	Cert write up on Skype IMBot Logic and Functionality.
2010-01-17/a>	Rick Wanner	Buffer overflow in Quicktime
2009-11-05/a>	Swa Frantzen	RIM fixes random code execution vulnerability
2009-09-12/a>	Jim Clausing	Apple Updates
2009-09-04/a>	Adrien de Beaupre	Fake anti-virus
2009-07-11/a>	Marcus Sachs	Imageshack
2009-06-02/a>	Deborah Hale	Another Quicktime Update
2009-02-14/a>	Deborah Hale	Microsoft Time Sync Appears to Down
2009-02-06/a>	Adrien de Beaupre	Fake stimulus payments
2008-11-02/a>	Adrien de Beaupre	Daylight saving time
2008-09-09/a>	Swa Frantzen	Apple updates iTunes+QuickTime
2008-07-15/a>	Maarten Van Horenbeeck	BlackBerry PDF parsing vulnerability
2008-07-15/a>	Maarten Van Horenbeeck	Bot controller mimicry
2008-06-10/a>	Swa Frantzen	Upgrade to QuickTime 7.5
2008-04-22/a>	donald smith	Maximus root kit downloads via MySpace social engineering trick.
2008-04-03/a>	Bojan Zdrnja	A bag of vulnerabilities (and fixes) in QuickTime
2006-12-18/a>	Toby Kohlenberg	Skype worm
2006-09-12/a>	Swa Frantzen	Apple Quicktime 7.1.3 released
BOT
2024-02-18/a>	Guy Bruneau	Mirai-Mirai On The Wall... [Guest Diary]
2024-01-07/a>	Guy Bruneau	Suspicious Prometei Botnet Activity
2023-12-27/a>	Guy Bruneau	Unveiling the Mirai: Insights into Recent DShield Honeypot Activity [Guest Diary]
2023-11-27/a>	Guy Bruneau	Decoding the Patterns: Analyzing DShield Honeypot Activity [Guest Diary]
2023-11-22/a>	Guy Bruneau	CVE-2023-1389: A New Means to Expand Botnets
2023-11-09/a>	Guy Bruneau	Routers Targeted for Gafgyt Botnet [Guest Diary]
2023-06-22/a>	Brad Duncan	Qakbot (Qbot) activity, obama271 distribution tag
2023-04-12/a>	Brad Duncan	Recent IcedID (Bokbot) activity
2023-03-11/a>	Xavier Mertens	Overview of a Mirai Payload Generator
2023-02-28/a>	Brad Duncan	BB17 distribution Qakbot (Qbot) activity
2023-02-24/a>	Brad Duncan	URL files and WebDAV used for IcedID (Bokbot) infection
2022-12-02/a>	Brad Duncan	obama224 distribution Qakbot tries .vhd (virtual hard disk) images
2022-11-02/a>	Brad Duncan	Who put the "Dark" in DarkVNC?
2022-10-16/a>	Didier Stevens	Video: Analysis of a Malicious HTML File (QBot)
2022-10-13/a>	Didier Stevens	Analysis of a Malicious HTML File (QBot)
2022-08-24/a>	Brad Duncan	Monster Libra (TA551/Shathak) --> IcedID (Bokbot) --> Cobalt Strike & DarkVNC
2022-08-12/a>	Brad Duncan	Monster Libra (TA551/Shathak) pushes IcedID (Bokbot) with Dark VNC and Cobalt Strike
2022-07-27/a>	Brad Duncan	IcedID (Bokbot) with Dark VNC and Cobalt Strike
2022-06-30/a>	Brad Duncan	Case Study: Cobalt Strike Server Lives on After Its Domain Is Suspended
2022-06-09/a>	Brad Duncan	TA570 Qakbot (Qbot) tries CVE-2022-30190 (Follina) exploit (ms-msdt)
2022-04-20/a>	Brad Duncan	"aa" distribution Qakbot (Qbot) infection with DarkVNC traffic
2022-03-25/a>	Xavier Mertens	XLSB Files: Because Binary is Stealthier Than XML
2022-03-16/a>	Brad Duncan	Qakbot infection with Cobalt Strike and VNC activity
2022-02-15/a>	Xavier Mertens	Who Are Those Bots?
2022-02-09/a>	Brad Duncan	Example of Cobalt Strike from Emotet infection
2022-01-25/a>	Brad Duncan	Emotet Stops Using 0.0.0.0 in Spambot Traffic
2022-01-07/a>	Xavier Mertens	Custom Python RAT Builder
2021-12-22/a>	Brad Duncan	December 2021 Forensic Contest: Answers and Analysis
2021-12-16/a>	Brad Duncan	How the "Contact Forms" campaign tricks people
2021-12-02/a>	Brad Duncan	TA551 (Shathak) pushes IcedID (Bokbot)
2021-11-26/a>	Guy Bruneau	Searching for Exposed ASUS Routers Vulnerable to CVE-2021-20090
2021-11-16/a>	Brad Duncan	Emotet Returns
2021-11-04/a>	Brad Duncan	October 2021 Forensic Contest: Answers and Analysis
2021-10-04/a>	Johannes Ullrich	Boutique "Dark" Botnet Hunting for Crumbs
2021-09-23/a>	Xavier Mertens	Excel Recipe: Some VBA Code with a Touch of Excel4 Macro
2021-08-13/a>	Brad Duncan	Example of Danabot distributed through malspam
2021-07-24/a>	Xavier Mertens	Agent.Tesla Dropped via a .daa Image and Talking to Telegram
2021-06-30/a>	Brad Duncan	June 2021 Forensic Contest: Answers and Analysis
2021-06-24/a>	Xavier Mertens	Do you Like Cookies? Some are for sale!
2021-04-15/a>	Johannes Ullrich	Why and How You Should be Using an Internal Certificate Authority
2021-04-06/a>	Jan Kopriva	Malspam with Lokibot vs. Outlook and RFCs
2021-03-03/a>	Brad Duncan	Qakbot infection with Cobalt Strike
2021-02-23/a>	Jan Kopriva	Qakbot in a response to Full Disclosure post
2021-02-17/a>	Brad Duncan	Malspam pushing Trickbot gtag rob13
2021-01-26/a>	Brad Duncan	TA551 (Shathak) Word docs push Qakbot (Qbot)
2021-01-20/a>	Brad Duncan	Qakbot activity resumes after holiday break
2020-12-09/a>	Brad Duncan	Recent Qakbot (Qbot) activity
2020-11-03/a>	Brad Duncan	Emotet -> Qakbot -> more Emotet
2020-10-20/a>	Xavier Mertens	Mirai-alike Python Scanner
2020-10-14/a>	Brad Duncan	More TA551 (Shathak) Word docs push IcedID (Bokbot)
2020-08-19/a>	Xavier Mertens	Example of Word Document Delivering Qakbot
2020-08-03/a>	Xavier Mertens	Powershell Bot with Multiple C2 Protocols
2020-08-01/a>	Jan Kopriva	What pages do bad bots look for?
2020-07-15/a>	Brad Duncan	Word docs with macros for IcedID (Bokbot)
2020-06-13/a>	Guy Bruneau	Mirai Botnet Activity
2020-05-20/a>	Brad Duncan	Microsoft Word document with malicious macro pushes IcedID (Bokbot)
2020-04-01/a>	Brad Duncan	Qakbot malspam sent from an infected Windows host
2020-03-21/a>	Guy Bruneau	Honeypot - Scanning and Targeting Devices & Services
2020-03-18/a>	Brad Duncan	Trickbot gtag red5 distributed as a DLL file
2020-01-28/a>	Brad Duncan	Emotet epoch 1 infection with Trickbot gtag mor84
2019-12-24/a>	Brad Duncan	Malspam with links to Word docs pushes IcedID (Bokbot)
2019-12-18/a>	Brad Duncan	Emotet infection with spambot activity
2019-12-11/a>	Brad Duncan	German language malspam pushes yet another wave of Trickbot
2019-11-13/a>	Brad Duncan	An example of malspam pushing Lokibot malware, November 2019
2019-10-30/a>	Xavier Mertens	Keep an Eye on Remote Access to Mailboxes
2019-09-18/a>	Brad Duncan	Emotet malspam is back
2019-09-03/a>	Johannes Ullrich	[Guest Diary] Tricky LNK points to TrickBot
2019-08-14/a>	Brad Duncan	Recent example of MedusaHTTP malware
2019-08-08/a>	Johannes Ullrich	[Guest Diary] The good, the bad and the non-functional, or "how not to do an attack campaign"
2019-07-26/a>	Kevin Shortt	DVRIP Port 34567 - Uptick
2019-03-13/a>	Brad Duncan	Malspam pushes Emotet with Qakbot as the follow-up malware
2019-03-06/a>	Brad Duncan	Malspam with password-protected word docs still pushing IcedID (Bokbot) with Trickbot
2019-02-14/a>	Xavier Mertens	Old H-Worm Delivered Through GitHub
2019-01-16/a>	Brad Duncan	Emotet infections and follow-up malware
2019-01-10/a>	Brad Duncan	Heartbreaking Emails: "Love You" Malspam
2018-12-23/a>	Guy Bruneau	Scanning Activity, end Goal is to add Hosts to Mirai Botnet
2018-12-18/a>	Brad Duncan	Malspam links to password-protected Word docs that push IcedID (Bokbot)
2018-12-05/a>	Brad Duncan	Campaign evolution: Hancitor changes its Word macros
2018-12-04/a>	Brad Duncan	Malspam pushing Lokibot malware
2018-11-14/a>	Brad Duncan	Day in the life of a researcher: Finding a wave of Trickbot malspam
2018-09-26/a>	Brad Duncan	One Emotet infection leads to three follow-up malware infections
2018-05-09/a>	Xavier Mertens	Nice Phishing Sample Delivering Trickbot
2018-03-08/a>	Xavier Mertens	CRIMEB4NK IRC Bot
2017-10-19/a>	Brad Duncan	HSBC-themed malspam uses ISO attachments to push Loki Bot malware
2017-08-15/a>	Brad Duncan	Malspam pushing Trickbot banking Trojan
2017-07-19/a>	Xavier Mertens	Bots Searching for Keys & Config Files
2017-05-08/a>	Renato Marinho	Exploring a P2P Transient Botnet - From Discovery to Enumeration
2016-12-31/a>	Xavier Mertens	Ongoing Scans Below the Radar
2016-12-07/a>	Xavier Mertens	The Passwords You Should Never Use
2016-09-10/a>	Xavier Mertens	Ongoing IMAP Scan, Anyone Else?
2016-07-27/a>	Xavier Mertens	Analyze of a Linux botnet client source code
2015-02-06/a>	Johannes Ullrich	Anthem, TurboTax and How Things "Fit Together" Sometimes
2014-10-09/a>	Johannes Ullrich	CSAM: My servers started speaking IRC, and that is when I started to listen!
2014-08-16/a>	Lenny Zeltser	Web Server Attack Investigation - Installing a Bot and Reverse Shell via a PHP Vulnerability
2014-01-16/a>	Kevin Shortt	Port 4028 - Interesting Activity
2013-12-07/a>	Guy Bruneau	Suspected Active Rovnix Botnet Controller
2013-10-26/a>	Guy Bruneau	Active Perl/Shellbot Trojan
2013-08-11/a>	Bojan Zdrnja	XATattacks (attacks on xat.com)
2012-10-26/a>	Russ McRee	Cyber Security Awareness Month - Day 26 - Attackers use trusted domain to propagate Citadel Zeus variant
2011-08-04/a>	Johannes Ullrich	IRC traffic on non standard ports
2011-05-14/a>	Guy Bruneau	Websense Study Claims Canada Next Hotbed for Cybercrime Web Hosting Activity
2011-02-28/a>	Deborah Hale	Possible Botnet Scanning
2011-01-11/a>	Kevin Shortt	Spam Cannons on Holiday
2010-11-18/a>	Chris Carboni	All of your pages are belonging to us
2010-11-05/a>	Adrien de Beaupre	Bot honeypot
2010-08-19/a>	Daniel Wesemann	Casper the unfriendly ghost
2010-07-29/a>	Rob VandenBrink	FBI, Slovenian and Spanish Police announce more arrests of Mariposa Botnet Creator, Operators
2010-06-14/a>	Manuel Humberto Santander Pelaez	New way of social engineering on IRC
2010-05-07/a>	Johannes Ullrich	Stock market "wipe out" may be due to computer error
2010-05-02/a>	Mari Nichols	Zbot Social Engineering
2010-04-23/a>	Adrien de Beaupre	Shadowserver botnet rules
2010-03-25/a>	Kevin Liston	Zeus wants to do your taxes
2010-03-11/a>	donald smith	Cert write up on Skype IMBot Logic and Functionality.
2010-02-02/a>	Johannes Ullrich	Pushdo Update
2010-01-25/a>	William Salusky	"Bots and Spiders and Crawlers, be gone!" - or - "New Open Source WebAppSec tools, Huzzah!"
2009-12-21/a>	Marcus Sachs	iPhone Botnet Analysis
2009-11-13/a>	Deborah Hale	Pushdo/Cutwail Spambot - A Little Known BIG Problem
2009-11-08/a>	Kevin Liston	FireEye takes on Ozdok and Recovery Ideas
2009-10-10/a>	Tony Carothers	User Notification for Possible Infected Systems
2009-09-16/a>	Raul Siles	IETF Draft for Remediation of Bots in ISP Networks
2009-05-07/a>	Deborah Hale	Botnet hijacking reveals 70GB of stolen data
2008-11-05/a>	donald smith	Bot net hunters get an improved tool from SRI bothunters
2008-09-09/a>	Swa Frantzen	The complaint that's an attack
2008-09-01/a>	John Bambenek	The Number of Machines Controlled by Botnets Has Jumped 4x in Last 3 Months
2008-07-19/a>	William Salusky	A twist in fluxnet operations. Enter Hydraflux
2008-07-15/a>	Maarten Van Horenbeeck	Bot controller mimicry
2008-04-07/a>	John Bambenek	Got Kraken?
2008-04-07/a>	John Bambenek	Kraken Technical Details: UPDATED x3
2006-08-31/a>	Swa Frantzen	NT botnet submitted
2006-08-31/a>	Joel Esler	MS06-040 Worm

SKYPE IM BOT

SKYPE

IM

BOT