Channel: 360 Netlab Blog - Network Security Research Lab at 360
Browsing all 163 articles


Mozi, Another Botnet Using DHT

Overview: On September 03, 2019, a suspicious file was tagged by our new threat monitoring system, and a quick check on VT showed that most engines flagged it as Gafgyt. The sample does reuse part of the...


Multiple botnets are spreading using LILIN DVR 0-day

Authors: Yanlong Ma, Lingming Tu, Genshen Ye, Hongda Liu. When we talk about DDoS botnets, we tend to think of the typical scenario: mediocre, code-borrowing scripts targeting old vulnerabilities. But things...


Analysis Report on a LILIN DVR 0-day Exploited in the Wild

Authors: Yanlong Ma, Lingming Tu, Genshen Ye, Hongda Liu. When we study botnets, what we usually see is attackers implanting bot programs through N-day vulnerabilities. Gradually, however, we are seeing a new trend: some attackers are making more use of 0-day vulnerabilities to launch attacks, and their exploitation techniques are becoming more mature. We hope the security community will pay attention to this phenomenon and cooperate actively to jointly counter the threat of 0-day attacks. Background...


Icnanker, a Trojan Downloader Using SHC

Background: On August 15, 2019, the 360Netlab malicious traffic detection system discovered an unknown ELF sample (5790dedae465994d179c63782e51bac1) spreading via SSH that generated network traffic associated with the Elknot botnet. Analysis showed that it uses "SHC (Shell script...


Icnanker, a Linux Trojan-Downloader Protected by SHC

Background: On August 15, 2019, the 360Netlab Threat Detection System flagged an unknown ELF sample (5790dedae465994d179c63782e51bac1) that generated Elknot-botnet-related network traffic. We manually took...


An Analysis of HTTPS Certificate Problems on Some Websites

[Updated 20200328 17:00] Data updated through 20200328...


Analysis Report on 0-day Vulnerabilities in DrayTek Vigor Enterprise Routers and Switches Exploited in the Wild

Authors: Yanlong Ma, Genshen Ye, Hongda Liu. Background: Since December 4, 2019, the 360Netlab unknown threat detection system has continuously observed two attack groups using 0-day vulnerabilities in DrayTek Vigor enterprise routers and switches to eavesdrop on device network traffic, enable the SSH service and create system backdoor accounts, create web session backdoors, and carry out other malicious actions. On December 25, 2019, we disclosed on Twitter[1][2] that DrayTek...


Two zero days are Targeting DrayTek Broadband CPE Devices

Authors: Yanlong Ma, Genshen Ye, Hongda Liu. Background: Since December 4, 2019, the 360Netlab Threat Detection System has observed two different attack groups using two 0-day vulnerabilities in DrayTek[1]...


DDG's New Journey: A Self-Developed P2P Protocol Builds a Hybrid P2P Network

1. Overview: DDG Mining Botnet is a long-active mining botnet whose main source of profit is mining XMR. Since November 2019, our botnet tracking system has observed DDG Mining Botnet updating frequently; its version numbers and the corresponding update times are shown in the figure below (figure: DDG Version Timeline). Among these, the main change in versions v4005 through v4011 concerns the HubList, which was previously hard-coded into the samples in hex form...


DDG botnet, round X, is there an ending?

DDG is a mining botnet that we first blogged about in January 2018. We reported back then that it had made a profit of somewhere between 5.8 million and 9.8 million RMB (about 820,000 to 1.4 million US dollars),...


Multiple fiber routers are being compromised by botnets using 0-day

Authors: Yanlong Ma, Genshen Ye, Lingming Tu, Ye Jin. This is the third article in our IoT 0-day series. In the past 30 days we have already blogged about two groups targeting a DrayTek CPE 0-day here [1], and Fbot...


Brief Report on 0-day Vulnerabilities in Multiple Fiber Router Devices Exploited in the Wild

Authors: Yanlong Ma, Genshen Ye, Lingming Tu, Ye Jin. Overview: This is our third IoT 0-day article in the past 30 days; we previously disclosed the analysis report on the DrayTek router 0-day exploited in the wild [1] and the analysis report on the LILIN DVR 0-day exploited in the wild [2]. We have observed botnets competing with each other to gain more bots, and some of them possess 0-day vulnerability resources, which makes them stand out. We are studying and observing IoT...


LeetHozer Botnet Analysis Report

Background: On March 26, 2020, we captured a suspicious sample, 11c1be44041a8e8ba05be9df336f9231. Most antivirus engines identified it as Mirai, but its network traffic did not match Mirai's characteristics, which caught our attention. Analysis showed that it is a bot program that reuses Mirai's Reporter and Loader mechanisms but redesigns the encryption method and the C2 communication protocol....


The LeetHozer botnet

Background: On March 26, 2020, we captured a suspicious sample, 11c1be44041a8e8ba05be9df336f9231. Although the samples have the word mirai in their names and most antivirus engines identified it as Mirai,...


New Activity of the DoubleGuns Group: Managing Hundreds of Thousands of Bots via Cloud Services

Authors: jinye, JiaYu, suqitian, and THL, a researcher in the Core Security Department. Overview: Recently, our domain anomaly monitoring system DNSMon caught anomalous activity on the domain pro.csocools.com. Based on our data coverage, we estimate the scale of infection exceeds 100k. Through the alerting domain we correlated a batch of samples and...


New activity of DoubleGuns Group, control hundreds of thousands of bots via...

Overview: Recently, our DNS-data-based threat monitoring system DNSMon flagged a suspicious domain, pro.csocools.com. The system estimates the scale of infection may well be above hundreds of thousands of...


Looking at NTP Pool Server Usage from a DNS Perspective

With the rapid development of the Internet, it has reached into every aspect of daily life, and more and more practitioners in the industry have gained a deep appreciation of the importance of network infrastructure. When infrastructure comes up, the DNS protocol is usually what gets discussed, but there is another key protocol, NTP (Network Time...


Look at NTP pool using DNS data

With the rapid development of the Internet, more and more people have realized the importance of network infrastructure. We don't hear people talk about NTP (Network Time Protocol) much...


The Gafgyt variant vbot seen in its 31 campaigns

Overview: Gafgyt botnets have a long history of infecting Linux devices to launch DDoS attacks. While dozens of variants have been detected, new variants are constantly emerging with changes in terms of...


Botnets We Have Chased Over the Years: Moobot

Overview: Moobot is a botnet developed on the basis of Mirai. We first discovered its activity in July 2019; we have an earlier article about Moobot that interested readers can consult [0]. We began tracking it in August 2019, and in the nearly a year since then its sample updates, DDoS attacks and other activities have never stopped. It recently took part in a major DDoS attack that we are not in a position to disclose, which once again drew our attention. So we decided to dig into its past and present. Sample propagation...
