Saturday, June 28, 2014

Cyber Attacks - Visualisation

  • DDoS attacks - by Google

  • Live botnet map - by AnubisNetworks

  • Live honeypots map - by Honeynet Project

  • Security Tachometer - by sicherheitstacho

  • Attackers map - by Beenu Arora

    Friday, April 25, 2014

    Crypto Defense Ransomware and Open Source Intelligence


    You might have heard about the Crypto Defense ransomware family - if not, please refer to this.

    This morning I gave it a shot with the (development version) Hook Analyser 3.1, and passed the keyword "Crypto Defense" to understand the correlation of malware variants' behaviors.

    Following are the results* -

    Legend - 

    • Blue dot - keyword (Crypto Defense)
    • Red dot - malware sample or hash
    • Black dot - IP address where malware sample or hash communicates to


    1. Apparently, many "unique" variants of malware samples (of the Crypto Defense family) have been released - which could indicate that this ransomware is gaining attention or is actively being used by cyber criminals.
    2. The imphashes of the malware variants are different - which indicates that the malware samples might have been compiled by different threat actors / compilers.
    3. Certain variants share similar IOCs - in terms of the IP addresses they communicate with.
    4. The Tor network is being leveraged by cyber criminals with this malware family - for payment / decryption process related purposes.
    5. Certain malware variants have been seen since 2009. However, the majority of them are being seen in 2013.
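The sample-to-IP correlation described in the legend and in points 2 and 3 can be reproduced on any IOC export. The following is an added example, not Hook Analyser code: the sample labels, imphash placeholders and documentation-range IP addresses are constructed, and it goes slightly beyond the post by also pivoting on shared imphash values.

```python
from collections import defaultdict

# Constructed sample records (not real Crypto Defense data): sample label,
# import-hash placeholder, and contacted IPs from documentation ranges.
SAMPLES = [
    {"id": "sample-A", "imphash": "imphash-1", "ips": {"192.0.2.10", "198.51.100.7"}},
    {"id": "sample-B", "imphash": "imphash-2", "ips": {"198.51.100.7"}},
    {"id": "sample-C", "imphash": "imphash-2", "ips": {"203.0.113.5"}},
    {"id": "sample-D", "imphash": "imphash-3", "ips": {"203.0.113.5", "203.0.113.9"}},
    {"id": "sample-E", "imphash": "imphash-4", "ips": set()},
]

def shared_ips(samples):
    """Return {ip: sorted sample ids} for IPs contacted by more than one sample."""
    by_ip = defaultdict(set)
    for s in samples:
        for ip in s["ips"]:
            by_ip[ip].add(s["id"])
    return {ip: sorted(ids) for ip, ids in by_ip.items() if len(ids) > 1}

def clusters(samples):
    """Group samples linked by a shared IP or a shared imphash (union-find)."""
    parent = {s["id"]: s["id"] for s in samples}

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path halving
            x = parent[x]
        return x

    first_seen = {}  # pivot (kind, value) -> first sample that carried it
    for s in samples:
        for pivot in [("imphash", s["imphash"])] + [("ip", ip) for ip in s["ips"]]:
            if pivot in first_seen:
                parent[find(s["id"])] = find(first_seen[pivot])
            else:
                first_seen[pivot] = s["id"]
    groups = defaultdict(list)
    for s in samples:
        groups[find(s["id"])].append(s["id"])
    return sorted(sorted(g) for g in groups.values())

if __name__ == "__main__":
    print(shared_ips(SAMPLES))
    print(clusters(SAMPLES))
```

Samples A and D end up in one cluster even though they share no indicator directly: the link runs through B (shared IP) and C (shared imphash, then shared IP), which is the kind of indirect relationship the graph view makes visible.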

    Indicators of Compromise (IOCs) for Crypto Defense - To help the security community and incident responders, I have uploaded the malware variants' indicators of compromise (XML format).

    *Please be advised that the results are based on information available on the Internet and there is a probability that it may not be accurate and complete. I'd recommend performing validation.

    Saturday, March 22, 2014

    Attacks on different versions of Internet Explorer (IE)

    I had an interesting case study recently where I was trying to determine unique vulnerabilities (with CVE reference) in different versions of IE targeted or exploited by attackers or malware.

    To achieve this task, Hook Analyser 3.1 (in development stage) turned out to be quite handy. I was able to identify different CVEs used/targeted by malware or exploited in the wild.

    In the case study, I took IE9, IE10 and IE11.

    I noticed that IE10 or above are less targeted compared to IE9.

    This can be due to enhanced security features on IE10 or above such as memory ASLR.

    Tuesday, February 18, 2014

    Preview (Part 2)- Cyber Intelligence Module - Hook Analyser Project


    Thought of sharing some initial thoughts and work I managed to do (during free time / weekends) on Cyber Intelligence. As you might be aware, with the release of Hook Analyser 3.0 (released last year), Cyber Intelligence has become one of the key focus areas - which can be used to provide Strategic and Tactical directions related to Cyber threats to an organisation.

    The following screenshots are taken from the "development" version of Hook Analyser 3.1 -

    Homepage -

    Menu 1 (option 1): Threat landscape - by country - This module will ingest "user-specified" external (or Internet facing) IP addresses from internal / external URLs and map them back to countries. This has the potential to surface Cyber risks and to put controls on the strategic roadmap - e.g. enforcing a stringent policy at DLP, travel to high-risk countries.

    Menu 1 (option 2): Threat landscape - by geography - This module will ingest external (or Internet facing) IP addresses from internal / external URLs and map them back to an exact location. This option complements the above - in case an organisation has multiple offices in a geography, they could zoom in and consider controls for a specific location.

    Menu 1 (option 3): Vulnerability feeds - This module will ingest "user-specified" external (or Internet facing) RSS feeds and generate a table. At the moment, the table is more useful on the tactical side (e.g. a new 0-day got released) than the strategic side (e.g. which software or vendors have more issues, timelines, etc.).

    Menu 1 (option 4): Top 50 suspicious IPs - This module will reach out to websites (e.g. Stopbadware) and pull information about known blacklisted IPs, along with a rationale - e.g. the number of malware URLs (along with ASN and owner detail) associated with an IP.

    Menu 1 (option 5): Suspicious ASN - This module will reach out to websites (e.g. Stopbadware) and pull information about ASNs associated with malware related activities. The representation is then performed via a bubble chart. For reference, a larger bubble means that the ratio of the number of malware URLs to the number of IPs on that ASN is high!

    Menu 1 (option 6): Malware intelligence - This module will reach out to public sources to gather information about certain keywords and generate a "motion timeline" of malware associated with the keywords.

    Menu 2 (option 1): Keyword based malware intelligence - This module will reach out to public sources to gather information about "user-specified" keywords linked to malware samples.

    Menu 2 (option 2): Keyword based search intelligence - This module will reach out to Google to extract websites (and IPs) hosting information about the user-specified keyword, and map them back to geo-location. This module could be useful if an organisation wants to keep a closer watch on phishing websites targeting their customers.

    Menu 3 - which is not added to the dashboard yet - is about IP address based intelligence. The module basically pulls information about a "user-specified" IP list/file from public sources, e.g. DNS records, associated malware URLs, malware files and associated HTTP/TCP/DNS connections, and generates "bird's-eye" and "detailed" information graphs with correlation.

    For reference, a blue dot represents an IP address, a purple dot represents a DNS record, an orange dot represents a URL associated with malware, and a red rectangle represents the malware sample associated with an IP address.

    Here is the sample video -

    Tuesday, January 7, 2014

    Keyword based Cyber Intelligence


    For some time now, I've been thinking of adding another feature/module (on the Cyber Threat Intelligence module) to the Hook Analyser project - keyword based Cyber intelligence. Fortunately, I had enough free time this afternoon to write the module.

    I haven't decided on the release date yet, though I'm planning to do so sometime this month - so stay tuned!

    Here is a glimpse of the "updated" Cyber Threat Intelligence dashboard - obviously this is at development stage, hence I can't commit to the same dashboard on release of the new version.

    Feedback and suggestions are most welcome.

    Wednesday, December 18, 2013

    Upcoming tool - Cyber Threat Intelligence (Hook Analyser 3.0)


    I strongly recommend looking out for the upcoming release of Hook Analyser 3.0 - which will include Cyber Threat Intelligence capability.

    This will include a simple dashboard with information - easy to interpret and understand.

    On a side note - I have been working on another solution/project which performs analysis of malware attacks and internet presence across industries and presents the result in an intuitive manner.

    The solution will be shared at some later stage - just a heads-up!

    Tuesday, October 22, 2013

    Digital Attack Map - DDoS Attack

    Thought of sharing this interesting Google project, Digital Attack Map. This is a live data visualisation of active DDoS attacks around the globe. This is one of the initiatives from Google Ideas and Arbor Networks.

    I will let you explore the website to understand more about it. By the looks of it (not sure whether data could be exported - which could then be useful for enterprises to concert with internal data sources), it appears to be quite useful from the following perspective -

    1. It will provide "close to real-time" information about active DDoS attacks across different geographies.
    2. Historic data/events can be leveraged on to predict or produce actionable intelligence.

    Here is the website - Digital Attack Map