c-apt-ure.blogspot.com
c-APT-ure: May 2013
http://c-apt-ure.blogspot.com/2013_05_01_archive.html
Thursday, May 30, 2013. "Ponmocup Hunter" SANS DFIR Summit 2013. The presentation slides have been online for a while [PDF Link]. I've given a newer version of this talk at DeepSec. Slides will be linked when made public. I'm thrilled to give a presentation "My name is Hunter, Ponmocup Hunter" in July at the SANS DFIR Summit 2013 in Austin, Texas. (Summit. How the malware was discovered, what indicators were derived. How all infected hosts were identified and how remediation was done. http://security-res...
c-apt-ure.blogspot.com
c-APT-ure: July 2014
http://c-apt-ure.blogspot.com/2014_07_01_archive.html
Tuesday, July 29, 2014. Using Redline for Live Response - Part 1. For once I'll write about something a bit different than before. It's still about Ponmocup Malware, or more precisely about the Zuponcic Kit for delivery, but more about how to do Live Response and Detection on the host using Redline. If you're not familiar with the Zuponcic Kit yet, you should read the following posts: Not quite the average exploit kit: Zuponcic. Zuponcic: "Is it a bird? Is it a plane?" Zuponcic: "Is it a bird? Perrugina&#...
c-apt-ure.blogspot.com
c-APT-ure: 3R4LR - Running Redline Remotely for Live Response
http://c-apt-ure.blogspot.com/2014/08/3r4lr-running-redline-remotely-for-live.html
Tuesday, August 12, 2014. 3R4LR - Running Redline Remotely for Live Response. This blog post is a work in progress and I'd love to get feedback while writing it. So while this note appears on top, the blog post is not finished. Please come back again later! This is the second post about using Redline for Live Response. The first post covered Using Redline for Live Response - Part 1. Showing how many details from artifacts can be collected with Redline. Copy the collector to the host. Here are the two scr...
c-apt-ure.blogspot.com
c-APT-ure: August 2014
http://c-apt-ure.blogspot.com/2014_08_01_archive.html
Tuesday, August 12, 2014. 3R4LR - Running Redline Remotely for Live Response. This blog post is a work in progress and I'd love to get feedback while writing it. So while this note appears on top, the blog post is not finished. Please come back again later! This is the second post about using Redline for Live Response. The first post covered Using Redline for Live Response - Part 1. Showing how many details from artifacts can be collected with Redline. Copy the collector to the host. Here are the two scr...
c-apt-ure.blogspot.com
c-APT-ure: Using Redline for Live Response - Part 1
http://c-apt-ure.blogspot.com/2014/07/using-redline-for-live-response-part-1.html
Tuesday, July 29, 2014. Using Redline for Live Response - Part 1. For once I'll write about something a bit different than before. It's still about Ponmocup Malware, or more precisely about the Zuponcic Kit for delivery, but more about how to do Live Response and Detection on the host using Redline. If you're not familiar with the Zuponcic Kit yet, you should read the following posts: Not quite the average exploit kit: Zuponcic. Zuponcic: "Is it a bird? Is it a plane?" Zuponcic: "Is it a bird? Perrugina&#...
c-apt-ure.blogspot.com
c-APT-ure: March 2012
http://c-apt-ure.blogspot.com/2012_03_01_archive.html
Thursday, March 8, 2012. Ponmocup, lots changed, but not all. (See at the end and list of domains below. More info, links to IOC and refs at end.) So here goes another post about the Ponmocup malware. Lots of things changed recently, but not all (luckily for defenders). Previously, the first redirection step was using a "/cgi-bin/r.cgi" pattern which was detected by this Snort rule (2013181). Here's an example from 2011-08-03 [PDF]. As you can see in this report. http://www9.dy...
c-apt-ure.blogspot.com
c-APT-ure: February 2012
http://c-apt-ure.blogspot.com/2012_02_01_archive.html
Saturday, February 18, 2012. Not APT, but nasty malware (Ponmocup botnet). For once I don't write about APT, but about some nasty malware / botnet that I've been researching for almost a year. It's been called "Ponmocup botnet", but the malware has been called many different names (Ponmocup, Pirminay, Kryptik, Swisyn, Vundo etc.). I've been putting most of my research on a privately hosted page here: http://www9.dyndns-server.com:8080/pub/botnet-links.html (Sorry about the bad formatting and strange URL.)
steve.grc.com
Reverse Engineering RSA’s “Statement” | Steve (GRC) Gibson's Blog
https://steve.grc.com/2011/03/19/reverse-engineering-rsas-statement
Steve (GRC) Gibson's Blog. Steve's Public Brain Dumping Ground (watch where you step!). Reverse Engineering RSA's "Statement". March 19, 2011. Ummm, not so much... 2011, Art Coviello, RSA Security's Executive Chairman, posted a disturbingly murky statement. As you can see, it would have been difficult for any bureaucrat to be. One of several forms of the RSA SecurID Token. Each SecurID has an external serial number...
c-apt-ure.blogspot.com
c-APT-ure: June 2014
http://c-apt-ure.blogspot.com/2014_06_01_archive.html
Tuesday, June 3, 2014. By chance I just noticed that I wrote the Introducing Ponmocup Finder blog post exactly two years ago. So it's time to celebrate the second anniversary :-). Well, I was wondering if anyone else is currently detecting the .htaccess infections that Ponmocup Finder (PF) reports. Let's see. Let's just look at any of the almost 500 domains currently being detected by PF as infected. 437 www.vitaminbude.de. This German site has been seen infected for more than 430 days. 12:06:50- http...