What’s My (File)Name?, (Mon, Jul 7th)

Modern malware implements a lot of anti-debugging and anti-analysis features. Today, when a piece of malware is spread in the wild, there is a good chance that it will be sent automatically into an analysis pipeline and a sandbox. To analyze a sample in a sandbox, it must be “copied” into the sandbox and executed. This can happen manually or automatically. When people start analyzing a suspicious file, they usually call it “sample.exe”, “malware.exe” or “suspicious.exe”. That's not always a good idea, because the malware can detect the file name and become aware that “I'm being analyzed”.


Quick Password Brute Forcing Evolution Statistics, (Tue, Jun 24th)

We have collected SSH and telnet honeypot data in various forms for about 10 years. Yesterday's diaries, and looking at some new usernames attempted earlier today, made me wonder whether botnets only add new usernames to their lists or also remove old ones. So I pulled some data from our database to test this hypothesis. I didn't spend a lot of time on this, and it could use a more detailed analysis. But here is a preliminary result:
