Some new Data Feeds, and a little “incident”., (Thu, Mar 20th)

Our API (https://isc.sans.edu/api) continues to be quite popular. One query we see a lot is lookups of individual IP addresses. Running many such queries as you work through a log may get you locked out by our rate limit. To help with that, we now offer additional “summary feeds” that include all data recently received. You can download these feeds and import them into your database of choice (or grep the text file for records). This makes bulk lookups a lot easier and faster.

Python Bot Delivered Through DLL Side-Loading, (Tue, Mar 18th)

One of my hunting rules triggered on some suspicious Python code, and, digging deeper, I found an interesting example of DLL side-loading. The technique places a malicious DLL with the same name and export structure as a legitimate DLL in a location the application searches first, so the application loads the malicious DLL instead of the intended one. This is a classic weakness seen for years in many applications. The attacker also implemented simple tricks to bypass common security controls.
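
As an added example, not code from the diary or from the malware it describes, the check below turns the description above into detection logic run over image-load telemetry: a DLL whose name belongs in the Windows system directory but resolves from the application's own directory (or any other non-system path) is the classic side-loading pattern. The records are constructed to look like Sysmon Event ID 7 (Image loaded) fields; the DLL name list, the directory list and the function names are assumptions for illustration, not a complete or authoritative allowlist.

```python
import ntpath

# Constructed image-load records in the shape of Sysmon Event ID 7 fields.
# These are illustrative, not real telemetry.
CONSTRUCTED_EVENTS = [
    {"Image": r"C:\Windows\System32\notepad.exe",
     "ImageLoaded": r"C:\Windows\System32\version.dll",
     "Signed": "true", "Signature": "Microsoft Windows"},
    # Legitimate-looking executable dropped in Temp next to a fake version.dll:
    # the side-loading pattern the diary describes.
    {"Image": r"C:\Users\alice\AppData\Local\Temp\updater.exe",
     "ImageLoaded": r"C:\Users\alice\AppData\Local\Temp\version.dll",
     "Signed": "false", "Signature": ""},
    # System DLL name resolved from a user-writable directory that is not
    # the application directory (search-order abuse via a planted file).
    {"Image": r"C:\Program Files\Vendor\tool.exe",
     "ImageLoaded": r"C:\Users\alice\AppData\Local\Temp\dbghelp.dll",
     "Signed": "false", "Signature": ""},
    # Vendor's own signed library from its install directory: expected.
    {"Image": r"C:\Program Files\Vendor\tool.exe",
     "ImageLoaded": r"C:\Program Files\Vendor\vendorlib.dll",
     "Signed": "true", "Signature": "Vendor Inc"},
    # Unsigned DLL beside an executable in Downloads: weaker signal, still
    # worth a look.
    {"Image": r"C:\Users\alice\Downloads\viewer.exe",
     "ImageLoaded": r"C:\Users\alice\Downloads\helper.dll",
     "Signed": "false", "Signature": ""},
]

# DLL names an application is expected to resolve from the system directory.
# Illustrative subset (assumption); extend it from your own baseline.
SYSTEM_DLLS = {"version.dll", "dbghelp.dll", "cryptsp.dll", "wininet.dll",
               "userenv.dll", "profapi.dll", "dwmapi.dll"}

# Directories from which system DLLs legitimately load (lower-cased).
SYSTEM_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64",
               r"c:\windows\winsxs")


def _dirname(path):
    # ntpath handles Windows separators on any host OS.
    return ntpath.dirname(path).lower()


def _basename(path):
    return ntpath.basename(path).lower()


def _under_system_dir(directory):
    return any(directory == d or directory.startswith(d + "\\")
               for d in SYSTEM_DIRS)


def is_sideload_candidate(event, system_dlls=SYSTEM_DLLS):
    """Return a reason string if the load looks like side-loading, else None."""
    dll = _basename(event["ImageLoaded"])
    dll_dir = _dirname(event["ImageLoaded"])
    exe_dir = _dirname(event["Image"])
    unsigned = event.get("Signed", "").lower() != "true"

    # Strongest signal: a system DLL name that did not come from a system
    # directory. Same directory as the executable is the textbook case.
    if dll in system_dlls and not _under_system_dir(dll_dir):
        if dll_dir == exe_dir:
            return "system DLL name resolved from the application directory"
        return "system DLL name resolved outside the system directory"

    # Weaker signal: any unsigned DLL loaded from the application directory.
    # Noisy for some vendors; treat as a triage hint, not an alert on its own.
    if dll_dir == exe_dir and unsigned:
        return "unsigned DLL loaded from the application directory"
    return None


def find_sideload_candidates(events, system_dlls=SYSTEM_DLLS):
    """Return (Image, ImageLoaded, reason) for every suspicious load."""
    hits = []
    for ev in events:
        reason = is_sideload_candidate(ev, system_dlls)
        if reason:
            hits.append((ev["Image"], ev["ImageLoaded"], reason))
    return hits


if __name__ == "__main__":
    for image, loaded, reason in find_sideload_candidates(CONSTRUCTED_EVENTS):
        print(f"{reason}: {image} -> {loaded}")
```

The first rule is the one to alert on; the second only narrows a hunt, because plenty of legitimate software ships unsigned helper DLLs in its own directory. On real Sysmon data, also keep the `Signature` field: a system DLL name that carries a signer other than Microsoft is a stronger indicator than the unsigned case alone.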

Mirai Bot now incorporating (malformed?) DrayTek Vigor Router Exploits, (Sun, Mar 16th)

Last October, Forescout published a report disclosing several vulnerabilities in DrayTek routers. According to Forescout, about 700,000 devices were exposed to these vulnerabilities [1]. At the time, DrayTek released firmware updates for the affected routers [2]. Forescout also noted that multiple APTs were targeting these devices.
