Ohhh, Kazy, you so krazy. It seems Kazy has moved to using outbound UDP port 53 for part of its coms. From what we discern, it appears to be check-in-related traffic. The payloads are static but change on a host-by-host basis. This time, Kazy doesn’t seem to make any attempt to emulate DNS. Outbound UDP [...]

My day started off today like most here at ET Pro. I grabbed my morning cup of coffee, checked email, handled some community-related items and began to look at a  sample (md5:a01d75158cf4618677f494f9626b1c4c) one community member found “interesting.” Right away we could tell that the sample was trying to evade detection by attempting to camouflage itself [...]

>Today’s bot isn’t that new, the CnC channel it uses has been in use by a few different families for some time now. It’s simple, and extremely easy to detect. But they keep using it… Fine by us. So once executed the malware connects to a server on a high port, in today’s case port [...]

>Interesting bot today to talk about, and a great example of how header analysis is really changing how we snag badness in your Emerging Threats Rulesets. We don’t know what to call this one, every AV has a different opinion there, but in general it’s a downloader for some kind of FakeAV. Regardless, it’s bad [...]

>In our last episode (Header Analysis to Catch Malware) we introduced the idea of and the first two signatures for doing do. These have been extremely useful! But we’re catching some things that aren’t malware. Suspicious, unusual, things we didn’t know about before, but not malware. Just on those two initial signatures which were looking for [...]