R-fx Networks
Linux Software & Blog
Aug 17th
In a previous blog I discussed how one of the more enjoyable parts of my day-to-day malware rituals also involves the tracking and killing of command and control bot networks. Recently I have begun automating this process a bit; I have created a series of scripts that extract IRC servers, port numbers and channels from malware as it comes in and then check whether the IRC server is still online. A custom bot then logs into the server, queries the active channels and determines how many zombies are active on the network. If an IRC server is determined to be active More >
Aug 16th
The signature naming scheme for LMD is a little confusing and something I’ve received more than a few questions about, particularly about what the *.unclassed signatures mean. The naming scheme (to me) is straightforward and breaks down as follows:
{SIG_FORMAT}lang/vector.type.name.ID#
The ‘SIG_FORMAT’ is either HEX or MD5, reflecting the internal format of the signature; the ‘lang/vector’ is the language or attack vector of the malware; ‘type’ is a short descriptive field for what the malware does (e.g. ircbot, mailer, injection); ‘name’ is a short descriptive name unique to the piece of malware; and ‘ID#’ is the internal signature ID More >
Aug 14th
When I first introduced you all to the Aggregate Threat Feed back in May, it was a much smaller feed with very simple ambitions: pulling together threat data at work from our network edge and host-based firewalls and aggregating the data into a usable feed. The actual intention was that as an attacker exposes themselves more on the network through invasive scans and attacks, they would quickly climb up the threat feed and end up banned proactively. Though this did and still does happen in a way, a problem was introduced when more and more data started to More >
Jul 24th
Since I will be busy this coming week with other priorities, I am posting an early month-in-review blog on signature updates.
In the last 3 weeks we have not seen a whole lot of action on in-the-wild malware; most of what is propagating at the moment are variants of already detected content. That is not to say, however, that there have not been new signatures extracted; a lot of this month's signatures have come from account-level compromises on vulnerable e107, WordPress and Joomla installations along with user submissions. There are not a whole lot of groundbreaking malware threats, More >
Jul 24th
In one of my usual A.D.D. moments I decided to aggregate some data on project downloads and daily update queries to the rfxn.com server, to get a picture of who exactly is using the projects. Although this information is not terribly important, I do find it interesting. I need to stress that none of the listed organizations, agencies or businesses in any way endorse, sponsor or represent the opinions expressed on this site; they are simply users of my projects. That said, let's have a look at who uses the projects.
The basics: 1,808 Unique Networks across 117 Countries
Top 10 Usage Networks: GNAX More >