360 Netlab Blog - Network Security Research Lab at 360

A collection of 38 posts
DDoSMon

CLDAP is Now the No.3 Reflection Amplified DDoS Attack Vector, Surpassing SSDP and CharGen

Authors: Xu Yang, kenshin. With our DDoSMon, we are able to perform continuous and near real-time monitoring of global DDoS attacks. For quite a long time, DNS, NTP, CharGen and SSDP have been the most frequently abused services in DDoS reflection amplification attacks. They rank respectively 1st, 2nd, 3rd and
kenshin
Nov 1, 2017 3 min read
IoT Botnet

IoT_reaper: A Few Updates

Here is a quick follow-up post regarding our initial blog. IoT_reaper Sample History The historical delivery of the IoT_reaper samples we observed through our honeypot is as follows: It is noticeable that most malicious samples for IoT_reaper are located at the following URL: * Downloading URL:
Genshen Ye
Oct 25, 2017 4 min read
IoT Botnet

IoT_reaper: A Rapidly Spreading New IoT Botnet

On 2017-09-13 at 01:02:13, we caught a new malicious sample targeting IoT devices. Starting from that time, this new IoT botnet family continued to update and began to harvest vulnerable IoT devices at a rapid pace. The bot borrowed some code from the famous Mirai botnet, but it
Genshen Ye
Oct 20, 2017 4 min read
IoT Botnet

Is Hajime botnet dead?

Overview The mysterious Hajime botnet was first discovered by Rapiditynetworks in Oct 2016, and it was all over the news earlier this year, but it seems that nobody talks about it any more. Is this botnet gone? The answer is no; our team has been tracking this botnet for
RootKiter
Sep 20, 2017 6 min read
New Threat

Http 81 Botnet: the Comparison against MIRAI and New Findings

Overview In our previous blog, we introduced a new IoT botnet spreading over HTTP port 81. In this blog we will name it the http81 IoT botnet, while some anti-virus software names it Persirai, and some other software names it after MIRAI. In this blog, we will compare http81 against Mirai at
RootKiter
Apr 28, 2017 5 min read
New Threat

New Threat Report: A new IoT Botnet is Spreading over HTTP 81 on a Large Scale

Overview 360 Network Security Research Lab recently discovered a new botnet that is scanning the entire Internet on a large scale. Taking into account the following factors in the botnet, we decided to disclose our findings to the security community: 1. Very active, we can now see ~50k live scanner
Li Fengpei
Apr 24, 2017 9 min read
RSAC

Netlab's ScanMon at RSA Conference 2017

The RSA Conference 2017 will be held during Feb 13 - 17 at Moscone Center, San Francisco. At this year's conference, we will introduce our Network ScanMon system to the global security community. Network scanning is a prevalent threat on the Internet. It can discover active hosts or services in
Li Fengpei
Feb 4, 2017 1 min read
PassiveDNS

Fraudulent Top Sites, an Underground Market Infrastructure

[Update History] * 2017-01-16 First English version. Updates in the original Chinese version are merged. Overview Some domain names containing strings that represent well-known companies were noticed in our abnormal traffic detection system, including 360, ali, baidu, cloudflare, dnspod, google and microsoft. We later found these strings are adopted by a mature dedicated
Zhang Zaifeng
Jan 16, 2017 7 min read
Mirai

New Mirai DGA Seed 0x91 Brute Forced

Until very recently, through the samples we had learned that the Mirai DGA seeds are all fixed to 0, as detailed in the blog Now Mirai Has DGA Feature Built in, and we were able to predict all corresponding DGA domains. Surprisingly, although we have not seen any related samples, just
Li Fengpei
Dec 16, 2016 3 min read
Mirai

Now Mirai Has DGA Feature Built in

Update History * 2016-12-09 first version * 2016-12-12 fig-0 update, fix a TLD choosing error in our DGA implementation Summary Nearly 2 weeks ago, 2 new infection vectors (aka TCP ports 7547 and 5555) were found being used to spread MIRAI malware * <A Few Observations of The New Mirai Variant
LIU Ya
Dec 9, 2016 4 min read
Mirai

A Few Observations of The New Mirai Variant on Port 7547

Much of the new Mirai variant that scans port 7547 has been covered by various sources. In this blog, we will not repeat such known facts; we are just going to list a few observations that we have seen so far. Mirai First Hit and Capability Assessment All the
Li Fengpei
Nov 30, 2016 3 min read
Mirai

A quick stats on the 608,083 Mirai IPs that hit our honeypots in the past 2.5 months

Over the last few weeks Mirai, a DDoS botnet family which is believed to be responsible for the large attacks against Brian Krebs on September 13, 2016, has become a hot topic in the security community. Previous investigations show that this malware mainly infects IoT devices, e.g., CCTV, and TCP
LIU Ya
Oct 15, 2016 2 min read
en

New Elknot/Billgates Variant with XOR like C2 Configuration Encryption Scheme

Overview Elknot is a notorious DDoS botnet family which runs on both Linux and Windows platforms [1] [2] [3] [4]. Multiple variants have been found since its first appearance, while the most infamous variant is called BillGates by many researchers because of its characteristic use of Bill and Gates modules
LIU Ya
Sep 2, 2016 6 min read