BLOG

abuse.ch gets a new home at BFH

Published on 1st June 2021, 07:25:31 UTC

In October 2020, I've described the challenges I'm facing with operating abuse.ch as a non-profit project. I've also draw a plan for the future of abuse.ch that was collecting sufficient funds to turn abuse.ch into a research project. Today, I'm very excited to announce that the fund raising was successful and that as of April 15th 2021, abuse.ch became a research project at Institute for Cybersecurity and Engineering ICE hosted at the Bern University of Applied Sciences (BFH) in Switzerland... [read on]


Introducing ThreatFox

Published on 8th March 2021, 12:41:55 UTC

In 2018, I've launched URLhaus - a platform where security researchers and threat analysts can share malware distribution sites with the community. A year ago, in March 2020, the launch of MalwareBazaar enabled the community to share malware samples with others and hunt for such by e.g. using YARA rules. The goal of abuse.ch always was to make threat intelligence easy accessible for everyone - for free, and without the need of a registration on a platform. Today, ... [read on]


Moving Forward

Published on 26th October 2020, 13:45:09 UTC

13 years ago, I started to look at malware samples in my spare time that occasionally hit my personal mailbox. I've decided to document my findings in a blog, and abuse.ch was born. In the same year, ZeuS (aka Zbot) appeared. Sold on the dark web, it quickly became one of the most popular crimeware kits for cyber criminals to commit ebanking fraud and identity theft. Due to the rise of ZeuS in 2008/2009, I decided to create my first project: ZeuS Tracker. The two ... [read on]


Introducing MalwareBazaar

Published on 17th March 2020, 12:29:31 UTC

Almost two years ago, I've launched URLhaus with the goal of collecting malware distribution sites. With more than 300,000 malware distribution sites tracked, the project still is a great success. However, over the past weeks, I've been focusing my efforts on a new project. And here' it is: MalwareBazaar! MalwareBazaar collects known malicious malware sample, enriches them with additional intelligence and provides them back to the community - for free! [read on]


Using URLhaus as a Response Policy Zone (RPZ)

Published on 17th June 2019, 09:43:12 UTC

A few days ago, URLhaus, cracked 200,000 malware URLs tracked. The majority of the malware sites tracked by URLhaus are related to Emotet (aka Heodo), followed by Mirai, Gayfgyt and Gozi ISFB (aka Ursnif). But there are many other threats being tracked with the help of the infosec community. There are several ways how to utilize the data generated by the community to protect your network and users. This blog post is a short tutorial on how to use URLhaus as a DNS Response Policy Zone (RPZ). What is RPZ? RPZ is a way to rewrite or block responses to DNS queries. It is sometimes also refered as DNS Firewall, as it allows system administrators to block access to certain domain names. [read on]


How to Takedown 100,000 Malware Sites

Published on 21th January 2019, 11:23:48 UTC

End of March 2018, abuse.ch launched it's most recent project called URLhaus. The goal of URLhaus is to collect and share URLs that are being used for distributing malware. The project is a huge success: with the help of the community, URLhaus was able to takedown almost 100,000 malware distribution sites within just 10 months! During that time, 265 security researchers located all over the world have identified and submitted in average 300 malware sites to URLhaus each day, helping others to protect their network and users from malware campaigns. [read on]


Measuring Reaction Time of Abuse Desk

Published on 1st October 2018, 10:07:31 UTC

In March 2018, I've launched my most recent project called URLhaus. The goal of URLhaus is to collect and share URLs that are being used for distributing malware. In the first half year, 234 users have contributed and shared more than 50'000 malware distribution sites on URLhaus. That's amazing! But URLhaus does not only collect malware URLs: The project also reports active malware distribution sites to blacklist providers like Spamhaus, SURBL and Google Safe Browsing.Since June 2018, URLhaus is also sending out automated abuse reports to the respective network owners by using Abuseix Abuse Contact DB. [read on]


Sinkholes and Internet Hygiene

Published on 13th September 2018, 12:52:49 UTC

Keeping the Internet hygiene good can be challenging. There is a lot of badness around, harming not only internet users, organisations or corporate networks but also services that rely on the internet and sometimes even the integrity and stability of the internet itself. It is therefore essential to keep a certain level of internet hygiene. Among other things, internet services providers (ISPs) and national computer emergency response teams (CERTs) try to achieve that by collecting information about infected computers (so-called "bots") in order to notify the associated broadband subscriber or network owner about compromised machines. [read on]


AnMaXX, Gerber EDV and the Qrypter Connection

Published on 9th April 2018, 10:03:17 UTC

In August 2017, I've blogged about Adwind, a cross-platform RAT written in Java that is also known as "jRAT" and "JSocket". The main infection vector for Adwind is via spoofed email. The attacker doesn't have to care about the recipients operating system (OS): Adwind works on Windows, macOS and Linux. Recently, security researchers and AV vendors have published a handful interesting blog posts on Adwind. The recent uprise in Adwind campaigns seems to be related to Qrypter: a Malware-as-a-Service (MaaS) platform @Angelill0 blogged about in December 2017. The Qrypter MaaS platform is hosted in the Tor network, which makes it more resilient against takedowns and actions from law enforcement (LEA). [read on]


Cybercriminals taking advantage of Cryptocurrency Boom

Published on 8th January 2018, 11:55:29 UTC

It is fair to say that 2017 was the year of cryptocurrencies. In 2017, many cryptocurrencies went through the roof. Let's take Bitcoin (BTC) as an example: 1.0 BTC got traded for about 1,000 USD in beginning of 2017. In December 2017, one Bitcoin was more than 18,000 USD worth. An increase of 1800%! It was a very successful year for traders speculating on cryptocurrencies, and even more for cybercriminals: Cryptocurrencies like Bitcoin are the #1 means of payment when it comes to extortions. In the past years, the amount of extortions in cyberspace has grown rapidly. The most popular (and likely most easiest) way to extort money from not only random internet users but also small and medium businesses (like webshops) is DDoS extortion (DD4BC, Armada collective, you name it) and Ransomware (Crypt0L0cker, Locky, Cerber etc). Many of them demand Bitcoins as a ransom. [read on]


.bit - The next Generation of Bulletproof Hosting

Published on 25th Sptember 2017, 04:50:29 UTC

To control infected computers (so called bots), cybercriminals often use domain names for hosting their botnet Command&Control infrastructure (C&C). One of the advantages for botnet operators using domain names for botnet C&C hosting is that the A record (IP address) of the domain name can easily be changed in the case when the IP address where the botnet C&C is hosted gets disconnected or shut-down (for example as a result of an abuse complaint sent to the associated hosting provider). Another advantage is the fact that the Top-level domains (TLDs) where a domain name resides in are being maintained by the Internet Corporation for Assigned Names and Numbers (ICANN) which is more or less independent from governments. While ICANN is responsible for the governance of the domain names and e.g. publishes rules for registires and registrars how to operate and manage TLDs and domain names, ICANN can't take action against domain names. [read on]