Trojan.Eclipse — A Bad Moon Rising?

ASERT’s malware collection and processing system has automatic heuristics that bubble up potentially new and interesting DDoS malware samples into a “for human analysis” queue. A recent member of this queue was Trojan.Eclipse and this post is my analysis of the malware and its associated campaigns.

Analysis was performed on the sample with an MD5 of 0cdd10cd3393d3fe916a55b946c10ad6.

The name Eclipse comes from two places: a mutex named “eclipseddos” and a hardcoded Cookie value used in the command and control (C2) phone home. [...]


The Heartburn Over Heartbleed: OpenSSL Memory Leak Burns Slowly

Marc Eisenbarth, Alison Goodrich, Roland Dobbins, Curt Wilson

A very serious vulnerability present in OpenSSL 1.0.1 for two years has been disclosed (CVE-2014-0160). This “Heartbleed” vulnerability allows an attacker to reveal up to 64kb of memory to a connected client or server. This buffer-over-read vulnerability can be used in rapid succession to exfiltrate larger sections of memory, potentially exposing private keys, usernames and passwords, cookies, session tokens, email, or any other data that resides in the affected memory region. This flaw [...]



I’ve always found sites which test IPv6 connectivity interesting. In 2005, I implemented the ipv6calc cgi software as part of a server-side include that reported which IPv4 or IPv6 address the visitor was using to visit the Web site. At that time, the number of IPv6-enabled visitors to the site per month averaged in single digits.

As mentioned in another posting (you can read it here), the “test-ipv6” software is available open-source. I’ve implemented a mirror of this site at [...]


State of IPv6: Web Sites Now Offer Easy IPv6 Connectivity Tests

There is a certain level of skill to creating an IPv6-capable network. There is even more skill to creating an IPv6-capable network correctly. To help confirm an IPv6-capable network has been configured correctly and that “upstream” IPv6 connectivity is correct, there are several Web sites which offer basic insights into the quality of IPv6 connectivity.

Such sites have been around in one form or another since at least 2000. The most famous early “test” Web site was perhaps “” – if [...]


Global Attack Intelligence Integrated into Local Protection

Arbor Networks has built a massive, global intelligence network centered around ATLAS, a unique collaboration with nearly 300 service provider customers who have agreed to share anonymous traffic data with Arbor. This massive traffic data set, totaling 80Tbps, is combined with information from a global honeypot network of sensors in dark IP address space as well as strategic partnerships, such as the Red Sky Alliance.

Arbor’s Security Engineering & Response Team (ASERT) is one of the largest dedicated research organizations in [...]


Pravail Security Analytics (Packetloop)

Today marks our first major product release since Packetloop became part of Arbor Networks in September 2013. It marks a major step in realizing the combined vision of Arbor Networks and Packetloop and also sees us change the Packetloop name to Pravail Security Analytics.

The combined vision is leveraging Arbor Networks’ ability to “see things that others can’t,” analyze and mitigate. It’s implemented by integrating Arbor Networks’ expertise in threat intelligence (ASERT), analysis and forensics (Pravail Network Security Intelligence and Packetloop) [...]


Drive Returns with New Tactics and New Attacks

The last time I blogged about Drive, it had just added some new attacks and obfuscation to its attack commands. Fast forward seven months, and Drive has another new variant that has adopted a completely new set of tactics while being used in some recent high-profile attacks.

Similar, Yet Different

I first discovered this new Drive variant in early January 2014 when I noticed that my previous Yara rule was alerting on samples that my network classifiers were not. Upon [...]


NTP attacks continue – a quick look at traffic over the past few months

In February, Kirk Soluk’s post on NTP Attacks: Welcome to The Hockey Stick Era reported that we have seen an increase in NTP-based application attacks. We thought we would take a few minutes to post an update on the state of traffic metrics.

The graphs below are depicting aggregate traffic based on the NTP network port (123). The first graph shows observed NTP traffic via UDP since December of 2013 until early [...]


Dexter and Project Hook Point-of-Sale Malware Activity Update

An increase in credit and debit card theft via Point of Sale (PoS) malware campaigns over the late 2013 holiday season has resulted in significant media attention and has likely emboldened threat actors as the success of past campaigns comes to light. Media attention has decreased since news of the Target breach and associated fallout; however, threat actors targeting PoS systems are still engaged in active [...]


NTP ATTACKS: Welcome to The Hockey Stick Era

Although Network Time Protocol (NTP) reflection/amplification attacks have been observed in the wild for many years, they have received an uptick in popularity due to recent high-profile attacks, first in late December 2013 on gaming networks, and again this week in Europe.

Arbor is able to confirm that our ATLAS system monitored an attack on Monday, February 10 targeting a destination in France, peaking at 325 Gbps. Since then, ATLAS has observed no fewer than 4 more attacks exceeding 100 Gbps [...]
