Author: Jeff Edwards

Jeff Edwards
Jeff Edwards is a research analyst on Arbor's ASERT team. His duties include analyzing emerging threats to Internet security, reverse engineering malicious code and communications protocols, developing policies for attack mitigation, and contributing to the continual improvement and automation of Arbor's internal threat analysis software infrastructure. As a former FBI Special Agent assigned to the Detroit Cybercrime Squad, Jeff investigated network intrusions, botnets, DDoS attacks, and various other computer-related federal crimes. Jeff's background also includes an assignment to an FBI lab in Quantico, VA, where his duties included forensic examinations, data recovery, and reverse engineering involving diverse kinds of digital evidence. Outside of his law enforcement service, Jeff has approximately 10 years of experience as a professional software developer at several Silicon Valley startup companies. Jeff holds an M.S. in Computer Engineering from Purdue University.

Zyklon Season

The ASERT research team has recently done some work reverse engineering a family of malware called “Zyklon H.T.T.P.” that is written using the .Net framework. Zyklon (German for “cyclone”) is a large, multi-purpose trojan that includes support for a variety of malicious activities, including several […]

The Mad Max DGA

This post describes a domain generation algorithm (DGA) used by the “Mad Max” malware family. Mad Max is a targeted trojan, and we plan to post a follow-up article that documents our findings regarding the features of the Mad Max malware itself. But for now we will focus on the reversing of its DGA, since we were unable to find any other published research on this topic.

Not just a one-trick PonyDOS

Reversing the crypto used by the PonyDOS attack bot

This blog post is the third installment in our ongoing series of articles exploring the crypto systems commonly found in various DDoS malware families. In previous articles we covered the reversing of the Armageddon and Khan […]

Reversing the Wrath of Khan

Analysis of the crypto used by the Trojan.Khan DDoS bot

A recent blog post described our analysis of the crypto algorithm used by the Armageddon DDoS malware. This article continues our ongoing series on reversing the crypto mechanisms used by contemporary DDoS botnets; our guest […]

It’s 2012 and Armageddon has arrived

Breaking Armageddon’s latest and greatest crypto reveals some interesting new functionality

Armageddon is one of several notable Russian malware families that are designed exclusively for DDoS attacks; it has been on our radar screens for some time now. Its primary competitors within the market of […]