Thursday, November 06, 2014

Automating Victim Notifications - 1800 unique victims notified today

Wapack Labs has been running sinkholes since early April of this year. Up until recently we have been performing manual victim notifications; however, recent activity forced us to automate. Two recently sinkholed domains started generating a large quantity of traffic. One was from an old worm that has been around since 2010 but is apparently still propagating.

http://www.microsoft.com/security/portal/threat/encyclopedia/entry.aspx?Name=Worm:Win32/Esfury

The second is from a malware variant detected as Troj/Neurevt-K.

http://www.sophos.com/en-us/threat-center/threat-analyses/viruses-and-spyware/Troj~Neurevt-K/detailed-analysis.aspx

In less than a week of monitoring, a total of 19561 victims checked into our sinkhole. Among the total victims, there were approximately 1800 unique networks and/or ISPs. As part of the notifications, we are providing the victim data, destination domains and timestamps of activity. If you received one of these notifications and need more clarification, shoot us a note at notifications[at]wapacklabs.com.

Jeff
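The grouping step described above (sinkhole check-ins rolled up per network, each notice carrying victim IPs, destination domains and timestamps) can be sketched as follows. This is an added example, not Wapack Labs' code; the log format, the sample lines, the `NETWORKS` contact table and all function names are assumptions constructed for illustration.

```python
import ipaddress
from collections import defaultdict

# Constructed sinkhole log: timestamp, source IP, sinkholed domain requested.
SAMPLE_LOG = """\
2014-11-03T08:15:02Z 192.0.2.10 sinkholed-a.example
2014-11-03T08:15:40Z 192.0.2.10 sinkholed-a.example
2014-11-03T09:01:11Z 192.0.2.77 sinkholed-b.example
2014-11-04T13:22:45Z 198.51.100.5 sinkholed-a.example
2014-11-04T14:00:00Z 203.0.113.9 sinkholed-b.example
truncated line
"""

# Hypothetical prefix-to-contact table (assumption); real contacts would come
# from WHOIS/RDAP or a routing data feed.
NETWORKS = {
    "192.0.2.0/24": "abuse@isp-one.example",
    "198.51.100.0/24": "abuse@isp-two.example",
}

def parse(log):
    """Yield (timestamp, ip, domain); skip malformed lines."""
    for line in log.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue
        try:
            yield parts[0], ipaddress.ip_address(parts[1]), parts[2]
        except ValueError:
            continue

def group_by_network(log, networks=NETWORKS):
    """Group check-ins by owning network; return (grouped, unmatched)."""
    nets = sorted(((ipaddress.ip_network(p), c) for p, c in networks.items()),
                  key=lambda n: n[0].prefixlen, reverse=True)  # most specific first
    grouped, unmatched = defaultdict(list), []
    for ts, ip, domain in parse(log):
        contact = next((c for net, c in nets if ip in net), None)
        (grouped[contact] if contact else unmatched).append((ts, str(ip), domain))
    return dict(grouped), unmatched

def build_notification(contact, hits):
    """Render one notice: victim IPs, destination domains, timestamps."""
    hits = sorted(hits)
    hosts = sorted({ip for _, ip, _ in hits})
    lines = [f"To: {contact}",
             f"{len(hits)} check-ins from {len(hosts)} unique hosts, "
             f"{hits[0][0]} to {hits[-1][0]}", ""]
    lines += [f"{ts}  {ip}  {domain}" for ts, ip, domain in hits]
    return "\n".join(lines)
```

Check-ins whose source address matches no known prefix are returned separately so they can be resolved by hand instead of being silently dropped.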
