Finding the Unknown – Detecting Emailed Malware Waves

In a previous post I discussed using the technique of watching for the transfer of executable files around the network as a method of intrusion detection. This is a great way of discovering machines that were attacked where IDS failed to detect the exploit(s) due to obfuscation.
Another method I’d like to highlight is looking for [...]

Webcast today

Just a quick reminder that the webcast for my paper “Mobile Device Forensics” will be taking place at 1pm EDT today. See my previous blog post for more information.

Nine-Ball = Gumblar Redux? – 40,000 websites compromised

My RSS reader alerted me today to another wave of mass website compromises from Websense. Hungry for more information, I decided to dig in to reveal the details that, as always, have been left out.
Summary
This attack appears to be brought to us courtesy of the attackers behind Gumblar. The malware involved and the end [...]

SANS Paper of the Quarter Webcast!

At long last SANS and I have agreed on a date and time for me to deliver the first ever Paper of the Quarter webcast. My paper Mobile Device Forensics was picked as the Q1 2009 winner while I was away traveling South America, so I am a little late to the race. It will [...]

This blog is now a honeypot!

As I was perusing my logs today on a lazy Sunday afternoon, I found I was being attacked by more RFI bots than usual. To my surprise, I realized it is because of my previous post on controlling RFI bots. In my last post I included a dork that is frequently scanned for, and in [...]

Controlling an RFI bot – RFI pt3

Let's delve a little deeper into the Osirys IRC bot which I initially discussed in part 1. First I will illustrate how the attacker finds and exploits web servers, then I will discuss how ISPs can get involved and remove these bots from their networks.
First the attacker issues a command to the bot to begin [...]