INTERNET STORM CENTER SPOTLIGHT
ISC provides a free analysis and warning service to thousands of Internet users and organizations, and is actively working with Internet Service Providers to fight back against the most malicious attackers. https://isc.sans.edu/about.html
From Highly Obfuscated Batch File to XWorm and Redline
Published: 2024-08-26.
Last Updated: 2024-08-26 07:01:14 UTC
by Xavier Mertens (Version: 1)
If you follow my diaries, you probably already know that one of my favorite topics around malware is obfuscation. I'm often impressed by the crazy techniques attackers use to make reverse engineers' lives more difficult. Last week, I spotted a file called "crypted.bat" ... which is detected by no antivirus according to VT. It deserved to be investigated!
When you open the file in a text editor, you see this ...
Read the full entry:
https://isc.sans.edu/diary/From+Highly+Obfuscated+Batch+File+to+XWorm+and+Redline/31204/
OpenAI Scans for Honeypots. Artificially Malicious? Action Abuse?
Published: 2024-08-22.
Last Updated: 2024-08-22 17:01:37 UTC
by Johannes Ullrich (Version: 1)
For a while now, I have seen scans that contain the pattern <see full ISC Diary entry> in the URL. For example, today this particular URL is popular:
/<see full ISC Diary entry>/wp-content/themes/twentytwentyone/style.css
I have been ignoring these scans so far. The "wp-content" in the URL suggests that this is yet another stupid WordPress scan for maybe the plugin vulnerability of the day. "twentytwentyone" points to a popular WordPress theme that apparently can, HOLD YOUR BREATH, be used for version disclosure. In short, this is the normal stupid stuff that I usually do not waste time on. Running WordPress with random themes and plugins? Good luck. I hope you at least add a "!" at the end of your password (which must be "password") to make it so much more secure.
The scan itself looked broken. The <see full ISC Diary entry> pattern looked like it was supposed to be replaced with something.
So stupid hackers scanning stupid WordPress installs. I ignored it.
Leave it up to Xavier to educate me that this isn't stupid but artificially intelligent!
Read the full entry:
https://isc.sans.edu/diary/OpenAI+Scans+for+Honeypots+Artificially+Malicious+Action+Abuse/31196/