Research (http://lapsed.ordinary/research/, published 2021-01-03, last modified 2023-02-19)

Throughout my career working in digital security, I have been engaged in many smaller and sometimes larger research projects. This page includes a selection of these projects. (Before working in digital security, I worked as a junior researcher in pure mathematics, a job which obviously included a large research component.)

I worked for Silent Push, a security start-up, in 2021 and 2022. This work involved doing some threat intelligence research, some of which has been written up, including research on the infrastructure of LodaRAT and IcedID.

Twitter botnet takedown

In 2013, I discovered some accounts on Twitter that were sending identical tweets. Studying these tweets and then writing a tool that detected similar ones helped me find more than 45,000 fake Twitter accounts that were being sold as followers. Twitter removed the accounts after I reported them. A brief write-up appeared on Virus Bulletin’s blog.

Spam: quality vs quantity

For more than ten years while working at Virus Bulletin, I researched unwanted and malicious email campaigns and products’ ability to block them. The most important trend I noticed during this time was that the more successful campaigns gradually became less prolific but at the same time did a better job at evading filters.

In security, we are often impressed by big numbers, but even in something as mundane as email spam, size doesn’t always matter: a campaign sending 25,000 emails can be more effective than one sending many millions. Here are two examples of this kind of research; a more conclusive version was presented at Botconf 2020.

Mevade (Sefnit) botnet

In 2013, together with João Gouveia from Anubisnetworks, I looked into the network traffic of what appeared to be a mysterious but prolific botnet. We were able to link it to Mevade (also known as Sefnit), a botnet used to mine for cryptocurrencies. We presented our research at Botconf 2014 in Nancy and also did a write-up for Anubisnetworks’ blog (of which only an archived version exists).