{"id":782,"date":"2021-01-03T13:37:11","date_gmt":"2021-01-03T13:37:11","guid":{"rendered":"http:\/\/lapsed.ordinary\/?page_id=782"},"modified":"2023-02-19T11:25:43","modified_gmt":"2023-02-19T11:25:43","slug":"research","status":"publish","type":"page","link":"http:\/\/lapsed.ordinary\/research\/","title":{"rendered":"Research"},"content":{"rendered":"\n<p>Throughout my career working in digital security, I have been engaged in many smaller and sometimes larger research projects. This page includes a selection of these projects. (Before working in digital security, I worked as a junior researcher in pure mathematics, a job which obviously included a large research component.)<\/p>\n\n\n\n<h4 class=\"wp-block-heading\">Silent Push<\/h4>\n\n\n\n<p>I worked for for <a href=\"https:\/\/silentpush.com\/\">Silent Push<\/a>, a security start-up, in 2021 and 2022. This work involves doing some threat intelligence research, some of which has been written up, including research the infrastructure on <a href=\"https:\/\/silentpush.com\/blog\/more-lodarat-infrastructure-targeting-bangladesh-uncovered\/5\">LodaRAT<\/a> and <a href=\"https:\/\/silentpush.com\/blog\/icedid-command-and-control-infrastructure\/7\">IcedID<\/a>. <\/p>\n\n\n\n<h4 class=\"wp-block-heading\">Twitter botnet takedown<\/h4>\n\n\n\n<p>In 2013, I discovered some accounts on Twitter that were sending identical tweets. Studying these tweets and then writing a tool that detected similar ones helped me find more than 45,000 fake Twitter accounts that were being sold as followers. Twitter removed the accounts after I reported them. A <a href=\"https:\/\/www.virusbulletin.com\/blog\/2013\/09\/tens-thousands-fake-twitter-accounts-passed-and-sold-followers\/\">brief write-up<\/a> appeared on Virus Bulletin&#8217;s blog.<\/p>\n\n\n\n<h4 class=\"wp-block-heading\">Spam: quality vs quantity<\/h4>\n\n\n\n<p>For more then ten years while working at <a href=\"https:\/\/www.virusbulletin.com\/\">Virus Bulletin<\/a>, I researched unwanted and malicious email campaigns and products&#8217; ability to block them. The most important trend I noticed during this time, was that the more successful campaigns gradually became less prolific but at the same time did a better job at evading filters.<\/p>\n\n\n\n<p>In security, we are often impressed by big numbers, but even in something as mundane as email spam, size doesn&#8217;t always matter: a campaign sending 25,000 emails can be more effective than one sending many millions. Here are <a href=\"https:\/\/www.virusbulletin.com\/blog\/2019\/02\/malspam-security-products-miss-emotet-ursnif-and-spammers-blunder\/\">two<\/a> <a href=\"https:\/\/www.virusbulletin.com\/blog\/2019\/01\/spam-hardest-block-often-most-damaging\/\">examples<\/a> of this kind of research, a more concluding version was presented at Botconf 2020.<\/p>\n\n\n\n<h4 class=\"wp-block-heading\">Mevade (Sefnit) botnet<\/h4>\n\n\n\n<p>In 2013, together with Jo\u00e3o Gouveia from Anubisnetworks, I looked into network traffic of what appeared to be a mysterious but prolific botnet. We were able to link it to Mevade (also known as Sefnit), a botnet used to mine for cryptocurrencies. We presented our research at <a href=\"https:\/\/www.botconf.eu\/2014\/the-many-faces-of-mevade\/\">Botconf 2014<\/a> in Nancy and also did a write-up for Anubisnetworks&#8217; blog (of which only an <a href=\"https:\/\/web.archive.org\/web\/20150121184222\/https:\/\/www.anubisnetworks.com\/community\/anubislabsblog\/from-the-botnet-battlegrounds-the-tale-of-unknown-dga17\/\">archived version<\/a> exists).<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"867\" height=\"463\" src=\"http:\/\/lapsed.ordinary\/wp-content\/uploads\/2021\/01\/MevadeGlobalSpread.png\" alt=\"Global spread of the Mevade botnet\" class=\"wp-image-908\" srcset=\"http:\/\/lapsed.ordinary\/wp-content\/uploads\/2021\/01\/MevadeGlobalSpread.png 867w, http:\/\/lapsed.ordinary\/wp-content\/uploads\/2021\/01\/MevadeGlobalSpread-300x160.png 300w, http:\/\/lapsed.ordinary\/wp-content\/uploads\/2021\/01\/MevadeGlobalSpread-768x410.png 768w\" sizes=\"(max-width: 867px) 100vw, 867px\" \/><\/figure>\n\n\n\n<h4 class=\"wp-block-heading\">Qakbot botnet<\/h4>\n\n\n\n<p>In 2014, Jo\u00e3o looked at the network traffic of another botnet, Qakbot (also known as Qbot and Pinkslipbot). Seven years later, Qakbot continues to be active and has been the initial infection for a number of prominent ransomware cases. An <a href=\"https:\/\/web.archive.org\/web\/20140426002642\/http:\/\/www.anubisnetworks.com:80\/the-return-of-qakbot\/\">archived version<\/a> of the blog post we wrote still exists.<\/p>\n\n\n\n<h4 class=\"wp-block-heading\">Dridex malicious spam campaign<\/h4>\n\n\n\n<p>This is an example of some ad hoc malware analysis performed with two colleagues at Virus Bulletin, resulting in a short <a href=\"https:\/\/www.virusbulletin.com\/blog\/2019\/11\/german-malspam-campaign-unfashionably-large\/\">blog post<\/a>.<\/p>\n\n\n\n<h4 class=\"wp-block-heading\">Phone support scams<\/h4>\n\n\n\n<p>During the early days of phone support scams (around 2012), I found myself of the receiving end of a few of such calls and then ended up researching this kind of scam and the (fake) companies behind them, getting a good understanding of how and why such scams work. A regularly cited <a href=\"https:\/\/www.virusbulletin.com\/conference\/vb2012\/abstracts\/my-pc-has-32-539-errors-how-telephone-support-scams-really-work\/\">paper<\/a> on the subject, written together with three others, was presented at Virus Bulletin 2012. I also shared my research with other researchers, the FTC and law enforcement.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Throughout my career working in digital security, I have been engaged in many smaller and sometimes larger research projects. This page includes a selection of these projects. (Before working in digital security, I worked as a junior researcher in pure mathematics, a job which obviously included a large research component.) Silent Push I worked for [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"parent":0,"menu_order":0,"comment_status":"closed","ping_status":"closed","template":"","meta":{"footnotes":""},"_links":{"self":[{"href":"http:\/\/lapsed.ordinary\/wp-json\/wp\/v2\/pages\/782"}],"collection":[{"href":"http:\/\/lapsed.ordinary\/wp-json\/wp\/v2\/pages"}],"about":[{"href":"http:\/\/lapsed.ordinary\/wp-json\/wp\/v2\/types\/page"}],"author":[{"embeddable":true,"href":"http:\/\/lapsed.ordinary\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"http:\/\/lapsed.ordinary\/wp-json\/wp\/v2\/comments?post=782"}],"version-history":[{"count":10,"href":"http:\/\/lapsed.ordinary\/wp-json\/wp\/v2\/pages\/782\/revisions"}],"predecessor-version":[{"id":1025,"href":"http:\/\/lapsed.ordinary\/wp-json\/wp\/v2\/pages\/782\/revisions\/1025"}],"wp:attachment":[{"href":"http:\/\/lapsed.ordinary\/wp-json\/wp\/v2\/media?parent=782"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}