{"id":39,"date":"2013-11-08T20:23:20","date_gmt":"2013-11-08T20:23:20","guid":{"rendered":"http:\/\/www.lapsedordinary.net\/?p=39"},"modified":"2013-11-08T20:23:20","modified_gmt":"2013-11-08T20:23:20","slug":"hunting-a-botnet-the-story-of-unknowndga17-and-mevade","status":"publish","type":"post","link":"http:\/\/lapsed.ordinary\/2013\/11\/08\/hunting-a-botnet-the-story-of-unknowndga17-and-mevade\/","title":{"rendered":"Hunting a botnet: the story of UnknownDGA17 and Mevade"},"content":{"rendered":"
During the past few weeks, me and Jo\u00e3o Gouveia<\/a> of AnubisNetworks<\/a> have spent many an evening hunting a botnet that Jo\u00e3o had discovered and subsequently called ‘UnknownDGA17’.<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[6],"tags":[],"_links":{"self":[{"href":"http:\/\/lapsed.ordinary\/wp-json\/wp\/v2\/posts\/39"}],"collection":[{"href":"http:\/\/lapsed.ordinary\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/lapsed.ordinary\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/lapsed.ordinary\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"http:\/\/lapsed.ordinary\/wp-json\/wp\/v2\/comments?post=39"}],"version-history":[{"count":0,"href":"http:\/\/lapsed.ordinary\/wp-json\/wp\/v2\/posts\/39\/revisions"}],"wp:attachment":[{"href":"http:\/\/lapsed.ordinary\/wp-json\/wp\/v2\/media?parent=39"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/lapsed.ordinary\/wp-json\/wp\/v2\/categories?post=39"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/lapsed.ordinary\/wp-json\/wp\/v2\/tags?post=39"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
\nI think ‘hunting’ is the right term here, because we based our research on information from AnubisNetworks’ Cyberfeed<\/a>, in particular hundreds of thousands of connections the botnet made to a sinkhole, rather than on actual malware samples. In the end, we were able to find so many links with ‘Mevade’, a botnet (in)famous for using the Tor network for C&C communication, that we can be certain the botnets are closely linked, if not the same. We also found that Mevade is heavily involved in bitcoin mining.
\nThe full story is here<\/a>.<\/p>\n","protected":false},"excerpt":{"rendered":"