About

What is this blog about?

This blog is primarily about exploit kits (such as Rig) and the malware they drop. I may do the odd malspam post as well. My style of displaying the information is designed to grab the attention of someone who may otherwise have glazed eyes.

My aim is to show the latest patterns in EK activity and the malware it drops, in the hope of providing the open source community with a way to look for such activity on their networks or to update their rules.

Beware that there is great risk in browsing to any of the sites and in executing any payloads downloaded from the pcaps, and that risk is your own 🙂

What are my sources?

I rely on either submissions from users or, where possible, compromised sites I come across. I may use a compromised site found by another researcher if the EK is rarer, such as Sundown. If you have any sites to share then please contact me; I will credit you if you want to be known.

How do you do it?

I run a lab environment and manually browse to a compromised site within it, recording the activity using Wireshark, Process Explorer/Monitor and Regshot.

I then upload the pcap file and artifacts to VirusTotal and begin some manual analysis of the pcap, noting down any interesting events.

What is this ‘Zerophage’?

Before I got into security I wanted to create computer games. Zerophage was a character I created and the art is original. The game was meant to be a Pokemon clone, but instead of animals it would be weapons or objects. Zerophage was a final evolution and was type Bug (spreading malware through his USBs) and Steel (robotic armour).
