Media Coverage

Shadowserver in the news

It took 4 years to take down 'Avalanche', a huge online crime ring

Wired, December 2, 2016

ON THURSDAY, A group of international law enforcement agencies announced that it had completed an ambitious takedown of an extensive online criminal infrastructure called “Avalanche.” It’s one of the largest botnet takedowns ever, a four-year effort that turned up victims in 180 countries worldwide. Which is to say, nearly all of them. The scale of Avalanche is overwhelming, as was that of the effort to unwind it.

Audacious Android scam hacks a million Google accounts to boost app ratings

CSO Online, December 1, 2016

A new Android scam is hacking Google accounts just to help apps get discovered in Google Play’s crowded marketplace of two million apps. Google is working with ISPs, security firms and handset makers to fight Android malware, dubbed Gooligan, that has compromised a million Google Accounts to boost ratings on select apps in Google Play.

Legal raids in five countries seize botnet servers, sinkhole 800,000+ domains

Ars Technica, December 1, 2016

A botnet that has served up phishing attacks and at least 17 different malware families to victims for much of this decade has been taken down in a coordinated effort by an international group of law enforcement agencies and security firms. Law enforcement officials seized command and control servers and took control of more than 800,000 Internet domains used by the botnet, dubbed “Avalanche,” which has been in operation in some form since at least late 2009. The Shadowserver Foundation, a non-profit organization of security professionals that assisted in what the organization described in a post on the takedown as an 18-month collaboration with law enforcement, described Avalanche as a “Double Fast Flux” botnet.

Android 'Gooligan' Hackers Just Scored The Biggest Ever Theft Of Google Accounts

Forbes, November 30, 2016

A new variant of Android malware is responsible for what’s believed to be the biggest single theft of Google accounts on record. The so-called Gooligan strain has infected as many as 1.3 million Android phones since August, completely prising the devices open and stealing the tokens users are given to verify they are authorized to access accounts. Its main aim, though, is not to pilfer all that juicy data in Gmail or Docs, but to force users into downloading apps as part of a huge advertising fraud scheme, making as much as $320,000 a month.

Security Firm Detects 57M Attempts to Exploit 2-Year-Old Router Firmware Backdoor

Bleeping Computer, November 21, 2016

The case of the Netis router firmware backdoor shows you that even if a company puts out a patch to resolve security issues, the problem lingers on for years, as users fail to update their devices, or the patch itself fails to properly fix the issue. A more accurate statistics for the number of compromised Netis routers is provided by The Shadowserver Foundation, which claims to have identified over 15,000 hacked Netis routers, which is more than enough to build powerful DDoS botnets and bring down websites.

Avoiding gaps and duplications in global cyber capacity building

GFCE, June 20, 2016

Across the world, public and private organizations are investing in cyber capacities to reap the economic and social benefits that IT has to offer. Increased interconnectedness also necessitates the management of risks in cyberspace: strengthening cybersecurity, combating cybercrime and protecting online data. It is a global game, and the stakes are high. Weaknesses in cybersecurity can be exploited from anywhere; catching cybercriminals requires international collaboration and a new digital divide can stifle growth in developing economies. In the GFCE community, states, companies and intergovernmental organizations work together with NGOs, academia and the technical communities in the global effort to build cyber capacities. So far 25 GFCE members and partners collaborate on a total of 11 different cyber capacity-building initiatives. The initiatives fall in two categories. First are the regional initiatives, which support capacity building in a certain geographical area. Three initiatives are focused on capacity building in Africa: obtaining research data on cyber trends and developments, supporting national and regional cybersecurity strategies and incident response mechanisms and the training of cyber staff. In the America’s the Organization of American States (OAS) coordinates similar programs to develop local cyber capacity, the US and Canada developed best practices for cybersecurity awareness campaigns, while an initiative in Southeast Asia focusses on collaboration to combat cybercrime. Regional and Global GFCE Initiative (data provided by The Shadowserver Foundation).

Hackers hacking hackers to knacker white hat cracker trackers

The Register, April 14, 2016

ACSC2016 Malware writers are selling each other out to white hats and hacking through each other’s infrastructure to frame rivals, Shadowserver’s Richard Perlotto says.

Malware developers hide in plain sight in online sandboxes

Tech Republic, February 10, 2016

Malware analysis using online sandboxes is another example of technology designed to assist good guys that ends up helping bad guys as much if not more. A group of researchers from Eurecom, Symantec Research Labs, and Universita’ degli Studi di Milano decided to investigate databases from several malware analysis services — some containing millions of samples.

iOS Malware XcodeGhost affecting Hong Kong

HKCERT, November 17, 2015

In the Sep-2015, a security researcher discovered iOS malware XcodeGhost in official Apple Store. Over hundred applications were affected, including “WeChat”, “TTPod”, “Di Di”, “Hexin Financial” common application and “Angry Birds 2” famous game. Apple officially announced, the infected app were under the removal process in the App Store. The affected apps’ developers would update their apps and submit to the App Store again. There is still a risk of data leakage if users does not remove or update the affected apps. HKCERT analyzed the data from the Shadowserver. We discovered that average 14,147 unique IPs per day still made connection to the C2 server of XcodeGhost in the first week of October. This figure is about 30 times of other botnets infection.

FBI teams up with hackers to bust bank robbing botnet

CNN, October 15, 2015

American and British police have managed to stop a massive hacking operation that infected computers worldwide, stealing at least $10 million from the United States alone.