Cisco Talos Blog

May 2, 2019 11:04

Qakbot levels up with new obfuscation techniques

Executive summary Qakbot, also known as Qbot, is a well-documented banking trojan that has been around since 2008. Recent Qakbot campaigns, however, are utilizing an updated persistence mechanism that can make it harder for users to detect and remove the trojan. Qakbot is known

June 13, 2014 10:00

Etumbot Detection, more prior coverage

Arbor Networks recently posted details about a backdoor they named Etumbot. It provides technical detail about the functionality of the malware and it includes hashes of known samples. The Arbor write up is available here:

September 13, 2012 16:30

Using negative distance to create detection windows

A common method for delivering malicious pages to clients is with the use of hidden iframes. Before I get started I want to say that I have seen hidden iframes used legitimately and the rule discussed will not be in any policies by default, due to the risk of false positives. Th

September 4, 2012 17:27

Matryoshka packets

I have heard many people talk about ICMP and UDP tunnels but very rarely observed them in the wild. We recently had the opportunity to examine a sample that uses this technique for C&C. It communicates by either an ICMP echo with a data section that includes a full TCP SYN pa

July 20, 2012 13:35

fast_pattern is fast