Analyzing data uploaded by attackers
Attackers and cyber-espionage groups both use online file-scanning services as one way to test their malicious code. It sounds silly, right? But this has been happening for years, and it was particularly common two years ago. In fact, while you are browsing around and reading this report, many people are busy testing their code. When I mention this to most security researchers, their responses are skeptical and come with questions like "don't these people do their own anti-virus testing?" or "you must mean those script kiddies practising their techniques". I do not know why these people use public scanning services, but I am 100% sure that they do.
Over the past two years, I have collected file-upload scanning data through various techniques in order to identify types of user behaviour from the files they uploaded. Rather than looking at the files directly, I prefer to track the unique hash of each file a user uploads and judge from that. When I started doing this, all of the activity these people generate was already being returned before the scanners caught up, faster than the automated scans for malicious content. Today I have identified more attackers, and I believe this is the last time the public will be blinded by scanning services.
Wired has written an article summarizing most of my work over the years. This blog post will also provide a guide to how they detect suspicious people through scanning services. I wrote a short paper describing what I learned from the different accounts over the years, including the algorithm code that records those activities. These techniques and algorithms helped me find a new and interesting way to uncover activity, replacing the typical record-keeping method.
In addition to the paper and the algorithms, I found something worth recommending to those who are interested in new cases and want to learn. I have prepared a public Google document describing all of the PlugX development testing carried out by the actors. To distinguish them easily from the detected files, I highlighted files with no detections in green, files with five or fewer detections in yellow, and everything else in red. All activity is sorted by date, so it is easy to see how the actors "" during testing. This activity began in April 2013 and includes some examples of files that were uploaded to the scanner but had not been seen before (by exact hash). These files were used to target Hong Kong.
Materials mentioned:
PlugX Development Testing
VirusTotal Mining
@91ri.org team