
Wire Wire: A West African Cyber Threat - chewymouse
https://www.secureworks.com/research/wire-wire-a-west-african-cyber-threat
======
Kenji
> _The SecureWorks team initially found the database by using the virus
> scanning tool VirusTotal to search for suspicious email attachments._

I feel like they left out a couple of reverse-engineering/hacking steps here.
Or is it true, does VirusTotal have such capabilities and I am just ignorant?

~~~
uxp
> VirusTotal runs its own passive DNS replication service, built by storing
> DNS resolutions performed when visiting URLs and executing malware samples
> submitted by users.

It will run malware samples and store any DNS and/or direct IP connections and
lookups from the compromised host. I'm guessing the researchers used a
combination of searches for malware coming in from email attachments and
malware that connects to external databases (whether that be mysql port 3306,
or something else less direct is unclear).

[https://www.virustotal.com/en/documentation/searching/](https://www.virustotal.com/en/documentation/searching/)
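The triage step uxp describes, searching sandbox-observed network behaviour for samples that phone home to a database port, can be sketched as a small offline script. This is an added example, not code from the thread or from SecureWorks; it assumes a made-up report layout (`dns_lookups` and `tcp_connections` fields) rather than VirusTotal's real schema, and the sample report is constructed with documentation IP ranges.

```python
import json
from typing import Dict, List

# Constructed sample in a report shape of my own; the field names are an
# assumption for illustration, not VirusTotal's real behaviour schema.
SAMPLE_REPORT = json.dumps({
    "sha256": "PLACEHOLDER_SAMPLE_HASH",
    "submission_source": "email attachment",
    "dns_lookups": [
        {"hostname": "updates.example-mailer.test",
         "resolved_ips": ["198.51.100.23"]},
        {"hostname": "panel.example-collector.test",
         "resolved_ips": ["203.0.113.9"]},
    ],
    "tcp_connections": [
        {"dst_ip": "198.51.100.23", "dst_port": 80},
        {"dst_ip": "203.0.113.9", "dst_port": 3306},
        {"dst_ip": "203.0.113.9", "dst_port": 21},
        {"dst_ip": "192.0.2.77", "dst_port": 3306},   # contacted directly, no DNS lookup
    ],
})

# Well-known listener ports for database services; a sample connecting to one
# of these from the sandbox is the kind of hit the comment above is describing.
DATABASE_PORTS = {3306: "mysql", 5432: "postgresql", 1433: "mssql", 27017: "mongodb"}


def ip_to_hostnames(report: dict) -> Dict[str, List[str]]:
    """Invert the DNS lookup list so an IP can be tied back to the name(s) that resolved to it."""
    mapping: Dict[str, List[str]] = {}
    for entry in report.get("dns_lookups", []):
        for ip in entry.get("resolved_ips", []):
            mapping.setdefault(ip, []).append(entry["hostname"])
    return mapping


def extract_network_indicators(report_json: str) -> Dict[str, List[str]]:
    """Collect every hostname and destination IP the sample touched, de-duplicated and sorted."""
    report = json.loads(report_json)
    hostnames = {e["hostname"] for e in report.get("dns_lookups", [])}
    ips = {ip for e in report.get("dns_lookups", []) for ip in e.get("resolved_ips", [])}
    ips |= {c["dst_ip"] for c in report.get("tcp_connections", [])}
    return {"hostnames": sorted(hostnames), "ips": sorted(ips)}


def flag_database_connections(report_json: str) -> List[dict]:
    """Return outbound connections to known database ports, joined to a hostname when DNS showed one."""
    report = json.loads(report_json)
    names = ip_to_hostnames(report)
    hits = []
    for conn in report.get("tcp_connections", []):
        service = DATABASE_PORTS.get(conn["dst_port"])
        if service is None:
            continue
        hits.append({
            "dst_ip": conn["dst_ip"],
            "dst_port": conn["dst_port"],
            "service": service,
            # Empty list means the IP was contacted without any preceding DNS lookup.
            "hostnames": names.get(conn["dst_ip"], []),
        })
    return hits


if __name__ == "__main__":
    print(json.dumps(extract_network_indicators(SAMPLE_REPORT), indent=2))
    for hit in flag_database_connections(SAMPLE_REPORT):
        where = hit["hostnames"] or "(direct IP, no DNS lookup)"
        print(f"{hit['service']:>10} {hit['dst_ip']}:{hit['dst_port']} {where}")
```

The join back through the DNS list matters for the case uxp raises: a sample that connects to a raw IP on 3306 leaves no hostname behind, so the hit is reported with an empty hostname list instead of being dropped.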

------
pierrec
This IEEE Spectrum article is bordering on blogspam. They don't link to the
original article, which is IMO better in every regard (and very interesting):

[https://www.secureworks.com/research/wire-wire-a-west-africa...](https://www.secureworks.com/research/wire-wire-a-west-african-cyber-threat)

~~~
sctb
Thanks, we updated the submission from [http://spectrum.ieee.org/tech-talk/telecom/security/nigerian...](http://spectrum.ieee.org/tech-talk/telecom/security/nigerian-scammers-infect-themselves-with-own-malware-revealing-new-wirewire-fraud-scheme) to this.

