From Throw-Away Traffic to Bots

Total Page:16

File Type:pdf, Size:1020Kb

From Throw-Away Traffic to Bots From Throw-Away Traffic to Bots: Detecting the Rise of DGA-Based Malware Manos Antonakakis‡,∗, Roberto Perdisci†,∗, Yacin Nadji∗, Nikolaos Vasiloglou‡, Saeed Abu-Nimeh‡, Wenke Lee∗ and David Dagon∗ ‡Damballa Inc., †University of Georgia {manos,nvasil,sabunimeh}@damballa.com , [email protected] ∗Georgia Institute of Technology {yacin.nadji, wenke}@cc.gatech.edu, [email protected] Abstract 1 Introduction Many botnet detection systems employ a blacklist of Botnets are groups of malware-compromised ma- known command and control (C&C) domains to detect chines, or bots, that can be remotely controlled by an bots and block their traffic. Similar to signature-based attacker (the botmaster) through a command and control virus detection, such a botnet detection approach is static (C&C) communication channel. Botnets have become because the blacklist is updated only after running an ex- the main platform for cyber-criminals to send spam, steal ternal (and often manual) process of domain discovery. private information, host phishing web-pages, etc. Over As a response, botmasters have begun employing domain time, attackers have developed C&C channels with dif- generation algorithms (DGAs) to dynamically produce a ferent network structures. Most botnets today rely on large number of random domain names and select a small a centralized C&C server, whereby bots query a prede- subset for actual C&C use. That is, a C&C domain is ran- fined C&C domain name that resolves to the IP address domly generated and used for a very short period of time, of the C&C server from which commands will be re- thus rendering detection approaches that rely on static ceived. Such centralized C&C structures suffer from the domain lists ineffective. Naturally, if we know how a do- single point of failure problem because if the C&C do- main generation algorithm works, we can generate the main is identified and taken down, the botmaster loses domains ahead of time and still identify and block bot- control over the entire botnet. net C&C traffic. The existing solutions are largely based To overcome this limitation, attackers have used P2P- on reverse engineering of the bot malware executables, based C&C structures in botnets such as Nugache [35], which is not always feasible. Storm [38], and more recently Waledac [39], Zeus [2], In this paper we present a new technique to detect ran- and Alureon (a.k.a. TDL4) [12]. While P2P botnets domly generated domains without reversing. Our insight provide a more robust C&C structure that is difficult to is that most of the DGA-generated (random) domains detect and take down, they are typically harder to imple- that a bot queries would result in Non-Existent Domain ment and maintain. In an effort to combine the simplicity (NXDomain) responses, and that bots from the same bot- of centralized C&Cs with the robustness of P2P-based net (with the same DGA algorithm) would generate sim- structures, attackers have recently developed a number ilar NXDomain traffic. Our approach uses a combination of botnets that locate their C&C server through automat- of clustering and classification algorithms. The cluster- ically generated pseudo-random domains names. In or- ing algorithm clusters domains based on the similarity in der to contact the botmaster, each bot periodically exe- the make-ups of domain names as well as the groups of cutes a domain generation algorithm (DGA) that, given machines that queried these domains. The classification a random seed (e.g., the current date), produces a list of algorithm is used to assign the generated clusters to mod- candidate C&C domains. The bot then attempts to re- els of known DGAs. If a cluster cannot be assigned to a solve these domain names by sending DNS queries un- known model, then a new model is produced, indicating til one of the domains resolves to the IP address of a a new DGA variant or family. We implemented a pro- C&C server. This strategy provides a remarkable level totype system and evaluated it on real-world DNS traffic of agility because even if one or more C&C domain obtained from large ISPs in North America. We report names or IP addresses are identified and taken down, the the discovery of twelve DGAs. Half of them are variants bots will eventually get the IP address of the relocated of known (botnet) DGAs, and the other half are brand C&C server via DNS queries to the next set of automat- new DGAs that have never been reported before. ically generated domains. Notable examples of DGA- based botnets (or DGA-bots, for short) are Bobax [33], ages throw-away traffic (i.e., unsuccessful DNS resolu- Kraken [29], Sinowal (a.k.a. Torpig) [34], Srizbi [30], tions) to (1) discover the rise of new DGA-based botnets, Conficker-A/B [26], Conficker-C [23] and Murofet [31]. (2) accurately detect bot-compromised machines, and (3) A defender can attempt to reverse engineer the bot mal- identify and block the active C&C domains queried by ware, particularly its DGA algorithm, to pre-compute the discovered DGA-bots. Pleiades achieves these goals current and future candidate C&C domains in order to by monitoring the DNS traffic in local networks, without detect, block, and even take down the botnet. However, the need for a large-scale deployment of DNS analysis reverse engineering is not always feasible because the bot tools required by prior work. malware can be updated very quickly (e.g., hourly) and Furthermore, while botnet detection systems that fo- obfuscated (e.g., encrypted, and only decrypted and exe- cus on network flow analysis [13, 36, 44, 46] or require cuted by external triggers such as time). deep packet inspection [10, 14] may be capable of de- In this paper, we propose a novel detection system, tecting compromised machines within a local network, called Pleiades, to identify DGA-based bots within a they do not scale well to the overwhelming volume of monitored network without reverse engineering the bot traffic typical of large ISP environments. On the other malware. Pleiades is placed “below” the local recursive hand, Pleiades employs a lightweight DNS-based moni- DNS (RDNS) server or at the edge of a network to mon- toring approach, and can detect DGA-based malware by itor DNS query/response messages from/to the machines focusing on a small fraction of all DNS traffic in an ISP within the network. Specifically, Pleiades analyzes DNS network. This allows Pleiades to scale well to very large queries for domain names that result in Name Error re- ISP networks, where we evaluated our prototype system. sponses [19], also called NXDOMAIN responses, i.e., do- This paper makes the following contributions: main names for which no IP addresses (or other resource records) exist. In the remainder of this paper, we refer • We propose Pleiades, the first DGA-based bot- to these domain names as NXDomains. The focus on net identification system that efficiently analyzes NXDomains is motivated by the fact that modern DGA- streams of unsuccessful domain name resolutions, bots tend to query large sets of domain names among or NXDomains, in large ISP networks to automati- which relatively few successfully resolve to the IP ad- cally identify DGA-bots. dress of the C&C server. Therefore, to automatically identify DGA domain names, Pleiades searches for rela- tively large clusters of NXDomains that (i) have similar • We built a prototype implementation of Pleiades, syntactic features, and (ii) are queried by multiple po- and evaluated its DGA identification accuracy over tentially compromised machines during a given epoch. a large labeled dataset consisting of a mix of NX- The intuition is that in a large network, like the ISP net- Domains generated by four different known DGA- work where we ran our experiments, multiple hosts may based botnets and NXDomains “accidentally” gen- be compromised with the same DGA-bots. Therefore, erated by typos or mis-configurations. Our experi- each of these compromised assets will generate several ments demonstrate that Pleiades can accurately de- DNS queries resulting in NXDomains, and a subset of tect DGA-bots. these NXDomains will likely be queried by more than one compromised machine. Pleiades is able to automat- • We deployed and evaluated our Pleiades prototype ically identify and filter out “accidental”, user-generated in a large production ISP network for a period of 15 NXDomains due to typos or mis-configurations. When months. Our experiments discovered twelve new Pleiades finds a cluster of NXDomains, it applies statis- DGA-based botnets and enumerated the compro- tical learning techniques to build a model of the DGA. mised machines. Half of these new DGAs have This is used later to detect future compromised ma- never been reported before. chines running the same DGA and to detect active do- main names that “look similar” to NXDomains resulting The remainder of the paper is organized as follows. from the DGA and therefore probably point to the botnet In Section 2 we discuss related work. We provide an C&C server’s address. overview of Pleiades in Section 3. The DGA discovery Pleiades has the advantage of being able to discover process is described in Section 4. Section 5 describes the and model new DGAs without labor-intensive malware DGA classification and C&C detection processes. We reverse-engineering. This allows our system to detect elaborate on the properties of the datasets used and the new DGA-bots before any sample of the related malware way we obtained the ground truth in Section 6. The ex- family is captured and analyzed. Unlike previous work perimental results are presented in Section 7 while we on DNS traffic analysis for detecting malware-related [4] discuss the limitations of our systems in Section 8.
Recommended publications
  • A the Hacker
    A The Hacker Madame Curie once said “En science, nous devons nous int´eresser aux choses, non aux personnes [In science, we should be interested in things, not in people].” Things, however, have since changed, and today we have to be interested not just in the facts of computer security and crime, but in the people who perpetrate these acts. Hence this discussion of hackers. Over the centuries, the term “hacker” has referred to various activities. We are familiar with usages such as “a carpenter hacking wood with an ax” and “a butcher hacking meat with a cleaver,” but it seems that the modern, computer-related form of this term originated in the many pranks and practi- cal jokes perpetrated by students at MIT in the 1960s. As an example of the many meanings assigned to this term, see [Schneier 04] which, among much other information, explains why Galileo was a hacker but Aristotle wasn’t. A hack is a person lacking talent or ability, as in a “hack writer.” Hack as a verb is used in contexts such as “hack the media,” “hack your brain,” and “hack your reputation.” Recently, it has also come to mean either a kludge, or the opposite of a kludge, as in a clever or elegant solution to a difficult problem. A hack also means a simple but often inelegant solution or technique. The following tentative definitions are quoted from the jargon file ([jargon 04], edited by Eric S. Raymond): 1. A person who enjoys exploring the details of programmable systems and how to stretch their capabilities, as opposed to most users, who prefer to learn only the minimum necessary.
    [Show full text]
  • Analysis of Malware and Domain Name System Traffic
    Analysis of Malware and Domain Name System Traffic Hamad Mohammed Binsalleeh A Thesis in The Department of Computer Science and Software Engineering Presented in Partial Fulfillment of the Requirements for the Degree of Doctor of Philosophy at Concordia University Montréal, Québec, Canada July 2014 c Hamad Mohammed Binsalleeh, 2014 CONCORDIA UNIVERSITY Division of Graduate Studies This is to certify that the thesis prepared By: Hamad Mohammed Binsalleeh Entitled: Analysis of Malware and Domain Name System Traffic and submitted in partial fulfillment of the requirements for the degree of Doctor of Philosophy complies with the regulations of this University and meets the accepted standards with respect to originality and quality. Signed by the final examining committee: Chair Dr. Christian Moreau External Examiner Dr. Nadia Tawbi Examiner to Program Dr. Lingyu Wang Examiner Dr. Peter Grogono Examiner Dr. Olga Ormandjieva Thesis Co-Supervisor Dr. Mourad Debbabi Thesis Co-Supervisor Dr. Amr Youssef Approved by Chair of the CSE Department 2014 Dean of Engineering ABSTRACT Analysis of Malware and Domain Name System Traffic Hamad Mohammed Binsalleeh Concordia University, 2014 Malicious domains host Command and Control servers that are used to instruct in- fected machines to perpetuate malicious activities such as sending spam, stealing creden- tials, and launching denial of service attacks. Both static and dynamic analysis of malware as well as monitoring Domain Name System (DNS) traffic provide valuable insight into such malicious activities and help security experts detect and protect against many cyber attacks. Advanced crimeware toolkits were responsible for many recent cyber attacks. In order to understand the inner workings of such toolkits, we present a detailed reverse en- gineering analysis of the Zeus crimeware toolkit to unveil its underlying architecture and enable its mitigation.
    [Show full text]
  • Miscellaneous: Malware Cont'd & Start on Bitcoin
    Miscellaneous: Malware cont’d & start on Bitcoin CS 161: Computer Security Prof. Raluca Ada Popa April 19, 2018 Credit: some slides are adapted from previous offerings of this course Viruses vs. Worms VIRUS WORM Propagates By infecting Propagates automatically other programs By copying itself to target systems Usually inserted into A standalone program host code (not a standalone program) Another type of virus: Rootkits Rootkit is a ”stealthy” program designed to give access to a machine to an attacker while actively hiding its presence Q: How can it hide itself? n Create a hidden directory w /dev/.liB, /usr/src/.poop and similar w Often use invisiBle characters in directory name n Install hacked Binaries for system programs such as netstat, ps, ls, du, login Q: Why does it Become hard to detect attacker’s process? A: Can’t detect attacker’s processes, files or network connections By running standard UNIX commands! slide 3 Sony BMG copy protection rootkit scandal (2005) • Sony BMG puBlished CDs that apparently had copy protection (for DRM). • They essentially installed a rootkit which limited user’s access to the CD. • It hid processes that started with $sys$ so a user cannot disaBle them. A software engineer discovered the rootkit, it turned into a Big scandal Because it made computers more vulneraBle to malware Q: Why? A: Malware would choose names starting with $sys$ so it is hidden from antivirus programs Sony BMG pushed a patch … But that one introduced yet another vulneraBility So they recalled the CDs in the end Detecting Rootkit’s
    [Show full text]
  • Diapositiva 1
    Feliciano Intini Responsabile dei programmi di Sicurezza e Privacy di Microsoft Italia • NonSoloSecurity Blog: http://blogs.technet.com/feliciano_intini • Twitter: http://twitter.com/felicianointini 1. Introduction - Microsoft Security Intelligence Report (SIR) 2. Today‘s Threats - SIR v.8 New Findings – Italy view 3. Advancements in Software Protection and Development 4. What the Users and Industry Can Do The 8th volume of the Security Intelligence Report contains data and intelligence from the past several years, but focuses on the second half of 2009 (2H09) Full document covers Malicious Software & Potentially Unwanted Software Email, Spam & Phishing Threats Focus sections on: Malware and signed code Threat combinations Malicious Web sites Software Vulnerability Exploits Browser-based exploits Office document exploits Drive-by download attacks Security and privacy breaches Software Vulnerability Disclosures Microsoft Security Bulletins Exploitability Index Usage trends for Windows Update and Microsoft Update Microsoft Malware Protection Center (MMPC) Microsoft Security Response Center (MSRC) Microsoft Security Engineering Center (MSEC) Guidance, advice and strategies Detailed strategies, mitigations and countermeasures Fully revised and updated Guidance on protecting networks, systems and people Microsoft IT ‗real world‘ experience How Microsoft IT secures Microsoft Malware patterns around the world with deep-dive content on 26 countries and regions Data sources Malicious Software and Potentially Unwanted Software MSRT has a user base
    [Show full text]
  • An Introduction to Malware
    Downloaded from orbit.dtu.dk on: Sep 24, 2021 An Introduction to Malware Sharp, Robin Publication date: 2017 Document Version Publisher's PDF, also known as Version of record Link back to DTU Orbit Citation (APA): Sharp, R. (2017). An Introduction to Malware. General rights Copyright and moral rights for the publications made accessible in the public portal are retained by the authors and/or other copyright owners and it is a condition of accessing publications that users recognise and abide by the legal requirements associated with these rights. Users may download and print one copy of any publication from the public portal for the purpose of private study or research. You may not further distribute the material or use it for any profit-making activity or commercial gain You may freely distribute the URL identifying the publication in the public portal If you believe that this document breaches copyright please contact us providing details, and we will remove access to the work immediately and investigate your claim. An Introduction to Malware Robin Sharp DTU Compute Spring 2017 Abstract These notes, written for use in DTU course 02233 on Network Security, give a short introduction to the topic of malware. The most important types of malware are described, together with their basic principles of operation and dissemination, and defenses against malware are discussed. Contents 1 Some Definitions............................2 2 Classification of Malware........................2 3 Vira..................................3 4 Worms................................
    [Show full text]
  • Proposal of N-Gram Based Algorithm for Malware Classification
    SECURWARE 2011 : The Fifth International Conference on Emerging Security Information, Systems and Technologies Proposal of n-gram Based Algorithm for Malware Classification Abdurrahman Pektaş Mehmet Eriş Tankut Acarman The Scientific and Technological The Scientific and Technological Computer Engineering Dept. Research Council of Turkey Research Council of Turkey Galatasaray University National Research Institute of National Research Institute of Istanbul, Turkey Electronics and Cryptology Electronics and Cryptology e-mail:[email protected] Gebze, Turkey Gebze, Turkey e-mail:[email protected] e-mail:[email protected] Abstract— Obfuscation techniques degrade the n-gram malware used by the previous work. Similar methodologies features of binary form of the malware. In this study, have been used in source authorship, information retrieval methodology to classify malware instances by using n-gram and natural language processing [5], [6]. features of its disassembled code is presented. The presented The first known use of machine learning in malware statistical method uses the n-gram features of the malware to detection is presented by the work of Tesauro et al. in [7]. classify its instance with respect to their families. n-gram is a fixed size sliding window of byte array, where n is the size of This detection algorithm was successfully implemented in the window. The contribution of the presented method is IBM’s antivirus scanner. They used 3-grams as a feature set capability of using only one vector to represent malware and neural networks as a classification model. When the 3- subfamily which is called subfamily centroid. Using only one grams parameter is selected, the number of all n-gram vector for classification simply reduces the dimension of the n- features becomes 2563, which leads to some spacing gram space.
    [Show full text]
  • An Analysis of the Asprox Botnet
    An Analysis of the Asprox Botnet Ravishankar Borgaonkar Technical University of Berlin Email: [email protected] Abstract—The presence of large pools of compromised com- motives. Exploitable vulnerabilities may exist in the Internet puters, also known as botnets, or zombie armies, represents a infrastructure, in the clients and servers, in the people, and in very serious threat to Internet security. This paper describes the way money is controlled and transferred from the Internet the architecture of a contemporary advanced bot commonly known as Asprox. Asprox is a type of malware that combines into traditional cash. Many security firms and researchers are the two threat vectors of forming a botnet and of generating working on developing new methods to fight botnets and to SQL injection attacks. The main features of the Asprox botnet mitigate against threats from botnets [7], [8], [9]. are the use of centralized command and control structure, HTTP based communication, use of advanced double fast-flux service Unfortunately, there are still many questions that need to networks, use of SQL injection attacks for recruiting new bots be addressed to find effective ways of protecting against the and social engineering tricks to spread malware binaries. The threats from botnets. In order to fight against botnets in future, objective of this paper is to contribute to a deeper understanding of Asprox in particular and a better understanding of modern it is not enough to study the botnets of past. Botnets are botnet designs in general. This knowledge can be used to develop constantly evolving, and we need to understand the design more effective methods for detecting botnets, and stopping the and structure of the emerging advanced botnets.
    [Show full text]
  • Detecting Botnets Using File System Indicators
    Detecting botnets using file system indicators Master's thesis University of Twente Author: Committee members: Peter Wagenaar Prof. Dr. Pieter H. Hartel Dr. Damiano Bolzoni Frank Bernaards LLM (NHTCU) December 12, 2012 Abstract Botnets, large groups of networked zombie computers under centralised control, are recognised as one of the major threats on the internet. There is a lot of research towards ways of detecting botnets, in particular towards detecting Command and Control servers. Most of the research is focused on trying to detect the commands that these servers send to the bots over the network. For this research, we have looked at botnets from a botmaster's perspective. First, we characterise several botnet enhancing techniques using three aspects: resilience, stealth and churn. We see that these enhancements are usually employed in the network communications between the C&C and the bots. This leads us to our second contribution: we propose a new botnet detection method based on the way C&C's are present on the file system. We define a set of file system based indicators and use them to search for C&C's in images of hard disks. We investigate how the aspects resilience, stealth and churn apply to each of the indicators and discuss countermeasures botmasters could take to evade detection. We validate our method by applying it to a test dataset of 94 disk images, 16 of which contain C&C installations, and show that low false positive and false negative ratio's can be achieved. Approaching the botnet detection problem from this angle is novel, which provides a basis for further research.
    [Show full text]
  • Pax Technica
    pax technica YY6658.indb6658.indb i 22/2/15/2/15 11:15:1811:15:18 AAMM YY6658.indb6658.indb iiii 22/2/15/2/15 11:15:1811:15:18 AAMM philip n. howard pax technica how the internet of things may set us free or lock us up new haven & london YY6658.indb6658.indb iiiiii 22/2/15/2/15 11:15:1811:15:18 AAMM Published with assistance from the Mary Cady Tew Memorial Fund. Copyright © 2015 by Philip N. Howard. All rights reserved. This book may not be reproduced, in whole or in part, including illustrations, in any form (beyond that copying permitted by Sections 107 and 108 of the U.S. Copyright Law and except by reviewers for the public press), without written permission from the publishers. An online version of the work is made available under a Creative Commons license for use that is noncommercial and not derivative. The terms of the license are set forth at http://creativecommons.org/licenses/by-nc-nd/4.0/. For more information about a digital copy of the work, please see the author’s website: http://philhoward.org/. Yale University Press books may be purchased in quantity for educational, business, or promotional use. For information, please e-mail sales.press@yale .edu (U.S. offi ce) or [email protected] (U.K. offi ce). Set in Joanna type by Newgen North America, Austin, Texas. Printed in the United States of America. ISBN 978-0-300-19947-5 (cloth : alk. paper) Catalogue records for this book are available from the Library of Congress and the British Library.
    [Show full text]
  • The Trojan Wars: Building the Big Picture to Combat Efraud
    THE TROJAN WARS: BUILDING THE BIG PICTURE TO COMBAT EFRAUD MNEMONIC THREAT INTELLIGENCE UNIT White Paper TABLE OF CONTENTS INTRODUCTION ................................................................................3 THE INITIAL TORPIG CAMPAIGN ......................................................4 • Infection Cycles ..........................................................................................5 • Ice IX – Downloading Torpig and Pushdo ...................................................6 • Torpig Campaign C&C infrastructure ..........................................................9 • Ice IX Takedown Avoidance Technique .......................................................10 THE FOLLOW-ON P2P ZEUS CAMPAIGN ..........................................11 • Infection Cycles ...........................................................................................12 • Neurevt – Downloading P2P Zeus ..............................................................13 THE WAY FORWARD: CONCLUSIONS AND RECOMMENDATIONS ....14 ABOUT MNEMONIC ..........................................................................15 REFERENCES ...................................................................................16 THE TROJAN WARS - BUILDING THE BIG PICTURE TO COMBAT EFRAUD MNEMONIC AS INTRODUCTION Trojans are a very sophisticated type of malware and their use by cybercriminals to perform widespread eFraud is now well established. They are rarely operated in a standalone mode and the infrastructure used to spread and maintain Trojans is
    [Show full text]
  • Download Slides
    Scott Wu Point in time cleaning vs. RTP MSRT vs. Microsoft Security Essentials Threat events & impacts More on MSRT / Security Essentials MSRT Microsoft Windows Malicious Software Removal Tool Deployed to Windows Update, etc. monthly since 2005 On-demand scan on prevalent malware Microsoft Security Essentials Full AV RTP Inception in Oct 2009 RTP is the solution One-off cleaner has its role Quiikck response Workaround Baseline ecosystem cleaning Industrypy response & collaboration Threat Events Worms (some are bots) have longer lifespans Rogues move on quicker MarMar 2010 2010 Apr Apr 2010 2010 May May 2010 2010 Jun Jun 2010 2010 Jul Jul 2010 2010 Aug Aug 2010 2010 1,237,15 FrethogFrethog 979,427 979,427 Frethog Frethog 880,246880,246 Frethog Frethog465,351 TaterfTaterf 5 1,237,155Taterf Taterf 797,935797,935 TaterfTaterf 451,561451,561 TaterfTaterf 497,582 497,582 Taterf Taterf 393,729393,729 Taterf Taterf447,849 FrethogFrethog 535,627535,627 AlureonAlureon 493,150 493,150 AlureonAlureon 436,566 436,566 RimecudRimecud 371,646 371,646 Alureon Alureon 308,673308,673 Alureon Alureon 441,722 RimecudRimecud 341,778341,778 FrethogFrethog 473,996473,996 BubnixBubnix 348,120 348,120 HamweqHamweq 289,603 289,603 Rimecud Rimecud289,629 289,629 Rimecud Rimecud318,041 AlureonAlureon 292,810 292,810 BubnixBubnix 471,243 471,243 RimecudRimecud 287,942287,942 ConfickerConficker 286,091286, 091 Hamwe Hamweqq 250,286250, 286 Conficker Conficker220,475220, 475 ConfickerConficker 237237,348, 348 RimecudRimecud 280280,440, 440 VobfusVobfus 251251,335, 335
    [Show full text]
  • Zerohack Zer0pwn Youranonnews Yevgeniy Anikin Yes Men
    Zerohack Zer0Pwn YourAnonNews Yevgeniy Anikin Yes Men YamaTough Xtreme x-Leader xenu xen0nymous www.oem.com.mx www.nytimes.com/pages/world/asia/index.html www.informador.com.mx www.futuregov.asia www.cronica.com.mx www.asiapacificsecuritymagazine.com Worm Wolfy Withdrawal* WillyFoReal Wikileaks IRC 88.80.16.13/9999 IRC Channel WikiLeaks WiiSpellWhy whitekidney Wells Fargo weed WallRoad w0rmware Vulnerability Vladislav Khorokhorin Visa Inc. Virus Virgin Islands "Viewpointe Archive Services, LLC" Versability Verizon Venezuela Vegas Vatican City USB US Trust US Bankcorp Uruguay Uran0n unusedcrayon United Kingdom UnicormCr3w unfittoprint unelected.org UndisclosedAnon Ukraine UGNazi ua_musti_1905 U.S. Bankcorp TYLER Turkey trosec113 Trojan Horse Trojan Trivette TriCk Tribalzer0 Transnistria transaction Traitor traffic court Tradecraft Trade Secrets "Total System Services, Inc." Topiary Top Secret Tom Stracener TibitXimer Thumb Drive Thomson Reuters TheWikiBoat thepeoplescause the_infecti0n The Unknowns The UnderTaker The Syrian electronic army The Jokerhack Thailand ThaCosmo th3j35t3r testeux1 TEST Telecomix TehWongZ Teddy Bigglesworth TeaMp0isoN TeamHav0k Team Ghost Shell Team Digi7al tdl4 taxes TARP tango down Tampa Tammy Shapiro Taiwan Tabu T0x1c t0wN T.A.R.P. Syrian Electronic Army syndiv Symantec Corporation Switzerland Swingers Club SWIFT Sweden Swan SwaggSec Swagg Security "SunGard Data Systems, Inc." Stuxnet Stringer Streamroller Stole* Sterlok SteelAnne st0rm SQLi Spyware Spying Spydevilz Spy Camera Sposed Spook Spoofing Splendide
    [Show full text]