Monday, December 17, 2012

Now at IOActive

For those that haven't seen the exchanges on Twitter or LinkedIn, I'm no longer with Damballa...

The last 3.5 years with Damballa were a wild ride. My first 3 years with the company saw much innovation and cutting-edge technology making its way to the market, but as things slowed down and the business doubled down on the features that make a product more "channel friendly", it was becoming less interesting to me. Don't get me wrong though, the research coming from Damballa Labs still can't be beat, and I hope it makes it into the product sometime soon.

So, with that all said, I wanted to get back into consulting. I love the constant flux of new problems, logistics and cutting-edge technology.

Last week I joined IOActive, Inc., as their CTO.

As some of you may be aware, I've been working with the company for a number of years - including being a member of their Advisory Board. As their CTO my initial focus will be on helping to develop the long-term service strategy - bringing new boutique and cutting-edge services to market to address the latest onslaught of technology threats and preempt many upcoming security problems for large and sophisticated organizations.

IOActive is a fantastic company. It's at the forefront of advanced security consultancy and has been growing at an amazing rate.

So, with all that said, you can now find me at IOActive, and I'd be pleased to offer you my new business card. I'm sure IOActive will be able to help! :-)

Monday, August 29, 2011

Predicting Crime Hotspots

There’s a new sheriff in town and he’s riding the horse of “predictive policing”. Back in July the Santa Cruz Police Department began deploying police officers to places where crime is likely to occur in the future – making use of new predictive modeling programs that are designed to provide daily forecasts of crime hotspots – thereby allowing the Department to preempt more serious crimes before they occurred. You can find a story describing how Santa Cruz is sending in the police before there’s a crime in The New York Times.

In essence, this is another physical-world application of machine learning and clustering technologies – applied to preempting a criminal problem. In the cyber-world we’ve been applying these techniques for a number of years with great success. In fact many of the most important advances in dealing with cybercrime revolve around the replacement of legacy IP reputation systems and domain filtering technologies with dynamic reputation systems – systems easily capable of scaling with both the threat and an ever-expanding Internet (e.g. IPv6).

Just last week Manos Antonakakis (a principal scientist at Damballa Labs) presented at the USENIX Security 2011 conference in San Francisco about a new generation of technology capable of identifying domain names being used for malicious purposes weeks, if not months, in advance of malware samples being intercepted, analyzed and “protected” against by legacy anti-virus approaches.

The patent-pending technology utilizes passive DNS observations within the upper DNS hierarchy, and the paper describing the first generation of research (and cybercrime proof-points) can be found in the paper “Detecting Malware Domains at the Upper DNS Hierarchy”. The system running here within Damballa Labs is affectionately known as “Kopis” and has proved its worth time and again preemptively identifying new botnets and cybercrime campaigns – keeping our Threat Analyst team busy with enumerating the real-world criminals behind the domain abuse.

The Kopis system extends many of the principles and research we learnt and formulated when developing the Notos technology – a next generation dynamic reputation system for DNS.

In several ways the Santa Cruz Police Department’s modeling system approximates an early generation of such a dynamic reputation system – utilizing a mix of long term observations and historical information, combined with real-time crime updates, the output of which is a forecast capable of predicting hotspots for daily crime.

Damballa Labs utilizes Notos and its derivative output evolutions in a number of ways. For example, we’re able to take any observed DNS record (e.g. domain name and resolved IP address) and provide a real-time score of its reputation – even if this is the first time anyone on the Internet has ever tried to resolve that particular domain name. In practice this means that we can predict (with a scale of confidence) that connecting to a device utilizing that particular domain name (or IP) is malicious (or good) and the nature of the threat it represents – all done through passive means, and without having to have observed the maliciousness directly associated with the device anytime in the past.

Systems like Notos make use of big data (i.e. colossal volumes of historical and streaming data) gathered from a global array of sensors. The mix of historical observations and real-time data feeds means that prediction models can be dynamic enough to keep pace with truly agile threats (and threat operators) – and can yield new approaches in unveiling advanced and sophisticated threats. For example, a possible query could be “provide me a list of domain names that are pointing to residential DSL IP addresses within Villainstan, that have never been looked up by any hosts within the country of Villainstan, that have only been looked up by hosts located within Fortune-100 companies in the USA, and that the number of Fortune-100 companies doing so is less than 5 over the last 12 months.” The result of the query would be a (long) list of domain names that are very high contenders for APT victims, which then drives specialist counter-intelligence analysts and law enforcement to uncover the nature of the threat.
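The four-part query described above, written out as a filter over passive-DNS observations. This is an added example and not Damballa's Notos or Kopis code: the observations, the organisation names, the country code "VS" standing in for Villainstan, and the enrichment fields (ip_kind, src_org, src_f100_us) are all constructed here, and in practice those fields would have to come from upstream geolocation and organisation-tagging feeds, which the example simply assumes exist.

```python
from collections import defaultdict
from datetime import date, timedelta

# One constructed passive-DNS observation: which network asked for which
# name, on what day, and what the name resolved to. The enrichment fields
# (ip_country, ip_kind, src_country, src_org, src_f100_us) are assumed to be
# attached by upstream geolocation / organisation tagging; none of this is
# real data.
def obs(ts, domain, ip, ip_country, ip_kind, src_country, src_org, src_f100_us):
    return dict(ts=ts, domain=domain, ip=ip, ip_country=ip_country, ip_kind=ip_kind,
                src_country=src_country, src_org=src_org, src_f100_us=src_f100_us)

TODAY = date(2011, 8, 29)  # reference date for the 12-month window (constructed)

OBSERVATIONS = [
    # Candidate: residential "VS" address, looked up only by two US Fortune-100 networks.
    obs(date(2011, 8, 1),  "update-svc.example.net", "192.0.2.17", "VS", "residential_dsl", "US", "AcmeCorp",  True),
    obs(date(2011, 8, 20), "update-svc.example.net", "192.0.2.17", "VS", "residential_dsl", "US", "GlobexInc", True),
    obs(date(2011, 8, 25), "update-svc.example.net", "192.0.2.17", "VS", "residential_dsl", "US", "AcmeCorp",  True),
    # Hosted in a data centre, not residential DSL space: ordinary infrastructure.
    obs(date(2011, 8, 10), "cdn.example.com", "198.51.100.5", "US", "hosting", "US", "AcmeCorp", True),
    # Residential VS address, but hosts inside VS resolve it too: looks like a home server.
    obs(date(2011, 7, 2),  "news.example.org", "192.0.2.40", "VS", "residential_dsl", "VS", None,       False),
    obs(date(2011, 7, 3),  "news.example.org", "192.0.2.40", "VS", "residential_dsl", "US", "AcmeCorp", True),
    # Looked up by five Fortune-100 networks: too widespread for a narrowly targeted lure.
    *[obs(date(2011, 6, d), "popular.example.net", "192.0.2.77", "VS", "residential_dsl", "US", org, True)
      for d, org in enumerate(["AcmeCorp", "GlobexInc", "InitechLtd", "UmbrellaCo", "HooliInc"], start=1)],
    # The only lookup is older than the 12-month window.
    obs(date(2010, 5, 1),  "old.example.net", "192.0.2.90", "VS", "residential_dsl", "US", "InitechLtd", True),
    # Also resolved by a non-Fortune-100 US network: fails the "only Fortune-100" test.
    obs(date(2011, 8, 5),  "mixed.example.net", "192.0.2.120", "VS", "residential_dsl", "US", "GlobexInc",   True),
    obs(date(2011, 8, 6),  "mixed.example.net", "192.0.2.120", "VS", "residential_dsl", "US", "SmallBizLLC", False),
]


def suspect_victim_domains(observations, target_country, today, window_days=365, max_companies=5):
    """Return [(domain, [companies])] for names matching all four conditions of the query."""
    by_domain = defaultdict(list)
    for o in observations:
        by_domain[o["domain"]].append(o)
    window_start = today - timedelta(days=window_days)

    hits = []
    for domain, records in sorted(by_domain.items()):
        # 1. The most recent resolution points into residential DSL space in the target country.
        latest = max(records, key=lambda o: o["ts"])
        if not (latest["ip_country"] == target_country and latest["ip_kind"] == "residential_dsl"):
            continue
        # 2. Never looked up by any host inside the target country (whole observed history).
        if any(o["src_country"] == target_country for o in records):
            continue
        # 3. Every lookup came from a US Fortune-100 network.
        if not all(o["src_country"] == "US" and o["src_f100_us"] for o in records):
            continue
        # 4. Fewer than max_companies distinct such companies within the window (and at least one).
        companies = {o["src_org"] for o in records if o["ts"] >= window_start}
        if not 0 < len(companies) < max_companies:
            continue
        hits.append((domain, sorted(companies)))
    return hits


if __name__ == "__main__":
    for domain, companies in suspect_victim_domains(OBSERVATIONS, "VS", TODAY):
        print(f"{domain}: resolved only from {', '.join(companies)}")
```

Each rejected domain in the constructed set fails exactly one of the four conditions, so changing a single field (or the max_companies threshold) moves it in or out of the result list; the real system differs in scale rather than in the shape of the filter.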

In the meantime I’ll be watching with keen interest the successes of the Santa Cruz Police Department and their new modeling programs. Here at Damballa we’ve had phenomenal success in using machine learning and advanced clustering techniques in unveiling and forecasting new threats.

Saturday, August 6, 2011

Not Endgames Again

With the Blackhat and Defcon conferences back to back, the melting pot that is Vegas has served its purpose in bringing together so many of the world's leading security researchers, consultants, and opinions. It’s been a tough slog through long days and longer nights, but it’s been so worth it.

While many of the presentations this time round may not have been worthy of previous years' conferences, the true value of the event really lies in the hallway discussions and logistical movements between the vendor parties – trading invites for favors, and negotiations over beers pre- and post-party. I know that many folks would agree with me when I say that more business deals are secured and contacts negotiated at the Galleria bar of Caesars Palace than all the other event locations combined.

This year there was a lot of discussion in the Galleria Bar relating to exploit development (a big change from the past decade's worth of vulnerability disclosure debate) – mostly due to the media attention garnered by the HB Gary Federal and Endgame Systems (Endgames) disclosures/revelations over recent months.

Each evening I’d inevitably get pulled into (new) discussions as folks I hardly know (or had only just been introduced to) tried to pump me for insider information about Endgames – somehow assuming I’m involved with that company. Let’s be clear – I have nothing to do with the Endgames business! It’s important that people understand that. The fact that both Endgames and Damballa (where I work) are in the same building in Atlanta is a reflection of shared Georgia Tech heritage and talent recruitment - not to mention $$$ per-square-foot office space rental costs – and is not a conspiracy seeking new enlightenment. And no, I don’t work (and never have worked) for Endgames.

By way of preempting the next recycled batch of grilling from security nuts, weirdos and conspiracy theorists, here are some facts…

  1. Back in 2005 I was enticed to leave NGS Software and London, and assume the role of Director of X-Force in Atlanta after Chris Rouland (the former Director of X-Force – and current CEO of Endgames) took on the role of CTO at Internet Security Systems, after Christopher Klaus (an ISS founder) vacated that particular position. As it happened, I took over responsibility for X-Force just after the Blackhat/Defcon events of 2005 – immediately after Mike Lynn and Ciscogate (so that wasn’t anything to do with me). So, yes, Chris and I have both held the same titles at ISS and No, Ciscogate was not my fault.
  2. While I was the Director of X-Force, the X-Force group (which consisted of R&D, threat research, detection/protection engineering teams and signature development teams, etc.) reported up through the VP of Engineering. The professional services teams (some of which were/are commonly tagged as “X-Force”) were regionally focused and organized, and so tended to report up through the regional sales organizations (i.e. not my responsibility). This is an important distinction, because ISS wasn’t unfamiliar with some of the professional services that would eventually transfer with the people that kicked off Endgames. So, No, I was not responsible for things labeled as “X-Force” within the professional services division in the US, and Yes, the professional services group(s) did have access at the time to all the latest vulnerabilities and 0-days uncovered by the X-Force R&D teams.
  3. When IBM acquired ISS in October 2006, there were a lot of changes. ISS became IBM ISS and an “Office of the CTO” was established. Given integration challenges and the hope that a center of excellence could be created within IBM to bring together all the great security research done throughout IBM globally – and the hope that the derivative technologies would make it into products within IBM ISS – the responsibilities for X-Force were to be divided and I took on the role of Chief Security Strategist – reporting in to the new “Office of the CTO” – working with Chris Rouland and another founder of Endgames. So, Yes, Chris and I (and several of the eventual founders of EndGames) worked together for a couple of years in the same “office” for IBM ISS.
  4. Some of the (PSS) services ISS had previously provided were not well suited to a company such as IBM and needed to be shut down or were left to passively wilt while contract renewals wouldn’t be pursued. Several of these services (derivatives and extensions) are directly related to how Endgames came to exist – after the ISS professionals familiar with their delivery, and with a belief in their commercial viability, struck out from IBM ISS to create Endgames and satisfy those customer needs. I was never part of that side of the IBM ISS business. For one thing, I’m a foreigner and didn’t have the appropriate security clearances to get involved. For another, I find some aspects of that particular business model unsavory. So, No, I never had a hand in that side of ISS/IBM ISS’ business.
  5. You can’t swing a stick in Atlanta without hitting an ex-ISSer. The number of security professionals that have passed through ISS over the last decade-and-a-half and gone on to establish and populate new security startups in Atlanta is amazing. This is why you’ll find so many ex-ISSers working at both Endgames and Damballa – and dozens of other security companies in the area! So, Yes, we all know and respect each other and tend to get on well. Endgames is in the same building one floor below Damballa, and there are several bars within spitting distance of our respective offices.
  6. In the early days of Damballa (which is a startup that sprung out of Georgia Tech), Chris Rouland was on the company's Technical Advisory Board. Damballa for its first few years of existence was focused on tracking botnets, enumerating the bot infected victims, and providing that insight as commercial intelligence feeds. Shortly after my joining Damballa in 2009, Damballa stopped providing commercial threat intelligence feeds and focused on appliance-based threat detection solutions. Chris Rouland elected to leave the Damballa Technical Advisory Board shortly before Endgames launched their IPTrust brand/service. So, Yes, in the past there was a relationship between Damballa and Chris Rouland (after all, he created the original X-Force and has been a thought leader in the security community for quite some time) – just not what some people have assumed.
There’s probably a whole bunch of additional questions that folks were battering me with this week in Vegas related to Endgames (and HB Gary Federal by proxy) that I couldn’t be bothered answering then, and I’m not going to bother answering now.

There is no commercial relationship between Endgames and Damballa. Damballa and Endgames are separate commercial entities – doing completely different things in totally different ways, with different objectives, customers and employees. The histories of several folks working at both companies are entwined with the history of ISS and IBM ISS – but that’s it.

And so on to the last conspiracy theory questions: No, I know of no cases of ISS selling vulnerabilities to any foreign entities. And, Yes, I’m still an opponent of middle-men financial models relating to the buying and selling of 0-day vulnerabilities.

Monday, October 25, 2010

Where are those botnet CnC's at?

If you're building or managing a botnet of more than a few thousand victim machines, where and how you host your command and control (CnC) servers is damned important.
Where were the bad guys hosting their CnC servers for the first half of the year? Damballa has just released a blog covering the top-10 worst offender service providers as well as a breakdown by country. Guess who's at the top of the lists...

Botnet Hosting (H1 2010) Blog

Sunday, May 9, 2010

Paste Bin & Card Dumps

Trawling around for stolen credentials and identity information - in the form of criminal cast-offs and sales samples - can be an interesting endeavor if you're looking to understand the current state of credential laundering. One growing source of such information is the various paste bin repositories (of which there are dozens of popular sites).

Earlier this week I discussed the topic over on Damballa's blog site in the entry titled: A Treasury of Dumps. The blog provides a few samples of what's available and how the criminals are using them to augment their search for potential sellers.

Tuesday, May 4, 2010

Botnet Operations: Running a Campaign

"One bullet, one kill" - isn't that some kind of sniper saying from the movies? If you're a professional botnet operator you're not going to want to lose control of your favorite botnet just because some damned whitehat managed to take down a single command and control (CnC) server.

With that in mind, you're also probably not going to want to build your botnet in a way that its growth is reliant upon a single infection vector or content distribution vehicle. The solution nowadays lies with the strategy of running multiple campaigns against your targets.

Just as political contenders running for office unleash a barrage of sophisticated and targeted campaigns to draw in supporters, professional botnet builders similarly unleash their own barrage of targeted campaigns - looking to sucker their victims en masse.

To understand botnet building campaigns a little better, I've thrown up a blog on the topic over at the Damballa site - Botnet Building Campaigns.

Saturday, December 19, 2009

The Botnet Helpdesk

So, you're planning on building your own botnet and despite all the how-to videos on YouTube you're still having problems building your botnet malware agent and getting your command & control to work like the videos said it would. What do you do? Well, if you purchased your DIY botnet creation kit from one of several "commercial" botnet providers, you'd contact their help-desk.

I kid you not. Several crimeware service providers go beyond 24x7 IRC and email support - now offering full online help-desks; complete with ticketing systems for tracking your "incident" and live virtual advisers.

For a full analysis of one of these botnet service providers - check out my latest blog entry over on the Damballa site - The Botnet Distribution and Helpdesk Services.

Thursday, December 17, 2009

Anti-antivirus Testing Services


If you're a professional botnet operator, the malware agents you use are critical. To guarantee successful operation of the botnet agent and avoid detection on the victims computer, it needs to be tested. Today there is a growing service industry focused on providing anti-antivirus detection and malware QA to cybercriminals.

I've been playing around with anti-antivirus testing services and posted a new blog entry covering Virtest.com over on the Damballa site - Malware QA and Exploit Testing Services.

Wednesday, November 25, 2009

Enterprise Botnets - Targeted or What?

What's the difference between these massive botnets gobbling up sizable chunks of the Internet and those found inside the enterprise? Quite a bit actually.

Over the last couple of months I’ve been talking at a number of conferences and speaking with customers about the kinds of botnets we observe within enterprise networks as opposed to what's generally seen propagating the Internet at large. As you’d expect, there are a number of differences – partly because of the types of bad actors targeting businesses, and partly because enterprise perimeter security is considerably more advanced than that found at the end of the average DSL Internet connection.

From a cross-network visibility perspective, the types of botnets regularly encountered operating within enterprises in 2009 can best be divided (and described) as follows:

Internet Targeted – or “broad-spectrum” attack for want of a better description – account for approximately half of all botnets regularly encountered inside enterprise networks. These botnets aren’t targeted at any particular network – just at the average Internet user – but they typically manage to infiltrate enterprise networks due to lax security policies and as bleed-over from the other networks (and devices) employees may connect to. I discussed some of this in the earlier blog – Botnet bleed-over in to the enterprise – in which botnets designed to steal online gaming authentication credentials often appear within the enterprise. Just about all of these broad-spectrum botnets can self-propagate using an assortment of built-in worming capabilities. Fortunately, just about every one of these botnets are easily detected with standard host-based antivirus products.

What this means in practice however is that hosts “not quite” adhering to the corporate security policy, or which are a little behind in applying the latest patches (including not running the very latest signatures for their antivirus package), are the first to fall victim – and no organization I’ve observed in the last 20 years has ever managed to implement their security uniformly throughout the entire enterprise.

I foresee that these “broad-spectrum” botnets will continue to appear within enterprises and be a nuisance to enterprise security teams. That said though, just because they aren’t targeted and fixes are available, it doesn’t mean that there’s no threat. If a particular botnet agent doesn’t yield value to its original botnet master (e.g. a botnet focused on obtaining passwords for social networking sites), it is quickly passed on to other operators that can make money from it – repurposing the compromised host and installing new malware agents that will yield value to the new owner.

Enterprise Targeted botnets are botnets that are hardly ever found circulating the Internet, and are designed to both penetrate and propagate within enterprise networks alone. Around 35% of botnets encountered within enterprise networks are this type. They are typically based upon sophisticated multi-purpose Remote Access Trojans (RAT); often blended with worming functions capable of using exploits against standard network services (services that are typically blocked by perimeter firewall technologies). Perhaps the most visible identifier of a botnet targeted at enterprises is the native support for network proxies – i.e. they’re proxy-aware – and capable of leveraging the user's credentials for navigating command and control (CnC) out of the network.

In general, these “targeted” botnets aren’t targeted at a specific organization, but at a particular industry (e.g. online retail companies) or category of personnel within the organization (e.g. the CFO). The botnet agents tend to be more advanced (on average) than most botnet malware encountered within enterprise networks – offering greater flexibility for the botnet masters to navigate the network and compromise key assets, and to be able to extract any valuable information they manage to obtain.

Deep Knowledge botnets are a completely different beast. Accounting for 10% of the botnets encountered within typical enterprise networks, these botnets tend to rely upon off-the-shelf malware components (more often than not, being built from commercial DIY malware creator kits). Depending upon the investment made by the botnet master, the features of the botnet agent can be very sophisticated or run-of-the-mill. What makes them so dangerous though is that the creator (who is often the botnet master) has a high degree of knowledge about the infiltrated enterprise – and already knows where to find all the valuable information. In some cases specific people or systems are targeted as beachheads into the organization, while in others key organization-specific credentials are used to navigate the network.

Where this “deep knowledge” comes from can vary considerably. Each botnet within this category tends to be unique. I’ve come to associate these botnets with past or present employees (rather than industrial espionage) – as it’s not uncommon to be able to associate the CnC server of the botnet to a DSL or cable Internet IP address in the same city as the office or building that has been breached. In some cases I wouldn’t be surprised if the installation of these botnet agents were conducted by hand as a means of (semi)legitimate remote administration (think back to the problem in the mid-1990’s when people were installing modems into their work computers so they could access them remotely). The problem though is that most of these commercial DIY malware construction kits have been backdoored by their creators (or “partners” in their distribution channel) – which means that any corporate assets infected with the botnet agent will find themselves under the control of multiple remote users.

“Other” represents the catch-all for the remaining 5% of botnets encountered within enterprise networks. These botnets (and the malware they rely upon) vary considerably in both sophistication and functionality, and don’t fit neatly into any of the previous three categories. They include the small botnets targeted at an organization for competitive advantage, through to what can only be guessed at as being state-sponsored tools targeting specific industries and technologies.

It’ll be interesting to see how the distribution of these four categories of botnets changes in 2010. I suspect that the proportions will remain roughly the same – with the “other” category decreasing over time, and being largely absorbed into the “Enterprise Targeted” category rather than “Deep Knowledge”.

==> Reposted from http://blog.damballa.com/

Monday, July 13, 2009

Senior Research Analyst Role(s) Now Available

Just a quick note to say that I've got a couple of open security jobs going for Senior Research Analysts over at Damballa. I'm looking for a couple of folks that like living on the cutting-edge of security.

You can submit your resume on the company portal HERE if you're interested in getting elbow-deep with botnets.

Below is the job description...

Job Specification: "Senior Research Analyst"
Internet security is evolving at an increasingly rapid pace. As the thrust and parry of attack vectors and defensive tactics force technologies to advance, the biggest security threat now facing enterprise organizations lies with botnets. The Damballa Research team spearheads global threat research and botnet detection innovation.

Damballa’s dedicated research team is responsible for botnet threat analysis and detection innovation. From our Internet observation portals, and using the latest investigative technologies to intercept and capture samples, the research team studies the techniques employed by criminal botnet operators to command and control their zombie hordes – mapping their spread and evolution – and developing new technologies to both detect and thwart the threat.

As a Senior Research Analyst you would be part of the team responsible for providing the threat knowledge that powers the core technologies of Damballa’s products – working on advanced pattern detection algorithms, massive data collection and analysis solutions, prototyping new detection systems, and advancing large-scale applications that deliver actionable threat intelligence.

The rapid evolution of the threat means that, as a Senior Research Analyst, you will also need to be able to deep-dive into the botnet master's lair – turning over the rocks they hide under and visiting the online portals they do their business in – and be capable of analyzing the evidence of their passing. A key to being successful in this role is the ability to provide internal departments with comprehensive intelligence on malicious software (malware) behavior as it pertains to Botnets and other targeted threats – and to be able to communicate the threat in a clear and concise manner.

Collaborating with the marketing and engineering teams, the Senior Research Analyst will typically need to design and construct analysis tools that automate the extraction of botnet intelligence and make it available to the company’s other technologies and its knowledgebase as well as responding to ad-hoc requests for malware analysis driven by business and client needs to determine characteristics, functionality, and/or recommend countermeasures.

The position may entail interaction with the media following the successful outcome of directed research or response activities.

Responsibilities:
  • Independent threat analysis and data mining of new botnet instances
  • Research into new methods for detecting and reporting botnet activities
  • Dissection of new botnet samples and the automation of sample processing
  • Investigation of new botnet command and control tactics and subsequent enumeration of botnet operators
  • Focused analysis of botnet outbreaks within enterprise and ISP networks
  • Contribution to research and commercial papers describing the evolving botnet threat
Skills & Experience:
  • Experience as a security engineer, threat intelligence analyst, or similar senior technical role
  • Extensive knowledge of tracing and debugging Windows processes in the context of malware reverse engineering
  • Proficiency with C/C++ programming and x86 assembly/disassembly
  • Deep understanding of network flow data analysis, deep packet inspection and network behaviors of malicious software
  • Comprehensive knowledge of anti-debugging and anti-instrumentation techniques
  • Familiarity with packing and anti-reverse engineering techniques, including data obfuscations that employ primitive or basic cryptography
  • Ability to troll underground Internet forums and criminal sites/portals for new botnet intelligence
Requirements:
  • BS or MS in Computer Science or equivalent industry experience
  • Good understanding of TCP/IP networking and security
  • Proficient in multiple compiled and scripting languages (Perl, Python, Ruby, Java, C, etc.)
  • Proficient with Unix (Linux preferred) development and production environment
  • Proficient query design in relational databases (Postgres/pgsql preferred)
  • Excellent formal communication and presentation skills
  • Ability to read and translate multiple international languages a bonus
-------
Note: The roles are ideally based in Atlanta. If you're having trouble with the online form (or need to check to see if your resume arrived safely), you can always try to drop me an email at my work address of 'gollmann-at-damballa-dot-com' - but don't bother to do so if you're an agent or representing someone else (those emails will go straight to the deleted items).

Thursday, June 25, 2009

New Bot-powered Pharmaceutical Scam Network

The other day we staggered across a strange botnet. It was only small as far as IP addresses were concerned, but gigantic as far as domains under management (greater than 25,000 currently in use). The cost of registering that number of domains is a significant investment by the botnet operators - at $20 each to register, you're looking at $500k in setup costs alone.

But the strangeness doesn't end there. The botnet is being used for pharmaceutical scams (i.e. Canada Drugs), but the DNS lookup process is messed up. Somehow the botnet operators have figured out how to manipulate the .com root servers into doing some weirdness - and having them act as the authoritative resolvers for the 3LDs.

I'm not sure how this situation arose, but the criminals behind this are making good use of the flaw/exploit/manipulation. What they now effectively have is a system that prevents the good-guys from shutting down the resolution of where their scam Web sites are. Not good.

I'm still looking into how this arose and what the real (longer-term) ramifications of this are. But it's new to me and definitely in the strange/weird department.

I've posted a full blog about this botnet over on the Damballa site - Strange Bot-powered Scam Network. Take a look at what's going on.

Friday, April 3, 2009

"Unnamed", unloved, "invisible" and unprotected...

So, what's an "unnamed" threat, and how well are you protected against it?

Given the industry reliance upon reactive signature systems, an "unnamed" threat is something you genuinely need to be scared of.

Then there's those "invisible" threats too. How about them?

Dealing with those pesky "unnamed" threats is covered within the Damballa blog I wrote this afternoon.

Tuesday, March 31, 2009

Conficker and GhostNet Hype

Have you seen all this hype about Conficker and GhostNet recently? Surely there are more important threats out there rather than what this media frenzy would have you believe. How many times can security vendors claim "the sky is falling" before their customers get tired of the FUD?

I've been examining the details of both incidents/outbreaks, and it's got me chuckling while watching how many professionals are chasing their tails.

A word to the wise, if a threat gets a unique name and makes it to the prime-time news then it's too late - the odds are that it's no longer a threat to be worried about. The good guys have already countered it (as far as enterprises are concerned anyway).

I've just blogged about the intricacies of the malware naming business and the (mitigated) threat that is Conficker and GhostNet over on the Damballa Blog site.

Read my first appearance on the blog and the brand-spanking-new post "Who really will be the fool on April Fool's day?"

Monday, March 30, 2009

Bye bye IBM. Hello Damballa!

Many readers will have heard that I handed in my notice to IBM a few weeks back, and actually (finally) departed the company mid-last week. This week I begin my new role at Damballa as VP of Research.

By way of history, having worked for several NZ and UK-based companies previously, I rejoined ISS back in 2005 as Director of X-Force and relocated to Atlanta - just in time to pick up the reins following Cisco-gate (funny true story - I was actually a backup speaker at Blackhat that year and if Mike Lynn hadn't got on stage I would probably have been giving a replacement talk - even though at the time I was working at NGS Software (so wasn't involved in ripping pages out of the conference books) - can't remember what topic I had submitted though). Then, in October 2006 IBM came along and gobbled up ISS, and I decided to shift into a more strategic role - Chief Security Strategist.

I largely enjoyed my time with IBM, and got to work on many interesting (and HUGE) projects. However, as with any big company, I found myself moving further and further away from the coalface of security. And, for anyone that's known me for some time, they'll know that I'm deeply interested in the technical aspects of security evolution and cybercrime - which isn't something that IBM is typically associated with.

So, with that in mind, I decided to join Damballa (conveniently located in Atlanta - the Silicon Valley for security companies) and focus on the most important security threat affecting enterprises today - botnets and organized crimeware. If you're at least partially familiar with the threat, then you've probably already seen or heard about some of the leading research Damballa are doing in this area. Given all that, it was a no brainer for me to join Damballa and work to kick things up a notch or two in stopping the bad guys.

I obviously won't be posting to ISS' Frequency-X blog, but you'll be able to tune in to my botnet analysis and threat evolution opinions on Damballa's blog. For other security topics not specifically associated with Damballa and crimeware, I'll continue to post here in my personal security blog - and post new whitepapers over at my main Web site Technical Info.

If you're really interested in what I'm doing, the press announcement can be found here.

I'm really looking forward to diving deeper into the rapidly evolving botnet threat and, just as importantly, having a little more elbow room when discussing/publishing what's going on with the threat (without an entourage of PR bodyguards).