Underworld works on several security projects in order to help protect the internet and its users. The projects have a special focus on the Norwegian internet space but also provide specific knowledge and resources on certain threats.
All the work is non-profit and is done in cooperation with other security groups and professionals, with the help of sponsor companies.
These are some of the projects Underworld currently works on:
Underworld runs a malware collector that visits websites and attempts to download any malware from them. Today’s number one way of infection is through “drive-by malware” spread on legitimate websites. The website could either be hacked, or someone could have bought advertising that spreads malware.
Underworld runs a malware database which focuses on performing automatic analysis of certain types of malware in order to find out what they do. Our goal is not to explore the code of the Trojan itself, as other research does, but to map and correlate the payload of the Trojan.
Underworld uses its worldwide IRC services to report infected clients attempting to connect to those public networks. With the help of the networks themselves, Underworld collects thousands of compromised machines a day and reports them to security vendors, internet providers, hosting providers and national computer emergency response teams.
In order to track compromises and known malware, Underworld collects passive DNS data from providers willing to contribute. Using passive DNS, the security community is able to track known infections and see how malware command & control spreads across locations.