News Archives

The news items below previously appeared on the Team Cymru home page, but we feel they are still relevant and interesting to our readers, so they are archived here for your reading pleasure.

To receive e-mail announcements of Team Cymru news, you can subscribe to our announcements mailing list. Simply send an e-mail to from the address you wish to subscribe from, and you'll always be up-to-date on the latest and greatest Team Cymru news!

Team Cymru awarded 2011 SURFcert Security Award

Team Cymru's Ian Cook accepts the 2011 SURFcert Security Award [10 FEB 2011] Team Cymru was pleased today to accept this year's SURFcert Security Award. Our own Ian Cook was presented with the award at the SURFcert security conference in Holland. The award was presented by last year's winner, Ot van Daalen from the Dutch digital rights organization "Bits of Freedom".

The SURFcert Security Award is intended for a person, initiative, organization, solution, or implementation that makes a substantial contribution to the overall level of security for SURFnet users. SURFnet is one of the premier European providers, serving Dutch academic and research organizations since the late 80s.

The SURFnet press release states that "[f]or more than a decade now, Team Cymru has done sterling work to improve the overall level of Internet security. Team Cymru's non-profit status and the concrete way in which it provides operational support for CERTs all over the world has made it an important partner for non-commercial organizations such as SURFcert and its constituency."

For more information, see Team Cymru's press release about the award.

IANA IPv4 Free Pool Exhausted

[03 FEB 2011] As of this morning, the IANA IPv4 free pool, the reserve of unicast IPv4 netblocks held for allocation to Regional Internet Registries (RIRs), is 100% exhausted. When two /8s were allocated to APNIC earlier this week, the automatic allocation of the final five /8s was triggered, one to each RIR. Our Bogon Reference project has been updated to reflect the current state of IPv4 allocations from the IANA pool. Each RIR continues to hold considerable IPv4 space, and they are expected to continue allocating to ISPs under normal policies for the next few months, depending upon demand at each registry.

Training Practice Launched

[25 NOV 2010] Today at the AfriNIC 13 conference in Johannesburg, South Africa, Team Cymru formally launched a new initiative to provide training to help combat malicious activity on the Internet, focused initially on Africa, the Middle East, South America, and Asia. In most situations, the training can be offered at cost levels that will fit with local budgets. Fifteen courses are offered to law enforcement and those responsible for network management and security, with classes already planned in early 2011 for Cambodia, Sri Lanka, Hong Kong, Papua New Guinea, Israel, and France. More information can be found in the press release.

WinMHR Beta 1 Released

[01 NOV 2010] Today Team Cymru is proud to announce the first widely-published beta of WinMHR, a tool intended to augment your existing anti-virus protection by allowing you to scan against Team Cymru's unique and extensive set of malware hashes. WinMHR is offered at no cost for both commercial and non-commercial use. Many of you have been using this tool already, and the latest beta we're launching today has significant speed and reliability improvements. Note that this is a beta release, and all feedback is encouraged. While we do consider this release to be stable, as always, use is subject to the included license terms and at your own risk.

TC Console Launched

[23 OCT 2010] Today at MENOG 7 in Istanbul Team Cymru launched a revolutionary new tool called TC Console. Imagine a tool designed to show what's happening on your network in near real time, with a crucial new innovation: it integrates Team Cymru's unique insight into malicious activity on the Internet. There really is no more complete and valuable source of critical information to help you protect your network and your users. See the TC Console page for more details!

Read the press release

New UE Brief: Malware Infections Market

[27 SEP 2010] Today sees the release of another whitepaper from our Business Intelligence team, detailing an analysis of one of the primary revenue drivers in the Underground Economy: the installation of malware on infected machines.

You can read the full whitepaper and see an interview with one of the authors as part of this week's episode of the Who and Why Show.

Major Web Presence Refresh

[01 SEP 2010] Team Cymru is pleased to announce a major revamp of its web presence today, with the launch of the Team Cymru Commercial Services site at as well as a reworking of some content on to match, and simpler navigation to the Dragon Research Group site, detailing our volunteer activities. This new "three headed" approach is intended to more seamlessly link these three aspects of Team Cymru - community services, commercial services, and volunteer activities - in order to provide a more complete view of our diverse offerings and insights.

We hope this new site will help all interested parties get a better understanding of Team Cymru's offerings, insight, and capabilities.

New UE Brief: Gaming & the Underground Economy

[09 AUG 2010] The Team Cymru Business Intelligence Team is pleased to announce the release of the latest Underground Economy Brief, entitled "Gaming & the Underground Economy". This edition details the criminal aspects of online gaming, where miscreants are increasingly seeking to monetize virtual goods and currencies, as well as stolen accounts.

As always, you can read the full whitepaper, and see an interview with one of the authors are part of this week's episode of the Who and Why Show.

Team Cymru Opens IPv6 Tunnel PoP

[29 JUL 2010] Team Cymru is proud to join the Six Access project ("SixXS"), becoming the 6th US PoP in one of the largest IPv6 tunnel broker services available. For more information on the SixXS project and how you can get a free IPv6 tunnel, check out the main SixXS web site and the Team Cymru PoP page. We look forward to seeing you on the IPv6 Internet!

UE Brief: Criminal Commodities

[28 JUN 2010] Team Cymru's Business Intelligence Team has published their latest Underground Economy Brief, "Criminal Commodities in the Underground Economy". This paper gives a short overview of current practices and trends, primarily in the area of credit card fraud, in a brief and non-technical style. You can read the full paper and see the accompanying short YouTube video as part of this week's episode of the Who and Why Show.

New Paper: The PPI Model in the Underground Economy

[17 MAY 2010] The Team Cymru Business Intelligence Team is proud to announce the release of the second in a series of "Underground Economy Briefs". This edition details the "Pay-Per-Install" market, where botherders have traditionally sought money by allowing others to install software on their infected networks. We look at the business model and examine some of the tensions and trends we've seen there recently.

You can read the full whitepaper and see an interview with one of the authors as part of this week's episode of the Who and Why Show.

New Paper: Fake ID in the Underground Economy

[26 APR 2010] Our Business Intelligence Team has just published the first in a series of "Underground Economy Briefs". This first one details changes in the counterfeit identification document trade in the Underground Economy entitled "The Future of Passports and Money Movement in the Underground Economy." Its a fascinating and unique analysis of how the market for this material continues to evolve in conjunction with new and emerging e-payment systems.

You can read it here and additionally see our latest Who and Why Show episode where we interview one of the authors here.

New Bogon Insight: Fullbogon Feed

[09 APR 2010] Team Cymru today launches a significant addition to one of our most popular and important community services: The "fullbogon feed" is more granular than the traditional bogon feeds, including a wider variety of non-routable prefixes as well as unallocated prefixes. The fullbogon feed also provides IPv6 bogon prefixes in addition to the traditional IPv4 prefixes.

It is offered at no cost to the community and the original feed is not going anywhere so you can stick with it if you wish.

See an overview in the 46th episode of Team Cymru's 'The Who and Why Show', as well as a more general overview of the bogon project in episode 12. Check out the Bogon Reference pages for full details on this and all of our bogon insight!

New Paper on DDoS Basics

[22 MAR 2010] Team Cymru has just published a briefing paper and accompanying videos on DDoS attacks. The paper explains the assorted motivations behind attacks, types of attacks and related countermeasures in very basic terms. You can find the paper here in our Whitepapers Reading Room.

We are also currently halfway through a series of 4 movies which detail the same information with short animations. You can watch the movies on our YouTube Channel.

New Analysis of Infected Systems in African Nations

[16 MAR 2010] Team Cymru's latest whitepaper analyzes and discusses the distribution of infected computer systems within African countries in recent months. Two time-lapse movies are also available in connection with this paper:

Team Cymru Launches RSS Screensaver

[26 OCT 2009] Team Cymru has released a free RSS screensaver designed to give everyone key information regarding cyber crime activity. It runs on Mac OS X and displays two separate news feeds of important IT Security stories as well as a rotating globe showing a map of currently infected computers. This map is automatically updated from our global insight every day.

For a short video showing the screensaver in action as well as detailed instructions for installation and setup, please see Team Cymru's YouTube channel. For more information and download and installation instructions, please see the RSS Feed Screensaver page and the press release.

New Tool to Help Police Investigators

[16 NOV 2009] Team Cymru's Botnet Analysis and Tactical Tool for Law Enforcement (BATTLE) has been providing police from 31 different countries with information on botnet command and control servers within their jurisdictions for over a year. Team Cymru is proud to announce today that it has been massively expanded to include phishing sites and malware download locations, making it the largest free repository of data for law enforcement of its kind.

To see the tool in action, visit the BATTLE services page and the Team Cymru YouTube Channel. Police officers can e-mail for details of the application process to get a BATTLE account. You may also view the press release for more details.

Team Cymru Renews Partnership with Microsoft for Malware Intelligence

[15 SEP 2009] Team Cymru is pleased to announce the renewal of our agreement with Microsoft to deliver malware and phishing intelligence that will continue to enhance Internet Explorer's ability to protect its customers from online threats.

Team Cymru's contribution to Microsoft's Internet Explorer automates the way users are protected by regularly updating a highly vetted list of locations confirmed to be distributing malware and phishing of various types.

"We have worked hard to become recognized in the area of top quality, near real time malware analysis and intelligence," said Jeff Vosburg, Chief Operating Officer at Team Cymru. "We are pleased that Microsoft understands the threat and has chosen to renew their sponsorship in order to protect their customers' online experience."

Further details can be found in the full press release.

Team Cymru Launches "Million Resolvers Project"

[20 JUL 2009] Team Cymru has launched the "Million Resolvers Project" to reduce the number of DNS Servers that can be used in DNS Amplification attacks.

Simply email us at if you'd like us to send you a list of your publicly accessible DNS servers that are capable of participating in one of these attacks. This information, coupled with the reference links below will hopefully help alert you to any potential open resolvers in your network, and provide some tips on how to fix them.

See the latest "Who and Why Show" which explains the problem at Read the new white paper on this topic at Read more details of the project at

Team Cymru Research Secures Tax Exempt Status

[29 JUN 2009] Team Cymru is immensely proud to announce that Team Cymru Research NFP has today been formally designated a US Federal 501(c)3 non-profit organization.

Team Cymru's CEO, Rob Thomas stated "This is both a testament to, and an acknowledgment of, the long term contribution that our organization continues to make to the community and the Internet worldwide. The tax implications for our partners are significant, this new status will enable donations to go further and the good work we do together to impact more folks in meaningful ways."

Partners from around the world have been contributing with donations of time, money, bandwidth, data and equipment. They have been working in true partnership to help us focus on what is important.

Our wide global perspective, coupled with this new tax exempt status, makes Team Cymru the only place to come to for the insight our partners need to protect what matters to them.

WebMHR provides HTTP interface to Malware Hash Registry

[15 JUN 2009] Since its launch, the Malware Hash Registry has become very popular amoung security researchers and others interested in checking the hashes of binaries running on their systems. Today we are pleased to announce WebMHR, a web-based interface to the Malware Hash Registry. WebMHR provides the same MHR data you're used to seeing, now queryable via your web browser! See more details and demonstration in Episode 3 of "The Who and Why Show" on YouTube.

Team Cymru launches "The Who and Why Show" on YouTube

[01 JUN 2009] Team Cymru is pleased to announce the debut of "The Who and Why Show", a short weekly video show on YouTube. Each week we'll be posting a new episode where we will speak with subject-matter experts on various aspects of the Underground Economy. If there is any topic that you'd like to see us cover, please feel free to suggest it by e-mailing us at

How much is your identity worth? Team Cymru featured in this month's New Scientist

[20 MAY 2009] Team Cymru has been working with Jim Giles of New Scientist Magazine on an article involving the IRC channels and HTTP message boards used by criminals to trade compromised credit cards and other account details. His piece, "How much is your identity worth?", explains what he discovered with our help in a well-rounded and non-technical way. You can also pick up issue 2709 of the print magazine (23 May 2009).

Internet Malicious Activity World Map

Internet Malicious Activity World Map

[23 MAR 2009] We are pleased to add a new visualization to our stable of offerings, the Internet Malicious Activity World Map. This map highlights areas across the globe where we have seen malicious activity taking place, based on our wide range of data sources. In addition to the static map, a small version of which is shown above, we provide an animated movie showing the activity over the past 30 days. Both the static images and the movie are updated every day, so you'll always have the latest information at your fingertips. For more details, and to download the latest movie, check out the Internet Malicious Activity Maps page.

Tweet Tweet! Team Cymru is on Twitter!

[16 MAR 2009] You can now follow Team Cymru on Twitter for short daily updates of relevance to us and the wider Internet security community. We will mainly be tweeting news items of interest with brief commentary, announcements of new Team Cymru services and insights, and interesting trends noticable in our monitoring efforts. If you're not already on Twitter, you can create a free account, or simply follow our RSS feed with your RSS reader of choice!

In the current edition of the Cymru Quarterly...

[10 MAR 2009] "... Increasingly physical world crime and online crime have come together, enabling each other and at times dependent on each other. Skimmers are a continued criminal enterprise, pulling credit card details from ATM machines and stores worldwide. Those credentials are often recovered through a wireless link, and then sold in forums and chat rooms online. The physical world crime feeds the virtual world crime, and the talents of the hackers are used to build better skimmers and enable quicker access to those stolen credentials. It's not all keystroke loggers and other malware."

Team Cymru Announcement Mailing List

[26 FEB 2009] To make it easier for you to keep up with all of the invaluable tools and services that we're working on, we are pleased to make available an announcements e-mail list, where we will detail our new projects, tools, and insight as they are released. This will be the first place that anything new from Team Cymru will be detailed. You can join this mailing list at no cost by simply sending an e-mail to from the address you'd like subscribed to the list. E-mail addresses will not be used for any purpose other than sending announcements, and will never be sold or disclosed to any third parties, and you may unsubscribe from the mailing list at any time - instructions will be provided in the subscription confirmation you will receive.

Team Cymru Makes a Middle East Push

[18 FEB 2009] In February 2009 Team Cymru made a big splash at Meftec 2009, the fifth edition of the annual banking and financial technology event in Bahrain. You can read more in these articles:

BIN Feed Launches

[08 DEC 2008] Team Cymru is pleased to announce a new service for global financial institutions. The BIN (Bank Identification Number) Feed provides vetted global financial institutions with no-cost access to a near-real-time list of potentially compromised bank and credit card accounts that appear to be their customers, via a secure web portal. To read more about this feed and for information on how financial institutions can sign up, check out the BIN Feed page.

Team Cymru Partners with Sunbelt Software

[18 NOV 2008] Clearwater, FL -- November 18, 2008 Sunbelt Software, a leading provider of Windows security and management software, today announced a new partnership with Team Cymru, an Internet security research firm, to deliver information and network security tools to aid cyber security professionals in the ongoing arms race against malware authors.

Team Cymru's malware analysis and aggregation capability now incorporates analyses powered by Sunbelts CWSandbox, the leading automated malware behavior analysis tool on the market, and Threat Track, Sunbelts malware data feeds.

Download the full press release for more details.

Team Cymru on BBC Radio

[10 NOV 2008] On Sunday November 9th 2008, Steve Santorelli from Team Cymru's outreach team took part in a BBC Radio program on "Cyber Terrorism", with a particular focus on botnets in the context of the recent cyber attacks on Georgia and Estonia. You can listen to an archive of the program and read our supporting write-up for more information.

Malware Hash Registry

[27 OCT 2008] Team Cymru is proud to announce our latest public service, the Malware Hash Registry. This service allows anyone to query for the MD5 or SHA-1 hash of a file to see if our malware analysis system has classified that file as malware, when it was first seen, and an approximate anti-virus detection rate. For more information, check out the Malware Hash Registry page!


[23 OCT 2008] Team Cymru is proud to announce a new portal that we are launching to assist Law Enforcement Officers (LEOs) worldwide. The Botnet Analysis and Tactical Tool for Law Enforcement (BATTLE) displays IRC and HTTP botnet data on an interactive world map in near real time. For more information and details of how LEOs can apply for access to this tool, check out the BATTLE page.


[09 OCT 2008] The latest visualization of our Internet security research data, our IRC C&C Map shows the locations of Internet Relay Chat (IRC) Command and Control (C&C) servers on a world map, updated frequently with the latest data from our sophisticated monitoring systems. This map really brings home that online crime is a truly global problem - check it out!

Team Cymru has some interesting friends!

Stealth B6 GT Small

[17 MAY 2008] Terry Pudwell, Executive Chairman of compliance, configuration assurance and log management software vendor Assuria Ltd also happens to be an experienced racing driver, and Team Cymru were delighted to find their logo appearing on the side of Terry's 200mph Stealth B6 GT race car at a recent race at the fabulous Mugello Race Circuit in Italy. Trouble is, you couldn't easily see the logo at those kinds of speeds, so maybe we'll try to get him to put a bigger one on next time!

Malicious Activity Movies

[06 MAY 2008] As part of our Internet security research, we often run across interesting patterns and transitions. We have captured several of them and made them available as malicious activity movies, showing geographic movement and changes over time in several areas of interest. Check them out!