Channel: Talos Blog
Browsing all 353 articles

Banking Trojan Spread Via UPS Phish Uses 0xDEADBEEF Beacon

In addition to collecting phishing emails directly, the VRT often receives malicious email and associated binaries through the ClamAV submission page. Today's post is about a sample that was attached...

CVE-2012-1723: New Java Attack Added to Blackhole

Word began to emerge last week of the addition of a new vulnerability to the Blackhole Exploit Kit. The bug in question - CVE-2012-1723 - is a complex Java issue, which thankfully has patches available...

It's not the Dalai Lama's birthday, oh and you got owned

A number of recent targeted attack campaigns have centered around the Dalai Lama, including purported plans for his birthday and calls to action for democracy in Tibet. These attacks use several...

The Power of Open Source Intelligence

Last week, an email came into the main VRT email account, entitled "New Malicious Javascript." The note inside was from Mr. Brett C., a Sourcefire customer who'd stumbled across an interesting chunk of...

fast_pattern is fast

A fairly new reconnaissance tool called Skipfish was brought to our attention earlier this week. I wanted to take a few minutes and demonstrate a case where multiple rules using fast_pattern can be...

Don't Panic

Probably the very last thing I think about when I settle down to a nice cup of tea and an electronic book is that my Kindle is being owned. Here I am, enjoying the satiric humor of Douglas Adams and...

Phishing Games

It's no surprise that, as the 2012 London Olympic games approach, cybercriminals are using the event as bait for a variety of scams. Sure, there are plenty of 419 scams revolving around the games - but...

ClamAV vs. Content IQ Test, part 4

This is the fourth in a series of five blog posts about the Content IQ Test. Please see ClamAV vs. Content IQ Test, part 1, ClamAV vs. Content IQ Test, part 2 and ClamAV vs. Content IQ Test, part 3. How...

Stupid CSS Tricks

As has been well-demonstrated by the Blackhole Exploit Kit's "Loading, Please Wait..." page, people browsing the web are most likely to allow a malicious page to complete whatever action it is...

Gauss & FinFisher: The latest targeted malware everyone cares about.

This week has been a busy one for high-profile malware. A pair of new types of malware - Gauss and FinFisher - have people around the world worried, and media churning out concerned articles as fast as...

CVE-2012-1535: Flash 0-day In The Wild

Yesterday Adobe released APSB12-18, which addressed CVE-2012-1535. As noted in the Adobe bulletin, the vulnerability has been actively exploited in the wild, though primarily in targeted attacks...

New Threat: DistTrack

Sourcefire is aware of at least one ongoing incident in the energy vertical involving a threat named "DistTrack". This is a new, destructive threat that has not previously been seen in the wild. At...

SMSZombie: A New Twist on C&C

One of the most virulent pieces of Android malware to date was recently discovered by TrustGo Labs. Dubbed SMSZombie, this malicious application has infected some 500,000 users throughout China, after...

CVE-2012-4681: bypassing built-in java security

A new Java 0-day is running rampant around the internet this week. With a code paste Sunday night and a Metasploit module coming in early yesterday morning, along with myriad research and blog posts,...

Matryoshka packets

I have heard many people talk about ICMP and UDP tunnels but very rarely observed them in the wild. We recently had the opportunity to examine a sample that uses this technique for C&C. It...
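
The summary above only names the technique (a C&C channel carried inside ICMP or UDP), so the following is an added illustration, written for this listing and not code from the VRT post or from the sample it describes. It builds a constructed ICMP echo request whose payload is itself a complete IPv4/UDP datagram, then parses the layers back out and flags the nesting; the addresses, ports and beacon string are made up for the example, and the heuristic for "this payload is an inner IPv4 header" is version nibble, length sanity and a verified header checksum.

```python
import struct
from ipaddress import IPv4Address

IPPROTO_ICMP = 1
IPPROTO_UDP = 17


def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum over 16-bit words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4(src: str, dst: str, proto: int, payload: bytes, ttl: int = 64) -> bytes:
    """Minimal IPv4 datagram (no options) with a correct header checksum."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0x1234, 0,
                      ttl, proto, 0, IPv4Address(src).packed, IPv4Address(dst).packed)
    hdr = hdr[:10] + struct.pack("!H", inet_checksum(hdr)) + hdr[12:]
    return hdr + payload


def icmp_echo(ident: int, seq: int, payload: bytes) -> bytes:
    """ICMP echo request (type 8) carrying an arbitrary payload."""
    hdr = struct.pack("!BBHHH", 8, 0, 0, ident, seq)
    csum = inet_checksum(hdr + payload)
    return struct.pack("!BBHHH", 8, 0, csum, ident, seq) + payload


def udp(sport: int, dport: int, payload: bytes) -> bytes:
    """UDP header; checksum 0 means 'not computed', which IPv4 permits."""
    return struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload


def looks_like_ipv4(buf: bytes) -> bool:
    """Header sanity checks plus checksum verification, so random padding rarely passes."""
    if len(buf) < 20 or buf[0] >> 4 != 4:
        return False
    ihl = (buf[0] & 0x0F) * 4
    total_len = struct.unpack("!H", buf[2:4])[0]
    if ihl < 20 or ihl > len(buf) or total_len < ihl or total_len > len(buf):
        return False
    return inet_checksum(buf[:ihl]) == 0  # a header with a valid checksum sums to zero


def parse_layers(buf: bytes, depth: int = 0, max_depth: int = 4) -> list:
    """Walk IPv4 -> ICMP/UDP -> (nested IPv4 ...) and return one tuple per layer."""
    layers = []
    if depth > max_depth or not looks_like_ipv4(buf):
        return layers
    ihl = (buf[0] & 0x0F) * 4
    total_len = struct.unpack("!H", buf[2:4])[0]
    proto = buf[9]
    layers.append(("ipv4", str(IPv4Address(buf[12:16])), str(IPv4Address(buf[16:20])), proto))
    payload = buf[ihl:total_len]
    if proto == IPPROTO_ICMP and len(payload) >= 8:
        typ, code, _, ident, seq = struct.unpack("!BBHHH", payload[:8])
        layers.append(("icmp", typ, code, ident, seq))
        inner = payload[8:]
    elif proto == IPPROTO_UDP and len(payload) >= 8:
        sport, dport, ulen, _ = struct.unpack("!HHHH", payload[:8])
        layers.append(("udp", sport, dport))
        inner = payload[8:min(ulen, len(payload))]
    else:
        return layers
    layers.extend(parse_layers(inner, depth + 1, max_depth))
    return layers


def is_tunnel(buf: bytes) -> bool:
    """True when an ICMP or UDP payload itself carries a well-formed IPv4 datagram."""
    return sum(1 for layer in parse_layers(buf) if layer[0] == "ipv4") > 1


# Constructed samples (not captured traffic): a ping with the usual ascending-byte
# padding, and an echo request whose payload is a complete IPv4/UDP datagram to a
# name-server port, i.e. the nested, Matryoshka case.
BENIGN_PING = ipv4("10.0.0.5", "198.51.100.7", IPPROTO_ICMP,
                   icmp_echo(0x0001, 1, bytes(range(0x08, 0x40))))
INNER_UDP = ipv4("10.0.0.5", "192.0.2.9", IPPROTO_UDP, udp(40000, 53, b"beacon:host=ws12"))
TUNNELED = ipv4("10.0.0.5", "198.51.100.7", IPPROTO_ICMP, icmp_echo(0x0001, 2, INNER_UDP))

if __name__ == "__main__":
    for name, pkt in (("benign ping", BENIGN_PING), ("tunneled", TUNNELED)):
        print(name, is_tunnel(pkt), parse_layers(pkt))
```

The checksum test is what keeps this usable on real traffic: ping padding, random file data and encrypted payloads will occasionally start with a 0x45 byte, but they will not also carry a header whose 16-bit words sum to 0xFFFF. Run over a pcap, the same walk also surfaces UDP-in-UDP and deeper stacks up to `max_depth`.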

Anomaly Detection Rules & The Success of Open-Source Rule Testing: Don't Do...

Last November, the VRT established an open-source rule testing group, composed of a number of Snort users from around the planet in industries as diverse as defense contracting and education. To date,...

The Best Defense is a Good Defense

As things stand, Snort is at version 2.9.3.1 and is constantly being developed to integrate new and more powerful features and detection. The VRT fairly regularly receives inquiries from folks on how...

Dorifel (aka Quervar, XDocCrypt)

Dorifel (aka Quervar, XDocCrypt) is a worm that is allegedly related to the Citadel trojan. Although it's been found worldwide, the Netherlands have been particularly affected by this piece of malware...

Using negative distance to create detection windows

A common method for delivering malicious pages to clients is with the use of hidden iframes. Before I get started I want to say that I have seen hidden iframes used legitimately and the rule discussed...
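
The post itself is only summarized above, so what follows is an added example for this listing, not the rule from the VRT post. It emulates in Python the Snort idea the title refers to: anchor on a content match, step the detection cursor backwards with a negative `distance`, and require a second pattern `within` the resulting window. Here the anchor is a "this element is hidden" marker and the pattern searched for in the preceding bytes is `<iframe`, so an iframe is only flagged when the hiding attribute sits close to it; the marker list, the 300-byte window and the HTML samples are constructed for the example, and the clamp-to-zero when the cursor would run past the start of the buffer is this emulation's choice rather than a statement about Snort's own handling.

```python
import re


def snort_style_window(buf: bytes, anchor: bytes, needle: bytes, distance: int, within: int):
    """Emulate:  content:anchor; content:needle; distance:D; within:W;
    For each anchor hit the cursor starts at the end of the hit, moves by D
    (negative = backwards) and needle must fit entirely in the next W bytes.
    Returns (anchor_offset, needle_offset) or None."""
    start = 0
    while (a := buf.find(anchor, start)) != -1:
        cursor = a + len(anchor) + distance
        if cursor < 0:
            cursor = 0  # assumption for this emulation only; see lead-in
        n = buf[cursor:cursor + within].find(needle)
        if n != -1:
            return a, cursor + n
        start = a + 1
    return None


# Markers that make an element invisible; constructed list, not the post's.
HIDDEN_MARKERS = [b"visibility:hidden", b"display:none",
                  b"width=0", b"height=0", b'width="0"', b'height="0"',
                  b"width:0", b"height:0"]


def normalize(html) -> bytes:
    """Lower-case and drop whitespace around '=' and ':' so trivial spacing
    tricks (style="visibility : hidden") still hit the markers."""
    buf = html.encode() if isinstance(html, str) else html
    return re.sub(rb"\s*([=:])\s*", rb"\1", buf.lower())


def find_hidden_iframe(html, lookback: int = 300):
    """Return the '<iframe ... marker' window that fired, or None.
    Looking backwards from the marker keeps a hidden <div> in a stylesheet at the
    top of the page from pairing with a legitimate iframe further down."""
    buf = normalize(html)
    for marker in HIDDEN_MARKERS:
        hit = snort_style_window(buf, marker, b"<iframe", -lookback, lookback)
        if hit:
            a, n = hit
            return buf[n:a + len(marker)].decode(errors="replace")
    return None


# Constructed samples. The first mimics the drive-by pattern (an invisible
# iframe next to a "please wait" page); the second hides a menu via CSS and
# embeds a normal, visible iframe several hundred bytes later.
MALICIOUS_HTML = (b"<html><body><p>Loading, Please Wait...</p>\n"
                  b'<iframe src="http://198.51.100.23/in.php" width=0 height=0 '
                  b'style="visibility : hidden"></iframe>\n</body></html>')
LEGIT_HTML = (b"<html><head><style>.menu{display:none}</style></head><body>"
              + b"<p>lorem ipsum </p>" * 40
              + b'<iframe src="https://example.com/widget" width=600 height=400>'
              b"</iframe></body></html>")

if __name__ == "__main__":
    print("malicious:", find_hidden_iframe(MALICIOUS_HTML))
    print("legit:", find_hidden_iframe(LEGIT_HTML))
```

The window size is the tuning knob: too small and an iframe whose hiding style lives in a nearby `<style>` block is missed, too large and the rule fires on pages that legitimately hide elements near an embedded frame, which is the caveat the post's author raises about legitimate hidden iframes.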

Internet Explorer use-after-free 0-Day vulnerability

A new vulnerability has been discovered that affects Internet Explorer 6, 7, 8 and 9 on Windows XP, Vista, 7, Windows Server 2003 and 2008. It is still unpatched at the time of this blog post. Late...
