itsoknoproblembro, the VRT has you covered
When the large-scale DDoS attacks on American banks began a couple of weeks ago, the VRT started digging through all of our sources of information, looking to understand the precise tactics being used,...
Information Superiority
I presented yesterday at the 9th annual Hackers2Hackers conference in Sao Paulo on the subject of information superiority, a subject the VRT has long been fond of. My slides are here for those who'd...
Web Proxies, User-Agent Strings, and Malware Detection
One of the simpler ways to identify malware-infected machines communicating with their command and control servers is to watch for known malicious User-Agent strings in HTTP requests. For those not...
Quarian: Reversing the C&C Protocol
Win.Trojan.Quarian was reportedly first found in a leaked email from the Syrian Ministry of Foreign Affairs. It arrives on the victim's machine via a PDF document. The PDF contains an exploit for...
Triggering Miniflame's C&C Communication to Create a Pcap
There are times when a malware's payload doesn't trigger because of a condition or an environment that the malware requires in order for it to execute its payload. Such is the behavior of the miniflame...
EXPLOIT-KIT Java User-Agent downloading Portable Executable - Possible...
In our most recent rule pack, amongst the 39 new rules were two very important rules that may require a bit of analyst work when you see them alert. The two rules I am referring to are: * 1:25041...
Generic Exploit Kit Detection & The First Java 0-Day of 2013
This morning the first big Java 0-day exploit of 2013 was discovered, and it is already being used in exploit kits worldwide. Regular readers may remember these exploit kit rules from Joel Esler. The...
The Ruby on Rails vulnerability that made Metasploit release a patch
This post on the Ruby on Rails Security group January 8th contained a few phrases that cause alarm when used together: "inject arbitrary SQL", "inject and execute arbitrary code" and "perform a DoS...
How To Become an Infosec Expert, Part I
I recently put a post on my personal blog seeking applicants for a position with the VRT, working directly with me on public-facing issues (such as writing for this blog, talking to customers, etc.)....
Bulgarian Android SMSsend
Reported by Dancho Danchev. Visiting a compromised Bulgarian website on an Android phone causes a redirect and download (if you have the option "Allow installation of apps from unknown sources"...
The 0-day That Wasn't: Dissecting A Highly Obfuscated PDF Attack
This morning, I was made aware of an article in which someone had snagged a PDF from one of the exploit kits that cybercriminals are using to spread malware. The author of this article claimed that the...
More Targeted PDF 0-Day
Much like other vendors in the security space, the VRT spent yesterday scrambling to address the latest Adobe/PDF vulnerability. The attack - which works across multiple operating systems, bypasses...
25 years of vulnerabilities: 1988-2012
We at the VRT are always interested in vulnerabilities and information about vulnerabilities. To this end we recently dug into the NVD database and examined data for the last 25 years and used it to...
Life Cycle and Detection of an Exploit Kit
Exploit kits may not be as hot a topic as the recently released Mandiant Report, but they're still an important part of today's threat landscape. As the success of the Cool Exploit Kit lets its author...
25 years of vulnerabilities: 1988-2012, the report
We here at the VRT are all about backing up opinions with facts, and there are a lot of opinions about the nature of the vulnerability landscape out there. That in mind, we decided recently to study...
Changing the IMEI, Provider, Model, and Phone Number in the Android emulator
I was having a look at the Pincer family of Android malware and came across some code designed to hinder analysis. From the decompilation of com/security/cert/a/a/c.class: String str1 =...
Microsoft Update Tuesday: Update for IE8 0-day and More
Today is Update Tuesday and Microsoft is releasing updates for 33 CVEs across 10 bulletins. We'll be discussing some of the highlights here. One of the most important updates (MS13-038) that is being...
Java Web Start or as it should be called "Sure go ahead and run what you like"
Late last month, Immunity published a blog post concerning a new way to escape the Java security warnings using a novel and simple method, by using the convenient Java Web Start framework. The Immunity...
Microsoft Update Tuesday, June 2013: mostly about Internet Explorer
Another month brings us another Update Tuesday. This month is pretty light with respect to the updates that Microsoft is releasing. They're releasing a total of 5 bulletins, covering 23 CVEs. First and...
Microsoft Update Tuesday: July 2013: an issue of TrueType fonts
This month's Update Tuesday looks pretty interesting. As usual, there's quite a few CVEs covered and most of them are once again in IE: there's a total of 7 bulletins, covering 34 CVE issues. However,...