Androrat - Android Remote Access Tool
Androrat is an appropriately named remote access tool (or RAT) for Android. In case you're unfamiliar, RATs provide backdoor functionality to an operator, giving access to your system and...

Android Extra Field Vulnerability Spotted in the Wild
It has been 20 days since the Extra Field vulnerability (also known as Chinese Master Keys) was first reported (translated link) by the Android Security Squad. It has now been spotted in the wild. The...

Microsoft Update Tuesday August 2013: More font issues, some interesting DoSes
It's a pretty standard month for Update Tuesday this time around. There's a total of 8 bulletins, covering 23 CVE issues. This bulletin addresses the final 2 issues reported during CanSecWest's...

Bytecode - Covering the Android Vulnerabilities Master Key and Extra Field
This post will walk through our coverage for the Master Key and Extra Field vulnerabilities. Both vulnerabilities allow arbitrary files to be added to signed APKs without breaking the digital...
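Added illustration, not code from the VRT post or from Sourcefire: both bugs live in how a ZIP/APK container is parsed, so a minimal check reads the central directory itself rather than trusting a library's view of the archive. The script below flags the two conditions such coverage targets: the same file name listed twice in the central directory (the Master Key case, where a signature verifier and an installer can end up reading different copies of the same path), and a 16-bit extra-field length of 0x8000 or more, which a parser that stores the field in a signed short treats as negative and so mis-computes where file data begins (the Extra Field case). The sample archives are constructed inline and are not real APKs; the field offsets are the standard ZIP layout.

```python
import io
import struct
import warnings
import zipfile

LFH_SIG = 0x04034B50   # local file header
CDH_SIG = 0x02014B50   # central directory file header
EOCD_SIG = 0x06054B50  # end of central directory record


def central_directory_entries(data: bytes):
    """Walk the central directory by hand and yield
    (file name, central extra-field length, local header offset) per record."""
    eocd = data.rfind(struct.pack("<I", EOCD_SIG))
    if eocd < 0:
        raise ValueError("no end-of-central-directory record")
    _, _, _, _, total, _, cd_offset, _ = struct.unpack_from("<IHHHHIIH", data, eocd)
    pos = cd_offset
    for _ in range(total):
        (sig,) = struct.unpack_from("<I", data, pos)
        if sig != CDH_SIG:
            raise ValueError("central directory corrupt at 0x%x" % pos)
        # 42 fixed bytes follow the 4-byte signature (APPNOTE 4.3.12)
        fields = struct.unpack_from("<HHHHHHIIIHHHHHII", data, pos + 4)
        name_len, extra_len, comment_len, lh_off = fields[9], fields[10], fields[11], fields[15]
        name = data[pos + 46:pos + 46 + name_len].decode("utf-8", "replace")
        yield name, extra_len, lh_off
        pos += 46 + name_len + extra_len + comment_len


def local_extra_len(data: bytes, lh_off: int) -> int:
    """Extra-field length from the local file header a central entry points at."""
    (sig,) = struct.unpack_from("<I", data, lh_off)
    if sig != LFH_SIG:
        raise ValueError("local header corrupt at 0x%x" % lh_off)
    _name_len, extra_len = struct.unpack_from("<HH", data, lh_off + 26)
    return extra_len


def find_duplicate_names(data: bytes):
    """Master Key check: a path listed twice lets a verifier and an installer
    pick different copies of the same file."""
    seen, dups = set(), []
    for name, _, _ in central_directory_entries(data):
        if name in seen and name not in dups:
            dups.append(name)
        seen.add(name)
    return dups


def find_suspicious_extra_lengths(data: bytes):
    """Extra Field check: a length >= 0x8000 turns negative in a parser that
    keeps the 16-bit field in a signed short, shifting its data offsets."""
    hits = []
    for name, cd_extra, lh_off in central_directory_entries(data):
        for where, n in (("central", cd_extra), ("local", local_extra_len(data, lh_off))):
            if n >= 0x8000:
                hits.append((name, where, n))
    return hits


def build_sample_apk(duplicate=False, extra_field_trick=False) -> bytes:
    """Constructed test archive (not a real APK): optionally adds a second
    classes.dex and/or rewrites the first local header's extra length to 0xFFFD."""
    buf = io.BytesIO()
    with warnings.catch_warnings():
        warnings.simplefilter("ignore")  # zipfile warns on duplicate names but still writes them
        with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
            zf.writestr("AndroidManifest.xml", b"<manifest/>")
            zf.writestr("classes.dex", b"dex\n035\x00original")
            if duplicate:
                zf.writestr("classes.dex", b"dex\n035\x00injected")
    data = bytearray(buf.getvalue())
    if extra_field_trick:
        # the first local header starts at offset 0; its extra-field length is bytes 28..29
        struct.pack_into("<H", data, 28, 0xFFFD)
    return bytes(data)


if __name__ == "__main__":
    for label, apk in (("clean", build_sample_apk()),
                       ("master-key", build_sample_apk(duplicate=True)),
                       ("extra-field", build_sample_apk(extra_field_trick=True))):
        print(label, find_duplicate_names(apk), find_suspicious_extra_lengths(apk))
```

A hit from either check is a reason to reject the package before any signature verification is trusted, not proof that it was exploited; both checks are cheap enough to run on every APK seen on the wire.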
Inquiring Minds: Exploratory road trips, malware, and cool tools and services
While browsing interesting sandbox reports, we here in the VRT uncovered a sample that dropped three files. VirusTotal had no record of two of them, and the third was a DLL that was well covered. The...

Delivering an executable without an executable
The VRT looks at a massive number of exploit kits a day, but this one caught our eye, so we thought we'd share. While this technique isn't new, it is very interesting and further illustrates what we...

Android Basic Block Signatures
Writing ClamAV signatures is a bit of an art. When matching bytes in a file, you need to make a selection that most, if not all, of the malicious files will have, and hopefully no clean files will...

IE Zero Day CVE-2013-3897 -- You've been protected for more than a week.
A little over a week ago the VRT discovered a very interesting bit of JavaScript on a popular JS unpacker site. Several things immediately piqued our interest in this sample. First of all, we found...

Microsoft Update Tuesday October 2013: Another IE 0-day release
This month's Microsoft Update Tuesday brings us 8 bulletins for a total of 26 CVEs. Four of these bulletins are marked as critical, while the rest are marked as important. First, let's take a look at...

Sweet Orange Exploit Kit was the new king of the hill, until it went away.
Here in the VRT, we keep a pretty close eye on exploit kits, their trends, their pattern shifts, and how we can protect our customers against these exploit kits in the real world. Recent headlines from...

Exploit kits, they sure do like to change ports
Since the arrest of Paunch (the author of the Blackhole and Cool exploit kits, whom I talked about in my last post), exploit kits are competing to be number one. So I come with a status...

Microsoft Update Tuesday November 2013: Hyper-V vulnerability and fix for 0-day
We have a relatively light Update Tuesday this month: 8 bulletins covering 19 CVEs, 3 of which are marked critical. The most interesting vulnerability this month is actually among the non-critical ones: a...

I'm calling this Goon Exploit Kit, for now
We started seeing this exploit kit in our systems on November 21st. It has some similarities to Redkit and the Dotcache exploit kit. 192.168.0.58 1044 173.237.187.203 80 GET 173.237.187.203...

A quick tutorial on ClamAV detection: Win.Adware.Bprotector
Bprotector is a fairly popular yet unexceptional family of adware. The thing that distinguishes it from other families is its prevalence. A specific sample, first seen in October 2013, has consistently...

When an exploit kit is VERY simple
Ran across this "exploit kit" today. I'm holding up my hands with air quotes: not really sure if it is an exploit kit, as so far it is just a landing page with applet redirection to a jar file. The...

Microsoft Update Tuesday: December 2013, some 0-day fixes
Microsoft’s final update for the year brings us 11 bulletins covering 24 CVE issues. As is customary, there is the critical IE bulletin, MS13-097. This time it covers 7 CVE issues. As in other months,...

Microsoft Update Tuesday: January 2014, fix for the XP/2003 0-day vulnerability
The first Microsoft Update Tuesday of 2014 is here and it’s a very light month this time around. We’ve got 4 bulletins covering 6 CVEs. What’s remarkable is that there’s no Internet Explorer bulletin...

Fiesta Exploit Kit is no party
Recently, when our Cisco TRAC team contacted us about some work we had done on the Fiesta Exploit Kit for an article they were writing, we were happy to work with them. As discussed in the...

Our coverage for the Recent Point of Sale Compromises
On December 19th, 2013, Target Corp announced that it fell victim to a very sophisticated cyber-attack that took place around the Thanksgiving holiday. This led to the theft of information pertaining...

VRT-2013-1003 (CVE-2013-6486): Pidgin uses clickable links to untrusted...
Sourcefire Vulnerability Report VRT-2013-1003: Pidgin uses clickable links to untrusted executables. Description: An exploitable remote code execution vulnerability exists in Pidgin's implementation of...