VRT-2013-1004 (CVE-2013-6490): Buffer overflow in SIMPLE header parsing
Sourcefire Vulnerability Report VRT-2013-1004 (CVE-2013-6490): Buffer overflow in SIMPLE header parsing. Description: An exploitable remote code execution vulnerability exists in Pidgin's implementation of...

VRT-2013-1002 (CVE-2013-6489): Buffer overflow in MXit emoticon parsing
Sourcefire Vulnerability Report VRT-2013-1002 (CVE-2013-6489): Buffer overflow in MXit emoticon parsing. Description: An exploitable remote code execution vulnerability exists in Pidgin's implementation of...

VRT-2013-1001 (CVE-2013-6487): Buffer overflow in Gadu-Gadu HTTP parsing
Sourcefire Vulnerability Report VRT-2013-1001 (CVE-2013-6487): Buffer overflow in Gadu-Gadu HTTP parsing. Description: An exploitable remote code execution vulnerability exists in Pidgin's implementation...

Four vulnerabilities in Pidgin
The VRT is announcing the discovery and patching of 4 CVE vulnerabilities in Pidgin. These vulnerabilities were discovered by the VRT VULNDEV team and reported to the Pidgin team. The VRT also created...

Microsoft Update Tuesday: February 2014, huge fix for Internet Explorer
The Microsoft Updates are pretty significant this month. Internet Explorer, which was missing from the updates last month for the first time in a long time, is back with a whopping 24 vulnerabilities....

Decoding Domain Generation Algorithms (DGAs) - Part I
Part 1 - Unpacking the binary to properly view it in IDA Pro. Recently, I came across an executable (MD5: 3D5060066056369B3449606F3E87F777) that was expected to be malicious in nature, but its network...

Decoding Domain Generation Algorithms (DGAs) Part II - Catching ZeusBot...
Last week, I talked about unpacking this binary for static analysis. This week, I am going to talk about catching its injected entry point inside explorer.exe. This makes it easier to dynamically...

Microsoft Update Tuesday: March 2014, all about IE (including two 0-day fixes)
It's Microsoft Update Tuesday. While this month is relatively minor, a total of 5 bulletins, it is pretty large for the requisite Internet Explorer bulletin. There's a total of 23 CVEs covered by the...

Osx.Trojan.Leverage, a Breakdown Using Dtrace
This article provides a brief introduction to canned DTrace scripts for the purposes of analyzing the malware sample Osx.Trojan.Leverage. For this sample, I only needed to use a few of the canned...

Using the Immunity Debugger API to Automate Analysis
While analyzing malware samples I came across many simple but annoying problems that should be solved through automation. This post will cover how to automate a solution to a common problem that comes...

Dynamically Unpacking Malware With Pin
A common approach that malware takes to hide itself is packing. Traditionally, packing was a means to compress your executable, then unpack and execute it at run time. Packing can also be used as an...

CVE-2014-1761, Oh did you mean CVE-2012-2539?
When the VRT first received word of a new Microsoft Word 0-day I anxiously awaited details and the ever important hash of the in-the-wild exploit to be able to research it and provide coverage through...

Microsoft Update Tuesday: April 2014, two final XP and Office 2003 fixes
It's the last Microsoft Update Tuesday before the end-of-life of both Windows XP and Office 2003, and Microsoft is patching two vulnerabilities that also impact XP and two that also impact Office 2003...

Heartbleed Memory Disclosure - Upgrade OpenSSL Now!
Heartbleed is a serious vulnerability in OpenSSL 1.0.1 through 1.0.1f. If you have not upgraded to OpenSSL 1.0.1g or installed a version of OpenSSL with -DOPENSSL_NO_HEARTBEATS it is strongly...

Heartbleed Continued - OpenSSL Client Memory Exposed
The Heartbleed vulnerability is bad. Not only does it pose a risk to servers running the vulnerable version of OpenSSL (1.0.1 through 1.0.1f) with heartbeats enabled, it also poses a serious risk to...

Performing the Heartbleed Attack After the TLS Handshake
Over the past several days, many IPS rules for detecting the Heartbleed attack have been suggested that attempt to compare the TLS message size to the heartbeat message size. This method works with...

Heartbleed for OpenVPN
Core to the VRT's mission is challenging the general intrusion detection industry's view of "adequate" vulnerability coverage. One way we do this is to seek out new attack vectors for critical...

VRT Job Postings added
We're hiring, and looking for exceptional candidates to join our expanding team here at the Vulnerability Research Team (VRT) at Sourcefire, now a part of Cisco. I've posted the current job offerings...

Snake Campaign: A few words about the Uroburos Rootkit
Over the past few days, analyzing the new Uroburos (aka Turla) rootkit has been exciting. That's because the sample dropper (MD5: a86ac0ad1f8928e8d4e1b728448f54f9) includes a lot of clever features. We...