Internet Explorer & Adobe Flash 0-Day Coverage
Recently several "0day" releases have come out in the security world, and the VRT has released coverage for two critical vulnerabilities, so we wanted to notify you of this coverage so you can use the...

Microsoft Update Tuesday: March 2014, all about IE (including two 0-day fixes)
It's Microsoft Update Tuesday. While this month is relatively minor, a total of 5 bulletins, it is pretty large for the requisite Internet Explorer bulletin. There’s a total of 23 CVEs covered by the...

Anatomy of an exploit: CVE 2014-1776
This post is co-authored by Brandon Stultz, Joel Esler, Patrick Mullen, and Craig Williams. When the Internet Explorer 0-day CVE 2014-1776 was announced, we turned to our intelligence feeds for more...

Continued analysis of the LightsOut Exploit Kit
At the end of March, we disclosed the coverage of an Exploit Kit we called “Hello” (http://vrt-blog.snort.org/2014/03/hello-new-exploit-kit.html) or “LightsOut”; we thought we’d do a follow-up post to...

Betabot Process Injection
Introduction: A few weeks ago I received a PE file (MD5: 34105EF38CEA1B4B2ABADD0CB3404E69) and was asked to figure out if it is related to the Betabot malware family. It didn’t take long to figure out...

Microsoft Update Tuesday May 2014: relatively light month
It’s time for another Microsoft Update Tuesday, the first one which will not feature any XP updates (except of course for the out-of-band patch (MS14-021) which was released to deal with the IE 0-day...

An Introduction to Recognizing and Decoding RC4 Encryption in Malware
There is something that we come across almost daily when we analyze malware in the VRT: RC4. We recently came across CVE-2014-1776 and like many malware samples and exploits we analyze, RC4 is used to...

Microsoft Update Tuesday June 2014: Internet Explorer, Internet Explorer,...
Once again it’s time for Microsoft’s Update Tuesday and this time it’s almost all about Internet Explorer. We had a bit of a lull in the past months with respect to IE vulnerabilities, especially due...

The never ending Exploit Kit shift - Bleeding Life
Recently we've been able to observe several shifts in exploit kit techniques, so I thought it would be good to share the IOC information for the exploit kits so that administrators and network...

Etumbot Detection, more prior coverage
Arbor Networks recently posted details about a backdoor they named Etumbot. It provides technical detail about the functionality of the malware and it includes hashes of known samples. The Arbor write...

Detection for PutterPanda, we got this.
Recently a post by Crowdstrike was released detailing an attack being used, allegedly, by the Chinese Military "PLA Unit 61486". The post is a great demonstration of the use of OSINT (Open Source...

Exceptional behavior: the Windows 8.1 X64 SEH Implementation
In my last post, you may remember how the latest Uroburos rootkit was able to disarm Patchguard on Windows 7. I was recently looking into how Patchguard is implemented in Windows 8.1 and decided to dig...

Threat Spotlight: "A String of Paerls", Part 2, Deep Dive
This post has been co-authored by Joel Esler, Craig Williams, Richard Harman, Jaeson Schultz, and Douglas Goddard. In part one of our two-part blog series on the “String of Paerls” threat, we showed an...

Microsoft Update Tuesday July 2014: light month, mostly Internet Explorer
This month’s Microsoft Update Tuesday is relatively light compared to the major update of last month. We’re getting a total of six bulletins this month, two marked critical, three as important and...

Apple ID Harvesting, now this is a good phish.
Phishing isn't new. "So, why are you writing about it?", you ask. I received this one today and it was very well done, so I thought I'd write it up. Chances are, you've seen these before: If you are...

Microsoft Update Tuesday August 2014: Media Center and Internet Explorer
Another Update Tuesday has arrived, this time bringing us a total of nine bulletins covering a total of 37 CVEs. Two bulletins are marked critical: one for Media Center and the other for Internet...

The Windows 8.1 Kernel Patch Protection
In the last 3 months we have seen a lot of machines compromised by Uroburos (a kernel-mode rootkit that spreads in the wild and specifically targets Windows 7 64-bit). Curiosity led me to start...

Discovering Dynamically Loaded API in Visual Basic Binaries
Performing analysis on a Visual Basic (VB) script, or when Visual Basic is paired with the .NET Framework, becomes an exercise of source code analysis. Unfortunately when Visual Basic is compiled to a...

Malware Using the Registry to Store a Zeus Configuration File
This blog was co-authored by Andrea Allievi. A few weeks ago I came across a sample that was reading from and writing a significant amount of data to the registry. Initially, it was thought that the...

Microsoft Update Tuesday September 2014: another generally light month but...
This month’s Microsoft Update Tuesday is pretty light save for the Internet Explorer bulletin. While there’s only a total of 4 bulletins, they cover a total of 42 CVEs. The IE bulletin, as is usual,...