Bulgarian Android SMSsend
Reported by Dancho Danchev. Visiting a compromised Bulgarian website on an Android phone causes a redirect and download (if you have the option "Allow installation of apps from unknown sources" checked) of premium rate SMS Android malware. IP address involved in the ca
Internet Explorer use-after-free 0-Day vulnerability
A new vulnerability has been discovered that affects Internet Explorer 6, 7, 8 and 9 on Windows XP, Vista, 7, Windows Server 2003 and 2008. It is still unpatched at the time of this blog post. Late Sunday Eric Romang reported that the Nitro cybercriminal gang, which just a few we
Dorifel (aka Quervar, XDocCrypt)
Dorifel (aka Quervar, XDocCrypt) is a worm that is allegedly related to the Citadel trojan. Although it's been found worldwide, the Netherlands have been particularly affected by this piece of malware for the past several weeks. Why is this noteworthy? Once executed, Dorifel
ClamAV vs. Content IQ Test, part 4
This is the fourth in a series of five blog posts about the Content IQ Test. Please see ClamAV vs. Content IQ Test, part 1, ClamAV vs. Content IQ Test, part 2 and ClamAV vs. Content IQ Test, part 3. How would ClamAV do against dangerous VBA (Visual Basic for Applications) embedd
Resurgence of Virut?
It seems like the infamous virus Virut is making a comeback. Over the past 10 days, one of our most popular ClamAV signatures has been HTML.Iframe-63. Virut is a file infector that has been around for over 5 years. It typically connects to its C&C servers at brenz.pl or tren
ClamAV vs. Content IQ Test, part 3
This is the third post in a series of blog posts about the Content IQ Test. Please see ClamAV vs. Content IQ Test, part 1 and ClamAV vs. Content IQ Test, part 2. Today we look at how ClamAV would handle detecting the target string when embedded in polymorphic files. If you were
ClamAV vs. Content IQ Test, part 2
This is the second post in a series of blog posts about the Content IQ Test. Please see ClamAV vs. Content IQ Test, part 1. Let's see how ClamAV does with test files that contain auto-executing embedded active content. Test file 10 contains the target string in an obfuscate
ClamAV vs. Content IQ Test, part 1
This is the first in a series of blog posts about the Content IQ Test. A few days ago, we came across a test whose purpose is to gauge a security system's ability to detect client-side attacks. The Content IQ Test consists of detecting a set of test files that contain, at va
A Close Look at Rogue Antivirus Programs
A couple of weeks ago I attended Hack In Paris (France, not Texas). It was a nice break from the crazy temperatures and humidity we had been experiencing in Washington, DC and I'm sure that all the attendees appreciated the fact that the conference took place on the grounds o