Cisco Talos Blog

January 22, 2013 16:24

Bulgarian Android SMSsend

Reported by Dancho Danchev. Visiting a compromised Bulgarian website on an Android phone causes a redirect and download (if you have the option "Allow installation of apps from unknown sources" checked) of premium-rate SMS Android malware. IP address involved in the ca

September 18, 2012 14:08

Internet Explorer use-after-free 0-Day vulnerability

A new vulnerability has been discovered that affects Internet Explorer 6, 7, 8 and 9 on Windows XP, Vista, 7, Windows Server 2003 and 2008. It is still unpatched at the time of this blog post. Late Sunday Eric Romang reported that the Nitro cybercriminal gang, which just a few we

September 13, 2012 07:00

Dorifel (aka Quervar, XDocCrypt)

Dorifel (aka Quervar, XDocCrypt) is a worm that is allegedly related to the Citadel trojan. Although it's been found worldwide, the Netherlands have been particularly affected by this piece of malware for the past several weeks. Why is this noteworthy? Once executed, Dorifel

August 6, 2012 16:44

ClamAV vs. Content IQ Test, part 4

This is the fourth in a series of five blog posts about the Content IQ Test. Please see ClamAV vs. Content IQ Test, part 1, ClamAV vs. Content IQ Test, part 2 and ClamAV vs. Content IQ Test, part 3. How would ClamAV do against dangerous VBA (Visual Basic for Applications) embedd

May 16, 2012 13:43

Resurgence of Virut?

It seems like the infamous virus Virut is making a comeback. Over the past 10 days, one of our most popular ClamAV signatures has been HTML.Iframe-63: Virut is a file infector that has been around for over 5 years. It typically connects to its C&C servers at brenz.pl or tren

April 26, 2012 10:30

ClamAV vs. Content IQ Test, part 3

This is the third post in a series of blog posts about the Content IQ Test. Please see ClamAV vs. Content IQ Test, part 1 and ClamAV vs. Content IQ Test, part 2. Today we look at how ClamAV would handle detecting the target string when embedded in polymorphic files. If you were

March 21, 2012 13:14

ClamAV vs. Content IQ Test, part 2

This is the second post in a series of blog posts about the Content IQ Test. Please see ClamAV vs. Content IQ Test, part 1. Let's see how ClamAV does with test files that contain auto-executing embedded active content. Test file 10 contains the target string in an obfuscate

February 21, 2012 13:23

ClamAV vs. Content IQ Test, part 1

This is the first in a series of blog posts about the Content IQ Test. A few days ago, we came across a test whose purpose is to gauge a security system's ability to detect client-side attacks. The Content IQ Test consists of detecting a set of test files that contain, at va

June 28, 2011 14:08

A Close Look at Rogue Antivirus Programs

A couple of weeks ago I attended Hack In Paris (France, not Texas). It was a nice break from the crazy temperatures and humidity we had been experiencing in Washington, DC and I'm sure that all the attendees appreciated the fact that the conference took place on the grounds o