Cisco Talos Blog

May 23, 2012 17:02

PHP-CGI Leads To C99 Shell

While reviewing the events on one of the networks the VRT monitors, we decided to do some digging on an event triggered by a scan for the recently released PHP-CGI vulnerability. Knowing what attackers were actually trying to drop onto vulnerable systems would be interesting, we fig

May 8, 2012 15:44

PHP-CGI vulnerability - exploits in the wild and Snort coverage

You've probably heard about the PHP-CGI command-line parameter vulnerability (CVE-2012-1823) released last Thursday, especially if you're defending a PHP-based web application environment. While it makes use of a non-default configuration for exploitation, for users who c
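The CVE-2012-1823 request pattern, as an added log-triage example that is not part of the original post and is not the Snort coverage it discusses. Under RFC 3875 (CGI), a query string containing no literal `=` is treated as a search string: the server splits it on `+`, percent-decodes each piece and hands the pieces to the CGI program as command-line arguments, which is why `?-s` makes php-cgi print source and `?-d+...` lets an attacker set INI directives. The Apache-combined log lines below are constructed, and the script assumes PHP was deployed as a CGI binary (the non-default setup the post alludes to); the function names are mine.

```python
"""Flag web-log requests whose query string would reach php-cgi as argv (CVE-2012-1823).

Per RFC 3875, a query string with no unencoded '=' is a "search string": the
web server splits it on '+', percent-decodes each piece, and passes the pieces
to the CGI program as command-line arguments. php-cgi then parses '-s'
(show source) or '-d directive=value' (set an INI directive) from the URL.
"""
import re
from urllib.parse import unquote

# Constructed sample lines in Apache combined log format; not real traffic.
SAMPLE_LOG = """\
203.0.113.5 - - [08/May/2012:10:12:01 +0000] "GET /index.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.5 - - [08/May/2012:10:12:02 +0000] "GET /index.php?-s HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
198.51.100.7 - - [08/May/2012:10:12:03 +0000] "POST /cgi-bin/php?-d+allow_url_include%3don+-d+auto_prepend_file%3dphp://input HTTP/1.1" 200 77 "-" "curl/7.19"
192.0.2.9 - - [08/May/2012:10:12:04 +0000] "GET /index.php?page=-s HTTP/1.1" 200 300 "-" "Mozilla/5.0"
192.0.2.9 - - [08/May/2012:10:12:05 +0000] "GET /search.php?foo+bar HTTP/1.1" 200 300 "-" "Mozilla/5.0"
"""

# client IP, two ident/user fields, bracketed timestamp, then the quoted request line
REQUEST_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+) [^"]*"'
)


def cgi_argv(query: str) -> list:
    """Return the argv a CGI server derives from a raw (still percent-encoded) query string.

    Any unencoded '=' makes the server treat the query as form data and pass
    nothing on the command line, so '?page=-s' is harmless here even though it
    contains '-s'. Attackers encode '=' as %3d to keep the argv path open.
    """
    if query == "" or "=" in query:
        return []
    return [unquote(piece) for piece in query.split("+") if piece]


def php_cgi_options(argv: list) -> list:
    """Return the argv entries php-cgi would parse as options (leading '-')."""
    return [arg for arg in argv if arg.startswith("-")]


def scan_log(text: str) -> list:
    """Return one dict per request whose query string carries php-cgi options."""
    hits = []
    for line in text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue  # not a request line we understand; skip rather than guess
        path, _, query = m.group("target").partition("?")
        argv = cgi_argv(query)
        if php_cgi_options(argv):
            hits.append({"ip": m.group("ip"), "method": m.group("method"),
                         "path": path, "argv": argv})
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(f"{hit['ip']} {hit['method']} {hit['path']} argv={hit['argv']}")
```

On the constructed input only the second and third lines are reported: the `?-s` probe and the `-d allow_url_include=on -d auto_prepend_file=php://input` request that turns the POST body into executed PHP. The `page=-s` line is deliberately not flagged because the literal `=` keeps it off the command line; a detector that only greps for `-s` would produce that false positive.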

April 17, 2012 14:50

Snort Performance and IP-Only Rules

One of the most frequent topics that comes up when I'm out speaking to customers, or when anyone from the VRT is discussing Snort on a mailing list, IRC channel, etc., is performance. Everyone wants to know how to make their rules faster - and many people are willing to go to

April 4, 2012 14:52

Adventures in Domain Takedowns

I gave a presentation entitled "Adventures in Domain Takedowns" recently at the APCERT 2012 conference in Bali, Indonesia. The conference itself was excellent - plenty of good technical material and lots of useful contacts - and the location, of course, couldn't hav

February 23, 2012 08:29

A FABULOUS policy rule

Lots of people in the security space are familiar with the blog of Brian Krebs, a former Washington Post network security writer and one of a tiny number of IT security journalists who actually gets it. If you're not following him on Twitter (@briankrebs), you should be. Esp

February 17, 2012 15:56

An Exploit Kit Was Sent To You

Unless you've got the world's best spam filter, you've probably seen one of the latest spam techniques used by malware-dropping bad guys: what appears to be an automated email informing you that a multi-function scanner/copier was used to send you a document. It's

January 30, 2012 13:00

Android.Counterclank: Malware or Adware?

This weekend I noticed a ComputerWorld article titled "Massive Android malware op may have infected 5 million users". After reading, it seemed to be exactly the sort of thing many people have been suggesting - an increasingly large-scale outbreak of malicious activity i

December 28, 2011 15:08

Cross-Platform Single-Request Web Server DoS From CCC

Security never sleeps, even if it is the week between Christmas and New Year's, and most of you are on vacation, enjoying time with your family, or just goofing off because the office is empty. Today's reminder of that reality comes from Alexander Klink and Julian Walde,

November 18, 2011 20:25

Malware Mythbusting

The malware sandbox that I've previously discussed on this blog has made for a lot of useful Snort rules - but it's also helped get me some excellent speaking slots around the world this year. This time, I've just wrapped up a presentation titled "Malware Mythbus