Cisco Talos Blog

November 3, 2011 15:00

Android Malware Analysis: A How-To

While mobile malware comprises only a tiny fraction of the overall landscape in terms of volume, it is fast becoming essential to address from an enterprise security standpoint. Unfortunately, very few people would even have a clue where to start if charged with analyzing a progr

October 6, 2011 09:09

Fishing For Malware: Tread Softly and Carry A Big Net

If you pay attention to the list of new rules in each SEU, you've probably noticed us adding a lot of malware rules lately. While on the surface it may appear that we're just picking random samples out of the millions of different pieces of malware available on the Intern

August 25, 2011 16:57

This is why we have nice things

A lot of people have been freaking out about the "Apache Killer" tool released on Full-Disclosure last Friday. While it's an effective way to cause a Denial of Service (DoS) against an Apache web server, and readily accessible to your average malfeasant, the good ne

August 16, 2011 15:54

Rawbytes is not the modifier you're looking for

I spend a lot of time working with Sourcefire customers and open-source Snort users who write their own custom rules. Many of them are extremely astute, and some of them write rules good enough to be in the official VRT set. Others, well, not so much. One of the biggest issues I

July 15, 2011 13:49

Do you really trust that certificate?

If you've read many of my posts on this blog, you've probably realized by now that I'm lazy when it comes to dealing with malware. I hate the "whack-a-mole" game of trying to stay on top of every new thing every new piece of malware does - not only because i

July 13, 2011 13:24

Binary C&C Over HTTP

A few weeks ago I gave a presentation at the CARO 2011 Workshop in Prague. Besides being set in a stunningly beautiful location, the conference was an excellent opportunity to meet malware researchers from around the world - a group who are, by and large, distinct from network se

April 5, 2011 14:42

Lizamoon attacks and generic detection

You've probably heard by now of the "Lizamoon" attacks, a rapidly spreading bit of SQL injection named for the domain that hosted the script dropped onto a variety of pages across the web. While not a particularly interesting attack from a technical perspective, it

March 3, 2011 13:15

Attack Obfuscation - Not Just For JavaScript

Since his company purchased a Sourcefire IPS setup last summer, I've had a close working relationship with Mickey Lasky, the primary network security analyst at a company (which shall intentionally remain unnamed) that runs a number of public-facing web sites. He sends me PCA

February 8, 2011 17:25

Blocklist.rules, ClamAV, and Data Mining

We've received a number of queries recently about the source of the data in the blocklist.rules category. I'm posting the answer here, since it will be of broad interest to the Sourcefire/Snort user base. One of the side effects of our 2007 acquisition of the ClamAV proj