When an exploit kit is VERY simple
Ran across this "exploit kit" today. I'm holding up my hands with air quotes: Not really sure if it is an exploit kit, as so far, it is just a landing page with applet redirection to a jar file. The GoogleDocs.jar file that is mentioned above is a simple generate
I'm calling this Goon Exploit Kit, for now
We started seeing this exploit kit in our systems on November 21st. It has some similarities to Redkit and the Dotcache exploit kit. Cookiebomb redirection to: 192.168.0.58 1044 173.237.187.203 80 GET 173.237.187.203 /cnt.php?id=786629 Mozil
Exploit kits, they sure do like to change ports
Since the arrest of Paunch, (the author of the Blackhole and Cool exploit kits, that I talked about in my last post), exploit kits are clamoring for who will be number one. So I come with a status update of sorts, as of the writing of this blog post, Magnitude, aka, Popads seems
Sweet Orange Exploit Kit was the new king of the hill, until it went away.
Here in the VRT, we keep a pretty close eye on Exploit Kits, their trends, their pattern shifts, and how we can protect our customers against these exploit kits in the real world. Recent headlines from various news agencies stated that the author of the Blackhole and Cool exploi
EXPLOIT-KIT Java User-Agent downloading Portable Executable - Possible Exploit Kit
In our most recent rule pack, amongst the 39 new rules were two very important rules that may require a bit of analyst work when you see them alert. The two rules I am referring to are: * 1:25041 <-> ENABLED <-> EXPLOIT-KIT Java User-Agent flowbit set (exploit-kit.r
ClamAV and Snort coverage for Flashback and Sabpub
Being the resident VRT Apple fanboy that I am, I frequently am assigned every piece of Apple malware and Apple-related vulnerability research that comes through the office. Luckily that's not very much. (Fanboy jabs with his right!) However, lately, the variants of Flashba
Some Snort discussion about Murofet, Kazy, or whatever we're calling it..
One of the fun parts about malware analysis is the name you give it. I try to name my coverage in ClamAV similar to what other vendors are naming the same samples so there is some correlation and consistency. Sometimes it works...this is one of the cases where it doesn't.
Say Hello to the file-identify category
This week we are introducing a new rule category into the VRT rule set, named "file-identify.rules". The purpose of this category is to standardize the structure of rules that “set” a flowbit and to enhance detection by looking into file data. The changes will occur in
Mac "Trojans" this past weekend. OSX.Revir-1
Over the weekend a rash of articles appeared across the Internet referring to a "new" Mac Trojan named "Revir.A". The first one that came to my attention was on the F-Secure Blog last Friday. I was able to obtain a copy of the referenced sample for this "