Cisco Talos Blog

December 9, 2013 16:17

When an exploit kit is VERY simple

Ran across this "exploit kit" today.  I'm holding up my hands with air quotes: Not really sure if it is an exploit kit, as so far, it is just a landing page with applet redirection to a jar file. The GoogleDocs.jar file that is mentioned above is a simple generate

November 22, 2013 17:04

I'm calling this Goon Exploit Kit, for now

We started seeing this exploit kit in our systems on November 21st.  It has some similarities to Redkit and the Dotcache exploit kit.  Cookiebomb redirection to:    1044 80      GET            /cnt.php?id=786629      Mozil

October 31, 2013 15:33

Exploit kits, they sure do like to change ports

Since the arrest of Paunch, (the author of the Blackhole and Cool exploit kits, that I talked about in my last post), exploit kits are clamoring for who will be number one.  So I come with a status update of sorts, as of the writing of this blog post, Magnitude, aka, Popads seems

October 21, 2013 10:00

Sweet Orange Exploit Kit was the new king of the hill, until it went away.

Here in the VRT, we keep a pretty close eye on Exploit Kits, their trends, their pattern shifts, and how we can protect our customers against these exploit kits in the real world. Recent headlines from various news agencies stated that the author of the Blackhole and Cool exploi

December 19, 2012 17:10

EXPLOIT-KIT Java User-Agent downloading Portable Executable - Possible Exploit Kit

In our most recent rule pack, amongst the 39 new rules were two very important rules that may require a bit of analyst work when you see them alert. The two rules I am referring to are: * 1:25041 <-> ENABLED <-> EXPLOIT-KIT Java User-Agent flowbit set (exploit-kit.r

May 7, 2012 09:45

ClamAV and Snort coverage for Flashback and Sabpub

Being the resident VRT Apple fanboy that I am, I frequently am assigned every piece of Apple malware and Apple-related vulnerability research that comes through the office.  Luckily that's not very much.  (Fanboy jabs with his right!) However, lately, the variants of Flashba

March 7, 2012 16:51

Some Snort discussion about Murofet, Kazy, or whatever we're calling it..

One of the fun parts about malware analysis is the name you give it.  I try to name my coverage in ClamAV similar to what other vendors are naming the same samples so there is some correlation and consistency.  Sometimes it works...this is one of the cases where it doesn't.

November 2, 2011 15:56

Say Hello to the file-identify category

This week we are introducing a new rule category into the VRT rule set, named "file-identify.rules". The purpose of this category is to standardize the structure of rules that “set” a flowbit and to enhance detection by looking into file data. The changes will occur in

September 29, 2011 13:04

Mac "Trojans" this past weekend. OSX.Revir-1

Over the weekend a rash of articles appeared across the Internet referring to a "new" Mac Trojan named "Revir.A". The first one that came to my attention was on the F-Secure Blog last Friday. I was able to obtain a copy of the referenced sample for this "