More Targeted PDF 0-Day
Much like other vendors in the security space, the VRT spent yesterday scrambling to address the latest Adobe/PDF vulnerability. The attack - which works across multiple operating systems, bypasses Adobe's sandbox, and which has been used in recent targeted campaigns - is sti
The 0-day That Wasn't: Dissecting A Highly Obfuscated PDF Attack
Bulgarian Android SMSsend
Reported by Dancho Danchev. Visiting a compromised Bulgarian website on an Android phone causes a redirect and download (if you have the option "Allow installation of apps from unknown sources" checked) of premium-rate SMS Android malware. IP address involved in the ca
How To Become an Infosec Expert, Part I
I recently put a post on my personal blog seeking applicants for a position with the VRT, working directly with me on public-facing issues (such as writing for this blog, talking to customers, etc.). Since the skill set involved there is subtly, but importantly, different from a
The Ruby on Rails vulnerability that made Metasploit release a patch
This post on the Ruby on Rails Security group, dated January 8th, contained a few phrases that cause alarm when used together: "inject arbitrary SQL", "inject and execute arbitrary code" and "perform a DoS attack on a Rails application". Without going into d
Generic Exploit Kit Detection & The First Java 0-Day of 2013
EXPLOIT-KIT Java User-Agent downloading Portable Executable - Possible Exploit Kit
In our most recent rule pack, amongst the 39 new rules were two very important rules that may require a bit of analyst work when you see them alert. The two rules I am referring to are: * 1:25041 <-> ENABLED <-> EXPLOIT-KIT Java User-Agent flowbit set (exploit-kit.r
Triggering Miniflame's C&C Communication to Create a Pcap
There are times when a malware sample's payload doesn't trigger because the malware requires a specific condition or environment before it will execute that payload. Such is the behavior of the miniflame malware that we encountered recently. To create a Snort signature, th
Quarian: Reversing the C&C Protocol
Win.Trojan.Quarian was reportedly first found in a leaked email from the Syrian Ministry of Foreign Affairs. It arrives on the victim's machine via a PDF document. The PDF contains an exploit for CVE-2010-0188 which, if successful, passes execution to embedded shellcode. The