Web Proxies, User-Agent Strings, and Malware Detection
One of the simpler ways to identify malware-infected machines communicating with their command and control servers is to watch for known malicious User-Agent strings in HTTP requests. For those not familiar with them, User-Agent strings are added to almost all HTTP queries on the
Information Superiority
I presented yesterday at the 9th annual Hackers2Hackers conference in Sao Paulo on the subject of information superiority, a subject the VRT has long been fond of. My slides are here for those who'd like to read them. In a nutshell, the talk made the point that, if you know
itsoknoproblembro, the VRT has you covered
When the large-scale DDoS attacks on American banks began a couple of weeks ago, the VRT started digging through all of our sources of information, looking to understand the precise tactics being used, so that we could put together the best possible protection strategy for potent
Internet Explorer use-after-free 0-Day vulnerability
A new vulnerability has been discovered that affects Internet Explorer 6, 7, 8 and 9 on Windows XP, Vista, 7, Windows Server 2003 and 2008 . It is still unpatched at the time of this blog post. Late Sunday Eric Romang reported that the Nitro cybercrimal gang, which just a few we
Using negative distance to create detection windows
A common method for delivering malicious pages to clients is with the use of hidden iframes. Before I get started I want to say that I have seen hidden iframes used legitimately and the rule discussed will not be in any policies by default, due to the risk of false positives. Th
Dorifel (aka Quervar, XDocCrypt)
Dorifel (aka Quervar, XDocCrypt) is a worm that is allegedly related to the Citadel trojan. Although it's been found worldwide, the Netherlands have been particularly affected by this piece of malware for the past several weeks. Why is this noteworthy? Once executed, Dorifel
The Best Defense is a Good Defense
As things stand, Snort is at version 2.9.3.1 and is constantly being developed to integrate new and more powerful features and detection. The VRT fairly regularly receives inquiries from folks on how to get our current rule packages to seamlessly integrate with their existing ver
Anomaly Detection Rules & The Success of Open-Source Rule Testing: Don't Do That, Part 2
Last November, the VRT established an open-source rule testing group, composed of a number of Snort users from around the planet in industries as diverse as defense contracting and education. To date, we've tested well over a hundred rules with this group, and have had a grea
Matryoshka packets
I have heard many people talk about ICMP and UDP tunnels but very rarely observed them in the wild. We recently had the opportunity to examine a sample that uses this technique for C&C. It communicates by either an ICMP echo with a data section that includes a full TCP SYN pa