Flame Malware, Targeted Attacks, and You
It seems no good holiday goes by without some quality new malware being dropped, and this year's Memorial Day was no exception. Announced in posts by Kaspersky, Symantec, the Iranian National CERT and the Budapest University of Technology and Economics, a targeted piece of ma
PHP-CGI Leads To C99 Shell
While reviewing the events on one of the networks the VRT monitors, we decided to do some digging on an event triggered by a scan for the recently released PHP-CGI vulnerability. Knowing what attackers were actually trying to drop onto vulnerable systems would be interesting, we fig
Resurgence of Virut?
It seems like the infamous virus Virut is making a comeback. Over the past 10 days, one of our most popular ClamAV signatures has been HTML.Iframe-63: Virut is a file infector that has been around for over 5 years. It typically connects to its C&C servers at brenz.pl or tren
PHP-CGI vulnerability - exploits in the wild and Snort coverage
You've probably heard about the PHP-CGI command-line parameter vulnerability (CVE-2012-1823) released last Thursday, especially if you're defending a PHP-based web application environment. While it makes use of a non-default configuration for exploitation, for users who c
ClamAV and Snort coverage for Flashback and Sabpub
Being the resident VRT Apple fanboy that I am, I am frequently assigned every piece of Apple malware and Apple-related vulnerability research that comes through the office. Luckily that's not very much. (Fanboy jabs with his right!) However, lately, the variants of Flashba
Razorback 0.5.0 released
The Razorback team has released version 0.5.0. You can find the new version of Razorback here: http://sfi.re/JlWZ0U. We have also updated the virtual machine, which you can get here: http://sfi.re/IAW1oa. This release adds support for running inspection nuggets on Windows. At t
ClamAV vs. Content IQ Test, part 3
This is the third post in a series of blog posts about the Content IQ Test. Please see ClamAV vs. Content IQ Test, part 1 and ClamAV vs. Content IQ Test, part 2. Today we look at how ClamAV would handle detecting the target string when embedded in polymorphic files. If you were
Prototyping Mitigations with DBI Frameworks
A couple weeks ago I had the privilege of both attending my first Austin Hackers Association meeting and speaking at the first Infosec Southwest conference in Austin, Texas. I had been wanting to visit Austin for several years now and was excited to see the dynamics of the local
Snort Performance and IP-Only Rules
One of the most frequent topics that comes up when I'm out speaking to customers, or when anyone from the VRT is discussing Snort on a mailing list, IRC channel, etc., is performance. Everyone wants to know how to make their rules faster - and many people are willing to go to