Special Delivery -- Phoenix Exploit Kit
You would think that spam masquerading as a delivery company would be getting a little long in the tooth, but that isn't the case. Last week the winner was "DHL Attention 846698", which looks something like this: Good day! Dear Consumer , Recipient's address
Adventures in Domain Takedowns
I gave a presentation entitled "Adventures in Domain Takedowns" recently at the APCERT 2012 conference in Bali, Indonesia. The conference itself was excellent - plenty of good technical material and lots of useful contacts - and the location, of course, couldn't hav
ClamAV vs. Content IQ Test, part 2
This is the second post in a series of blog posts about the Content IQ Test. Please see ClamAV vs. Content IQ Test, part 1. Let's see how ClamAV does with test files that contain auto-executing embedded active content. Test file 10 contains the target string in an obfuscate
MIDI Karaoke Background or Malware Vector?
MD5's of samples found in the wild up to now: - 6249ac0674574c7df2f81801a41b85a5 - 9d63609e49e18f87973e66bdbc4236b4 - d3410dd27ba25c780abcd5c4df573303 - 1a4c84227cbf6da8724699b9b6fbb71b - bbc2d8cb3f8ed9a3a5292408d476af14 - c91703bc8d5509003c1d0a634dcbbd06 - 2b988374bb9
Some Snort discussion about Murofet, Kazy, or whatever we're calling it..
One of the fun parts about malware analysis is the name you give it. I try to name my coverage in ClamAV similar to what other vendors are naming the same samples so there is some correlation and consistency. Sometimes it works...this is one of the cases where it doesn't.
Low Hanging Fruit
We spend a lot of time watching what is going on in the world. One of the advantages of having a customer-based intelligence sharing program as well as a distribution of our own sensors in the wild is that we are able to watch as threats change. When new threats come into play,
Razorback Appliance - Getting Started
With the recent release of Razorback 0.4.1 we decided to update the Virtual Appliance image to this release. The target audience for the appliance is people who want to test drive the system without going through the process of installing the system and its dependencies. You ca
A FABULOUS policy rule
Lots of people in the security space are familiar with the blog of Brian Krebs, a former Washington Post network security writer and one of a tiny number of IT security journalists who actually gets it. If you're not following him on Twitter (@briankrebs), you should be. Esp
ClamAV vs. Content IQ Test, part 1
This is the first in a series of blog posts about the Content IQ Test. A few days ago, we came across a test whose purpose is to gauge a security system's ability to detect client-side attacks. The Content IQ Test consists of detecting a set of test files that contain, at va