Now Available -- Razorback 0.2 Release Candidate
0.2 Release Candidate
This week we’re putting out the Razorback 0.2 release candidate. You can find it here: http://sourceforge.net/projects/razorbacktm/files/Razorback/razorback-0.2.0-rc.tbz/download This release, and the 0.2 final release scheduled for next week, contain all
A Close Look at Rogue Antivirus Programs
A couple of weeks ago I attended Hack In Paris (France, not Texas). It was a nice break from the crazy temperatures and humidity we had been experiencing in Washington, DC and I'm sure that all the attendees appreciated the fact that the conference took place on the grounds o
MacDefender and its variants
MacDefender showed up on the radar last week as the first fake Anti-Virus (AV) ScamWare for Mac OS X. Currently, it's distributed under a couple of different names (that all display the same functionality): MacDefender, MacProtector, and "Mac Security". In the Windows wor
Razorback Roadmap and Status Report
In which we get our first introduction to Tom Judge, the Amish Hammer. Yep, you're right, we've been kinda quiet lately. Some of that has been because we are the VRT in addition to the developers of Razorback and we had some big things to tackle in our other roles. But
Lizamoon attacks and generic detection
You've probably heard by now of the "Lizamoon" attacks, a rapidly spreading bit of SQL injection named for the domain that hosted the script dropped onto a variety of pages across the web. While not a particularly interesting attack from a technical perspective, it
Razorback - What's going on?
It's been almost 3 weeks since I joined the VRT and started working on Razorback. Over that time we have made some good progress with the project, and I wanted to share what we have done and what we are going to be working on over the next few weeks. What we have completed so far:
Attack Obfuscation - Not Just For JavaScript
Since his company purchased a Sourcefire IPS setup last summer, I've had a close working relationship with Mickey Lasky, the primary network security analyst at a company (which shall intentionally remain unnamed) that runs a number of public-facing web sites. He sends me PCA
Blocklist.rules, ClamAV, and Data Mining
We've received a number of queries recently about the source of the data in the blocklist.rules category. I'm posting the answer here, since it will be of broad interest to the Sourcefire/Snort user base. One of the side effects of our 2007 acquisition of the ClamAV proj
In which kpyke looks behind the green curtain
From an operations perspective, there is very little that is less useful and more aggravating than vendor magic. What I mean by this is anything that "happens" in the background that you have no visibility into. While many organizations enjoy the simplicity provided by