WTF, Ubuntu?
I just finished installing Ubuntu 9.10 server edition on a shiny new Dell PowerEdge R805 box, as part of expanding our malware analysis labs. No big deal - half an hour of babysitting an installer, right? Wrong. It took me 5 hours, thanks to some really stupid decisions made by
Matt's Primer for PDF Analysis
For obvious reasons, the VRT has been spending a lot of time on the PDF format lately. While the attack researchers have been concentrating on fuzzing, reverse engineering and data flow analysis, the defense researchers have been automating the backend analysis of PDF submissions
What in the name!...
If you are confused by the naming of ClamAV products, here's a quick breakdown:
* ClamAV®: open source (GPL) anti-virus toolkit for UNIX, designed especially for e-mail scanning on mail gateways. Available here.
* ClamAV® (Win32 binaries): Win32 port of ClamAV. Availa
New Mac OSX Module for Snort
Today, the VRT is excited to announce a revolutionary new module for the Snort Intrusion Detection System. The extraordinary capability of Snort to be molded through rules, so_rules, preprocessors and the fact that the entire code base is open gives us unprecedented capability t
Rule release for today - March 30th, 2010
Microsoft Security Advisory (MS10-018): Microsoft Internet Explorer contains several programming errors that may allow a remote attacker to execute code on an affected system. Details here: http://www.snort.org/vrt/advisories/2010/03/30/vrt-rules-2010-03-30.html
Rule release for today - March 23rd, 2010
Apple Safari RCE (CVE-2010-0049): Apple Safari contains a programming error that may allow a remote attacker to execute code on an affected system. The issue presents itself when the browser fails to properly process certain HTML elements concerning RTL text. Additionally, as a
Rule release for today - March 17th, 2010
A maintenance release mostly, lots of changes to rules and quite a few deletions. Two new rules added. Check out the changes here
The New Disclosure Debate and the Evil Mr. Moore
So, let's pretend you are Rob, Mr. Head of IT, and that you are sitting in your office on March 9th, working on your fantasy baseball (I hear Albert Pujols is the way to go...) when one of your staff walks in and says that Microsoft has another 0-day running around. Internet
Rule release for today - March 10th, 2010
Microsoft Internet Explorer (CVE-2010-0806): Microsoft Internet Explorer contains a programming error that may allow a remote attacker to execute code on an affected system. Check it here. Oh, and the rule is a shared object rule, so the changelog won't actually show it. If you