Blue Coat Security Blog

Lazy Bad Guys

May 15, 2012 - By Chris Larsen
Near the end of April, shortly before taking off on a couple weeks of heavy travel, I was poking around in some of the sites involved in the big Fake-AV attack we blogged about a couple of times last month. One domain caught my eye because it showed up as a relay site (in this case, a hacked site being used as a relay to an attack site). When the attack site came up, I knew I had to grab a screenshot to share:

The Bad Guys Can't Shake WebPulse

May 1, 2012 - By Chris Larsen | Co-Authored By Jon Dinerstein
[A nice post from Dr. Jon in our internal blog a week ago, that deserves a larger audience. -- C.L.] The Bad Guys are well-known for rapidly changing domain names in an effort to avoid being blocked. They're like bank robbers fleeing the scene of a crime before the police can arrive -- they're betting that speed and recklessness will allow them to get away with the crime. Typically, the Bad Guys change domain names once every few hours to once every few days. However, there are some occasional examples that take me by surprise.

Big Fake-AV Attack Rolls On...

April 24, 2012 - By Chris Larsen
Another item in the post-vacation queue for the blog is an update on the big Fake AV attack we posted about at the beginning of the month. From last Friday's logs, I pulled data on one sample server. Here's what it had been up to:
- 2400+ URLs in the week from 4/13 (when it joined the attack) to 4/20.
- 63 different "sibling sites" (on various creatively named .info domains)

A Look Back (and Forward) at the Flashback Attack

April 20, 2012 - By Chris Larsen | Co-Authored By Patrick Cummins
[I sneaked an occasional peek at my e-mail last week while on vacation, and saw that there was a lot of discussion happening about the "Flashback" attack. Since I could see that the team was already researching, I didn't worry much, and figured I'd catch up on the story when I got back. As it turns out, there was a lot to catch up on.... Special thanks to Patrick, who heads our botnet team, and who did much of the research legwork that I used as a starting point. --C.L.]

Webpulse In A Nutshell

April 13, 2012 - By Tim Chiu
You may have seen references to Webpulse in various Blue Coat blog posts, on different parts of the website, or just in a discussion on Blue Coat technology. But it may not be completely obvious just what Webpulse is or does. Sure it's a collaborative defense in the cloud with 75 million users, but just what does that mean to the average IT administrator? This blog post will attempt to give you just that, a quick description of what Webpulse is all about and how it helps you get your job done.

Tracking a Large Fake-AV Campaign

April 3, 2012 - By Chris Larsen
Time for a quick blog post on an attack we've been following for several weeks now. I've seen a few news articles and blog posts that could be describing it, at least in general terms (i.e., hacked WordPress sites redirecting victims to Fake AV malware sites), so let's flesh it out a bit. (It's also been several months since I've blogged about one of the "gold standard" attack vector combos: Search Engine Poisoning (SEP) + Fake Antivirus, so let's kill two malware birds with one stone...)

What Are Web Application Controls?

March 28, 2012 - By Tim Chiu
If you've been following Web Security trends lately, you've probably seen the term "Web Application Control" or even just "Application Control" being used quite a bit. You may also be wondering just what Web Application Controls are and how they differ from the web security you've already got in place today. Traditional web security involves controlling web access using categories, and the simple controls of blocking and allowing web pages based on their categorization(s). Web Application Controls take this one step further.

Latest SEP (Search Engine Poisoning) Research, Part 7

March 16, 2012 - By Chris Larsen
[This is part seven of a series of blog posts providing some of the backstory for my RSA presentation on Search Engine Poisoning. There was a lot of material that simply wouldn't fit into 45 minutes...]
RESEARCH QUESTION #5: WHAT ABOUT "BIG EVENT" SEARCHES? One last interesting question remained: What about the notion that SEP gangs specifically target people who are searching for information about a current or upcoming "Big Event"? You know, like the Olympics, or the World Cup, or the Oscars, or a Celebrity Death, or the presidential election...

Latest SEP (Search Engine Poisoning) Research, Part 6

March 13, 2012 - By Chris Larsen
[This is part six of a series of blog posts providing some of the backstory for my RSA presentation on Search Engine Poisoning. There was a lot of material that simply wouldn't fit into 45 minutes...]
RESEARCH QUESTION #4: WHAT ABOUT IMAGE SEARCHES? One of the questions that I've wondered about since we started looking at Image SEP is how prevalent it is. This project was a perfect opportunity to gather some hard data... I was initially biased toward expecting a relatively large percentage of SEP attacks to be based on image searches, for the following reasons:

Latest SEP (Search Engine Poisoning) Research, Part 5

March 9, 2012 - By Chris Larsen
[This is part five of a series of blog posts providing some of the backstory for my RSA presentation on Search Engine Poisoning. There was a lot of material that simply wouldn't fit into 45 minutes...]
RESEARCH QUESTION #3: WHAT ABOUT CELEBRITY SEARCHES? Probably the single most interesting part of the chart in Part 4 was the "Celebrity" SEP category. Just 2.7%??? Don't we all know that the Bad Guys love to target people searching for celebrity content? The security industry sure likes to get press coverage for these attacks!