Security Blog

Blocking a Fake "Browser Update" Site

October 14, 2013 - By Chris Larsen
[A post from our internal blog last week, the roll-out of which was delayed due to a short family vacation... :)   The junk site is still online, and the ad networks are still feeding it traffic, so it's worth a public run. --C.L.]

More Fake-Java Malvertising

October 4, 2013 - By Chris Larsen
A month ago, we blogged about a malvertising attack centered around fake Java updates... We're currently tracking a similar ad-driven campaign, with a somewhat different-looking landing page: Or, you may see the "scary" version:

A Quick Look at Some Updates to the Blackhole Exploit Kit

October 3, 2013 - By Chris Larsen, Jeff Doty
[Our "exkit expert" returns, with his take on recent changes in BHEK. --C.L.] Today I am looking at some of the updates that we have been seeing in the Blackhole Exploit Kit.

They're Baaaaack... (Return of the Malvertisers)

September 23, 2013 - By Chris Larsen
Along with the public release of information about a large, long-running malvertising campaign, I also sent the full list of stealthy malvertising domains to several contacts in the WebAd/anti-malvertising community. This led to a two-front war on the malvertisers, with the ad industry cutting off traffic to the domains at the top, and Blue Coat (and other security companies that follow our blog) blocking the traffic at the bottom.

Stopping a Big Facebook Spam Campaign

September 20, 2013 - By Chris Larsen
While poking around in our shady-traffic logs Wednesday, I found a network big enough to be worthy of a blog post. It's what we usually call a "spam/scam" network, although the spam aspect is a bit different, being based on Facebook rather than e-mail. Here's a sample page from Facebook:

Follow-up on Major Malvertising Network

September 13, 2013 - By Chris Larsen
Partly because the previous post got a bit of publicity, but mostly due to the fact that there were a lot more sites to research, I decided to do a follow-up post on the big malvertising network that's been running for months. To begin with, I should answer the most-asked question, namely, "Is the LA Times still serving the malicious ads?"

A Look at Evasion Techniques in the Pushdo Botnet

September 11, 2013 - By Chris Larsen, Jeff Doty
[Some nice research from Jeff in our internal blog a few days ago. Needs a wider audience, since we've seen some folks following the wrong C&C trail. --C.L.]  

Untangling a Major Malvertising Network

September 4, 2013 - By Chris Larsen
[This post is from our internal blog a week ago. It's a big post, and its size kept it from being edited for official release until now. (And also because even malware researchers need to take an occasional vacation...) --C.L.]  

Foolish Zebra "Tails": The Hazards of Browsing Porn

August 27, 2013 - By Chris Larsen
[Twice last week, in the course of an investigation, I noticed high-traffic "Foolish Zebras" in our logs: K9 users whose carelessness, foolishness, and/or stubbornness have gotten themselves infected. Each time, following my own principle, I side-tracked from the main investigation to retrace the Foolish Zebra's tracks through the jungle. It's always enlightening to "tail" a Foolish Zebra... Due to the size of the internal blog post, I'm going to split it into two parts for the public blog.

Foolish Zebra "Tails": A Multiprong Attack

August 26, 2013 - By Chris Larsen
[Twice last week, in the course of an investigation, I noticed high-traffic "Foolish Zebras" in our logs: K9 users whose carelessness, foolishness, and/or stubbornness have gotten themselves infected. Each time, following my own principle, I side-tracked from the main investigation to retrace the Foolish Zebra's tracks through the jungle. It's always enlightening to "tail" a Foolish Zebra... Due to the size of the internal blog post, I'm going to split it into two parts for the public blog.