Security Blog

Foolish Zebra "Tails": The Hazards of Browsing Porn

August 27, 2013 - By Chris Larsen
Twice last week, in the course of an investigation, I noticed high-traffic "Foolish Zebras" in our logs: K9 users whose carelessness, foolishness, and/or stubbornness have gotten themselves infected. Each time, following my own principle, I side-tracked from the main investigation to retrace the Foolish Zebra's tracks through the jungle. It's always enlightening to "tail" a Foolish Zebra... Due to the size of the internal blog post, I'm going to split it into two parts for the public blog.

Foolish Zebra "Tails": A Multiprong Attack

August 26, 2013 - By Chris Larsen
Twice last week, in the course of an investigation, I noticed high-traffic "Foolish Zebras" in our logs: K9 users whose carelessness, foolishness, and/or stubbornness have gotten themselves infected. Each time, following my own principle, I side-tracked from the main investigation to retrace the Foolish Zebra's tracks through the jungle. It's always enlightening to "tail" a Foolish Zebra... Due to the size of the internal blog post, I'm going to split it into two parts for the public blog.

Fake Adobe Trojan Posts Spyware Spam to Craigslist

August 25, 2013 - By Andrew Brandt
A Trojan in the wild, masquerading as an update for a browser add-on named Adobe Photo Loader, is quietly using the victim’s infected computer to post spam messages to random categories in the online classified-ads service Craigslist.

Fake-Java Malvertising

August 20, 2013 - By Chris Larsen
There's a rather large malvertising-driven attack running at the moment that's attempting to trick people into installing or upgrading a fake version of Java. It looks pretty believable, if you disregard the domain name (tartd.info having no obvious linguistic connection to "Java"):

Exploit Kits Skin an Innocent Site

August 16, 2013 - By Chris Larsen
[From our internal blog, 8/12 (Monday).] In the classic movie Men In Black, there's a wonderful villain: an alien who kills a back-country farmer and steals his skin to wear as camouflage. I thought of "Edgar" the alien when I was researching a network of exploit kit sites. They looked like this:

A Classic Snooper Page from a Shady Ad Network

August 12, 2013 - By Chris Larsen
Last week, while digging into a site with relatively high traffic and a weird name (zupaluzutirtuf.net), I came across a classic "snooper page" -- a page put up by malicious or shady sites as camouflage for their activities, or to convince people like me who come snooping around that there's "nothing to see here": Yep, nice site. So, what's it up to? Danger or nuisance?

Advanced System Protection? Not!

July 29, 2013 - By Chris Larsen
Last week, I was taking a look at some traffic when an interesting domain name jumped out at me. (Well, it didn't literally jump out at me, of course. I'd probably describe its behavior more along the lines of "a needle trying to hide behind a bunch of hay"...) The domain was advancedprotector.com, and since I reflexively don't trust protection-themed domain names (after years of chasing "Fake Antivirus" malware), I went to take a look:

How Many Exclusive Offers Does One Person Need?

July 16, 2013 - By Chris Larsen
I've always had a weakness for the kooky domain names that some Bad Guys register. Today while I was browsing through some of our spam logs, I found a batch that I had to share. (Actually, several batches...) These domain names were interesting not just because of the "exclusive offers today" cluster they formed, but because the second one was misspelled:

A Couple of Interesting Mobile Malware Sites

June 28, 2013 - By Chris Larsen
Although mobile malware has been a hot topic for a couple of years now, we're still very much in the early phase of adapting to life on this new frontier. In some ways, the mobile malware world is quite different from traditional desktop/laptop malware. One of these ways is in the lifespan of malicious sites, and today I'll highlight a couple of examples that illustrate this.

A Shady "Recruitment" Network

June 19, 2013 - By Chris Larsen
Here are a couple of interesting sites: and (There are also some variants on the "TJL" initials -- mixing their order -- but these all resolve to the tjlrecruitment.org site. No variants for the knlrecruitment.org domain have shown up, but we'll keep our eyes open.)