Fake-Java Malvertising

August 20, 2013 - By Chris Larsen
There's a rather large malvertising-driven attack running at the moment, that's attempting to trick people into installing or upgrading a fake version of Java. It looks pretty believable, if you disregard the domain name ( having no obvious linguistic connection to "Java"):

Exploit Kits Skin an Innocent Site

August 16, 2013 - By Chris Larsen
[From our internal blog, 8/12 (Monday).] In the classic movie Men In Black, there's a wonderful villain: an alien who kills a back-country farmer and steals his skin to wear as camouflage. I thought of "Edgar" the alien when I was researching a network of exploit kit sites. They looked like this:

A Classic Snooper Page from a Shady Ad Network

August 12, 2013 - By Chris Larsen
Last week, while digging into a site with relatively high traffic and a weird name (, I came across a classic "snooper page" -- a page put up by malicious or shady sites as camouflage for their activities, or to convince people like me who come snooping around that there's "nothing to see here": Yep, nice site. So, what's it up to? Danger or nuisance?

Advanced System Protection? Not!

July 29, 2013 - By Chris Larsen
Last week, I was taking a look at some traffic when an interesting domain name jumped out at me. (Well, it didn't literally jump out at me, of course. I'd probably describe its behavior more along the lines of "a needle trying to hide behind a bunch of hay"...) The domain was, and since I reflexively don't trust protection-themed domain names (after years of chasing "Fake Antivirus" malware), I went to take a look:

How Many Exclusive Offers Does One Person Need?

July 16, 2013 - By Chris Larsen
I've always had a weakness for the kooky domain names that some Bad Guys register. Today while I was browsing through some of our spam logs, I found a batch that I had to share. (Actually, several batches...) These domain names were interesting not just because of the "exclusive offers today" cluster they formed, but because the second one was misspelled:

A Couple of Interesting Mobile Malware Sites

June 28, 2013 - By Chris Larsen
Although mobile malware has been a hot topic for a couple of years now, we're still very much in the early phase of adapting to life on this new frontier. In some ways, the mobile malware world is quite different from traditional desktop/laptop malware. One of these ways is in the lifespan of malicious sites, and today I'll highlight a couple of examples that illustrate this.

A Shady "Recruitment" Network

June 19, 2013 - By Chris Larsen
Here are a couple of interesting sites: and (There are also some variants on the "TJL" initials -- mixing their order -- but these all resolve to the site. No variants for the domain have shown up, but we'll keep our eyes open.)

Some Changes in Continuing .PW Spam

June 17, 2013 - By Chris Larsen
A month ago, we advised people to consider blocking the .PW top level domain (TLD). There is still a lot of spam happening there, but there have been some changes recently. In particular, there are more "normal" TLDs mixed in with the .PW ones. However, even though the TLD may be normal -- like .com -- the domain name itself won't necessarily be...

Malvertising Quick Look:

June 6, 2013 - By Chris Larsen
[Disclaimer: This analysis deals largely with circumstantial evidence, for reasons laid out in the introductory blog post to this series. Any conclusions are preliminary, and subject to change based on further research.]

What If Your CEO Is a Foolish Zebra?

June 4, 2013 - By Chris Larsen
Occasionally when I travel, I indulge in reading an old-fashioned paper edition of a newspaper. Last week, in Hong Kong, I happened across an interesting article in the Asia edition of the Wall St. Journal (linked here, so you don't have to go find it on paper).