Security Blog

Some Changes in Continuing .PW Spam

June 17, 2013 - By Chris Larsen
A month ago, we advised people to consider blocking the .PW top level domain (TLD). There is still a lot of spam happening there, but there have been some changes recently. In particular, there are more "normal" TLDs mixed in with the .PW ones. However, even though the TLD may be normal -- like .com -- the domain name itself won't necessarily be...

Malware Payload Inserts Copy of Itself into RARs

June 13, 2013 - By Andrew Brandt

Malvertising Quick Look: Kooora.com

June 6, 2013 - By Chris Larsen
[Disclaimer: This analysis deals largely with circumstantial evidence, for reasons laid out in the introductory blog post to this series. Any conclusions are preliminary, and subject to change based on further research.]  

What If Your CEO Is a Foolish Zebra?

June 4, 2013 - By Chris Larsen
Occasionally when I travel, I indulge in reading an old-fashioned paper edition of a newspaper. Last week, in Hong Kong, I happened across an interesting article in the Asia edition of the Wall St. Journal (linked here, so you don't have to go find it on paper).

They Definitely Spammed the Wrong Guy

May 26, 2013 - By Chris Larsen
Last Friday (5/24), as I was packing for a trip, I took a quick look at the in-box for my Blue Coat e-mail account. There was one from a name I didn't recognize, with a subject line of "Successful Business". It was a spam: (It was interesting that they didn't have the person's name match the e-mail address more closely. Even if the e-mail content wasn't a dead giveaway, this by itself would have raised a yellow flag.)

Spammer’s Summer Holiday in Paradise TLD

May 20, 2013 - By Andrew Brandt

Google Code Hosting Malware... Again

May 20, 2013 - By Chris Larsen, Adnan Shukor
[Apologies to Adnan for letting his post languish on our internal blog for a week. I remembered last night that I hadn't pushed it out on the public blog yet. --C.L.]  

SEP, Porn, and Malware - Lurking in the Boondocks

May 13, 2013 - By Chris Larsen
Out in the Boondocks of DynDNS

I find myself spending a lot of time in the jungles of Dynamic DNS (DynDNS) hosted sites these days -- there is a lot of shady stuff going on in there. (And very little useful content, comparatively speaking, so it's probably a good idea to consider just blocking off this whole area, from a security standpoint...)

Health and Finance (The Spam Version of Death and Taxes)

May 7, 2013 - By Chris Larsen
It's been a while since we've posted about good old spam (the non-malicious kind, although sometimes the lines blur), so I thought I'd share some findings from last weekend's honeypot traffic.

Recent Trends

First, we're seeing a *lot* of ".PW" domains involved in spam these days. In fact, unless you've got customers in Palau, you should probably consider blocking anything on their TLD (top-level domain).

Malnet: Wrath of the Gods

April 18, 2013 - By Chris Larsen, An Anonymous Analyst
[Our anonymous analyst is back with another Donovan adventure. As always, the story is fictional, but the events described are true to life. --C.L.]

It started like any other day: gray clouds filling the sky, the rain dripping from the eaves, and not enough hot chocolate in the machine. I sat down at my computer and got to work. Who am I? The name's Donovan. I'm a Private Eye in the fight against malware.