Security Blog

Redkit Malvertising Attack Via Zedo

March 7, 2013 - By Chris Larsen, Jeff Doty
[Great post from Jeff yesterday on our internal blog. --C.L.]   Meet the Face of Evil. Would you believe that this: is actually a cover for this?

Comparing the New APT Report With Webpulse

March 5, 2013 - By Tim Chiu
When you’re touting technology like Blue Coat’s Webpulse with Negative Day Defense, where you claim you’re protecting users well before an attack actually happens, it’s sometimes hard to have proof points to show you’ve been protecting an organization all along (even after an attack goes live), that you’ve been successful in preventing that attack from doing any damage.  Our malware research team does a great job of describing how we’re successful in protecting users from all sorts of malware in the man

Malvertising Quick Look:

February 18, 2013 - By Chris Larsen
[Disclaimer: This analysis deals largely with circumstantial evidence, for reasons laid out in the introductory blog post to this series. Any conclusions are preliminary, and subject to change based on further research.]

Grab Your Trenchcoat! It's "MalNet - A Detective Story"

February 8, 2013 - By Chris Larsen, An Analyst Who Wishes to Remain Anonymous
[It seems one of our Analysts has been watching too many old-time cop shows, and sees himself as a hard-boiled detective, hot on the trail of the Bad Guys. I know who "Donovan" is, and would say he's more "lightly sauteed" than hard-boiled... I haven't figured out who "Badger" and "Dirk" are, but I'm working on it. Cue the "Dragnet" theme music! --C.L.]   NOTE: The names in this story have been changed to protect the identities of those involved, but the events are described as they actually occurred…for the most part.  ;)

Phishing, The Overlooked Mobile Threat

February 5, 2013 - By Tim Chiu
Most people associate phishing threats with emails, but really it's a web security threat.  It may start by receiving an email, one that's made to look like it's from a company or service you normally deal with on a regular basis.

Blocking a Long-running Facebook Attack

January 30, 2013 - By Chris Larsen
Part One: Today I took a look at what sorts of malicious activity we have been seeing lately coming from the Facebook ecosystem. Following a likely-looking link we had blocked as Malware, I was able to reach the following page:

A Dive into the Water Hole

January 18, 2013 - By Chris Larsen, Adnan Shukor
[Good research from Adnan, posted this morning to our internal blog; clearly deserving of a wider audience... C.L.]   Today, let's get our hands dirty by analyzing an "interesting" sample that I found in-the-wild earlier today. There are multiple interesting parts of this sample; the first one is that they don’t really hide/obfuscate their stuff. They left it in plain text, and exposed the contents of their server. (By accident, I think.)

All Hail the New King? (A Look at the Cool Exploit Kit)

January 9, 2013 - By Chris Larsen, Jeff Doty
[Following up on his look at the Sweet Orange exploit kit, Jeff returns with a look at the Cool exkit. I've been seeing this show up in large numbers in the daily submissions from our analyst team, so I knew they were finding a lot, but Jeff's numbers were eye-opening. Good stuff! --C.L.]

Malvertising Quick Look:

January 7, 2013 - By Chris Larsen
The next in our periodic looks at malvertising on popular sites is a different animal. This one looks like a case of a legitimate ad provider who simply made a bad choice about which clients to accept ads from...

Forbidden Fruit: The Sweet Orange Exploit Kit

December 17, 2012 - By Chris Larsen, Jeff Doty
[I've been seeing quite a few submissions from our malware-hunting analysts lately with notes that here was another "Sweet Orange" host, so I was glad to see Jeff take time to write up a post about this exploit kit. --C.L.]   Exploit Kits Malware is a business; people make their living writing and distributing it. Exploit kits are an effective and streamlined methodology of distributing malware; they allow the Bad Guys to distribute payloads at a higher level than we have seen in the past. For this reason we've seen exploit kits grow in popularity over the last few years.