Security Blog

Javascript Obfuscation in "Canadian Pharmacy" Spam Sites

December 14, 2012 - By Chris Larsen, Adnan Shukor
[Another good post from Adnan on our internal blog. We've blogged a little bit this year about our anti-spam research -- basically, we find a lot of spam networks in the course of our malware work, and we block them for our customers as a side benefit -- and this is a good example. --C.L.]  

Search Engine Poisoning, a Holiday Tradition

December 10, 2012 - By Chris Larsen
I seem to gotten myself pigeonholed this year as the "search engine poisoning guy", since I get asked about SEP attacks on a consistent basis. Especially now, as America is in the middle of its Thanksgiving-Christmas holiday season -- I was asked about "Black Friday" SEP attacks by several people last week. Well, I had hoped to do some SEP research before Thanksgiving, but it has slipped to "pre-Christmas research" instead, one of several downsides to a heavy travel schedule...  

Craigslist Car Scam Phishing Attack

December 6, 2012 - By Chris Larsen, Christian Mills
[Nice first post from Christian, our newest analyst. When I heard him talking about this, I said, "You've got to write that up for the blog!" The story is now several days old, but when I asked him to check if we were still seeing traffic from this network, he confirmed that it's still active. --C.L.]  

BlackHole Kit Doesn't Like Chrome

December 5, 2012 - By Chris Larsen, Adnan Shukor
[Adnan, who is already an accomplished security researcher and blogger, has recently joined Blue Coat. He did this research a week or so ago, and wrote it up for our internal blog this week. Sorry about the delay in pushing it out, Adnan! -- C.L.] Recently, we’ve started to see the BlackHole Exploit Kit (BHEK) using plain HTML files (instead of iframes) as redirectors to the exploit page.

A Quick Look at the Crimeboss Exploit Kit

November 26, 2012 - By Chris Larsen, Nate Clark and Jacob Siebach
[Nate and Jacob are analysts on the WebPulse team. A week or so ago, they did some poking around a site running the Crimeboss exploit kit, and I thought their findings were worth sharing. --C.L.]   An exploit kit known as "Crimeboss" has been in the news for a couple of months. There's a good write-up about the Java exploits it serves here. [My favorite part is that it will actually prompt you to install Java if you don't have it, so that it can then infect you.]

Malvertising Attack Quick Look: The Pirate Bay

November 21, 2012 - By Chris Larsen
[Disclaimer: This analysis deals largely with circumstantial evidence, for reasons laid out in the introductory blog post to this series. Any conclusions are preliminary, and subject to change based on further research.]   Our first drill-down into a breaking malvertising attack (via our Popular Site Monitor list) looks at the (in)famous Pirate Bay (

Malnets and Malvertising

November 20, 2012 - By Chris Larsen
Modern malvertising is nasty stuff, for several reasons:

Ransomware is Nasty Stuff

November 9, 2012 - By Chris Larsen, Jeff Doty
A day or two ago, our friends at Symantec released a blog post about the growing success of "ransomware". (They also have a whitepaper here, and a nice gallery of screenshots of several variations here.)

A Malware Hall of Fame

October 31, 2012 - By Chris Larsen
A couple of weeks ago, just prior to taking off on a vacation, I was asked by one of our marketing folks for a list of significant and/or famous malware. So, I spent some time thinking about what examples I would include in a "Malware Hall of Fame" if I were in charge of the museum, and came up with the following two lists of favorite and/or significant malware...   Memorable/significant attacks from the "old days":

Negative-day Blocks

October 20, 2012 - By Chris Larsen
Last year, some of us were talking about how to explain the power of malnet tracking, and Alex suggested that we call it "negative-day blocking", as a play on the well know phrase "zero-day attack". If a zero-day is a new, never-before-seen attack, against a vulnerability for which no patch exists, then a negative-day block is a defense put in place for a new attack one or more days before the attack takes place -- even if that new attack is a zero-day. We liked the "negative-day" term, and it stuck.