Security Blog

Blocking a Long-running Facebook Attack

January 30, 2013 - By Chris Larsen
Part One: Today I took a look at what sorts of malicious activity we have been seeing lately coming from the Facebook ecosystem. Following a likely-looking link we had blocked as Malware, I was able to reach the following page:

A Dive into the Water Hole

January 18, 2013 - By Chris Larsen, Adnan Shukor
[Good research from Adnan, posted this morning to our internal blog; clearly deserving of a wider audience... C.L.]   Today, let's get our hands dirty by analyzing an "interesting" sample that I found in-the-wild earlier today. There are multiple interesting parts of this sample; the first one is that they don’t really hide/obfuscate their stuff. They left it in plain text, and exposed the contents of their server. (By accident, I think.)

All Hail the New King? (A Look at the Cool Exploit Kit)

January 9, 2013 - By Chris Larsen, Jeff Doty
[Following up on his look at the Sweet Orange exploit kit, Jeff returns with a look at the Cool exkit. I've been seeing this show up in large numbers in the daily submissions from our analyst team, so I knew they were finding a lot, but Jeff's numbers were eye-opening. Good stuff! -- C.L.]  

Malvertising Quick Look: Adcash.com

January 7, 2013 - By Chris Larsen
The next in our periodic looks at malvertising on popular sites is a different animal. This one looks like a case of a legitimate ad provider who simply made a bad choice about which clients to accept ads from...

Forbidden Fruit: The Sweet Orange Exploit Kit

December 17, 2012 - By Chris Larsen, Jeff Doty
[I've been seeing quite a few submissions from our malware-hunting analysts lately with notes that here was another "Sweet Orange" host, so I was glad to see Jeff take time to write up a post about this exploit kit. --C.L.] Exploit Kits: Malware is a business; people make their living writing and distributing it. Exploit kits are an effective and streamlined methodology of distributing malware; they allow the Bad Guys to distribute payloads at a higher level than we have seen in the past. For this reason we've seen exploit kits grow in popularity over the last few years.

Javascript Obfuscation in "Canadian Pharmacy" Spam Sites

December 14, 2012 - By Chris Larsen, Adnan Shukor
[Another good post from Adnan on our internal blog. We've blogged a little bit this year about our anti-spam research -- basically, we find a lot of spam networks in the course of our malware work, and we block them for our customers as a side benefit -- and this is a good example. --C.L.]  

Search Engine Poisoning, a Holiday Tradition

December 10, 2012 - By Chris Larsen
I seem to have gotten myself pigeonholed this year as the "search engine poisoning guy", since I get asked about SEP attacks on a consistent basis. Especially now, as America is in the middle of its Thanksgiving-Christmas holiday season -- I was asked about "Black Friday" SEP attacks by several people last week. Well, I had hoped to do some SEP research before Thanksgiving, but it has slipped to "pre-Christmas research" instead, one of several downsides to a heavy travel schedule...

Craigslist Car Scam Phishing Attack

December 6, 2012 - By Chris Larsen, Christian Mills
[Nice first post from Christian, our newest analyst. When I heard him talking about this, I said, "You've got to write that up for the blog!" The story is now several days old, but when I asked him to check if we were still seeing traffic from this network, he confirmed that it's still active. --C.L.]  

BlackHole Kit Doesn't Like Chrome

December 5, 2012 - By Chris Larsen, Adnan Shukor
[Adnan, who is already an accomplished security researcher and blogger, has recently joined Blue Coat. He did this research a week or so ago, and wrote it up for our internal blog this week. Sorry about the delay in pushing it out, Adnan! -- C.L.] Recently, we’ve started to see the BlackHole Exploit Kit (BHEK) using plain HTML files (instead of iframes) as redirectors to the exploit page.

A Quick Look at the Crimeboss Exploit Kit

November 26, 2012 - By Chris Larsen, Nate Clark and Jacob Siebach
[Nate and Jacob are analysts on the WebPulse team. A week or so ago, they did some poking around a site running the Crimeboss exploit kit, and I thought their findings were worth sharing. --C.L.]   An exploit kit known as "Crimeboss" has been in the news for a couple of months. There's a good write-up about the Java exploits it serves here. [My favorite part is that it will actually prompt you to install Java if you don't have it, so that it can then infect you.]