February 11, 2013 | Alberto Ortega

Set up your keylogger to report by email? Bad idea! (The case of Ardamax)

A couple of days ago, I was surfing our wild Internet when I came across a dirty piece of software dedicated to stealing accounts of a popular build-with-bricks videogame. The program offered a premium account of the videogame for free. In reality it was a stealer, which installs a keylogger on your computer to record and…

February 8, 2013 | Jaime Blasco

Adobe patches two vulnerabilities being exploited in the wild

Yesterday, Adobe released a patch for Adobe Flash that fixed a zeroday vulnerability that was being exploited in the wild. According to Adobe, CVE-2013-0633 is being exploited using Microsoft Office files with embedded Flash content delivered via email. They are also aware of CVE-2013-0634 being exploited through web browsers such as Firefox and Safari on MacOSX. FireEye released…


January 21, 2013 | Jaime Blasco

Red October - Indicators of Compromise and Mitigation Data

Together with our partner, Kaspersky, we’re releasing a whitepaper on the “indicators of compromise” that can be useful to detect and mitigate the threats from Red October. It contains indicators to detect most of the Red October activity in your systems and networks. Inside the whitepaper you will find Snort rules as well as an OpenIOC file that you…

January 10, 2013 | Jaime Blasco

New year, new Java zeroday!

Earlier this morning @Kafeine alerted us about a new Java zeroday being exploited in the wild. With the files we were able to obtain, we reproduced the exploit on a fully patched new installation of Java. As you can see below, we tricked the malicious Java applet into executing calc.exe in our lab. The Java file is highly…

December 29, 2012 | Jaime Blasco

Just another water hole campaign using an Internet Explorer 0day

At the beginning of the week we started to analyze a water hole campaign that was present on the Council on Foreign Relations (CFR) portal. After studying the attack and the payload and realizing that it was likely using a zeroday exploit against Internet Explorer, we sent the information to the Microsoft Security Response Center (MSRC), which is still investigating the…

December 19, 2012 | Alberto Ortega

Hardening Cuckoo Sandbox against VM aware malware

Some time ago, we wrote a post about how a lot of malware samples check the execution environment and, if it is unwanted (VM, debugger, sandbox, ...), terminate unexpectedly. We use Cuckoo Sandbox in the lab for our analysis tasks, and we really love how customizable it is. Sometimes we have to deal with malware that is aware of the execution environment,…

December 17, 2012 | Jaime Blasco

Batchwiper: Just Another Wiping Malware

A few days ago, the Iranian CERT (Maher Center) released information about a newly identified targeted malware with wiping capabilities. The piece of code is very simple: it deletes files on different drives on specific dates. The original dropper is a self-extracting RAR file with the name GrooveMonitor.exe. Once executed, it extracts the following files: \WINDOWS\system32…

December 12, 2012 | Dominique Karg

The Eternal Life of Malware

2012 proves that modern malware never dies; it just morphs and reappears. Download OSSIM and check out the global contributions that are making OTX so valuable.…

November 5, 2012 | Alberto Ortega

Your malware shall not fool us with those anti analysis tricks

It is well known that a large number of malware samples are aware of the execution environment. This means that a malware sample can change its behavior if it detects that the running environment is unwanted. There are resources, public source code, and even programs that detail how to bypass automatic malware analysis systems and make things awkward for malware…

October 31, 2012 | Jaime Blasco

Georbot Botnet - A cyber espionage campaign against Georgian Government

A few days ago, CERT-Georgia published a great report describing a cyber espionage campaign. ESET wrote a great report (http://blog.eset.com/wp-content/media_files/ESET_win32georbot_analysis_final.pdf) [no longer available] a few months ago as well. The report said the malware was found in Georgian governmental agencies including ministries, parliament, banks and NGOs.…

September 19, 2012 | Jaime Blasco

New versions of the IExplorer ZeroDay emerge targeting Defence and Industrial companies

As we related in our previous blog post, the latest Internet Explorer ZeroDay is being used to target specific sectors, including Defence and Industrial ones. Following our investigations on the servers found serving the Internet Explorer Zeroday, and using OSINT, we were able to use the WHOIS mail address and the IP addresses used by the attackers…

September 18, 2012 | Jaime Blasco

The connection between the Plugx Chinese gang and the latest Internet Explorer Zeroday

Some hours ago my friend PhysicalDrive0 pointed me to a new version of Moh2010.swf that was found in the wild as part of some content exploiting the latest Internet Explorer Zeroday. The exploit code was being served on www.nod32XX.com hosted on: The exploit scheme is the same one; the original vector is hosted under /Exploit.html.…
