Zscaler Research

Phishers target Yahoo users

2013-06-04T15:37:00.000-07:00

Yahoo Mail introduced two-factor authentication in December 2011. Two-factor authentication can be used to prevent suspicious access to an account (login from a different country, numerous failed login attempts, etc.) and can be used to verify a user's identity when asking for a password reset. Two-factor authentication has been in the news a fair bit lately as LinkedIn and Twitter have

Rise in Red Kit Exploit Kit Activity

2013-06-01T10:15:00.000-07:00

This week, a malicious pattern of activity was observed in websites being compromised, which in turn redirected to a Red Kit exploit kit (EK) landing page. Some infected websites that were seen: neptunebenson[dot]com route66marathon[dot]com whitesteeple[dot]com (Warning! these sites may still be infected). Two different mechanisms were used to infect the websites. The first one being a

Darkleech attack continues to grow

2013-05-21T07:57:00.000-07:00

The Apache Darkleech attack has been in the news for quite some time now. The first compromise that we identified in our transactions dates back to mid-March. This Darkleech exploit (aka Linux.Cdorked) injects malicious redirections into a website that leads to a Blackhole exploit kit (BEK) landing page. Sucuri published up a great write up about the Darkleech infection mechanism on the server

Fake YouTube page targets Chrome users

2013-05-16T13:10:00.000-07:00

Fake YouTube pages are one of the favored ways attackers leverage to get users to click on malicious content. These fake pages often look the same, but the source code can reveal a new twist. This time, a recently encountered fake YouTube page host at http://facebook-java.com targets Google Chrome users only. Fake YouTube page We have found a many malicious sites that specifically target

Facebook Scam for Stalkers

2013-05-07T15:49:00.000-07:00

If you are like me, you might feel bad about leaving your dog home alone all day while you are at work. So to alleviate his boredom, I've let him sign up for his own Facebook. Being new to the social media scene has already resulted in one tragedy. Well, my dog has done it again. This time he was paranoid over whether his girlfriend from across the street was cheating on him. So of course

Popular Media Sites Involved in Mass Compromise

2013-05-06T14:42:00.000-07:00

Update (May 9): OSIRT had the opportunity to review the infected web app code for one of the compromised sites and has a great write-up to explain what was happening from a server-side vantage point. Today, Zscaler identified yet another mass website compromise, this one impacting a number of popular media sites, including two radio stations in Washington, DC - Federal News Radio and WTOP. It's

Fake Flash player on DropBox

2013-05-03T14:23:00.000-07:00

Fake Flash updates are leveraged as a very popular trick amongst attackers to fool users into downloading and installing malware. This week we found a three websites distributing Win32.Sanity.N malware disguised as Flash updates: hxxp://kivancoldu.com/, redirects to hxxp://click-videox.com/ http://kivancoldu.com on 05/02/2013 hxxp://fastcekim.com/, redirects to hxxp://click-videox.com/

More Fake SourceForge Websites Show Up

2013-04-30T13:38:00.006-07:00

Two weeks ago we reported on a fake SourceForge website, sourceforgechile.net, which was used to distribute malware. We have since seen more of these fake sites this past week: sourceforgebulgaria.net, registered on 05/06/2013 sourceforgesweden.net, registered on 05/06/2013 sourceforgecyprus.net, registered on 05/02/2013 sourceforgeniger.net, registered on 05/01/2013 sourceforgeestonia.net,

scanning binaries for PE format anomalies

2013-04-26T15:34:00.000-07:00

After processing tons of malicous binaries, I would like to share my findings about anomalies found in PE binaries. These anomaly information will be helpful for security researchers on suspicious sample validation and sample clustering. 1. Binary strings nearby EP Of course, EP binary is very popular for AV companies to work out malware signatures. So I put it at first.

Bitcoin: Regulations and Security

2013-04-26T12:51:00.001-07:00

You have probably heard about Bitcoin, a relatively new virtual currency. It made headlines recently because it is starting to present a real alternative for traditional online payments, and has recently experienced wild swings in value. One of the advantages of Bitcoin is the lack of regulation, which means it is largely free from the rules and regulations that govern banks and payment

Fake SourceForge site distributes malware

2013-04-17T15:46:00.002-07:00

We spotted malware hosted on hxxp://sourceforgechile.net/ a couple of days ago. The website is not currently responding, but appears to been set up as a fake and malicious version of the popular open-source hosting site SourceForge. sourceforgechile.net was registered on 04/05/213 in the US and is hosted in the Ukraine. One of the malicious files downloaded was hxxp://sourceforgechile.net/

Pinhout: Pinterest clone or phishing site?

2013-04-09T15:00:00.000-07:00

Recently I stumbled upon pinhout.com. Look familiar? Pinhout.com looks awfully familiar to... It looks like a Turkish copy of Pinterest, a growing social network to share web content. .. Pinterest (home page). Official site? I was wondering if this site is a Phishing site, a clone, or an official site from Pinterest. Whois records show that the domain has been registered by a Turkish

Gone Phishin' on the Facebook

2013-03-29T16:16:00.000-07:00

Social Media sites are rife for exploitation and malicious intent. They have become a staple of connectivity between colleagues, family, and friends to the point that they are in many cases the focal point of communication. Chief among these social media sites, is Facebook. Not quite professional a network as Linkedin, not quite as informal as Twitter. Facebook is a perfect storm of chat,

Guess who am I? PE or APK

2013-03-15T14:53:00.000-07:00

Update: I happened to find this sample. However, it was corrupted. So I made a demo file by myself. Notepad.exe was used as PE stub, and I embedded a MALICIOUS APK sample into it. So the magic number was also MZ. It ran better than the previous sample since it bypassed zipfile.py and you can see its internal apk information. If you need this sample, leave your email or drop me a

Hey AndroGuard, I will crash you or your Python buddy!

2013-03-13T11:40:00.001-07:00

AndroGuard is a popular tool to be used to analyze android APK files by security professionals. Quite a few APK analysis tools have been built based on it. They usually call Python library to unzip APK files before reverse-engineering. No wonder some android malware were trying to applied some anti-debugging tricks to crash AndroGuard or Python, just like what PC malware had done on Ollydbg and

Door-to-Door Worm Cleaner

2013-03-08T19:03:00.000-08:00

Stop me if you’ve heard this one before. I’m telling a new acquaintance that I work in IT, particularly the security sector. “Neat…so my computer has been running slow recently…” I want to make a good impression so I schedule some time and roll up my sleeves for however long it may take. Given that this is someone else’s PC, I’m not going to risk plugging in any of my personal equipment to

Android application obfuscation

2013-03-07T10:53:00.002-08:00

I had the opportunity to attend 2013 RSA last week. Compared with less than five vendors last year, there were more than 20 vendors focusing on mobile security. I found something interesting on android application obfuscation. Arxan was one of them. This company showcased its Mobile Application Protection Suite to protect code integrity and intellectual property from reversing engineering mobile

The move to plugin-free browsers

2013-02-22T12:57:00.000-08:00

Apple was the first major player to offer a browser with no plugins with Safari for iOS. Even the very popular Flash plugin cannot run in the browser. However, no vendor, including Apple, has had such restrictions on their desktop products. Microsoft has now also gone plugin-free with Internet Explorer 10 Metro. This version of Internet Explorer does not support plugins (except for the embedded

“Say cheese!” Let’s take a picture for you guys, packer families.

2013-02-08T17:37:00.000-08:00

<!--[if gte mso 9]>

HTTPS Everywhere for IE: faster, auto-update enabled

2013-02-08T13:12:00.000-08:00

I've released HTTPS Everywhere for Internet Explorer v0.0.0.3. Additional details about the update can be found in the version history of the PDF documentation. Changes in 0.0.0.3 Faster start up The start up time is now much faster. You should no longer receive a popup from Internet Explorer asking you to disable certain add-ons. I also switched to a different XML parser to load the HTTPS