Zscaler Research

Fake YouTube page targets Chrome users

2013-05-16T13:10:00.000-07:00

Fake YouTube pages are one of the favored ways attackers leverage to get users to click on malicious content. These fake pages often look the same, but the source code can reveal a new twist. This time, a recently encountered fake YouTube page host at http://facebook-java.com targets Google Chrome users only. Fake YouTube page We have found a many malicious sites that specifically target

Facebook Scam for Stalkers

2013-05-07T15:49:00.000-07:00

If you are like me, you might feel bad about leaving your dog home alone all day while you are at work. So to alleviate his boredom, I've let him sign up for his own Facebook. Being new to the social media scene has already resulted in one tragedy. Well, my dog has done it again. This time he was paranoid over whether his girlfriend from across the street was cheating on him. So of course

Popular Media Sites Involved in Mass Compromise

2013-05-06T14:42:00.000-07:00

Update (May 9): OSIRT had the opportunity to review the infected web app code for one of the compromised sites and has a great write-up to explain what was happening from a server-side vantage point. Today, Zscaler identified yet another mass website compromise, this one impacting a number of popular media sites, including two radio stations in Washington, DC - Federal News Radio and WTOP. It's

Fake Flash player on DropBox

2013-05-03T14:23:00.000-07:00

Fake Flash updates are leveraged as a very popular trick amongst attackers to fool users into downloading and installing malware. This week we found a three websites distributing Win32.Sanity.N malware disguised as Flash updates: hxxp://kivancoldu.com/, redirects to hxxp://click-videox.com/ http://kivancoldu.com on 05/02/2013 hxxp://fastcekim.com/, redirects to hxxp://click-videox.com/

More Fake SourceForge Websites Show Up

2013-04-30T13:38:00.006-07:00

Two weeks ago we reported on a fake SourceForge website, sourceforgechile.net, which was used to distribute malware. We have since seen more of these fake sites this past week: sourceforgeniger.net, registered on 05/01/2013 sourceforgeestonia.net, registered on 04/26/2013 sourceforgegrenada.net, registered on 04/26/2013 sourceforgepalau.net, registered on 04/22/2013 sourceforgeecuador.net,

scanning binaries for PE format anomalies

2013-04-26T15:34:00.000-07:00

After processing tons of malicous binaries, I would like to share my findings about anomalies found in PE binaries. These anomaly information will be helpful for security researchers on suspicious sample validation and sample clustering. 1. Binary strings nearby EP Of course, EP binary is very popular for AV companies to work out malware signatures. So I put it at first.

Bitcoin: Regulations and Security

2013-04-26T12:51:00.001-07:00

You have probably heard about Bitcoin, a relatively new virtual currency. It made headlines recently because it is starting to present a real alternative for traditional online payments, and has recently experienced wild swings in value. One of the advantages of Bitcoin is the lack of regulation, which means it is largely free from the rules and regulations that govern banks and payment

Fake SourceForge site distributes malware

2013-04-17T15:46:00.002-07:00

We spotted malware hosted on hxxp://sourceforgechile.net/ a couple of days ago. The website is not currently responding, but appears to been set up as a fake and malicious version of the popular open-source hosting site SourceForge. sourceforgechile.net was registered on 04/05/213 in the US and is hosted in the Ukraine. One of the malicious files downloaded was hxxp://sourceforgechile.net/

Pinhout: Pinterest clone or phishing site?

2013-04-09T15:00:00.000-07:00

Recently I stumbled upon pinhout.com. Look familiar? Pinhout.com looks awfully familiar to... It looks like a Turkish copy of Pinterest, a growing social network to share web content. .. Pinterest (home page). Official site? I was wondering if this site is a Phishing site, a clone, or an official site from Pinterest. Whois records show that the domain has been registered by a Turkish

Gone Phishin' on the Facebook

2013-03-29T16:16:00.000-07:00

Social Media sites are rife for exploitation and malicious intent. They have become a staple of connectivity between colleagues, family, and friends to the point that they are in many cases the focal point of communication. Chief among these social media sites, is Facebook. Not quite professional a network as Linkedin, not quite as informal as Twitter. Facebook is a perfect storm of chat,

Guess who am I? PE or APK

2013-03-15T14:53:00.000-07:00

Update: I happened to find this sample. However, it was corrupted. So I made a demo file by myself. Notepad.exe was used as PE stub, and I embedded a MALICIOUS APK sample into it. So the magic number was also MZ. It ran better than the previous sample since it bypassed zipfile.py and you can see its internal apk information. If you need this sample, leave your email or drop me a

Hey AndroGuard, I will crash you or your Python buddy!

2013-03-13T11:40:00.001-07:00

AndroGuard is a popular tool to be used to analyze android APK files by security professionals. Quite a few APK analysis tools have been built based on it. They usually call Python library to unzip APK files before reverse-engineering. No wonder some android malware were trying to applied some anti-debugging tricks to crash AndroGuard or Python, just like what PC malware had done on Ollydbg and

Door-to-Door Worm Cleaner

2013-03-08T19:03:00.000-08:00

Stop me if you’ve heard this one before. I’m telling a new acquaintance that I work in IT, particularly the security sector. “Neat…so my computer has been running slow recently…” I want to make a good impression so I schedule some time and roll up my sleeves for however long it may take. Given that this is someone else’s PC, I’m not going to risk plugging in any of my personal equipment to

Android application obfuscation

2013-03-07T10:53:00.002-08:00

I had the opportunity to attend 2013 RSA last week. Compared with less than five vendors last year, there were more than 20 vendors focusing on mobile security. I found something interesting on android application obfuscation. Arxan was one of them. This company showcased its Mobile Application Protection Suite to protect code integrity and intellectual property from reversing engineering mobile

The move to plugin-free browsers

2013-02-22T12:57:00.000-08:00

Apple was the first major player to offer a browser with no plugins with Safari for iOS. Even the very popular Flash plugin cannot run in the browser. However, no vendor, including Apple, has had such restrictions on their desktop products. Microsoft has now also gone plugin-free with Internet Explorer 10 Metro. This version of Internet Explorer does not support plugins (except for the embedded

“Say cheese!” Let’s take a picture for you guys, packer families.

2013-02-08T17:37:00.000-08:00

<!--[if gte mso 9]>

HTTPS Everywhere for IE: faster, auto-update enabled

2013-02-08T13:12:00.000-08:00

I've released HTTPS Everywhere for Internet Explorer v0.0.0.3. Additional details about the update can be found in the version history of the PDF documentation. Changes in 0.0.0.3 Faster start up The start up time is now much faster. You should no longer receive a popup from Internet Explorer asking you to disable certain add-ons. I also switched to a different XML parser to load the HTTPS

Super Bowl 2013 Web Traffic

2013-02-05T09:23:00.003-08:00

It's always fascinating to see how a major global event can impact Internet traffic patterns. There aren't many sporting events larger than the Super Bowl, so we took a look at the web traffic that we were seeing on the day of the event and leading up to it. Even though Zscaler has enterprise customers and therefore most traffic traverses our cloud during the work week, an event the size of the

Is your Windows 8 packed?

2013-02-01T11:34:00.000-08:00

Windows 8 is HOT! Security researchers are busy finding Windows 8 vulnerabilities while users are figuring out how to find the restart button in the new interface UI. Windows 8 is definitely one of the big targets for hackers in 2013 based on McAfee 2013 Threats Predictions report. Currently, more than 60% of malware samples are packed by PE packers. What is a packer? A packer is a type

HTTPS Everywhere for Internet Explorer: source code and new version available

2013-02-01T10:31:00.000-08:00

I have released the source code for HTTPS Everywhere for Internet Explorer on GitHub as promised in the last blog post. You need Visual Studio Profession 2010 to compile the project and NSIS to build the installer. Feel free to submit patches and open issues directly via GitHub. If you missed the previous post, we have ported the browser extension HTTPS Everywhere (Firefox and Chrome, offered