Latest Stories

Storm is b-a-a-a-a-ack

Hi folks,

As you've probably noticed, Storm is back for Christmas. There are only two noteworthy points about it.

The first is that they've added another fairly new exploit to it, and that is for something called GomPlayer, or the Gretech Online Movie Player, which is apparently very popular in South Korea.

The exploit is from October 2007, and is explained here, http://www.milw0rm.com/exploits/4579, but the key point is that if you're using GomPlayer, you're potentially vulnerable.

Arthur C. Clarke dies, and Space.com gets hacked!

Can't you see the pattern emerging??

Seriously though, uplink.space.com (careful) has had an iframe injected into it, and it's reaching out to another seemingly hacked site (www.forvideo.at - careful), and launching an encrypted javascript

Unfortunate hack at tax time

Hi folks,

We noticed a couple of Alabama county websites have been hacked, with a Neosploit call out to a website in Germany.

The two websites are...

hxxp://www.co.blount.al.us/ and
hxxp://www.blountrevenue.com/

(The actual exploit server in Germany seems to be 404 at the moment, but you should still be careful)

The second one is more interesting, particularly given the time of year. The front page looks like this ...

google defames saints ... bolts of lightning fall

I'm kidding, I'm kidding!!!!!!!

Update number 2: Feb 26, 2008, 6:30am EST

Dang, that was quick. Some of the sites, such as St Kilda, and the Geelong Cats sites, are now correctly marked as clean. They're not all correct though ... the Brisbane Lions site is still incorrectly marked as dangerous, for example, but that was still quick for the others, and we hope that all will shortly be corrected. Shout-outs to google for reacting quickly!

Update number 1:

MalwareAlarm

Hi folks,

MalwareAlarm is so common now, we decided to give it its own vid. Remember, it's not really scanning your PC, it's just pretending to, but it does a very good job of pretending. Enjoy...

Cheers

Roger

New Exploit Targets Corporate Users of CA Apps

Update: We should note that CA has offered a patch for this vulnerability. What is not clear is how widely adopted that patch is.

Hi folks,

On about March 17, 2008, some folks, such as FrSIRT, started talking about a vulnerability in a DLL/OCX used in various CA products. See http://www.frsirt.com/english/advisories/2008/0902, for example.

Today we found it in the wild, in none other than a new NeoSploit framework.

This means several things...

Firstly, the Neo developers are _very_ active.

Grisoft acquires XPL

Hi folks,

Sorry for not writing something sooner... it's been a busy few days. We're pleased to announce that we've been acquired by Grisoft, the developer of AVG. Nearly all the tech and marketing folk, including me and the other researchers from XPL, are joining Grisoft, and we're all very excited about it.

AVG is a great little anti-virus program, with a huge number of users, and we're looking forward to adding our software to their product. I expect that standalone LinkScanner will continue to exist as long as there are users for it.

Internet Explorer 8 XDR Persistent DOS.

*UPDATE* I placed the wrong PoC. I had several test cases, and the one below should work.

Abstract.

Wow... this was quick

Hi folks,

I'm sure most people know about the horrific attack on the poor NYC psych. In the news tonight, we noticed that the police had arrested someone named David Tarloff for allegedly being the perp. With the web being what it is, we often find that if you look quickly, you can find personal pages about these people, often before the police get them taken down. Ok, it's a little morbid, but it's interesting at the same time.

So, when we googled for David Tarloff, here was the result...

PCAP file editing tool

from Marco Crotta:
"Hello

I recently wrote a small C program to modify PCAP files,
to forge them and use them for tests and so on.
It allows you to change:
- IP address of packet
- MAC address of packet
- time of the capture
- Mbit/second
- Packets/second"
download here....

GPack

Correction: Sorry folks... there's so much happening at the moment, I've merged a couple of kits in my mind. It's not a mix of vbscript and javascript. It's just javascript, and thus far, we've only seen one exploit come out of it ... a mouldy, old MS06-014, although we expect there are more than that. The rest of the write-up is reasonably accurate, and we'll continue to correct things as we find more.

Hi folks,

Well, there goes the Montana option

or at least the Idaho variant.

Hi folks,

One of our in-house jokes is that the only real way to be safe on the Internet is to sell all your computers and move to Montana.

Regrettably, today we noticed that the innocent and bucolic-sounding boise.com was showing up as carrying a link to a known exploit site.

Thinking it couldn't possibly be so, we went to look at the website thusly...

UK .gov site hacked

Note: One of our users, John Thomson (no relation as far as I know :-) ) noticed this first and brought it to our attention. His blog entry is here ...
http://www.roundtripsolutions.com/blog/2008/02/06/317/forth-road-bridge-website-hacked/

Sorry John! :-)

Hi folks,

Sometime between the 1st Feb 2008 and the 3rd of Feb 2008, the official website for the Forth Estuary Transport Authority was hacked, and an obfuscated iframe, using Neosploit encoding, was injected.