Websense Security Labs Blog

Websense Security Labs discovers, investigates and reports on advanced Internet threats that traditional security
research methods miss.

(December 2010) Posts

In 2011, this exploit kit won't work

Posted: 30 Dec 2010 10:30 | Chris Astacio | 1 comment(s)


And some Web sites will be a lot safer! While reviewing incidents and deobfuscating a Web site today, I discovered an installation of a particular exploit kit that won't work after New Year's Eve. The site I found caught my attention because the code simply looks like garbage. As the saying goes, "One man's trash is another man's treasure." So I started digging into the obfuscation of the code and found something that I thought would be topical considering today's date. The code in this exploit kit will actually expire at midnight on New Year's Eve local time! In this post, I'll cover how I came across this and show you how and why the exploit kit installations will expire.

Here is a screen shot of the code in the original state as I found it:

...


Installation Protection Mechanisms of Phoenix Exploit's Kit

Posted: 27 Dec 2010 12:00 PM | Chris Astacio | 2 comment(s)


As part of my research within Websense Security Labs, I collaborate with a group of researchers tasked with profiling exploit kits.  This helps us refine the analytics used in ACE, our Advanced Classification Engine.  In this post I want to cover the installation of Phoenix Exploit's Kit.  I'm not going to tell you how to install and use it, but I will cover some of the more interesting aspects of installation.  Specifically, I want to cover how the developers protect their code from being reverse engineered and how the developers have attempted to keep researchers from poking around in installed kits. 

...


This Month in the Threat Webscape - November 2010

Posted: 13 Dec 2010 06:32 PM | Jay Liew | no comments


Month of November: Major Hits

Amnesty International's Web site in Hong Kong was compromised and was attempting to infect its visitors using various exploits for Adobe Flash, Adobe Shockwave, Apple QuickTime, and even the latest zero-day for Internet Explorer. In other parts of Asia, India's number...
