RFI Attacks

Exploits Employed by Gumblar

Gumblar compromises clients using two different exploits. The first is an Adobe Acrobat PDF exploit, CVE-2008-2992, and the second is an Adobe Flash exploit. Unfortunately I haven’t been able to figure out which Flash exploit is employed, as decoding Flash is not an expertise of mine.
Here is the Wepawet output of the exploit script employed [...]

Facebook Phish – bestspace.be

Let’s take a look at a Facebook phish I received recently. I received this message from a friend:
XXXXX sent you a message.
Subject: Hi
“Look at bestspace.be”
I’ve included a screenshot of the site below; note that it looks like the Facebook login page, complete with the poor spelling of “helps”.
The form sends your stolen credentials back to bestspace.be [...]

Inside the Massive Gumblar Attack

I first found out about Gumblar a couple of days ago via one of ScanSafe’s blog posts. Responsible for 42% of “all malicious infections found on websites” (Sophos) during a 7 day period, Gumblar (JSRedir-R) has been extremely effective at propagating. Many bloggers have been focusing on the script involved in the attack, not so [...]

17,400 sites affected by Fx29 – RFI pt2

For my next installment on RFI attacks we will look at the extremely popular Fx29 shell.
To find out whether you or someone else has been compromised with this shell, search for the following:
intitle:”FaTaLisTiCz_Fx”
At the time of writing, the above search query returns 17,400 matches, which certainly indicates the prevalence of this shell.
Here is what the [...]

Remote File Inclusion Attacks – pt1

One of the constant threats out on the internet is the Remote File Inclusion (RFI) attack. This class of threat is simple to execute and can yield very valuable results for the attacker. With the multitude of web applications out there, new vulnerabilities are constantly being discovered. The subject is rather large, so I will have [...]

Sources of Badness – ZlKon – Round 2

It’s my first day back on the job and I decided to do a little hunting to see what this notorious hosting provider has been up to while I was gone. Unsurprisingly, we saw a large number of attacks from this hosting company. They all appear to be fake anti-virus related.
Given the age of [...]