community news

Community news and analysis: January 2015

Posted on February 6, 2015 - 13:44 by ccondon

General security news

Google looks back on how its security rewards programs did in 2014 and details a new vulnerability research grant it will offer in 2015. (Google Online Security Blog Jan 31)

Mozilla on referers [sic]: “This HTTP header has become quite problematic and not very useful...What’s needed is a better way for referring sites to reduce the amount of data transmitted and thus providing a more uniform referrer that’s less privacy invasive.” Firefox 36 Beta supports a “meta referrer” feature that gives sites tighter control over their referrers. (Mozilla Security Jan. 21)
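To make the privacy point concrete, here is an added example (not Mozilla's code, and not from the Firefox implementation) that computes the Referer header a browser would send for each referrer policy. It uses the policy names from the later W3C Referrer Policy spec (`no-referrer`, `origin`, `no-referrer-when-downgrade`, `unsafe-url`); the assumption is that these correspond to the tighter controls the "meta referrer" feature offered, since the exact tokens accepted by Firefox 36 Beta are not given above. The sample URLs are constructed.

```python
from urllib.parse import urlsplit, urlunsplit

# Policy tokens from the W3C Referrer Policy spec (assumption: Firefox 36 Beta's
# draft implementation may have used different token names for the same ideas).
POLICIES = ("no-referrer", "origin", "no-referrer-when-downgrade", "unsafe-url")


def meta_tag(policy):
    """The page-level opt-in: a <meta name="referrer"> tag carrying the policy."""
    if policy not in POLICIES:
        raise ValueError(f"unknown policy: {policy}")
    return f'<meta name="referrer" content="{policy}">'


def _host_port(parts):
    host = parts.hostname or ""
    return f"{host}:{parts.port}" if parts.port is not None else host


def _stripped(url):
    """Full URL as it appears in a Referer header: no userinfo, no fragment."""
    p = urlsplit(url)
    return urlunsplit((p.scheme, _host_port(p), p.path or "/", p.query, ""))


def _origin(url):
    """Only scheme://host[:port]/ survives."""
    p = urlsplit(url)
    return f"{p.scheme}://{_host_port(p)}/"


def referer_for(policy, source, destination):
    """Return the Referer value sent when navigating source -> destination,
    or None when nothing is sent."""
    if policy not in POLICIES:
        raise ValueError(f"unknown policy: {policy}")
    if policy == "no-referrer":
        return None
    if policy == "origin":
        return _origin(source)
    downgrade = (urlsplit(source).scheme == "https"
                 and urlsplit(destination).scheme == "http")
    if policy == "no-referrer-when-downgrade":
        return None if downgrade else _stripped(source)
    return _stripped(source)  # unsafe-url: everything but fragment/userinfo


if __name__ == "__main__":
    # Constructed sample: a logged-in page whose path and query identify the user.
    src = "https://user:pw@shop.example/account/orders?id=42#top"
    for policy in POLICIES:
        print(f"{policy:28} -> {referer_for(policy, src, 'http://ads.example/px')}")
```

Running the block shows the trade-off directly: `unsafe-url` leaks the path and query string to the third party, `origin` reveals only `https://shop.example/`, and the downgrade-aware policy sends nothing at all to a plain-HTTP destination.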

Mozilla is also progressing in its project to phase out certificates with 1024-bit RSA keys. See the post for a list of affected root certificates. (Mozilla Security Jan. 28)

A WordPress security Q&A with VaultPress Vaultkeeper and lead developer Mark George (Automattic Jan. 30)


Qualys, SiteLock, and Sophos on what you need to know about the much-mentioned GHOST vulnerability in the Linux glibc library. Patches were available as of Jan. 27, 2015.

Qualys (Jan. 21 and Feb. 2) and Sophos (Jan. 23 and Jan. 24) have also offered excellent coverage of multiple recent Adobe zero-day vulnerabilities.

Webmaster warnings from Sucuri: Security vulnerabilities in Pagelines and Platform themes for WordPress (Jan. 21), remote code execution vulnerability in vBSEO (Jan. 13), and a fake “mobile-shortcuts” WordPress plugin that injects SEO spam into websites. (Jan. 30)


CTB-Locker: New campaigns spread malware that demands Bitcoin ransoms from victims; Poland, the Czech Republic, and Mexico have the highest infection rates. (ESET Jan. 21)

Apparently, it’s such an ordeal for Belarusians wanting Polish visas to get an appointment at the Consulate of Poland that someone created a botnet with the express purpose of filling out forms to secure an appointment slot. Yes, really. (ESET Jan. 29)

5 ways to protect your website from malware (SiteLock Jan. 20)

Fortinet malware analysis: Cracked version of an old Andromeda botnet malware variant spreads Bitcoin miner (Jan. 7), analysis of recent VBA macros (Jan. 6)

After a multinational takedown operation in December 2013, the ZeroAccess click fraud botnet has reappeared. At the end of January 2015, around 50K computers were compromised by the resurgent botnet, although researchers noted it doesn’t appear to be growing. (Sophos Jan. 31)

A mid-January malvertising campaign abused AdSense to redirect users to fake health websites. (Sucuri Jan. 14)


Community news and analysis: December 2014

Posted on January 16, 2015 - 14:12 by ccondon

Here's a quick (late) roundup of security community happenings from last month. Naturally, the SoakSoak malware campaign has been foremost on our minds, but December brought a number of other announcements and some neat malware analysis from our partners, too.

Security news

  • Google released the code for its End-to-End Chrome extension as open source (GitHub repository). As of last month, the extension, which enables end-to-end encryption for Gmail within Chrome, was not yet ready for the Chrome Web Store.
  • Qualys on December Patch Tuesday


  • ESET and Sophos on Win32/VirLock, a parasitic, polymorphic hybrid strain of ransomware
  • Sucuri on the massive SoakSoak malware campaign, the RevSlider vulnerability that led to it, and infection evolution
  • Automattic on scanning for SoakSoak and how to begin fixing a compromised site
  • Fortinet: Analysis of a JAR obfuscated malware packer

Community news and analysis: September/October 2014

Posted on November 4, 2014 - 16:19 by ccondon

We’ve been extra busy at StopBadware this fall. We're organizing some cool research, we trained a fabulous new website tester (check out last week’s website PSA), and we attended a few different security conferences and meetings. Our community news roundup this week covers both September and October.

Featured news: A trio of security vulnerabilities

Shellshock: A serious security vulnerability was discovered in bash, a widely used command shell on Unix, Linux, and Mac OS X systems. When exploited, the bug allows attackers to run arbitrary shell commands on vulnerable servers. See excellent coverage from Automattic, SiteLock, Fortinet, and CloudFlare.

POODLE: Google researchers disclosed a vulnerability in SSLv3 that can allow an attacker to recover private information from within an encrypted session. POODLE affects any browser or site that supports SSLv3. Sites still supporting this version of SSL should move to a newer version of TLS. See our partners’ coverage of POODLE: Google, Mozilla, Qualys, Fortinet.
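Since the practical advice here is "stop offering SSLv3", an added example (not from any of the partners above) shows how to audit server configuration for it offline. It checks nginx `ssl_protocols` and Apache httpd `SSLProtocol` lines, with the weak setting beside the corrected one in a constructed sample config. The expansion of Apache's `all` keyword to SSLv3 plus the TLS versions is an assumption based on the httpd 2.4 documentation for OpenSSL 1.0.1 and later.

```python
import re

# Constructed sample config lines; not taken from any real server.
SAMPLE_CONFIG = """
# nginx, weak: SSLv3 is still negotiable
ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;
# nginx, corrected
ssl_protocols TLSv1.2;
# Apache httpd, weak: subtractive syntax that only drops SSLv2
SSLProtocol all -SSLv2
# Apache httpd, corrected
SSLProtocol all -SSLv2 -SSLv3
"""

NGINX = re.compile(r"^\s*ssl_protocols\s+(.+?)\s*;")
APACHE = re.compile(r"^\s*SSLProtocol\s+(.+?)\s*$")
WEAK = {"SSLv2", "SSLv3"}


def nginx_protocols(spec):
    """nginx lists exactly the versions it will negotiate."""
    return set(spec.split())


def apache_protocols(spec):
    """Apache uses additive/subtractive tokens; 'all' is expanded per the
    assumption in the lead-in (SSLv3 and every TLS version, never SSLv2)."""
    enabled = set()
    for tok in spec.split():
        if tok.lower() == "all":
            enabled |= {"SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2"}
        elif tok.startswith("-"):
            enabled.discard(tok[1:])
        else:
            enabled.add(tok.lstrip("+"))
    return enabled


def audit(config_text):
    """Return (line number, directive, sorted weak versions) for every
    protocol directive found, so the report shows the good lines too."""
    findings = []
    for lineno, line in enumerate(config_text.splitlines(), 1):
        m = NGINX.match(line)
        if m:
            enabled = nginx_protocols(m.group(1))
        else:
            m = APACHE.match(line)
            if not m:
                continue
            enabled = apache_protocols(m.group(1))
        findings.append((lineno, line.strip(), sorted(enabled & WEAK)))
    return findings


def weak_lines(config_text):
    """Line numbers that still allow SSLv2 or SSLv3."""
    return [lineno for lineno, _, weak in audit(config_text) if weak]


if __name__ == "__main__":
    for lineno, directive, weak in audit(SAMPLE_CONFIG):
        status = f"WEAK ({', '.join(weak)})" if weak else "ok"
        print(f"line {lineno}: {directive}  ->  {status}")
```

The Apache case is the one that catches people: `SSLProtocol all -SSLv2` reads like a hardening line but leaves SSLv3 enabled, which is exactly what POODLE needs.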

Highly critical security vulnerability in Drupal: We can't stress this one enough. On October 15, the Drupal team released a highly critical security advisory about a SQL injection vulnerability in Drupal core. On October 29, Drupal published a follow-up PSA stating that automated attacks began compromising vulnerable Drupal sites as soon as the initial security advisory was released, and that webmasters should assume every Drupal 7 website was compromised unless it was updated within seven hours of the October 15 disclosure. Sophos and Sucuri have more details.

Malware news and analysis

ESET: Two recently patched Adobe Flash exploits now used in exploit kits, an excellent technical paper on bootkits (PDF via Virus Bulletin), another great paper on the evolution of webinject, and details on August BlackEnergy PowerPoint campaigns.

Fortinet: A look at the crypto in Android’s Emmental malware (see also Axelle Apvrille’s post on how to undermine the malware and redirect intercepted messages), a new variant of third-generation Pushdo malware, and the evolution of Tinba malware.

Sophos: A resurgence in VBA malware, what you need to know about the Sandworm zero-day malware, and a (Down Under) speed camera phish that leads to CryptoLocker-esque ransomware.

Sucuri: Manipulating WordPress plugin functions to inject malware, WordPress websites still being hacked via MailPoet plugin vulnerability, CMD process contributing to reinfection on Microsoft IIS servers.

Other security news

Google on strengthening two-step verification with Security Key: “Security Key is a physical USB second factor that only works after verifying the login site is truly a Google website.”

Mozilla on implementing a faster Content Security Policy, and why using CSP improves security for those building new websites.