Category: Virus Internals

01/08/08

10:30:16 pm, by dave
Categories: Security, Virus Info, Virus Internals

A Quick Look at the Windows Media Player Plug-In EMBED Overflow Exploit

During July 2007, I noticed some sites serving up pages that were trying to take advantage of the Windows Media Player Plug-In EMBED Overflow Universal Exploit (MS06-006). So I took some time to dig through one of the pages just to see what it was doing. I have waited a few months to post this, just to make sure everyone has had enough time to patch, update, and otherwise protect their systems. I figure 6 months should be enough time for even the busiest folks to get their stuff updated, and that any addresses referenced here would be dead. At the time of this writing, the address was not active.


01/15/07

07:50:56 am, by dave
Categories: Security, Virus Info, Virus Internals

Anatomy of an AutoIt wrapper for a virus - W32.Imaut.S worm (vnn.exe)

I was looking through some suspicious files last night. I am way behind on this, so this information, while interesting, may be a little dated.

Through my travels I had discovered a web site that was using the RDS DataSpace object to download and execute virus code on unsuspecting visitors. I was curious about the downloaded executable so I grabbed it and the web page for further review. The downloaded file was named vnn.exe on the server, which was identified as W32.Imaut.S worm by Symantec.


IS Security

Thoughts, ideas, and concerns about Information security.
