Video Screencast Help

Security Community Blog

Showing posts tagged with 11.x
Showing posts in English
vikram3500 | 23 Apr 2009 | 2 comments

 Very interesting article i read the past hour up

Marshal8e6, a global provider of Secure Web Gateway and email security products, announced today the findings of its extensive botnet research conducted by the company's TRACElabs threat research group. The data, compiled during the first quarter of 2009, represents two years of in-depth research and observation which provides detailed analysis of the inner workings of major botnets that Marshal8e6 has identified as the biggest spammers.

As part of the study's findings, TRACElabs determined that the Rustock and Xarvester malware provided the most efficient spambot code, enabling individual zombie computers to send 600,000 spam messages each over a 24 hour period.

More of the Article at http://www.darkreading.com/security/vulnerabilities/showArticle.jhtml?articleID=217000203&subSection=Antivirus

Symantec World | 23 Apr 2009 | 0 comments

Hi All,

You want your network secure so have to folow the following points.

• File system protection
Consider how your network resources should be protected. All file servers should have an antivirus solution that actively scans the file system in real time so that, as files are modified or added, the antivirus application can quarantine or repair the affected files before they spread to client systems or other servers. The server should also be protected at the file system level in other ways. For example, all Windows servers should use NTFS, since FAT offers essentially no security. You should also eliminate unnecessary shares, require share permissions for all shares, and use hidden shares where possible to further protect the server from worms that propagate through unprotected shares.

• Don't open an attached file if you do not know what it is, who sent it to you, or you were not expecting it (even if it is from somebody that you know.)...

SAM_SHAIKH | 23 Apr 2009 | 3 comments

W32.Sality

Overview
W32.Sality is a parasitic virus which infects shared drives and Windows executable files by putting its code to host files. It contains downloader functionality to further install Trojan or key logger components. Sality opens a backdoor that allow the remote attacker to get the full control over the infected computer and in turn the confidential information, representing a serious security risk.

Aliases
Microsoft - Virus: Win32/sality.am
Kaspersky - Virus.Win32.Sality.aa

Symptoms
W32.Sality has the following symptoms:

• Modifies System.ini files (Check for the modified date)
• Services listening on the network port(s).
• Unexpected network trafic to one or more of the domain(s).
• No access to File Monitor.
• Disables Safe mode boot
• Disables regedit and taskmanager
• Disables Antivirus

Characteristics
Upon execution, it starts...

BNH | 21 Apr 2009 | 1 comment

In the past, we see threats modify Windows host file to redirect AV vendor websites to 127.0.0.1 loopback address.
Some security software also injects known bad URLs into the same host file with 127.0.0.1 loopback address.

Well nowadays the bad guys are getting smart and does more advanced stuff than host file modification.

In few recent malwares [ie. Conficker aka Downadup], we see that infected machines are unable to access AV vendor sites although the host file is empty.
And ping to av website yield a 127.0.0.1 address resolution.

Well now there are a few tricks we can do to evade this issue.

Its an old trick by removing DNS cache on our machine and check it everytime required to the DNS server.
Microsoft has a KB for this as written in support.microsoft.com/kb/318803 .
It is as simple as typing : 'net stop dnscache' or 'sc servername stop...

binayak | 20 Apr 2009 | 6 comments

Copy the contents of the following folder

C:\Program Files\Symantec\Symantec Endpoint Protection Manager\Inetpub\ClientPackages\<your own group id here>\full

to a network share ex. \\someserver\sep that every user has read/execute access to

Then create a Group Policy Object to run the following script (.bat file) at login/startup (this can also be used with landesk and psexec):

  1. IF EXIST "c:\Program Files\Symantec\Symantec Endpoint Protection" GOTO END
  2. NET USE Z: \\someserver\sep /PERSISTENT:NO
  3. z:\setup.exe /s /v"/qn"
  4. NET USE Z: /DELETE
  5. :END
     
ShadowsPapa | 20 Apr 2009 | 0 comments

I was facing another issue - being a gov't agency, we run at short staff all the time. The boss wants central management of everything, but that still takes people to manage it.
One of the things deemed most critical is the antivirus protection on our clients. Yes, there are audits one can perform, be it by SMS (but it has to know what to look for) or by Symantec's own products, but that takes people to RUN the audit, then filter through and understand what one is seeing. And if you have 45 different subnets, then searching computers via subnet is painstaking. There's the old "get a list from xxx and search from that list" trick, but computers constantly change, they must be turned on to successfully audit, and what if they are off at that very moment of your audit? Some were always falling through the cracks.
There is only one constant - any time a person here logs in, they run our login script. Period. I've found not exceptions (hope not, I set it up that...

erikw | 20 Apr 2009 | 2 comments

Thousands of websites have been rigged to deliver a powerful piece of malicious software that many security products may be unprepared to handle.
An earlier version of Mebroot, which is what Symantec named it, first appeared around December 2007 and used a well-known technique to stay hidden. It infects a computer's Master Boot Record (MBR). It's the first code a computer looks for when booting the operating system after the BIOS runs.
Read more on:

http://www.computerworlduk.com/management/security...

khaley | 01 Apr 2009 | 0 comments

Conficker; there has probably never been a virus or worms with so much written about it.  And now that’s it’s April 1st and the world has not come to an end, many people are no doubt questioning whether Conficker was a bust and nothing we didn’t needed to worry about, if the threat itself was over hyped, and it all the electronic ink spilled about this threat was worth it.  I’ll give you my opinion, but first a status update of Conficker.

 

April 1st has come and as predicted machines infected with Downadup.C have switched to the new communication algorithm.  But when these infected machines are able to communicate back to a Command & Control server they are not getting updated with a malicious code payload.  In other words, no large or small, malicious attack has been unleashed by Conficker.

So is Conficker a bust for the bad guys?  No.  One thing we can tell about this worm is that whoever...

HimalayanITGuy | 30 Mar 2009 | 2 comments

 

"Many have been worrying that the Conficker worm will somehow rise up and devastate the Internet on April 1. These fears are misplaced, security experts say. April 1 is what Conficker researchers are calling a trigger date, when the worm will switch the way it looks for software updates. But the worm has already had several such trigger dates, including Jan. 1, none of which had any direct impact on IT operations, according to Phil Porras, a program director with SRI International who has studied the worm. 'Technically, we will see a new capability, but it...

Symtec Exp | 28 Mar 2009 | 0 comments

Hi,

Has anybody come accross a situation where system restarts in mdist of  Endpoint installation and installation doesn't complete?
Please tell me how to overcome this situation without formatting the computer.

Thanks in advance.