
Security Response

Showing posts tagged with Endpoint Protection (AntiVirus)
Livian Ge | 29 Dec 2009 | 0 comments
eMule is a very popular Internet file-sharing platform: users can share files quickly and download all kinds of files from the Internet at high speed. However, attackers also take advantage of this channel to spread malware. W32.Noobert is one such worm.
W32.Noobert infects .exe and .scr files on the victim computer's disks. After infection, when the user runs one of these files, the worm extracts itself to the %TEMP%\NOO%RANDOM% directory and continues infecting files. In addition, it randomly deletes files with the extensions *.avi, *.xls, *.jpg and *.doc, and it disables Windows File Protection by setting the registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\NT\CurrentVersion\Winlogon\"SFCDisable" = "1" and modifying the system file SFC_OS.dll under %System%\ and %System%\dllcache\.
W32.Noobert also copies itself into eMule's incoming directory so that it spreads through the eMule file-sharing network. We therefore recommend that users scan files downloaded from P2P sharing networks with Norton security software before opening them.
Patrick Fitzgerald | 29 Dec 2009 | 0 comments

Over the last few days there have been many articles written about an issue in Microsoft’s Internet Information Services (IIS).  This issue allows an attacker to bypass normal security restrictions when uploading a file to a Web application running on a vulnerable version of IIS.  This issue could allow an attacker to upload and execute arbitrary code with the privileges of the Web server.

There are varying reports on the severity of this issue, but according to Microsoft only poorly configured Web servers are at risk from this issue:

“An attacker would have to be authenticated and have write access to a directory on the web server with execute permissions which does not align with best practices or guidance Microsoft provides for secure server configuration.”

...

Livian Ge | 23 Dec 2009 | 0 comments
Threat type: Trojan
Affected operating systems: Windows 95/98/2000/Me/XP/Vista/NT, Windows Server 2003

Trojan.Pidief.H is a Trojan that exploits a still-unpatched zero-day vulnerability in Adobe Reader and Acrobat (CVE-2009-4324). It uses this vulnerability to drop and run malicious programs on the compromised computer.

The malicious file is dropped into the Temp directory and renamed AdobeUpdate.exe in order to deceive the user. Attackers can choose different dropped files according to their intent, such as stealing the user's confidential information or drive-by downloading of other malicious files. The Trojan may arrive on the victim's computer as an email attachment in the form of a PDF file containing special JavaScript, luring the user into opening the attachment; compromised web pages hosting the exploit are another way it spreads.

Adobe has not yet released a patch for this vulnerability, so users need to be especially careful. We recommend that users avoid visiting suspicious websites and do not open email attachments of unknown origin.

John McDonald | 21 Dec 2009 | 0 comments

Theft
As we discussed in Part I, the primary purpose of Qakbot is to steal information from the compromised computer. In addition to targeting login details for FTP, POP3 and IMAP, the worm also attempts to steal cookies - not only regular browser session cookies but also Flash cookies. A discussion of Flash cookies is beyond the scope of this article, but be aware that, unlike traditional browser cookies, Flash cookies are not controlled through the cookie privacy controls in a browser, which means they cannot be cleared or deleted in the simple manner that normal tracking cookies are removed.

Qakbot uses several techniques to collect private keys from the system certificates contained on the compromised computer. First, it replaces all certificate-related dialog boxes so that the “OK” button is automatically pushed as soon as the dialog is created...

Shunichi Imano | 20 Dec 2009 | 0 comments

Motive
We recently had the opportunity to revisit a threat that first appeared on our radar back in May of this year. W32.Qakbot (hereafter referred to as Qakbot) is a somewhat benign worm that is capable of spreading through network shares, downloading additional files and opening a back door on the compromised computer, all in aid of its ultimate goal. Benign not because it is harmless - stealing login details, reporting keystrokes and uploading system certificates is malicious behavior indeed - but as will become obvious as we describe it in more detail below, because it moves slowly and with caution, trying not to bring attention to its presence.

The motive of Qakbot is quite clear: to steal information. Taking a peek under the proverbial covers, we see that it uses several components to accomplish the task, including the following:

  • ...
Samir Patil | 18 Dec 2009 | 0 comments

Spammers are recycling their old spamming methods after more than two years. Symantec reported an .mp3 version of pump-and-dump stock spam back in October 2007.

In this recent spam attack, a small .mp3 file promoting a meds domain is attached in the email messages. These email messages contain no subject line or message body. The .mp3 file is a five-second message recorded in a female voice and promotes a particular meds domain. The file is approximately 11 KB in size and recorded at a 16 kbps bit rate. The voice is heavily distorted with background noise. The domain name described in the file is a recently registered domain in China.

Some of the random filenames used are as follows:

milksoppy.mp3
enwomb.mp3
realiser.mp3
escort.mp3
recarboniser.mp3
unlights.mp3
scathing.mp3
byproduct.mp3
lewes.mp3
micrometers.mp3
...

Hon Lau | 18 Dec 2009 | 0 comments

Those looking to see the latest 3D blockbuster movie, The Avatar, on the cheap will have to take great care in what they search for. We have become aware of at least one site that has been rigged to redirect users to a page that presents the now-familiar "play video/need codec" screen. In an unusual twist, this time it is offering a new ActiveX update rather than the usual codec or Flash player updates.

[Image: FreeAvatarMovie_2.png]

[Image: avatar2_2.png]

Clicking on the play button or icon will send a request to update-activex.com, which will then eventually offer you a file named along the lines of Activex_Setup[1].45158.exe from the standardmultimedia.com domain. This is now detected as Trojan.FakeAV.

In addition to this malware page...

Mircea Ciubotariu | 17 Dec 2009 | 0 comments

We have recently learned of yet another zero-day exploit in Adobe Acrobat. This time it's an overflow for a special type parameter in a function provided by the multimedia.api plugin that can be manipulated from JavaScript in the following manner:

media.newPlayer(null)

Somewhere deep in newPlayer, deinit_obj is set as the handler for deleting the object when it's no longer needed:

[Image: code1.png]

And eventually deinit_obj calls the destroy function from the object's v_table:

[Image: code2.png]

...

Livian Ge | 16 Dec 2009 | 0 comments

Right at the year-end holidays, a new zero-day vulnerability (CVE-2009-4324) has been disclosed in Adobe Acrobat and Adobe Reader.

This Adobe Reader and Acrobat 'newplayer()' JavaScript vulnerability is located in the multimedia plugin Multimedia.api. Current attacks on this vulnerability are delivered mainly through PDF files containing special JavaScript. Such specially crafted PDF files may reach the user's computer as email attachments that lure the user into opening them. Symantec has released the definition Trojan.Pidief.H for this threat.

When a user opens such a PDF file, the attacker exploits the flaw in the newplayer() function. The flaw appears while newplayer() creates the player object: passing null as the object-creation parameter forces Adobe Reader to throw an exception during parameter checking for the player object, and its handler then accesses an object pointer that has not finished initializing, causing a crash, as shown in Figure 1.

...

Vivian Ho | 16 Dec 2009 | 0 comments

We’ve monitored a great deal of Christmas sales spam (in English) for the upcoming holiday. Compared to English holiday spam, Chinese spammers seem to have fewer activities for Christmas, most likely because it is not a major holiday in the Chinese calendar. The Christmas holiday is popular among younger Chinese generations, however, and shopping for gifts is still expected. We have observed a couple of notable Chinese samples covering the topic of Christmas shopping. In the first sample, a spammer has sent a random Christmas sales ad, and we found that the spammer purposely set the promotion text background color in gray (<FONT style="BACKGROUND-COLOR: gray" color=gray>); you have to highlight the gray line in order to see the promotion text. In the header we observed a forged and randomized “From” alias. They used a shortened URL service in the body image, which led to an actual business website.

Sample Header:
...