
Security Response

Showing posts tagged with Endpoint Protection (AntiVirus), by Elia Florio
Elia Florio | 23 Feb 2009 | 0 comments

Editor’s Note: This is the concluding article in Symantec’s multi-part series covering specific and interesting aspects of W32.Downadup.

The conclusion of my previous blog posed an interesting question to readers: “...seeing as the list of the future domains was publicly disclosed on the Web, why hadn’t any other cyber criminals taken advantage of the predictions?” Antivirus companies and many independent security researchers were able to crack the domain prediction algorithm used by the worm, so it is reasonable to believe that other people were able to achieve the same result, but with different intentions. In fact, predicting what the next domain will be creates the perception that someone can take control over the botnet, and, for example, start pushing a bank Trojan to these millions of...

Elia Florio | 19 Feb 2009 | 0 comments

Back in 2008, the infamous MBR rootkit (a.k.a. Mebroot or Sinowal) proved to be one of the most complicated pieces of malicious code ever seen. Clearly written by professional developers, the Mebroot rootkit has pushed stealth technologies to an extreme level in order to support a bigger criminal project.

In fact, Mebroot can be considered as a real e-crime platform that binds itself to the core of the operating system in order to provide support to the higher layer of modules, designed to steal sensitive information for access to bank accounts. This speculation became a fact in November 2008, when law enforcement and a group of researchers were able to gain access to a remote server used by the Mebroot gang, where it was soon discovered that the servers contained around 500,000 stolen credit card and bank account numbers.

We have posted some...

Elia Florio | 22 Jan 2009 | 0 comments

Editor’s Note: This is the fourth installment of a multi-part series on specific and interesting aspects of W32.Downadup.

Back in November 2008, Symantec raised the ThreatCon level in response to a significant increase in exploitation activity targeting MS08-067, even when other vendors were still downplaying or ignoring this large increase in network attacks. This was just the beginning of the W32.Downadup saga.

Downadup wasn’t the first worm exploiting MS08-067, but it clearly had something “special” when compared to its previous competitor threats (see W32.Kernelbot.A and W32.Wecorl). From the programming style, the tricks, and the ideas used in Downadup code, we could easily say that Downadup wasn’t the average threat that we would normally see in the wild. The...

Elia Florio | 10 Dec 2008 | 0 comments

A new and previously unknown vulnerability affecting the Microsoft Internet Explorer 7 browser has been reported, just at the start of the Microsoft “Patch Tuesday” cycle for the month of December. Bad luck, or an intentional strategy by the attackers? It’s not clear at the moment, but the reality is that users around the world started to download and patch their systems just yesterday, while at the same time a new and dangerous exploit surfaced on the Web, trying to infect computers in China and other parts of Asia.

We ran some tests and confirmed that the new vulnerability is, unfortunately, not fixed by the current set of patches released yesterday. The attack is indeed new and it works successfully against a fully patched Windows XP SP3 with Internet Explorer 7, including all recent Microsoft Tuesday patches. Also, Internet Explorer 6 could potentially be affected by the same problem and is therefore only temporarily immune to this initial exploit,...

Elia Florio | 04 Dec 2008 | 0 comments

Following Dan Kaminsky’s research on DNS insecurities, we saw attackers racing with their DNS servers to hijack network connections. It was only a matter of time before the bad guys decided that racing against DNS was not enough.

DHCP is a widely used network protocol that has been around for a while—it’s used to automatically assign IP addresses on a local network. When you connect your laptop on the wireless router at your home or to your office network, it is most likely that a DHCP server assigns an IP address to your machine and will provide all of the important parameters such as a gateway IP and DNS servers. The DHCP protocol is simple, transparent, and efficient for end users, but it is also non-secure. There’s nothing new and sensational in that statement, because it’s something well known and is really just a lack of authentication. Wikipedia has a pretty good description...

Elia Florio | 03 Oct 2008 | 0 comments

Digging into our honeypots and spam-trap systems to look for malicious attachments is always an interesting exercise. We can identify different spam campaigns and map together malicious binaries by correlating attachments and filenames. Nevertheless, it's also funny to see how the bad guys are still trying to entice users to run executable attachments, pushing their creativity and social engineering skills to extreme levels. Invoices, contracts, delivery notices, and all types of tickets are travelling by mail every day, hitting millions of mailboxes; all in the hope that a few users, sooner or later, will be fooled by a perfectly orchestrated malicious e-mail (yes, it does still work, and old tricks are always the best).

Just for fun, I tried to create a picture of the breakdown of the most common malicious spam campaign observed on a set of emails received during...

Elia Florio | 19 Mar 2008 | 0 comments

Vulnerabilities in Microsoft Access and MSJET40.DLL have been discussed in many blogs recently. Our friends at Panda blogged about a possible (new?) vulnerability of the MS Jet library on March 3rd, and McAfee also blogged this past December about a different vulnerability reported on Bugtraq. Here at Symantec we also reported some of these vulnerabilities to Microsoft, along with the many targeted attacks carried out with .mdb files since March 2006, but this is almost the usual sort of response:

"You appear to be reporting an issue with a file type Microsoft considers to be unsafe. Many programs, such as Internet Explorer and Outlook, automatically block these files. For more information, please visit http://support.microsoft.com/kb/925330"

This sentence translates into a very simple equation: .mdb = .exe...

Elia Florio | 08 Feb 2008 | 0 comments

Back in the final weeks of 2007 the GMER team discovered the emergence of a new rootkit that hooked into the Windows master boot record (MBR) in order to take control of a compromised computer. The people responsible for this threat kept busy cranking out newly compiled versions of this Trojan in the weeks following its discovery. However, near the beginning of January the output of new variants mysteriously halted. Taking a quick look at the following table of Trojan.Mebroot sample data, it appears as though a massive QA plan was performed by the gang, starting back in November 2007.

[Image: table of Trojan.Mebroot sample data]

This is also confirmed by many clues found...

Elia Florio | 08 Jan 2008 | 0 comments

There have been recent reports of an MBR (Master Boot Record) rootkit in the wild and, of course, we have been following up these reports and doing our own analysis. An MBR is the first sector of a storage device such as a hard disk, and is generally used for bootstrapping the operating system after the computer's BIOS has done its startup checks. Basically, if you can control the MBR, you can control the operating system and therefore the computer it resides on.

MBR-based attacks have been around since the MS-DOS era. Viruses such as Stoned, Michelangelo, Junkie and Tequila used this technique to infect systems, and it is quite incredible to see that almost ten years later, we are again facing attacks on the MBR. As we have seen, malicious code that modifies a system's MBR is not a new idea – notable research in the area of MBR-based rootkits was undertaken by Derek Soeder of eEye Digital Security in 2005. Soeder created “...

Elia Florio | 25 Nov 2007 | 0 comments

Proof of concept exploit code for a newly discovered vulnerability in Apple's QuickTime player has been made available to the public today. The vulnerability (Apple QuickTime RTSP Response Header Content-Length Remote Buffer Overflow Vulnerability) was first reported on November 23rd by Polish security researcher Krystian Kloskowski.

The publicly released exploit works successfully when tested with the latest stand-alone QuickTime player application version 7.3. It does not seem to execute any shellcode when tested with the QuickTime browser plugin, even though the browser crashes due to the buffer overflow.

At the moment we believe the most likely attack scenarios to appear using this vulnerability could be:
1. Email-based attacks.
2. Web browser-based attacks.

In the email attack scenario the user receives a malicious email with an attachment containing a file with...