Security Response
Ollie Whitehouse | 01 Mar 2007 08:00:00 GMT | 0 comments

ASLR (Address Space Layout Randomization) is one of the cornerstones of Windows Vista and its enhanced security posture. ASLR works on the basis that it will move an application and its associated memory around, either each time it's executed or when the host is rebooted, depending on the element concerned. The purpose of this is to hinder the exploitation of a class of vulnerabilities commonly referred to as memory manipulation vulnerabilities, by making it difficult for an attacker to know where an application is in memory. This impedes successful exploitation where it relies on fixed memory addresses.

Back in December, I decided to take a brief look at the implementation of ASLR on Vista. I had seen some findings emerge during its development, but these really didn't show if the implementation was good, bad, or indifferent. Since my work load was winding down, as I had December off, and a tool I had written indicated there might be some problems, I decided to look at this in more detail. My...

Eric Chien | 28 Feb 2007 08:00:00 GMT | 0 comments

Soon after information was released about a vulnerability in the in.telnetd daemon in Solaris 10, Symantec's DeepSight monitoring system began to see spikes in port 23 traffic. Most of this traffic was due to people scanning for vulnerable systems. However, yesterday we saw a renewed spike in traffic that has been correlated to a worm known as Wanuk, which uses the vulnerability to spread.


Once Wanuk is on the system, it drops an executable that creates a /bin/sh back door, which listens on port 32982/TCP. In addition, Wanuk's payload includes sending out system broadcast messages of creatively designed shout-outs to a...

Elia Florio | 28 Feb 2007 08:00:00 GMT | 0 comments

People using Web 2.0 have personal Web spaces, blogs, and online discussions on forums and public boards. Everyone can create Web content from his or her own computer just by using the browser. So what would be the perfect vector for spreading malware in the Web 2.0 world? The Web itself, of course.

On Monday we posted a blog about a new variant of Trojan.Mespam distributed via StormWorm/Peacomm botnet. We noticed that this new Mespam takes advantage of new Web technologies and spreads by injecting malicious links when users interact with the Web.

What does it mean? When users are about to post something on any Web site running vBulletin or phpBB, the Trojan will sneakily add a malicious link into the outgoing Web packet. The same also happens when users are sending emails using clients such as Gmail, Yahoo, Lycos, Tiscali...

Stephen Doherty | 28 Feb 2007 08:00:00 GMT | 0 comments

From time to time virus writers leave messages in their code. Sometimes these are shout-outs to other virus writers, sometimes it is their own nickname, and other times they send messages to us.

Here is one that speaks for itself:

Dear Symantec: For years I have longed for just one thing, to make malware with just the right sting, you detected my creation and got my domains killed, but I will not stop, I can rebuild. P.S. F@?k you a**^$les, especially Stephen Doherty who is the biggest f@??#t I know of.

Mat Carter | 28 Feb 2007 08:00:00 GMT | 0 comments

As any regular reader of security industry news will tell you, over the past few years the quality that is most prized by malicious coders is stealth. Loud, reputation-enhancing attacks are strictly for the teenage malcontents of a previous century. Today's malicious coders are professionals who prefer a more commercial model, which aims to compromise as many machines as possible, as quietly as possible, with the minimum amount of effort—and they are adopting increasingly diversified tactics to this end.

Older malicious code tended to rely on the static hosting of the malicious payload, and this was always susceptible to filtering and targeted action from law enforcement. Consequently a trend developed to try and keep the payload moving and hard to shut off using fast flux DNS techniques, or to store it on "bullet proof" hosting from providers that usually ignore complaints. However, the Security Response team has recently noticed a simpler approach that can be utilized by...

Oliver Friedrichs | 28 Feb 2007 08:00:00 GMT | 0 comments

Last July, I discussed how Windows Vista™ was one of the most important technologies that we would see in 2007. Last year, Symantec Advanced Threat Research released four research papers on the then beta version of Windows Vista. These papers provided a security analysis of the new Windows Vista network stack, user-mode security defenses, kernel-mode security technologies, and the Teredo protocol—a key IPv6 over IPv4 transition technology in Vista. Being one of the first third-party assessments on the progression of Windows Vista security, these papers were extremely well received in the technology industry.

Fast forward to today, and Windows Vista has now been released to businesses and consumers alike. Throughout its release, Symantec has tracked the evolution of Vista very closely and continued to assess its potential in defeating today's attackers. We've documented our findings in a series of six research papers that are being released in the course of the next week. The goal of this...

Brian Hernacki | 27 Feb 2007 08:00:00 GMT | 0 comments

Today most of the identity oriented transactions on the Internet are done via plain old HTML forms and, if we're lucky, over SSL. And once again, something that seemed sufficient at first is showing strain as usage grows. HTML/HTTP ends up providing a pretty clumsy and inadequate way to do identity transactions. It offers a poor user experience and wasn't really designed with security in mind. This has contributed to much of the grief over fraud, phishing, etc. Our primary defense mechanism against such threats has historically been the SSL certificate, but we know users don't read those. We also know users don't look too carefully at URLs (even when they are not obfuscated). Some of the...

Masaki Suenaga | 26 Feb 2007 08:00:00 GMT | 0 comments

A fake installer for the Korean version of ALZIP – a commercial archiver application and a component of the ALTOOLS series created by ESTsoft Corp – was recently discovered, which Symantec detects as Trojan.Dropper.

When the fake installer is executed, it displays the same window as the genuine application and then installs the genuine archiver. During installation, it drops another executable file, which in turn drops Backdoor.Trojan and Hacktool.Keylogger. These two files are hidden by a third dropped file detected as Hacktool.Rootkit.

The rootkit does not hide the files in Safe Mode however. The files are:
%System%\yoorycom.d1l
%...

Eric Chien | 26 Feb 2007 08:00:00 GMT | 0 comments

A variety of bulletin boards are being spammed with the message to visit mailfreepostcards.com (don't visit that domain!) for a fun video. However, when visiting that site, users are prompted to download an executable. Message board spam is nothing new, but what is different about this message board spam is the spam text is actually integrated into legitimate messages posted by real users.

Posters are infected with an updated version of Trojan.Mespam, which is downloaded by Trojan.Peacomm. This threat has the ability to watch all your network traffic via a layered service provider (LSP) and when it notices you posting to a bulletin board, it modifies your posting to include the spam text.

Trojan.Mespam can not only inject text into your outgoing...
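Both Mespam posts above (Elia Florio's on the vBulletin/phpBB link injection and Eric Chien's on the LSP-based tampering) describe the same mechanism: code sitting below the browser rewrites an outgoing forum post before it leaves the host. The block below is an added example written for this page, not Mespam's code and not Symantec's detection logic. It models the rewrite such an injector has to perform to keep the request valid, and pairs it with the egress check a proxy or IDS could run on the result. The posting endpoint names (posting.php for phpBB, newreply.php and newthread.php for vBulletin), the form field name message, and the sample request are assumptions made for the example; the blocklisted domain is the one Eric Chien's post names.

```python
"""Model of what a network-layer injector has to do to an outgoing forum
post, and an egress check that catches the result.

Added example for this page; not Mespam's code or Symantec's detection.
Assumptions: posting endpoints named posting.php (phpBB) and
newreply.php / newthread.php (vBulletin), a form field called 'message',
and a constructed sample request. The blocklisted domain is the one the
post names.
"""
from typing import List, Optional, Tuple
from urllib.parse import parse_qsl, urlencode, urlparse

Header = Tuple[str, str]
POST_ENDPOINTS = ("posting.php", "newreply.php", "newthread.php")
BLOCKLIST = {"mailfreepostcards.com"}

# Constructed sample: a phpBB reply as a browser sends it over plain HTTP.
SAMPLE_POST = (
    b"POST /forum/posting.php?mode=reply&t=42 HTTP/1.1\r\n"
    b"Host: forum.example\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    b"Content-Length: 28\r\n"
    b"\r\n"
    b"subject=hello&message=hi+all"
)


def parse_request(raw: bytes) -> Tuple[str, str, str, List[Header], bytes]:
    """Split a raw HTTP/1.x request into its parts; headers keep their order and case."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    method, path, version = lines[0].split(" ", 2)
    headers: List[Header] = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.append((name.strip(), value.strip()))
    return method, path, version, headers, body


def get_header(headers: List[Header], name: str) -> Optional[str]:
    return next((v for k, v in headers if k.lower() == name.lower()), None)


def build_request(method: str, path: str, version: str,
                  headers: List[Header], body: bytes) -> bytes:
    # Content-Length must describe the new body, or the server reads only
    # the originally declared bytes and the appended text is dropped.
    fixed = [(k, str(len(body)) if k.lower() == "content-length" else v)
             for k, v in headers]
    head = "\r\n".join([f"{method} {path} {version}"] +
                       [f"{k}: {v}" for k, v in fixed])
    return head.encode("latin-1") + b"\r\n\r\n" + body


def inject_link(raw: bytes, link: str, field: str = "message") -> bytes:
    """Rewrite only form posts to a forum posting endpoint, appending the
    link to the message field. Anything else passes through untouched."""
    method, path, version, headers, body = parse_request(raw)
    if method != "POST" or not path.split("?", 1)[0].endswith(POST_ENDPOINTS):
        return raw
    if "application/x-www-form-urlencoded" not in (get_header(headers, "Content-Type") or ""):
        return raw
    fields = parse_qsl(body.decode("latin-1"), keep_blank_values=True)
    if not any(k == field for k, _ in fields):
        return raw
    fields = [(k, f"{v} {link}" if k == field else v) for k, v in fields]
    return build_request(method, path, version, headers,
                         urlencode(fields).encode("latin-1"))


def injected_domains(raw: bytes, blocklist=BLOCKLIST) -> set:
    """Egress check: blocklisted hosts linked from any form field of a POST."""
    method, _, _, _, body = parse_request(raw)
    if method != "POST":
        return set()
    found = set()
    for _, value in parse_qsl(body.decode("latin-1"), keep_blank_values=True):
        for token in value.split():
            if token.lower().startswith(("http://", "https://")):
                host = (urlparse(token).hostname or "").lower()
                if host in blocklist:
                    found.add(host)
    return found


if __name__ == "__main__":
    tampered = inject_link(SAMPLE_POST, "http://mailfreepostcards.com/video")
    print(tampered.decode("latin-1"))
    print("flagged:", injected_domains(tampered))
```

The Content-Length rewrite is the detail that makes this kind of tampering practical: appending bytes without it leaves the server reading only the 28 declared bytes, and the link never appears in the post. The check is only meaningful where the egress path sees cleartext. A Winsock LSP sits between the application and TCP, so it sees what the browser hands to the socket, which for an HTTPS submission is already encrypted; the posts above concern plain HTTP forum and webmail traffic.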