Video Screencast Help
Symantec to Separate Into Two Focused, Industry-Leading Technology Companies. Learn more.
Security Response
Showing posts tagged with Endpoint Protection (AntiVirus)
Showing posts in English
Josh Harriman | 09 Mar 2007 08:00:00 GMT | 0 comments

No, this is not a new Monty Python skit.This is a real operation and is being implemented right now by theSecurities and Exchange Commission (SEC). Operation Spamalothas halted trading in 35 companies. Their reason is basically thatinformation regarding these companies have been spammed out throughemail to millions of people touting false or misleading information inorder to drive up stock prices. We in Security Response have spoken ofthis phenomenon before in a couple of recent blogs, Spam and Stock Speculation and Trojan.Peacomm Part 2.

But now, the SEC has stepped in and is trying to put a stop to thisactivity and...

Liam O Murchu | 08 Mar 2007 08:00:00 GMT | 0 comments

A threat that we see very frequently in the lab is the back doornamed Backdoor.GrayBird or Backdoor.HuiPigeon. Today, I will shed somelight on this back door both to show how easy it has become to create apowerful back door with a rich feature set, and also to show why we seeso much of this particular back door.

Backdoor.Graybird gets its name from the Chinese company that makesthe product, which translates to Gray Bird. It is a commercial Chineseremote access tool that sells for about $100 for a 100 user license. Itcan be configured to run silently on the victim's machine and isnormally distributed via email or via drive-by downloads. (If sent viaemail, the user still needs to execute the file.) It can be packed tomake each sample unique and, most recently, NsAnti has been the packerof choice.

Backdoor.Graybird is very popular in underground Chinese hackingforums partly because it is all written in Chinese, so it is easilyunderstood, and also because...

Elia Florio | 08 Mar 2007 08:00:00 GMT | 0 comments

Following further research and also some feedback received fromSunbelt (thanks to Alex for that) we are posting a short follow upabout the Windows Live hijack story reported yesterday.First of all, we notice that some of the domains returned by WindowsLive open popup boxes and pages with false Windows errors and problems.

This is the usual social engineering scam to induce people toinstall programs like WinFixer or ErrorSafe. Those programs aresecurity risks that may give exaggerated reports of threats on thecomputer, and they only get installed on the machine if users agree andclick “Yes” to begin the installation.

Today we were able also to verify that a subset of the bad domainsreturned by Windows Live redirect Italian computers to some maliciousWeb sites hosting several exploits and delivering malwares. Thisbehavior affects, at the...

Elia Florio | 08 Mar 2007 08:00:00 GMT | 0 comments

Following further research and also some feedback received fromSunbelt (thanks to Alex for that) we are posting a short follow upabout the Windows Live hijack story reported yesterday.First of all, we notice that some of the domains returned by WindowsLive open popup boxes and pages with false Windows errors and problems.

This is the usual social engineering scam to induce people toinstall programs like WinFixer or ErrorSafe. Those programs aresecurity risks that may give exaggerated reports of threats on thecomputer, and they only get installed on the machine if users agree andclick “Yes” to begin the installation.

Today we were able also to verify that a subset of the bad domainsreturned by Windows Live redirect Italian computers to some maliciousWeb sites hosting several exploits and delivering malwares. Thisbehavior affects, at the...

Liam O Murchu | 08 Mar 2007 08:00:00 GMT | 0 comments

A threat that we see very frequently in the lab is the back doornamed Backdoor.GrayBird or Backdoor.HuiPigeon. Today, I will shed somelight on this back door both to show how easy it has become to create apowerful back door with a rich feature set, and also to show why we seeso much of this particular back door.

Backdoor.Graybird gets its name from the Chinese company that makesthe product, which translates to Gray Bird. It is a commercial Chineseremote access tool that sells for about $100 for a 100 user license. Itcan be configured to run silently on the victim's machine and isnormally distributed via email or via drive-by downloads. (If sent viaemail, the user still needs to execute the file.) It can be packed tomake each sample unique and, most recently, NsAnti has been the packerof choice.

Backdoor.Graybird is very popular in underground Chinese hackingforums partly because it is all written in Chinese, so it is easilyunderstood, and also because cracked...

Liam O Murchu | 07 Mar 2007 08:00:00 GMT | 0 comments

On March 5, we posted a blog about a new threat called Trojan.Bayrob that targets users of the eBay auction site and, more specifically, motor auctions. Following further research, we are able to shed some more light on the mechanics of Trojan.Bayrob. As stated previously, this attack is targeted at users who will be highly likely to buy a car on eBay, (e.g. second-hand car sales companies).

In this attack, victims are sent an email about a car that is being offered for sale. The email contains a legitimate slide show program that shows images of the car on offer; however, the email also contains the Trojan.Bayrob file. Below are two examples of what the slide show looks like. While the victim views the slide show, the Trojan is...

Eric Chien | 07 Mar 2007 08:00:00 GMT | 0 comments

Symantec has recently received a phishing email that makes use of an interesting technique of hiding a phishing site URL. When receiving a suspected phishing message, one of the methods of determining if the embedded URLs are legitimate or not is to simply pass your cursor over the underlined hyperlink and then check the URL in the status bar of your browser. In the status bar, you can see if the link belongs to the appropriate domain or not.

Using Javascript, one can alter the text in the status bar. So, when browsing on the Web in general, this isn't always a reliable technique to verify the underlying URL. However, when receiving an HTML email in an email client (including Webmail), Javascript is generally neutered so it does not execute, preventing the obfuscation of the status bar via Javascript, making this technique more reliable. However, this phishing message we recently received is able to modify what is displayed in the status bar without the use...

Elia Florio | 07 Mar 2007 08:00:00 GMT | 0 comments

Windows Live is “everything you need, all in one place” and it looks like the search engine really does know what exactly it is that Italians need! Today, we came across a story that was reported by Sunbelt about a takeover of the Italian version of the Windows Live search engine. We decided to do a bit more investigating into those rumors.

At the moment, the problem is that when someone searches a combination of specific Italian keywords on the Windows Live portal, that person will always get a set of weird links in the search results. These weird links will most likely be related to the Linkoptimizer gang (aka Gromozon)—so this likely means that the Gromozon gang has managed to take over and manipulate the search results of Windows Live by getting their links to end up on the top of the search result lists.

...

Elia Florio | 07 Mar 2007 08:00:00 GMT | 0 comments

Windows Live is “everything you need, allin one place” and it looks like the search engine really does know whatexactly it is that Italians need! Today, we came across a story thatwas reported by Sunbelt about a takeover of the Italian version of theWindows Live search engine. We decided to do a bit more investigatinginto those rumors.

At the moment, the problem is that when someone searches acombination of specific Italian keywords on the Windows Live portal,that person will always get a set of weird links in the search results.These weird links will most likely be related to the Linkoptimizer gang(aka Gromozon)—so this likely means that the Gromozon gang has managedto take over and manipulate the search results of Windows Live bygetting their links to end up on the top of the search result lists.

...

Liam O Murchu | 07 Mar 2007 08:00:00 GMT | 0 comments

On March 5, we posted a blog about a new threat called Trojan.Bayrob that targets users of the eBay auction site and, more specifically, motor auctions. Following further research, we are able to shed some more light on the mechanics of Trojan.Bayrob. As stated previously, this attack is targeted at users who will be highly likely to buy a car on eBay, (e.g. second-hand car sales companies).

In this attack, victims are sent an email about a car that is being offered for sale. The email contains a legitimate slide show program that shows images of the car on offer; however, the email also contains the Trojan.Bayrob file. Below are two examples of what the slide show looks like. While the victim views the slide show, the Trojan is...