Video Screencast Help
Search Video Help Close Back
to help
New in the Rewards Catalog: Vouchers for "Symantec Technical Specialist" and "Symantec Certified Specialist" exams.

Security Response

Showing posts tagged with Security Response remove filter
Showing posts by Amado Hidalgo remove filter
A Monster Trojan
Amado Hidalgo | 16 Aug 2007 | 0 comments

Yesterday, we analyzed a sample of a new Trojan, called Infostealer.Monstres,which was attempting to access the online recruitment Web site,Monster.com. It was also uploading data to a remote server. When weaccessed this remote server, we found over 1.6 million entries withpersonal information belonging to several hundred thousand people. Wewere very surprised that this low profile Trojan could have attacked somany people, so we decided to investigate how the data could have beenobtained.

Interestingly, only connections to the hiring.monster.com andrecruiter.monster.com subdomains were being made. These subdomainsbelong to the “Monster for employers” only site, the section used byrecruiters and human resources personnel to search for potentialcandidates, post jobs to Monster, et cetera. This site requires recruiters to log in to view...

Read more
MPack - The Movie
Amado Hidalgo | 20 Jun 2007 | 0 comments

In the past few days, much has been written about MPack and the mass hacking of legitimate web sitesby inserting hidden iframes. These iframes had the purpose ofredirecting web surfers to malicious sites, which served exploits andeventually infected the computer of the unsuspected visitors.

We have created a little movie to help you understand the wholeprocess. So without further ado, Symantec Security Response presents… MPack, The...

Read more
MPack: the Strange Case of the Mass-Hacking Tool
Amado Hidalgo | 18 Jun 2007 | 0 comments

You always thought that by staying clear ofthe dark alleys of the Internet and visiting only “reputable” websites,you would be safe from attacks and dubious content. I am afraid that isnot enough. My colleagues Elia Florio and Hon Lau reported recently (here and here)about legitimate sites that had been compromised to include a maliciousIFRAME that, without your knowledge, redirects you to a site servingexploits.

As Elia mentioned, thousands of sites (mostly Italian, but withseveral other nationalities included) were compromised. We were puzzledas to how the MPack gang had managed to hack so many sites in a shortperiod of time, and how they could inject the malicious iframe soquickly.

...

Read more
Don’t (Just) Follow Our Advice
Amado Hidalgo | 26 May 2007 | 0 comments

We security folks always tell you that if you want to transactonline safely, you should type the address of the financial institutionin the browser instead of following a link, you should enter yourpersonal information only in trusted sites that use encryption, youneed to check that the little padlock in the corner of your browser islocked, you also need to verify the digital certificate is valid andmatches the site you want to visit, etc... Well, that’s not enough!

Recently we analysed a Trojan horse program (Infostealer.Banker.D)that, uses some cunning creativity. Using an HTML injection technique,it is capable of fooling even those who practice the standardprecautionary measures against online fraud.

When the user of an infected computer goes to the login page ofcertain websites, the Trojan intercepts the HTML page, checks forcertain blocks of...

Read more
This is no April Fool’s Day joke
Amado Hidalgo | 31 Mar 2007 | 0 comments

I wish I could have some humorous comment or a joke to mark the day. Unfortunately I have something more serious to write about.

Symantec Security Response has detected a new worm in the wild: W32.Fubalca.It infects executables and HTML-type files, inserting links tomalicious Animated Cursor files, and exploits the currently unpatchedMicrosoft Windows Cursor And Icon ANI Format Handling Remote BufferOverflow Vulnerability (BID 23194) to download further copies of the worm.

The worm infects executables on all drives (including removabledrives), except for the drive that Windows is installed upon (e.g.C:\). As well as exploiting the vulnerability, the worm appears tospread through removable drives and already-mapped network shares.

The malicious Animated...

Read more
This is no April Fool’s Day joke
Amado Hidalgo | 31 Mar 2007 | 0 comments

I wish I could have some humorous comment or a joke to mark the day. Unfortunately I have something more serious to write about.

Symantec Security Response has detected a new worm in the wild: W32.Fubalca.It infects executables and HTML-type files, inserting links tomalicious Animated Cursor files, and exploits the currently unpatchedMicrosoft Windows Cursor And Icon ANI Format Handling Remote BufferOverflow Vulnerability (BID 23194) to download further copies of the worm.

The worm infects executables on all drives (including removabledrives), except for the drive that Windows is installed upon (e.g.C:\). As well as exploiting the vulnerability, the worm appears tospread through removable drives and already-mapped network shares.

The malicious Animated...

Read more
Latest Office Zero-Day Vulnerability
Amado Hidalgo | 07 Feb 2007 | 0 comments

Last week, Microsoft published Security Advisory 932553to warn Windows users of a new vulnerability in Microsoft Office.Security Response has analysed a sample of a malicious Microsoft Excelfile that appears to be exploiting the vulnerability that is hinted atin that Advisory. Fully patched versions of Office 2000, XP, and 2003appear to be vulnerable to this exploit.

Upon opening the malicious Microsoft Excel document, which Symantec now detects as Trojan.Mdropper.Y, it drops a Trojan horse program by using the exploit referenced by CVE-2007-0671 (BID 22383).It proceeds to drop a back door Trojan onto the compromised computer.It then attempts to contact a remote...

Read more
Trojan.Peacomm Part 2 – The Botnet Evolves
Amado Hidalgo | 22 Jan 2007 | 0 comments

Since I posted my blog last Friday, the Trojan.Peacomm threat has (not surprisingly) evolved. The attachments have new filenames, some dropped files have changed, and the subject lines of the spam email are also changing. Please have a look at the full details in our updated write-up here.

The bot machines are now communicating over UDP port 7871, instead of port 4000. Symantec’s Threat Management System confirms this change:

peacomm_port7871-SRC_IPs.jpeg
Figure 1. IPs originating activity - UDP port 7871

More...

Read more
Trojan.Peacomm Part 2 – The Botnet Evolves
Amado Hidalgo | 22 Jan 2007 | 0 comments

Since I posted my blog last Friday, the Trojan.Peacomm threat has (not surprisingly) evolved. The attachments have new filenames, some dropped files have changed, and the subject lines of the spam email are also changing. Please have a look at the full details in our updated write-up here.

The bot machines are now communicating over UDP port 7871, instead of port 4000. Symantec’s Threat Management System confirms this change:

peacomm_port7871-SRC_IPs.jpeg
Figure 1. IPs originating activity - UDP port 7871

More...

Read more
Trojan.Peacomm Part 2 – The Botnet Evolves
Amado Hidalgo | 22 Jan 2007 | 0 comments

Since I posted my blog last Friday, the Trojan.Peacomm threat has (not surprisingly) evolved. The attachments have new filenames, some dropped files have changed, and the subject lines of the spam email are also changing. Please have a look at the full details in our updated write-up here.

The bot machines are now communicating over UDP port 7871, instead of port 4000. Symantec’s Threat Management System confirms this change:

peacomm_port7871-SRC_IPs.jpeg
Figure 1. IPs originating activity - UDP port 7871

More...

Read more

Technical Support

Symantec.com

Store

Community Stats

Total Content Items
Members
258,921