Video Screencast Help
Security Response
Showing posts tagged with Vulnerabilities & Exploits
Showing posts in English
Peter Coogan | 21 Jan 2010 17:51:15 GMT

In our last Trojan.Hydraq (Aurora) blog, The Trojan.Hydraq Incident, we mentioned that one of the components of this Trojan is based on VNC code and has the ability to allow an attacker to control and stream a live video feed of a compromised computer’s desktop to a remote computer in real-time. In this blog we will look at these components in more detail and demonstrate them being used.

Once Trojan.Hydraq is installed by means of an exploit, it downloads additional files from a remote location to aid with the attack. Two of the additional files downloaded are named VedioDriver.dll and Acelpvc.dll. These files are placed into the %System% folder on the exploited computer. Analysis of the files and communication protocol suggests that...

Symantec Security Response | 19 Jan 2010 02:47:15 GMT

It has been about a week since news of the mysterious Hydraq Trojan (also known as Aurora) attack broke with the unveiling of a threat by Google to pull its operations out of China. In between then and now there has been a lot of rumour and debate about all aspects of this attack with many truths and mistruths being carried in public.

As the fallout from this event begins to settle a little, it helps to step back a bit and try to figure out exactly what happened and when. We will try and tell you the facts about this Trojan as we see it.

Large companies are common targets for hackers and attackers of various kinds and it is not uncommon for these companies to be actively monitoring traffic to and from their critical IT infrastructure. So it comes as no surprise that Google announced in its blog on the 12th January 2010 that it was the target of what it termed as a “highly sophisticated” attack on its business assets. In addition the blog also mentioned...

Joji Hamada | 17 Jan 2010 08:39:28 GMT

News of an exploit being used to target a zero-day vulnerability in Internet Explorer (BID 37815) was announced on Thursday, January 14th. According to Microsoft, the vulnerability affects Internet Explorer 6, 7, and 8, which together make up the bulk of the versions used today. Reports, however, have confirmed that only Internet Explorer 6 has been targeted so far and the exploit has only been seen in targeted attacks. Since the exploit code has been made public and is available for anyone to download (and use to make attacks), it is highly likely we will see it being used in more Web-based attacks.

In this security issue Internet Explorer is prone to a remote code-execution vulnerability. This means that attackers can use exploit code to execute malicious code on a victim's computer and then compromise the computer. If you are using Internet Explorer 6, 7, or 8 you may be affected until such time as you...

Robert Keith | 12 Jan 2010 20:21:30 GMT

Hello and welcome to this month’s blog on the Microsoft patch releases. This month we also have a “Patch Tuesday” from Adobe, and Oracle is releasing their quarterly “Critical Patch Update.”

Microsoft’s patches

This is a very light month for Microsoft. The vendor released one bulletin covering a “critical” vulnerability that affects Embedded OpenType (EOT) Font. This is a user-level, client-side issue that requires a victim to view a Web page containing malicious content or to open a malicious file.

Adobe’s patches

Adobe is releasing a security update for Reader and Acrobat. Adobe rates these issues “Critical” and urges users to update as soon as possible. In this release, the vendor is addressing the zero-day issue that was first made public December 14, 2009. Exploit code for this issue is available and active exploits have been detected.

Oracle patches

Oracle is releasing their...

Symantec Security Response | 08 Jan 2010 16:46:58 GMT

Last December we saw a couple of malicious JavaScript strings being pasted into Web sites on compromised servers. The beginning of the scripts look like one of the following:

  • <script>/*GNU GPL*/ try{window.onload = function(){var ~
  • <script>/*CODE1*/ try{window.onload = function(){var ~

We’ve now confirmed a new version. One of the sites we saw was originally compromised with the "/*GNU GPL*/" script and was recently updated with the "/*LGPL*/" script. A top portion of the obfuscated script looks something like this:

<script>/*LGPL*/ try{ window.onload = function(){var C1nse3sk8o41s = document.createElement('s&c^$#r))i($p@&t^&'.repl

Once deobfuscated, it leads to a URL that looks something like this:

[http://]free-fr.rapidshare.com.hotlinkimage-com.thechocolateweb.ru:8080/51job.com/[REMOVED]/redtube.com/gittigidiyor.com/google.com/

The...

khaley | 06 Jan 2010 17:48:24 GMT

When I worked at a small business the IT guy also took care of the phone system, assembled bookcases if needed, and occasionally worked the front desk when the receptionist was on break. In a small business everyone wears many hats and you often don’t really have the skills necessary to do everything asked of you all that well. Or if you do, you probably don’t have the time.

But certainly small and medium businesses understand the importance of computer security and make sure they take all the steps necessary to protect their business from the potentially devastating losses of cybercrime! Well, that’s half right. According to a survey done last year by Symantec, SMBs know security is important but they are not taking proper steps to protect themselves. In fact, a stunning 33 percent of SMBs don’t even run basic antivirus software.

The SMBs surveyed said they don’t have the staffing, budget, or bandwidth to properly protect themselves. And...

Patrick Fitzgerald | 29 Dec 2009 12:26:36 GMT

Over the last few days there have been many articles written about an issue in Microsoft’s Internet Information Services (IIS).  This issue allows an attacker to bypass normal security restrictions when uploading a file to a Web application running on a vulnerable version of IIS.  This issue could allow an attacker to upload and execute arbitrary code with the privileges of the Web server.

There are varying reports on the severity of this issue, but according to Microsoft only poorly configured Web servers are at risk from this issue:

“An attacker would have to be authenticated and have write access to a directory on the web server with execute permissions which does not align with best practices or guidance Microsoft provides for secure server...

Mircea Ciubotariu | 17 Dec 2009 11:32:37 GMT

We have recently learned of yet another zero-day exploit in Adobe Acrobat. This time it's an overflow for a special type parameter in a function provided by the multimedia.api plugin that can be manipulated from JavaScript in the following manner:

media.newPlayer(null)

Somewhere deep in newPlayer, deinit_obj is set as the handler for deleting the object when it's no longer needed:

code1.png

And eventually deinit_obj calls the destroy function from the object's v_table:

code2.png

So far, so good, except the...

Andrea Lelli | 09 Dec 2009 17:24:13 GMT

A peak of new infections of Trojan.Mebroot has been found in the wild and after some investigation the data shows that there is a new wave of Mebroot Trojans being distributed through a popular exploit pack. The binary executables are using a newer packer to avoid detection from antivirus products.

Mebroot has been around for some time; apart from updating their packer, the most interesting thing about this infection is how Mebroot gets itself onto your machine in the first place. I had a glance at the network capture and the intrusion seems to be coming from Java:

one.jpg

...

two.jpg

Images 1 and 2: The network activity shows a series of http GET requests that end up downloading an executable onto the machine.

This data stream shows some requests being made to the malicious server....

Robert Keith | 08 Dec 2009 19:29:57 GMT

Hello and welcome to this month’s blog on the Microsoft patch releases. This month we also have a "Patch Tuesday" from Adobe.

Microsoft's patches

Microsoft released six security bulletins to address 12 vulnerabilities; seven are rated "critical." The critical issues affect Internet Explorer, Project, and Internet Authentication Service (IAS). Attackers could exploit the IAS remotely, without any interaction from victims. For the other issues, a user must visit a malicious Web page or open a malicious file.

The remaining issues, rated “Important” and “Moderate,” affect IAS, WordPad, Word, Active Directory Federated Services, and Windows LSASS.

Adobe's patches

Adobe is scheduled to release security updates for Flash Player and AIR (Adobe Integrated Runtime). Although both of the updates scheduled for release today are classified as "critical," all customers should apply the Flash Player update immediately because...