Security Response
Showing posts tagged with Vulnerabilities & Exploits
Irfan Asrar | 11 Feb 2010 23:07:50 GMT

Several reports have been published detailing a Blackberry proof of concept (PoC) exploit called txsBBSpy that was recently presented at a security conference. Although it may not have been the aim of the original presenter, some reports have framed the PoC as being able to exploit so-called vulnerabilities that the writers believe to be present in the Blackberry platform. The “vulnerabilities” involve secretly forwarding incoming emails, locating devices by way of their GPS capabilities, eavesdropping on conversations by surreptitiously turning on microphones, and other such nefarious behavior.

Although the vectors used for the PoC itself weren’t exactly ground-breaking—we described the concept behind such attacks in a whitepaper back in 2007—it does highlight the fact that competition between mobile platform vendors to provide easy-to...

Robert Keith | 09 Feb 2010 21:01:19 GMT

Hello and welcome to this month’s blog on the Microsoft patch releases. This is a busy month—the vendor is releasing 13 bulletins covering a total of 26 vulnerabilities.

Eight of the issues are rated “Critical” and affect SMB Server, SMB Client, Windows, and the Data Analyzer ActiveX control. An attacker could exploit the SMB Server issues remotely to gain complete control of an affected computer. However, to exploit the SMB Client issues to compromise a computer, the attacker must first entice a victim to connect to a malicious server.

The remaining issues, rated “Important” and “Moderate,” affect SMB Server, Windows, Windows Kernel, Office, PowerPoint, and Paint. Although the kernel issues are rated only “Important” by Microsoft, we consider them to be a high security risk because exploit code already exists for one of the issues.

As always, customers are advised to follow these security best practices:

- Install vendor patches as soon as they are...

Con Mallon | 03 Feb 2010 21:01:06 GMT

Well, it looks that way. We are only just into the second month of 2010 and yet we can now see, in prospect, a whole new raft of innovation coming our way. At CES, much of the attention was on eBook readers and new slate/tablet-based PCs. These new devices are squarely focused on digital content. The success of Amazon and Apple in the digital content arena clearly shows that there is a big market for digital content and that money can be made as a result. We have seen a lot of activity in the eBook reader market, with many companies starting to launch products. Amazon, with the Kindle, has very much been the vanguard in showing how this can all come together.

CES also witnessed a range of announcements with respect to tablet computers. We saw products from HP, Lenovo (an interesting cross-over laptop/tablet device), Sony, Archos, and others. Many of these products will start to come to market around the middle of this year. Some people commented that these CES...

Patrick Fitzgerald | 29 Jan 2010 16:05:48 GMT

If you have been following this series on Trojan.Hydraq over the last week you may have noticed that the blog entries have been, well, boring. Because of its profile in the media, and the varying assessments of both the threat posed by Trojan.Hydraq and its complexity, we decided to present the facts of the threat.

Threats make their way into mainstream media for various reasons. Sometimes it’s the effectiveness of a threat or the elegance associated with a particular approach taken by a piece of malware. Some use near-impenetrable packers to make analysis extremely difficult, and some have novel approaches to make the malware more robust and harder to take down.

2010 saw Trojan.Hydraq hit the media. This incident was dubbed “Operation Aurora”. In case there is still any confusion at this stage, the malware used in the Aurora attack is Trojan.Hydraq.


Andrea Lelli | 22 Jan 2010 04:12:37 GMT

You probably have heard the recent news about a widespread attack that was carried out using a 0-Day exploit for Internet Explorer as one of the vectors. This exploit is also known as the "Aurora Exploit". The code has recently gone public and it was also added to the Metasploit framework.

This exploit was used to deliver a malicious payload, known by the name of Trojan.Hydraq, the main purpose of which was to steal information from the compromised computer and report it back to the attackers.

The exploit code makes use of known techniques to exploit a vulnerability that exists in the way Internet Explorer handles a deleted object. The final purpose of the exploit itself is to access an object that was...

Peter Coogan | 21 Jan 2010 17:51:15 GMT

In our last Trojan.Hydraq (Aurora) blog, The Trojan.Hydraq Incident, we mentioned that one of the components of this Trojan is based on VNC code and has the ability to allow an attacker to control and stream a live video feed of a compromised computer’s desktop to a remote computer in real-time. In this blog we will look at these components in more detail and demonstrate them being used.

Once Trojan.Hydraq is installed by means of an exploit, it downloads additional files from a remote location to aid with the attack. Two of the additional files downloaded are named VedioDriver.dll and Acelpvc.dll. These files are placed into the %System% folder on the exploited computer. Analysis of the files and communication protocol suggests that...

Symantec Security Response | 19 Jan 2010 02:47:15 GMT

It has been about a week since news of the mysterious Hydraq Trojan (also known as Aurora) attack broke with the unveiling of a threat by Google to pull its operations out of China. In between then and now there has been a lot of rumour and debate about all aspects of this attack with many truths and mistruths being carried in public.

As the fallout from this event begins to settle a little, it helps to step back a bit and try to figure out exactly what happened and when. We will try to tell you the facts about this Trojan as we see them.

Large companies are common targets for hackers and attackers of various kinds, and it is not uncommon for these companies to be actively monitoring traffic to and from their critical IT infrastructure. So it comes as no surprise that Google announced in its blog on the 12th of January 2010 that it was the target of what it termed a “highly sophisticated” attack on its business assets. In addition, the blog also mentioned...

Joji Hamada | 17 Jan 2010 08:39:28 GMT

News of an exploit being used to target a zero-day vulnerability in Internet Explorer (BID 37815) was announced on Thursday, January 14th. According to Microsoft, the vulnerability affects Internet Explorer 6, 7, and 8, which together make up the bulk of the versions used today. Reports, however, have confirmed that only Internet Explorer 6 has been targeted so far and the exploit has only been seen in targeted attacks. Since the exploit code has been made public and is available for anyone to download (and use to make attacks), it is highly likely we will see it being used in more Web-based attacks.

In this security issue Internet Explorer is prone to a remote code-execution vulnerability. This means that attackers can use exploit code to execute malicious code on a victim's computer and then compromise the computer. If you are using Internet Explorer 6, 7, or 8 you may be affected until such time as you...

Robert Keith | 12 Jan 2010 20:21:30 GMT

Hello and welcome to this month’s blog on the Microsoft patch releases. This month we also have a “Patch Tuesday” from Adobe, and Oracle is releasing their quarterly “Critical Patch Update.”

Microsoft’s patches

This is a very light month for Microsoft. The vendor released one bulletin covering a “critical” vulnerability that affects Embedded OpenType (EOT) fonts. This is a user-level, client-side issue that requires a victim to view a Web page containing malicious content or to open a malicious file.

Adobe’s patches

Adobe is releasing a security update for Reader and Acrobat. Adobe rates these issues “Critical” and urges users to update as soon as possible. In this release, the vendor is addressing the zero-day issue that was first made public December 14, 2009. Exploit code for this issue is available and active exploits have been detected.

Oracle patches

Oracle is releasing their...

Symantec Security Response | 08 Jan 2010 16:46:58 GMT

Last December we saw a couple of malicious JavaScript strings being pasted into Web sites on compromised servers. The beginning of each script looks like one of the following:

  • <script>/*GNU GPL*/ try{window.onload = function(){var ~
  • <script>/*CODE1*/ try{window.onload = function(){var ~

We’ve now confirmed a new version. One of the sites we saw was originally compromised with the "/*GNU GPL*/" script and was recently updated with the "/*LGPL*/" script. The top portion of the obfuscated script looks something like this:

<script>/*LGPL*/ try{ window.onload = function(){var C1nse3sk8o41s = document.createElement('s&c^$#r))i($p@&t^&'.repl

Once deobfuscated, it leads to a URL that looks something like this: