Video Screencast Help
Security Response
Showing posts tagged with Vulnerabilities & Exploits
Showing posts in English
Elia Florio | 15 Jun 2007 07:00:00 GMT | 0 comments

We verified a report of a large-scale web attack on going in Italy at the moment. The attack is similar to what we described in our previous blog; it just uses a new different final domain which runs the hostile exploits of Mpack 0.86 kit.



The gang behind the attack had successfully compromised the homepagesof hundreds of legitimate Italian websites. We checked many of them andwe verified that they include now a malicious IFRAME (detected asTrojan.Mpkit!html) which redirects to the same bad IP address. The listof compromised sites is huge and from Mpack statistics this attack isworking efficiently (the...

Greg Ahmad | 13 Jun 2007 07:00:00 GMT | 0 comments

On April 27, 2007, various Internet resources from the Republic of Estonia came under a series of DDOS or distributed denial of service attacks.According to claims by Estonian government officials and media, theattacks originated in Russia and followed a dispute between thegovernment and ethnic Russians over the relocation of a Soviet warmemorial from the Estonian capital of Tallinn. The attacks targetedwebsites belonging to government ministries, banks, media, politicalparties and businesses.

Though DDOS attacks against various networks have taken place onnumerous occasions in the past, the particularly interesting aspect ofthese attacks was that they appear to be...

Ben Greenbaum | 12 Jun 2007 07:00:00 GMT | 0 comments

Hello again... this month's update contains 6 advisories with atotal of 15 patched vulnerabilities. Major apps for this month wereonce again IE and Outlook/Windows Mail, coming in with 6 and 4 patchedvulnerabilities respectively. This month we also see updates forfile-based attack vectors against Visio, remotely exploitablevulnerabilities in both a dev library and a security package patched,and a fairly low profile information disclosure vulnerability in Vistadealt with.
As usual details are given below in order of descending urgency. Happypatching, and we'll be back for another round next month...

MS07-034; KB929123
Cumulative Security Update for Outlook Express and Windows Mail

This release addresses four issues in Windows Mail (vista) andOutlook...

Yazan Gable | 08 Jun 2007 07:00:00 GMT | 0 comments

A couple of extremely critical vulnerabilities were discovered anddisclosed in Yahoo! Messenger two days ago, on June 6th. Late lastnight and early this morning, exploits were released to take advantageof these issues. At the time of the release, Yahoo had not yet patchedthe issues, so Yahoo! Messenger users were at significant risk of beingattacked.

The two vulnerabilities are both buffer overflows in the ActiveXcontrol that handles Yahoo’s Webcam functionality [1][2]. Due to theexploits being released publicly, anyone can carry out an attack bypersuading a user into following a link to a malicious file.

Fortunately, Yahoo has released an update to their Yahoo! Messengerproduct to resolve this issue. The latest version of the software,version 8.1, is reportedly not vulnerable. Users should update as soonas possible to reduce their exposure to potential attacks.

[1] http://www....

Hon Lau | 27 May 2007 07:00:00 GMT | 0 comments

A nasty piece of malware was sent our way this weekend that we are detecting as Trojan.Mpkit!html and Downloader.This malware is yet another malware distribution and attack kit in thesame vein as other kits, such as WebAttacker. This kit, called MPack,is a professionally written collection of PHP software componentsdesigned to be hosted and run from a PHP server with a databasebackend. It is sold by a Russian gang and comes ready to install on aPHP server, and it also comes complete with a collection of exploitmodules to be used out of the box.


How it infects computers

Once the server is installed and running, all the owner has to do isto start generating some web browser traffic to it. They can do this byvarious...

Ron Bowes | 25 May 2007 07:00:00 GMT | 0 comments

The Internet is home to billions of computers, all of which performthe jobs they have been programmed to do. Each of these computers has ahard drive and RAM. It’s a rare case that either is completely full. Abillion computers, each with a couple spare megabytes, works out to afew terabytes in a very conservative estimate.

There are several ways that this space can be harnessed to varyingdegrees, depending on what the ultimate goal of an attacker is. A tinybit of RAM on a large number of computers can be used to store secretdata that an attacker wants to hide, while a lot of information can bestored on some servers at the risk of being found and removed.Harnessing this space is often referred to as "parasitic storage."

One parasitic storage technique, called "juggling," can be used forextremely sensitive or illegal information. The goal for the attackeris to ensure that the complete body of information is never on theircomputer all at once, but that part of it is...

Liam O Murchu | 08 May 2007 07:00:00 GMT | 0 comments

No, I’m not talking about typing 53704 intoyour calculator and turning it upside down! I’m referring to theincreasing popularity of inserting links to exploits into legitimateHTML pages in an attempt to infect users who visit the affected page,multiplying the effectiveness of the original infection. I’ll outlinebelow the steps used in one such attack that we recently received inour lab.

In this case the malicious links were added by hand after the Web server had been hacked. However, W32.Fujacks and W32.Fubalcause similar techniques to the ones discussed here to automaticallyinfect asp, aspx, htm, html, php and jsp files residing on the infectedmachine in order to spread themselves further. Infostealer.Lingling wasalso distributed...

Ben Greenbaum | 08 May 2007 07:00:00 GMT | 0 comments

May proves to be a busy month for Windowsadministrators as we received information on no less than 21vulnerabilities being addressed in this month's 7 patches. If youhappen to be responsible for any DNS servers running on Server 2000,2003 Server or SBS, you will most likely want to skip to the last oneand work your way up. For the rest of us, we'll start with the IEissues and continue from there:

MS07-027; 931768 Cumulative Security Update for Internet Explorer
This is the seemingly monthly cumulative patch for IE issues. Sixdistinct issues are addressed in IE this month, as well as two issuesin third-party ActiveX controls. Note that these two are only mentionedas footnotes in the advisory and therefore do not have their ownUrgency Ratings from Microsoft...

Robert Keith | 03 May 2007 07:00:00 GMT | 0 comments

In a recent staff meeting, someone mentioned that one of ourcompetitors was trying to steal our customers. In this or any otherbusiness, that should not come as too much of a shock. However, thecompetitor’s critique seemed to focus on trivial, nit-picky thingsrather than on what makes our products and services really stand out inthe field.

My role as part of Symantec’s DeepSight Research Team is to scourthe Internet for information related to known and as-yet unpublishedvulnerabilities in software and hardware. The information comes frommany sources, including Bugtraq,Full-Disclosure, independent researchers, and of course directly fromvendors themselves. We correlate and document these pieces ofinformation, then publish them as BIDs (Bugtraq IDs) available in thepublic repository at Security Focus and distributed...

Nicolas Falliere | 27 Apr 2007 07:00:00 GMT | 0 comments

A few days ago, we received yet anothersubmission containing a strange Animated Cursor file. Thisvulnerability made quite some noise, and though we thought it washandled by now, this file was definitely not the usual ANI exploit…

An ANI file follows the RIFF standard, with a few exceptions. It isa collection of data chunks, all having the same format of "header |size | data". Therefore, spotting malicious files attempting to exploitthe vulnerability should be easy. But is it? For the human eye, it is.For a heuristic detection, in spite of what was said before, it is not.Despite the supposedly easy structure of the Animated Cursor file,Microsoft’s implementation of its parser is quite loose.

First, invalid chunks will get properly parsed. Though not affectingthe ANI file itself, such chunks should not be encountered in cursorfiles, but the ANI parser just allows and skips them. Fair enough, ourdetections can handle that as well. Attackers, after a few days of‘...