Video Screencast Help
Search Video Help Close Back
to help

Security Response

Showing posts tagged with Vulnerabilities & Exploits
Showing posts in English
Backdoor.Tidserv and x64
Mircea Ciubotariu | 06 May 2011 07:21:10 GMT

On April 12, 2011, KB2506014 was released to address a vulnerability affecting Windows Vista and later operating systems running on the AMD64 platform. Malware was exploiting the vulnerability to load unsigned drivers and stay resident in kernel mode.

Backdoor.Tidserv (a.k.a. TDL4) is one such threat that is patching operating systems’ loader files on-the-fly in order to ensure that its advanced rootkit capabilities work. As may be expected, Tidserv attempted to work around the KB2506014 patch, as noted in the following code snippets taken from the ldr16 entry of the threat’s encrypted file system:


 
Here, the hooked int13 (the 16-bit disk operations interrupt) attempts to identify the moment when the operating...

Read more
Vulnerabilities Abound in 2010
David McKinney | 06 Apr 2011 07:00:20 GMT

Volume 16 of the Symantec Internet Security Threat Report covers trends in the Internet security threat landscape during 2010. It has been an interesting year, to say the least. We saw vulnerabilities implicated in major events such as the Trojan.Hydraq Incident, the Stuxnet attacks, and numerous zero-day attacks.

Here are some highlights:

-          In terms of the sheer number of new vulnerabilities discovered, 2010 was a record year. At the time of writing, we documented 6,253 new vulnerabilities over the year.

-          The rise in vulnerabilities was influenced by an increase in the number of new vendors that were affected by vulnerabilities in 2010. In 2010, Symantec documented 1,914 new vendors that were impacted by vulnerabilities, compared to 734 new vendors in 2009.

-    ...

Read more
The Symantec Internet Security Threat Report (ISTR) Volume 17 Is Here!
Téo Adams | 05 Apr 2011 03:56:08 GMT

We are pleased to announce that Volume 17 of the Symantec Internet Security Threat Report (ISTR) is now available. There are some significant changes to the report this year, including several new metrics, a revamping of existing metrics, and a revised format. Aspects of the new format were first seen in the Report on Attack Kits and Malicious Websites, which was released earlier this year.

One point of interest in this most recent report is the continued prevalence of malicious code propagation through the sharing of malicious executables on removable media. This propagation mechanism has been ranked at the top for quite some time now, with no signs of coming down. However, in February 2011, right in midst of writing the report, we read an...

Read more
2011 Internet Security Threat Report Identifies Increased Risks for SMBs
Kevin Haley | 05 Apr 2011 03:55:29 GMT

2011 Internet Security Threat Report Identifies Increased Risks for SMBs
Kevin Haley, Director, Symantec Security Technology and Response

Small businesses have flexibility that can provide them with a competitive edge in today’s Internet-based market. And, with ever more business being conducted online, keeping your sensitive information safe is more critical than ever.

Hackers do not care what the size of your business is. They only care if they can get past your defenses and relieve you of your valuables. What hackers do like about a small business is that they tend to have more money in the bank than an end-user and less cyber defenses than a larger company. And these hackers are no longer limited to highly skilled computer geeks. Using easily available attack toolkits, even a relative novice can infect your computers and extract all the information they...

Read more
New XSS Facebook Worm Allows Automatic Wall Posts
Candid Wueest | 29 Mar 2011 15:23:35 GMT

Currently a new and unpatched cross-site scripting (XSS) vulnerability in Facebook is being widely used to automatically post messages to other user’s walls. The vulnerability was used for some time in some smaller cases; however, it is now widely being used for the first time by many different groups—especially in Indonesia, where we are seeing thousands of infected messages being posted by unknowing users.

The vulnerability exists in the mobile API version of Facebook due to insufficient JavaScript filtering. It allows any website to include, for example, a maliciously prepared iframe element that contains JavaScript or use the http-equiv attribute’s “refresh” value to redirect the browser to the prepared URL containing the JavaScript. Any user who is logged into Facebook and visits a site that contains such an element will automatically post an arbitrary message to his or her wall. There is no other user interaction required, and there are...

Read more
The BlackHole Fever Continues
Hardik Suri | 04 Mar 2011 17:53:20 GMT

A mass injection campaign has been started by attackers who are using the BlackHole exploit kit, in which a number of high traffic influx websites are hacked and injected with an iframe that redirects users to a BlackHole server. The number of websites infected gives a fair idea about the popularity of this toolkit in the crimeware industry. Among the number of websites hacked there is a popular news website in Africa, a popular website among techies, and an official website for colleges overseas. The below image shows the common iframe injected across all affected websites:

The script is decoded by the “getSeconds();” value retrieved from the Date Class. The below image shows the decoded iframe:

...

Read more
The BlackHole Theory
Hardik Suri | 18 Feb 2011 11:26:09 GMT

Symantec has been monitoring the BlackHole toolkit, which has a powerful set of exploits and is spreading like wildfire. At present, it is the most prevalent exploit toolkit in the wild and can easily be compared with the likes of Neosploit and Phoenix in terms of the number of affected users.

In recent times, BlackHole has clearly emerged as the most used toolkit among hackers. The following IPS graph proves this fact, since more than 100,000 malicious hits are reported each day:


 

End-to-end Analysis of the BlackHole Exploit Kit

 

•    When a victim visits a clean...

Read more
Scammers Gear Up to Phish in Troubled Waters
Samir_Patil | 20 Jan 2011 14:48:12 GMT

Many countries are going through turbulent times due to natural disasters. In fact, emotions do run high when disasters strike—people are moved and understandably want to share in helping affected victims by donating to relief funds. The most recent natural disaster that Australia, Brazil, and the Philippines are grappling with is the flash flooding and the immense loss that it has caused to life and property.

History tells us that when natural disasters such as bush fires, floods, earthquakes and other natural calamities strike, they cause untold repercussions. Rehabilitation, restructuring, and methods to curtail further losses become a formidable challenge. One method used to combat such situations is the appeal for relief funds, donations, and government compensations in cash or kind.

Spammers would never let any such opportunities pass by without preying on them. Don’t be surprised to see your inbox bombarded with heart-wrenching emails requesting you...

Read more
Exploiting Jnanabot for Fun and Profit
Harshit Nayyar | 17 Jan 2011 14:45:08 GMT

Lest we forget, malware is a software application, albeit a malicious one. And, like any other software application, it can have vulnerabilities that can be exploited.

Our analysis of Trojan.Jnanabot has revealed several serious vulnerabilities. One of the more interesting features of Jnanabot is its custom peer-to-peer (P2P) networking protocol. In other words, its bots are designed to be a part of a P2P network and use a custom-designed protocol for communicating with each other. This ensures that there is no single point of failure and that it is harder to trace the source of the infection and to take the botnet down. While the protocol was designed to provide some degree of robustness to the botnet, it has some flaws that allow anyone (provided they have the right know-how) to exploit them for fun and/or profit. At the very least, these flaws can be used to collect information...

Read more
Internet Security Predictions for 2011: The Shape of Things to Come
Kevin Haley | 17 Nov 2010 13:50:44 GMT

My prediction is that we are all going to become nostalgic for the days of fame-seeking mass mailers and network worms. Think of LoveLetter, SQL Slammer, and Melissa all crashing millions of systems within hours of being released into the wild. Those threats seem quite quaint these days as we enter the third significant shift in the threat landscape.

We moved from fame to fortune (which we have dubbed “crimeware”) in the last ten years. Mass mailers were replaced by malware that steals credit card information and sells phony antivirus products. Malware has become a successful criminal business model with billions of dollars in play. The goal became stealth and financial gain at the expense of unsuspecting computer users. And Trojans and toolkits, like Zeus, are the modern tools of the trade.

We have now entered a third stage—one of cyber-espionage and cyber-sabotage. Cyber-espionage did not begin with Stuxnet, and crimeware does not end with it. In...

Read more