Video Screencast Help
Search Video Help Close Back
to help

Security Response

Showing posts tagged with Vulnerabilities & Exploits
Showing posts in English
Stuxnet Before the .lnk File Vulnerability
Liam O Murchu | 24 Sep 2010 08:42:33 GMT | 0 comments

Code to exploit the zero-day .lnk file vulnerability (BID 43073) used by Stuxnet was added to the threat around March 2010; we know this because the samples we observed before this date did not contain code to exploit that vulnerability. This leads us to the following question: how did previous Stuxnet variants spread through removable devices?

 
The answer is that older versions did not use a vulnerability but instead an AutoRun trick to spread. The worm’s trick was to create an autorun.inf file in the root of removable drives that served two different purposes. The specially crafted file could be interpreted as either an executable file or as a correctly formatted autorun.inf file. When Windows parses autorun.inf files the parsing is quite forgiving. Specifically, any characters...
Read more
Stuxnet Print Spooler Zero-Day Vulnerability not a Zero-Day at All?
Liam O Murchu | 18 Sep 2010 04:29:21 GMT | 0 comments

We have been made aware of a recent blog posting pointing to the fact that the print spooler vulnerability used by W32.Stuxnet and addressed in the Microsoft Windows Print Spooler Service Remote Code Execution Vulnerability was in fact known about since 2009. An article was published in a security magazine that showed how the vulnerability worked in late 2009. We are currently investigating this; however, from our initial review of that article it appears to do exactly what Stuxnet does when exploiting the Print Spooler vulnerability. We will update this article with more information shortly.

Update: We have confirmed with Microsoft that this issue is indeed one that was patched with the release of Microsoft Security Bulletin MS10...

Read more
Microsoft Patch Tuesday - September 2010
Robert Keith | 14 Sep 2010 19:43:49 GMT | 0 comments

Hello and welcome to this month’s blog on the Microsoft patch releases. This is an average size month for releases —the vendor is releasing nine bulletins covering a total of 11 vulnerabilities.

Four of the issues are rated “Critical” and affect Windows, Office, and Outlook. Of particular note is the issue in the Windows Print Spooler service. That issue is currently being exploited by the Stuxnet malware and can be exploited remotely to completely compromise an affected computer. The remaining issues, rated “Important”, affect Windows, WordPad, and Internet Information Services (IIS).

As always, customers are advised to follow these security best practices:

- Install vendor patches as soon as they are available.

- Run all software with the least privileges required while still maintaining functionality.

- Avoid handling files from unknown or questionable sources.

- Never visit sites of unknown or...

Read more
Hydraq (Aurora) Attackers Back?
Karthik Selvaraj | 13 Sep 2010 10:35:53 GMT | 0 comments

While things had been quiet, we were quite certain that the gang behind Trojan.Hydraq hadn't gone away. It looks like they are back, as we've been seeing evidence of their attacks since January, including an attack I’d like to talk about below.

A PDF malware sample exploiting a critical Adobe zero-day vulnerability was reported in the wild a few days ago. In this post we want to provide more information about this in-the-wild malware and the attack rather than the vulnerability itself.

A public report of the PDF malware seen in the wild showed a social engineered email with following properties:

Subject “David Leadbetter’s One Point Lesson”
Sent date: “Monday, September 06, 2010 8:01 AM”
Attachment:  Golf Clinic.pdf (Md5: 9c5cd8f4a5988acae6c2e2dce563446a)

The PDF file attached to the...

Read more
W32.Changeup Installing and Running eMule
Andrea Lelli | 13 Aug 2010 17:01:29 GMT | 0 comments

We have seen many threats that use file-sharing applications in order to spread to other computers. Typically these threats would scan a compromised computer for the shared folders of these programs, and if found would copy themselves into those folders mimicking names that are popular in search queries (e.g. popular pirated softwares, games, or cracks).

W32.Changeup does not scan for existing file-sharing applications, but it does do something unusual. It will actually install a well-known application called Emule and use it to share itself, mimicking tens of thousands of file names from popular user searches. Let’s have a closer look.

Infection
Changeup may arrive on a computer in several ways. As we have seen, it may use the Microsoft Windows Shortcut 'LNK' Files Automatic File Execution...

Read more
Microsoft Patch Tuesday - August 2010
Robert Keith | 10 Aug 2010 20:00:40 GMT | 0 comments

Hello and welcome to this month’s blog on the Microsoft patch releases. This month’s release is the largest bulletin count since the start of the Patch Tuesday program, and a tie for the largest number of vulnerabilities addressed—the vendor is releasing 14 bulletins covering a total of 34 vulnerabilities.

Fourteen of the issues are rated “Critical” and affect Windows, SMB Server, Internet Explorer, Word, and Silverlight. Of particular note, the SMB Server issue can be exploited remotely, without authentication, to completely compromise an affected computer. The remaining issues, rated “Important” and “Moderate,” affect SMB Server, Windows, Word, and Excel.

As always, customers are advised to follow these security best practices:

- Install vendor patches as soon as they are available.
- Run all software with the least privileges required while still maintaining functionality.
- Avoid handling files from unknown or questionable sources....

Read more
Sality Goes LNK
Nicolas Falliere | 09 Aug 2010 13:46:28 GMT | 0 comments

A few months ago, I described the features of W32.Sality in these two blog entries. This well-known virus propagates by infecting Windows executable files. Infected computers also make up a fully decentralized peer-to-peer network, which is used to propagate digitally signed packages of URLs that the bots will download and run malicious files from. The discovery of the LNK vulnerability (BID 41732), initially used by Stuxnet, gave malware authors a cheap, easy, and effective way to propagate their creations.

The Sality gang didn’t waste much time and jumped on the bandwagon in the early days of August. However, it seems that it was only this past weekend that they decided to leverage their botnet to potentially infect even more computers. The latest package downloaded...

Read more
Beware: Attackers Could Use New iPhone 4 Jailbreak Code to Carry Out Malicious Attacks
Kevin Haley | 03 Aug 2010 17:35:57 GMT | 0 comments

It seems like almost everyone I know has an iPhone, or at least wants one. Among iPhone users in the U.S.—where the phone’s operating system is locked and customers are limited to just one carrier—jailbreaking the devices is almost as popular. Jailbreaking Apple devices such as the iPhone essentially unlocks the operating system to allow root access, enabling users to make additional customizations to their phones.
 
Jailbreaking iPhones has its risks, because it opens the door to the devices becoming more susceptible to attack and malware infection. Another concern is that the vulnerabilities in the devices that the jailbreak code exploits could also be used to carry out malicious attacks against the users of the phones.
 
Just yesterday, such an exploit was published, targeting the fourth generation iPhone for the purpose of jailbreaking the device. Thankfully, the details of the exploit are not publicly documented and the...

Read more
W32.Stuxnet – Commonly Asked Questions
Symantec Security Response | 16 Jul 2010 22:05:04 GMT | 0 comments

Update: The infection figures below were produced using telemetry data generated by Symantec products, and are therefore weighted towards countries with a larger Symantec install base. For more comprehensive and up-to-date infection figures, generated from traffic going directly to W32.Stuxnet command and control servers, please see our blog from July 22 or our W32.Stuxnet whitepaper.

We have received some queries recently regarding the new rootkit threat being called “Tmphider" or "Stuxnet.” This threat, discovered recently, has been garnering some attention due to the fact that it uses a previously unseen technique to spread via USB drives—among other interesting features. We have compiled some of the questions we have been...

Read more
Microsoft Patch Tuesday - July 2010
Robert Keith | 13 Jul 2010 18:06:47 GMT | 0 comments

Hello and welcome to this month’s blog on the Microsoft patch releases. This is a fairly light month—the vendor is releasing four bulletins covering a total of five vulnerabilities.

Four of the issues are rated “Critical” and affect Help and Support Center, Access, and the Canonical Display Driver. The Help and Support Center issue was originally made public on June 10 of this year, and has seen in-the-wild exploit attacks. The remaining issue, rated “Important,” affects Outlook and can be exploited to bypass Outlook’s detection of unsafe file types when dealing with attachments. All of the issues are client-side, and require an attacker to trick a victim into performing some action in order to exploit.

As always, customers are advised to follow these security best practices:

- Install vendor patches as soon as they are available.
- Run all software with the least privileges required while still maintaining functionality.
- Avoid...

Read more