Security Response
Showing posts tagged with Vulnerabilities & Exploits
Karthik Selvaraj | 13 Sep 2010 10:35:53 GMT

While things had been quiet, we were quite certain that the gang behind Trojan.Hydraq hadn't gone away. It looks like they are back, as we've been seeing evidence of their attacks since January, including an attack I’d like to talk about below.

A PDF malware sample exploiting a critical Adobe zero-day vulnerability was reported in the wild a few days ago. In this post we want to provide more information about this in-the-wild malware and the attack rather than the vulnerability itself.

A public report of the PDF malware seen in the wild showed a social engineered email with following properties:

Subject: “David Leadbetter’s One Point Lesson”
Sent date: “Monday, September 06, 2010 8:01 AM”
Attachment: Golf Clinic.pdf (MD5: 9c5cd8f4a5988acae6c2e2dce563446a)

The PDF file attached to the...

Andrea Lelli | 13 Aug 2010 17:01:29 GMT

We have seen many threats that use file-sharing applications in order to spread to other computers. Typically these threats would scan a compromised computer for the shared folders of these programs, and if found would copy themselves into those folders mimicking names that are popular in search queries (e.g. popular pirated software, games, or cracks).

W32.Changeup does not scan for existing file-sharing applications, but it does do something unusual. It will actually install a well-known application called Emule and use it to share itself, mimicking tens of thousands of file names from popular user searches. Let’s have a closer look.

Infection
Changeup may arrive on a computer in several ways. As we have seen, it may use the Microsoft Windows Shortcut 'LNK' Files Automatic...

Robert Keith | 10 Aug 2010 20:00:40 GMT

Hello and welcome to this month’s blog on the Microsoft patch releases. This month’s release is the largest bulletin count since the start of the Patch Tuesday program, and a tie for the largest number of vulnerabilities addressed—the vendor is releasing 14 bulletins covering a total of 34 vulnerabilities.

Fourteen of the issues are rated “Critical” and affect Windows, SMB Server, Internet Explorer, Word, and Silverlight. Of particular note, the SMB Server issue can be exploited remotely, without authentication, to completely compromise an affected computer. The remaining issues, rated “Important” and “Moderate,” affect SMB Server, Windows, Word, and Excel.

As always, customers are advised to follow these security best practices:

- Install vendor patches as soon as they are available.
- Run all software with the least privileges required while still maintaining functionality.
- Avoid handling files from unknown or questionable sources....

Nicolas Falliere | 09 Aug 2010 13:46:28 GMT

A few months ago, I described the features of W32.Sality in these two blog entries. This well-known virus propagates by infecting Windows executable files. Infected computers also make up a fully decentralized peer-to-peer network, which is used to propagate digitally signed packages of URLs that the bots will download and run malicious files from. The discovery of the LNK vulnerability (BID 41732), initially used by Stuxnet, gave malware authors a cheap, easy, and effective way to propagate their creations.

The Sality gang didn’t waste much time and jumped on the bandwagon in the early days of August. However, it seems that it was only this past weekend that they decided to leverage their botnet to potentially infect even more computers. The latest...

khaley | 03 Aug 2010 17:35:57 GMT

It seems like almost everyone I know has an iPhone, or at least wants one. Among iPhone users in the U.S.—where the phone’s operating system is locked and customers are limited to just one carrier—jailbreaking the devices is almost as popular. Jailbreaking Apple devices such as the iPhone essentially unlocks the operating system to allow root access, enabling users to make additional customizations to their phones.
 
Jailbreaking iPhones has its risks, because it opens the door to the devices becoming more susceptible to attack and malware infection. Another concern is that the vulnerabilities in the devices that the jailbreak code exploits could also be used to carry out malicious attacks against the users of the phones.
 
Just yesterday, such an exploit was published, targeting the fourth generation iPhone for the purpose of jailbreaking the device. Thankfully, the details of the exploit are not publicly documented and the...

Symantec Security Response | 16 Jul 2010 22:05:04 GMT

Update: The infection figures below were produced using telemetry data generated by Symantec products, and are therefore weighted towards countries with a larger Symantec install base. For more comprehensive and up-to-date infection figures, generated from traffic going directly to W32.Stuxnet command and control servers, please see our blog from July 22 or our W32.Stuxnet whitepaper.

We have received some queries recently regarding the new rootkit threat being called “Tmphider” or “Stuxnet.” This threat, discovered recently, has been garnering some attention due to the fact that it uses a previously unseen technique to spread via USB drives—among other interesting features. We have compiled some of the questions we have been...

Robert Keith | 13 Jul 2010 18:06:47 GMT

Hello and welcome to this month’s blog on the Microsoft patch releases. This is a fairly light month—the vendor is releasing four bulletins covering a total of five vulnerabilities.

Four of the issues are rated “Critical” and affect Help and Support Center, Access, and the Canonical Display Driver. The Help and Support Center issue was originally made public on June 10 of this year, and has seen in-the-wild exploit attacks. The remaining issue, rated “Important,” affects Outlook and can be exploited to bypass Outlook’s detection of unsafe file types when dealing with attachments. All of the issues are client-side, and require an attacker to trick a victim into performing some action in order to exploit.

As always, customers are advised to follow these security best practices:

- Install vendor patches as soon as they are available.
- Run all software with the least privileges required while still maintaining functionality.
- Avoid...

Security Intel Analysis Team | 14 Jun 2010 22:37:57 GMT

While investigating the malware and shellcode that were associated with the recent Adobe Flash Player, Adobe Reader, and Acrobat 'authplay.dll' Remote Code Execution Vulnerability (BID 40586), we came across some interesting similarities to the malware and shellcode that were used in the Microsoft Internet Explorer 'iepeers.dll' Remote Code Execution Vulnerability (BID 38615) targeted attacks from March 2010.

The first similarity is in the shellcode

The image below is the function-hooking shellcode that was used in the targeted attacks against the Microsoft Internet Explorer 'iepeers.dll' Remote Code Execution Vulnerability in March 2010:

Below is the function-hooking shellcode that was used in the targeted attacks...

Robert Keith | 11 May 2010 17:55:51 GMT

Hello and welcome to this month’s blog on the Microsoft patch releases. This is a fairly light month—the vendor is releasing two bulletins covering a total of two vulnerabilities.

Both of the issues are rated “Critical” and affect Windows Mail, Windows Live Mail, Outlook Express, Office, and Visual Basic for Applications (VBA). Both issues are client-side and can result in remote code-execution in the context of the currently logged-in user if an attacker can trick an unsuspecting victim into performing some action.

As always, customers are advised to follow these security best practices:

- Install vendor patches as soon as they are available.
- Run all software with the least privileges required while still maintaining functionality.
- Avoid handling files from unknown or questionable sources.
- Never visit sites of unknown or questionable integrity.
- Block external access at the network perimeter to all key...

Greg Ahmad | 30 Apr 2010 12:49:13 GMT

Web browsers are an integral part of home and business computing environments and one of the most popular and ubiquitous applications on computer systems. Due to their popularity, the exploitation of security vulnerabilities in browsers is a common method for attackers to compromise computers. Vulnerabilities in browsers and browser plug-ins facilitate the propagation of malware, as well as aid in other attacks such as fraud and the theft of sensitive information. Not only are these issues used to compromise computers in targeted attacks, but vulnerabilities affecting browser applications are also exploited en masse by malware, bot networks, and exploit toolkits. Nowadays, attacks that take advantage of vulnerabilities in browsers and other associated applications such as browser plug-ins are very common. According to the recent Symantec Global...