Security Response
Samir_Patil | 20 Jan 2011 14:48:12 GMT

Many countries are going through turbulent times due to natural disasters. In fact, emotions do run high when disasters strike—people are moved and understandably want to share in helping affected victims by donating to relief funds. The most recent natural disaster that Australia, Brazil, and the Philippines are grappling with is the flash flooding and the immense loss that it has caused to life and property.

History tells us that when natural disasters such as bush fires, floods, earthquakes and other natural calamities strike, they cause untold repercussions. Rehabilitation, restructuring, and methods to curtail further losses become a formidable challenge. One method used to combat such situations is the appeal for relief funds, donations, and government compensations in cash or kind.

Spammers would never let any such opportunities pass by without preying on them. Don’t be surprised to see your inbox bombarded with heart-wrenching emails requesting you...

Harshit Nayyar | 17 Jan 2011 14:45:08 GMT

Lest we forget, malware is a software application, albeit a malicious one. And, like any other software application, it can have vulnerabilities that can be exploited.

Our analysis of Trojan.Jnanabot has revealed several serious vulnerabilities. One of the more interesting features of Jnanabot is its custom peer-to-peer (P2P) networking protocol. In other words, its bots are designed to be a part of a P2P network and use a custom-designed protocol for communicating with each other. This ensures that there is no single point of failure and that it is harder to trace the source of the infection and to take the botnet down. While the protocol was designed to provide some degree of robustness to the botnet, it has some flaws that allow anyone (provided they have the right know-how) to exploit them for fun and/or profit. At the very least, these flaws can be used to collect information...

khaley | 17 Nov 2010 13:50:44 GMT

My prediction is that we are all going to become nostalgic for the days of fame-seeking mass mailers and network worms. Think of LoveLetter, SQL Slammer, and Melissa all crashing millions of systems within hours of being released into the wild. Those threats seem quite quaint these days as we enter the third significant shift in the threat landscape.

We moved from fame to fortune (which we have dubbed “crimeware”) in the last ten years. Mass mailers were replaced by malware that steals credit card information and sells phony antivirus products. Malware has become a successful criminal business model with billions of dollars in play. The goal became stealth and financial gain at the expense of unsuspecting computer users. And Trojans and toolkits, like Zeus, are the modern tools of the trade.

We have now entered a third stage—one of cyber-espionage and cyber-sabotage. Cyber-espionage did not begin with Stuxnet, and crimeware does not end with it. In...

Robert Keith | 09 Nov 2010 19:50:44 GMT

Hello and welcome to this month’s blog on the Microsoft patch releases. This is a relatively light month—the vendor is releasing three bulletins covering a total of 11 vulnerabilities. One of the issues is rated “Critical” and it affects Microsoft Office when handling malicious RTF (rich text format) files. The remainder of the issues are rated “Important” and affect Office, PowerPoint, and Forefront Unified Access Gateway (UAG). As always, customers are advised to follow these security best practices:

- Install vendor patches as soon as they are available.

- Run all software with the least privileges required while still maintaining functionality.

- Avoid handling files from unknown or questionable sources.

- Never visit sites of unknown or questionable integrity.

- Block external access at the network perimeter to all key systems unless specific access is required.

Microsoft’s summary of the...

Robert Keith | 12 Oct 2010 21:24:12 GMT

Hello and welcome to this month’s blog on the Microsoft patch releases. This is, by far, the largest Patch Tuesday release since the start of the program. The vendor is releasing 16 bulletins covering a total of 49 vulnerabilities, including one of the zero-day vulnerabilities used by the Stuxnet threat.

Five of the issues are rated “Critical” and affect Internet Explorer, Embedded OpenType Fonts, .NET, and Media Player. The majority of the issues being addressed this month affect Excel (13 issues), Office (11 issues), and Internet Explorer (10 issues). The remaining issues affect Windows kernel-mode drivers, SChannel, OpenType Fonts, Shared Cluster Disks, Common Control Library, Local Procedure Call (LPC), Microsoft Foundation Classes (MFC), Active Template Library, Sharepoint, and Groove.

As always, customers are advised to follow these security best practices:

- Install vendor patches as soon as...

Liam O Murchu | 24 Sep 2010 08:42:33 GMT

Code to exploit the zero-day .lnk file vulnerability (BID 43073) used by Stuxnet was added to the threat around March 2010; we know this because the samples we observed before this date did not contain code to exploit that vulnerability. This leads us to the following question: how did previous Stuxnet variants spread through removable devices?

The answer is that older versions did not use a vulnerability but instead an AutoRun trick to spread. The worm’s trick was to create an autorun.inf file in the root of removable drives that served two different purposes. The specially crafted file could be interpreted as either an executable file or as a correctly formatted autorun.inf file. When Windows parses autorun.inf files, the parsing is quite forgiving. Specifically, any characters that...

Liam O Murchu | 18 Sep 2010 04:29:21 GMT

We have been made aware of a recent blog posting pointing to the fact that the print spooler vulnerability used by W32.Stuxnet and addressed in the Microsoft Windows Print Spooler Service Remote Code Execution Vulnerability was in fact known about since 2009. An article was published in a security magazine that showed how the vulnerability worked in late 2009. We are currently investigating this; however, from our initial review of that article it appears to do exactly what Stuxnet does when exploiting the Print Spooler vulnerability. We will update this article with more information shortly.

Update: We have confirmed with Microsoft that this issue is indeed one that was patched with the release of ...

Robert Keith | 14 Sep 2010 19:43:49 GMT

Hello and welcome to this month’s blog on the Microsoft patch releases. This is an average-size month for releases—the vendor is releasing nine bulletins covering a total of 11 vulnerabilities.

Four of the issues are rated “Critical” and affect Windows, Office, and Outlook. Of particular note is the issue in the Windows Print Spooler service. That issue is currently being exploited by the Stuxnet malware and can be exploited remotely to completely compromise an affected computer. The remaining issues, rated “Important”, affect Windows, WordPad, and Internet Information Services (IIS).

As always, customers are advised to follow these security best practices:

- Install vendor patches as soon as they are available.

- Run all software with the least privileges required while still maintaining functionality.

- Avoid handling files from unknown or questionable sources.

- Never visit sites of unknown or...

Karthik Selvaraj | 13 Sep 2010 10:35:53 GMT

While things had been quiet, we were quite certain that the gang behind Trojan.Hydraq hadn't gone away. It looks like they are back, as we've been seeing evidence of their attacks since January, including an attack I’d like to talk about below.

A PDF malware sample exploiting a critical Adobe zero-day vulnerability was reported in the wild a few days ago. In this post we want to provide more information about this in-the-wild malware and the attack rather than the vulnerability itself.

A public report of the PDF malware seen in the wild showed a socially engineered email with the following properties:

Subject: “David Leadbetter’s One Point Lesson”
Sent date: “Monday, September 06, 2010 8:01 AM”
Attachment: Golf Clinic.pdf (MD5: 9c5cd8f4a5988acae6c2e2dce563446a)

The PDF file attached to the...

Andrea Lelli | 13 Aug 2010 17:01:29 GMT

We have seen many threats that use file-sharing applications in order to spread to other computers. Typically these threats would scan a compromised computer for the shared folders of these programs and, if found, would copy themselves into those folders, mimicking names that are popular in search queries (e.g. popular pirated software, games, or cracks).

W32.Changeup does not scan for existing file-sharing applications, but it does do something unusual. It will actually install a well-known application called Emule and use it to share itself, mimicking tens of thousands of file names from popular user searches. Let’s have a closer look.

Infection
Changeup may arrive on a computer in several ways. As we have seen, it may use the Microsoft Windows Shortcut 'LNK' Files Automatic...