Security Response
Showing posts tagged with Security Risks
Zulfikar Ramzan | 26 Dec 2006 08:00:00 GMT | 0 comments

Now that we’re near the end of the year, I thought I’d spend some time looking back at the phishing threat and reviewing some of the noteworthy trends. There are three high-level aspects that I’d like to touch upon:
1) The overall increase in phishing activity
2) New phishing attack vectors
3) New antiphishing techniques

Overall activity

First, phishing activity has steadily increased during the course of 2006. We’ve seen increases in both the number of phishing Web sites that go up as well as the number of unique phishing emails being sent out. Most targets are in financial services, but phishers have expanded their scope to include retailers, social networking sites, service providers, government sites, and even certificate authorities.

In addition, we’re seeing semblances of “corporate” behavior in phishing attack patterns. For example, phishers seem to be working normal business workdays and, therefore, are less active during...

Robert Keith | 20 Dec 2006 08:00:00 GMT | 0 comments

December 9, 2006, marks the day when long-standing contributor to the PHP Security Response Team, Stefan Esser, retired. He has stated a few reasons for this latest move, primarily focusing on (in his opinion) the lack of response from his fellow colleagues and an extended delay in the patching of known vulnerabilities. Possibly another example of how some individuals or groups may choose to view “responsible disclosure.”

Over the years, SecurityFocus has reported on multiple vulnerabilities affecting PHP, such as BIDs 20879 (PHP HTMLEntities HTMLSpecialChars Buffer Overflow Vulnerabilities), 19582 (PHP Multiple Input...

Marc Fossi | 04 Dec 2006 08:00:00 GMT | 0 comments

‘Tis the season to spend money. As the holiday season approaches, people tend to loosen their purse strings in the desperate search for the perfect gift for that special someone. Unfortunately, scammers and criminals are well aware of this fact and do what they can to take advantage of it. Two common ways of doing this are through “second chance” auction scams and “overpayment” scams.

If someone on your list wants that hot new gaming console that’s sold out in all the stores, you may turn to online auction sites to find one. Because so many people are after these hot items, the auction prices can get quite high. This is where the scammer steps in. Frequently, the winner of an auction may drop out or be unable to make good on their bid for whatever reason. Most online auction sites allow the seller to contact the next-highest bidder and offer the item to them rather than re-listing it. As a result, scammers are checking auctions for these items a day or two after the listing has...

Peter Ferrie | 01 Dec 2006 08:00:00 GMT | 0 comments

It's been more than two months since the disbanding of the 29A virus writing group, and in typical 29A fashion, we're still waiting for the official announcement. Of course, that's fine – as long as they're no longer writing viruses we don't care if they tell us or not. Maybe they're waiting for January 1. ;-)

What fun we can have speculating on the “hows” and “whys”, such as that Vecna left the group and nobody noticed, or that roy signs his viruses with a different group name and nobody cares. Zombie's site has been closed for a long time already; now the 29A site, hosted by GriYo, is gone. First it was replaced by GriYo's radio interviews and then it was removed completely. Benny's real name is known and probably Ratter's and Vecna's are, too. They must know that they can't move freely anymore. As for roy, I think he is actually not just one person but several, although that's a topic for another day (although they should all quit).

Anyway, these are all promising signs....

Sarah Gordon | 27 Nov 2006 08:00:00 GMT | 0 comments

Here at Symantec, one of our beliefs is that keeping people safe online requires more than just a knowledge of technology. It requires a knowledge of how people - both good guys and bad guys - actually use technology. It also requires an understanding of how people view technology and safety. It requires the ability to communicate different types of ideas to a wide variety of people; from teenaged users to the CFO, from the college educator to the data entry operator. It's a huge job and I was just reflecting today on how very fortunate I am to be working within a group that not only sees the value of the multi-disciplinary and inter-disciplinary approaches, but one that actively supports and encourages it.

I recently spent a week at the Santa Fe Institute, learning about scientific advances in everything from the communication patterns of male...

Al Hartmann | 24 Nov 2006 08:00:00 GMT | 0 comments

I posted a blog earlier this week that introduced an abstract host security metasystem and the sensor and effector instrumentation laws, which are two components of the laws of host security. Today’s blog outlines the security and policy component laws. Symantec posted a draft proposal on an abstract host security metasystem and the laws of host security in order to gain discussion and suggested improvements from interested parties in the security industry. Symantec posted this draft to openly solicit constructive comments and helpful suggestions for draft refinements. The intent is to reach industry consensus on an architectural framework to guide designers of future host security subsystems and supporting instrumentation.

metasystem.jpg...

John Canavan | 20 Nov 2006 08:00:00 GMT | 0 comments

VB-Oct06_small.jpg

In the early part of this year, W32.Blackmal.E@mm and OSX.Leap.A received near blanket coverage from the technical media. W32.Blackmal.E@mm was a mass-mailing worm with two particular features that ensured it quickly became a focus of attention. When run, the worm would execute a Web-based php script, which was intended to function as an infection counter. Cue the daily tech-blog updates: "Clock ticking for Nyxem virus" (Slashdot), "Blackworm worm over 1.8 million infestations and climbing" (Sunbelt). Even the fancy animated .gifs of a counter shot up from 398,000 to 440,000 in seconds (F-Secure). Couple this with the fact that the worm was programmed to delete files with a number of common extensions on the third of the next month, and there's a storm a brewin': "Kama Sutra worm seduces PC users" (cnet), "Countdown for Windows virus" (BBC), "Urgent...

Liam O Murchu | 15 Nov 2006 08:00:00 GMT | 0 comments

While analyzing a sample of W32.Graybird recently, I noticed a request for a picture from a well-known photo hosting site. The picture was of a cute fluffy bird (not gray, though) ;-) holding a bunch of roses (see below). The request seemed unusual and caught my attention.

bird2.jpg

Why was a back door connecting to a photo hosting site and requesting a picture like this? We often see threats connecting out for what appears to be a picture, but what is downloaded is actually an executable. In this case, it really was a picture that was downloaded. In other cases, the downloaded picture may contain executable code hidden within it, but here there was no executable code found inside either.

Upon closer inspection, a URL was found appended to the end of the image. The Graybird sample was downloading the image and parsing it to find this URL, then the sample was...

Mimi Hoang | 08 Nov 2006 08:00:00 GMT | 0 comments

Symantec is the most effective at detecting and removing spyware versus five other vendors. AV-Test (Andreas Marx), under the supervision of TUEV Saarland, conducted a test to determine how each vendor handled the spyware/adware anti-removal techniques.

This test was conducted in June, 2006, with 50 security risk samples randomly chosen by AV-Test from the “top 10” lists of various antispyware vendors, including the vendors that were tested. Further information on testing methodology and samples used can be downloaded at http://www.symantec.com/enterprise/security_response/toughsecurity/index.jsp (refer to the Appendix at the end of the technical brief) or visit www.tekit.de.

The results showed Symantec’s lead in the detection and removal of spyware, adware, and other security risk programs. We...