Security Response
Showing posts tagged with Emerging Threats
Vikram Thakur | 27 Dec 2007 08:00:00 GMT | 0 comments

It’s been less than 24 hours since the former Prime Minister of Pakistan was assassinated. As expected, the malware authors and distributors have already begun exploiting the morbid curiosity about Benazir Bhutto's death as a lure to spread their malice.

A simple search with terms such as "pakistan prime minister assassination" yields results that include pages like the one shown below:


As some would expect, clicking on some of these links will mean that the old (technique-wise) ActiveX message box will appear:


The problem with many of these links is that the ActiveX Object is malicious. For example, following the link in the above image downloads a malicious file hosted on a server in Denmark...

Samir_Kapuria | 20 Dec 2007 08:00:00 GMT | 0 comments

I know, it sounds like the name of an old-school rock band, but it’s not. It’s actually going to be one of the most pressing issues for IT in 2008. With millions beginning to enter the workforce from Generation Y, CIOs are scrambling to understand and address perhaps their greatest risk ever.

In 2007 IT is just beginning to get its hands around the concept of IT risk management and figuring out how to translate that for executives and the board. Now they’re confronted by the millennial worker, which is almost cause to rethink IT risk management all over again. Trying to implement IT risk management policies with a "Millennial" workforce—one with members who have been labeled as "risk takers"—is very problematic. In general most "Millennials" tend to believe in a "no-walls" approach when it comes to sharing information. Why shouldn’t all information be shared? Their strength is digital sophistication; some would even claim that the true concept of information technology is their...

M.K. Low | 19 Dec 2007 08:00:00 GMT | 0 comments

There’s been a lot of coverage on the FBI Bot Roast II campaign where they released information about eight suspects who have been indicted for conducting criminal botnet activity. Bot herder suspects from across the United States have been linked to criminal activities such as DDoS attacks, conducting multi-million dollar phishing and spamming scams, and in particular stealing personal information that could lead to identity theft.

Thousands of pieces of personal information are sold and traded in underground economy servers found in Internet relay chat (IRC) rooms. When I look around the servers that we monitor, it reminds me of Causeway Bay at night in Hong Kong. Large advertisements bombard you with capital letters and carders repeat their sales pitches across multiple lines to attract people to their bargains. They list off their best deals and even offer cheaper prices if...

Sai Narayan Nambiar | 18 Dec 2007 08:00:00 GMT | 0 comments

Antiphishing filters basically work either on block listing or on heuristics. "Rock phish" attacks are quite a recent phenomenon that has posed a major challenge to both of the above mentioned antiphishing filters, simply because the unique structure of a Rock phish attack circumvents antiphishing filters. This phishing technique can be traced back to somewhere around August 2006. The URL structure was comparatively simpler then, consisting of a randomized root domain and three sub folders. But the principal cause in the recent surge in the number of such attacks is traced to the botnet phenomenon. So, what then is so special about Rock phish? Well, this technique has a trademark method of striking naïve targets.

The URLs that navigate to the fraudulent Web sites have a unique structure. For example, the structure of this URL is Rock phishing specific: as a matter of fact, it gets...

Nishant Doshi | 17 Dec 2007 08:00:00 GMT | 0 comments

In a recent blog I discussed the ill effects of Web 2.0 and the main theme revolved around security for users of social networking sites. Well, what if you don’t use social networking sites? What if you only just visit known and legitimate "good" sites? For example, you read an online newspaper or view your government's national defense Web site, or look up words on a popular online Web dictionary? Do these actions sound more like you? Are you protected in that case?

What most average users don’t know is that legitimate sites can be infected as well. Symantec has seen a sharp increase in legitimate Web sites becoming infected and serving browser-based exploits. For the most part, these sites are innocent victims themselves and in most cases are unaware of the exploits hosted on their Web sites.

Symantec has recently discovered that the main page of a...

Robert Keith | 11 Dec 2007 08:00:00 GMT | 0 comments

Hello, and welcome to this month’s blog on the Microsoft patch releases. Microsoft released seven bulletins this month, covering a total of eleven vulnerabilities. Nine of the vulnerabilities affect Microsoft Vista either directly or through applications running on that operating system.

The first three bulletins discuss seven client-side vulnerabilities rated “Critical” by Microsoft. Four of those are vulnerabilities in Internet Explorer, two more affect DirectX, and the seventh is a vulnerability affecting the Windows Media Format Runtime. These issues do require some sort of user interaction (such as visiting a malicious Web page, opening a malicious email, or opening a malicious file), but can aid in the remote compromise of a victim’s computer. Users are advised to use security best practices, including avoiding sites of unknown or questionable integrity.

The remaining vulnerabilities (four issues rated as “Important”) are each documented in their own bulletin. They...

Vikram Thakur | 30 Nov 2007 08:00:00 GMT | 0 comments

A few days ago we posted a blog entry about how some pharmaceutical sites were using link farms and spamming in their marketing campaign. The hackers were injecting links into compromised sites, which raised the marketed sites in search engine results. We followed up with some of the owners and administrators of sites that were being used in this spam campaign and found most administrators cleaning up the infections and closing holes in their Web applications promptly.

Ironically, after we posted the previous article the spammers began to use text from our blog to redirect traffic to their sites. This shotgun seeding technique allows the link farmers to rapidly manipulate the metadata and skew search results. Here is a screenshot of what we got by searching for one specific line from our previous blog entry.


Zulfikar Ramzan | 27 Nov 2007 08:00:00 GMT | 0 comments

On November 2, 2007 I had the opportunity to participate in a panel at the Federal Trade Commission on the future of online behavioral advertising. While this topic is not one that is normally associated with information protection issues, there are some interesting implications that I touched upon at the panel and that I thought I’d reiterate here.

First, let’s think about some of the overall trends related to Web advertising. To begin with, the Web has certainly exploded in popularity and people are spending more and more time each day surfing their favorite sites.

Second, online advertising has proven itself to be a viable business model for many companies. Countless Web sites display ads that are viewed by an even greater number of people.

Third, along these same lines the online advertising supply chain is fairly complex. In the simplest incarnation, an advertiser might work with an ad network who will arrange to have the ad published through one or more...

Vikram Thakur | 27 Nov 2007 08:00:00 GMT | 0 comments

Earlier today there was a report about Al Gore's site,, being hacked. The site contained links that weren't visible to the visitors, which pointed to various pharmaceutical products. The links could be viewed by looking into the source code of the page being displayed. The fact that Al Gore's site got hacked or compromised, while definitely of significance, uncovers a much bigger technique now being used by spammers. Here is a snapshot of the links from the hacked site:


As you can see, there are loads of links to a university's server. None of the links work. However, the hackers were able to get to the top of search results by creating links such as these. No one visiting the...

Con Mallon | 23 Nov 2007 08:00:00 GMT | 0 comments

While the scale of the data loss by the UK’s Revenue and Customs is indeed stunning, there is still no indication that the missing disks containing information from 25 million UK residents have actually fallen into unfriendly hands. However, this is now almost irrelevant as we in the security industry sit and wait for the first scam or phishing attack that plays on people’s doubts and fears.

For those unaware of this issue, on November 20th Her Majesty’s Revenue & Customs (HMRC - the UK's tax and excise agency) acknowledged that it had lost two computer disks containing large amounts of confidential information, including names, addresses, dates of birth, and in some cases bank account information. The missing disks — apparently lost while being transported — may include information on as many as 25 million individuals, including recipients of child benefits.

HMRC believe the disks are still within one of their sites, but after an exhaustive search, they have failed to...