Security Response
Showing posts tagged with Emerging Threats
Ollie Whitehouse | 02 Aug 2007 07:00:00 GMT | 0 comments

So in a world where data is king, people are obviously going to look for ways to mine the data in more effective ways. I saw a talk in May last year by Ian Cook titled, “Finding Information in the Darkweb,” with a subtitle of “Open Source Intelligence Gathering on a Shoestring.” This was interesting and pretty cool on the whole, but required a number of tools and some time to mine the data and glue all the bits together.

While data is cool, without context it can be a huge burden to mine and discover the relationships. Well, my friends, close your Google Earth as I’ve got something to show you that is so cool it’ll make whizzing round the streets of San Francisco in Google Earth feel like peeling potatoes.

Welcome to Evolution, the brainchild of Roelof Temmingh of ex-SensePost fame. It’s a tool that “associates data found in multiple search engines and social-networking Web sites… to find...

Shunichi Imano | 02 Aug 2007 07:00:00 GMT | 0 comments

Symantec Security has received a sample of an Ichitaro document that contains a currently unknown exploit. This is not necessarily surprising, as most software has vulnerabilities, but a user who opens the document will surely be hit with a surprise.

Symantec detects the malicious document as Trojan.Tarodrop.D. When it is opened, malware is dropped onto the compromised computer, which Symantec detects as Trojan Horse. The dropped Trojan in turn drops more malware (detected as Hacktool.Keylogger) that logs keystrokes and sends the stolen information to a remote host on TCP port 443.

Additionally, Hacktool.Keylogger...

Hon Lau | 31 Jul 2007 07:00:00 GMT | 0 comments

In the (legitimate!) business world, Management Information Systems (MIS) are typically used by managers and key decision makers of a business to see at a glance how well a business is doing in its various key performance areas. They typically summarize masses of transactional data through tables and reports, and also allow for more advanced analysis and drill-down to detailed data. The advantage of such systems in business is considerable, because having such information available on hand allows these individuals to make key decisions that affect the future of a business.

Moving over to the malware criminal world, we are seeing more and more parallels to the world of legitimate business. As online criminals get increasingly organized, we are seeing them employ more of the tools and techniques that would be employed in running a normal business. Such is the amount of money to be made in online crime that it has really become a sort of gold rush: just like in the traditional gold rush...

Liam O Murchu | 20 Jul 2007 07:00:00 GMT | 0 comments

There have been a lot of rumours and discussions about the recent Adobe Flash Player remote code execution vulnerability. The most interesting thing is that it is a cross-platform vulnerability. Because Flash runs in different browsers and on many different platforms, this one vulnerability could leave every Flash-enabled operating system and device (including some advanced smartphones) open to attack.

The vulnerability has already been tested on Windows, Apple Mac, and some Linux distributions, but many other Flash-enabled devices could be affected by the problem too. For example, we verified that the Nintendo Wii gaming console is also affected. The Wii has an Internet Channel that runs a special version of the Opera browser with Flash, and yes… we verified that it is affected by the problem too! The Wii console completely hangs while...

Hon Lau | 29 Jun 2007 07:00:00 GMT | 0 comments

Over the years, IRC channels have been a favourite communications method between back doors and their command centers because they are so simple to set up and use. The IRC protocol is easy to use and can also be configured to travel over an arbitrary TCP port, so it is not easy to block IRC traffic based on well-known port numbers alone. That said, IRC traffic generally has no place within corporate environments, so that makes it a little easier to spot and control.

A recent proof-of-concept back door Trojan (Backdoor.Fonamebot) that we have examined here at Symantec has perhaps pointed the way forward for the transmission of data between zombies and the bot herder. What we have seen is a new kind of back door that sends and receives its data through the DNS protocol.

You might ask yourself, "What is the big deal with this development?" Well, as it...
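DNS is awkward to block the way IRC can be, because every host needs it, so the practical control is to look at the shape of the queries rather than the port. The script below is an added example (not code from the original post or from Symantec) showing the kind of resolver-log heuristics a back door that tunnels data through DNS tends to trip: many unique, high-entropy, long subdomains under one registered domain. The log format, the thresholds, the "last two labels" notion of a registered domain and the sample queries are all constructed assumptions for the example; it makes no claim about which record types Backdoor.Fonamebot itself uses.

```python
import base64
import hashlib
import math
from collections import defaultdict


def shannon_entropy(s: str) -> float:
    """Bits per character of s (0.0 for an empty or single-symbol string)."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def registered_domain(qname: str) -> str:
    """Crude 'domain the bot herder controls': the last two labels.
    Assumption for the example; a real deployment would consult the public suffix list."""
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[-2:])


def parse_line(line: str) -> dict:
    """Parse one constructed log line of the form '<ts> <client> <qname> <qtype>'."""
    ts, client, qname, qtype = line.split()
    return {"ts": ts, "client": client, "qname": qname.lower(), "qtype": qtype.upper()}


def analyze(lines, min_queries=8, min_unique_ratio=0.8, min_entropy=3.5) -> dict:
    """Per registered domain: query count, share of never-repeated names, mean entropy
    of the leftmost label, and share of TXT/NULL answers (record types with room for data).
    A domain is flagged when it is busy AND its names are mostly unique AND look encoded."""
    stats = defaultdict(lambda: {"queries": 0, "names": set(), "entropy_sum": 0.0, "bulk": 0})
    for line in lines:
        rec = parse_line(line)
        st = stats[registered_domain(rec["qname"])]
        st["queries"] += 1
        st["names"].add(rec["qname"])
        st["entropy_sum"] += shannon_entropy(rec["qname"].split(".")[0])
        if rec["qtype"] in ("TXT", "NULL"):
            st["bulk"] += 1
    report = {}
    for dom, st in stats.items():
        q = st["queries"]
        unique_ratio = len(st["names"]) / q
        mean_entropy = st["entropy_sum"] / q
        report[dom] = {
            "queries": q,
            "unique_ratio": round(unique_ratio, 2),
            "mean_entropy": round(mean_entropy, 2),
            "bulk_share": round(st["bulk"] / q, 2),
            "flagged": q >= min_queries and unique_ratio >= min_unique_ratio and mean_entropy >= min_entropy,
        }
    return report


def suspicious_domains(lines) -> list:
    return sorted(d for d, r in analyze(lines).items() if r["flagged"])


def _encoded_label(i: int) -> str:
    """Constructed stand-in for a chunk of exfiltrated data encoded into a label."""
    return base64.b32encode(hashlib.sha256(str(i).encode()).digest()).decode().rstrip("=").lower()


# Constructed sample log (not real traffic): ordinary lookups plus a burst of
# unique, encoded subdomains under one domain, as a DNS-carried channel produces.
_BENIGN = [
    ("www.example.com", "A"), ("www.example.com", "A"), ("mail.example.com", "MX"),
    ("ns1.example.com", "A"), ("www.example.com", "A"), ("ns2.example.com", "A"),
    ("mail.example.com", "A"), ("www.example.com", "A"),
    ("www.symantec.com", "A"), ("update.symantec.com", "A"),
]
_TUNNEL = [(f"{_encoded_label(i)}.t.badexample.net", "TXT") for i in range(12)]
SAMPLE_LOG = [
    f"2007-06-29T10:00:{i:02d} 10.0.0.5 {qname} {qtype}"
    for i, (qname, qtype) in enumerate(_BENIGN + _TUNNEL)
]

if __name__ == "__main__":
    for dom, r in analyze(SAMPLE_LOG).items():
        print(dom, r)
    print("flagged:", suspicious_domains(SAMPLE_LOG))
```

Note that example.com also sees eight queries in the sample but stays unflagged: the volume threshold alone is not the signal, it is volume combined with names that never repeat and carry near-maximal entropy. Legitimate CDNs and anti-spam services can produce hashed-looking labels too, so treat a hit as something to investigate, not block outright.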

Symantec Security Response | 26 Jun 2007 07:00:00 GMT | 0 comments

Digital Rights Management (DRM) is a term used to refer to the various content protection schemes used by content providers to restrict the usage of digital media and devices to authorized persons. Popular DRM schemes include Apple’s FairPlay system, which is used by their online iTunes Store, and Microsoft’s Windows Media DRM. These systems use strong cryptography to protect media from being viewed except by hardware or software that has the proper credentials.

For most DRM applications, the trusted media player contains a decryption key that is used to decrypt and play the protected media. This decryption key must be secret and inaccessible to the user. Finding this decryption key would allow someone to decrypt the data and share it without restriction, defeating the DRM protection. This poses a major problem because the trusted media player is often running on an untrusted platform: the user’s home computer. Keeping the encryption keys used by the trusted media player from being...
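To make the "untrusted platform" problem concrete, here is an added example (not code from the original post, Symantec, or any DRM vendor) of why a key that the player must hold in memory cannot stay secret from whoever owns the machine. It implements the AES-128 key expansion from FIPS-197 and then scans a buffer for any 16 bytes whose expansion reproduces the 160 bytes that follow them, which is exactly what a real AES implementation keeps in memory for the key it is using. This is the key-schedule fingerprinting approach used in cold-boot memory-recovery research. The "player memory" is a constructed buffer with a schedule planted at an assumed offset, not a dump of any real player; the FIPS-197 test key is used only so the expansion can be checked against the published vector.

```python
import random


def _gf_mul(a: int, b: int) -> int:
    """Multiply in GF(2^8) modulo the AES polynomial x^8 + x^4 + x^3 + x + 1."""
    p = 0
    while b:
        if b & 1:
            p ^= a
        a <<= 1
        if a & 0x100:
            a ^= 0x11B
        b >>= 1
    return p & 0xFF


def _build_sbox() -> list:
    """Derive the AES S-box: multiplicative inverse followed by the affine transform."""
    inv = [0] * 256
    for x in range(1, 256):
        if inv[x]:
            continue
        for y in range(1, 256):
            if _gf_mul(x, y) == 1:
                inv[x], inv[y] = y, x
                break
    sbox = []
    for x in range(256):
        v = s = inv[x]
        for _ in range(4):                       # s = v ^ rotl1(v) ^ rotl2(v) ^ rotl3(v) ^ rotl4(v)
            v = ((v << 1) | (v >> 7)) & 0xFF
            s ^= v
        sbox.append(s ^ 0x63)
    return sbox


SBOX = _build_sbox()
RCON = [0x01, 0x02, 0x04, 0x08, 0x10, 0x20, 0x40, 0x80, 0x1B, 0x36]
FIPS_KEY = bytes.fromhex("2b7e151628aed2a6abf7158809cf4f3c")   # FIPS-197 Appendix A.1 key


def _next_word(prev: bytes, four_back: bytes, i: int) -> bytes:
    """Word w[i] of the AES-128 schedule from w[i-1] and w[i-4] (FIPS-197 section 5.2)."""
    t = list(prev)
    if i % 4 == 0:
        t = t[1:] + t[:1]                        # RotWord
        t = [SBOX[b] for b in t]                 # SubWord
        t[0] ^= RCON[i // 4 - 1]                 # Rcon
    return bytes(a ^ b for a, b in zip(four_back, t))


def expand_key(key: bytes) -> bytes:
    """Full 176-byte AES-128 key schedule (11 round keys)."""
    assert len(key) == 16
    words = [key[i:i + 4] for i in range(0, 16, 4)]
    for i in range(4, 44):
        words.append(_next_word(words[i - 1], words[i - 4], i))
    return b"".join(words)


def find_aes128_keys(mem: bytes) -> list:
    """Return (offset, key) for every position where the 16 bytes, expanded as an
    AES-128 key, reproduce the 160 bytes that follow. The first derived word is
    checked before the full expansion so the scan stays cheap per offset."""
    hits = []
    for off in range(len(mem) - 176 + 1):
        cand = mem[off:off + 16]
        if _next_word(cand[12:16], cand[0:4], 4) != mem[off + 16:off + 20]:
            continue
        if expand_key(cand) == mem[off:off + 176]:
            hits.append((off, cand))
    return hits


def build_player_memory(key: bytes, size: int = 4096, offset: int = 1234, seed: int = 7) -> bytes:
    """Constructed stand-in for a player's heap: random filler with the expanded
    key schedule sitting where an AES implementation would keep it (assumed layout)."""
    rng = random.Random(seed)
    mem = bytearray(rng.getrandbits(8) for _ in range(size))
    sched = expand_key(key)
    mem[offset:offset + len(sched)] = sched
    return bytes(mem)


if __name__ == "__main__":
    for off, key in find_aes128_keys(build_player_memory(FIPS_KEY)):
        print(f"AES-128 key schedule at offset {off}: key = {key.hex()}")
```

The scan needs no knowledge of the player's code or file format; it only needs the memory, which the platform owner can always obtain (a debugger, a process dump, a hibernation file). Obfuscating or white-boxing the key raises the cost of the search but does not change who controls the machine, which is the root of the problem the post describes.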

Masaki Suenaga | 06 Jun 2007 07:00:00 GMT | 0 comments

If a virus uses a language other than English, it is most often Chinese, German, Spanish, Portuguese or Russian, and sometimes Indonesian/Malay, Japanese or Thai. It is rare to find an Arabic-aware virus. At least we thought so until now.

In the current trend, where a worm that spreads through removable media is easily created and many types of Trojan horses such as Infostealer and Downloader are armored with worm capability, this kind of beginner's worm is being developed in every corner of the world. Such a worm just spreads and does not get much attention from virus analysts, so we often give it a trivial name such as W32.SillyFDC.

W32.Alnuh, discovered on June 1, is a kind of W32.SillyFDC, as all it does is spread and then terminate some programs to protect itself. What is new is that it checks for some Arabic window titles to close as well as English ones. W32....

Stuart Smith | 06 Jun 2007 07:00:00 GMT | 0 comments

…was the case that they gave me. Specifically, SB.Badbunny, a fairly novel OpenOffice macro virus that attempts to spread via IRC. The novelty comes partly from the attention-grabbing trendiness of working on OpenOffice and many Unix-based operating systems (Linux and Macintosh included), but also from its use of a variety of scripting languages to improve portability. Badbunny doesn't just use the OpenOffice macro language, but has components written in Ruby, JavaScript, Python and Perl.

What makes this virus worth mentioning is that it illustrates how easily scripting platforms, extensibility, plug-ins, ActiveX, etc., can be abused. All too often, this is forgotten in the pursuit to match features with another vendor. Fortunately, in this case the ease of use of these scripting languages attracted an amateur developer who wrote multiple critical bugs into the code, causing Badbunny to barely replicate.

Given that Web servers are an area where operating systems are still very much...

Elia Florio | 18 May 2007 07:00:00 GMT | 0 comments

“Whenever I post my computer puts something on the end of my post that I didn't type. Just look, it's that link and the text know will appear when I post this. P.S. Look, Super sreensaver! :)) …”

I wanted to start this blog by quoting a post picked up from one of the many forums contaminated by Mespam to show exactly what infected users experience without having a clue of what’s going on with their computer. If your friends are complaining that your e-mails, blog posts and chat sessions show a suspicious URL linking to photos, jokes or screensavers that you hadn’t sent them, you’re probably another victim of this Trojan.

Trojan.Mespam was originally spotted in February and we described here the new spreading technique, which uses an LSP component to attach text and malicious links to the outgoing HTTP traffic. In the Web 2.0...

Dave Cole | 16 May 2007 07:00:00 GMT | 0 comments

For those of us who are not hardcore gamers (yours truly included), but have fond memories of playing Pitfall on the Atari 2600 or Pirates on an old Apple, the world of online gaming has been experiencing a period of explosive growth in recent years. The rapid increases in players and dollars flowing into the gaming industry go well beyond console-based games such as Sony’s PS3 and Nintendo’s Wii and extend to PC-based games such as the hugely popular World of Warcraft (WoW), which enjoys a thriving online population that recently reached over 6 million users worldwide. WoW is a massively multiplayer online game (MMOG) that allows players from across the globe to interact socially in a persistent world where the player is represented by their in-game avatar, who increases in skills, gains possessions and presumably builds relationships over time. The MMOG market...