Security Response
Showing posts tagged with Evolution of Security
khaley | 26 Mar 2010 13:29:33 GMT

I am convinced that the readers of the Symantec Security Response blog are the smartest around! The results from our Password Survey prove it. Actually, the number of responses itself proves it to me. At best, I thought 20 or so of you would take the time to fill out the survey—and that would include most of my close relatives. Instead, we got more than 400 responses in a few short days (not even including my relatives). So, thank you to all who took the time to complete the survey.

I want to comment on some of the results. It may be a stretch to draw too many definitive conclusions from the data, but it will be fun nonetheless. If anyone wants to comment, correct, or vehemently disagree with any of my conclusions, I’ve set up a place to do all that here.

Let’s get started!

My answer to question 1...

Alessandro Tatti | 17 Mar 2010 10:40:37 GMT

In 2005, the European Commission embarked on a new policy framework that embraced all aspects of the “information society.” This framework, called i2010 - A European information society for growth and employment, provides the broad policy guidelines for the information, communication, and audiovisual sectors in the years up to 2010.

One of the priorities of the EU's i2010 program is to focus on E-Health to boost innovation and jobs. The aim is to provide user-friendly and interoperable information systems for patients and health professionals across Europe. E-Health provides many benefits, such as making it easier for doctors to access patients’ medical records, gain immediate access to test results from the laboratory, and deliver prescriptions directly to pharmacists.

The electronic health...

Vikram Thakur | 02 Mar 2010 23:52:16 GMT

In October 2009 we started tracking the Mariposa, or Butterfly, botnet. At that time, a security company had reported that a large number of Fortune 100 companies had been infected with this threat. Earlier today, news came out that the same firm had worked with the appropriate authorities in arresting alleged key members of the Mariposa botnet.

Back in October 2009 we also blogged about this bot's capabilities, in a brief post called The Mariposa Butterfly. Later that month we were able to get our hands on a toolkit being sold in underground forums that clearly demonstrated the bot's capabilities. More information about that is...

Gerry Egan | 19 Feb 2010 19:01:38 GMT

We recently upgraded our scanner on VirusTotal to include our new reputation-based security engine. That has caused a spike in our detection rates, in particular Suspicious.Insight detections, and so I thought I’d take a few minutes to explain some of the background and what is going on.

So what exactly is a Suspicious.Insight detection? These detections are derived from Symantec’s new reputation-based security technology. They highlight files that have not yet developed a strong reputation (either good or bad) amongst Symantec’s community of users. Our goal is to keep our users’ machines safe, and part of achieving that goal means helping our users make informed choices about the files they allow on to their systems. Suspicious.Insight detections help shine a...

Con Mallon | 03 Feb 2010 21:01:06 GMT

Well, it looks that way. We are only just into the second month of 2010, and yet we can already see a whole new raft of innovation coming our way. At CES, much of the attention went to eBook readers and new slate/tablet PCs, devices that are squarely focused on digital content. The success of Amazon and Apple in the digital content arena clearly shows that there is a big market for digital content and that money can be made as a result. We have seen a lot of activity in the eBook reader market, with many companies starting to launch products. Amazon, with the Kindle, has very much been the vanguard in showing how this can all come together.
CES also witnessed a range of tablet announcements, with products from HP, Lenovo (an interesting laptop/tablet cross-over device), Sony, Archos, and others. Many of these products will start to come to market around the middle of this year. Some people commented that these CES...

Patrick Fitzgerald | 29 Jan 2010 16:05:48 GMT

If you have been following this series on Trojan.Hydraq over the last week, you may have noticed that the blog entries have been, well, boring. Because of its profile in the media, and because of the varying assessments of both the threat posed by Trojan.Hydraq and its complexity, we decided to present the facts of the threat.

Threats make their way into mainstream media for various reasons. Sometimes it’s the effectiveness of a threat or the elegance associated with a particular approach taken by a piece of malware. Some use near impenetrable packers to make analysis extremely difficult and some have novel approaches to make the malware more robust and harder to take down.

In 2010, Trojan.Hydraq hit the media in an incident dubbed “Operation Aurora”. In case there is still any confusion at this stage, the malware used in the Aurora attack is Trojan.Hydraq.


Patrick Fitzgerald | 26 Jan 2010 16:40:57 GMT

Yesterday’s blog spoke about the obfuscation techniques employed by Trojan.Hydraq. As it turns out, these techniques are not new, have been used by various malware in the past, and are not too tricky to get around. This entry examines the techniques the threat uses to stay active on a compromised computer and survive a restart.

Hydraq takes advantage of the Svchost.exe process in Windows. When a Windows system starts up, it checks the following registry key:


These entries are referred to as service groups. The data under this key gives the operating system everything it needs to load a service group into a single svchost.exe instance. The following screenshot shows the services loaded into a particular instance of svchost on a clean computer:
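The comparison the screenshot invites, a suspect host's service groups against a clean one, can be scripted. The following is an added example, not Symantec's code and not a model of Hydraq's specific registry changes. It assumes the two standard locations svchost.exe consults: the Svchost key (one REG_MULTI_SZ value per group listing its member services) and each member's ServiceDll under its Services key. Both inputs, and all service and DLL names, are constructed inline so the check runs offline; on a live host they would be read from the registry.

```python
r"""Audit svchost.exe service groups against a clean baseline.

Added example for this post; not Symantec's code and not a description of
Trojan.Hydraq's actual changes. Inputs on a real Windows host come from:

  HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost
      one REG_MULTI_SZ value per service group, listing its member services
  HKLM\SYSTEM\CurrentControlSet\Services\<svc>\Parameters\ServiceDll
      the DLL that svchost.exe loads for that member

Both are constructed inline below so the check runs offline.
"""
import ntpath

SYSTEM_ROOT = r"C:\Windows"
TRUSTED_DIR = ntpath.normcase(ntpath.join(SYSTEM_ROOT, "System32"))


def expand_system_root(path):
    """Expand the %SystemRoot% prefix that ServiceDll values normally carry."""
    marker = "%systemroot%"
    if path.lower().startswith(marker):
        return SYSTEM_ROOT + path[len(marker):]
    return path


def audit_svchost(groups, service_dlls, baseline):
    """Return (group, service, reason) findings for suspicious group members.

    groups:       {group_name: [member services]} from the suspect host
    service_dlls: {service: ServiceDll value} from the suspect host
    baseline:     {group_name: [member services]} from a known-clean host
    """
    findings = []
    for group, members in groups.items():
        known = set(baseline.get(group, ()))
        for svc in members:
            # A member a clean install does not have is the simplest way to
            # get svchost.exe to load an arbitrary DLL at every boot.
            if svc not in known:
                findings.append((group, svc, "not in clean baseline"))
            dll = service_dlls.get(svc)
            if dll is None:
                findings.append((group, svc, "member has no ServiceDll"))
                continue
            dll_dir = ntpath.normcase(ntpath.dirname(expand_system_root(dll)))
            # A baseline member whose DLL now lives outside System32 has had its
            # ServiceDll repointed, even though the group list itself looks clean.
            if dll_dir != TRUSTED_DIR:
                findings.append((group, svc, "ServiceDll outside System32: " + dll))
    return findings


# Constructed data (not taken from any real host); the two extra services and
# the relocated DLL are made up for the example.
CLEAN_BASELINE = {
    "netsvcs": ["AppMgmt", "BITS", "Schedule"],
    "LocalService": ["WebClient", "TapiSrv"],
}

SUSPECT_GROUPS = {
    "netsvcs": ["AppMgmt", "BITS", "Schedule", "SvcHlpr"],
    "LocalService": ["WebClient", "TapiSrv", "UpdMgr"],
}

SUSPECT_SERVICE_DLLS = {
    "AppMgmt": r"%SystemRoot%\System32\appmgmts.dll",
    "BITS": r"C:\ProgramData\qmgr.dll",               # legitimate member, repointed DLL
    "Schedule": r"%SystemRoot%\System32\schedsvc.dll",
    "WebClient": r"%SystemRoot%\System32\webclnt.dll",
    "TapiSrv": r"%SystemRoot%\System32\tapisrv.dll",
    "SvcHlpr": r"%SystemRoot%\System32\svchlpr.dll",  # new member dropped into System32
    # UpdMgr deliberately has no ServiceDll value at all
}


if __name__ == "__main__":
    for group, svc, reason in audit_svchost(SUSPECT_GROUPS, SUSPECT_SERVICE_DLLS, CLEAN_BASELINE):
        print(f"{group:13} {svc:10} {reason}")
```

The path check alone is not enough, which is why the baseline diff comes first: a DLL dropped into %System% with an innocuous name passes the directory test and is caught only because its service is not a member on a clean machine.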


Patrick Fitzgerald | 25 Jan 2010 17:17:17 GMT

While Trojan.Hydraq has been described as sophisticated, the methods used to obfuscate the code are relatively straightforward to deobfuscate. Trojan.Hydraq uses spaghetti code, a technique that makes analyzing a program's code more difficult. The basic blocks of a function are identified and then completely rearranged, so one cannot easily follow the code in a linear fashion. The rearranged code blocks are connected by jump instructions that link them in the proper order during execution.

However, spaghetti code has been used in the past and, because of the simple way Hydraq implements it, is easily reversed. We posted one of the first blogs about spaghetti code in malware back in 2006, in regard to LinkOptimizer. Most security companies have tools that reverse this type of obfuscation in an automated fashion, and even off...
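To make the reversal concrete, here is an added example of the undoing step described above; it is not Symantec's tool and does not reproduce Hydraq's code. It takes a constructed pseudo-x86 listing of one function whose basic blocks have been shuffled and glued back together with unconditional `jmp` instructions, splits it into basic blocks, then walks the function from its entry, placing each `jmp` target directly after the block that jumps to it and dropping the now-redundant glue jump. Conditional branches and jumps to blocks that have already been placed are kept, since those are real control flow, not glue.

```python
"""Undo spaghetti-code block shuffling on a constructed listing.

Added example, not from the original post. The listing is invented pseudo-x86
with arbitrary addresses; a real tool would work on a disassembler's control
flow graph and also have to deal with indirect jumps and opaque predicates.
"""
import re

# "jmp 0x1040", "je 0x1008", ...: mnemonic and hex target.
JUMP = re.compile(r"^(j[a-z]+)\s+0x([0-9a-f]+)$")

# Constructed spaghetti listing: a function that returns 1 if its argument is 0
# and 0 otherwise, with its blocks shuffled and connected by glue jmps.
SPAGHETTI = [
    (0x1000, "push ebp"),
    (0x1001, "mov ebp, esp"),
    (0x1003, "jmp 0x1040"),          # glue
    (0x1008, "mov eax, 1"),
    (0x100d, "jmp 0x1030"),          # real join: 0x1030 has two predecessors
    (0x1012, "cmp [ebp+8], 0"),
    (0x1016, "je 0x1008"),
    (0x1018, "jmp 0x1020"),          # glue
    (0x1020, "mov eax, 0"),
    (0x1025, "jmp 0x1030"),          # glue (first arrival at 0x1030)
    (0x1030, "pop ebp"),
    (0x1031, "ret"),
    (0x1040, "mov ecx, [ebp+8]"),
    (0x1043, "jmp 0x1012"),          # glue
]


def split_blocks(listing, entry):
    """Return {leader_address: [(addr, text), ...]} basic blocks.

    Leaders are the entry, every jump target, and every instruction that
    follows a control transfer (jump or ret).
    """
    leaders = {entry}
    for i, (_, text) in enumerate(listing):
        m = JUMP.match(text)
        if m or text == "ret":
            if i + 1 < len(listing):
                leaders.add(listing[i + 1][0])
        if m:
            leaders.add(int(m.group(2), 16))
    blocks, current = {}, None
    for addr, text in listing:
        if addr in leaders:
            current = addr
            blocks[current] = []
        if current is None:
            raise ValueError("listing does not start at the entry point")
        blocks[current].append((addr, text))
    return blocks


def linearize(listing, entry):
    """Re-lay the blocks in execution order, dropping glue jumps."""
    blocks = split_blocks(listing, entry)
    order = sorted(blocks)
    fallthrough = dict(zip(order, order[1:]))   # next block in original layout
    out, placed, pending = [], set(), [entry]
    while pending:
        block = pending.pop()
        while block is not None and block not in placed:
            placed.add(block)
            insns = list(blocks[block])
            last = insns[-1][1]
            m = JUMP.match(last)
            nxt = None
            if m and m.group(1) == "jmp":
                target = int(m.group(2), 16)
                if target not in placed:
                    insns.pop()                 # glue: target goes right here instead
                    nxt = target
            elif last != "ret":
                # jcc or plain instruction: its original fallthrough block must
                # still follow it; if that block is already placed, re-add a jmp.
                nxt = fallthrough.get(block)
                if nxt in placed:
                    insns.append((None, f"jmp 0x{nxt:x}"))
                    nxt = None
            for _, text in insns:
                mm = JUMP.match(text)
                if mm and mm.group(1) != "jmp":
                    pending.append(int(mm.group(2), 16))   # taken branch, visit later
            out.extend(insns)
            block = nxt
    return out


def instruction_texts(listing, entry):
    return [text for _, text in linearize(listing, entry)]


if __name__ == "__main__":
    for addr, text in linearize(SPAGHETTI, 0x1000):
        print(f"{addr if addr is not None else 0:#06x}  {text}")
```

On this input four of the five unconditional jumps disappear and the fourteen-instruction listing collapses to ten; the one `jmp 0x1030` that survives is a genuine join of two paths, which is exactly the kind of jump a deobfuscator must leave alone.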

Peter Coogan | 21 Jan 2010 17:51:15 GMT

In our last Trojan.Hydraq (Aurora) blog, The Trojan.Hydraq Incident, we mentioned that one of the components of this Trojan is based on VNC code and has the ability to allow an attacker to control and stream a live video feed of a compromised computer’s desktop to a remote computer in real-time. In this blog we will look at these components in more detail and demonstrate them being used.

Once Trojan.Hydraq is installed by means of an exploit, it downloads additional files from a remote location to aid with the attack. Two of the additional files downloaded are named VedioDriver.dll and Acelpvc.dll. These files are placed into the %System% folder on the exploited computer. Analysis of the files and communication protocol suggests that...

Symantec Security Response | 20 Jan 2010 16:12:20 GMT

Symantec Security Response has repeatedly warned that looking for free movies and videos online often results in malware infection, and here we go again with yet another example. We recently became aware of a campaign, centered around the YouTube Web site, to trick users into following malicious links.

YouTube is one of the most popular video sharing sites and therefore is often picked by online criminals hoping for an easy catch. Performing a search using a (generally female) celebrity’s name followed by "sex tape" or a recent movie name yields results such as the following: