Security Response
Showing posts tagged with Evolution of Security
Gilou Tenebro | 14 Aug 2009 21:28:54 GMT

In a previous post I provided an overview of W32.Waledac’s functionalities, tactics, origin, and connections. This time, I will discuss more on the bootstrap mechanisms and armoring techniques used by Waledac in order to sustain and protect itself.


Installation

When a Waledac executable is installed, it turns the compromised system into a zombie and acts as an agent for the botnet. It creates a window named fhfhkjfhwefkwj and registers itself with a class name jfkljfilfj23fi32io. As a self-starting mechanism, it also adds one of the following entries to the registry so that it runs whenever Windows starts:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"PromoReg" = "[PATH TO EXECUTABLE]"

Or:

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"PromoReg" = "[...

Liam O Murchu | 31 Jul 2009 20:20:49 GMT

Some of my colleagues from Symantec and I attended Black Hat in Las Vegas this past week. Wednesday was the first day of talks and there were some very interesting topics discussed. For me, the highlights were the following talks:

• “Stoned Boot Kit,” by Peter Kleissner
• “Using Guided Missiles in Drive-Bys: Automatic browser fingerprinting and exploitation with Metasploit,” by Egypt
• “Attacking Interoperability,” by Mark Dowd, Ryan Smith, and David Dewey

The papers for these presentations are available on the Black Hat website, but I did manage to talk to most of the presenters and get their views on various topics. In this post I’ll talk about the “Using Guided Missiles in Drive-Bys” and follow up with info on the other talks in later posts.

In his presentation “Using Guided Missiles in Drive-Bys,” James Lee (a....

Candid Wueest | 21 Jul 2009 15:57:46 GMT

Hopefully the readers of the Security Response Blogs are well aware of advance-fee fraud, which is also known as a 419 scam. A 419 scam typically pops up disguised as an email from some member of a royal family from a country far away, trying to transfer large amounts of money to you. The story used in the fraud schemes doesn’t vary much these days. However, these advance-fee scams have evolved and adapted to all of the new information sources that are available, including social networks, as in the following example, which was seen a couple of times at the beginning of June this year.

The scammer searched in Facebook for people who have highlighted the fact that they are disc jockeys. Since it is likely that such people usually want to be found and are proud to be DJs, it is quite easy for an attacker to create a very targeted user list for his scam. Simply browsing and comparing dedicated user interest groups can reveal all of the necessary information.

...
Shunichi Imano | 03 Jul 2009 16:21:48 GMT

As previously promised, Security Researcher Aviv Raff officially launched the Month of Twitter Bugs (MoTB) website on July 1. Aviv will be posting a “Twitter bug a day” on MoTB in order to raise awareness of Twitter APIs and to warn end users of potential problems with the software and systems they use.

MoTB will be following a limited disclosure approach. On the bright side for Twitter, third-party service providers and Twitter themselves are notified of high-risk vulnerabilities at least 24 hours in advance, giving service providers time to create patches before the information goes public on MoTB. When a vulnerability notification is issued, it is hoped that having a deadline will push the affected provider to take action, and the resulting solution will protect end users. On the other hand, if the provider cannot—or will not—come up with a solution in time, the vulnerability information will be posted on MoTB and the bad guys are likely to...

Lorenzo Russo | 10 Jun 2009 21:53:01 GMT

The world of information security standards is always changing. While telecommunication organizations are reviewing the publication of the ISO/IEC 27011 Information Technology - Information security management guidelines for telecommunications organizations (published May 2009), the European Parliament is discussing the inclusion of further legal requirements to safeguard the security and privacy of European citizens as part of the review of Directive 2002/58/EC. This Directive covers legal, technical, and organizational measures that need to be in place for the security and privacy of the services provided by EU electronic communication providers.

So, what are the primary objectives of the additional regulations being proposed? Overall, the review of Directive 2002/58 aims to establish a higher level of network security and privacy...

Steve Trilling | 13 Dec 2008 00:47:53 GMT

You may have seen an article in the New York Times on December 6, 2008, by John Markoff, entitled "Thieves Winning Online War, Maybe Even in Your Computer." As we've previously discussed here, we're exploring an exciting new reputation-based security approach to protect against the continuing proliferation of the types of threats described in the article.

For more detail, please take a look at these two previous blog articles by Carey Nachenberg:

It's All About Reputation, and Losing Touch with Fingerprinting

Jesse Gough | 28 Aug 2008 17:29:02 GMT

There has been much debate recently that stems from discussions related to Linux kernel development, over whether or not security vulnerabilities should be treated differently than regular software bugs. This has meant there has been a slight departure from the exhausted “full disclosure” debate, in that some believe that the problem with the disclosure process isn't whether or not it best protects users, but that it unfairly praises those that uncover and fix security issues more than those that fix regular bugs. Personally, I think that there are two important distinctions that are not being made.

Security vs. Availability

Security and availability are two different things and should be treated as such. Some are quick to argue this, pointing out that a denial-of-service attack against a life support system would obviously be a drastic security problem. They would be right—I am not suggesting that the two are mutually exclusive. If we depend...

Jesse Gough | 26 Aug 2008 18:53:35 GMT

The PCI Security Standards Council has released a summary of changes and clarifications for version 1.2 of the PCI-DSS standard, which is scheduled for release on October 1, 2008. In an effort to combat the growing problem of card theft, the Payment Card Industry Data Security Standard has been established to ensure that through the use of imposed regulations, compromises of customer card data will not be easily possible. Virtually anyone wishing to handle or process customer card data is familiar with these regulations and probably equally aware of the costs associated with achieving and maintaining PCI compliance. For some people, security is difficult to invest in. You spend a lot of money on something, and you may feel like you don't receive any tangible or perceptible benefit afterwards. You may have even been forced to change some aspects of your business in order to adopt processes that feel less efficient. However, several retailers are now facing serious repercussions from...

Erik Kamerling | 12 Nov 2007 08:00:00 GMT

On October 25, 2007, Elcomsoft Co Ltd. in Moscow, Russia filed for a US patent on a reportedly new password recovery method that makes use of a video card's graphics processing unit (GPU). Elcomsoft credits the February 2007 release of the NVIDIA CUDA C-Compiler and developer's kit for providing the necessary low-level GPU access they needed to make this cryptographic advancement. The newest NVIDIA GPUs act as multiprocessors that utilize shared memory, cache, and multiple registers. The newest graphics cards utilize fixed point calculations, relatively massive amounts of memory, and multiple processing units. They differ significantly from a computer's central processing unit (CPU) in terms of their cryptanalytic processing capabilities and Elcomsoft claims to have leveraged newer GPU architectures to improve brute force password cracking by a factor of 25.

Statistics from Elcomsoft state that the new method can be used to exhaustively crack an eight character pseudo-...

Patrick Fitzgerald | 03 Oct 2007 07:00:00 GMT

Wireless Equivalency Protocol (WEP) has been one of the hottest topics in Irish news over the last few days. One of the leading providers of DSL in Ireland has supplied users with wireless routers protected using WEP. What made this newsworthy is that it has emerged that the WEP keys used to encrypt the network traffic and to control access to a private network were generated using the Service Set Identifier (SSID). The algorithm used to generate the encryption keys has been analyzed and a tool is freely available which allows anyone within range of the router to trespass on a wireless network that has been secured using the default settings.

The DSL provider and media reports are advising customers that if they change their WEP keys, they will be safe from any trespassers or malicious attackers trying to get onto their network. While it is true that changing the default WEP settings will mitigate this particular attack, it will not make your wireless network secure.

WEP is...