Video Screencast Help
Symantec to Separate Into Two Focused, Industry-Leading Technology Companies. Learn more.
Security Response
Showing posts tagged with Evolution of Security
Showing posts in English
Hon Lau | 16 Nov 2009 15:00:47 GMT

When trawling the Web today we came across a website that has been compromised and rigged so that it is returned in search engine results for many different search terms. The site in question belongs to a UK-based company that specializes in hiring out holiday homes and is a legitimate business. However, the site has been compromised and is being used in a major ongoing SEO-based misleading applications attack, and has been for some time now. As you can see in the sample search results below, you may wonder what college football, a Ukraine vs. Greece soccer match, Penn State basketball, and Robin Williams have to do with renting a holiday home—and with good reason, too.


The key to identifying malicious pages in the search results is looking for the string...

Robert Keith | 10 Nov 2009 19:57:46 GMT

Hello and welcome to this month’s blog on the Microsoft patch releases. This is a moderate month—the vendor is releasing six bulletins covering a total of 15 vulnerabilities.

Three of the issues are rated “Critical” and affect Web Services on Devices API, License Logging Server, and the Windows kernel. An attacker could exploit these issues remotely to gain complete control of a vulnerable computer.

The remaining issues, rated “Important”, affect Excel, the Windows kernel, Office, and Active Directory. Although these are only rated “Important” by Microsoft, we consider the Office and Excel issues quite serious and advise customers to apply updates as soon as possible.

As always, customers are advised to follow these security best practices:

- Install vendor patches as soon as they are available.
- Run all software with the least privileges required while still maintaining functionality.
- Avoid handling files from unknown or...

Nicolas Falliere | 10 Nov 2009 12:31:22 GMT

Trojan.Clampi is an interesting threat, which we described in many blog entries over the past month. We’ve now compiled these entries, along with some new material, into a research paper—Inside the Jaws of Trojan.Clampi.

In a nutshell, Clampi is an Infostealer threat. Its executable can be seen as a host for separate modules, containing the real payloads of the threat. These modules are heavily protected from reverse-engineering as well. The functionalities range from banking-site password stealing, to local credential gathering, to a SOCKS proxy. The communication with Clampi’s command & control servers, the “Gates”, uses HTTP and is encrypted. Clampi...

khaley | 09 Nov 2009 22:08:08 GMT

One thing I see again and again in this job is that people usually don’t think about security until after they are hit with an incident. Companies create disaster recovery plans after the disaster. They come up with incident response teams after the incident. And consumers get antivirus software after they’ve had a virus infect their system.

People, here is a chance to turn that all around. We’ve seen several incidents of mobile phones being hacked. So far it’s been by old school hackers, those that are doing it just to prove that it can be done. But history shows us that the cyber criminals follow closely behind the old school hackers, and they will not be doing it for kicks—they’ll be doing it to rip you off.
Security professionals approach any situation like this by a risk assessment; in other words, they try to figure out what bad things could happen. Then they can hope for the best, but prepare for the worse. If...

Ben Nahorney | 03 Nov 2009 20:40:05 GMT

Threats targeting the Macintosh platform are much less common than those targeting Windows. The same can be said about video games, where Windows is the dominate platform of the two. Combining games and malware has happened before, but a Mac game performing malicious activities? That’s something relatively new.

Takashi Katsuki, one of our Tokyo engineers, came across just that today. The game looks to be a throw-back to the classic Space Invaders/Galaga style of games from the early 1980s. However, what brings this game into the realm of malicious code is that for every alien ship you destroy, the game deletes a file from your home directory.

Nicolas Falliere | 27 Oct 2009 04:06:33 GMT

Clampi goes to unusual measures to bypass the local firewall on the compromised computer, such as the Windows Firewall. Usually, such firewalls allow only specific programs to communicate using specific ports and protocols. For instance, your browser would be allowed to use outbound TCP port 80.

As we’ve previously discussed, Clampi needs to communicate with a “Gate” gateway server in order to get its orders and send information. Any firewall would block the program if it tried to connect to the outside world. Bypassing this can be done in many ways, the most common one in the malware world being to add an entry in the Windows registry, added the program to the trusted file list.

The Clampi gang decided to inject their networking code into Internet Explorer, which is granted Web access by any standard firewall configuration out there. Fair enough—that’s another approach, but not a new one. Yet you’ve seen these guys don’t do...

Gaurav Dixit | 22 Oct 2009 16:39:27 GMT

Misleading applications, also known as rogue applications, have always tried to lure users into their traps by using various techniques such as fake security scans, misleading task bar notifications, popup windows, etc. To take this to a new level, developers of these applications are now frequently changing the product name and its associated website name in order to mislead users and antivirus vendors. Clones of the same product—with different names—continue to appear almost every day. Earlier this week Symantec published its Report on Rogue Security Software, which discusses misleading apps in greater detail. A couple of examples of rogue security software are given below. We identify one such family of rogue or misleading applications as WiniGuard:


Those who...

M.K. Low | 21 Oct 2009 17:26:34 GMT

Rogue security software programs, also known as misleading applications or scareware, are programs that pretend to be legitimate security software, such as an antivirus scanner or registry cleaner, but which actually provide the user with little or no protection whatsoever. Well known examples of rogue security software include AntiVirus 2009, Malware Defender 2009, and System Guard 2009.

The recently published Symantec Report on Rogue Security Software includes a discussion on a number of servers that Symantec observed hosting these misleading applications from July to August 2009....

Nicolas Falliere | 20 Oct 2009 15:40:27 GMT

This chapter in our Clampi saga brings us back to the malware’s logging facility. As we saw before, one of Clampi’s modules, codenamed LOGGER, is responsible for logging outgoing information going to a determined list of URLs – stored in a data file as CRCs.

One problem arises with banking sites that preprocess the user’s personal information before sending it over HTTPS—it’s done using client-side JavaScript.  For instance, a hash of the input PIN number could be sent instead of the PIN number itself. This mechanism adds an extra layer of security, preventing malware from sniffing network traffic at one end of the SSL tunnel. But still, it’s only covering one end. It’s more secure than no encryption, but still not great. At least two methods exist to get around this:

  • Setting up a keylogger using either software (...
David McKinney | 20 Oct 2009 15:12:40 GMT

The Symantec Report on Rogue Security Software includes an in-depth analysis of the methods scammers use to distribute rogue security applications. This blog presents some of the highlights of the research into the distribution of these scams.

In the report, the following distribution and advertising trends were observed:

•    Ninety-three percent of the top 50 most prevalent rogue security applications were distributed as intentional downloads. This means that victims are tricked into believing they are downloading legitimate security software and subsequently installing the rogue application.
•    Seventy-six percent of the top 50 most prevalent rogue security applications were classified as unintentional downloads. This means that the software may be installed unintentionally through drive-by downloads or...