Video Screencast Help

Security Response

Showing posts for January of 2007
Showing posts in English
Elia Florio | 31 Jan 2007 08:00:00 GMT | 0 comments

We've been getting a lot of requests from people asking what it looks like when your computer is compromised by one of these very limited targeted attacksthat involves any of the recent MS Word zero-day vulnerabilities. Atargeted attack begins with an incoming email that has a .DOC fileattached; a very common event that happens to almost everyone everyday. The email sender looks legitimate (it's spoofed of course!) andthe document name is selected to appeal to the recipient. For example,if the targeted user is an accountant, then the document would looklike a tax certificate or an invoice. For members of governments, itcould appear to be an important communication from a Minister. Forfinance brokers, a stocks analysis and so on...

Targeted attacks are not intended for the masses, so we're nevergoing to see the usual "Very exciting greeting postcard.exe" attachedto those emails. But the big question is: what happens when someoneopens the malicious...

Eric Chien | 30 Jan 2007 08:00:00 GMT | 0 comments

We have received some additional Worddocuments that exploit an unpatched Microsoft Word vulnerability. Thesedocuments are detected as Trojan.Mdropper.X. We believe this is a newvulnerability, making it the fifth currently unpatched Office fileformat vulnerability. While these documents are being used in atargeted attack consistent with previous cases, we have receiveddifferent documents that use this same exploit from multipleorganizations. The documents have been each designed specifically forthe targeted organization in both language and content.

The vulnerability could be a slight variation or may be covered bythe existing CVEs and we are awaiting confirmation from MicrosoftSecurity Response Center. Nevertheless, no patches appear to beavailable, so, as always, be careful opening unsolicited Word documents.

Update - Feb 1st, 2007 11:40 UTC: We have receivedconfirmation from Microsoft that the vulnerability being used in theseattacks is in...

Ollie Whitehouse | 30 Jan 2007 08:00:00 GMT | 0 comments

So, it's Tuesday morning in London town and I've been up since 6:00 a.m. staring at a monitor, trying to free myself from PowerPoint hell (it's all rock and roll I tell ya!). Anyway, this morning I stumbled across an InfoWorld article entitled “Hackers to target mobile banking, study says.” This article seems to have been spun out of a press release by the Tower Group entitled “Increases in Mobile Fraud and ID Theft Could Hamper Mobile Payment / Banking Initiatives.” The press release, in turn, references a report entitled “Fraud, Virus and ID Theft: Mobile Malware Stands to Create a New Beginning.” While I've not read the report and may not agree with the notion that security issues hamper payment / banking initiatives (just look at the world that is the Internet—yeah,...

Peter Ferrie | 29 Jan 2007 08:00:00 GMT | 0 comments

The latest news (as of January 23rd) is that the virus writing group29A is reforming, but with most of the coders missing. Gone are GriYo,Vecna, and Zombie. We knewthat Vecna had left, but that GriYo and Zombie have left as wellsuggests that the "internal issues" are a difference of opinion aboutwho should do what. A coup in a virus writing group? It's all sopolitical.

So that leaves VirusBuster, who has come out of retirement, andpresumably Vallez. It is unclear if roy g biv will join them, giventhat today he placed W32.Stutter on a popular VX website, under theDefjam label.

Ultimately, though, the point is "who cares"? A virus writing group that doesn't write viruses—that’s always a good thing.

Kelly Conley | 26 Jan 2007 08:00:00 GMT | 0 comments

The Symantec Messaging and Web Security team started off 2007 with the release of a new monthly report geared towards the media. This report, entitled The State of Spam: A Monthly Report was released last week, covers December 2006, and can be found here.

Do you want to know what the top spam type for last month was? Or how about what new techniques spammers are currently using? Did you see some unusual spam in your Inbox? Check out our report and see if it's a new trend. People interested in what’s going on in the ever-changing world of spam will want to get their hands on a copy of this report for the metrics, latest trends, new spam examples, and data points of interest.

Have you noticed more spam? You're not going crazy. Symantec AntiSpam tracking has shown an increase in spam by over 15 percent from the month of October to mid-December. In...

Dave Cole | 25 Jan 2007 08:00:00 GMT | 0 comments

We’re happy to report that so far today, Peacomm and Mixor.Q activity is lighter than the maelstrom of activity we’ve seen in previous days. We’ve noted no new spam runs today, with the malware submissions and activity levels tapering off a bit as well. Phew! Our Security Response team in Pune, India, has pulled together a slick Flash-based run through of the attack, which can be viewed using the following URL:
http://www.symantec.com/content/en/us/home_homeoffice/media/flash/peacomm.html

Just a little more info on this threat you may have not heard before—it is communicating over peer-to-peer using the Overnet protocol and network (of eDonkey fame). After connecting to the network, the threat then searches for some particular hashes (searches are done by hash, not by specific filename) and eventually it receives a reply that includes some 'meta tag' information...

Dave Cole | 25 Jan 2007 08:00:00 GMT | 0 comments

We’re happy to report that so far today, Peacomm and Mixor.Q activity is lighter than the maelstrom of activity we’ve seen in previous days. We’ve noted no new spam runs today, with the malware submissions and activity levels tapering off a bit as well. Phew! Our Security Response team in Pune, India, has pulled together a slick Flash-based run through of the attack, which can be viewed using the following URL:
http://www.symantec.com/content/en/us/home_homeoffice/media/flash/peacomm.html

Just a little more info on this threat you may have not heard before—it is communicating over peer-to-peer using the Overnet protocol and network (of eDonkey fame). After connecting to the network, the threat then searches for some particular hashes (searches are done by hash, not by specific filename) and eventually it receives a reply that includes some 'meta tag' information...

Eric Chien | 25 Jan 2007 08:00:00 GMT | 0 comments

While Trojan.Peacomm (aka Storm Worm) received its alias because of unprecedented storms that battered Europe, the threat deserves the name more because Peacomm itself is the perfect storm. Peacomm is a combination of an open source email worm, a file infecting virus, a polymorphic packer, a spam relay, a rootkit, and a botnet that operates over a peer-to-peer network. In the history of malicious code, we have never seen a malicious threat that contains a handful of these characteristics let alone all of them. Thus, the perfect storm.

We've been tracking Peacomm over the week and wanted to provide a high level summary of how Peacomm spreads and some of the unique and interesting aspects of Peacomm, including how it uses peer-to-peer communication with the ultimate goal of sending out spam.

In late December and early January, the authors of Peacomm...

Hon Lau | 25 Jan 2007 08:00:00 GMT | 0 comments

We’ve seen many threats using vulnerabilities based on MicrosoftOffice documents over the last year, so it’s no surprise that we haverecently observed new samples of a threat that follows the same theme.This threat named Trojan.Mdropper.W is using the new Microsoft Word 2000 Unspecified Code Execution Vulnerability (BID22225)to drop threats onto a compromised computer. When the infected Worddocument is opened, it uses an exploit to drop some files onto thecomputer. These files are back door Trojans that enable an attacker togain remote access to your computer.

This vulnerability comes on the back of three other recent and unpatched Microsoft Word vulnerabilities, which are:

BID21518...

Dave Cole | 25 Jan 2007 08:00:00 GMT | 0 comments

We’re happy to report that so far today, Peacomm and Mixor.Q activity is lighter than the maelstrom of activity we’ve seen in previous days. We’ve noted no new spam runs today, with the malware submissions and activity levels tapering off a bit as well. Phew! Our Security Response team in Pune, India, has pulled together a slick Flash-based run through of the attack, which can be viewed using the following URL:
http://www.symantec.com/content/en/us/home_homeoffice/media/flash/peacomm.html

Just a little more info on this threat you may have not heard before—it is communicating over peer-to-peer using the Overnet protocol and network (of eDonkey fame). After connecting to the network, the threat then searches for some particular hashes (searches are done by hash, not by specific filename) and eventually it receives a reply that includes some 'meta tag' information...