Security Response
Showing posts for June of 2007
Hon Lau | 01 Jul 2007 07:00:00 GMT | 0 comments

Security Response has received reports of a fake email purporting to have come from the US Department of Justice. The email informs the recipient of a complaint received by the IRS against the recipient’s business. The email looks reasonably well crafted and most people would tend to treat emails from the US Department of Justice with at least a bit of urgency.

The details of the email are as follows:

Complaint Case Number: 895285164 (Note the case number may vary)

US Department of Justice

Email Body:
The email may contain the following text. Please note that the name of the plaintiff, the date and case number may vary. Despite the message that states an attachment is included with the email, there may or may not be any attachments.

Dear citizen ,

A complaint has been filled against your company in regards to the business...

Kaoru Hayashi | 29 Jun 2007 07:00:00 GMT | 0 comments

In the past few weeks, we have observed many Web sites that have been compromised to distribute browser exploits with the MPack kit. We’ve tracked many different MPack sources created with the intent of distributing different types of malicious code. So far we’ve seen the following malware samples installed while surfing sites compromised by MPack:

Trojan.Anserin - a Trojan that steals banking-related information
Trojan.Linkoptimizer.B - a dialer Trojan
Backdoor.IRC.Bot - an IRC bot

Hon Lau | 29 Jun 2007 07:00:00 GMT | 0 comments

Over the years, IRC channels have been a favourite communications method between back doors and their command centers because they are so simple to set up and use. The IRC protocol is easy to use and can also be easily configured to travel over an arbitrary TCP port, so it's not easy to block IRC traffic based on well-known port numbers. That said, IRC traffic generally has no place within corporate environments, so that makes it a little easier to spot and control.

A recent proof of concept back door Trojan (Backdoor.Fonamebot) that we have examined here in Symantec has perhaps pointed the way forward for the transmission of data between zombies and the bot herder. What we have seen is a new kind of back door that sends and receives its data through the DNS protocol.

You might ask yourself, "What is the big deal with this development?" Well, as it...

Dave Cole | 29 Jun 2007 07:00:00 GMT | 0 comments

Nothing could be more fitting to recap the colorful history of information security than the wonderfully off-kilter theatre of The Rocky Horror Picture Show. What a ride it’s been! The story of our craft now spans at least four decades (depending on how you count it), each one with its own hallmark events and memorable characters.

In order to commemorate Symantec’s 25th year of business, we thought we’d invite you to do the time warp with us. This is the first of a series of blogs that will go back and review the history of Internet security, stretching back to the 70s and all the way up to the current age of rampant phishing, rootkits, splogs and SPIT.

The 70s
The deepest definition of youth is life as yet untouched by tragedy. ~ Alfred North Whitehead

Indeed, the 70s were a time in information security largely untouched by digital calamity but marked by exploration of emerging telecommunications technology....

Zulfikar Ramzan | 28 Jun 2007 07:00:00 GMT | 0 comments

I recently looked at some data collected from the Norton Confidential server on brands spoofed in phishing attacks from June through December of 2006. In total, we saw phishing attacks on 343 different brands. Looking further into the data, I wanted to get a sense of which types of brands are consistently targeted by phishers.

I found that there were 57 “core” brands that were consistently spoofed in each month from June through December. These core brands were determined by identifying seven lists of brands, one for each month in our data collection (June through December), in which a new Web site spoofing that brand was reported. The core brands, then, made up the intersection of these lists.

There is a distinction between core brands and the most frequently spoofed brands. The former are brands that are consistently spoofed each month. The latter are brands that are the most frequently spoofed overall, measured by the number of Web sites that imitate these brands.

At first...

Kelly Conley | 27 Jun 2007 07:00:00 GMT | 0 comments

Hey, you put your Trojan in my spam!

A Trojan in my spam? True. The most recent version of malicious code that we are seeing being delivered by spam is a Trojan in greeting card spam. Malicious code in spam has been around off and on for some time. We’ve even blogged about it in the past; here (from January 2007) and it appears that at least one more spammer thinks it is a novel tactic.

We’ve observed over 18 million of these spam messages in the past few days and have successfully blocked the ones we have seen. Each of the messages we’ve seen so far has a Hong Kong domain (.hk) in the subject line. Messages containing this Trojan are easy to spot, carrying subject lines such as:

Subject: Mima sent you a .hk! Greeting
Subject: Martha sent you a! Greeting

The body of the message appears to be a greeting...

Symantec Security Response | 26 Jun 2007 07:00:00 GMT | 0 comments

Digital Rights Management (DRM) is a term used to refer to the various content protection schemes used by content providers to restrict the usage of digital media and devices to authorized persons. Popular DRM schemes include Apple’s FairPlay system, which is used by their online iTunes Store, and Microsoft’s Windows Media DRM. These systems use strong cryptography to protect media from being viewed except by hardware or software that have the proper credentials.

For most DRM applications, the trusted media player contains a decryption key that is used to decrypt and play the protected media. This decryption key must be secret and inaccessible to the user. Finding this decryption key would allow someone to decrypt the data and share it without restriction, defeating the DRM protection. This poses a major problem because the trusted media player is often running on an untrusted platform: the user’s home computer. Keeping the encryption keys used by the trusted media player from being...

Nicolas Falliere | 25 Jun 2007 07:00:00 GMT | 0 comments

Though the discovery of Microsoft Office zero-day exploits has dropped dramatically in the last six months, new file format exploits are still being discovered (and exploited) regularly. After .zip and .rar file exploits, the latest archive format vulnerability affects the Lhaca archiver and its LZH compression support. While not very well known in the US and Europe, Lhaca appears to be a popular archive tool in Japan, as is the compression format LZH.

On Friday, June 22nd, one of our Japanese customers submitted an .lzh file. The file in question, after quick analysis, raised immediate suspicion. It contained several NOP sleds, shellcode-like code blocks, decryptors, and an encoded executable in the archive itself! All the ingredients required by file format exploit recipes. The difficulty in this case is finding the application that could be vulnerable. Cheers to Masaki Suenaga in Security Response, Japan for doing the initial analysis and finding out that...

Marc Fossi | 25 Jun 2007 07:00:00 GMT | 0 comments

Many people have said that the lack of attacks upon Apple’s operating systems and devices can be attributed to a lower market share than Microsoft Windows-based PCs. With the shift towards malicious code being written for financial gain, it makes more economic sense. (I know that there are other arguments to be made, but bear with me.) Why write a Trojan that only runs on about 10% of computers when you can write one that is capable of affecting closer to 90% of them? Far more bang for the buck.

At the same time, there haven’t been many attacks on cellular phones and mobile devices. There have been several proof of concept Trojans, worms, and viruses for Symbian Smart Phones as well as a few for the Windows Mobile platform. Some of these have even resulted in small, localized outbreaks. Again, the lack of attacks on these devices has been attributed to a smaller user base.

On June 29th, however, these two platforms will converge when Apple’s iPhone is released in the...

Ron Bowes | 22 Jun 2007 07:00:00 GMT | 0 comments

I recently stumbled upon a site that advertised an impossible service for Web sites: protecting a site's content from being copied, or "stolen." It's a service that is impossible. I know it's impossible, and every Web developer knows it's impossible. However, for only $37.99, this man offers to do it. At $37.99, it's a deal! And he has all kinds of testimonials, not to mention snazzy clip-art on his site.

Of course, his solution, much like whitewashing over dirt, appears to work. That is, until the paint starts peeling, or, in this case, until a user with any kind of experience realizes how easy it is to bypass these restrictions. I can think of a half-dozen ways immediately, and none of them are difficult. Before long, the whitewash peels off and the site administrator is left in the same situation they started in, only with $37.99 less.

Of course, there are no guarantees. You read the agreement, right? This type of service gives the site administrator a false sense...