Security Response
Showing posts for October of 2007
Joji Hamada | 01 Nov 2007 07:00:00 GMT | 0 comments

Many Internet surfers learned a lesson when their computers were infected by visiting questionable Web sites. These surfers began using Macs, as most malware targets the Windows operating system. Well, soon enough, it may not matter which OS you are using.

According to Intego's press release, a Trojan horse has been found on several pornography sites that claims to install a video codec required to view the content on Macs.

Symantec Security Response has also confirmed this, and added detection for the threat as OSX.RSPlug.A. It appears that the Mac is becoming popular enough that the "bad guys" think it is worth spending time and effort in developing malware for the Mac OS. If we see a rise in Mac malware, then we will have to assume that there are profits to be made in...

Liam O Murchu | 01 Nov 2007 07:00:00 GMT | 0 comments

Recent reports have shown that Trojan.Bayrob is scamming people again. The latest victim lost over €5,000 to the scam but luckily was able to track down where the money had been sent. Unfortunately the final destination for the money was a Western Union outlet in Greece, after having been first sent through a money mule in the US.

Once Trojan.Bayrob is executed on a user’s system it can intercept all traffic to eBay. It can then show the infected user any content that it chooses instead of the real pages, and it can also alter information that is shown to the user from the real pages. Trojan.Bayrob is used to scam people who are trying to buy cars on eBay.

The attack is a targeted attack and as such it is difficult to establish the exact methods that are used to distribute the Trojan; however, from evidence gathered thus far the attack works in a manner similar to the following:
• The attacker posts an auction on eBay.
• This auction is used to gain information...

Thomas Parsons | 01 Nov 2007 07:00:00 GMT | 0 comments

The authors of the Storm worm (also known as Trojan.Peacomm) have shown an uncanny knack of changing or shedding key components of the threat in order to enhance its persistence and spread. This week saw the latest incarnation of the threat, Trojan.Peacomm.D, reveal itself as halloween.exe or sony.exe. What is most interesting about this latest variant of the Storm worm is that its authors have removed some key functionality that was present in the previous variant, Trojan.Peacomm.C. Specifically, the threat no longer:
1. infects other legitimate drivers on the system. Previous variants infected drivers such as Tcpip.sys and Kbdclass.sys. This was a stealth-like feature used by the threat to start early with the operating system and without loading points...

Vikram Thakur | 01 Nov 2007 07:00:00 GMT | 0 comments

A few days ago our good friends at SANS posted an entry in their diary about a possible IRS scam about to happen. Well, it happened. We were able to acquire a copy of the spammed email and analyze the malicious behavior—we believed that the email itself had to be included in our analysis.

The email was very detailed and included the recipient’s complete name with a message, allegedly from the Internal Revenue Service (IRS). The spammed email talked about some supposed IRS e-File issues and asked the email recipient to download and print the correct PDF file using a link. As you might have guessed, the link wasn't to a site hosted by the real IRS.

Here is a picture of what the email looked like:

...

Tim Gallo | 01 Nov 2007 07:00:00 GMT | 0 comments

I recently attended a pair of conferences in Las Vegas (yes, lovely Las Vegas). Not only was it hot, but because I was staying in one hotel and the conferences were in two other hotels, I had a long hike between where I was sleeping and where I was attending. Needless to say, walking through the desert heat I had lots of time to think about why I was dumb enough not to bring water with me, think about where the nearest air conditioning was, and also to think about things that I’ve said in front of crowds or things I’ve heard other people say. One of the most common phrases I heard at the conferences was “risk mitigation.” Well really, what does that mean?

I hear a lot of vendors talk about how they help clients mitigate their risks and how they use technical infrastructure to do so. But, should we mitigate risks? Well, let’s start with reminding ourselves what “mitigate” means. Dictionary.com defines “mitigate” as: to lessen in force or intensity, as wrath, grief,...

Erik Kamerling | 31 Oct 2007 07:00:00 GMT | 0 comments

Welcome back. In my previous blog I was telling you about Kohno et al. discovering how we can manipulate a Windows machine into starting to timestamp in the middle of a non-Tsopt enabled flow. If we have control of a machine that a Windows client connects to, or we act in a man-in-the-middle (MiTM) capacity on a flow involving Windows hosts, we can perform a simple trick. The “attacker” must actively modify a TCP SYN/ACK packet halfway through the regular TCP handshake with a Windows host (server to client) to incorrectly contain Tsval in violation of the timestamp standard. If RFC 1323 guidance was adhered to in this situation, a Windows system facing such an unexpected Tsopt in SYN/ACK would not begin to timestamp its packets. However, it was discovered that if we introduce such a Tsopt-enabled SYN/ACK we can trick Windows systems into...

Andrea DelMiglio | 30 Oct 2007 07:00:00 GMT | 0 comments

As anticipated in my first blog post, email service providers play a central role in the battle against online fraud. This is because they are often the only organization to own the data needed to support financial institutions and law enforcement agencies in prosecuting criminals.

Most phishing sites are hosted on compromised Web servers, and in the past stolen accounts were stored in local log files that phishers used to save under rather standard filenames (like “data.log” or “cc.txt,” where “cc” obviously stands for credit card). Web servers with directory listings enabled, together with phishing kit analysis, quickly made this simple technique ineffective, because financial institutions were able to read those files as well. Therefore, they were able to block stolen Internet banking accounts and credit cards, thus preventing further...