Security Response

Showing posts for November of 2007
Vikram Thakur | 30 Nov 2007 08:00:00 GMT | 0 comments

A few days ago we posted a blog entry about how some pharmaceutical sites were using link farms and spamming in their marketing campaign. The hackers were injecting links into compromised sites, which raised the marketed sites in search engine results. We followed up with some of the owners and administrators of sites that were being used in this spam campaign and found most administrators cleaning up the infections and closing holes in their Web applications promptly.

Ironically, after we posted the previous article the spammers began to use text from our blog to redirect traffic to their sites. This shotgun seeding technique allows the link farmers to rapidly manipulate the metadata and skew search results. Here is a screenshot of what we got by searching for one specific line from our previous blog entry.

...

Liam O Murchu | 30 Nov 2007 08:00:00 GMT | 0 comments

The Mpack and IcePack exploit packages have been on sale for some time. Now, free releases of these tools are being distributed, but are these free distributions all they are supposed to be? While examining these free releases we discovered some surprises.

The Mpack and IcePack exploit packages are designed for non-technical users. They group exploits together into one easy to install package and, using this package, non-technical users can run exploits on the browsers of unsuspecting visitors. Ultimately this grants non-technical attackers the ability to infect visitors to their sites without having to know how exactly it happens.

When these packs were first released they sold in the underground for over $1,000 apiece. The packs are installed with minimum configuration and effort and all that the controller needs to do is attract users to the exploit site. When one of these exploit sites is opened in a visitor's browser, the exploits are run and...

Téo Adams | 29 Nov 2007 08:00:00 GMT | 0 comments

Recently there have been several reports of security flaws in a product provided by a company called Mobile Spy. The product is an application for Windows Mobile smartphones. The application logs various forms of communication data transmitted to and from the phone and sends it to a hosted database. A user can log in to the web service and view all the data that has been logged.

The idea behind this product is that it’s installed on a device without the knowledge of that device’s user (for example, an employee, child, spouse, etc.). The party who installed it can then monitor the user’s activity to ensure that the device is not being abused. A company manager, for example, can make sure that an employee is not making personal calls or sending personal text messages from a company device.

For the most part, this seems like a reasonable idea, but the security flaws in both the...

Brian Ewell | 29 Nov 2007 08:00:00 GMT | 0 comments

On November 29 the FBI announced the results of its second Bot Roast (see the FBI release). This is the FBI operation responsible for hunting out and attempting to bring to justice cyber criminals involved in cultivating botnets. These botnets, which can call home to millions of computers, are responsible for millions of dollars in financial losses at both a corporate and consumer level. The FBI operation has resulted in the successful capture, indictment, and/or sentencing of multiple criminals. In the long run it may be only a small slice of the world of botnets, but make no mistake, any gains in fighting this epidemic are well received. The FBI and those involved should be commended.

Of course, what's a blog entry without the standard "practice safe computing" comment: Ensure your system is patched and protected as best as possible through the use of a security package. Anything we...

Jitender Sarda | 28 Nov 2007 08:00:00 GMT | 0 comments

Malicious code writers have always used popular Web brand names to spread malicious code through spam vectors, and these days the YouTube brand name is popping up more and more. However, the spoofed URL in this latest scam redirects visitors to dynamic domain names with seemingly unusual top level domains (TLDs), such as .li, .ch, and .es. Last month, spammers used the YouTube brand name in an attempt to spread spam regarding male enhancement pills and get-rich-quick schemes.

The email looks harmless enough, because the “From” header is spoofed to appear as if it's coming from "YouTube Service", which helps it to look like a legitimate invitation. The video's description is enticing and seems innocuous, inviting potential victims to open a shared video file, which is a fake YouTube link. Here is a sample of one of these scam emails:

From: "YouTube Service" service@youtube.com
To: [REMOVED]
Bcc: [...

Ben Nahorney | 28 Nov 2007 08:00:00 GMT | 0 comments

Four days after news of the recent Apple QuickTime vulnerability began to spread, a new proof-of-concept exploit, with a twist, has been published. While the shell code in the previous exploit was contained within a malicious RTSP data stream, this time the shell code is sent via JavaScript, separate from the stream.

Let’s break down how this might play out. A client requests a Web page from a malicious site. The page that is sent contains malicious shell code and a request for a QuickTime movie. If the client is using Internet Explorer, the shell code is written to a heap area for later use. Meanwhile, the browser receives the QuickTime movie and then opens it with QuickTime, creating an RTSP stream to the malicious server. Only the RTSP server in this scenario is hosting a hacked version, which actually sends back a stream that overwrites the...

Zulfikar Ramzan | 27 Nov 2007 08:00:00 GMT | 0 comments

On November 2, 2007 I had the opportunity to participate in a panel at the Federal Trade Commission on the future of online behavioral advertising. While this topic is not one that is normally associated with information protection issues, there are some interesting implications that I touched upon at the panel and that I thought I’d reiterate here.

First, let’s think about some of the overall trends related to Web advertising. To begin with, the Web has certainly exploded in popularity and people are spending more and more time each day surfing their favorite sites.

Second, online advertising has proven itself to be a viable business model for many companies. Countless Web sites display ads that are viewed by an even greater number of people.

Third, along these same lines the online advertising supply chain is fairly complex. In the simplest incarnation, an advertiser might work with an ad network who will arrange to have the ad published through one or more...

Vikram Thakur | 27 Nov 2007 08:00:00 GMT | 0 comments

Earlier today there was a report about Al Gore's site, climatecrisis.net, being hacked. The site contained links that weren't visible to the visitors, which pointed to various pharmaceutical products. The links could be viewed by looking into the source code of the page being displayed. The fact that Al Gore's site got hacked or compromised, while definitely of significance, uncovers a much bigger technique now being used by spammers. Here is a snapshot of the links from the hacked climatecrisis.net site:


As you can see, there are loads of links to a university's server. None of the links work. However, the hackers were able to get to the top of search results by creating links such as these. No one visiting the...