Security Response
Showing posts for February of 2008
Silas Barnes | 29 Feb 2008 08:00:00 GMT | 0 comments

Due to some confusion with this particular threat, we’ve decided to provide some further details on the Orkut worm we blogged about earlier in the week. The worm, recently renamed W32.Scrapkut, uses active code injection as a vehicle to propagate to the Orkut friends of its unfortunate victim.

Initially, a malicious scrap is posted to the victim’s scrapbook, containing a link to what appears to be a YouTube video:


When a victim clicks on the link, they are redirected to an external site which prompts them to download the file “flashx_player_9.8.0.exe”. Regular readers of Symantec’s Security Response Blog may recognize the page in question:


Marvin Fabuli | 27 Feb 2008 08:00:00 GMT | 0 comments

We are currently in the process of compiling the upcoming Symantec Internet Security Threat Report. I am putting together the phishing sections for the Asia-Pacific and Europe, Africa, and Middle East ISTRs. One of the things that we've noticed is that there are several instances of very small countries hosting high numbers of phishing Web sites. Obviously this raised the question of why this would be.

After we'd gone through related data—bot-infected computers, spam zombies, phishing hosts, etc.—we couldn't come up with any data that would explain this emerging phenomenon. We asked ourselves what in the political-economic profiles of these small nations would make them attractive for, or susceptible to, phishing Web sites, when one of our analysts pointed out that they are often used to host online gambling sites. In part, this is because gambling sites that use real money (as opposed to free poker sites, for instance) are illegal in the United...

Liam O Murchu | 26 Feb 2008 08:00:00 GMT | 0 comments

Old school virus methods appear to be in vogue at the moment! Hot on the heels of Trojan.Mebroot, which overwrote the MBR, we have discovered a new worm that is reviving another old school trick in order to hide itself. At first glance it appears to be a regular worm, but there is more going on here than meets the eye.

The worm in question is called W32.Joydotto and it initially appeared to be just another worm that spreads by copying itself and an autorun.inf file to all removable devices. However, upon closer examination it was seen that the worm copies itself to removable devices without using a file name for itself. By doing this the worm cannot be seen using any file-listing tools, since there is no filename to find. In addition to this, the worm ensures its longevity by marking part of the disk as being corrupted. In this way it will not be overwritten, because that part of the disk is thought to be corrupt. In fact the only way to find the worm on the disk is to know its...

Symantec Security Response | 26 Feb 2008 08:00:00 GMT | 0 comments

Social networking sites with large user bases are attracting more attention as malicious code propagation vectors these days. There have already been a few worms that have circulated through social networking sites.

This isn’t the first worm on Orkut, and the worm works in a similar manner to its predecessors by using “scraps”, messages that form part of a user’s “scrapbook”. A user receives a scrap from an acquaintance containing a pornographic image that is designed to look like a Flash movie. If the user clicks on the image, in an attempt to play the “movie”, they are directed to a malicious Web site.

Let us look at some of the steps in the infection process in more detail.

A copy of the malicious scrap is sent to all members listed in the user’s friend list
The user clicks the Flash-like image, which redirects to a malicious Web site. The malicious Web site contains JavaScript which composes the same scrap and sends it to all users...

Hon Lau | 25 Feb 2008 08:00:00 GMT | 0 comments

Today, Adobe officially launched their new infrastructure for delivering rich Internet applications to your desktop: Adobe Integrated Runtime, or "AIR" for short. At first glance, Adobe AIR looks like a mash up of many of the existing Web and Adobe technologies such as HTML, AJAX, ActionScript, Flash, and Flex. By combining rich media and user interface features, and leveraging the existing expertise in these technologies, Adobe hopes to bring highly interactive and engaging Web applications to the desktop.

Technologies provided by Adobe, such as Flash, enable a multimedia developer to easily create fantastic-looking and engaging applications and deploy them across various platforms by operating within a browser environment. Adobe AIR takes it a step further by liberating these technologies and placing them within their own desktop-based environment in a similar fashion to Java or .NET. Using this approach, it can achieve a number of aims:

• Impose its own security...

Andrea DelMiglio | 22 Feb 2008 08:00:00 GMT | 0 comments

Earlier this afternoon in Italy hundreds of thousands of people received an email from a “friend” stating (approximately) the following:

You’re under investigation! Hide everything and be quick!!! Your name appeared this morning together with 150 more persons on the website of CAFF in Rome. Check it by yourself, you’re on January’s list: the website is the following:

The email is relatively convincing and Symantec believes many users have actually visited the Web site:

The Web site look and feel is very similar to other Italian government Web sites and also the choice of the name—Comando...

Nishant Doshi | 21 Feb 2008 08:00:00 GMT | 0 comments

How many of us click on the links sent to us by trusted friends? Does the trust implicitly extend to the links they are sending? This trust is precisely what phishers take advantage of. Traditionally phishers have mainly used instant messaging (IM) and email to take advantage of the average user. However, with the rise in social networking sites the phishers have bought themselves a brand new playing field.

Symantec has recently observed millions of user profiles of a certain social networking site carrying malicious links. Here is an example of one of them:


The interesting thing here is that the malicious link appears to be a comment from a trusted friend. In most cases the trusted friend is not the perpetrator behind these attacks. The most likely scenario is that the trusted friend’s social networking site credentials have been compromised and...

Sean Hittel | 20 Feb 2008 08:00:00 GMT | 0 comments

As seems to be the trend lately, any time a vulnerability is disclosed in an ActiveX control, it is only a short time before it is bundled into the Web attack toolkits. For this Facebook vulnerability, it was less than a day from the vulnerability being disclosed on February 12th to it first showing up on our honeypots on February 13th.

So far, the exploits that have shown up are encoded versions of the public exploit, bundled with an exploit for Yahoo Jukebox and several other routinely exploitable vulnerabilities.

Oddly enough, this Facebook exploit kit is being served from a MySpace phishing site, though unsurprisingly, hosted on a numbered .cn domain. Detections for this attack will be as “Facebook Photo Uploader 'ImageUploader4.1.ocx' FileMask Method ActiveX Buffer...

Peter Coogan | 20 Feb 2008 08:00:00 GMT | 0 comments

Social networking Web sites have become a popular pastime and are a means of staying in touch with friends for many people. Yesterday, Websense reported on a Trojan keylogger aimed at users of Habbo, a popular social networking site for teenagers. This is not the first time teenagers and children have been targeted. One of the first instances was a worm called W32.Pokey that used the Pikachu character from Pokemon as a social engineering tactic.

In the Habbo case, users are duped into believing they are getting tools that will give them the opportunity to make a name for themselves in Habbo without having to fork out the costs. In fact what they are getting is a malicious Trojan horse program that logs keystrokes on the compromised computer and sends the logs...

M.K. Low | 18 Feb 2008 08:00:00 GMT | 0 comments

It is very easy to post your public information onto social networking sites. It took me less than five minutes to create and activate my account and half an hour to populate the data with my birthday, my home town, my status, my education, and my likes (puppies) and dislikes (chicken balls with red sauce). In another half hour, I was able to upload pictures of my Asia trip, my friends and family, and even my Hello Kitty small kitchen appliance collection.

But, it's not so easy to remove personal information from these sites. A recent BBC article showed that users of a popular social networking site who had terminated their accounts found it difficult to delete their personal information. A popular social networking site states that "Deactivation will completely...