Security Response
Showing posts for March of 2008
Joji Hamada | 28 Mar 2008 07:00:00 GMT | 0 comments

Web servers being hacked is nothing new, and Web administrators continue to maintain their servers in an attempt to prevent it from happening. Well, it might be a good time for everyone to audit their servers again, because today we have confirmed yet another campaign of IFRAME injection attacks. Earlier this month we saw a similar mass attack as well, making this a popular theme so far this year.

Earlier today, Dancho Danchev, a security consultant, published a blog about another batch of servers getting injected with malicious code, and we have confirmed the attack here at Symantec. IFRAME code has been inserted into Web pages on these servers, leading to rogue security software and codec sites, which in turn lead to downloads of Trojan.Zlob variants and downloaders. These threats ultimately attempt to install misleading applications onto the compromised computers.

Please avoid the IP addresses below, which are hosting the unwanted files, for the time being...

Joshua Talbot | 27 Mar 2008 07:00:00 GMT | 0 comments

Building on the Cold Boot research that was released in February of 2008, Tom Liston and Sherri Davidoff of Intelguardians presented “Cold Memory Forensics Work Shop” at CanSecWest 2008. That research discovered that the supposed volatility of conventional RAM is a half truth: when a system is cold booted, in many cases memory will continue to hold state for seconds, and sometimes even minutes, after the system has been powered off.

In a Cold Boot attack, an attacker with physical access to a system reboots the computer and dumps the contents of RAM for forensic analysis, recovering sensitive information (passwords, encryption keys, documents, etc.). In the Cold Memory Forensics Work Shop, Tom and Sherri discussed their findings in leveraging the Cold Boot techniques to harvest information from systems exposed during penetration testing, as well as their work in developing tools that help quickly identify passwords that were stored in memory. Their goal is to be able to retrieve...

Sean Hittel | 26 Mar 2008 07:00:00 GMT | 0 comments

Sometime over the recent Easter weekend, an update to the Neosploit Web attack toolkit showed up on DeepSight honeypots. The new Neosploit version is being served mainly from traffic exchange sites, but some mainstream sites, such as those for restaurants, were also serving up the infectious content.

The main addition that was found in the new iteration of Neosploit is the addition of an exploit for the CA BrightStor 'AddColumn()' ListCtrl.ocx ActiveX Control Buffer Overflow Vulnerability. There is no patch available for this vulnerability as of this writing.

The 2008 versions of NAV, NIS, and N360v2 will catch this exploit as “MSIE CA BrightStor ActiveX BO”, although most of the time the new Neosploit version will be detected as the other vulnerabilities exploited by the toolkit: MDAC, NCTAudioFile2, GOM Player, WebViewFolderIcon setSlice(), and Daxctle.OCX KeyFrame.

CA BrightStor 'AddColumn()' ListCtrl.ocx ActiveX Control Buffer Overflow...

Vikram Thakur | 25 Mar 2008 07:00:00 GMT | 0 comments

A couple of weekends ago, I was doing exactly what most computer users do in their free time. I was sitting in front of the computer, visiting sites that I have no business with. One site led to another and I eventually started looking for some old friends I had lost contact with over the years. One such search led me to, a business networking site. Using the Spoke search box soon had me believing that my computer might be infected and I would soon need to scan it for malicious programs. OK, I didn't really believe it, because I was laughing a bit too much, trying to understand what the "warning" was trying to tell me:


Hannah Chen | 24 Mar 2008 07:00:00 GMT | 0 comments

Recently, we observed some suspicious activity on the Chinese Yahoo astrology site, Upon investigation, we determined that the site in question contained an iframe that was linking to the domain, an astrology-based match finding company. This page contained an embedded iframe that linked to a malicious site that was exploiting the Real Player ierpplug.dll ActiveX Control Buffer Overflow Vulnerability and the MSIE ADODB.Stream Object File Installation Weakness to download malicious code onto a compromised machine.

We contacted our friends at Yahoo, who subsequently removed all iframe references pointing to Symantec antivirus products that include Browser...

Alfredo Pesoli | 21 Mar 2008 07:00:00 GMT | 0 comments

This week, our friends at Trend blogged about a new misleading application for the Mac. We decided to take a look at it as well. The application, named iMunizator, is a variant of the well known rogue antivirus product called Macsweeper, which we have blogged about previously.

When launched, iMunizator performs a full scan of the system and soon after it reports the “problems” that it found. Worryingly, some of the files detected by iMunizator are actually safe system binaries that should never be removed—files with "app" extensions. See the screenshot


Symantec Security Response | 21 Mar 2008 07:00:00 GMT | 0 comments

This sort of news certainly doesn't come around as frequently or on a strict schedule, but it is nonetheless just as important as (for example) Microsoft's well known "Patch Tuesdays." On Tuesday, March 18th, Apple released a comprehensive security update for Mac OS X 10.4.11 and Mac OS X 10.5.2, as well as a security update package for its Safari Web browser. Apple doesn't follow the same monthly release schedule as its best competitor, but that doesn't affect the importance of such a security update.

Since the release of these security updates, we have come across all kinds of news feeds and blogs that refer to it as a patch release. Those writers calling it a "patch release" have of course raised the ire of users and readers alike, with arguments ranging from the size of the downloads to comparisons with Microsoft or Linux updates. Some people have referred to it as a software upgrade, but we must call for calm in the industry. :-) Instead of...

Elia Florio | 20 Mar 2008 07:00:00 GMT | 0 comments

Vulnerabilities in Microsoft Access and MSJET40.DLL have been discussed in many blogs recently. Our friends at Panda blogged about a possible (new?) vulnerability in the MS Jet library on March 3rd, and McAfee also blogged this past December about a different vulnerability reported on Bugtraq. Here at Symantec we have also reported some of these vulnerabilities to Microsoft, along with the many targeted attacks carried out with .mdb files since March 2006, but this is almost always the sort of response we get:

"You appear to be reporting an issue with a file type Microsoft considers to be unsafe. Many programs, such as Internet Explorer and Outlook, automatically block these files. For more information, please visit"

This sentence translates into a very simple equation: .mdb = .exe...

Samir_Kapuria | 19 Mar 2008 07:00:00 GMT | 0 comments

This is an issue I explored in a blog post several months ago, IT Risk and the Millennials, which really seemed to resonate with customers and industry peers. Feedback ranged from "great article," to "how are others addressing this choice vs. control dilemma?" to skepticism about this theory and the desire to see more quantifiable research validating my previous thoughts.

So, with all of this in mind, we did just that. We went out and commissioned a study with Applied Research-West to measure IT risk issues surrounding the emerging millennial workforce within companies. The study was conducted with 600 people, including three groups of 200 respondents each: IT decision makers, millennial workers (born after 1980), and older workforce (born before 1980). Our goal was to measure millennial workers' perceptions and...

Kelly Conley | 17 Mar 2008 07:00:00 GMT | 0 comments

As reported in the February State of Spam report, we have observed spammers disguising themselves as the IRS and dangling an offer of a tax refund to unwitting recipients. That is, a refund made available once you input your credit card information into their site. A site that does not bear the IRS URL. A site that is fraudulent and nothing more than a collection tool for credit card and other personal information. And while we are still seeing this, we have recently observed a few new types of spam related to tax season. This spam is of a more sinister type, as it directs you to download a virus.

In one example, the spammer indicates that a new law requires you to download tax software. Well, that in itself is ridiculous because taxes are traditionally done on paper and there is no existing law...