Security Response
Showing posts for May of 2008
Zulfikar Ramzan | 27 May 2008 21:09:26 GMT | 0 comments

In my most recent blog entry, I mentioned that Markus Jakobsson and I recently collaborated on a new book:  “Crimeware:  Understanding New Attacks and Defenses.” Network World is hosting a live chat session, and attendees will be eligible to win one of ten copies of the book.

To attend the chat, please go to: on Wednesday, May 28, 2008 from 2:00 – 3:00 PM Eastern.

We’ll be happy to answer any questions you have about the book or about crimeware and the threat landscape in general. I hope you’ll be able to join!


Ben Nahorney | 23 May 2008 11:43:40 GMT | 0 comments

We’ve all done foolish things for romance. The exhilaration of discovering a new partner is one of the more exciting feelings in the human experience. However, this flutter of emotions can also drive us to distraction—so much so that reason and logic are often thrown out at its height.

It seems the online scammers of the world have realized this, if phony romance scams are any testament. Such “phomance” scams can sometimes go on for months, as the scammer slowly wins over the victim’s trust. These schemes generally lead to a request for money, under the guise that the scammer plans to visit. Ultimately, the meeting never occurs, the money is gone, and the victim is quite possibly left with nothing but a broken heart.

Fortunately many such scammers aren’t clever enough to achieve this final result, often giving away clear indications that they aren’t who they say they are. But by keeping an eye out for a few telltale signs, it...

Silas Barnes | 15 May 2008 21:20:35 GMT | 0 comments

The term "hacktivism" often conjures up images of small groups of left-wing hackers defacing Web sites of political parties in an expression of outrage, coupled with demands of truth and justice for the down-trodden. This may have been the case ten years ago, but more recently hacktivism has broken the predefined mold in more ways than one.

The features of the Internet that make it such an invaluable tool for communicating with the global population also provide an avenue for disgruntled groups to voice their opinions, send messages of unity to the like-minded at great speed, and coordinate electronic attacks. The development of distributed denial-of-service kits, combined with their ease of use and the ability to globally distribute them in minutes, effectively means that an entire country can mobilize a group of dedicated attackers, numbering in the millions, in a relatively short time. Though a vast proportion of these 'net warriors are not security...

Robert Keith | 13 May 2008 20:36:29 GMT | 0 comments

Hello and welcome to this month’s blog on the Microsoft patch releases. This is a relatively light month; the vendor is releasing four bulletins that cover a total of six vulnerabilities. Of those, four issues are rated “critical”; the rest are “moderate”. All the critical issues are client-side and require a victim to open a malicious file to trigger. The vulnerability affecting Microsoft Jet Database Engine is the only update of the bunch. Evidence of this issue being exploited in the wild has been detected.

As always, customers are advised to follow security best practices, specifically refusing to accept or open files from unknown sources.

Microsoft’s summary of the May releases can be found here:


Yazan Gable | 13 May 2008 14:19:34 GMT | 0 comments

CAPTCHAs (completely automated public Turing tests to tell computers and humans apart) are common these days. In case you aren’t familiar with the terminology, they are those images with obscured letters that you need to transcribe into a text box whenever you sign up for a new Web mail or forum account, for example. They may be annoying, and sometimes a bit difficult to puzzle through, but they have likely saved the world from a lot of spam.

When they were introduced, their goal was to make it impossible for automated processes to create email or forum accounts, making it difficult for spammers to use these free Web mail accounts to post or send spam. However, that was almost ten years ago, and the times seem to be changing.

This year, the CAPTCHA algorithms of three major Web mail services were cracked (see references below). ...

Sean Hittel | 08 May 2008 22:23:43 GMT | 0 comments

Lately, I have been feeling like a bit of a broken record, each week singing nearly the same tune. Well, this week is no exception. Neosploit has updated again. Starting on May 2, our honeypots again picked up an update to the omnipresent exploit kit.

This time, the update includes a new packer, apparently designed to restrict the unlicensed deployment of the exploit toolkit. The Neosploit packer has always been (dare I say it) innovative. In addition to scrambling variables and ensuring that the exploit delivered is different each time a victim is iframed to an infectious site, Neosploit also uses itself as the key to decode itself. This means that clumsy attempts to modify the decoder in an attempt to decode it will result in gibberish, rather than the properly decoded exploits. In addition to this, the new version adds a check to ensure that the exploit is hosted on the intended site. Essentially, what the authors of Neosploit did was append the URL...

Kelly Conley | 07 May 2008 21:59:10 GMT | 0 comments

As April came to a close, NDR (non-delivery report) spam diminished. In the April State of Spam Report, Symantec reported that NDR spam was 3.7% of all spam observed. Spammers appeared to be playing with the viability of this technique. At this time the numbers of this spam type are down to less than 2%. Symantec has been tracking this spam type over the past couple of months and has provided a graph in the May State of Spam Report that shows the changing volume levels.

However, the loss of momentum with NDR spam does not mean that spammers were resting. This was evidenced by the emergence of "calendar invite" spam in April. The samples observed were "419" or "Nigerian" spam sent with a meeting or calendar invitation attached. While the volume of this emerging spam was low, it does still illustrate the lengths that spammers are willing to go to spread their messages.

"Spear phishing" attacks are also discussed in the latest State of Spam Report...

Vikram Thakur | 06 May 2008 00:27:46 GMT | 0 comments

No sooner had various agencies commented on the reduction of the size of the Storm network than we started seeing signs of another wave of malware in the offing. We are currently tracking some fast-flux domains related to Trojan.Peacomm (a.k.a. Storm). These domains were registered just a few days ago. Simply visiting the sites presents the user with a blank page; however, modifying the URLs to access a specific file runs a script which attempts to exploit several different vulnerabilities. Some of the vulnerabilities targeted are Bugtraq IDs 20047, 28157, 23224,...

Sean Hittel | 06 May 2008 00:07:41 GMT | 0 comments

On about April 18th, Symantec's DeepSight honeypots began capturing a new iteration of the Neosploit exploit toolkit. It appears that the pervasive exploit kit has been updated to take advantage of a circa February 2008 vulnerability in Adobe Acrobat Professional and Reader. What makes this attack vector of particular concern is that it will work reasonably silently through most browsers. If a user is enticed to a hostile Web site (who knows which ones are hostile these days) using the browser of their choice, it is reasonably likely that their computer will become infected provided that they have Acrobat installed on their computer. Although the vulnerability has been patched since early February, I suspect that many users have not applied this patch yet. We highly recommend that if you haven’t done so, go and get the latest patched versions of Adobe Acrobat...