
Security Response

Showing posts for October of 2008
Showing posts in English
Davide Veneziano | 29 Oct 2008 15:59:40 GMT | 0 comments

My previous post was intended to demonstrate that malicious software could also be affected by security vulnerabilities. The example considered a remote code execution in a PHP page used in a phishing attack. However, the debate is still open concerning the possibility that the security issue had been intentionally introduced as a back door.

I want to now focus my attention on another piece of malicious code used to control and coordinate the systems belonging to a particular botnet. A botnet is a group of infected zombie machines under a common control infrastructure; usually, a Web application is employed to remotely instruct the systems in order to pursue a variety of illicit purposes.

An authentication bypass vulnerability was found to be affecting the command and control Web interface used in this particular botnet, thereby allowing users to bypass the authentication mechanism and take the control of the botnet...

Parveen Vashishtha | 28 Oct 2008 18:38:25 GMT | 0 comments

In a blog article from last year, I discussed the rise in popularity of exploits using ActiveX overwrite/delete vulnerabilities due to their ease of use. Since that time, we have seen over 100 such vulnerabilities.

Microsoft requires developers of ActiveX controls to mark their controls “not safe for scripting” if they can arbitrarily write or delete files. However, developers not realizing the security implications or the full capabilities of their ActiveX control often fail to do so, allowing unauthorized remote users to arbitrarily write files to disk. In some cases, the ActiveX control does not even need to be installed by the user—as was the case with the Access Snapshot Viewer ActiveX Vulnerability.

Recently we’ve seen a sharp rise in these types...

Antonio Forzieri | 27 Oct 2008 18:01:57 GMT | 0 comments

My previous blog article was intended to highlight two new features observed in a number of phishing kits that held the aim of making the lives of security analysts more difficult. I want to now focus my attention on another trick that has been used in phishing kits in order to protect the attack against a technique called "dilution." Dilution is a method of providing a certain amount of false credentials, names, account numbers, and other personal information to a phishing website. With this technique, real credentials are diluted in a sea of false data, making the fraudster's job harder.

There are several different kinds of dilution strategies, classified by the type of data provided to the phishing site:

•    Random Data: a large amount of random unformatted data is submitted. This strategy attempts to fill up the collection point, but has a drawback in that the...

Sean Hittel | 24 Oct 2008 22:32:08 GMT | 0 comments

I am sure by now that many have read about Trojan.Gimmiv exploiting the new MSRPC vulnerability. While we have not seen any evidence of Gimmiv replicating by itself, we analyzed a second component, related to Gimmiv, which is able to exploit the vulnerability patched on Wednesday. Interestingly though, Gimmiv exploits a 2006 vulnerability described in MS06-040 along with its MS08-067 exploit. Because of the way that Gimmiv does this, Symantec IPS definitions circa August 2006 will block this attack.

Because the MS08-067 vulnerability can be exploited without...

Symantec Security Response | 23 Oct 2008 23:42:58 GMT | 0 comments

This morning Microsoft released an out-of-band security update - MS08-067 - for a vulnerability in the Server service. This issue is tracked as BugTraq ID 31874. This issue affects all supported versions of the Windows operating system.

The weakness allows an attacker to effectively take complete control of a vulnerable system. It is imperative that end users apply the patch from Microsoft as soon as possible.

While we haven't seen widespread exploitation of this issue, there have been reports of a certain file, "n2.exe," being downloaded on compromised computers. This file copies another piece of malicious code onto the compromised computer. Symantec products already detect both of these files as...

Security Intel Analysis Team | 23 Oct 2008 14:35:13 GMT | 0 comments

The Symantec DeepSight Threat Analysis team recently observed an interesting attack development related to a known vulnerability type. This seemingly new technique allows attackers to execute a malicious payload immediately on a victim's system, where in the past they weren't able to achieve instant code execution by exploiting such vulnerabilities.

Public examples of this new attack typically employ file-overwrite and file-download vulnerabilities in ActiveX controls to download a malicious file onto the target machine. In the past, attackers were able to download files without much difficulty, but until recently the options for attackers seeking to have malicious programs executed on a victim's system were limited. In order to execute a malicious file on an affected computer, attackers generally needed to place the file in one of the load points such as the "Startup" directory in Microsoft Windows, or use social-engineering or other attacks to have the file executed...

Kelly Conley | 21 Oct 2008 23:37:52 GMT | 0 comments

Phishing is a way for individuals who are known as "phishers" to obtain your private information such as bank account details and passwords. Phishing messages come in the form of an email message that is directed to you and appears to be from a reputable company or business - often one that you have an association with and trust. But, it is not. The message will tell you to confirm your bank details, password, or login credentials or "your account may be closed." You are then directed to click on a link in the email to take you to a website to enter in the requested details. By employing scare tactics such as the threat of account closure, phishers are hoping to lure you into their trap.

Once you click the link you are taken to a website that looks like the real website of the company the email is purporting to be from. But it is not. You enter your details and the phishers now have the information they need to steal your identity. What just...

Davide Veneziano | 17 Oct 2008 17:52:50 GMT | 0 comments

Volume XIII of the Symantec Internet Security Threat Report highlighted the fact that the number of vulnerabilities affecting web applications is growing. However, these security issues are not only affecting common legitimate applications, but also malicious code. In fact, a source code analysis of several samples revealed serious vulnerabilities that could, ironically, open security holes in programs designed to compromise other users' security.

The investigation originated while analyzing a phishing kit (that is, a package containing a clone website of a financial institution) including a PHP page that was neither called nor apparently used by the fraudster to accomplish his task. The phishing kit contained the following code:

 

 

...

Liam O Murchu | 16 Oct 2008 11:39:57 GMT | 0 comments

When someone is asked to present an analysis of a modern threat, the explanation often becomes complicated very quickly. Here I will present a brief analysis of a Trojan that uses the KISS approach - "keep it simple, stupid."

The reason for this article is that upon hearing what I do for a living, people often ask, "why do people write viruses?" After explaining the various dangers of using a computer online, people often follow up with the following question: "I don't bank online, I don't shop online, etc... so why would someone want to attack my computer?" This article is dedicated to anyone who has ever sat beside me on a plane/train/automobile and asked me these questions. ;-)

The Trojan that is shown below will help to explain why a computer is still valuable to an attacker, even if that computer contains no sensitive data. The Trojan presented is a Trojan that does not steal private data (such as banking credentials, etc.); however,...

Kelly Conley | 15 Oct 2008 12:47:16 GMT | 0 comments

Symantec has observed an increase in the use of image spam attacks over the past few weeks. Symantec defines image spam as an unsolicited message containing an image in the body.

In August, image spam attacks accounted for approximately 1.6% of total spam. In September we observed that image attacks almost doubled, representing approximately 2.6% of total spam. Over 50% of image attacks observed are English, and the second largest group of messages is Russian. In the first ten days of October, image spam messages have averaged approximately 8.6% of total spam. This is the highest mark to date over the last 90 days. From May of this year up to September, image spam was relatively quiet. As stated above, these numbers have been increasing since mid-September. We have not seen image spam of this volume since February of this year.

Commonly seen image spam messages have included Russian online dating offers, random product offerings with an image opt-out, and the all too...