Video Screencast Help
Security Response
Showing posts for December of 2008
Showing posts in English
Security Intel Analysis Team | 31 Dec 2008 00:07:48 GMT | 0 comments

This has been an interesting year for high-profile vulnerabilities and security research. In 2008, awareness has been raised about a number of high impact, remote code-execution vulnerabilities affecting both server- and client-side applications. Published attacks targeted important protocols used by critical Internet infrastructure. A number of flaws in the implementation of a number of cryptographic implementations have also been made public. In addition to the aforementioned issues, new exploitation techniques were demonstrated that emphasized the growing trend toward application-specific attacks targeting Web technologies. 

Let's begin with a few high-profile memory corruption flaws on the Microsoft Windows front. The year started with a bang, MS08-001, which is a remotely exploitable memory-corruption vulnerability affecting the Microsoft Windows kernel. Then, in October we saw in-the-wild exploitation of a previously undisclosed RPC vulnerability affecting...

Liam O Murchu | 29 Dec 2008 12:06:47 GMT | 0 comments

While investigating the worm W32.Waledac recently, we got a shock (and a few laughs) from what popped up on ours screens (yes, unfortunately this is what passes for kicks in the virus lab during the holiday season):

(to see how we received this – skip to “Arnold Surprise” below)

First, I’ll tell you a little bit about the worm. W32.Waledac is a worm that sends emails containing a link to an apparent Christmas e-card that you have received. However, when the link for the e-card in the email is visited, you receive a copy of the worm instead of a greeting card. The file name used by the worm is ecard.exe and the links are all Christmas related, such as:


Sai Narayan Nambiar | 23 Dec 2008 21:00:55 GMT | 0 comments

There are varying types of technologies used by online attackers these days. There are old tricks and of course new ones, but it is the newer ones that make it even more difficult to handle the dilemmas faced in the world of Internet security. One of the trends of attack that was noticed a little while ago was an attack based on a website’s “port number.” A port number is a way to identify a specific process to which an Internet or other network message is to be forwarded when it arrives at a server. We can identify a port number after a colon (“:”) following the host name. For example, consider, in which the port number in the URL is 8080.

According to the IANA (Internet Assigned Numbers Authority), the port numbers are divided into three ranges: well known ports, registered ports and the dynamic and/or private ports.


1. ...

Dylan Morss | 20 Dec 2008 00:26:04 GMT | 0 comments

After the shutdown of McColo, which was aiding the distribution of about half of all spam on the internet globally, spam volumes dropped. However, since mid-November, spam volumes have been slowly inching their way back up as old botnets are being brought back online and potential new botnets are being created.

At this point, spam volumes have slowly crept back up to 80 percent of their pre-McColo shutdown levels (when reviewing daily averages):



The types of spam being seen in new attacks are similar to what was being sent around the Internet prior to the shutdown. The spam messages can be categorized into the following groups:

  • Replica watches
  • Generic pharmacy
  • Erectile dysfunction drugs
  • Weight loss
  • Software

The spam is being sent from various countries...

Mayur Kulkarni | 18 Dec 2008 15:37:59 GMT | 0 comments

Spammers always try to come up with new tricks to bypass antispam filters. This time, they have shown an ability to partly (or sometimes completely) hide essential headers, ruling filters on headers out of picture. Except for the "Received" lines, we do not find any headers in the message.


Analyzing the samples, we see very few SMTP commands before the actual message. We think that spammers may be using a slamming technique where all of the SMTP commands necessary to transmit an email message to another mail server are fired without waiting for the normal SMTP responses from the remote machine. Most of the time the remote server will end up accepting the message, although this clearly disobeys SMTP behavior as per various Internet standards. Slamming is primarily done to send unsolicited emails as rapidly as possible or, in this case possibly to hide all of the headers.



Mayur Kulkarni | 18 Dec 2008 15:31:21 GMT | 0 comments

Like so many forms of donations today, contributions to cancer research and treatment can be made online. Unfortunately, any online business or charity can be prone to phishing attacks against unsuspecting users. We have come across messages posing as though they have been sent from a legitimate cancer institute, but with spoofed URLs inside. These spoofed URLs redirect users to fake websites where online donations can be made. When a user enters their email address and password for making payments, an error is shown and they are redirected to the legitimate site. This is common behavior seen with such attacks. The actual intention of these phishing websites is to harvest email addresses and steal confidential information.

Simple preventive measures such as manually typing legitimate URLs directly in the browser can be employed to make your...

Peter Coogan | 15 Dec 2008 19:08:45 GMT | 0 comments

Since our blog Yes, There’s a Zero-Day Exploit for Internet Explorer Out There was posted in relation to the now known Microsoft Security Advisory (961051) for IE, we have been closely monitoring the
uptake of this vulnerability. Symantec provides the antivirus signature Bloodhound.Exploit.219 and IPS signature 23241 - HTTP MSIE Malformed XML BO to protect users againstthis exploit. To date, since the release of our antivirus signature for this vulnerability, we have observed over 33,000 hits on...

Steve Trilling | 13 Dec 2008 00:47:53 GMT | 0 comments

You may have seen an article in the New York Times on December 6, 2008, by John Markoff, entitled "Thieves Winning Online War, Maybe Even in Your Computer." As we've previously discussed here, we're exploring an exciting new reputation-based security approach to protect against the continuing proliferation of the types of threats described in the article.


For more detail, please take a look at these two previous blog articles by Carey Nachenberg:


It's All About Reputation, and Losing Touch with Fingerprinting

Security Intel Analysis Team | 13 Dec 2008 00:02:41 GMT | 0 comments

Hello, this is Anthony from the Symantec Intelligence Analysis Team. Earlier this week we had the opportunity to analyze an interesting shellcode that is associated with the initial malicious exploit attempts against the Microsoft Internet Explorer XML Handling Remote Code Execution Vulnerability (BID 32721). Currently this vulnerability is not patched and there are several public exploits available to leverage the issue. The vulnerability exists due to a flaw in how Internet Explorer handles XML data bindings. Specially crafted XML can lead to object corruption and code execution. I am not going to go into describing the vulnerability in detail because this has already been done well elsewhere. However, I think that the shellcode is unique enough to warrant some...

Mathew Maniyara | 12 Dec 2008 17:47:58 GMT | 0 comments

What is an IDN? IDN stands for “internationalized domain name.” These are the domain names that contain one or more characters that do not belong to a Latin-based western language (or characters that are not available in the ASCII character set).

Domain Name System or DNS (a naming system that links domain names to IP addresses) has the technical support for these IDNs, but many applications such as Web browsers, email services, etc. are not yet able to support them. Such compatibility issues arising from IDNs necessitated a conversion from an international character to a suitable ASCII character. The conversion is achieved by the use of certain algorithms that converts these characters into a code called Punycode. A Punycode contains ASCII characters prefixed with the string “xn—.”

The following is an example for a Chinese domain converted to its Punycode:

Domain name -  例如.com