Security Response

While investigating the worm W32.Waledac recently, we got a shock (and a few laughs) from what popped up on ours screens (yes, unfortunately this is what passes for kicks in the virus lab during the holiday season):

(to see how we received this – skip to “Arnold Surprise” below)

First, I’ll tell you a little bit about the worm. W32.Waledac is a worm that sends emails containing a link to an apparent Christmas e-card that you have received. However, when the link for the e-card in the email is visited, you receive a copy of the worm instead of a greeting card. The file name used by the worm is ecard.exe and the links are all Christmas related, such as:

hxxp...

After the shutdown of McColo, which was aiding the distribution of about half of all spam on the internet globally, spam volumes dropped. However, since mid-November, spam volumes have been slowly inching their way back up as old botnets are being brought back online and potential new botnets are being created.

At this point, spam volumes have slowly crept back up to 80 percent of their pre-McColo shutdown levels (when reviewing daily averages):

The types of spam being seen in new attacks are similar to what was being sent around the Internet prior to the shutdown. The spam messages can be categorized into the following groups:

• Replica watches
• Generic pharmacy
• Erectile dysfunction drugs
• Weight loss
• Software

The spam is...

Like so many forms of donations today, contributions to cancer research and treatment can be made online. Unfortunately, any online business or charity can be prone to phishing attacks against unsuspecting users. We have come across messages posing as though they have been sent from a legitimate cancer institute, but with spoofed URLs inside. These spoofed URLs redirect users to fake websites where online donations can be made. When a user enters their email address and password for making payments, an error is shown and they are redirected to the legitimate site. This is common behavior seen with such attacks. The actual intention of these phishing websites is to harvest email addresses and steal confidential information.

Simple preventive measures such as manually typing legitimate URLs directly in the browser can...

    从12月9日IE漏洞发布至今，赛门铁克密切监测可能针对此漏洞的计算机威胁，并陆续发布漏洞分析和IE zero-day漏洞警示， 帮助用户了解此漏洞的潜在威胁，提高防范意识。与此同时，赛门铁克迅速更新病毒特征库。针对此漏洞的 Bloodhound.Exploit.219 和 IPS 特征 23241 - HTTP MSIE Malformed XML BO 能够使用户计算机得到有效的安全防范。截至目前，根据赛门铁克的监测，针对此漏洞的攻击十分活跃，并已迅速跃居病毒攻击排行的前列。其中，中国用户受攻击数量居全球之首，美国，韩国和中国香港地区次之。

    亚洲是受此次漏洞影响的“重灾区”，因为目前利用比较广泛的针对该漏洞的SQL注入式攻击主要针对亚洲地区的用户。该攻击将计算机重新定向到含有恶意代码的网站，并自动下载 ...

You may have seen an article in the New York Times on December 6, 2008, by John Markoff, entitled "Thieves Winning Online War, Maybe Even in Your Computer." As we've previously discussed here, we're exploring an exciting new reputation-based security approach to protect against the continuing proliferation of the types of threats described in the article.

For more detail, please take a look at these two previous blog articles by Carey Nachenberg:

It's All About Reputation, and Losing Touch with Fingerprinting

What is an IDN? IDN stands for “internationalized domain name.” These are the domain names that contain one or more characters that do not belong to a Latin-based western language (or characters that are not available in the ASCII character set).

Domain Name System or DNS (a naming system that links domain names to IP addresses) has the technical support for these IDNs, but many applications such as Web browsers, email services, etc. are not yet able to support them. Such compatibility issues arising from IDNs necessitated a conversion from an international character to a suitable ASCII character. The conversion is achieved by the use of certain algorithms that converts these characters into a code called Punycode. A Punycode contains ASCII characters prefixed with the string “xn—.”

The following is an example for a Chinese domain converted to its Punycode:

Domain name -  例如.com

...

    继昨日微软发布Internet Explorer漏洞以后，赛门铁克立即对漏洞进行分析并为用户提出防范建议。

    IE7漏洞可能允许远程执行代码，并影响其XML解析功能。当用户运行某些受影响的程序时，系统便会受到恶意攻击。

    此漏洞源自Internet Explorer的一个设计失误。尤其当HTML代码<span>之后没有</span>做结束标志，而是紧接着开始另一个<span>段落时，容易出现问题。<span>会引用一个将XML数据和HTML代码捆绑的XML ID。如果被捆绑的XML数据中包含具有“src”属性的HTML代码，“src”属性的值可导致内存冲突。所以当漏洞被触发，一旦位于“mshtml.dll”动态链接库中的“TransferFromSrc()”函数开始执行，便会导致内存访问冲突。

    我们已经在一些公开网站上监测到据称是针对此漏洞的病毒，并正在对他们进行检测，初步显示这些病毒会从[http]://baik[REMOVED].cn/down/ko.exe网站下载恶意代码。然而在测试中我们也发现，这些病毒并非每次都能运行成功。    进一步调查表明，攻击代码隐藏于[http]://sllwrn[REMOVED].cn网站的“ss.html”文件中。当用户访问“[http]://taish[REMOVED].org”，“[http]://www.oiuy[REMOVED].net...