Security Response
Showing posts for July of 2009
Liam O Murchu | 31 Jul 2009 20:20:49 GMT

Some of my colleagues from Symantec and I attended Black Hat in Las Vegas this past week. Wednesday was the first day of talks and there were some very interesting topics discussed. For me, the highlights were the following talks:

• “Stoned Boot Kit,” by Peter Kleissner
• “Using Guided Missiles in Drive-Bys: Automatic browser fingerprinting and exploitation with Metasploit,” by Egypt
• “Attacking Interoperability,” by Mark Dowd, Ryan Smith, and David Dewey

The papers for these presentations are available on the Black Hat website, but I did manage to talk to most of the presenters and get their views on various topics. In this post I’ll talk about the “Using Guided Missiles in Drive-Bys” and follow up with info on the other talks in later posts.

In his presentation “Using Guided Missiles in Drive-Bys,” James Lee (a....

John McDonald | 30 Jul 2009 07:19:36 GMT

A lot of water has passed under the proverbial bridge since the Donut virus of 2002. W32.Donut was of course a concept virus (named "dotNET" by its creator) to demonstrate weaknesses in the Microsoft .NET architecture that, at the time, was brand new. Although Microsoft started development on the .NET framework in the late 1990s, version 1.0 wasn't officially released until February 13, 2002. With the release of Windows 7 this October, .NET has suddenly taken on a greater significance. While previous Microsoft operating systems did not include the .NET framework by default, starting with Vista and Windows Server 2008 and continuing into Windows 7, it is now a native part of the OS installation. What makes this especially significant is the widespread belief that Windows 7 will become the Microsoft operating system of choice, whereas the uptake of Vista was relatively poor.

Vivian Ho | 29 Jul 2009 16:48:10 GMT

We have recently observed Chinese spammers selling personal account cracking software. This is not a typical pirated software promotion, because the product being sold is itself a means of violating privacy law. The observed email promises to teach and help users to break into others’ accounts, such as MSN or Yahoo instant messaging accounts, email accounts, and all popular social networking accounts.

Sample Header:

From: false <xxxxxxxxxx@xxxxxxxx.xxxxxx>
Subject: ∴帳密破解諮詢∴

Subject: ∴Accounts cracking consultation service∴


Body Translation:

Professional Accounts cracking consultation service

Services including crack yahoo, msn,...

Mayur Kulkarni | 29 Jul 2009 12:32:06 GMT

Ever dreamt of owning devices that would let you roll like a secret agent from spy movies? Why not? Spammers are offering a solution—not a spy bug to be attached to a phone, but software that once installed on the target phone sends back information on all of the calls, including messages originating from one phone to another.

This proposition offers the option of peeping into someone’s phone to obtain desired information. The spammer claims that the surveillance functions of the target phone (once the software is installed) can be used to obtain valuable information from people such as your girlfriend, manager, key employees, business partners, etc. The scammers promote that you can track valuable information, which can be compiled by listening to outgoing calls, receiving copies of incoming and outgoing SMS messages, and tracking the precise location of the phone using GPS satellites.

However, this miraculous spy device requires a few steps in order to begin use...

Samir_Patil | 27 Jul 2009 20:13:44 GMT

As excited as I was prior to the release of the sixth film of the Harry Potter series, it proved to be fairly disappointing in terms of the number of spam messages spawned using the book/film title. The latest film, “Harry Potter and the Half-Blood Prince,” was released worldwide on July 15.

We monitored the probe network traffic over the past couple of weeks to track the prevalence and volume of Harry Potter related spam. However, it seems that spammers are less passionate about the idea of using the magic of this tale for their spam campaigns. The recent Harry Potter-related spam that we did see arrived as either Nigerian scams or health-type spam.

One scam message is disguised as an online lottery winning notification. In this fake and non-existent lottery, the name “Potter” is misspelled as “Porter.” Interestingly, the scammer used J. K. Rowling as the name for the online lottery—Rowling is the author of Harry Potter...

Samir_Patil | 27 Jul 2009 19:37:06 GMT

How close can they get to you? So close that they can actually talk to you, no matter where in the world they are located? Nigerian 419 scams are not new and have been a nuisance to email users for years. Traditionally, Nigerian scammers have reached out to email users through text-based emails, Word documents, and PDF documents, and they are increasingly targeting social networking sites. However, all of these techniques have one thing in common—rubbish stories of a huge money inheritance, kinship, and financial assistance that are communicated via typed messages.

Spammers are constantly in search of techniques that will allow them to reach users’ inboxes by beating anti-spam filters. Any deceit used is fair game for them. Recently, we noticed one such technique used by spammers to make their way into users’ inboxes exploiting VoIP (voice over IP) services. The spammers are creating fake accounts on sites providing VoIP services and then, using these fake...

Fred Gutierrez | 25 Jul 2009 04:15:04 GMT

We have already written about threats that can encrypt files or lock victims out of their computers in order to extract a ransom. Today I want to talk about yet another similar threat. It uses scare or nuisance tactics—similar to rogue antivirus programs—in an attempt to demand ransom from its victims.

Once infected with Trojan.Ransompage, a victim’s browser will display a persistent inline ad on every page that the victim visits. The ad will cover part of the original Web page, as shown below.

[image: the inline ad covering part of the original Web page]

The ad will stay on the screen even if the page is scrolled:

[image: the ad remaining in place after the page is scrolled]

This ad is written in Russian and states that in order to remove the ad (and to...

Mayur Kulkarni | 23 Jul 2009 19:21:46 GMT

Over the last few months we have been keeping you informed about a rise in the category of image spam. This was mentioned in our April and June 2009 blogs on the topic, which specifically concentrated on how an old spamming method (image spam) is being reintroduced on a wider scale. Spammers have now shifted their focus from image spam attacks to obfuscated URL attacks—again, an old spamming technique. This type of obfuscation includes inserting white spaces and special symbols into the URL string to evade anti-spam filters. For image spam attacks, we have observed lines relating to intimacy in the subject header:

[image: sample subject header lines from the image spam attacks]

Later, we witnessed the same pattern again being used with the obfuscated URL attacks. We can...

Mayur Kulkarni | 22 Jul 2009 21:58:08 GMT

Mysterious stories about Michael Jackson still being alive have been developing on the Internet in the form of websites and discussion forums, as well as some news sites offering theories behind such stories. Even spammers do not wish to believe it, or perhaps they don’t want to miss the prospect of tricking curious Internet users into opening their messages—particularly targeting those die-hard M.J. fans that would want him to live eternally.

Michael Jackson-related spam and malware campaigns were discussed in detail in our July ’09 State of Spam report. More than three weeks after M.J.’s death have passed and there are continuous spam and malware campaigns still being waged. Spammers still feel confident that they can get users to open messages using Michael Jackson’s death and, now, the “Michael Jackson’s still alive” news.

Patrick Fitzgerald | 22 Jul 2009 18:04:10 GMT

Recently we came into possession of an Adobe Acrobat PDF file that upon opening drops and executes a malicious binary. It was quite clear that this PDF was exploiting some vulnerability in order to drop its payload. And, during the analysis it soon became apparent that this vulnerability was not one we had seen in the wild before. What was even more surprising was that this vulnerability affects Adobe Flash—not Adobe Reader as we initially suspected.

An issue in Adobe Flash is more serious. Most vulnerabilities are confined to one technology; for example, a vulnerability may affect a particular browser or a particular operating system, but it is rare for a vulnerability to span multiple platforms and products. This is not the case with Flash. Flash exists in all popular browsers and is also available in PDF documents. It is also largely operating system independent; therefore, the threat posed by this issue is not to be taken lightly. Flash has become an integral part...