Video Screencast Help
Security Response
Showing posts for December of 2009
Showing posts in English
Patrick Fitzgerald | 29 Dec 2009 12:26:36 GMT

Over the last few days there have been many articles written about an issue in Microsoft’s Internet Information Services (IIS).  This issue allows an attacker to bypass normal security restrictions when uploading a file to a Web application running on a vulnerable version of IIS.  This issue could allow an attacker to upload and execute arbitrary code with the privileges of the Web server.

There are varying reports on the severity of this issue, but according to Microsoft only poorly configured Web servers are at risk from this issue:

“An attacker would have to be authenticated and have write access to a directory on the web server with execute permissions which does not align with best practices or guidance Microsoft provides for secure server...

John McDonald | 22 Dec 2009 07:16:54 GMT

Theft
As we discussed in Part I, the primary purpose of Qakbot is to steal information from the compromised computer. In addition to targeting login details for FTP, POP3 and IMAP, the worm also attempts to steal Cookies - not only regular browser session cookies but also Flash cookies. A discussion of Flash cookies is beyond the scope of this article, but be aware that unlike traditional browser cookies, Flash cookies are not controlled through the cookie privacy controls in a browser which means they cannot be cleared or deleted in the simple manner that normal tracking cookies are removed.

Qakbot uses several techniques to collect private keys from the system certificates contained on the compromised computer. First, it replaces all certificate-related dialog boxes so that the “OK” button is automatically pushed as soon as the dialog is created...

Shunichi Imano | 21 Dec 2009 07:54:47 GMT

Motive
We recently had the opportunity to revisit a threat that first appeared on our radar back in May of this year. W32.Qakbot (hereafter referred to as Qakbot) is a somewhat benign worm that is capable of spreading through network shares, downloading additional files and opening a back door on the compromised computer, all in aid of its ultimate goal. Benign not because it is harmless - stealing login details, reporting keystrokes and uploading system certificates is malicious behavior indeed - but as will become obvious as we describe it in more detail below, because it moves slowly and with caution, trying not to bring attention to its presence.

The motive of Qakbot is quite clear, to steal information. Taking a peak under the proverbial covers, we see that it  uses several components to accomplish the task, including the following:

  • ...
Samir_Patil | 18 Dec 2009 18:09:15 GMT

Spammers are recycling their old spamming methods after more than two years. Symantec reported an .mp3 version of pump-and-dump stock spam back in October 2007.

In this recent spam attack, a small .mp3 file promoting a meds domain is attached in the email messages. These email messages contain no subject line or message body. The .mp3 file is a five-second message recorded in a female voice and promotes a particular meds domain. The file is approximately 11 KB in size and recorded at a 16 kbps bit rate. The voice is heavily distorted with background noise. The domain name described in the file is a recently registered domain in China.

Some of the random filenames used are as follows:

milksoppy.mp3
enwomb.mp3
realiser.mp3
escort.mp3
recarboniser.mp3
unlights.mp3
scathing.mp3
byproduct.mp3
lewes.mp3
micrometers.mp3
...

Hon Lau | 18 Dec 2009 17:01:03 GMT

Those looking to see the latest 3D blockbuster movie, The Avatar, on the cheap will have to take great care in what they search for. We have become aware of at least one site that has been rigged to redirect users to a page that presents the now-familiar "play video/need codec" screen. In an unusual twist, this time it is offering a new ActiveX update rather than the usual codec or Flash player updates.

FreeAvatarMovie_2.png

avatar2_2.png

Clicking on the play button or icon will send a request to update-activex.com, which will then eventually offer you a file named along the lines of Activex_Setup[1].45158.exe from the standardmultimedia.com domain. This is now detected as Trojan.FakeAV.

In addition to this malware page there are literally hundreds of other scam sites and pages trying to cash in on the...

Mircea Ciubotariu | 17 Dec 2009 11:32:37 GMT

We have recently learned of yet another zero-day exploit in Adobe Acrobat. This time it's an overflow for a special type parameter in a function provided by the multimedia.api plugin that can be manipulated from JavaScript in the following manner:

media.newPlayer(null)

Somewhere deep in newPlayer, deinit_obj is set as the handler for deleting the object when it's no longer needed:

code1.png

And eventually deinit_obj calls the destroy function from the object's v_table:

code2.png

So far, so good, except the...

Vivian Ho | 16 Dec 2009 23:09:25 GMT

We’ve monitored a great deal of Christmas sales spam (in English) for the upcoming holiday. Compared to English holiday spam, Chinese spammers seem to have fewer activities for Christmas, most likely because it is not a major holiday in the Chinese calendar. The Christmas holiday is popular among younger Chinese generations, however, and shopping for gifts is still expected. We have observed a couple of notable Chinese samples covering the topic of Christmas shopping. In the first sample, a spammer has sent a random Christmas sales ad, and we found that the spammer purposely set the promotion text background color in gray (<FONT style="BACKGROUND-COLOR: gray" color=gray>); you have to highlight the gray line in order to see the promotion text. In the header we observed a forged and randomized “From” alias. They used a shortened URL service in the body image, which led to an actual business website.

Sample Header:
...

Vivian Ho | 16 Dec 2009 22:11:19 GMT

Didn’t shop enough on Black Friday? Still looking for Christmas Gifts? Need to send holiday greetings? Spammers will send them all at your convenience! We started seeing Christmas-related spam just after the Thanksgiving holiday—spammers are just as busy as the rest of us are this holiday season.

We have recently observed many different types of Christmas-related spam, such as medical/replica/gift shopping offers, loan offers, lotto scams, fraud and viruses, etc. Many of them have Christmas themed key words in the header to lure users to open emails. We saw some last year and have already observed the familiar “festive” headers.

The following are some sample headers:

From: "Shop Smart this Christmas" <Details Removed>
From: "X-mas Loan Offer" <Details Removed>
From: "Christmas Gift Ideas" <Details Removed>
From: "Christmas" <Details Removed>  ...

Joji Hamada | 15 Dec 2009 02:21:56 GMT

Earlier today, we received a tip from a source that there is a possible Adobe Reader and Acrobat 0-day vulnerability in the wild. We have indeed confirmed the existence of a 0-day vulnerability in these products. The PDF files we discovered arrives as an email attachment. The attack attempts to lure email recipients into opening the attachment. When the file is opened, a malicious file is dropped and run on a fully patched system with either Adobe Reader or Acrobat installed. Symantec products detect the file as Trojan.Pidief.H.

We have reported our findings to Adobe who have acknowledged the vulnerability in this blog.

The analysis is still ongoing, so more details to follow. In the meantime, I recommend everyone to be extra vigilant during this holiday season,...

Dermot Harnett | 14 Dec 2009 17:00:49 GMT

Notable highlights this month include the continuing shift of the region of message origin to APJ and South America, and changes in the average size of spam messages.
 
•    The EMEA region has been firmly displaced as the primary region of origin for spam—the APJ region has obtained that mantle. The APJ region currently accounts for 26 percent of all spam, which is a nine percentage point increase since June 2009.
•    With respect to the average size of spam messages, 71.08 percent of messages now have an average message size between 2kb – 5 kb, while 19.53 percent have an average message size between 5kb – 10kb.
•    With respect to spam categories, Internet spam decreased by four percent and now accounts for 35 percent of all spam messages, with leisure and fraud increasing by three and two percent, respectively.

Click...