
Security Response

Ollie Whitehouse | 04 Jun 2007 07:00:00 GMT | 0 comments

So time for another Mind Map. My generic one for Mobile devices last time was received pretty well. I put together the one below for Windows Mobile 6 as part of an internal research project on the new features Microsoft introduced (click for the bigger version) as well as ensuring that functionality in the previous version was captured.



I think it pretty much speaks for itself. With ubiquity comes a vector/surface explosion...

P.S. As with last time if you’re going to borrow the picture, feel free, but please...

Liam O Murchu | 01 Jun 2007 07:00:00 GMT | 0 comments

Last week saw the release of the Spanish Instant Messaging Worm W32.Posse. This week we have seen a similar Instant Messaging worm, but this time it can use messages in Spanish, German, Dutch, Italian, French and English.

Although the default language that the worm uses is English, before deciding whether to use English messages the worm first checks the locale of the infected computer. It then randomly chooses one of the following messages depending on that locale.

If the infected machine has a locale value of:

ES (Spain), ME (?? – see note below) or VE (Venezuela), the worm uses:
"mis fotos calientes"
"mi fotografías :p"
"mis fotos calientes"
"mis fotos calientes"
"mis fotos calientes"
"el lol mi hermana quisiera que le envia este album de foto"

DE (Germany) the worm uses:
"meine heißen Fotos...

Zulfikar Ramzan | 01 Jun 2007 07:00:00 GMT | 0 comments

Recently, Mikko Hypponen proposed the idea of a .bank top-level domain extension as a way to combat phishing attacks (see 21 Solutions to Save the World: Masters of Their Domain). The proposal garnered some significant interest, including two Slashdot threads: A Foolproof Way To End Bank Account Phishing? and F-Secure Responds To Criticism of .bank. Since phishing is a topic that I spend a considerable amount of time thinking about, I thought I’d spend some time considering the benefits and drawbacks of Mikko’s proposal.

First, let me summarize my understanding of the proposal. The idea would be to have a top-level domain along the lines of .bank (in addition...

Aaron Adams | 01 Jun 2007 07:00:00 GMT | 0 comments

On May 14, 2007 a number of interesting heap-corruption vulnerabilities were disclosed in Samba 3.0.25rc3 and earlier. On the same day, Immunity released a private exploit for one of the issues on Solaris. A few days later, an exploit module was released for the Metasploit framework that reliably exploited the issue on a number of Linux distributions. The module specifically targeted the flaw in the lsa_io_trans_names function.

Over the past few years, the discovery of high-profile vulnerabilities in widespread Unix applications seems to be decreasing. Additionally, a variety of security mechanisms are more commonly deployed on Linux distributions, such as non-executable stacks, stack canaries, and secure heaps, all of which make the release of...

Peter Ferrie | 31 May 2007 07:00:00 GMT | 0 comments

A new virus has appeared for a new platform. Nothing really new about that, except that this time, the platform is a...calculator. Yes, the Texas Instruments TI89 is now the target of infection. The TI calculators are very powerful, and allow modules to be installed in the RAM. There are thousands of applications already, lots of games, hacks to display grayscale instead of just black and white, and of course lots of mathematics routines.

We don't even have a name yet for this virus, because we're still in the process of deciding on a proper platform name. TI89 is not accurate enough, since it's the underlying software layer that determines if the code can run, rather than the hardware. It might be AMS, after the name of the ROM software. Anyway, we'll see.

The virus itself is interesting, since it is not only a parasitic infector of other modules, but it is entry point obscuring. That is, instead of simply changing the entry point of a module to point directly to the virus code,...

David Curran | 30 May 2007 07:00:00 GMT | 0 comments

On Friday the top story on the social bookmarking site reddit.com linked to a website that downloaded malware onto visitors’ computers. Social bookmarking sites like Reddit and Digg link to stories ranked by the popularity of these stories with their users. The malware on the site appeared to be a variant of Trojan.ByteVerify that downloaded more malicious programs onto the users’ machines.

It is interesting to consider how effective a link on a social bookmarking site is in spreading malware. How many infections can be achieved by a story linked to a popular social bookmarking site that installs malware on the viewer’s computer? The number of infections a malicious website can cause is the number of people who view the website multiplied by the fraction of these viewers who are susceptible to this malware.

...

Orla Cox | 30 May 2007 07:00:00 GMT | 0 comments

A new Trojan horse called Backdoor.Robofo has been spammed out today, which uses a variety of social engineering tactics to aid its propagation. First, it masquerades as an email from the US Internal Revenue Service (IRS), including the use of the IRS logo in the message body to make it appear more legitimate:



The use of legalese in the message content may intimidate some users into opening the attachment. The attachment is called COMPLAINT.rtf and, when launched, displays the following bogus error message:


...

Ron Bowes | 29 May 2007 07:00:00 GMT | 0 comments

I recently posted a blog that details a potential attack malware can use to bypass Vista's User Account Control (UAC) protection. What the attack really comes down to, however, is that if you run any untrusted code under a user account, that user account can no longer be trusted. Any shortcuts or programs in that account may be infected, waiting for an opportunity to seize control. The problem is, this isn't a mistake on Vista's part; it's an artifact of the entire concept of user separation. This time, I'm going to detail a similar attack against UNIX and Linux operating systems.

"Sudo" (superuser do) is a command that can be used on Unix-based operating systems to allow a user to run certain programs with the highest possible privilege (root). Sudo is similar to UAC in that it allows users to easily run programs with elevated privileges.

If a user runs a malicious program with a regular account, the program cannot install in a system-wide directory. On a typical UNIX-...
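As an added example (not code from Ron's post), here is a POSIX shell audit for the two user-owned places where a trojaned sudo would sit waiting for the next password prompt: a shell rc file that aliases or redefines sudo, and a user-writable directory that PATH searches before the system binary directories. The sample rc file is constructed for the demo, and the patterns matched are a heuristic rather than an exhaustive list.

```shell
#!/bin/sh
# Added example, not code from the original post: audit the two user-level
# places where a trojaned "sudo" could wait for a password prompt.
# Assumptions: POSIX sh plus grep -E and mktemp; the sample rc file written
# below is constructed for the demo.

# Return 0 if the rc file aliases or redefines sudo (a shell hook that runs
# instead of the real sudo binary), 1 otherwise.
rc_has_sudo_hook() {
    rcfile="$1"
    [ -r "$rcfile" ] || return 1
    grep -Eq '^[[:space:]]*(alias[[:space:]]+sudo=|sudo[[:space:]]*\(\)|function[[:space:]]+sudo)' "$rcfile"
}

# Return 0 if a directory searched before the first system binary directory
# is writable by the current user (a place where a fake "sudo" could be
# dropped), 1 otherwise. $1 is the PATH value to check.
path_has_writable_prefix() {
    old_ifs=$IFS
    IFS=:
    for dir in $1; do
        case "$dir" in
            /usr/bin|/bin|/usr/sbin|/sbin) IFS=$old_ifs; return 1 ;;
        esac
        if [ -d "$dir" ] && [ -w "$dir" ]; then
            IFS=$old_ifs
            return 0
        fi
    done
    IFS=$old_ifs
    return 1
}

# --- demo with a constructed .bashrc-style file ---------------------------
demo_rc=$(mktemp)
cat > "$demo_rc" <<'EOF'
# constructed sample rc file: a hook that wraps sudo (a real one would
# prompt for and record the password before running the genuine command)
export EDITOR=vi
alias ll='ls -l'
sudo() { command sudo "$@"; }
EOF

if rc_has_sudo_hook "$demo_rc"; then
    echo "rc file redefines sudo: $demo_rc"
fi
if path_has_writable_prefix "/tmp:/usr/bin:/bin"; then
    echo "a user-writable directory precedes the system binaries in PATH"
fi
rm -f "$demo_rc"
```

Run it against your own rc files (~/.bashrc, ~/.profile, ~/.zshrc) and the live value of $PATH; a hit in either check means the account's sudo invocations can no longer be trusted until the hook or the writable directory is removed.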

Candid Wueest | 28 May 2007 07:00:00 GMT | 0 comments

“Because that's where the money is” was apparently the reason given by Willie Sutton when asked why he kept robbing banks. Even though that statement may be correct, Willie Sutton never said it like this – as he explains in his book “Where the Money Was.” Still, it evolved into one of those urban myths, quoted many times. But there is an even better analogy to be made between the life of this bank robber from the 1940s and today’s online crime.

One of his nicknames was “The Actor,” which he gained after committing robberies in broad daylight, impersonating trusted personnel. He varied his disguise from telegraph messenger to maintenance man to policeman. He had realized that an acetylene torch was not the best way into a safe – it was much easier to abuse people’s trust, as no one really expected such assaults from within their own ranks. It was like an insider job, but without actually belonging to the team in the first place. Those old-school social engineering tricks are comparable...
