Video Screencast Help
Symantec to Separate Into Two Focused, Industry-Leading Technology Companies. Learn more.
Security Response
Showing posts in English
Carey Nachenberg | 15 Aug 2007 07:00:00 GMT | 0 comments

Back in June of 1992, I joined Symantec’s nascent antivirus team as a scruffy intern after a brief stint with the Norton Commander and Norton Desktop teams. At the time, Norton AntiVirus was a third-tier product with virtually no market-share. But that was about to change. That summer, Symantec hired over a dozen contractors to drastically improve Symantec’s detection rate and make us a world-class product. To give you an idea, back in 1993, top-notch products detected about 1,400 virus strains.

Over the course of that summer, and during my follow-up internships over the next few years, my teammates and I quickly realized that viruses were evolving at an extremely rapid pace, and would soon prove impossible for NAV’s core detection engines to detect. A detection engine is the heart and brains of the antivirus product; it performs all of the actual virus fingerprint scanning, and ours was quickly becoming obsolete.

Clearly the word was getting up to our...

Ollie Whitehouse | 14 Aug 2007 07:00:00 GMT | 0 comments

So, in the Future Watch section of the last Internet Security ThreatReport and in our Windows Vista research, we stated that drivers wereincreasingly being attacked and that we would expect this trend tocontinue. We also stated that these third-party drivers posed one ofthe greater areas of exposure to technologies such as driver signing,PatchGuard and general kernel integrity on Windows Vista 64bit. I recently blogged about an example of one third-party hardware driver from ATI and the issues it was causing Microsoft. Before that, I discussed a third-party driver which was specifically designed to allow the loading of arbitrary unsigned kernel drivers.

Anyway, before these came another example, though I've...

David McKinney | 14 Aug 2007 07:00:00 GMT | 0 comments

This month Microsoft has released nine security bulletins. All ofthese vulnerabilities could let an attacker execute arbitrary code onan affected computer. All of the issues are also classified as“client-side vulnerabilities”, meaning that they require someinteraction on the part of the user for exploitation to occur. Thiswill usually entail visiting a malicious Web page or opening amalicious file that is sent through email or other means.

Microsoft’s summary of the bulletins can be found here.

  1. MS07-042 Vulnerability in Microsoft XML Core Services Could Allow Remote Code Execution (936227)

    This bulletin consists of a code execution vulnerability(CVE-2007-2223/BID 25301) affecting Microsoft XML Core Services.Attackers could exploit this issue through a malicious Web page.

    Affects: Microsoft XML Core Services 3.0/4.0/6.0 on...

Zulfikar Ramzan | 13 Aug 2007 07:00:00 GMT | 0 comments

Part I on Friday discussed the early days of phishing from relatively harmless spam to targeting the financial sector and then to an increasingly professional operation with serious consequences for both organizations and individuals.

The threat evolves further

In a technical sense, phishing has evolved in a number of ways. Phishers are conscious of the different anti-phishing technologies out there – many of which employ block lists of suspicious Web sites. Block lists work by matching the URL that appears in the address bar of the Web browser with a list of known phishing Web sites. If there is a match, the user is warned. To get around that, in September 2006 many phishers started randomizing the sub-domain portion of the URL. While these URLs lead to the same site, no two are the same, and therefore the technique circumvents basic block lists.

Phishers are also privy to the fact that their pages are being viewed...

Zulfikar Ramzan | 10 Aug 2007 07:00:00 GMT | 0 comments

Symantec is celebrating its 25-year anniversary and, during the course of the company’s history, we’ve seen the threat landscape evolve continuously. Many of the threats we routinely address today were practically unheard of in the early days. While much of the activity back then was centered around viruses and other forms of malicious code designed to wreak havoc on customers' personal computers, today’s landscape now includes new threats that can wreak havoc on customers’ personal lives, stealing their money and also their identity.

One of these emerging threats is phishing. Phishing is a threat whereby attackers use social engineering mechanisms, in a fairly automated way, to trick victims into divulging sensitive data that can later be used to assume a victim’s identity on an online site or in a financial transaction. Throughout 2006, Symantec observed over 300,000 unique phishing emails and blocked these messages in nearly three billion phishing instances. Phishing...

Michael Smith | 09 Aug 2007 07:00:00 GMT | 0 comments

Firewalls, intrusion detection and prevention systems, antivirus – they’re all old tricks of the trade that IT has traditionally deployed to maintain the security of large and complex networks.

But are they enough? Threat volume is rising, propagation speed is increasing, and attacks are becoming more advanced and elusive. Luckily, there are innovative new ways to complement the traditional approach. And security’s bright side may be on the ‘dark’ side.

A growing number of organizations are leveraging darknets to increase their security intelligence and, in turn, enhance their security posture. A darknet is an area of routed IP address space in which no active services reside.

IT is increasingly using this ‘dark’ network as a powerful security tool. Because no legitimate packets should be sent to or from a darknet, the majority are likely sent by malware that scans for vulnerable devices with open ports in order to download, launch, and propagate malicious code...

Ollie Whitehouse | 08 Aug 2007 07:00:00 GMT | 0 comments

The other day, I blogged about the latest happenings in the Atsiv saga. Today I’m providing an update, which I couldn’t have made up even if I tried.

This can only be described as one of those moments that would makeanyone in Microsoft’s situation start to sob. Alex Ionsecu published anentry on his blog (whichsubsequently got pulled) with a supporting tool called Purple Pill.This tool had embedded in it an ATI signed driver that would be droppedto disk and loaded (a similar approach to Atsiv). However it wouldappear that this signed driver contained a design error which allowsyou to use it to load any arbitrary driver even if they are not signed(similar functionality to Atsiv). You can imagine this came about dueto a requirement to extend this core driver with arbitrary...

David McKinney | 08 Aug 2007 07:00:00 GMT | 0 comments

The hacker's place in the pop culture continuum is as anti-hero. This is an image portrayed in movies and novels - the hacker is a wild-card with the power of deus ex machina who can be called upon to cheat technology or exploit a loophole in the system. Since computers don't lie and the system is perfect, the hacker invokes black arts in gross defiance of reality and the law in order to accomplish his (as hackers are overwhelmingly portrayed as male) goals. Yet we often sympathize with the fictional hacker for this exact reason. The system irks us and we often wish we could circumvent it.

The nineties had its own hacker anti-hero: Kevin Mitnick.

Most of Mitnick's story has been told by the media and in a book entitled Takedown...

Peter Ferrie | 07 Aug 2007 07:00:00 GMT | 0 comments

I just got back from Black Hat 2007 Las Vegas, where I wasco-presenting with Nate Lawson and Thomas Ptacek regarding detection ofhypervisors. Previously, we had asked Joanna Rutkowska to prove her"100% undetectable" claim, but she had declined. However, we did manageto prove that our methods work.

Joanna agreed that the TLB timing method that I first described in detailin 2006 works against BluePill. As she understood it, though, shethought that I presented it as a 'foolproof method for "BluePilldetection"'. While I did present it as a foolproof method, I didn'trefer to BluePill at all: I said that it would reliably detect ahypervisor, which it does. That it detects BluePill is a corollary.

At the forum last week, she said that it can be defeated, but hermethod to do so is to single-step the code following the RDTSCinstruction. That assumes, of course, that RDTSC is the...

Kelly Conley | 07 Aug 2007 07:00:00 GMT | 0 comments

The August State of Spam Reporthighlights the continuing decline of image spam, which reached a low inJuly from its peak in January. In addition, we observed the emergenceof a new focus - greeting card spam, PDF and other file attachmentsspam, and the rise in URLs with Chinese top-level domains (TLDs)marketing spam. This month’s spotlight includes regional spam trends inEMEA.

Though still steadily declining, what we’ve come to think of as‘image spam’ has not gone away. The preferred delivery method of thisspam type is now PDF, which emerged in June of 2007 and was discussedin a previous post. Symantec is seeing PDF spam ranging between two toeight percent of all spam. July also saw the emergence of yet moretactics focused on spamming images. These tactics include the use ofXLS and ZIP files. At this time, the volume of these spam types is lowbut Symantec is closely...