Video Screencast Help
Security Response
Showing posts in English
Ollie Whitehouse | 20 Jul 2007 07:00:00 GMT | 0 comments

On the desktop we have many different executable compactors, compressors and encryptors. These are used to protect and/or obfuscate binary files. These can be employed by software authors and malicious code authors to protect their code from reverse engineering (though, typically in vain). A while back, we saw a surge of malicious code authors using these tools to obfuscate their code against signatures. It became a case of:




10 Download executable compactor

20 Pass existing malicious code through it

30 Release on Internet

40 Wait for signature to be added to antivirus

50 GOTO 10


This got a bit boring for antivirus vendors like Symantec, so we introduced executable decompression support to our AV engines (as discussed in the Internet Security Threat...

Liam O Murchu | 20 Jul 2007 07:00:00 GMT | 0 comments

There have been lot of rumours and discussions about the recent Adobe Flash Player Remote Code Execution vulnerability.The most interesting thing is that it is a cross-platformvulnerability. Due to the fact that Flash can run in different browsersand on many different platforms, the discovery of this onevulnerability could leave all those operating systems and devices thatare Flash-enabled open (e.g., including some advanced smartphones) tothe attack.

The vulnerability has already been tested on Windows, Apple Mac, andsome Linux distributions, but many other devices that are Flash-enabledcould be affected by the problem too. For example, we verified that theNintendo Wii gaming console is also affected. Wii has an Internetchannel that runs a special version of the Opera browser with Flash,and yes… we verified that it is affected by the problem too! The Wiiconsole completely hangs while...

Peter Ferrie | 19 Jul 2007 07:00:00 GMT | 0 comments

It's not often that we get a proof-of-concept (PoC) virus, but toreceive four in two weeks is completely unprecedented. The first one,which we call MEL.Odorousis a virus for the Maya 3D scripting language. It searches in thecurrent directory for uninfected files, and prepends itself to them.After infecting files, it runs the host as usual.

The second virus, which we call WHS.Vred isa virus for the WinHex scripting language. Like MEL.Odorous, Vredsearches in the current directory for uninfected files, and prependsitself to them. Unlike MEL.Odorous, however, Vred does not run the hostcode after infecting files.

The third and fourth viruses, which we named...

Dave Cole | 18 Jul 2007 07:00:00 GMT | 0 comments

A while back we took a look at how securityalerting was being done across the industry and noticed that there wasplenty of room for improvement. We started out with our own ThreatCon.It was easy to see that it wasn’t very effective for helping lesstech-savvy consumers to protect themselves online. On the humorousside, we did a little survey on customer perception and effectivenessof the ThreatCon and one of the respondents thought it was related tosomething on StarTrek. Ouch! The feedback we got gave us a clearpicture of where to begin our journey to improve our alerting systems.

Old threatcon

We began the overhaul of our security alerting systems early last spring by introducing the Internet Threat Meter(ITM) for consumers. The idea was to make the...

Orlando Padilla | 17 Jul 2007 07:00:00 GMT | 0 comments

Earlier this year, I saw some screenshots of the Zunker bot and itscontrolling interface. I became curious about the existence of othersimilar interfaces and began paying a bit more attention to the spamcoming into my inbox on a personal account. After a few weeks ofwandering through IP blocks referenced by the spam, I ran across anopen directory containing a few screen shots of what looked likeanother interface actively spamming multiple products.

The following screen shot shows a statistics screen for a botnetthey are currently using. Similar to the Zunker interface, thisinterface also has the ability to group by country. It looks like thefeature is broken though, as you can only see one bot, which isoriginating from Poland. Given that, it is tempting to presume theowner is Polish; however, the interface's text is entirely in Englishand the screen shot was found on a Russian server. It could, however,mean that the person leasing this interface is controlling it from...

Ollie Whitehouse | 16 Jul 2007 07:00:00 GMT | 0 comments

With the advent of Symbian 9 came a new capabilities model that could be seen as akin to mandatory access control, or MAC, which I’ve touched on briefly in the past . If you’re interested more in the Symbian 9 capabilities model, I recommend you go read the Embeddec.com article or purchase a copy of Symbian Platform Security Development Architecture from Symbian Press.

FlexiSpy is spyware program...

Marc Fossi | 13 Jul 2007 07:00:00 GMT | 0 comments

Same thing we do every night – try to take over the world…

Morris and Brain. The average person doesn’t know these names very well in comparison to Melissa, CodeRed, Nimda, Slammer, and Funlove. They all had their day and are burned in the memories of the users who were infected and those who cleaned up after them. Without Morris and Brain, though, the current “superstars” wouldn’t exist.

Brain (also known as...

Symantec Security Response | 12 Jul 2007 07:00:00 GMT | 0 comments

In recent months, Symantec has detected a number of phishing sitesthat have been hosted on government URLs. In June alone, phishing siteswere identified on government sites from the following countries:Thailand (.go.th), Indonesia (.go.id), Hungary (.gov.hu), Bangladesh(.gov.bd), Argentina (.gov.ar), Sri Lanka (.gov.lk), Ukraine (.gov.ua),China (.gov.cn), Brazil (.gov.br), Bosnia and Herzegovina (.gov.ba),Columbia (.gov.co), and Malaysia (.gov.my).

This might come as a surprise to some people, as governments arethought to have very secure computer systems. However, the quantity ofphishing sites hosted on government domains around the world seems tosuggest otherwise. These fraudulent sites look like legitimate Websites and are designed to trick users into divulging personalinformation such as government-issued identity numbers, bank password,or credit card numbers. Most phishing sites are placed on governmentWeb servers by hackers who have gained access to the server...

Elia Florio | 11 Jul 2007 07:00:00 GMT | 0 comments

The early years of the 1980s were marked by great technological advancements, particularly the release of the first integrated and powerful personal computers. Apple introduced the “Apple II” microcomputer in 1977, and by the early 80s it was one of the most popular personal computers for business users, families, and schools. In 1981, computing giant IBM purchased the license to distribute the DOS operating system for their PC machines from an obscure company called Microsoft. At that time, computing companies were popping up quickly. The early 80s saw numerous home computers for sale, such as the Commodore 64 (1982) and the Atari ST (1985).

It sounds funny now thinking of those “extraordinary” computers of 80s while sitting on a desk with a modern hyper-threading CPU, gigabytes of memory, and wireless connection. Still, the 80s were the years during which personal computers established their foothold in homes and offices. For the first time people start...

Jim Hoagland | 10 Jul 2007 07:00:00 GMT | 0 comments

Symantec Security Advisory SYMSA-2007-005[1]is now available. This covers a Teredo-related vulnerability in theVista version of Windows Firewall (BID 24779, CVE-2007-3038). (To beclear, this vulnerability is not connected to any of the nine Vistaissues I discussed in my last blog[2].)

Last fall, when Ollie Whitehouse[3] was analyzing whatTCP ports were open over a Teredo interface in a freshly installedWindows Vista RC2, he discovered that port 5357 was open over Teredo.We thought this odd since there is no functional reason this port,which corresponds to Web Services on Devices (WSD)[4], should beremotely accessible. When the release version of Vista becameavailable, we verified that this port was still open. (Details on...