Security Response
Kelly Conley | 09 Jul 2007 07:00:00 GMT | 0 comments

As image spam continues its decline, the July State of Spam Report highlights more new techniques for delivering spam images, including PDF spam. This is spam that contains no real text in the body of the message (although it may contain word salad), but that has a PDF attachment. When opened, the PDF file is an ad or some other spam message.

The PDF attachments result in messages that are very large in size. We have been monitoring this throughout the past month, but it has really heated up this past week. So far, we have observed over 25 million messages that were categorized as PDF spam.

We have seen a few different variants of this type of spam thus far. The first one is the newsletter variant, in which a PDF attachment is made to resemble a legitimate newsletter. The second variant is one in which the PDF attachment resembles the more familiar images...

Yazan Gable | 06 Jul 2007 07:00:00 GMT | 0 comments

Symantec has observed an interesting trend in the world of Internet-based credit card fraud: fraudsters are donating money to charity. How could this happen? In the world of carding, where stolen credit card information is bought and sold, carders need to know if the credit cards they are buying or selling can actually be used. It is sometimes difficult for them to verify this without raising any alarm bells and risking that their cards will be identified as stolen and disabled. As a consequence, a new trend is appearing.

Carders attempting to verify that a stolen credit card is legitimate and active have begun donating money to charity. By attempting to pay small amounts of money to various charities, including well known charities such as the Red Cross, carders can determine if a stolen credit card is valid depending on the success or failure of the transaction.

There are likely a number of reasons that this method may be becoming more popular. For instance, bank behavior...

Sarah Gordon | 06 Jul 2007 07:00:00 GMT | 0 comments

Steal this book! F@&! the System! Do those phrases bring back any memories? For me, they conjure up images of Chicago’s Old Towne & New York’s Greenwich Village in the late '60s and early '70s. And that seems like a fitting start for a blog entry on computer security because…well, it’s a long story.

In the 1960s, some rather interesting people gained more than a little attention based on their innate ability to understand how things work and their desire to use that knowledge to help rebel against the perceived “authority system” of the day. One group of such people, the Youth International Party, or yippies as they were more commonly known, was frequently in the news. They were self-proclaimed representatives of the youth of the nation and were...

Kelly Conley | 05 Jul 2007 07:00:00 GMT | 0 comments

Who sends greeting cards for the Fourth of July? Apparently spammers. Beware of emails with Fourth of July subject lines such as:

Subject: Celebrate Your Independence
Subject: America the Beautiful
Subject: July 4th Fireworks Show
Subject: July 4th Family Day
Subject: 4th Of July Celebration
Subject: American Pride, On The 4th

Each message contains a link to the "greeting card". The link in these cases is an exposed IP address, which is a pretty good indicator that it isn’t a greeting card from an established and reputable Ecard service. When clicked, the link delivers a downloader that accesses the Internet and downloads a Trojan onto the computer.

We've been seeing a lot of generic Ecard spam over the past month and have noted it in previous blogs. What makes this one different is that...

Eric Chien | 05 Jul 2007 07:00:00 GMT | 0 comments

The MPack toolkit has received a fair amount of media attention, causing it to become one of the most desired Web browser exploit toolkits in the underground hacker scene. The original author was selling the MPack toolkit for $1,000 USD, including a year of free support, and additional exploit modules for around $100 USD.

However, considering the toolkit is written in a script language, it is easy to redistribute and modify. The toolkit is being sold by others now for as low as $150 USD. That is a whopping 85% off. Talk about clearance sale. The sellers likely didn't even need to buy it themselves, but rather probably found some of the multiple Web sites that did not employ standard Web site protections, allowing them to download the whole kit for free.

With the toolkit available in the underground scene and even available to almost...

Ollie Whitehouse | 03 Jul 2007 07:00:00 GMT | 0 comments

If you Google for either "Windows CE", "Windows Mobile" along with "rootkits" [1] [2] you don’t find anything on the subject. Back in the early part of this year I started a little skunk-works project (which resulted in an internal whitepaper) to understand the techniques that could be employed in rootkitting Windows Mobile devices, and how you would detect them if the bad guys got nasty and started doing so.

The results were, in short, not surprising. There are publicly known methods of API hooking on Windows CE. There is a publicly released keyboard logger in the compact .NET framework and there are numerous ways to load/inject DLLs into other processes. And, of course, direct kernel object modification is also possible.

The caveat about some of these methods and techniques is that your process needs to be fully trusted in order to weave its magic. So in a properly configured one-tier device that requires signing, or a two-tier...

Zulfikar Ramzan | 02 Jul 2007 07:00:00 GMT | 0 comments

The Pareto principle, sometimes known as the 80-20 rule, states that roughly 80% of the effects stem from 20% of the causes. It was named after Vilfredo Pareto, an Italian economist, who observed that 20% of Italy’s population received 80% of its income. This principle comes up in numerous other places in the social sciences and in engineering.

What does this have to do with phishing? Well, recently I looked at which legitimate brands tend to get imitated the most in phishing attacks. I went back through data gathered from June through December 2006. All in all, we found 343 brands being spoofed. Some of these were well known banks, credit card companies, online retailers, and the like. Others were smaller players. These included credit unions, local banks, smaller retailers and the like. Note that phishing attacks target many sectors beyond just the financial and retail sectors. I just chose to include these as an example.

It turns out that there is Pareto-like behavior among the...

Hon Lau | 01 Jul 2007 07:00:00 GMT | 0 comments

Security Response has received reports of a fake email purporting to have come from the US Department of Justice. The email informs the recipient of a complaint received by the IRS against the recipient’s business. The email looks reasonably well crafted and most people would tend to treat emails from the US Department of Justice with at least a bit of urgency.

The details of the email are as follows:

Subject:
Complaint Case Number: 895285164 (Note the case number may vary)

From:
US Department of Justice [abuse@usdoj.gov]

Email Body:
The email may contain the following text. Please note that the name of the plaintiff, the date and case number may vary. Despite the message that states an attachment is included with the email, there may or may not be any attachments.

Dear citizen ,

A complaint has been filled against your company in regards to the business...

Kaoru Hayashi | 29 Jun 2007 07:00:00 GMT | 0 comments

In the past few weeks, we have observed many Web sites that have been compromised to distribute browser exploits with the MPack kit. We’ve tracked many different MPack sources created with the intent of distributing different types of malicious codes. So far we’ve seen the following malware samples installed while surfing sites compromised by MPack:

Trojan.Anserin - a Trojan that steals banking-related information
Trojan.Linkoptimizer.B - a dialer Trojan
Backdoor.IRC.Bot - an IRC bot
...