Security Response
Stuart Smith | 06 Jun 2007 07:00:00 GMT | 0 comments

…was the case that they gave me. Specifically, SB.Badbunny, a fairly novel OpenOffice macro virus that attempts to spread via IRC. The novelty comes partly from the attention-grabbing trendiness of working on OpenOffice and many Unix-based operating systems (Linux and Macintosh included), but also with its use of a variety of scripting languages to improve portability. Badbunny doesn't just use the OpenOffice macro language, but has components written in Ruby, JavaScript, Python and Perl.

What makes this virus worth mentioning is that it illustrates how easily scripting platforms, extensibility, plug-ins, ActiveX, etc., can be abused. All too often, this is forgotten in the pursuit to match features with another vendor. Fortunately, in this case the ease-of-use of these scripting languages attracted an amateur developer who wrote multiple critical bugs in the code, causing Badbunny to barely replicate.

Given that Web servers are an area where operating systems are still very much...

Ron Bowes | 05 Jun 2007 07:00:00 GMT | 0 comments

Many types of spam are common, such as email, SMS, splog (blog spam), and snail mail. Dave Cole discussed these in Spam: It's Not Just for Email. Today, I would like to talk about one that isn't discussed as much because it isn't as common yet: spam in multiplayer online games, or, as I like to call it, "smog".

In recent years many big titles in massive multiplayer online games have been released, and are played by millions of people all over the world. With big groups of players, there are always a few that will pay to get ahead, and spammers know that they can exploit them.

I asked several of my close friends who play online games if they've seen smog messages, and they've all experienced the same thing: offers of gold, items, and quick levels in exchange for payment....

Ollie Whitehouse | 04 Jun 2007 07:00:00 GMT | 0 comments

So time for another Mind Map. My generic one for Mobile devices last time was received pretty well. I put together the one below for Windows Mobile 6 as part of an internal research project on the new features Microsoft introduced (click for the bigger version) as well as ensuring that functionality in the previous version was captured.

I think it pretty much speaks for itself. With ubiquity comes a vector/surface explosion.

P.S. As with last time if you’re going to borrow the picture, feel free, but please...

Liam O Murchu | 01 Jun 2007 07:00:00 GMT | 0 comments

Last week saw the release of the Spanish Instant Messaging Worm W32.Posse. This week we have seen a similar Instant Messaging worm, but this time it can use messages in Spanish, German, Dutch, Italian, French and English.

Although the default language that the worm uses is English, before deciding whether to use English messages the worm first checks the locale of the infected computer. It then randomly chooses one of the following messages depending on that locale.

If the infected machine has a locale value of:

ES (Spain), ME (?? – see note below) or VE (Venezuela) the worm uses:
"mis fotos calientes"
"mi fotograffas :p"
"mis fotos calientes"
"mis fotos calientes"
"mis fotos calientes"
"el lol mi hermana quisiera que le envia este album de foto"

DE (Germany) the worm uses:
"meine heißen Fotos...

Zulfikar Ramzan | 01 Jun 2007 07:00:00 GMT | 0 comments

Recently, Mikko Hypponen proposed the idea of a .bank top-level domain extension as a way to combat phishing attacks (see 21 Solutions to Save the World: Masters of Their Domain). The proposal garnered some significant interest including two Slashdot threads: A Foolproof Way To End Bank Account Phishing? and F-Secure Responds To Criticism of .bank. Since phishing is a topic that I spend a considerable amount of time thinking about, I thought I’d spend some time considering the benefits and drawbacks of Mikko’s proposal.

First, let me summarize my understanding of the proposal. The idea would be to have a top-level domain along the lines of .bank (in addition...

Aaron Adams | 01 Jun 2007 07:00:00 GMT | 0 comments

On May 14, 2007 a number of interesting heap-corruption vulnerabilities were disclosed in Samba 3.0.25rc3 and earlier. On the same day, Immunity released a private exploit for one of the issues on Solaris. A few days later, an exploit module was released for the Metasploit framework that reliably exploited the issue on a number of Linux distributions. The module specifically targeted the flaw in the lsa_io_trans_names function.

Over the past few years, the discovery of high profile vulnerabilities in widespread Unix applications seems to be decreasing. Additionally, a variety of security mechanisms are more commonly deployed on Linux distributions, such as non-executable stacks, stack canaries, and secure heaps, all of which make the release of...

Peter Ferrie | 31 May 2007 07:00:00 GMT | 0 comments

A new virus has appeared for a new platform. Nothing really new about that, except that this time, the platform is a...calculator. Yes, the Texas Instruments TI89 is now the target of infection. The TI calculators are very powerful, and allow modules to be installed in the RAM. There are thousands of applications already, lots of games, hacks to display grayscale instead of just black and white, and of course lots of mathematics routines.

We don't even have a name yet for this virus, because we're still in the process of deciding on a proper platform name. TI89 is not accurate enough, since it's the underlying software layer that determines if the code can run, rather than the hardware. It might be AMS, after the name of the ROM software. Anyway, we'll see.

The virus itself is interesting, since it is not only a parasitic infector of other modules, but it is entry point obscuring. That is, instead of simply changing the entry point of a module to point directly to the virus code,...

David Curran | 30 May 2007 07:00:00 GMT | 0 comments

On Friday the top story on the social bookmarking site reddit.com linked to a website that downloaded malware onto visitors’ computers. Social bookmarking sites like Reddit and Digg link to stories ranked by the popularity of these stories with their users. The malware on the site appeared to be a variant of Trojan.ByteVerify that downloaded more malicious programs onto the users’ machines.

It is interesting to consider how effective in spreading malware a link on a social bookmarking site is. How many infections can be achieved by a story linked to a popular social bookmarking site that installs malware on the viewer’s computer? The number of infections a malicious website can cause is the number of people who view the website multiplied by the fraction of these viewers who are susceptible to this malware.

...

Orla Cox | 30 May 2007 07:00:00 GMT | 0 comments

A new Trojan Horse called Backdoor.Robofo has been spammed out today, which uses a variety of social engineering tactics to aid its propagation. First it masquerades as an email from the US Internal Revenue Service (IRS), including the use of the IRS logo in the message body to make it appear more legitimate:

The use of legalese in the message content may intimidate some users into opening the attachment. The attachment is called COMPLAINT.rtf and, when launched, displays the following bogus error message:


...

Ron Bowes | 29 May 2007 07:00:00 GMT | 0 comments

I recently posted a blog that details a potential attack malware can use to bypass Vista's User Access Control (UAC) protection. What the attack really comes down to, however, is that if you run any untrusted code under a user account, that user account can no longer be trusted. Any shortcuts or programs in that account may be infected, waiting for an opportunity to seize control. The problem is, this isn't a mistake on Vista's part; it's an artifact of the entire concept of user-separation. This time, I'm going to detail a similar attack against UNIX and Linux operating systems.

"Sudo" (super user do) is a command that can be used on Unix-based operating systems to allow a user to run certain programs with the highest possible privilege (root). Sudo is similar to UAC in that it allows users to easily run programs with elevated privileges.

If a user runs a malicious program with a regular account, the program cannot install in a system-wide directory. On a typical UNIX-...