Video Screencast Help
Security Response
Showing posts in English
Peter Ferrie | 20 Apr 2007 07:00:00 GMT | 0 comments

Microsoft's JScript is a very powerful and flexible language.However, great flexibility leads to a great potential for obfuscation.We have seen many examples of JScript obfuscation in the past, such asstring concatenation and dynamic decoding, and will likely see more inthe future.

The most recent and a potentially problematic example uses one ofthe simplest obfuscation methods: Unicode escaping. Normally, Unicodeescaping is used to send Unicode characters that might not travel wellacross networks, such as characters that could be transformed accordingto the system locale. From a security perspective, Unicode escaping iswidely used to deliver executable code in Web exploits.

What was previously unknown to us is that Unicode escapes can beapplied to function names, variables, and all kinds of other code. Thiswas demonstrated by the recent virus that we detect as ...

Ollie Whitehouse | 19 Apr 2007 07:00:00 GMT | 0 comments

User Interface Spoofing and Its Impact on Security
As you may have seen in James O’Connor’s paper, Attack Surface Analysis of Blackberry Devices, there is a bug/vulnerability in Blackberry devices that allows an attacker to spoof the interface that shows a .jad file's signing properties. A .jad file is a Java package format that is frequently used to distribute applications for mobile phones. This spoofing allows an attacker to make a .jad application appear to be signed by a legitimate user or company. The attacker accomplishes this by using a carefully constructed file with the appropriate amount of spaces within certain strings.

Because the susceptibility to this class of attacks is not unique to the BlackBerry or to .jad files, I thought it might make an interesting blog entry. I originally found something like this...

James O'Connor | 19 Apr 2007 07:00:00 GMT | 0 comments

Some of you may have read my blog article last year about the BlackBerry mobile device: Hacking the BlackBerry along with the associated whitepaper, Blackberry Security: Ripe for the picking? We decided not to widely distribute that paper for a number of reasons, including the fact that the model reviewed was a tad on the old side (BlackBerry 7290 circa 2004). Well, fast-forward to 2007, when I was supplied with a shiny new BlackBerry Pearl 8100 and a blank sheet of paper.

As I alluded to in my previous blog, the Pearl represents a significant departure for Research In Motion; a departure from the world of purely corporate utility, and an arrival at the world of consumer-oriented features. The device sports a beautifully stylized slimline form-factor, a 1.3 megapixel camera, and a removable media card as standard. Of course, all the...

Ron Bowes | 18 Apr 2007 07:00:00 GMT | 0 comments

The Home and Home Office Security Report(HHOSR), a monthly report released by Symantec, provides a high-leveloverview of Internet security concerns that may be of interest to homeand home office users. March's HHOSR focused largely on Volume XI of Symantec's Internet Security Threat Report.

This HHOSR's hot topic discussed the price of a wide variety ofinformation related to personal identity. The types of information, andthe prices at which they were offered, are outlines in table 1 below.

Item Cost in US Dollars
Complete Identity $14 - $18
US Credit Card $1 - $6
UK Credit Card $2 - $12
...
Elia Florio | 17 Apr 2007 07:00:00 GMT | 0 comments

What we saw in the first Trojan.Peacommoutbreak during January was only the beginning of the “storm-worm” war.The initial outbreak seemed to be an experiment in setting up apeer-to-peer (P2P) bot network, and to test the potential of theTrojan. The bad guys who were behind those criminal activities used thefirst variant of Peacomm to distribute a set of single-module Trojansthat were programmed to send spam, perform DDoS attacks, gather mailaddresses, and distribute new versions of the Trojan.


20070416%20-%20Peacomm_B_fig1_small_2_EF.jpg
...

Peter Ferrie | 17 Apr 2007 07:00:00 GMT | 0 comments

A few days ago, a postto a vulnerability discussion mailing list included a demonstration ofa heap corruption in Windows .hlp files' "bm" section. .hlp files areWinHelp-format Help files, a primitive version of .chm, or CompiledHelp Module-format help files. The "bm" section, or the Bitmap-formatgraphics section, is the part of the .hlp file that contains graphics(icons, pictures, etc.). The poster had discovered the vulnerability byusing a fuzzer to insert random data into the file. However, it seemsthat he did not understand why this vulnerability works.

After digging into the issue, it appeared to me that the filetargets the same vulnerability that was last attacked in December of2004, the WinHelp Phrase Heap Overflow.However, after a careful review, I realized that this...

Shunichi Imano | 16 Apr 2007 07:00:00 GMT | 0 comments

It has been reported that a worm that exploits the Microsoft Windows Domain Name Server Service Remote Procedure Call Interface Vulnerability is in the wild. Symantec Security Response has obtained a sample of the worm and we detect the threat as W32.Rinbot.BC.

UPDATE
We have seen an increase in activity over TCP port 1025 as a result ofW32.Rinbot.BC scanning the port in search of vulnerable computers.W32.Rinbot.BC is the first worm that exploits the Microsoft DNSvulnerability and the exploit code was only made public a few days ago.If you have not done so already, Symantec suggests that you block TCPport 1025 in order to avoid the attack.

Blaster, Sasser, W32.Rinbot.BC
We have observed that the time taken from exploit code...

Shunichi Imano | 16 Apr 2007 07:00:00 GMT | 0 comments

It has been reported that a worm that exploits the Microsoft Windows Domain Name Server Service Remote Procedure Call Interface Vulnerability is in the wild. Symantec Security Response has obtained a sample of the worm and we detect the threat as W32.Rinbot.BC.

UPDATE
We have seen an increase in activity over TCP port 1025 as a result ofW32.Rinbot.BC scanning the port in search of vulnerable computers.W32.Rinbot.BC is the first worm that exploits the Microsoft DNSvulnerability and the exploit code was only made public a few days ago.If you have not done so already, Symantec suggests that you block TCPport 1025 in order to avoid the attack.

Blaster, Sasser, W32.Rinbot.BC
We have observed that the time taken from exploit code...

Shunichi Imano | 16 Apr 2007 07:00:00 GMT | 0 comments

It has been reported that a worm that exploits the Microsoft Windows Domain Name Server Service Remote Procedure Call Interface Vulnerability is in the wild. Symantec Security Response has obtained a sample of the worm and we detect the threat as W32.Rinbot.BC.

UPDATE
We have seen an increase in activity over TCP port 1025 as a result ofW32.Rinbot.BC scanning the port in search of vulnerable computers.W32.Rinbot.BC is the first worm that exploits the Microsoft DNSvulnerability and the exploit code was only made public a few days ago.If you have not done so already, Symantec suggests that you block TCPport 1025 in order to avoid the attack.

Blaster, Sasser, W32.Rinbot.BC
We have observed that the time taken from exploit code...

Marc Fossi | 16 Apr 2007 07:00:00 GMT | 0 comments

The taxing time of year

It’s tax time once again – that time of year when those who owe aresweating while those getting refunds are gloating. Many people whoprepare their own returns use one of the many software packages on themarket to help them out. One thing that I’ve noticed is that many ofthe makers of these packages are beginning to offer Web-based tools toprepare and file their returns.

Honestly, the security of these Web applications worries me. In therecently published Symantec Internet Security Threat Report it wasfound that 66 percent of the 2,526 vulnerabilities in the second halfof 2006 affected Web applications. To highlight this fact, someonerecently reported that she was able to access other peoples’ returns through the TurboTax Web site. This is likely the result of a simple input validation flaw in the Web application.

Now, many of you who use the...