Video Screencast Help
Protect Your POS Environment Against Retail Data Breaches. Learn More.
Security Response
Showing posts in English
Aaron Adams | 14 May 2007 07:00:00 GMT | 0 comments

The DeepSight Threat Analyst Team is constantly monitoring honeypotstermed “crawlers”, which are designed to crawl the Internet looking formaliciously-crafted web pages. These crawlers emulate users surfing theInternet with various browsers that may be susceptible to client-sideexploits hosted on Webpages. With the crawlers, we capture a lot of therun-of-the-mill malicious code using legacy web vulnerabilities.Malware authors especially like to spread using the (Microsoft MDAC RDS.Dataspace ActiveX Control Remote Code Execution Vulnerability BID 17462).

But among the legacy attacks, we run into much more interestingcompromises that ironically still install some of the same old malwarevariants. One of these interesting compromises was encountered on May8, 2007. A URL was distributed that was designed to look like itbelonged to the Halifax Online financial institute. However, theresulting site...

Symantec Security Response | 14 May 2007 07:00:00 GMT | 0 comments

In my last blog entry, Pre-Phishing Recon for Context Aware Attacks,I talked about how generic phishing messages can be used to collectcontextual information for more advanced phishing attacks. In thisblog, I will describe two such types of advanced phishing attacks.

First, I must note that a pre-phishing recon attack is not the only waythat attackers can get their hands on contextual information about aperson. Attackers can also search the internet for public documentscontaining personally-identifying information. They can buy informationabout a person on an underground economy server, and they can get theinformation through a corporate data breach. In any case, if anattacker gets access to some personal information about someone, he orshe can attempt what is called a context-aware phishing attack.

A context-aware phishing attack...

Gary Sabala | 11 May 2007 07:00:00 GMT | 0 comments

A quick Google search on the term “virtualization” returns nearly 19million results. The subject has graced the cover of nearly every majorIT trade publication in the past year in probably the past six months.In contrast, search the term “virtual security,” and you’ll be lucky tosee a meager 150,000 hits. Mark my words though—that limited attentionis about to change. As virtualization technology continues to emerge asa viable option for moving from development to production environments,the focus on the security implications of this new IT frontier willreach a tipping point.

With the security threat landscape in an enterprise changing on adaily basis, IT requires more innovative ways to protect desktopendpoints. Evolutionary security enhancements have just managed to keeppace with threats, but it is clear that more revolutionary securitymodels will be needed to protect the desktop in the future.Virtualization may hold the key.

Virtualization changes how IT thinks...

Takashi Katsuki | 10 May 2007 07:00:00 GMT | 0 comments

In the blog entry MS Needs Your Credit Card Details?, we detailed the behavior of the Kardphisher Trojan,which "attempts to steal credit card numbers by tricking the user intoentering their credit card details to activate Windows." This entryexplains how to remove the Trojan.

Removal instructions

1. Reboot the infected machine. You can do that by simply clickingthe "No" and "Next" buttons, or by doing a good-old fashioned hardreboot.

2. While Windows is starting, press the function 8 key (F8 key) to enter Safe Mode.

3. Click Start > Run.

4. Type regedit

5. Click OK.

6. Navigate to and delete these subkeys:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\
...

Elia Florio | 10 May 2007 07:00:00 GMT | 0 comments

When computer programmers and OS designers introduce newfunctionalities in their products, they should always consider “Who isgoing to use this?”. Sometimes solutions created for legitimatepurposes may turn into dangerous weapons if used in a bad way.Alternate Data Streams (ADS) and Encrypted File System (EFS) are justtwo well-known examples of good technologies used by malware such asBackdoor.Rustock and Trojan.Linkoptimizer (more here about this topic).

Today the list of good technologies used for bad purposes has a new entry.

In the past week I’ve been discussing with a friend (Frank Boldewin)a curious technique used to download malicious files on a system. Frankanalyzed one of the recent Trojans spammed by e-mail in Germany duringthe end of March, 2007 and he...

Yazan Gable | 09 May 2007 07:00:00 GMT | 0 comments

In a recent article published at Baseline Security,a number of large corporations were identified to be hostingbot-infected computers. Although this created some waves of surprise,it really shouldn’t have. Sure, bot network owners tend to target homeusers but it isn’t because home users are their preferred target;they’re just an easy target. Home users’ computers are limited in theirmalicious usefulness. They tend to have low bandwidth capabilities thatlimit their ability to send spam and carry out denial of serviceattacks. Also, they are often monitored and regulated by their Internetservice providers.

Computers in large corporations, on the other hand, have a greaterrange of possibilities. These computers may be more difficult tocompromise, assuming they are behind firewalls, protected by intrusionprevention systems, and...

Liam O Murchu | 08 May 2007 07:00:00 GMT | 0 comments

No, I’m not talking about typing 53704 intoyour calculator and turning it upside down! I’m referring to theincreasing popularity of inserting links to exploits into legitimateHTML pages in an attempt to infect users who visit the affected page,multiplying the effectiveness of the original infection. I’ll outlinebelow the steps used in one such attack that we recently received inour lab.

In this case the malicious links were added by hand after the Web server had been hacked. However, W32.Fujacks and W32.Fubalcause similar techniques to the ones discussed here to automaticallyinfect asp, aspx, htm, html, php and jsp files residing on the infectedmachine in order to spread themselves further. Infostealer.Lingling wasalso distributed...

Liam O Murchu | 08 May 2007 07:00:00 GMT | 0 comments

No, I’m not talking about typing 53704 intoyour calculator and turning it upside down! I’m referring to theincreasing popularity of inserting links to exploits into legitimateHTML pages in an attempt to infect users who visit the affected page,multiplying the effectiveness of the original infection. I’ll outlinebelow the steps used in one such attack that we recently received inour lab.

In this case the malicious links were added by hand after the Web server had been hacked. However, W32.Fujacks and W32.Fubalcause similar techniques to the ones discussed here to automaticallyinfect asp, aspx, htm, html, php and jsp files residing on the infectedmachine in order to spread themselves further. Infostealer.Lingling wasalso distributed...

Ben Greenbaum | 08 May 2007 07:00:00 GMT | 0 comments

May proves to be a busy month for Windowsadministrators as we received information on no less than 21vulnerabilities being addressed in this month's 7 patches. If youhappen to be responsible for any DNS servers running on Server 2000,2003 Server or SBS, you will most likely want to skip to the last oneand work your way up. For the rest of us, we'll start with the IEissues and continue from there:

MS07-027; 931768 Cumulative Security Update for Internet Explorer
This is the seemingly monthly cumulative patch for IE issues. Sixdistinct issues are addressed in IE this month, as well as two issuesin third-party ActiveX controls. Note that these two are only mentionedas footnotes in the advisory and therefore do not have their ownUrgency Ratings from Microsoft...

Yazan Gable | 08 May 2007 07:00:00 GMT | 0 comments

Or rather, has your debit or credit card been skimmed? Have you everbeen the victim of debit card or credit card fraud? Have you everwondered how fraudsters got your information in the first place? Youwere sure that you never let your debit card or credit card out of yoursight. You had made sure that the only online shopping you did was atsecure Websites when you used your credit card or bank account topurchase anything online. So how did they get your info?

There are a few ways that your information can leak through thecracks and into the hands of malicious fraudsters. But one of the mostpopular ways is skimming. Skimming is the process of recording the dataon the magnetic strip of a credit or debit card so that it can be usedlater in a fraudulent way. It isn’t the easiest way, but it producesthe most viable data for fraudsters to sell.

So how do they do it? Typically they use a card reader similar tothe ones that the bank or retail outlets use to process your...