Security Response
Kelly Conley | 10 Apr 2007 07:00:00 GMT | 0 comments

The Symantec “State of Spam” report for April 2007 is now online. This month’s report includes a spotlight on spam trends in the Europe, Middle East, and Africa (EMEA) region. One of the highlights is a discussion on the categories of spam detected in EMEA. I found this particularly interesting because there were some marked differences between worldwide spam and EMEA-specific spam. The most notable instances were the financial and scam categories.

Whereas spam related to financial goods and services accounted for 20 percent of worldwide spam, it accounted for 31 percent of spam detected in EMEA. Spam messages detected in the EMEA region that were categorized as scams were double the number reported worldwide. While only six percent of all messages globally were scams, 12 percent of spam in EMEA included scam messages...

David McKinney | 10 Apr 2007 07:00:00 GMT | 0 comments

Microsoft Patch Tuesday: April 2007

April was unique for Microsoft because it consisted of two Microsoft Tuesdays. Last week, we saw the release of patches for the .ANI zero-day vulnerability. This patch was consistent with Microsoft’s policy of releasing out-of-band security patches (in other words, patches on days other than patch Tuesday) for vulnerabilities that are experiencing widespread exploitation in the wild. From my experience, if the issue is significant enough to merit third-party patches from Determina, ZERT, etc., then in all likelihood Microsoft will do an out-of-band security patch release for the vulnerability.

Today Microsoft released an additional five security bulletins. Four of the bulletins affect Microsoft Windows and one affects Microsoft Content Management Server.

• MS07-018 Vulnerabilities in Microsoft Content Management Server Could Allow Remote Code Execution (KB925939)

This bulletin addresses two...

Christopher Covert | 09 Apr 2007 07:00:00 GMT | 0 comments

Webmail has become ubiquitous - most people have at least one account and some people use several. As the folks at Google pointed out this April Fool’s Day, we’ve gotten to the point where the idea of relying on postal mail for communication is almost completely absurd. Services like Google’s Gmail, Microsoft’s Hotmail, and Yahoo! Mail all offer an incredibly large amount of storage and can be accessed from almost any internet-connected machine.

This weekend I got an email from a friend, arriving from her Hotmail address. It was actually an auto-generated invitation link to a social networking service called ‘Tagged’. Tagged is employing some very sketchy tactics in expanding their user base. While the whole idea behind Web 2.0 is the combination of existing Web services/technologies to make them more useful, when a user signs up for Tagged, they’re practically forced to put in...

John McDonald | 09 Apr 2007 07:00:00 GMT | 0 comments

Over the weekend Security Response received samples of the latest variants of Trojan.Peacomm and W32.Mixor doing the rounds. The social engineering trick employed this time is in appealing to people's sense of fear as well as natural curiosity of a possible Middle East war involving the United States, Iran and Israel.

Subjects include "USA Just Have Started World War III" / "Missle Strike: The USA kills more then 20000 Iranian citizens" / "Israel Just Have Started World War III" / "USA Missile Strike: Iran War just have started". From the sample emails that we have seen to date, the actual email body is blank, and the attached files have various names such as "video.exe", "movie.exe", "click here.exe", "clickme.exe", "readme.exe" and "read more.exe".

Proactively detected by Symantec antivirus software as Trojan.Packed.13, the underlying threats are actually nothing new. They are simply minor variants of Trojan.Peacomm and W32.Mixor (named W32.Mixor.AR@mm in this instance)...

Joji Hamada | 07 Apr 2007 07:00:00 GMT | 0 comments

In Japan, April is the first month of the fiscal year and is also the time of year when large numbers of high school and college graduates join the workforce. These new hires usually go through intense training in the first few months at their respective companies before being assigned to their new posts. Well, these companies had better plan to quickly take them through a crash course on security in addition to the normal training, because there is a new targeted attack that takes advantage of a zero-day vulnerability in Justsystem's Ichitaro, the word processing program most widely used in Japan.

The attack – a specially crafted Justsystem Ichitaro document employing the zero-day exploit, which Symantec detects as Trojan.Tarodrop.C – allows a Trojan horse to be dropped onto the target computer. The dropped Trojan horse then takes over and drops a downloader Trojan...

Symantec Security Response | 06 Apr 2007 07:00:00 GMT | 0 comments

In 2006, Web security expert Jeremiah Grossman came up with an interesting attack that can be used to read the history of visitors to a Web page using only a simple piece of JavaScript. In February 2007, RSnake came up with a modification of this attack that does not need JavaScript or any other scripting language. This is a rediscovery of an attack discovered by Andrew Clover in 2002.

In the original proof of concept, a Web site was set up with a script that lists the sites that the user had visited. This was done by creating a set of links and looking up the color attribute of the link text. If the link was visited, it was rendered in a different color than if the page was not visited. The script goes through each of the links, checks the colors and reports back to the owner of the site.

In the new version of this attack, Cascading Style Sheets (CSS) are used to achieve the same...

Chen Yu | 05 Apr 2007 07:00:00 GMT | 0 comments

For a long time, if you visited a Chinese antivirus forum you would see people crying that they are infected with Graybird. There are two popular topics in Chinese forums that represent the two sides of the coin: guides to deploy Graybird on the one hand and tips to get rid of it on the other.

So what is Graybird and how did it get started? Graybird was first created in 2001. Initially it was for research purposes and was open source. From early 2003 the author set up Gray Pigeon Studio, which developed and sold Graybird. The studio stated that Graybird is a remote administration tool and sold it for 100 Chinese Yuan a year. Functions of this so-called remote administration tool include:
• Capture screenshots
• Turn on a Webcam
• Log keystrokes
• Steal passwords
• Access all files on the victim's machine

Unlike other remote administration tools, it apparently tries to run without the user’s knowledge; it does not display an icon or output any messages while...

Peter Ferrie | 05 Apr 2007 07:00:00 GMT | 0 comments

On Wednesday morning, we received anonymously a copy of the first "iPod virus", which we call Linux.Podloso (renamed from Linux.Noslo), a play on the virus author's name of "Oslo". Although this virus is designed to run on iPod Linux, there is nothing iPod-specific in the virus code, so it is not an iPod virus. It is just another proof-of-concept Linux virus.

"iPod Linux" is a software project that allows a user to run a different operating system, Linux, directly on an iPod. So, when the iPod is switched on, the user sees a Linux interface instead of the usual Apple interface. This virus runs within that particular Linux framework and infects the files that are part of that operating system.

The virus arrives as a file called "oslo.mod.so" and it infects specific iPodLinux files on the compromised device. To infect an iPod would require a user to...

Elia Florio | 04 Apr 2007 07:00:00 GMT | 0 comments

In these days of “zero-day”, I’ve analyzed many malicious files exploiting some of the recent MS Office vulnerabilities for Word, Excel and PowerPoint. The "Trojan.Mdropper" and “Trojan.PPDropper” families have grown very quickly in the last year, and I was trying to come up with some numbers by looking at the samples received here in the virus lab.

During my analysis I was surprised by some data about the number of samples picked up for Trojan.Mdropper.X. For most of these attacks the number of samples received for a single family is very low (usually less than five samples), and allows vendors to speak of “limited targeted attacks”. However, for Trojan.Mdropper.X the situation was slightly different. The set of Mdropper.X samples exploiting the same CVE-2006-6456 vulnerability has up to 30 different .doc files at the moment and started to increase quickly in the last few months.

There was no evident reason behind these statistics and it seemed obvious to me that...