Security Response
Liam O Murchu | 08 May 2007 07:00:00 GMT | 0 comments

No, I’m not talking about typing 53704 into your calculator and turning it upside down! I’m referring to the increasing popularity of inserting links to exploits into legitimate HTML pages in an attempt to infect users who visit the affected page, multiplying the effectiveness of the original infection. I’ll outline below the steps used in one such attack that we recently received in our lab.

In this case the malicious links were added by hand after the Web server had been hacked. However, W32.Fujacks and W32.Fubalca use similar techniques to the ones discussed here to automatically infect asp, aspx, htm, html, php and jsp files residing on the infected machine in order to spread themselves further. Infostealer.Lingling was also distributed...

Ben Greenbaum | 08 May 2007 07:00:00 GMT | 0 comments

May proves to be a busy month for Windows administrators as we received information on no less than 21 vulnerabilities being addressed in this month's 7 patches. If you happen to be responsible for any DNS servers running on Server 2000, 2003 Server or SBS, you will most likely want to skip to the last one and work your way up. For the rest of us, we'll start with the IE issues and continue from there:

MS07-027; 931768 Cumulative Security Update for Internet Explorer
This is the seemingly monthly cumulative patch for IE issues. Six distinct issues are addressed in IE this month, as well as two issues in third-party ActiveX controls. Note that these two are only mentioned as footnotes in the advisory and therefore do not have their own Urgency Ratings from Microsoft...

Yazan Gable | 08 May 2007 07:00:00 GMT | 0 comments

Or rather, has your debit or credit card been skimmed? Have you ever been the victim of debit card or credit card fraud? Have you ever wondered how fraudsters got your information in the first place? You were sure that you never let your debit card or credit card out of your sight. You had made sure that the only online shopping you did was at secure Websites when you used your credit card or bank account to purchase anything online. So how did they get your info?

There are a few ways that your information can leak through the cracks and into the hands of malicious fraudsters. But one of the most popular ways is skimming. Skimming is the process of recording the data on the magnetic strip of a credit or debit card so that it can be used later in a fraudulent way. It isn’t the easiest way, but it produces the most viable data for fraudsters to sell.

So how do they do it? Typically they use a card reader similar to the ones that the bank or retail outlets use to process your...

Kelly Conley | 07 May 2007 07:00:00 GMT | 0 comments

The May ‘State of Spam’ report is now online. This month’s report highlights several interesting spam trends seen by Symantec, including the reduction in image spam, image uploading hosting solutions used in stock spam, company character assassination spam, and a new twist on the 419 spam technique.

419 spam is named after an article of the Nigerian Criminal Code which deals with fraud, and has primarily been used to defraud individuals with stories about African dictators and the sale of natural African reserves such as oil and gas.

We’ve all seen these scams. Typically they begin with a greeting and then immediately claim to need assistance in the transfer of funds to the U.S. Some try to tug on your heart strings with a story of loss, while others just make a direct play for your purse strings. But the point is, it’s a complete stranger asking for access to...

Takashi Katsuki | 04 May 2007 07:00:00 GMT | 0 comments

Recently we came across an interesting Trojan sample, detected by Symantec as Trojan.Kardphisher. The Trojan is not very technical - it's really just another classic social-engineering attack. What makes it interesting is that the author has obviously taken great pains to make it appear legitimate.

When you restart your PC after the Trojan is installed, this window appears:



You can only choose Yes or No. You can't run Task Manager or any other applications. If you choose No your PC will be shut down immediately. If you choose Yes you'll see this image:

...

Robert Keith | 03 May 2007 07:00:00 GMT | 0 comments

In a recent staff meeting, someone mentioned that one of our competitors was trying to steal our customers. In this or any other business, that should not come as too much of a shock. However, the competitor’s critique seemed to focus on trivial, nit-picky things rather than on what makes our products and services really stand out in the field.

My role as part of Symantec’s DeepSight Research Team is to scour the Internet for information related to known and as-yet unpublished vulnerabilities in software and hardware. The information comes from many sources, including Bugtraq, Full-Disclosure, independent researchers, and of course directly from vendors themselves. We correlate and document these pieces of information, then publish them as BIDs (Bugtraq IDs) available in the public repository at Security Focus and distributed...

Yazan Gable | 02 May 2007 07:00:00 GMT | 0 comments

Big money is being made through buying and selling stolen credit card information. There’s an entire market thriving in shady chat rooms on public Internet relay chat (IRC) servers. Carders vie for the best deals, having to wade through the thousands of lines of advertisements. Large collections of credit card numbers, identities, credit card dumps, bank account credentials and online payment accounts are among the many things that are traded by the minute. But it isn’t only the carders who make money from the sale of this information.

Payment service companies make their commissions on these sales as well. Every deal involving stolen credit card information has to be paid for, and payment service companies provide the carders with the ability to transfer their money.

But what makes any particular payment service popular amongst carders? There are a number of factors. Firstly, anonymity is important. A carder wants to provide as little personal information as possible. They don’t...

Yazan Gable | 01 May 2007 07:00:00 GMT | 0 comments

Did you ever wonder how your credit card information is bought, sold or transferred? Have you ever wondered how someone uses your credit card information after it is stolen to commit fraud? There are a number of ways, but the preferred method is through using dumps. A dump is a file containing the data that is stored on a credit card’s magnetic strip. Dumps are the favorite currency of credit card fraud these days.

Carders, the people who deal in stolen credit card information and laundering, pay premium prices for dumps. Premium is around $8.00 US, while simple credit card numbers, names and expiration dates are around $1.00 – 2.00 US. Sure, having a credit card number, name and expiry date work pretty well for on-line purchases, but the difficulty is in getting the goods. Where should they be shipped to?

Dumps, on the other hand, allow the carder to dump the data onto pretty much any magnetic card. This includes hotel room keys, discount cards, gift cards, and other credit...

Hon Lau | 30 Apr 2007 07:00:00 GMT | 0 comments

Since late yesterday we have seen a marked increase in the activity of a new Sober variant doing the rounds.
A new variant of Sober named W32.Sober.AA@mm is currently being spammed out to many users around the world.
The spam can be either in English or German and uses classic social engineering techniques to trick users into opening and running the attachments.

The emails sent have the following characteristics:

Subject:
Ihr Passwort wurde geaendert!
Fehlerhafte Mailzustellung
Ihr Account wurde eingerichtet!
Your Updated Password!
Error in your eMail

Message:
Ihr Passwort wurde erfolgreich geaendert.
Ihre neuen Account-Daten und Passwort befinden sich gesichert im Anhang!

or

Diese Nachricht wurde Automatisch generiert.
- Ihre...