Video Screencast Help
Search Video Help Close Back
to help

Security Response

Showing posts in English
Infostealer goes to Hollywood!
Andrea Lelli | 26 Sep 2006 07:00:00 GMT | 0 comments

We have seen malicious code steal a lot of information in the past: bank credentials and certificates, email accounts, IM passwords, online gaming accounts; but, that was not enough! Now, satellite shared accounts are going to have a turn.

There is a service out there called "cardsharing" that allows you to use the subscription rights of one satellite smartcard on multiple satellite receivers. Using this service, the receivers download the smartcard key information from the Internet or a LAN instead of the original smartcard, which will allow simultaneous viewing of satellite television on several receivers.

A cardsharing user needs to install a couple of computer programs on their local hard drive (WinCSC and ProgDVB), which store a configuration file containing the legitimate account data required to access the satellite service. All of the information is stored in plain text format and the configuration file contains the username and...

Read more
ISTR X – Attacks and bot networks
Joseph Blackbird | 26 Sep 2006 07:00:00 GMT | 0 comments

The Internet attack threat landscape has definitely changed. Long gone are the days when it was easy for bot network owners and script kiddies to run their favorite publicly available exploit for the vulnerability of the week. They could take control of as many computers as they bothered to take the time to attack. Really, the flurry of remotely available network-based vulnerabilities and their corresponding attacks that exploded in the first few years of the twenty-first century were culminations of the type of attack that was exploited by the Morris Worm, back in 1988. Microsoft Windows was the ideal target: coded for commercial purposes, security was still in its infancy and it was ripe for the harvest.

Today, perimeter security technologies, such as firewalls, are a part of the standard vocabulary of your average computer user. Microsoft even packaged one with their operating system and enabled it by default, quickly making opportunistic attacks...

Read more
ISTR X – Malicious code and phishing
Marc Fossi | 25 Sep 2006 07:00:00 GMT | 0 comments

In March, 1999, an email worm named Melissa caused havoc across the Internet. I can recall hearing stories of people unplugging their mail servers because they couldn’t deal with the flood of email messages Melissa generated. Then, in 2001, two worms—Code Red and Nimda—generated so much traffic that some people disconnected their networks from the Internet in order to cope. In January, 2003, the Slammer worm caused so much traffic that it even took down banks’ ATM machines. Even though these worms all caused a lot of headaches and created headlines worldwide, with the exception of Nimda, none of them really did much other than spread.

Since Slammer, I can’t recall any other worms causing so much traffic that they’ve affected bandwidth across the Internet. Why is this? Well, I would say there are a few reasons. First and foremost, I think this change can be summed up in one word: money.

As we reported in the latest edition of the Symantec...

Read more
Getting infected with spyware
Mimi Hoang | 25 Sep 2006 07:00:00 GMT | 0 comments

Unlike traditional worms or viruses, spyware usually does not spread itself from system to system. One of the easiest ways to distribute spyware is to go directly to the users and gain their consent to download the application. One of the more common trends in accomplishing this act is through the use of “misleading applications.” On the extreme end, these are applications that can grossly exaggerate and alert critical errors on users’ systems that are not actually present. This deceives some users and scares them into purchasing the program for a substantial fee to fix errors that are nonexistent.

Another method used to distribute spyware is to entice the user by offering up something desirable or useful for free. Not only does the user get the freebie tool, but they also get the bundled adware or spyware program downloaded with it as well.

On the flip side, there are ways of installing and downloading spyware without user consent, such as the...

Read more
Muni Wi-Fi security – Part IV
Brian Hernacki | 22 Sep 2006 07:00:00 GMT | 0 comments

Back to municipal Wi-Fi security again (I'll get onto other topics as soon as I get all of this out, I swear). There are two important things left to cover though: transmission security and device security. If you're new to this topic of muni Wi-Fi security, please have a look at some of my previous posts first, in order to catch up (Part I, Part II, and Part III).

I'll start with transmission security, which generally gets a lot of discussion. Transmission security really covers everything that you send or receive over the wireless network after you're "connected". Now...

Read more
From virtual money to real money
Kaoru Hayashi | 21 Sep 2006 07:00:00 GMT | 0 comments

Recently we have seen an increase in Trojan horse programs that attempt to steal online gaming accounts. Massively multiplayer online role playing games (MMORPG), such as Lineage, Ragnarok Online, World of Warcraft, and Final Fantasy are often targeted by these Trojans. What is the purpose of the attacks? Money. Players can trade their virtual money or items used in their game of choice online, at a special market called RMT (Real Money Trading). RMT is run by third parties and is not usually permitted by the official game vendors; however, RMT has become a big market. A recent report stated that RMT has traded more than two billion USD thus far in 2006. So, if attackers can steal gaming account information from compromised computers, they can easily sell virtual money for real money in the RMT market.

Attackers use a variety of methods to install Trojans on compromised computers. One of these ways is to use a Web site. In the past, attackers used to...

Read more
Trojan.Vimalov: A zero-day exploit in VML, in Internet Explorer
Amado Hidalgo | 20 Sep 2006 07:00:00 GMT | 0 comments

The trend of new exploits being releasedimmediately after Microsoft's Patch Tuesday is continuing (we arestarting to call it "exploit week"). Symantec Security Response haveconfirmed a new Internet Explorer zero-day vulnerability today. It wasfirst reported by Sunbelt Software. Security Response is rating it as critical because an exploit for this vulnerability is already in-the-wild.

Wehave confirmed that this exploit takes advantage of a bug in VML(vector markup language, which is an XML language used to producevector graphics) to overflow a buffer and inject shell code. Theexploit then downloads and installs multiple security risks, such as spyware, on the compromised machine.

An interesting feature of the Web sites hosting themalicious...

Read more
Exploit for vulnerability in Chinese version of Microsoft PowerPoint
Symantec Security Response | 19 Sep 2006 07:00:00 GMT | 0 comments

Symantec Security Response is aware of anexploit currently running in the wild on a vulnerability in MicrosoftPowerPoint. The exploit targets Chinese language versions of Office2000 running on Chinese language versions of Windows XP. Thus far, thisattack is not widespread and there is no reason to believe it willbecome more prevalent, based on our experience with similar attacksthis year. This is a continuation of the trend (which we have beentracking throughout this year) toward exploiting vulnerabilities inMicrosoft Office applications in order to install malware—mainlyTrojans.

It is not currently known if other languages or versions areaffected by the underlying vulnerability. Symantec has releasedantivirus definitions that detect this threat as Trojan.PPDropper. Allof the normal advice applies here (i.e., don't open attachments frompeople you don't know or are not expecting them from and keep yourantivirus and security solutions up to date).

...

Read more
Name your poison
Kelly Conley | 18 Sep 2006 07:00:00 GMT | 0 comments

Diet pills? Ambien? HGH? If any of these are up your alley, you were in luck this past month. Online pharmacy spam represented a significant number of spam attacks that were seen by the Symantec Brightmail antispam probe network. In fact, this spam type was one of the top categories of spam sent out in August and has been around for a long, long time. The Internet is a gold mine of “cheap prescription drugs” that “don’t require a prescription!”

How can you recognize this spam type? For starters, it is often text-based and includes a “non-clickable” URL. A non-clickable URL requires a person to copy and paste the URL into a browser window to navigate to the Web site. You may wonder “Who would manually copy and paste these URLs into a Web browser?”, but someone must. In fact, many people must do this because it is a popular component to the success of online pharmacy spam. Spammers wouldn’t do it if end users weren’t so gullible and it didn’t work as well as...

Read more
The poor man's rootkit
Hon Lau | 16 Sep 2006 07:00:00 GMT | 0 comments

In a recent blog, I mentioned that Office documents were a great place to hide malware in order to maximize its chances of distribution. This time I want to draw attention to the fact that the Windows Registry is also another handy reference tool for some Trojans, too.

A Trojan will usually drop another copy of itself or a components as part of the installation process to try and throw users off track. So, typically a Trojan would run and as part of its installation process, it would drop a copy of itself using another filename in, say, the Windows System folder and modify the registry to run itself at every restart of the computer.

The goal of any effective profit-making malware is to get installed and run undetected for as long as possible to try and maximize the profit-making window. Many angles of attack and stealth have been explored by malware authors over the years. Some are high tech, as we see with rootkits. Some are low tech, such as in...

Read more