Video Screencast Help
Security Response
Showing posts in English
Chen Yu | 05 Apr 2007 07:00:00 GMT | 0 comments

For a long time if you visited a Chineseantivirus forum you see people crying that they are infected withGraybird. There are two popular topics in Chinese forums that representthe two sides of the coin: Guides to deploy Graybird on the one handand tips to get rid of it on the other.

So what is Graybird and how did it get started? Graybird was firstcreated in 2001. Initially it was for research purposes and was opensource. From early 2003 the author set up Gray Pigeon Studio thatdeveloped and sold Graybird. The studio stated that Graybird is aremote administration tool and sold it for 100 Chinese Yuan a year.Functions of this so-called remote administration tool include:
• Capture screenshots
• Turn on a Webcam
• Log keystrokes
• Steal passwords
• Access all files on the victim's machine

Unlike other remote administration tools, it apparently tries to runwithout the user’s knowledge; it does not display an icon or output anymessages while...

Peter Ferrie | 05 Apr 2007 07:00:00 GMT | 0 comments

On Wednesday morning, we received anonymously a copy of the first "iPod virus", which we call Linux.Podloso(renamed from Linux.Noslo), a play on the virus author's name of"Oslo". Although this virus is designed to run on iPod Linux, there isnothing iPod-specific in the virus code, so it is not an iPod virus. Itis just another proof-of-concept Linux virus.

"iPod Linux" is a software project that allows a user to run adifferent operating system, Linux, directly on an iPod. So, when theiPod is switched on, the user sees a Linux interface instead of theusual Apple interface. This virus runs within that particular Linuxframework and infects the files that are part of that operating system.

The virus arrives as a file called "oslo.mod.so" and it infectsspecific iPodLinux files on the compromised device. To infect an iPodwould require a user to...

Elia Florio | 04 Apr 2007 07:00:00 GMT | 0 comments

In these days of “zero-day”, I’ve analyzed many malicious filesexploiting some of the recent MS Office vulnerabilities for Word, Exceland PowerPoint. The "Trojan.Mdropper" and “Trojan.PPDropper” familieshave grown very quickly in the last year, and I was trying to come upwith some numbers by looking at the samples received here in the viruslab.

During my analysis I was surprised by some data about the number of samples picked up for Trojan.Mdropper.X.For most of these attacks the number of samples received for a singlefamily is very low (usually less than five samples), and allows vendorsto speak of “limited targeted attacks”. However for Trojan.Mdropper.Xthe situation was slightly different. The set of Mdropper.X samplesexploiting the same CVE-2006-6456 vulnerability has up to 30 different.doc files at the moment and started to increase quickly in the lastfew months.

There was no evident reason behind these statistics and it seemedobvious to me that...

Zulfikar Ramzan | 03 Apr 2007 07:00:00 GMT | 0 comments

At the recent Shmoocon conference, Billy Hoffman of SPI Labsdescribed a tool he built called Jikto. This tool can scan a Web sitefor different types of Web vulnerabilities. In the hands of a good guy,the tool can point out holes, which can then be fixed. In the hands ofa bad guy, the same tool can be used to find holes, which can then beexploited.

One remarkable aspect of Jikto is that it is written entirely inJavaScript. That means it can be executed in a Web browser (and alsothat it is more-or-less platform independent – with the ability to runon Windows machines, Macs, Linux boxes, etc.) Also, if an attackercreates a Web page that includes the Jikto code, then anyone who visitsthat Web page can effectively run a vulnerability scan on an entirelyseparate Web site. The results of that scan can be reported back to theattacker. On the other hand, from the victim’s perspective thevulnerability scan will not be traced back to the attacker. Insteadthey will point to the perhaps...

Jim Hoagland | 03 Apr 2007 07:00:00 GMT | 0 comments

Last week the CVE project issued nine new CVEs for Vista, numberedCVE-2007-1527 through CVE-2007-1535. While these CVEs were directlybased on our findings in Windows Vista Network Attack Surface Analysis[1] report (released as a Symantec Security Response whitepaper on March 7th), they had been requested by a third party. I'll describe each of these in this post.

We don't feel that most of the issues are especially significant.Microsoft reviewed the paper prior to its public release and Symantecwould participate in any warranted responsible disclosure forvulnerabilities.

We regard CVE-2007-1535 asimportant, and it...

Jim Hoagland | 03 Apr 2007 07:00:00 GMT | 0 comments

Last week the CVE project issued nine newCVEs for Vista, numbered CVE-2007-1527 through CVE-2007-1535. Whilethese CVEs were directly based on our findings in Windows Vista Network Attack Surface Analysis[1] report (released as a Symantec Security Response whitepaper on March 7th), they had been requested by a third party. I'll describe each of these in this post.

We don't feel that most of the issues are especially significant.Microsoft reviewed the paper prior to its public release and Symantecwould participate in any warranted responsible disclosure forvulnerabilities.

We regard CVE-2007-1535 asimportant, and...

David McKinney | 02 Apr 2007 07:00:00 GMT | 0 comments

As part of the process of compiling the data for Symantec’s Internet Security Threat Report(ISTR), we discuss which metrics are critical to defining trends in thethreat landscape. We are constantly reassessing the validity of certainmetrics and looking for opportunities to create new metrics. Our datacollection capabilities have improved over the years with newacquisitions, new products, and new product features that allow us totrack different types of data. It is a great benefit that Symantec is acompany that has grown with the threat landscape. It is also a matterof internal policy with the ISTR team to rigorously question and debatethe relevance and validity of what we’re reporting on. I’d like to takethis opportunity to reflect a little bit on the process behind thecreation of one of the new metrics for this report – zero-dayvulnerabilities.

ISTR, Volume XI gave me an interesting research project – find thenumber of zero-day vulnerabilities. This seems...

David McKinney | 02 Apr 2007 07:00:00 GMT | 0 comments

As part of the process of compiling the data for Symantec’s Internet Security Threat Report(ISTR), we discuss which metrics are critical to defining trends in thethreat landscape. We are constantly reassessing the validity of certainmetrics and looking for opportunities to create new metrics. Our datacollection capabilities have improved over the years with newacquisitions, new products, and new product features that allow us totrack different types of data. It is a great benefit that Symantec is acompany that has grown with the threat landscape. It is also a matterof internal policy with the ISTR team to rigorously question and debatethe relevance and validity of what we’re reporting on. I’d like to takethis opportunity to reflect a little bit on the process behind thecreation of one of the new metrics for this report – zero-dayvulnerabilities.

ISTR, Volume XI gave me an interesting research project – find thenumber of zero-day vulnerabilities. This seems...

Amado Hidalgo | 01 Apr 2007 07:00:00 GMT | 0 comments

I wish I could have some humorous comment or a joke to mark the day. Unfortunately I have something more serious to write about.

Symantec Security Response has detected a new worm in the wild: W32.Fubalca.It infects executables and HTML-type files, inserting links tomalicious Animated Cursor files, and exploits the currently unpatchedMicrosoft Windows Cursor And Icon ANI Format Handling Remote BufferOverflow Vulnerability (BID 23194) to download further copies of the worm.

The worm infects executables on all drives (including removabledrives), except for the drive that Windows is installed upon (e.g.C:\). As well as exploiting the vulnerability, the worm appears tospread through removable drives and already-mapped network shares.

The malicious Animated...

Amado Hidalgo | 01 Apr 2007 07:00:00 GMT | 0 comments

I wish I could have some humorous comment or a joke to mark the day. Unfortunately I have something more serious to write about.

Symantec Security Response has detected a new worm in the wild: W32.Fubalca.It infects executables and HTML-type files, inserting links tomalicious Animated Cursor files, and exploits the currently unpatchedMicrosoft Windows Cursor And Icon ANI Format Handling Remote BufferOverflow Vulnerability (BID 23194) to download further copies of the worm.

The worm infects executables on all drives (including removabledrives), except for the drive that Windows is installed upon (e.g.C:\). As well as exploiting the vulnerability, the worm appears tospread through removable drives and already-mapped network shares.

The malicious Animated...