Video Screencast Help
Protect Your POS Environment Against Retail Data Breaches. Learn More.
Security Response
Showing posts in English
David McKinney | 10 Apr 2007 07:00:00 GMT | 0 comments

Microsoft Patch Tuesday: April 2007

April was unique for Microsoft because it consisted of two MicrosoftTuesdays. Last week, we saw the release of patches for the .ANIzero-day vulnerability. This patch was consistent with Microsoft’spolicy of releasing out-of-band security patches (in other words,patches on days other than patch Tuesday) for vulnerabilities that areexperiencing widespread exploitation in the wild. From my experience,if the issue is significant enough to merit third-party patches fromDetermina, ZERT, etc., then in all likelihood Microsoft will do anout-of-band security patch release for the vulnerability.

Today Microsoft released an additional five security bulletins. Fourof the bulletins affect Microsoft Windows and the one affects MicrosoftContent Management Server.

• MS07-018 Vulnerabilities in Microsoft Content Management Server Could Allow Remote Code Execution (KB925939)

This bulletin addresses two...

Christopher Covert | 09 Apr 2007 07:00:00 GMT | 0 comments

Webmail has become ubiquitous - most people have at least one account and some people use several. As the folks at Google pointed out this April Fool’s Day, we’ve gotten to the point where the idea of relying on postal mail for communication is almost completely absurd. Services like Google’s Gmail, Microsoft’s Hotmail, and Yahoo! Mail all offer an incredibly large amount of storage and can be accessed from almost any internet-connected machine.

This weekend I got an email from a friend, arriving from her Hotmail address. It was actually an auto-generated invitation link to a social networking service called ‘Tagged’. Tagged is employing some very sketchy tactics in expanding their user base. While the whole idea behind Web 2.0 is the combination of existing Web services/technologies to make them more useful, when a user signs up for Tagged, they’re practically forced to put in...

John McDonald | 09 Apr 2007 07:00:00 GMT | 0 comments

Over the weekend Security Response receivedsamples of the latest variants of Trojan.Peacomm and W32.Mixor doingthe rounds. The social engineering trick employed this time is inappealing to people's sense of fear as well as natural curiosity of apossible Middle East war involving the United States, Iran and Israel.

Subjects include "USA Just Have Started World War III" / "MissleStrike: The USA kills more then 20000 Iranian citizens" / "Israel JustHave Started World War III" / "USA Missile Strike: Iran War just havestarted". From the sample emails that we have seen to date, the actualemail body is blank, and the attached files have various names such as"video.exe", "movie.exe", "click here.exe", "clickme.exe", "readme.exe"and "read more.exe".

Proactively detected by Symantec antivirus software asTrojan.Packed.13, the underlying threats are actually nothing new. Theyare simply minor variants of Trojan.Peacomm and W32.Mixor (namedW32.Mixor.AR@mm in this instance)...

Joji Hamada | 07 Apr 2007 07:00:00 GMT | 0 comments

In Japan, April is the first month of the fiscal year and is alsothe time of year when large numbers of high school and collegegraduates join the workforce. These new hires usually go though intensetraining in the first few months at their respective companies beforebeing assigned to their new posts. Well, these companies had betterplan to quickly take them through a crash course on security inaddition to the normal training, because there is new targeted attackthat takes advantage of a zero-day vulnerability in Justsytem'sIchitaro, the word processing program most widely used in Japan.

The attack – a specially crafted Justsystem Ichitaro document employing the zero-day exploit, which Symantec detects as Trojan.Tarodrop.C,allows a Trojan horse to be dropped onto the target computer. Thedropped Trojan horse then takes over and drops a downloader Trojan...

Joji Hamada | 07 Apr 2007 07:00:00 GMT | 0 comments

In Japan, April is the first month of the fiscal year and is alsothe time of year when large numbers of high school and collegegraduates join the workforce. These new hires usually go though intensetraining in the first few months at their respective companies beforebeing assigned to their new posts. Well, these companies had betterplan to quickly take them through a crash course on security inaddition to the normal training, because there is new targeted attackthat takes advantage of a zero-day vulnerability in Justsytem'sIchitaro, the word processing program most widely used in Japan.

The attack – a specially crafted Justsystem Ichitaro document employing the zero-day exploit, which Symantec detects as Trojan.Tarodrop.C,allows a Trojan horse to be dropped onto the target computer. Thedropped Trojan horse then takes over and drops a downloader Trojan...

Symantec Security Response | 06 Apr 2007 07:00:00 GMT | 0 comments

In 2006, Web security expert Jeremiah Grossman came up with aninteresting attack that can be used to read the history of visitors toa Web page using only a simple piece of JavaScript. In February 2007,RSnake came up with a modification of this attack that does not needJavaScript or any other scripting language. This is a rediscovery of an attack discovered by Andrew Clover in 2002.

In the original proof of concept, a Web site was set up with ascript that lists the sites that the user had visited. This was donewas by creating a set of links and looking up the color attribute ofthe link text. If the link was visited, it was rendered in a differentcolor than if the page was not visited. The script goes through each ofthe links, checks the colors and reports back to the owner of the site.

In the new version of this attack, Cascading Style Sheets (CSS) areused to achieve the same...

Chen Yu | 05 Apr 2007 07:00:00 GMT | 0 comments

For a long time if you visited a Chineseantivirus forum you see people crying that they are infected withGraybird. There are two popular topics in Chinese forums that representthe two sides of the coin: Guides to deploy Graybird on the one handand tips to get rid of it on the other.

So what is Graybird and how did it get started? Graybird was firstcreated in 2001. Initially it was for research purposes and was opensource. From early 2003 the author set up Gray Pigeon Studio thatdeveloped and sold Graybird. The studio stated that Graybird is aremote administration tool and sold it for 100 Chinese Yuan a year.Functions of this so-called remote administration tool include:
• Capture screenshots
• Turn on a Webcam
• Log keystrokes
• Steal passwords
• Access all files on the victim's machine

Unlike other remote administration tools, it apparently tries to runwithout the user’s knowledge; it does not display an icon or output anymessages while...

Peter Ferrie | 05 Apr 2007 07:00:00 GMT | 0 comments

On Wednesday morning, we received anonymously a copy of the first "iPod virus", which we call Linux.Podloso(renamed from Linux.Noslo), a play on the virus author's name of"Oslo". Although this virus is designed to run on iPod Linux, there isnothing iPod-specific in the virus code, so it is not an iPod virus. Itis just another proof-of-concept Linux virus.

"iPod Linux" is a software project that allows a user to run adifferent operating system, Linux, directly on an iPod. So, when theiPod is switched on, the user sees a Linux interface instead of theusual Apple interface. This virus runs within that particular Linuxframework and infects the files that are part of that operating system.

The virus arrives as a file called "oslo.mod.so" and it infectsspecific iPodLinux files on the compromised device. To infect an iPodwould require a user to...

Elia Florio | 04 Apr 2007 07:00:00 GMT | 0 comments

In these days of “zero-day”, I’ve analyzed many malicious filesexploiting some of the recent MS Office vulnerabilities for Word, Exceland PowerPoint. The "Trojan.Mdropper" and “Trojan.PPDropper” familieshave grown very quickly in the last year, and I was trying to come upwith some numbers by looking at the samples received here in the viruslab.

During my analysis I was surprised by some data about the number of samples picked up for Trojan.Mdropper.X.For most of these attacks the number of samples received for a singlefamily is very low (usually less than five samples), and allows vendorsto speak of “limited targeted attacks”. However for Trojan.Mdropper.Xthe situation was slightly different. The set of Mdropper.X samplesexploiting the same CVE-2006-6456 vulnerability has up to 30 different.doc files at the moment and started to increase quickly in the lastfew months.

There was no evident reason behind these statistics and it seemedobvious to me that...

Zulfikar Ramzan | 03 Apr 2007 07:00:00 GMT | 0 comments

At the recent Shmoocon conference, Billy Hoffman of SPI Labsdescribed a tool he built called Jikto. This tool can scan a Web sitefor different types of Web vulnerabilities. In the hands of a good guy,the tool can point out holes, which can then be fixed. In the hands ofa bad guy, the same tool can be used to find holes, which can then beexploited.

One remarkable aspect of Jikto is that it is written entirely inJavaScript. That means it can be executed in a Web browser (and alsothat it is more-or-less platform independent – with the ability to runon Windows machines, Macs, Linux boxes, etc.) Also, if an attackercreates a Web page that includes the Jikto code, then anyone who visitsthat Web page can effectively run a vulnerability scan on an entirelyseparate Web site. The results of that scan can be reported back to theattacker. On the other hand, from the victim’s perspective thevulnerability scan will not be traced back to the attacker. Insteadthey will point to the perhaps...