Security Response
Ben Greenbaum | 08 May 2007 07:00:00 GMT | 0 comments

May proves to be a busy month for Windows administrators, as we received information on no fewer than 21 vulnerabilities being addressed in this month's seven patches. If you happen to be responsible for any DNS servers running on Windows 2000 Server, Windows Server 2003 or SBS, you will most likely want to skip to the last one and work your way up. For the rest of us, we'll start with the IE issues and continue from there:

MS07-027; 931768 Cumulative Security Update for Internet Explorer
This is the seemingly monthly cumulative patch for IE issues. Six distinct issues are addressed in IE this month, as well as two issues in third-party ActiveX controls. Note that these two are only mentioned as footnotes in the advisory and therefore do not have their own urgency ratings from Microsoft...

Yazan Gable | 08 May 2007 07:00:00 GMT | 0 comments

Or rather, has your debit or credit card been skimmed? Have you ever been the victim of debit card or credit card fraud? Have you ever wondered how fraudsters got your information in the first place? You were sure that you never let your debit card or credit card out of your sight. You made sure that the only online shopping you did was at secure Web sites when you used your credit card or bank account to purchase anything online. So how did they get your info?

There are a few ways that your information can leak through the cracks and into the hands of malicious fraudsters, but one of the most popular is skimming. Skimming is the process of recording the data on the magnetic stripe of a credit or debit card so that it can be used later in a fraudulent way. It isn't the easiest way, but it produces the most viable data for fraudsters to sell.

So how do they do it? Typically they use a card reader similar to the ones that the bank or retail outlets use to process your...

Kelly Conley | 07 May 2007 07:00:00 GMT | 0 comments

The May ‘State of Spam’ report is now online. This month’s report highlights several interesting spam trends seen by Symantec, including the reduction in image spam, the image-hosting services used in stock spam, company character-assassination spam, and a new twist on the 419 spam technique.

419 spam is named after an article of the Nigerian Criminal Code which deals with fraud, and has primarily been used to defraud individuals with stories about African dictators and the sale of natural African reserves such as oil and gas.

We’ve all seen these scams. Typically they begin with a greeting and then immediately claim to need assistance in the transfer of funds to the U.S. Some try to tug on your heart strings with a story of loss, while others just make a direct play for your purse strings. But the point is, it’s a complete stranger asking for access to...

Takashi Katsuki | 04 May 2007 07:00:00 GMT | 0 comments

Recently we came across an interesting Trojan sample, detected by Symantec as Trojan.Kardphisher. The Trojan is not very technical; it's really just another classic social-engineering attack. What makes it interesting is that the author has obviously taken great pains to make it appear legitimate.

When you restart your PC after the Trojan is installed, this window appears:

You can only choose Yes or No. You can't run Task Manager or any other applications. If you choose No, your PC will be shut down immediately. If you choose Yes, you'll see this image:


Robert Keith | 03 May 2007 07:00:00 GMT | 0 comments

In a recent staff meeting, someone mentioned that one of our competitors was trying to steal our customers. In this or any other business, that should not come as too much of a shock. However, the competitor’s critique seemed to focus on trivial, nit-picky things rather than on what makes our products and services really stand out in the field.

My role as part of Symantec’s DeepSight Research Team is to scour the Internet for information related to known and as-yet unpublished vulnerabilities in software and hardware. The information comes from many sources, including Bugtraq, Full-Disclosure, independent researchers, and of course directly from the vendors themselves. We correlate and document these pieces of information, then publish them as BIDs (Bugtraq IDs) available in the public repository at SecurityFocus and distributed...

Yazan Gable | 02 May 2007 07:00:00 GMT | 0 comments

Big money is being made through buying and selling stolen credit card information. There’s an entire market thriving in shady chat rooms on public Internet Relay Chat (IRC) servers. Carders vie for the best deals, having to wade through thousands of lines of advertisements. Large collections of credit card numbers, identities, credit card dumps, bank account credentials and online payment accounts are among the many things traded by the minute. But it isn’t only the carders who make money from the sale of this information.

Payment service companies make their commissions on these sales as well. Every deal involving stolen credit card information has to be paid for, and payment service companies provide the carders with the ability to transfer their money.

But what makes any particular payment service popular amongst carders? There are a number of factors. Firstly, anonymity is important. A carder wants to provide as little personal information as possible. They don’t...

Yazan Gable | 01 May 2007 07:00:00 GMT | 0 comments

Did you ever wonder how your credit card information is bought, sold or transferred? Have you ever wondered how someone uses your credit card information after it is stolen to commit fraud? There are a number of ways, but the preferred method is through using dumps. A dump is a file containing the data that is stored on a credit card’s magnetic stripe. Dumps are the favorite currency of credit card fraud these days.

Carders, the people who deal in stolen credit card information and laundering, pay premium prices for dumps. Premium is around US$8.00, while simple credit card numbers, names and expiration dates go for around US$1.00 – 2.00. Sure, having a credit card number, name and expiry date works pretty well for online purchases, but the difficulty is in getting the goods. Where should they be shipped to?

Dumps, on the other hand, allow the carder to write the data onto pretty much any magnetic card. This includes hotel room keys, discount cards, gift cards, and other credit...

Hon Lau | 30 Apr 2007 07:00:00 GMT | 0 comments

Since late yesterday we have seen a marked increase in the activity of a new Sober variant doing the rounds.
A new variant of Sober, named W32.Sober.AA@mm, is currently being spammed out to many users around the world.
The spam can be either in English or German and uses classic social-engineering techniques to trick users into opening and running the attachments.

The emails sent have the following characteristics:

Subject lines seen (German subjects with English translations in parentheses):

Ihr Passwort wurde geaendert! (Your password has been changed!)
Fehlerhafte Mailzustellung (Failed mail delivery)
Ihr Account wurde eingerichtet! (Your account has been set up!)
Your Updated Password!
Error in your eMail

Message body (German, translation in parentheses):

Ihr Passwort wurde erfolgreich geaendert. (Your password has been changed successfully.)
Ihre neuen Account-Daten und Passwort befinden sich gesichert im Anhang! (Your new account details and password are secured in the attachment!)

Diese Nachricht wurde Automatisch generiert. (This message was generated automatically.)
- Ihre...

Orla Cox | 30 Apr 2007 07:00:00 GMT | 0 comments

Commercial rootkits were first brought to the public's attention with the infamous Sony DRM case. This was followed a few months later by a rootkit component included on some KinoWelt DVDs. This rootkit was part of the Alpha-DVD content-protection software produced by the Korean company Settec. Discussion surrounding commercial rootkits has died down somewhat since then; however, this doesn't mean that they've gone away.

Recently we added detection for a rootkit which is installed by the Korean online shopping site Cashmoa. In order to log onto the site, the user is required to install a software package. This package includes a driver called cmdriver.sys. The driver behaves like a rootkit by hiding processes that use a particular name. The danger is that a...

Nicolas Falliere | 27 Apr 2007 07:00:00 GMT | 0 comments

A few days ago, we received yet another submission containing a strange Animated Cursor file. This vulnerability made quite some noise, and though we thought it was handled by now, this file was definitely not the usual ANI exploit…

An ANI file follows the RIFF standard, with a few exceptions. It is a collection of data chunks, all having the same format of "header | size | data". Therefore, spotting malicious files attempting to exploit the vulnerability should be easy. But is it? For the human eye, it is. For a heuristic detection, in spite of what was said before, it is not. Despite the supposedly simple structure of the Animated Cursor file, Microsoft’s implementation of its parser is quite loose.

First, invalid chunks get parsed without complaint. Though they do not affect the ANI file itself, such chunks should not be encountered in cursor files, yet the ANI parser simply allows and skips them. Fair enough, our detections can handle that as well. Attackers, after a few days of ‘...
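To make the "header | size | data" layout concrete, here is a small added example (my own code, not Symantec's detection logic or Microsoft's parser) that walks the RIFF chunks of an ANI file the way a heuristic would have to, and reports the irregularities the post is talking about: chunk IDs a cursor should never contain (which Windows silently skips), chunk sizes that run past the end of the file, and 'anih' chunks whose size is not the 36 bytes of the ANIHEADER structure (the animated-cursor vulnerability of that spring is publicly documented as an oversized 'anih' chunk copied into that fixed-size structure). The function names, the allow-list of chunk IDs and the two sample files are assumptions constructed for this example; neither sample is a real exploit.

```python
import struct

# ANIHEADER is nine little-endian DWORDs, so a conforming 'anih' chunk carries 36 bytes.
ANIH_SIZE = 36

# Chunk IDs an animated cursor can legitimately contain.  This allow-list is an
# assumption for the example, not an exhaustive reading of the ANI format.
KNOWN_IDS = {b"anih", b"rate", b"seq ", b"LIST", b"icon", b"INAM", b"IART"}


def walk_chunks(data, offset, end, depth=0):
    """Yield (depth, chunk_id, size, payload_offset) for every chunk in data[offset:end],
    following the 'header | size | data' layout.  A LIST chunk carries a 4-byte form type
    followed by nested chunks, which are walked recursively."""
    while offset + 8 <= end:
        chunk_id, size = struct.unpack_from("<4sI", data, offset)
        payload = offset + 8
        yield depth, chunk_id, size, payload
        if chunk_id == b"LIST" and size >= 4:
            yield from walk_chunks(data, payload + 4, min(payload + size, end), depth + 1)
        # RIFF chunks are word-aligned: an odd-sized payload is followed by one pad byte.
        offset = payload + size + (size & 1)


def analyze_ani(data):
    """Return a list of human-readable findings; an empty list means nothing odd was seen."""
    findings = []
    if len(data) < 12 or data[:4] != b"RIFF" or data[8:12] != b"ACON":
        return ["not a RIFF/ACON (animated cursor) file"]
    riff_size = struct.unpack_from("<I", data, 4)[0]
    if riff_size + 8 != len(data):
        findings.append(f"RIFF header claims {riff_size + 8} bytes, file is {len(data)}")
    anih_count = 0
    for depth, chunk_id, size, payload in walk_chunks(data, 12, len(data)):
        if payload + size > len(data):
            findings.append(f"chunk {chunk_id!r} claims {size} bytes but the file ends first")
        if chunk_id not in KNOWN_IDS:
            findings.append(f"unexpected chunk id {chunk_id!r} (the Windows parser would silently skip it)")
        if chunk_id == b"anih":
            anih_count += 1
            if size != ANIH_SIZE:
                findings.append(f"anih chunk #{anih_count} has size {size}, expected {ANIH_SIZE}")
    if anih_count == 0:
        findings.append("no anih chunk present")
    elif anih_count > 1:
        findings.append(f"{anih_count} anih chunks present, a cursor needs exactly one")
    return findings


# --- constructed sample files (built here for the example; not real malware) ---

def chunk(chunk_id, payload):
    """Encode one RIFF chunk: id, little-endian size, payload, pad byte if the size is odd."""
    return chunk_id + struct.pack("<I", len(payload)) + payload + (b"\x00" if len(payload) & 1 else b"")


def riff(form_type, body):
    """Wrap a body in a RIFF container; the size field covers the form type plus the body."""
    return b"RIFF" + struct.pack("<I", 4 + len(body)) + form_type + body


# cbSize = 36 followed by zeroed header fields: enough structure for the walker to inspect.
ANIH_OK = struct.pack("<I", ANIH_SIZE) + b"\x00" * (ANIH_SIZE - 4)

# A well-formed cursor: one anih chunk and a rate table.
BENIGN_ANI = riff(b"ACON", chunk(b"anih", ANIH_OK) + chunk(b"rate", struct.pack("<I", 10)))

# A file shaped like the trick the post describes: a valid anih, an unknown chunk that the
# parser would skip over, then a second anih whose size exceeds the 36-byte structure.
SUSPICIOUS_ANI = riff(
    b"ACON",
    chunk(b"anih", ANIH_OK) + chunk(b"junk", b"\x90" * 6) + chunk(b"anih", b"A" * 80),
)

if __name__ == "__main__":
    for name, sample in (("benign", BENIGN_ANI), ("suspicious", SUSPICIOUS_ANI)):
        print(name, analyze_ani(sample) or "clean")
```

Run as a script it prints `clean` for the first sample and three findings for the second: the unknown chunk, the 80-byte anih, and the duplicate anih. The point for heuristics is that the walker has to keep going past chunks it does not recognise, exactly as Windows does, or it never reaches the chunk that matters.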