Security Response
Ollie Whitehouse | 02 Aug 2007 07:00:00 GMT | 0 comments

So in a world where data is king, people are obviously going to look for ways to mine the data in more effective ways. I saw a talk in May last year by Ian Cook titled, “Finding Information in the Darkweb,” with a subtitle of “Open Source Intelligence Gathering on a Shoestring.” This was interesting and pretty cool on the whole, but required a number of tools and some time to mine the data and glue all the bits together.

While data is cool, without context it can be a huge burden to mine and discover the relationships. Well, my friends, close your Google Earth as I’ve got something to show you that is so cool it’ll make whizzing round the streets of San Francisco in Google Earth feel like peeling potatoes.

Welcome to Evolution, the brainchild of Roelof Temmingh of ex-SensePost fame. It’s a tool that “associates data found in multiple search engines and social-networking Web sites… to find...

Shunichi Imano | 02 Aug 2007 07:00:00 GMT | 0 comments

Symantec Security has received a sample of an Ichitaro document that contains a currently unknown exploit. This is not necessarily surprising, as most software has vulnerabilities, but a user who opens the document will surely be hit with a surprise.

Symantec detects the malicious document as Trojan.Tarodrop.D. When it is opened, malware is dropped onto the compromised computer, which Symantec detects as Trojan Horse. The dropped Trojan in turn drops more malware (detected as Hacktool.Keylogger) that logs keystrokes and sends the stolen information to cvnxus.8800.org on TCP port 443.

Additionally, Hacktool.Keylogger...

Liam O Murchu | 02 Aug 2007 07:00:00 GMT | 0 comments

Brazil is the home of the infamous Infostealer.Bancos family of malware. Recently, however, we have seen a more diverse range of sites - beyond just banking sites - coming into the crosshairs of the Brazilian malware gangs. Is the recent W32.Imcontactspam worm another of their creations?

The worm is Brazilian and spammed the infected users’ MSN contacts with email advising them that they had received an electronic greeting card. We see these types of worms quite often; however, what caught our attention were the similarities between the techniques this worm uses and the techniques used by the Infostealer.Bancos family of trojans.

When executed, the worm does the following:

  1. Minimizes the real MSN Messenger login window;
  2. Displays a fake Portuguese language MSN login screen;
  3. Records the username and password that is typed;
  4. Displays the real MSN Messenger login window (user must re-type password);
  5. Records the email address of all...
Nicolas Falliere | 01 Aug 2007 07:00:00 GMT | 0 comments

Proof-of-concept code exploiting newly discovered XSS vulnerabilities in the latest version of WordPress (2.2.1) was posted today on a security blog.

The researcher unveiled seven vulnerabilities, cross-site scripting (XSS) or SQL injections, whose consequences range from benign to serious, the critical ones potentially leading to blog compromise. In his haste to show his skills, this person also released proof-of-concept (PoC) code exploiting one of these vulnerabilities.

The PoC in itself, as explained, is supposedly not malicious, and is designed to raise awareness and patch vulnerable versions of the WordPress publishing platform. In a few words, here’s how it works:

  • A WordPress administrator browses the “Comments manager” in the administration panel
  • She clicks a link, which redirects to the PoC author’s Web page. This page checks the referrer, to see whether it might originate from a logged-on WordPress administrator (the URL would contain...
Elias Levy | 01 Aug 2007 07:00:00 GMT | 0 comments

It has been almost 14 years since Scott Chasin began BugTraq to discuss computer security vulnerabilities in detail. Since then, it has grown from a small email list to become a top industry source for vulnerability information and, along the way, helped advance many of the changes in the industry through its full disclosure policy. What a long and strange trip it has been since then. But one thing remains the same: the constant struggle to do what is right in a field full of moral landmines.

Any field that deals in issues of security and safety, from medicine and insurance to airport screening and immigration, will contain many difficult moral dilemmas. Often these problems are rooted in finance and the different ways money incentivizes or disincentivizes people and organizations. Ideally, monetary and other incentives would be aligned with the moral thing to do. Often, though, this is not the case. Just as often, what the moral or right thing to do is not altogether...

Hon Lau | 31 Jul 2007 07:00:00 GMT | 0 comments

In the (legitimate!) business world, Management Information Systems (MIS) are typically used by managers and key decision makers of a business to see at a glance how well a business is doing in its various key performance areas. They typically summarize masses of transactional data through tables and reports, and also allow for more advanced analysis and drill-down to detailed data. The advantage of such systems in business is considerable, because having such information available on hand allows these individuals to make key decisions that affect the future of a business.

Moving over to the malware criminal world, we are seeing more and more parallels to the world of legitimate business. As online criminals get increasingly organized, we are seeing them employ more of the tools and techniques that would be employed in running a normal business. Such is the amount of money to be made in online crime, it has really become a sort of gold rush: just like in the traditional gold rush...

Andrea DelMiglio | 31 Jul 2007 07:00:00 GMT | 0 comments

Since May, phishing attacks against Italian banks have been a visible but rather limited phenomenon. Most financial institutions reacted quickly, setting up proper fraud management processes, education campaigns for end users and technical countermeasures since early 2006. But in the last three months, Italian mailboxes have been flooded by millions of phishing emails, moving the problem to the next level.

[Figure: Number of single URLs per month (July 07 data includes attacks until July 27th)]

As the graph illustrates, the number of attacks grew 14 times since the 2006 peak (127 in August) to the current 2007 peak (1735 last May). Attack source analysis shows...

Masaki Suenaga | 30 Jul 2007 07:00:00 GMT | 0 comments

Some file formats are more vulnerable to exploits than others. Document and spreadsheet programs, for example, are often exploited, possibly as much because of their prevalence on desktops as for any other reason. That said, updating them is often easier precisely because of their widespread use, since updates are often automatic or are otherwise easily obtained.

Less pervasive programs, though, are often harder to keep current. A prime example of this is the archive format, with extensions such as .zip, .rar, etc. There are a large number of different programs available for different platforms; more importantly, they have historically been quite vulnerable to exploits.

When security vendors discuss a newly identified vulnerability in a program, there is always the hope that users have the latest version or that they will quickly upgrade. As we all know, though, the reality is quite different. Even at the enterprise level, employees of any given company are often using...

John McDonald | 27 Jul 2007 07:00:00 GMT | 0 comments

One of our team members received an unsolicited but interesting email recently confirming his new account at a certain website, and containing the login username and password. The email was addressed to him personally using his full name, so undoubtedly his details were mined from somewhere on the Internet.

Using a secure computer he investigated by going first to the root directory of the domain in the email, and found that it appeared to be a legitimate site. However, upon then moving to the directory which was part of the login URL contained in the email, he discovered exploit code targeting the Microsoft Windows Media Player Plugin Buffer Overflow Vulnerability (BID 16644).

The page contains shell code that downloads and runs an executable file which in turn drops other malware onto the computer. This malware is injected into the explorer.exe process and scans all directories...