Security Response
Ollie Whitehouse | 27 Jul 2007 07:00:00 GMT | 0 comments

One of my colleagues, Orlando Padilla, recently ran across a tool by Linchpin Labs & OSR, which allowed unsigned drivers to be loaded on Vista 64-bit. The tool, Atsiv, is interesting since one of the big security features advertised by Microsoft for Vista 64-bit was the fact that no unsigned code could be loaded into the kernel in order to help mitigate malicious kernel drivers typically used by rootkits.

When looking at how it did its magic the original .exe contains two resource sections:

DRIVER_BIN32
DRIVER_BIN64


These are actually signed 32-bit and 64-bit drivers. The command line tool loads the appropriate driver, which then in turn allows loading of unsigned drivers due to the implementation of their own PE loader. A side effect of using their own loader is noted by the authors in their design documentation:...

Aaron Adams | 27 Jul 2007 07:00:00 GMT | 0 comments

The hacking scene is definitely not what it used to be. Though it seems hard to remember, there was a time before vulnerabilities were posted to mailing lists every day, you could sell exploits to corporations and hacking groups were being turned into security companies. There were few established laws restricting hacking and a simple Internet search returned a massive amount of detail on how to hack. It was a time when a few small groups of elite technology enthusiasts, driven largely by curiosity and mischief (vs. malicious) became some of the most notorious and powerful hackers of all time.

This was the era of groups like the Legion of Doom, the Cult of the Dead Cow, the Masters of Deception, the Chaos Computer Club, the P.H.I.R.M., the genesis of zines like Phrack and 2600, and the days when blowing a whistle found in a cereal box into a telephone receiver gave you control of a phone line.

In those days, communication between hackers was mostly...

Symantec Security Response | 26 Jul 2007 07:00:00 GMT | 0 comments

In the June 2007 edition of RSA Security Phishing News released on July 5th, RSA’s Anti-Fraud Command Center uncovered a new type of phishing kit, which is “actually a single file which creates an entire phishing site on a compromised server when double-clicked on, similar to .exe installation files.” According to the report, traditional phishing kits include all of the relevant files which must be installed one by one in the appropriate directories on the server that is controlled by the phisher. The new kit instead, “saves the phishers time and effort, by automating the site installation process.”

This news received quite a bit of press coverage, but does it really change the rules of the game? Our feeling is that it doesn’t: most phishing sites are currently hosted on compromised Web servers, where phishers have been able to upload files using one of the (many) unpatched vulnerabilities lying in the Web application code. Phishing kit configuration is usually done on a phisher...

Marc Fossi | 25 Jul 2007 07:00:00 GMT | 0 comments

Hacking has existed in one form or another for quite some time. Just as the Internet grew by leaps and bounds in the '90s, so did the hacking community. While the dot-com bubble thrust the Internet into the general public’s conscience, it also brought hacking into the limelight. Web site defacements and denial of service attacks quickly became commonplace. Naturally, with the rapid growth of the Internet population, a rise in the number of people looking to take advantage of neophyte users also took place.

More hacking groups began forming in the '90s, such as the L0pht. In 1998 members of the L0pht testified before Congress that they could shut down the Internet in 30 minutes. In 1992, five members of the Masters of Deception group were indicted in federal court and later plead guilty...

Jim Hoagland | 24 Jul 2007 07:00:00 GMT | 0 comments

I recently made a discovery that shows the importance of anchoring the input when trying to match a password. By this I mean that there should be no extra characters accepted either before or after the password (i.e., no extra characters that could be part of the password). Unanchored matching greatly weakens the defense against brute forcing the password.

My wife and I were driving back from dinner when we decided to try the remote message check feature of our new home phone answering machine. I had set the two digit password (let's pretend it is "54") but we hadn't read the directions on how to check messages remotely. I told my wife our code and she tried just entering the two digits "5-4" and it worked. I had expected that we'd at least have to enter "#" first. That the machine was just listening to the incoming call for the passcode made me wonder. Playing a hunch, I had my wife call back and enter "1-5-4-0", a four digit passcode with our actual passcode in the middle. To her...

Darren Kemp | 23 Jul 2007 07:00:00 GMT | 0 comments

Attacks targeting vulnerabilities in the Java Runtime Environment are anything but new. Several researchers have previously visited this topic and the results have been some fantastic research. However, in recent weeks the DeepSight Threat Analyst Team has been investigating several Java issues resulting from a notable increase in vulnerabilities reported affecting the Java Runtime Environment and its associated components.

The threat landscape has seen a dramatic increase in attacks targeting client-side vulnerabilities in recent years. Vulnerabilities have been exposed in a variety of applications including media players, Web browsers, ActiveX controls and mail clients, to name just a few. The ubiquitous nature of the Java Runtime Environment makes it a prime candidate for attackers. With this in mind, it is not surprising to see much of the preliminary research into exploitation of environments like the Java Virtual Machine manifest itself both in recently disclosed vulnerabilities...

Liam O Murchu | 20 Jul 2007 07:00:00 GMT | 0 comments

There have been a lot of rumours and discussions about the recent Adobe Flash Player Remote Code Execution vulnerability. The most interesting thing is that it is a cross-platform vulnerability. Due to the fact that Flash can run in different browsers and on many different platforms, the discovery of this one vulnerability could leave all those operating systems and devices that are Flash-enabled open (e.g., including some advanced smartphones) to the attack.

The vulnerability has already been tested on Windows, Apple Mac, and some Linux distributions, but many other devices that are Flash-enabled could be affected by the problem too. For example, we verified that the Nintendo Wii gaming console is also affected. Wii has an Internet channel that runs a special version of the Opera browser with Flash, and yes… we verified that it is affected by the problem too! The Wii console completely hangs while...

Ollie Whitehouse | 20 Jul 2007 07:00:00 GMT | 0 comments

On the desktop we have many different executable compactors, compressors and encryptors. These are used to protect and/or obfuscate binary files. These can be employed by software authors and malicious code authors to protect their code from reverse engineering (though, typically in vain). A while back, we saw a surge of malicious code authors using these tools to obfuscate their code against signatures. It became a case of:

10 Download executable compactor
20 Pass existing malicious code through it
30 Release on Internet
40 Wait for signature to be added to antivirus
50 GOTO 10

This got a bit boring for antivirus vendors like Symantec, so we introduced executable decompression support to our AV engines (as discussed in the Internet Security Threat...
