Video Screencast Help
Search Video Help Close Back
to help

Security Response

Showing posts in English
NoConName – Attack Surface Analysis of Windows CE/Mobile 5
Ollie Whitehouse | 10 Nov 2006 08:00:00 GMT | 0 comments

Hola again! Well, that’s my Spanish out the way. Oh, wait – dos cervezas por favor ;-). Anyway, I was invited down to Spain by the kind folk of NoConName (thanks to Nico and crew – Majorca is lovely!) to deliver a presentation on some research I had done at the start of the year when I first joined the Advanced Threat Research team (research that I had alluded to in an earlier blog entry on an attack surface analysis of Windows CE 5 and Windows Mobile 5.

This is a rundown of the NoConName version of my presentation:

• Introduction & Context
• Overview of Windows CE
• Windows CE Security Model
• Analysis Findings
• Windows CE and Security Patches

The first three sections are pretty self explanatory and way too long to cover...

Read more
An Imaginative Phishing Attack on MySpace
Zulfikar Ramzan | 09 Nov 2006 08:00:00 GMT | 0 comments

A fairly imaginative phishing attack was live on the MySpace.com site for a few hours on the morning of Friday, October 27, 2006. The attack was interesting not so much because of its technical prowess, but because the attackers were so creative. The attack was initially reported by Netcraft who discovered it when one of their customers encountered the page.

The attackers were able to create a login page located at http://www.myspace.com/login_home_index_html, which solicited the visiting user’s MySpace username and password. When entered, these values would go to a server operated out of France.

How did the attackers manage to pull this off? They tossed the wealth of complex phishing techniques aside and did something that was remarkably simple and yet clever. Like millions before them, they just went to MySpace.com and registered an...

Read more
Handling Today's Tough Security Threats: Spyware
Mimi Hoang | 08 Nov 2006 08:00:00 GMT | 0 comments

Symantec is the most effective at detecting and removing spyware versus five other vendors. AV-Test (Andreas Marx), under the supervision of TUEV Saarland, conducted a test to determine how each vendor handled the spyware/adware anti-removal techniques.

This test was conducted in June, 2006, with 50 security risk samples randomly chosen by AV-Test from the “top 10” lists of various antispyware vendors, including the vendors that were tested. Further information on testing methodology and samples used can be downloaded at http://www.symantec.com/enterprise/security_response/toughsecurity/index.jsp (refer to the Appendix at the end of the technical brief) or visit www.tekit.de.

The results showed Symantec’s lead in the detection and removal of spyware, adware, and other security risk programs. We effectively...

Read more
The Problem with Web 2.0
Hon Lau | 07 Nov 2006 08:00:00 GMT | 0 comments

Many great things have been touted about Web 2.0, such as that it will bring about a richer, freer, and more community-driven experience for all users. Technologies like wikis and blogs, along with services like Flickr and YouTube are prime examples of how the Web has evolved to bring about increased community participation. What these services really do is bring about freedom of speech to the masses. Unfortunately, the masses also include the “bad”.

Wikipedia has long been a target for mischief makers who abuse the ability for anyone to freely create and edit entries in the encyclopedia. Usually the abuses only involve providing false information in articles on the site. Recently, we received reports that the German version of Wikipedia has been used by malware creators to distribute their creations by modifying a page to point to their malicious programs. According to the reports, a Wikipedia entry regarding W32.Blaster was modified to point at fake...

Read more
New Vulnerability Affecting Internet Explorer
Eric Chien | 06 Nov 2006 08:00:00 GMT | 0 comments

An exploit has been spotted in the wild foran unpatched vulnerability in the Microsoft XML core services, whichallow developers to create XML-enabled applications. All supportedversions of Internet Explorer (including IE7) make use of thisfunctionality and are likely to be possible vectors of attack.

While the exploit has been spotted in the wild, it has only beenseen on a single Web site and Symantec has no confirmed infectionreports from customers. Nevertheless, as always, be cautious whensurfing the Web.

Symantec has already released a signature, Bloodhound.Exploit.96, to catch this exploit. More information about the vulnerability can be found in the Microsoft Security Advisory (927892).

Update Nov. 8, 2006: A...

Read more
October Home and Home Office Monthly - Roundup
Joseph Blackbird | 06 Nov 2006 08:00:00 GMT | 0 comments

Well, it’s now November and time to startthinking about buying presents for the holiday season. In the last fewyears, one of the most popular choices for presents has been one of themany different MP3 players on the market. Two incidents occurred inOctober that may make you think twice before connecting that new playerto your computer. Reports surfaced that a small number of Apple’s VideoiPods were infected with the Rajumpvirus. The virus was traced back to a Windows-based computer that wasused to test the devices during the manufacturing process.Additionally, some of the MP3 players given away as part of a promotionby McDonald’s in Japan were infected with a virus. Any new device thatyou connect to your computer should always be scanned with anup-to-date antivirus product before you allow it to synchronize anyfiles.

Also in October, there were a...

Read more
Exploits get Visual
Shunichi Imano | 03 Nov 2006 08:00:00 GMT | 0 comments

On October 31st, Microsoft released a Security Advisory entitled Vulnerability in Visual Studio 2005 Could Allow Remote Code Execution.At this time, a vendor supplied patch has not been released against thevulnerability. It allows a remote file to be downloaded and executedwhenever a vulnerable user visits a malicious Web site. We haveconfirmed that it is being actively exploited in the wild.

To proactively detect the exploitation of this vulnerability, Symantec Security Response released Bloodhound.Exploit.95on November 1. Since then, we have received steady number ofBloodhound.Exploit.95 submissions. The submitted files are generally.html files from malicious Web sites, which use the vulnerability todownload further malware, most of which have turned out to be...

Read more
Bluetooth PIN Cracker: Be Afraid
Ollie Whitehouse | 03 Nov 2006 08:00:00 GMT | 0 comments

Back in 2004, I presented some research at CanSecWest entitled “Bluetooth Security: Toothless?” One of the items I covered in this presentation was the ability to recover link keys over the air. My research was missing a key feature, which was how to force a re-pair between two devices in order to be able to observe the new pairing to be able to get the required data. Fast-forward to June, 2005, and Yaniv Shaked and Avishai Wool improved the attack in many aspects and released the paper “Cracking the Bluetooth PIN,” including many novel aspects. Well, it’s now 2006 and Thierry Zoller has just given an interesting presentation at the hack.lu conference (with input from ...

Read more
Handling Today's Tough Security Threats: Rootkits
Mimi Hoang | 02 Nov 2006 08:00:00 GMT | 0 comments

Rootkits are on the rise! We define a rootkit as a component that uses stealth to maintain an undetectable presence on a computer. Above and beyond that, the actions performed by a rootkit are done without end-user consent or knowledge.

Open source offers ready-to-use rootkit applications that are widely available to anybody using the Internet. Even an inexperienced rookie would be able to use a rootkit without having to understand how it works. These hi-tech criminals are money hungry and want to hide their actions and presence on any system they get on. Rootkits are perfect to help them commit fraud and identity theft by granting the attackers unauthorized access to privileged and proprietary information, and launching and hiding other malicious applications on the system. Above all, it leaves the hi-tech criminal with a back door to be able to continue to harm the victimized machine. As well, a large proportion of spyware and adware programs that use...

Read more
Do the Macarena!
Peter Ferrie | 02 Nov 2006 08:00:00 GMT | 0 comments

We received a virus on Thursday morning that parasitically infects OSX Mach-O format files, without relying on resource forks. It's called OSX/Macarena. If you have read the OSX/Leap paper from this year's Virus Bulletin conference, you will have seen some suggestions about possible infection methods. Those suggestions were all ignored by the virus author in this case. Instead, the virus writer has found a rather unexpected region of memory in which to place the code, along with a way to gain immediate control when an infected file is executed. There is no payload in this virus—it simply replicates. However, it won't replicate very well, because it is restricted to the current directory. On Windows systems it is common to have directories like "Windows" and "Windows\system32" full of executable files; but, files aren't stored like that on OSX systems....

Read more