Video Screencast Help
Security Response
Showing posts in English
Symantec Security Response | 23 Apr 2007 07:00:00 GMT | 0 comments

Identity theft and phishing have become prominent issues in the lastfew years. In this time, many users have become savvy to phishingschemes and are less likely to fall for traditional phishing attacks.In order to keep the stream of revenue flowing, attackers have had tobegin using more advanced techniques. One of the more recent techniquesis called "context-aware" phishing. A context-aware phishing attackuses specific personal information about intended victims to gain theirtrust. With the right information and implementation, this type ofattack can be very effective. To get the necessary personal informationfor this attack, phishers have become more like private investigators.

In this blog, I'll talk about one of the techniques used byattackers to find the information necessary to carry out effectivecontext-aware phishing attacks. This includes identifying targets,finding which brands can be phished for a given target, and researchingpersonal information to supply the...

Peter Ferrie | 20 Apr 2007 07:00:00 GMT | 0 comments

Microsoft's JScript is a very powerful and flexible language.However, great flexibility leads to a great potential for obfuscation.We have seen many examples of JScript obfuscation in the past, such asstring concatenation and dynamic decoding, and will likely see more inthe future.

The most recent and a potentially problematic example uses one ofthe simplest obfuscation methods: Unicode escaping. Normally, Unicodeescaping is used to send Unicode characters that might not travel wellacross networks, such as characters that could be transformed accordingto the system locale. From a security perspective, Unicode escaping iswidely used to deliver executable code in Web exploits.

What was previously unknown to us is that Unicode escapes can beapplied to function names, variables, and all kinds of other code. Thiswas demonstrated by the recent virus that we detect as ...

Ollie Whitehouse | 19 Apr 2007 07:00:00 GMT | 0 comments

User Interface Spoofing and Its Impact on Security
As you may have seen in James O’Connor’s paper, Attack Surface Analysis of Blackberry Devices, there is a bug/vulnerability in Blackberry devices that allows an attacker to spoof the interface that shows a .jad file's signing properties. A .jad file is a Java package format that is frequently used to distribute applications for mobile phones. This spoofing allows an attacker to make a .jad application appear to be signed by a legitimate user or company. The attacker accomplishes this by using a carefully constructed file with the appropriate amount of spaces within certain strings.

Because the susceptibility to this class of attacks is not unique to the BlackBerry or to .jad files, I thought it might make an interesting blog entry. I originally found something like this...

James O'Connor | 19 Apr 2007 07:00:00 GMT | 0 comments

Some of you may have read my blog article last year about the BlackBerry mobile device: Hacking the BlackBerry along with the associated whitepaper, Blackberry Security: Ripe for the picking? We decided not to widely distribute that paper for a number of reasons, including the fact that the model reviewed was a tad on the old side (BlackBerry 7290 circa 2004). Well, fast-forward to 2007, when I was supplied with a shiny new BlackBerry Pearl 8100 and a blank sheet of paper.

As I alluded to in my previous blog, the Pearl represents a significant departure for Research In Motion; a departure from the world of purely corporate utility, and an arrival at the world of consumer-oriented features. The device sports a beautifully stylized slimline form-factor, a 1.3 megapixel camera, and a removable media card as standard. Of course, all the...

Ron Bowes | 18 Apr 2007 07:00:00 GMT | 0 comments

The Home and Home Office Security Report(HHOSR), a monthly report released by Symantec, provides a high-leveloverview of Internet security concerns that may be of interest to homeand home office users. March's HHOSR focused largely on Volume XI of Symantec's Internet Security Threat Report.

This HHOSR's hot topic discussed the price of a wide variety ofinformation related to personal identity. The types of information, andthe prices at which they were offered, are outlines in table 1 below.

Item Cost in US Dollars
Complete Identity $14 - $18
US Credit Card $1 - $6
UK Credit Card $2 - $12
...
Elia Florio | 17 Apr 2007 07:00:00 GMT | 0 comments

What we saw in the first Trojan.Peacommoutbreak during January was only the beginning of the “storm-worm” war.The initial outbreak seemed to be an experiment in setting up apeer-to-peer (P2P) bot network, and to test the potential of theTrojan. The bad guys who were behind those criminal activities used thefirst variant of Peacomm to distribute a set of single-module Trojansthat were programmed to send spam, perform DDoS attacks, gather mailaddresses, and distribute new versions of the Trojan.


20070416%20-%20Peacomm_B_fig1_small_2_EF.jpg
...

Peter Ferrie | 17 Apr 2007 07:00:00 GMT | 0 comments

A few days ago, a postto a vulnerability discussion mailing list included a demonstration ofa heap corruption in Windows .hlp files' "bm" section. .hlp files areWinHelp-format Help files, a primitive version of .chm, or CompiledHelp Module-format help files. The "bm" section, or the Bitmap-formatgraphics section, is the part of the .hlp file that contains graphics(icons, pictures, etc.). The poster had discovered the vulnerability byusing a fuzzer to insert random data into the file. However, it seemsthat he did not understand why this vulnerability works.

After digging into the issue, it appeared to me that the filetargets the same vulnerability that was last attacked in December of2004, the WinHelp Phrase Heap Overflow.However, after a careful review, I realized that this...

Shunichi Imano | 16 Apr 2007 07:00:00 GMT | 0 comments

It has been reported that a worm that exploits the Microsoft Windows Domain Name Server Service Remote Procedure Call Interface Vulnerability is in the wild. Symantec Security Response has obtained a sample of the worm and we detect the threat as W32.Rinbot.BC.

UPDATE
We have seen an increase in activity over TCP port 1025 as a result ofW32.Rinbot.BC scanning the port in search of vulnerable computers.W32.Rinbot.BC is the first worm that exploits the Microsoft DNSvulnerability and the exploit code was only made public a few days ago.If you have not done so already, Symantec suggests that you block TCPport 1025 in order to avoid the attack.

Blaster, Sasser, W32.Rinbot.BC
We have observed that the time taken from exploit code...

Shunichi Imano | 16 Apr 2007 07:00:00 GMT | 0 comments

It has been reported that a worm that exploits the Microsoft Windows Domain Name Server Service Remote Procedure Call Interface Vulnerability is in the wild. Symantec Security Response has obtained a sample of the worm and we detect the threat as W32.Rinbot.BC.

UPDATE
We have seen an increase in activity over TCP port 1025 as a result ofW32.Rinbot.BC scanning the port in search of vulnerable computers.W32.Rinbot.BC is the first worm that exploits the Microsoft DNSvulnerability and the exploit code was only made public a few days ago.If you have not done so already, Symantec suggests that you block TCPport 1025 in order to avoid the attack.

Blaster, Sasser, W32.Rinbot.BC
We have observed that the time taken from exploit code...

Shunichi Imano | 16 Apr 2007 07:00:00 GMT | 0 comments

It has been reported that a worm that exploits the Microsoft Windows Domain Name Server Service Remote Procedure Call Interface Vulnerability is in the wild. Symantec Security Response has obtained a sample of the worm and we detect the threat as W32.Rinbot.BC.

UPDATE
We have seen an increase in activity over TCP port 1025 as a result ofW32.Rinbot.BC scanning the port in search of vulnerable computers.W32.Rinbot.BC is the first worm that exploits the Microsoft DNSvulnerability and the exploit code was only made public a few days ago.If you have not done so already, Symantec suggests that you block TCPport 1025 in order to avoid the attack.

Blaster, Sasser, W32.Rinbot.BC
We have observed that the time taken from exploit code...