Video Screencast Help
Symantec to Separate Into Two Focused, Industry-Leading Technology Companies. Learn more.
Security Response
Showing posts in English
Kelly Conley | 14 Mar 2007 07:00:00 GMT | 0 comments

Replica watches are all the rage these days. It seems with all the spam that I’ve seen lately about replica watches, they are the "must have" of the season. Come get your replica watch at hundreds and sometimes thousands of dollars off the retail price of the authentic version!

Replica watches are not a new thing. No, they have been hawked on the Internet and streets of major cities for a long, long time. What we at Symantec have recently been seeing, is wave after wave of email spam regarding replica watches over the past few days. Most of these attacks have been high in volume.

What specifically are theses spammers hawking? Replicas of Rolex, Cartier, Breitling, Omega, Hermes, and many other top brands. When you click on the link provided in the spam emails, the intent of the spammers becomes obvious as you are taken to Web sites with large pictures of the wares that they are trying to sell. Every time I open a link to a replica site, I can almost hear the...

Candid Wueest | 13 Mar 2007 07:00:00 GMT | 0 comments

Recently, some people received quite a shock while doing their normal online banking business, as reported by Heise news. While browsing their bank’s Web site, they suddenly noticed that an international phone number and a country flag were integrated into the transaction page.

From that point on, the reaction of different users will vary. You might call me pessimistic, but I assume some people would not question it (if they noticed it at all), and would continue with their normal online banking transactions. The same people might also fall for general phishing email attacks. Afterall, user awareness is not yet universal.

Security-savvy users, however, would identify this as a phishing attack of some sort and stop their current online banking session immediately (after taking some screenshots, of course). They would then call up the bank to tell them that a new kind of...

Ollie Whitehouse | 12 Mar 2007 07:00:00 GMT | 0 comments

Code Signing and UAC in Windows Vista havea relationship that should not be underestimated. Code Signing allowsUAC to provide a user with the details of an application's publisherand, thus, permits the user to ensure it is trusted before allowing itto elevate to full administrative privileges. Therefore, my recentobservation has left me dumbfounded.

The observation was this: if a signed binary is modified on diskand, thus, the code signing signature invalidated, you don’t get a bigklaxon going off with the computer screaming, “Danger Will Robinson!Danger!” Instead, the binary is simply treated as if it isn’t signed.Why is this an issue? The simple reason is that if, for example, youhave a world of poor file permissions (looking squarely at third-partysoftware here) and the user running as a restricted administrator canmodify a binary that is allowed to elevate, you could end up in asticky situation. That is, if a user is familiar with the fact that anapplication needs...

Josh Harriman | 09 Mar 2007 08:00:00 GMT | 0 comments

No, this is not a new Monty Python skit. This is a real operation and is being implemented right now by the Securities and Exchange Commission (SEC). Operation Spamalot has halted trading in 35 companies. Their reason is basically that information regarding these companies have been spammed out through email to millions of people touting false or misleading information in order to drive up stock prices. We in Security Response have spoken of this phenomenon before in a couple of recent blogs, Spam and Stock Speculation and Trojan.Peacomm Part 2.

But now, the SEC has stepped in and is trying to put a stop to this...

Joseph Blackbird | 09 Mar 2007 08:00:00 GMT | 0 comments

February's Home and Home Office Security Report covers a number ofsecurity issues, including this month's "Hot Topic," which describes anattack targeting insecure routers that could allow a hacker to view allthe information you type online, including passwords! Recently,researchers have discovered a method that hackers may be able to use tobreak into your networks through your home wireless or wired router. Totake advantage of this issue, a hacker would simply have to entice youto load a Web page that they control. Once loaded, the site wouldhijack your router and allow the hacker to control the Web sites thatyou visit. For example, if you type in the Web address of your bank,the hacker could redirect your request to a site that is designed tolook like your bank's Web site, but is, in fact, controlled by thehacker. Any information that you enter on the hacker-controlled sitewould be viewable by the hacker, including user names and passwords foronline banking, credit card...

Josh Harriman | 09 Mar 2007 08:00:00 GMT | 0 comments

No, this is not a new Monty Python skit.This is a real operation and is being implemented right now by theSecurities and Exchange Commission (SEC). Operation Spamalothas halted trading in 35 companies. Their reason is basically thatinformation regarding these companies have been spammed out throughemail to millions of people touting false or misleading information inorder to drive up stock prices. We in Security Response have spoken ofthis phenomenon before in a couple of recent blogs, Spam and Stock Speculation and Trojan.Peacomm Part 2.

But now, the SEC has stepped in and is trying to put a stop to thisactivity and...

Liam O Murchu | 08 Mar 2007 08:00:00 GMT | 0 comments

A threat that we see very frequently in the lab is the back doornamed Backdoor.GrayBird or Backdoor.HuiPigeon. Today, I will shed somelight on this back door both to show how easy it has become to create apowerful back door with a rich feature set, and also to show why we seeso much of this particular back door.

Backdoor.Graybird gets its name from the Chinese company that makesthe product, which translates to Gray Bird. It is a commercial Chineseremote access tool that sells for about $100 for a 100 user license. Itcan be configured to run silently on the victim's machine and isnormally distributed via email or via drive-by downloads. (If sent viaemail, the user still needs to execute the file.) It can be packed tomake each sample unique and, most recently, NsAnti has been the packerof choice.

Backdoor.Graybird is very popular in underground Chinese hackingforums partly because it is all written in Chinese, so it is easilyunderstood, and also because...

Elia Florio | 08 Mar 2007 08:00:00 GMT | 0 comments

Following further research and also some feedback received fromSunbelt (thanks to Alex for that) we are posting a short follow upabout the Windows Live hijack story reported yesterday.First of all, we notice that some of the domains returned by WindowsLive open popup boxes and pages with false Windows errors and problems.

This is the usual social engineering scam to induce people toinstall programs like WinFixer or ErrorSafe. Those programs aresecurity risks that may give exaggerated reports of threats on thecomputer, and they only get installed on the machine if users agree andclick “Yes” to begin the installation.

Today we were able also to verify that a subset of the bad domainsreturned by Windows Live redirect Italian computers to some maliciousWeb sites hosting several exploits and delivering malwares. Thisbehavior affects, at the...

Elia Florio | 08 Mar 2007 08:00:00 GMT | 0 comments

Following further research and also some feedback received fromSunbelt (thanks to Alex for that) we are posting a short follow upabout the Windows Live hijack story reported yesterday.First of all, we notice that some of the domains returned by WindowsLive open popup boxes and pages with false Windows errors and problems.

This is the usual social engineering scam to induce people toinstall programs like WinFixer or ErrorSafe. Those programs aresecurity risks that may give exaggerated reports of threats on thecomputer, and they only get installed on the machine if users agree andclick “Yes” to begin the installation.

Today we were able also to verify that a subset of the bad domainsreturned by Windows Live redirect Italian computers to some maliciousWeb sites hosting several exploits and delivering malwares. Thisbehavior affects, at the...

Liam O Murchu | 08 Mar 2007 08:00:00 GMT | 0 comments

A threat that we see very frequently in the lab is the back doornamed Backdoor.GrayBird or Backdoor.HuiPigeon. Today, I will shed somelight on this back door both to show how easy it has become to create apowerful back door with a rich feature set, and also to show why we seeso much of this particular back door.

Backdoor.Graybird gets its name from the Chinese company that makesthe product, which translates to Gray Bird. It is a commercial Chineseremote access tool that sells for about $100 for a 100 user license. Itcan be configured to run silently on the victim's machine and isnormally distributed via email or via drive-by downloads. (If sent viaemail, the user still needs to execute the file.) It can be packed tomake each sample unique and, most recently, NsAnti has been the packerof choice.

Backdoor.Graybird is very popular in underground Chinese hackingforums partly because it is all written in Chinese, so it is easilyunderstood, and also because cracked...