Video Screencast Help
Security Response
Showing posts in English
Shunichi Imano | 11 Nov 2006 08:00:00 GMT | 0 comments

It has recently been reported thatfunctional exploit code for Broadcom Wireless drivers has been madeavailable to the public. Concerns over the exploit are increasing,because the exploit allows remote code execution, and the susceptibledrivers are shipped with many new computers.

More information can be found at the Month of Kernel Bugs site.

A machine is vulnerable to the exploit if the computer has asusceptible Broadcom Wireless-N network card, and is running thedrivers in question. Unfortunately, due to the nature of wirelessnetworking, all that is required of the attacker is to be within rangeof the vulnerable machine. Because this vulnerability occurs at anextremely low level
within the networking protocol, there may be difficulties in detecting these attacks using standard IDS/IPS methods.

Symantec Security Response recommends that you update...

Ollie Whitehouse | 10 Nov 2006 08:00:00 GMT | 0 comments

Hola again! Well, that’s my Spanish out the way. Oh, wait – dos cervezas por favor ;-). Anyway, I was invited down to Spain by the kind folk of NoConName (thanks to Nico and crew – Majorca is lovely!) to deliver a presentation on some research I had done at the start of the year when I first joined the Advanced Threat Research team (research that I had alluded to in an earlier blog entry on an attack surface analysis of Windows CE 5 and Windows Mobile 5.

This is a rundown of the NoConName version of my presentation:

• Introduction & Context
• Overview of Windows CE
• Windows CE Security Model
• Analysis Findings
• Windows CE and Security Patches

The first three sections are pretty self explanatory and way too long to cover...

Zulfikar Ramzan | 09 Nov 2006 08:00:00 GMT | 0 comments

A fairly imaginative phishing attack was live on the site for a few hours on the morning of Friday, October 27, 2006. The attack was interesting not so much because of its technical prowess, but because the attackers were so creative. The attack was initially reported by Netcraft who discovered it when one of their customers encountered the page.

The attackers were able to create a login page located at, which solicited the visiting user’s MySpace username and password. When entered, these values would go to a server operated out of France.

How did the attackers manage to pull this off? They tossed the wealth of complex phishing techniques aside and did something that was remarkably simple and yet clever. Like millions before them, they just went to and registered an...

Mimi Hoang | 08 Nov 2006 08:00:00 GMT | 0 comments

Symantec is the most effective at detecting and removing spyware versus five other vendors. AV-Test (Andreas Marx), under the supervision of TUEV Saarland, conducted a test to determine how each vendor handled the spyware/adware anti-removal techniques.

This test was conducted in June, 2006, with 50 security risk samples randomly chosen by AV-Test from the “top 10” lists of various antispyware vendors, including the vendors that were tested. Further information on testing methodology and samples used can be downloaded at (refer to the Appendix at the end of the technical brief) or visit

The results showed Symantec’s lead in the detection and removal of spyware, adware, and other security risk programs. We...

Hon Lau | 07 Nov 2006 08:00:00 GMT | 0 comments

Many great things have been touted about Web 2.0, such as that it will bring about a richer, freer, and more community-driven experience for all users. Technologies like wikis and blogs, along with services like Flickr and YouTube are prime examples of how the Web has evolved to bring about increased community participation. What these services really do is bring about freedom of speech to the masses. Unfortunately, the masses also include the “bad”.

Wikipedia has long been a target for mischief makers who abuse the ability for anyone to freely create and edit entries in the encyclopedia. Usually the abuses only involve providing false information in articles on the site. Recently, we received reports that the German version of Wikipedia has been used by malware creators to distribute their creations by modifying a page to point to their malicious programs. According to the reports, a Wikipedia entry regarding W32.Blaster was modified to point at fake Microsoft Windows...

Eric Chien | 06 Nov 2006 08:00:00 GMT | 0 comments

An exploit has been spotted in the wild foran unpatched vulnerability in the Microsoft XML core services, whichallow developers to create XML-enabled applications. All supportedversions of Internet Explorer (including IE7) make use of thisfunctionality and are likely to be possible vectors of attack.

While the exploit has been spotted in the wild, it has only beenseen on a single Web site and Symantec has no confirmed infectionreports from customers. Nevertheless, as always, be cautious whensurfing the Web.

Symantec has already released a signature, Bloodhound.Exploit.96, to catch this exploit. More information about the vulnerability can be found in the Microsoft Security Advisory (927892).

Update Nov. 8, 2006: A...

Joseph Blackbird | 06 Nov 2006 08:00:00 GMT | 0 comments

Well, it’s now November and time to startthinking about buying presents for the holiday season. In the last fewyears, one of the most popular choices for presents has been one of themany different MP3 players on the market. Two incidents occurred inOctober that may make you think twice before connecting that new playerto your computer. Reports surfaced that a small number of Apple’s VideoiPods were infected with the Rajumpvirus. The virus was traced back to a Windows-based computer that wasused to test the devices during the manufacturing process.Additionally, some of the MP3 players given away as part of a promotionby McDonald’s in Japan were infected with a virus. Any new device thatyou connect to your computer should always be scanned with anup-to-date antivirus product before you allow it to synchronize anyfiles.

Also in October, there were a couple of...

Shunichi Imano | 03 Nov 2006 08:00:00 GMT | 0 comments

On October 31st, Microsoft released a Security Advisory entitled Vulnerability in Visual Studio 2005 Could Allow Remote Code Execution.At this time, a vendor supplied patch has not been released against thevulnerability. It allows a remote file to be downloaded and executedwhenever a vulnerable user visits a malicious Web site. We haveconfirmed that it is being actively exploited in the wild.

To proactively detect the exploitation of this vulnerability, Symantec Security Response released Bloodhound.Exploit.95on November 1. Since then, we have received steady number ofBloodhound.Exploit.95 submissions. The submitted files are generally.html files from malicious Web sites, which use the vulnerability todownload further malware, most of which have...

Ollie Whitehouse | 03 Nov 2006 08:00:00 GMT | 0 comments

Back in 2004, I presented some research at CanSecWest entitled “Bluetooth Security: Toothless?” One of the items I covered in this presentation was the ability to recover link keys over the air. My research was missing a key feature, which was how to force a re-pair between two devices in order to be able to observe the new pairing to be able to get the required data. Fast-forward to June, 2005, and Yaniv Shaked and Avishai Wool improved the attack in many aspects and released the paper “Cracking the Bluetooth PIN,” including many novel aspects. Well, it’s now 2006 and Thierry Zoller has just given an interesting presentation at the conference (with input from...

Mimi Hoang | 02 Nov 2006 08:00:00 GMT | 0 comments

Rootkits are on the rise! We define a rootkit as a component that uses stealth to maintain an undetectable presence on a computer. Above and beyond that, the actions performed by a rootkit are done without end-user consent or knowledge.

Open source offers ready-to-use rootkit applications that are widely available to anybody using the Internet. Even an inexperienced rookie would be able to use a rootkit without having to understand how it works. These hi-tech criminals are money hungry and want to hide their actions and presence on any system they get on. Rootkits are perfect to help them commit fraud and identity theft by granting the attackers unauthorized access to privileged and proprietary information, and launching and hiding other malicious applications on the system. Above all, it leaves the hi-tech criminal with a back door to be able to continue to harm the victimized machine. As well, a large proportion of spyware and adware programs that use rootkits are...