Security Response
Brian Hernacki | 22 Sep 2006 07:00:00 GMT | 0 comments

Back to municipal Wi-Fi security again (I'll get onto other topics as soon as I get all of this out, I swear). There are two important things left to cover though: transmission security and device security. If you're new to this topic of muni Wi-Fi security, please have a look at some of my previous posts first, in order to catch up (Part I, Part II, and Part III).

I'll start with transmission security, which generally gets a lot of discussion. Transmission security really covers everything that you send or receive over the wireless network after you're "connected". Now, remember...

Kaoru Hayashi | 21 Sep 2006 07:00:00 GMT | 0 comments

Recently we have seen an increase in Trojan horse programs that attempt to steal online gaming accounts. Massively multiplayer online role playing games (MMORPG), such as Lineage, Ragnarok Online, World of Warcraft, and Final Fantasy are often targeted by these Trojans. What is the purpose of the attacks? Money. Players can trade their virtual money or items used in their game of choice online, at a special market called RMT (Real Money Trading). RMT is run by third parties and is not usually permitted by the official game vendors; however, RMT has become a big market. A recent report stated that RMT has traded more than two billion USD thus far in 2006. So, if attackers can steal gaming account information from compromised computers, they can easily sell virtual money for real money in the RMT market.

Attackers use a variety of methods to install Trojans on compromised computers. One of these ways is to use a Web site. In the past, attackers used to disguise Trojans...

Amado Hidalgo | 20 Sep 2006 07:00:00 GMT | 0 comments

The trend of new exploits being released immediately after Microsoft's Patch Tuesday is continuing (we are starting to call it "exploit week"). Symantec Security Response have confirmed a new Internet Explorer zero-day vulnerability today. It was first reported by Sunbelt Software. Security Response is rating it as critical because an exploit for this vulnerability is already in the wild.

We have confirmed that this exploit takes advantage of a bug in VML (vector markup language, which is an XML language used to produce vector graphics) to overflow a buffer and inject shell code. The exploit then downloads and installs multiple security risks, such as spyware, on the compromised machine.

An interesting feature of the Web sites hosting the malicious...

Symantec Security Response | 19 Sep 2006 07:00:00 GMT | 0 comments

Symantec Security Response is aware of an exploit currently running in the wild on a vulnerability in Microsoft PowerPoint. The exploit targets Chinese language versions of Office 2000 running on Chinese language versions of Windows XP. Thus far, this attack is not widespread and there is no reason to believe it will become more prevalent, based on our experience with similar attacks this year. This is a continuation of the trend (which we have been tracking throughout this year) toward exploiting vulnerabilities in Microsoft Office applications in order to install malware—mainly Trojans.

It is not currently known if other languages or versions are affected by the underlying vulnerability. Symantec has released antivirus definitions that detect this threat as Trojan.PPDropper. All of the normal advice applies here (i.e., don't open attachments from people you don't know or attachments you aren't expecting, and keep your antivirus and security solutions up to date).


Kelly Conley | 18 Sep 2006 07:00:00 GMT | 0 comments

Diet pills? Ambien? HGH? If any of these are up your alley, you were in luck this past month. Online pharmacy spam represented a significant number of spam attacks that were seen by the Symantec Brightmail antispam probe network. In fact, this spam type was one of the top categories of spam sent out in August and has been around for a long, long time. The Internet is a gold mine of “cheap prescription drugs” that “don’t require a prescription!”

How can you recognize this spam type? For starters, it is often text-based and includes a “non-clickable” URL. A non-clickable URL requires a person to copy and paste the URL into a browser window to navigate to the Web site. You may wonder “Who would manually copy and paste these URLs into a Web browser?”, but someone must. In fact, many people must do this because it is a popular component to the success of online pharmacy spam. Spammers wouldn’t do it if end users weren’t so gullible and it didn’t work as well as it does....

Hon Lau | 16 Sep 2006 07:00:00 GMT | 0 comments

In a recent blog, I mentioned that Office documents were a great place to hide malware in order to maximize its chances of distribution. This time I want to draw attention to the fact that the Windows Registry is also another handy reference tool for some Trojans, too.

A Trojan will usually drop another copy of itself or a component as part of the installation process to try and throw users off track. So, typically a Trojan would run and, as part of its installation process, drop a copy of itself under another filename in, say, the Windows System folder and modify the registry to run itself at every restart of the computer.

The goal of any effective profit-making malware is to get installed and run undetected for as long as possible to try and maximize the profit-making window. Many angles of attack and stealth have been explored by malware authors over the years. Some are high tech, as we see with rootkits. Some are low tech, such as in disguising...

Symantec Security Response | 14 Sep 2006 07:00:00 GMT | 0 comments

Just days after Microsoft's September Patch Tuesday announcement, Security Response has confirmed that there is a new Internet Explorer zero-day vulnerability. Because this is an unpatched vulnerability with proof-of-concept exploit code available, Symantec Security Response is considering this to be rated as "critical". The vulnerability itself was announced by XSec.

Upon further analysis, we have determined that the vulnerability is, in fact, a buffer overflow related to how Internet Explorer tries to instantiate a certain DirectAnimation COM object as an ActiveX control. At this point, we believe that successful exploitation of this vulnerability may allow an attacker to execute remote code on the compromised system.

There is no patch available from Microsoft for this particular zero-day exploit, as of yet. In order to provide proactive protection to our customers against malicious attacks that attempt to leverage the vulnerability, Symantec Security Response is...

Liam O Murchu | 14 Sep 2006 07:00:00 GMT | 0 comments

There is a relatively new annoyance called "spim" that seems to be popping up on our screens more frequently. Spim is the equivalent of spam (unsolicited email, usually selling snake oil) that is delivered over instant messaging clients. After recently receiving more spim, which was advertising what I believed to be a spyware product, it occurred to me that the best tricks are still the oldest ones. With the recent attention that spyware applications are receiving, it is easy to overlook some of the simpler, more direct methods of spying. Spyware applications are not the only way people can catch their spouses cheating (!). The spim message I received was advertising a “catch your spouse cheating service”. No download necessary, no application to install, no hidden software on your spouse’s computer.

The service is based strictly on social engineering. It is a “very straightforward service”, as it is explained on their Web site. For a fee of only $49.95, this...

Zulfikar Ramzan | 13 Sep 2006 07:00:00 GMT | 0 comments

Last year, researchers at Indiana University performed a fascinating study on the potential impact of a phishing attack that included some form of relevant context. It was felt that it wouldn't be much longer before phishers harnessed the power of contextual techniques. The academic work I'm referring to, entitled "Social Phishing", involved an experiment where researchers at Indiana University first mined available resources (social networking sites, etc.) to determine who was friends with who. Then, they launched a mock phishing attack to see how individuals responded to a phishing email when the email message was forged to appear as if one of their friends sent it. It turned out that 72% of email recipients fell for the ruse and divulged sensitive credentials (compared to 15% in the "control" group that received an email from a random stranger).

At the time of the study, we weren't really aware of phishers trying to use the same trick to increase the...

Ben Greenbaum | 12 Sep 2006 07:00:00 GMT | 0 comments

Well, once again we find ourselves faced with the monthly ritual known as "Microsoft Patch Day". This time around the ordeal is relatively minor, with only three new items in the bucket. Two of these items could potentially result in attacker-supplied code being run on a target system, but both are reliant on other limiting factors, which greatly reduce the global stress level associated with Patch Tuesday. All items, of course, are still worthy of close inspection by any admin to see if they apply to the machines and networks that they are responsible for.

The first issue we’ll address in this blog is the PGM overflow vulnerability (MS06-052, CVE-2006-3442, BID 19922). This is the most severe of the issues presented this month because it allows an attacker to execute arbitrary code remotely on the affected system. So then, what’s the good news? Well, the affected code is in MSMQ3....