Security Response
Symantec Security Response | 19 May 2006 07:00:00 GMT | 0 comments

Within the last 24 hours, Security Response has discovered a new attack which exploits a previously undocumented vulnerability in Microsoft Word. The malicious Microsoft Word document is emailed to the victim as an attachment, and upon being opened, it installs an embedded Trojan horse program we are calling Trojan.Mdropper.H.

The dropper Trojan then installs a backdoor, Backdoor.Ginwui, which binds a command shell for allowing remote access to the victim machine by the attacker and contacts a remote web server via HTTP. Both the source and the target of the attack were based in Asia. The Web site that Backdoor.Ginwui was contacting every minute via HTTP POST commands has been taken down, though the IP addresses were being juggled by the attacker.

Security Response has seen a number of attacks like this of late and it really serves to underscore the new threat landscape we’re dealing with today. Here are a few of the signs of the time illustrated by this latest attack.

Zulfikar Ramzan | 18 May 2006 07:00:00 GMT | 0 comments

Phishing is an attempt by a third party to solicit confidential information from an individual, group, or organization, often for financial gain. The phishers may then use the information to conduct criminal activities for profit. A typical phishing email may ask the recipient to click on a URL that appears to belong to a well known Web site, but the link actually directs the user to a malicious site with the fraudulent intent to steal information.

In a recent twist, phishers have replaced malicious URLs with malicious “1-800” phone numbers. The brand name targeted in one particular instance was Chase Bank. The Chase Bank scam was initiated when users were enticed to dial a rogue 1-800 number listed in a phishing email. When they connected to the number, they were greeted by a warm voice asking for their account number, expiration date, and last four digits of their social security number [1]. The message ended by acknowledging that the account details had been...

Eric Chien | 17 May 2006 07:00:00 GMT | 0 comments

When we talk to customers about the future malware landscape, many often wonder when mobile device threats are going to arrive. They are surprised to learn that threats for mobile devices already exist, aren't just proofs of concept, and are actively spreading. Commwarrior, for example, infects Symbian Series 60 devices (for example, many Nokia smartphones) and has been reported worldwide. According to news reports, telephony companies have stated that Commwarrior has accounted for more than ten percent of all of their MMS traffic. Other telephony companies that Symantec has spoken to have specifically implemented filters to block Commwarrior at their gateways due to the amount of traffic it was generating.

While threats exist and are actively spreading, we are probably still years away from the situation we have with the Microsoft Windows operating system. We hope we can take a lesson from history and prevent such a situation, but some lessons seem to be hard to learn...

Ollie Whitehouse | 16 May 2006 07:00:00 GMT | 0 comments

So, it's started. We are starting to see the arrival of Linux in the cellular device/handset market (to be honest, it's been a year or two since they first emerged, but they are now starting to become more prevalent) and along with them the attendant security issues.

While I wish to avoid a war in regards to different operating systems and security (I don't want to antagonize the Slashdot crowd again), the following is true: the vendors who are gaining direct benefits from the adoption of open source software (OSS) within their devices and products (such as low cost and quicker product development) are not addressing the security with the same aggression. If Symantec were a non-OSS company, people (myself for one) would be quick to point this out and remind them of their obligations to end-user security.

Let me explain what I mean. Currently we expect big OS vendors like Microsoft, Apple, and Sun to typically provide an easy way to implement upgrades that...

Eric Chien | 15 May 2006 07:00:00 GMT | 0 comments

Being in this business, we are often called upon to help clean up the computers of families and friends. In the past I have had many friends who thought they had a virus, but usually it was just some other system anomaly. Times have changed though, and now I tend to see a lot of adware and spyware as well as infections from worms and IRC bots. Usually it is just a matter of running a few tools, deleting a few registry keys and files and everything is better.

So, when a friend of mine recently sent me an odd instant message (IM) on Yahoo IM, I wasn’t that surprised. I immediately recognized it as suspicious, since my friend would have no reason to be using a free Brazilian homepage Web site, and I don’t think he had ever written a smiley face in the manner displayed on the IM. (See figure 1)

Figure 1

Ollie Whitehouse | 12 May 2006 07:00:00 GMT | 0 comments

I’ve had my head in Windows CE and Windows Mobile for what feels like months, looking at the security architecture and the types of threats that will affect these types of devices now and in the future (plug: paper coming soon). As I was drawing to a close on finalizing some last minute edits, I noticed that Microsoft had launched a small sub-section on their Windows Embedded site dedicated to security [1]. Digging a little further, I noticed that in order to access details of the patches available for vulnerabilities in Windows Mobile you needed an OEM agreement in place with Microsoft [2].

This got me really interested. I originally wanted to see if some of the issues Symantec had identified were patchable already. With a little more digging I found that you could access the QFE Updates (like Service Packs to the development environment) for Windows CE Platform Builder without needing an OEM agreement [3] (this I presume is due to the fact that anyone can get...

John Canavan | 11 May 2006 07:00:00 GMT | 0 comments

With a landmark of six million concurrent online users set last month, Skype’s active user base is growing quickly. With many worms now targeting other IM platforms, it looks to be only a matter of time before Skype becomes targeted as an infection vector. The presence of functionally strong features in the Skype API makes it a prime target for malicious code.

Towards the end of last year, Skype introduced a programming API with the intention of fostering a growing development community. Applications providing useful add-ons to Skype functionality and many hardware interfaces had been springing up over the previous months. Hoping to make development for these programmers less painful, introduce new add-ons to the product, and ultimately increase their market share in the face of the threats from Google Talk and Yahoo IM talk services, the Skype API was launched to capitalize on developer interest.

The Skype API allowed for stand-alone applications to communicate...

Patrick Martin | 10 May 2006 07:00:00 GMT | 0 comments

People often ask me about the best way to configure their computer to protect against threats, such as worms and Trojan horses. They say they have installed antivirus protection and never open unexpected email attachments. But they wonder if that is enough. Antivirus protection is certainly an important part of an effective protection solution. It has the ability to detect known threats as well as many new ones via heuristic technologies. But there is a second technology that can be added to help complete the picture: a firewall.

While antivirus software helps to protect the file system against unwanted programs, a firewall helps to keep attackers or external threats from getting access to your system in the first place. Most people are aware that worms often travel through email. They generally arrive as an attachment to an email that the user is enticed to click on by the text of the email itself. We call these threats “mass-mailing worms.” The best thing to do with these...

Dave Cole | 09 May 2006 07:00:00 GMT | 0 comments

Back in the wild and woolly pre-bust days of ’98, distributed denial of service attacks (DDoS) knocked the froth off of some very high profile Web sites. Backed by malcode like Trin00 and Stacheldracht, the attacks made headlines everywhere, as online businesses that were the frontrunners of the emerging Internet economy were unexpectedly closed for business while they did battle with the legions of zombie computers slinging packets at them and tying up their systems.

So here we are, approximately eight years later. Trin00 and Stacheldracht have been replaced by much more powerful, multi-purpose successors like Spybot and Gaobot. And the attacks keep coming. The latest Symantec Internet Security Threat Report (March 2006) showed a 51% increase in denial of service attacks. The previous period (January 2005 to June 2005) was characterized by a gaudy 680% growth, as attacks surged from 119 per day to 927 per day. The number for the second half of 2005 now rests at 1,402...

Symantec Security Response | 08 May 2006 07:00:00 GMT | 0 comments

“Ladies and Gentlemen, step right up and feast your eyes on this!” The special today is a cure for a little ailment called “spam.” Well, not all spam. Just spam with certain polka-dots on them. Call it a flavor if you will, and why not? I mean, you’ve got Heinz touting 57 varieties (in reality, there’s much, much more), so why not different flavors of spam? Dr. Seuss might even serve it up with some green eggs if you let him.

I digress. The spam du jour is of the self-inflicted kind. No, not the kind that you get after you sign up for a random online sweepstake. No, not even the kind you randomly pick up just for having an email account. The spam we are talking about is the kind that you get because your email appears on a Web site that you might maintain.

Imagine if you will, that one day you decided that you wanted to put up a Web site. What goes on this site? Well, first there are the usual pictures and maybe some prose. Then sprinkle in a blog if...