Security Response
Symantec Security Response | 11 Jun 2006 07:00:00 GMT | 0 comments

Webmail providers, such as Yahoo! Mail and Hotmail, are possible vectors of infection from mass-mailing email worms. As is the risk with Microsoft Outlook and other common email programs, if you download and execute programs from an email client you run the risk of executing malicious code. If there is a vulnerability in your email client, malicious code can even execute automatically. Webmail programs are similar to other email clients that are installed locally and are equally affected by vulnerabilities. For example, a variety of Outlook issues have been discovered in the past where attachments were automatically executed simply because a user previewed an item of email. Webmail programs are not immune from this type of vulnerability.

A new Yahoo! Mail worm, JS.Yamanner@m, is making the rounds by utilizing a vulnerability affecting webmail. Yahoo! Mail...

Eric Chien | 09 Jun 2006 07:00:00 GMT | 0 comments

I have received reports recently from people who are getting odd spam messages delivered to them that don't actually try to sell them prescription drugs, visas to the US, methods of enlarging their body parts, or cheap loans so they can refinance their home. Instead of these commonly known scams, the spam messages in question use a recipient's own email address as the return address, and have a subject line and message body containing random numbers. No exploit inside, no malicious code, no links.

Initially, a lot of theories were put forth; from spam software gone wrong, to spammers trying to poison Bayesian spam filters. It turns out the reason for these odd spam messages is nothing other than a familiar mass mailing worm, Beagle. W32.Beagle.FC is another variant of the Beagle family. Beagle is split into many components: one component may just try to...

Liam O Murchu | 07 Jun 2006 07:00:00 GMT | 0 comments

I recently posted a blog that refers to fuzzing techniques—in particular I spoke about finding file format vulnerabilities using these fuzzing techniques. Therefore, it was with no great surprise that I greeted the announcement of the discovery of nine different file format vulnerabilities affecting the Apple QuickTime application. However, what did surprise me was the number of separate file formats that were found to be vulnerable.

In this particular announcement the commonly known .jpg, .bmp, .avi, and .pict file formats were found to be vulnerable, along with several other formats that were disclosed. Given the number of issues discovered, there is no doubt in my mind that these were all found using file fuzzing techniques. For a full listing of the issues that Apple has resolved with a patched version of QuickTime, please refer to the...

Dave Stahl | 05 Jun 2006 07:00:00 GMT | 0 comments

"Your password will expire in six days." Upon receiving this notification, I grimaced. What could be more fun than coming up with yet another password—particularly one that meets the increasingly ludicrous password policies that are ever present in the industry?

"Your password will expire in one day." Well, shoot. I guess I'd better go on and take care of it. A small modification to my current 23 character pass phrase, and hopefully I'll be done with this for another month or two. Nope. It seems that more rules have been added since I last changed my password; specifically, the requirement that they be between eight and 14 characters. No shorter, no longer. The password change tool helpfully suggests a few possible passwords:


Great, thanks! I'll be able to memorize one of those shortly before the next ice age. I'm now in...

Ollie Whitehouse | 02 Jun 2006 07:00:00 GMT | 0 comments

So, it's started. In terms of security, we are seeing first generation mobile operating systems transition into second generation mobile operating systems. While the threats mobile embedded devices face today are relatively small, they are very real threats. We often see samples of backdoors, spyware, worms, Trojans, and arbitrary code execution for either one or both of two key commercial mobile operating systems (Symbian and Windows Mobile).

What strikes me, however, is that the vendors seem to be learning from the tribulations in the desktop space. What I mean to say is, they could sit around and wait for these issues to become as rampant as they are today in the desktop arena before they addressed security in the mobile environment; however, initial evidence suggests that mobile OS companies like Symbian, Microsoft, and ARM are becoming more proactive with security.

With the release of Symbian 9 we are seeing a more granular permissions model. With the...

Stephen Doherty | 31 May 2006 07:00:00 GMT | 0 comments

In regards to my previous blog about the social engineering attack that occurred recently on, it seems as though the problem with rogue phishing messages is still causing havoc with some online poker rooms. The following fake message was sent to users from May 16th to May 17th (Monday night to Tuesday afternoon):

“ATTENTION PLAYERS: THE FIRST 10 PLAYERS WHO WILL VISIT THE SITE ( THEY WILL BE AWARDED WITH THE AMAZING PRICE OF $10,000. HURRY!!!!” are currently promoting their upcoming 500 millionth poker hand, and are offering over $60,000 in cash prizes. The timing of these unofficial message boxes will certainly...

Liam O Murchu | 26 May 2006 07:00:00 GMT | 0 comments

The commercialization of every aspect of online fraud has been a growing trend over the last few years. [1] This commercialization has now hit the drive-by download market. A new subscription service that automates drive-by downloads is now available and being touted in the underground.

This service provides a point-and-click solution for anyone who wants to set up drive-by downloads on their own Web site. Some features offered by the service include: browser and browser version detection, OS detection, Windows service pack detection, JVM version detection, and antivirus software detection.

These detection processes allow specific exploits to be leveraged in each case. The team behind the service also claims to have the ability to develop exploits based on vendor advisories, which presents the worrying scenario of zero-day exploits being available to their customers. This could lead to a similar situation that occurred when WMF exploits were circulating (in...

Stephen Doherty | 24 May 2006 07:00:00 GMT | 0 comments

It was a quiet Thursday night on May 11, 2006, when I decided to try my hand in a poker tournament on the Web site. is the busiest poker site in Europe with regular traffic of more than 5,000 players, usually reaching its peak in the evening hours. is powered by the Microgaming Poker Network, and promotes upcoming poker events by periodically sending a simple message box to all of their clients. However, on this particular Thursday night, instead of receiving a message box promoting an upcoming tournament, I received a message box that stated the following:

“Dear Ladbrokes Members : An employee of LADBROKES.COM steals $30,000,000 (Thirty-Million-Dollars) from Ladbrokes players accounts, all the players have the right to know ...”

To the untrained eye, the URL in the message box appeared to be for an official BBC Web site; however, it linked to a site that was a spoof,...

Zulfikar Ramzan | 23 May 2006 07:00:00 GMT | 0 comments

Public-key cryptography enables transactions among those parties who haven’t previously agreed upon a symmetric cryptographic key. To make public-key cryptography work, one needs a mechanism for binding a person’s public key to their private identity (or to some set of authorizations or properties) for the purposes of providing security services.

The most common mechanism for doing so is a digital certificate, which is a document that is digitally signed by a certificate authority (CA). The digital certificate contains, among other things, the person’s public key together with the information the person would like to bind to it (such as his or her identity, a domain name, etc.). Ultimately, we are relying on the due diligence the certificate authorities conducted prior to issuing the certificate. The proliferation of certificate authorities, many of whom have lax practices, could seriously undermine confidence in certificates and the use of public-key cryptography in...

Liam O Murchu | 22 May 2006 07:00:00 GMT | 0 comments

It is so great to now have the opportunity to choose how to receive your adware. In the past, drive-by downloads were targeted exclusively towards Internet Explorer (IE) users and indeed, many people changed to Firefox or Safari browsers specifically because of this fact. But now you can choose which browser you want to use to be hit with your least favourite adware!

When people contemplated moving from IE to Firefox, it didn’t matter if Firefox was measurably safer than IE or not, the simple fact that the bad guys weren’t targeting it made it far more secure in practice. Those heydays have long since disappeared. In the Symantec labs we still see a greater number of drive-by downloads solely targeting IE; however, we often see sites that will detect which browser you are using and then serve you your specific poison. Moreover, there have been several vulnerabilities discovered that can affect applications that are common across all Internet browsers (such as those...