Security Response
Ollie Whitehouse | 23 Jun 2006 07:00:00 GMT | 0 comments

When I look back on it now, Microsoft Office is a veritable Petri dish of threat evolution. From attackers learning how to use intended functionality for malicious purposes, through to exploiting vulnerabilities in the applications themselves, an increased understanding and familiarity with the technology can be seen.

Let me explain. Once upon a time there were macro viruses in Microsoft Office documents that caused havoc. These viruses were easy to mitigate because Microsoft simply updated Office to prompt the user for further action when opening a document with unsigned macros. Alternatively, if Office was configured correctly by the user, only signed macros in trusted locations could be executed.

Fast forward four years or so, and we see that Microsoft Office is being used as a semi-trusted vehicle to exploit buffer overflows in the entire Office suite. Most businesses rely on the transfer of Word, Excel, PowerPoint, Access, Project, or Visio files to exchange information....

Marc Fossi | 21 Jun 2006 07:00:00 GMT | 0 comments

Almost everyone is aware of the nuisance caused by spam email. When we get to work in the morning we have to delete a bunch of useless messages from our Inbox before we can start the day. When we get home we have to do the same thing before getting around to reading messages from friends and family. Do you ever wonder how these spammers came by our email addresses in the first place?

There are several ways for spammers to gather email addresses to send their messages to. One of the oldest techniques involves sending a “bot” to crawl around on different Web sites, Usenet groups, and other similar Internet resources searching for email addresses. While this method works, it is time-consuming and prone to gathering addresses that are outdated and no longer in use. Another popular method involves generating email addresses using a technique called brute forcing. This method tries sending spam to addresses composed of every possible combination of letters and numbers (for...

Ollie Whitehouse | 16 Jun 2006 07:00:00 GMT | 0 comments

Phreaking ("analog style") emerged in the 1960s and was around for over 30 years until it started to die out in the mid-1990s. In my opinion the term is best described by Wikipedia: "Phreaking is a slang term coined to describe the activity of a subculture of people who study, experiment with, or exploit telephones, the telephone company, and systems connected to or composing the Public Switched Telephone Network (PSTN) for the purposes of hobby or utility. The term ‘phreak’ is a portmanteau of the words ‘phone’ and ‘freak’.”

We've started to see a number of documented cases that point to a resurgence in phreaking, but this time it's not analog networks that are being exploited; instead, it’s 21st century VoIP networks. I remember when I first started playing with VoIP in 2002, entrenched in the lab with an Asterisk PBX and one...

Liam O Murchu | 14 Jun 2006 07:00:00 GMT | 0 comments

I would never associate the phrase "good ethics" with rogue anti-spyware. Maybe "questionable ethics" or, indeed, "no ethics" are phrases that would be more appropriate! We encounter questionable ethics every day in the lab, especially when dealing with rogue applications. I will provide some information below on one of the best examples of rogue anti-spyware we have seen in the lab, called "Punisher".

Symantec detects this rogue application as Punisher, but it is also known as Remedy AntiSpy, SystemStable, HitVirus, and Adware Bazooka in the industry. Rogue applications often employ a technique of using various guises, where the application will be advertised and distributed using seemingly different software applications that all turn out to be exactly the same (except, perhaps, a different skin).

We made observations on...

Symantec Security Response | 11 Jun 2006 07:00:00 GMT | 0 comments

Webmail providers, such as Yahoo! Mail and Hotmail, are possible vectors of infection from mass-mailing email worms. As is the risk with Microsoft Outlook and other common email programs, if you download and execute programs from an email client you run the risk of executing malicious code. If there is a vulnerability in your email client, malicious code can even execute automatically. Webmail programs are similar to other email clients that are installed locally and are equally affected by vulnerabilities. For example, a variety of Outlook issues have been discovered in the past where attachments were automatically executed simply because a user previewed an item of email. Webmail programs are not immune from this type of vulnerability.

A new Yahoo! Mail worm, JS.Yamanner@m, is making the rounds by utilizing a vulnerability affecting webmail. Yahoo! Mail...

Eric Chien | 09 Jun 2006 07:00:00 GMT | 0 comments

I have received reports recently from people who are getting odd spam messages delivered to them that don't actually try to sell them prescription drugs, visas to the US, methods of enlarging his or her body parts, or cheap loans so they can refinance his or her home. Instead of these commonly known scams, the spam messages in question use a recipient's own email address as the return address, and have a subject line and message body containing random numbers. No exploit inside, no malicious code, no links.

Initially, a lot of theories were put forth; from spam software gone wrong, to spammers trying to poison Bayesian spam filters. It turns out the reason for these odd spam messages is nothing other than a familiar mass mailing worm, Beagle. W32.Beagle.FC is another variant of the Beagle family. Beagle is split into many components: one component may just try to...

Liam O Murchu | 07 Jun 2006 07:00:00 GMT | 0 comments

I recently posted a blog that refers to fuzzing techniques—in particular I spoke about finding file format vulnerabilities using these fuzzing techniques. Therefore, it was with no great surprise that I greeted the announcement of the discovery of nine different file format vulnerabilities affecting the Apple QuickTime application. However, what did surprise me was the number of separate file formats that were found to be vulnerable.

In this particular announcement the commonly known .jpg, .bmp, .avi, and .pict file formats were found to be vulnerable, along with several other formats that were disclosed. Given the number of issues discovered, there is no doubt in my mind that these were all found using file fuzzing techniques. For a full listing of the issues that Apple has resolved with a patched version of QuickTime, please refer to the...

Dave Stahl | 05 Jun 2006 07:00:00 GMT | 0 comments

"Your password will expire in six days." Upon receiving this notification, I grimaced. What could be more fun than coming up with yet another password—particularly one that meets the increasingly ludicrous password policies that are ever present in the industry?

"Your password will expire in one day." Well, shoot. I guess I'd better go on and take care of it. A small modification to my current 23 character pass phrase, and hopefully I'll be done with this for another month or two. Nope. It seems that more rules have been added since I last changed my password; specifically, the requirement that they be between eight and 14 characters. No shorter, no longer. The password change tool helpfully suggests a few possible passwords:

sYdid,5jag
glip*4esO
e&6fLogi
fam,1hYo
tar,7yePy
nib,2duenK
kEt1%geuck
yaLal7#yas
neTec7#jin
pEa+8hegju

Great, thanks! I'll be able to memorize one of those shortly before the next ice age. I'm now in...

Ollie Whitehouse | 02 Jun 2006 07:00:00 GMT | 0 comments

So, it's started. In terms of security, we are seeing first generation mobile operating systems transition into second generation mobile operating systems. While the threats mobile embedded devices face today are relatively small, they are very real threats. We often see samples of backdoors, spyware, worms, Trojans, and arbitrary code execution for either one or both of two key commercial mobile operating systems (Symbian and Windows Mobile).

What strikes me, however, is that the vendors seem to be learning from the tribulations in the desktop space. What I mean to say is, they could sit around and wait for these issues to become as rampant as they are today in the desktop arena before they addressed security in the mobile environment; however, initial evidence suggests that mobile OS companies like Symbian, Microsoft, and ARM are becoming more proactive with security.

With the release of Symbian 9 we are seeing a more granular permissions model. With the...

Stephen Doherty | 31 May 2006 07:00:00 GMT | 0 comments

In regards to my previous blog about the social engineering attack that occurred recently on Ladbrokespoker.com, it seems as though the problem with rogue phishing messages is still causing havoc with some online poker rooms. The following fake message was sent to Ladbrokespoker.com users from May 16th to May 17th (Monday night to Tuesday afternoon):

“ATTENTION PLAYERS: THE FIRST 10 PLAYERS WHO WILL VISIT THE SITE (http://www.ladbrokes-winners.com/) THEY WILL BE AWARDED WITH THE AMAZING PRICE OF $10,000. HURRY!!!!”

Ladbrokespoker.com are currently promoting their upcoming 500 millionth poker hand, and are offering over $60,000 in cash prizes. The timing of these unofficial message boxes will certainly...