Security Response
Jitender Sarda | 04 Dec 2007 08:00:00 GMT | 0 comments

'Tis the season of exchanging greetings, what with Thanksgiving and Xmas rounding out the year's end. Unfortunately, malicious code writers are on the job trying to exploit these occasions by sending out mass spam email greeting cards with attractive and fancy links that serve the purpose of downloading malicious files to a victim's computer.

These eCards are purportedly sent from a legitimate source and try to lure the victim to click on the link to view the eCards, which have underlying tricks to try and infect the computer. With the Xmas bells starting to ring, here is the first incidence where Xmas eCards have started doing the rounds. The URL included in the eCards attempts to download the "sos385.tmp" file, which is a downloader.

In this particular sample below, the "From:" header alias is displaying an eCard from a well-known company; however, it is of course a spoofed header. The spammer has also deliberately inserted the text "(no worm , no...

Davide Veneziano | 03 Dec 2007 08:00:00 GMT | 0 comments

Computer forensics is a powerful instrument available to financial institutions in the battle against online fraud. During the analysis of a phishing attack many players need to be considered. As illustrated by Andrea Del Miglio, the role of email service providers is fundamental, but hosting companies as well as individual owners of compromised Web sites can really help in enhancing the effectiveness of the analysis. The information found within the log files of a compromised Web server can support forensics operations; precious details such as IP addresses belonging to end-users, timestamps, and the visited URLs are all recorded in these files. Additionally, the total number of visitors can contribute to the evaluation of the real risk associated with each single attack. That is to say, the more visitors a fraudulent Web site has, the higher the risk.

During the last...

Joji Hamada | 01 Dec 2007 08:00:00 GMT | 0 comments

On November 25, we blogged about a proof of concept exploit code for Apple's QuickTime RTSP Response Header Remote Stack Based Buffer Overflow Vulnerability being disclosed to the public. Now a week has passed and Symantec's DeepSight honeynet has spotted at least one active exploitation in the wild.

Originally, the flaw was disclosed on November 23, 2007 by Polish security researcher Krystian Kloskowski and since then we have seen a number of exploits targeting the vulnerability being released to the public. But now the exploit is active and in the wild, meaning web surfers are in danger of being attacked. Our current analysis is also leading us to believe that there may be multiple attacks in existence. Further investigation is currently under way to confirm this...

Vikram Thakur | 30 Nov 2007 08:00:00 GMT | 0 comments

A few days ago we posted a blog entry about how some pharmaceutical sites were using link farms and spamming in their marketing campaign. The hackers were injecting links into compromised sites, which raised the marketed sites in search engine results. We followed up with some of the owners and administrators of sites that were being used in this spam campaign and found most administrators cleaning up the infections and closing holes in their Web applications promptly.

Ironically, after we posted the previous article the spammers began to use text from our blog to redirect traffic to their sites. This shotgun seeding technique allows the link farmers to rapidly manipulate the metadata and skew search results. Here is a screenshot of what we got by searching for one specific line from our previous blog entry.

...

Liam O Murchu | 30 Nov 2007 08:00:00 GMT | 0 comments

The Mpack and IcePack exploit packages have been on sale for some time. Now, free releases of these tools are being distributed, but are these free distributions all they are supposed to be? While examining these free releases we discovered some surprises.

The Mpack and IcePack exploit packages are designed for non-technical users. They group exploits together into one easy-to-install package, and using this package, non-technical users can run exploits on the browsers of unsuspecting visitors. Ultimately this grants non-technical attackers the ability to infect visitors to their sites without having to know how exactly it happens.

When these packs were first released they sold in the underground for over $1,000 apiece. The packs are installed with minimum configuration and effort, and all that the controller needs to do is attract users to the exploit site. When one of these exploit sites is opened in a visitor's browser, the exploits are run and if the user is vulnerable a...

Téo Adams | 29 Nov 2007 08:00:00 GMT | 0 comments

Recently there have been several reports of security flaws in a product provided by a company called Mobile Spy. The product is an application for Windows Mobile smartphones. The application logs various forms of communication data transmitted to and from the phone and sends it to a hosted database. A user can log in to the web service and view all the data that has been logged.

The idea behind this product is that it’s installed on a device without the knowledge of that device’s user (for example, an employee, child, spouse, etc.). The party who installed it can then monitor the user’s activity to ensure that the device is not being abused. A company manager, for example, can make sure that an employee is not making personal calls or sending personal text messages from a company device.

For the most part, this seems like a reasonable idea, but the security flaws in both the...

Brian Ewell | 29 Nov 2007 08:00:00 GMT | 0 comments

On November 29 the FBI announced the results of its second Bot Roast (see the FBI release). This is the FBI operation responsible for hunting out and attempting to bring to justice cyber criminals involved in cultivating botnets. These botnets, which can call home to millions of computers, are responsible for millions of dollars in financial losses at both a corporate and consumer level. The FBI operation has resulted in the successful capture, indictment, and/or sentencing of multiple criminals. In the long run it may be only a small slice of the world of botnets, but make no mistake, any gains in fighting this epidemic are well received. The FBI and those involved should be commended.

Of course, what's a blog entry without the standard "practice safe computing" comment: Ensure your system is patched and protected as best as possible through the use of a security package. Anything we...

Jitender Sarda | 28 Nov 2007 08:00:00 GMT | 0 comments

Malicious code writers have always used popular Web brand names to spread malicious code through spam vectors, and these days the YouTube brand name is popping up more and more. However, the spoofed URL in this latest scam redirects visitors to dynamic domain names with seemingly unusual top level domains (TLDs), such as .li, .ch, and .es. Last month, spammers used the YouTube brand name in an attempt to spread spam regarding male enhancement pills and get-rich-quick schemes.

The email looks harmless enough, because the “From” header is spoofed to appear as if it's coming from "YouTube Service", which helps it to look like a legitimate invitation. The video's description is enticing and seems innocuous, inviting potential victims to open a shared video file, which is a fake YouTube link. Here is a sample of one of these scam emails:

From: "YouTube Service" service@youtube.com
To: [REMOVED]
Bcc: [...

Ben Nahorney | 28 Nov 2007 08:00:00 GMT | 0 comments

Four days after news of the recent Apple QuickTime vulnerability began to spread, a new proof-of-concept exploit, with a twist, has been published. While the shell code in the previous exploit was contained within a malicious RTSP data stream, this time the shell code is sent via JavaScript, separate from the stream.

Let’s break down how this might play out. A client requests a Web page from a malicious site. The page that is sent contains malicious shell code and a request for a QuickTime movie. If the client is using Internet Explorer, the shell code is written to a heap area for later use. Meanwhile, the browser receives the QuickTime movie and then opens it with QuickTime, creating an RTSP stream to the malicious server. Only the RTSP server in this scenario is hosting a hacked version, which actually sends back a stream that overwrites the...
