Security Response
Thomas Parsons | 01 Nov 2007 07:00:00 GMT | 0 comments

The authors of the Storm worm (also known as Trojan.Peacomm) have shown an uncanny knack of changing or shedding key components of the threat in order to enhance its persistence and spread. This week saw the latest incarnation of the threat, Trojan.Peacomm.D, reveal itself as halloween.exe or sony.exe. What is most interesting about this latest variant of the Storm worm is that its authors have removed some key functionality that was present in the previous variant, Trojan.Peacomm.C. Specifically, the threat no longer:
1. infects other legitimate drivers on the system. Previous variants infected drivers such as Tcpip.sys and Kbdclass.sys. This was a stealth-like feature used by the threat to start early with the operating system and without loading points...

Joji Hamada | 01 Nov 2007 07:00:00 GMT | 0 comments

Many Internet surfers learned a lesson when their computers were infected by visiting questionable Web sites. These surfers began using Macs as most malware target the Windows operating system. Well, soon enough, it may not matter which OS you are using.

According to Intego's press release, a Trojan horse has been found on several pornography sites that claims to install a video codec required to view the content on Macs.

Symantec Security Response has also confirmed this, and added detection for the threat as OSX.RSPlug.A. It appears that the Mac is becoming popular enough that the "bad guys" think it is worth spending time and effort in developing malware for the Mac OS. If we see a rise in Mac malware, then we will have to assume that there are profits to be made in...

Liam O Murchu | 01 Nov 2007 07:00:00 GMT | 0 comments

Recent reports have shown that Trojan.Bayrob is scamming people again. The latest victim lost over €5,000 to the scam but luckily was able to track down where the money had been sent. Unfortunately the final destination for the money was a Western Union outlet in Greece, after having been first sent through a money mule in the US.

Once Trojan.Bayrob is executed on a user’s system it can intercept all traffic to eBay. It can then show the infected user any content that it chooses instead of the real pages and it can also alter information that is shown to the user from the real pages. Trojan.Bayrob is used to scam people who are trying to buy cars on eBay.

The attack is a targeted attack and as such it is difficult to establish the exact methods that are used to distribute the Trojan; however, from evidence gathered thus far the attack works in a manner similar to the following:
• The attacker posts an auction on eBay.
• This auction is used to gain information...

Vikram Thakur | 01 Nov 2007 07:00:00 GMT | 0 comments

A few days ago our good friends at SANS posted an entry in their diary about a possible IRS scam about to happen. Well, it happened. We were able to acquire a copy of the spammed email and analyze the malicious behavior—we believed that the email itself had to be included in our analysis.

The email was very detailed and included the recipient’s complete name with a message, allegedly from the Internal Revenue Service (IRS). The spammed email talked about some supposed IRS e-File issues and asked the email recipient to download and print the correct PDF file using a link. As you might have guessed, the link wasn't to a site hosted by the real IRS.

Here is a picture of what the email looked like (click for a larger image):

...

Tim Gallo | 01 Nov 2007 07:00:00 GMT | 0 comments

I recently attended a pair of conferences in Las Vegas (yes, lovely Las Vegas). Not only was it hot, but because I was staying in one hotel and the conferences were in two other hotels, I had a long hike between where I was sleeping and where I was attending. Needless to say, walking through the desert heat I had lots of time to think about why I was dumb enough not to bring water with me, think about where the nearest air conditioning was, and also to think about things that I’ve said in front of crowds or things I’ve heard other people say. One of the most common phrases I heard at the conferences was “risk mitigation.” Well really, what does that mean?

I hear a lot of vendors talk about how they help clients mitigate their risks and how they use technical infrastructure to do so. But, should we mitigate risks? Well, let’s start with reminding ourselves what “mitigate” means. Dictionary.com defines “mitigate” as: to lessen in force or intensity, as wrath, grief,...

Erik Kamerling | 31 Oct 2007 07:00:00 GMT | 0 comments

Welcome back. In my previous blog I was telling you about Kohno et al. discovering how we can manipulate a Windows machine into starting to timestamp in the middle of a non-Tsopt enabled flow. If we have control of a machine that a Windows client connects to or we act in a man-in-the-middle (MiTM) capacity on a flow involving Windows hosts, we can perform a simple trick. The “attacker” must actively modify a TCP SYN/ACK packet halfway through the regular TCP handshake with a Windows host (server to client) to incorrectly contain Tsval in violation of the timestamp standard. If RFC 1323 guidance was adhered to in this situation, a Windows system facing such an unexpected Tsopt in SYN/ACK would not begin to timestamp its packets. However, it was discovered that if we introduce such a Tsopt-enabled SYN/ACK we can trick Windows systems into...

Andrea DelMiglio | 30 Oct 2007 07:00:00 GMT | 0 comments

As anticipated in my first blog post, email service providers play a central role in the battle against online fraud. This is because they are often the only organization to own the data needed to support financial institutions and law enforcement agencies in prosecuting criminals.

Most phishing sites are hosted on compromised Web servers and in the past, stolen accounts were stored on local log files that phishers used to save, using rather standard filenames (like “data.log” or “cc.txt,” where “cc” obviously stands for credit card). Web servers with directory listings that were enabled together with phishing kit analysis quickly made this simple technique ineffective, because financial institutions were able to read those files as well. Therefore, they were able to block stolen Internet banking accounts and credit cards, thus preventing further...

Erik Kamerling | 29 Oct 2007 07:00:00 GMT | 0 comments

Kohno, Broido, and Claffy introduced the seminal paper "Remote physical device fingerprinting" at the IEEE Symposium on Security and Privacy held May 8-11, 2005. In this paper they outlined for the first time how TCP timestamp values can be used to physically differentiate one Internet-connected host from another. Their work is based on the concept of “clockskew,” which is the amount and rate at which a computer's clock uniquely deviates from a baseline. Every physical machine's internal clock components deviate from true time in a measurable and unique way. By measuring this drift pattern using linear regression/curve fitting (using the TCP timestamps option (Tsopt) value in normal TCP traffic) they were able to passively and semi-passively perform clockskew calculations on remote hosts that allowed them to accurately fingerprint individual computers. This cutting-edge methodology has subsequently enabled them to perform a myriad of brand new de-anonymization attacks.

Using TCP...

Andrea Lelli | 26 Oct 2007 07:00:00 GMT | 0 comments

A couple of weeks ago in this blog entry, we learned how misleading applications advertise themselves on the Web. Now we'll take a closer look at the other side of things to see how misleading applications infiltrate users' machines in order to convince people to download and purchase them.

We are used to seeing malware that uses all sorts of tricks to compromise a user's machine in order to steal valuable information or perform fraudulent activities. The purpose of all of this? Of course! Money! Why else would the miscreants otherwise make the effort of studying new tricks and developing new malware when they can simply convince users to give up their money spontaneously?

This is how it goes with misleading applications. They can appear in several ways, such as in downloaders or simply via browser advertisements: "Your computer is in...