Security Response
Eric Chien | 12 Nov 2007 08:00:00 GMT | 0 comments

All of the recent rumors about Google releasing a "gPhone" were finally put to rest with their release of Android, which is a software stack for mobile devices. Android includes an operating system (Linux), middleware, and some default applications like a browser.



Applications are written in Java on a framework provided by Google that includes its own virtual machine (the Dalvik virtual machine). The entire framework is open source, and Google (as part of the Open Handset Alliance) wants to bring openness to the mobile ecosystem, allowing anyone to write applications and make use of all of the functionality available on handsets.

Of course, this raises the question of security...

Erik Kamerling | 12 Nov 2007 08:00:00 GMT | 0 comments

On October 25, 2007, Elcomsoft Co Ltd. of Moscow, Russia filed for a US patent on a reportedly new password recovery method that makes use of a video card's graphics processing unit (GPU). Elcomsoft credits the February 2007 release of the NVIDIA CUDA C compiler and developer's kit for providing the low-level GPU access they needed to make this cryptanalytic advance. The newest NVIDIA GPUs behave as arrays of multiprocessors with shared memory, caches, and large register files, and the newest graphics cards combine many processing units with relatively large amounts of memory. They differ significantly from a computer's central processing unit (CPU) in the throughput they can bring to cryptanalytic workloads, and Elcomsoft claims to have leveraged newer GPU architectures to speed up brute force password cracking by a factor of 25.

Statistics from Elcomsoft state that the new method can be used to exhaustively crack an eight character pseudo-...
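The property a GPU exploits here is that exhaustive search needs no shared state: any worker can derive its candidates from a start index alone, so the keyspace splits into independent ranges. The following is an added example, not Elcomsoft's code or method; it maps indices to candidate passwords, partitions the keyspace among a configurable number of workers, and searches for a SHA-256 match. The character set, length and hash function are assumptions chosen for illustration, and the demo keyspace is kept tiny so it runs in milliseconds.

```python
import hashlib

# Constructed example: the attacker holds a password hash and knows the
# alphabet and length the password was drawn from. Each worker receives a
# contiguous index range and reconstructs candidates from the index alone,
# which is what makes the search embarrassingly parallel on a GPU.

def candidate(index, alphabet, length):
    """Mixed-radix decode: integer in [0, len(alphabet)**length) -> password."""
    base = len(alphabet)
    chars = []
    for _ in range(length):
        index, digit = divmod(index, base)
        chars.append(alphabet[digit])
    return "".join(reversed(chars))

def partition(total, workers):
    """Split [0, total) into `workers` contiguous, near-equal ranges."""
    size, extra = divmod(total, workers)
    ranges, start = [], 0
    for w in range(workers):
        stop = start + size + (1 if w < extra else 0)
        ranges.append((start, stop))
        start = stop
    return ranges

def hash_hex(text):
    # SHA-256 stands in for whatever unsalted hash the target format uses (assumption).
    return hashlib.sha256(text.encode("ascii")).hexdigest()

def crack_range(target_hex, start, stop, alphabet, length):
    """The work one worker (or GPU thread block) does on its range."""
    for i in range(start, stop):
        pw = candidate(i, alphabet, length)
        if hash_hex(pw) == target_hex:
            return pw
    return None

def crack(target_hex, alphabet, length, workers=4):
    """Run every worker's range in turn (a real cracker runs them concurrently)."""
    total = len(alphabet) ** length
    for start, stop in partition(total, workers):
        hit = crack_range(target_hex, start, stop, alphabet, length)
        if hit is not None:
            return hit
    return None

def seconds_to_exhaust(alphabet_size, length, hashes_per_second):
    """Worst-case time for an exhaustive search at a given hash rate."""
    return alphabet_size ** length / hashes_per_second

if __name__ == "__main__":
    demo_alphabet = "abc0"          # 4 symbols, length 3: 64 candidates
    print(crack(hash_hex("c0b"), demo_alphabet, 3))
    # Effect of a 25x speed-up on a full 8-character, 36-symbol keyspace:
    base_rate = 10_000_000.0        # assumed CPU rate, hashes per second
    print(seconds_to_exhaust(36, 8, base_rate) / 86400, "days on the CPU")
    print(seconds_to_exhaust(36, 8, base_rate * 25) / 86400, "days at 25x")
```

The ratio printed at the end is the only thing the 25x figure changes: the keyspace is fixed by the password policy, so every speed-up on the attacker's side translates directly into a shorter worst-case search, which is why character-set size and length matter more than the choice of hash for an unsalted, iteration-free format.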

Takashi Katsuki | 09 Nov 2007 08:00:00 GMT | 0 comments

Since the start of this past September, my daily tasks have included investigating Trojan.Farfli, which is updated frequently. On the dark side of things, the author of the Trojan has daily tasks that are closely related to mine: updating Trojan.Farfli. We have seen Trojan.Farfli updated three times a day on average and sometimes as much as seven times a day, and the total number of variants has reached more than 300 since July. In comparison, Trojans discovered around the same time have far fewer variants. For example, Trojan.Hachilem and Trojan.Srizbi have only 150 variants and 40 variants, respectively. Precisely speaking, because some of the files dropped by this Trojan are polymorphic, there are hundreds and hundreds of variants of this Trojan.

Why does the author update the threat so often? Well, we don't know exactly what the motive is, but the most likely reason is monetary. An infected computer will access predefined Web sites with the author's affiliate ID,...

Peter Coogan | 09 Nov 2007 08:00:00 GMT | 0 comments

The countdown to Nov 11th and the most recently rumored "cyber Jihad" against the West has sparked some other questions. One in particular is a comparison of the participants' individual capabilities for possible denial of service (DoS) attacks.

Symantec's analysis of the purported DoS tool to be used in this "E-Jihad," known as "E-Jihad 3.0," has shown it to be crude and unsophisticated. First, it requires a user to manually install it onto a computer. The user must then log into a "cyber-jihadist" Web site through the tool, which sends back attack commands. The Web site in question is currently offline and we believe it may have been since July 2007. Symantec has detection for this tool as Hacktool.Dijah and has set up intrusion prevention system (IPS) blocking.

...

Ollie Whitehouse | 08 Nov 2007 08:00:00 GMT | 0 comments

Well, we’ve arrived at where we’ve been trying to get to for some time. That is to say that we now have the ability to release security advisories for Windows CE & Windows Mobile after working through the accepted responsible disclosure process with Microsoft. It hasn't been easy, with us initially reporting issues back in February 2006, but we’ve finally got here. This really marks a milestone for COTS mobile platforms even though we did achieve something similar back in 2003 with Nokia and their proprietary OS and recently with Palm OS, but getting vendor responses on mobile security issues (with maybe the exception of RIM) has historically been hard work.

A quick thanks to all those involved here at Symantec: Katie (before she left), Tyler, as well as the folks over...

Kelly Conley | 07 Nov 2007 08:00:00 GMT | 0 comments

Presidential spam? Yes, we have seen it. As the race to the White House builds momentum, one spammer is out there endorsing his favorite candidate. While there is no evidence that the spam for this particular candidate originates with the candidate himself, we believe this may be an interesting view into what political spam may look like over the course of the next year as the United States Presidential elections draw nearer. Please have a look at the November State of Spam Report to view samples of this type of spam.

A new tactic during the month of October was the inclusion of MP3 files to promote pump-and-dump stock spam. This variation of the classic pump-and-dump stock scam is just the most recent technique being utilized to market these stocks to the masses. A blog was created earlier in the month regarding this novel type of spam attack and can be read ...

Elia Florio | 06 Nov 2007 08:00:00 GMT | 0 comments

A few weeks ago, we warned users about a new Local Privilege Escalation vulnerability in Windows XP and 2003. The original exploit was found in the wild and actively used against Windows-based computers to gain SYSTEM privileges and install additional malware or bypass other restrictions. It wasn't just proof-of-concept code, but a malicious exploit used in real (but limited) attacks. Today, Microsoft posted Microsoft Security Advisory (944653) about this issue.

With the release of this advisory, I'd like to answer a few follow-up questions for blog readers:

Q: I don't play games and I don't use Macrovision software, so am I safe?
A: No. The vulnerable component affected by the bug is the Macrovision driver...

Kelly Conley | 06 Nov 2007 08:00:00 GMT | 0 comments

Over the past week we have seen some scams purporting to originate from the IRS. The scams are requesting donations for the wildfires that ravaged the Southern California region last week. A portion of the email is below:

From: Internal Revenue Service <61yu9@irs.gov>
Subject: Help for California Wildfire Victims

Right now California is asking you for help !
If you chose to take part in our program (initiated by IRS & U.S GOVERNMENT)
click on the link below and make a small contribution.
Together we can rebuild California !

BE HUMAN GET INVOLVED ! BE AMERICAN ! CALIFORNIA NEEDS YOUR HELP !

https://www.irs.gov/help/donate.html

This email is not from the IRS. The link redirects to a fraudulent Web site created by scam spammers to steal your money. It is unfortunate...
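The trick in the message above is that the visible link reads as an irs.gov address while the underlying href points somewhere else entirely. The following is an added example, not part of the original post: it parses the anchors out of an HTML mail body and flags any link whose displayed text names a different domain than its href target. The sample message body is constructed for the demonstration (the fraudulent host 203.0.113.7 is a documentation address, not the real scam site), and the two-label "registrable domain" heuristic is a simplification that is good enough for irs.gov versus a look-alike.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample body: the first anchor displays an IRS URL but links
# to an attacker-controlled host; the second is an honest link.
SAMPLE_BODY = """<html><body>
<p>Right now California is asking you for help !</p>
<p><a href="http://203.0.113.7/irs/donate.html">https://www.irs.gov/help/donate.html</a></p>
<p><a href="https://www.irs.gov/">IRS home</a></p>
</body></html>"""

# Matches link text that itself looks like a URL or bare hostname.
URL_LIKE = re.compile(r"^(https?://)?[\w.-]+\.[a-z]{2,}(/\S*)?$", re.I)

class LinkExtractor(HTMLParser):
    """Collects (href, visible text) pairs for every <a> element."""
    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def host_of(url):
    """Hostname of a URL; bare hostnames are accepted by assuming http://."""
    if "://" not in url:
        url = "http://" + url
    return (urlparse(url).hostname or "").lower()

def registrable(host):
    """Crude registrable domain: last two labels, or the whole host for an IP."""
    if host.replace(".", "").isdigit():
        return host
    parts = host.split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host

def deceptive_links(html):
    """Return (shown_text, real_href) for links whose text and target disagree."""
    parser = LinkExtractor()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        if not URL_LIKE.match(text):
            continue                    # plain words give the reader no expectation
        if registrable(host_of(text)) != registrable(host_of(href)):
            findings.append((text, href))
    return findings

if __name__ == "__main__":
    for shown, real in deceptive_links(SAMPLE_BODY):
        print(f"displayed {shown!r} but links to {real!r}")
```

The same comparison is worth running between the From: header's domain and every link in the body; a message claiming to be from irs.gov whose only call to action leads off-domain is a stronger signal than either mismatch alone.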

Andrea DelMiglio | 05 Nov 2007 08:00:00 GMT | 0 comments

Anonymous proxy services are online applications that enable users to surf the Web with enhanced privacy. These applications act as an SSL proxy between the user and the Web site to be visited, thus masking the user's IP address and providing additional privacy features such as referrer hiding, script removal, cookie removal, and URL encoding. Proxify is one provider of these services, but many more are available on the Internet.

Although we believe online privacy is something we always need to take care of, the use of these kinds of services...

Erik Kamerling | 02 Nov 2007 07:00:00 GMT | 0 comments

In the previous entries in this series (part 1, part 2) I discussed the different tricks and indicators of issues involving timestamping anomalies, specifically with Windows-based computers. Now, from a defense and detection standpoint it is relatively easy to detect such activities on the network using a tool like Wireshark or its command-line equivalent, tshark.

In the example below we make two assumptions: 1) Windows clients on our network should not be using the timestamp option on outgoing SYN packets (the default Windows configuration does not send it), and 2) a host on the outside of our network that receives a SYN with no timestamp set should not respond in turn with a timestamped SYN...
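Both rules reduce to one question about the TCP options field: is option kind 8 (Timestamps, length 10) present in a given SYN or SYN/ACK? The following is an added example, not the tshark example from the original post: it builds a few constructed TCP segments, parses their option lists, and applies the two rules above, the first to any SYN, the second to a SYN/ACK matched against the SYN it answers. Ports, sequence numbers and option layouts are chosen for illustration; the Windows-style SYN carries the MSS, NOP, NOP, SACK-permitted layout that XP sends by default.

```python
import struct

SYN, ACK = 0x02, 0x10
TS_KIND = 8                      # RFC 1323 Timestamps option

# --- option building blocks for the constructed packets -------------------
MSS = b"\x02\x04\x05\xb4"        # kind 2, len 4, MSS 1460
NOP = b"\x01"
SACK_OK = b"\x04\x02"            # kind 4, len 2

def ts_opt(tsval, tsecr):
    """Timestamps option: kind 8, length 10, TSval, TSecr."""
    return b"\x08\x0a" + struct.pack("!II", tsval, tsecr)

def build_tcp(sport, dport, flags, options=b""):
    """Minimal TCP header (no IP layer, zero checksum) with padded options."""
    opts = options + b"\x00" * (-len(options) % 4)
    data_offset = (20 + len(opts)) // 4
    hdr = struct.pack("!HHIIBBHHH", sport, dport, 0, 0,
                      data_offset << 4, flags, 65535, 0, 0)
    return hdr + opts

# --- parsing -----------------------------------------------------------------
def parse_tcp(segment):
    """Return ports, flags and a {kind: value} map of options; stops at EOL/malformed."""
    sport, dport, _seq, _ack, off_res, flags, _win, _cks, _urg = \
        struct.unpack("!HHIIBBHHH", segment[:20])
    opts = segment[20:(off_res >> 4) * 4]
    options, i = {}, 0
    while i < len(opts):
        kind = opts[i]
        if kind == 0:                       # End of Option List
            break
        if kind == 1:                       # NOP, single byte
            i += 1
            continue
        if i + 1 >= len(opts):
            break
        length = opts[i + 1]
        if length < 2 or i + length > len(opts):
            break                           # malformed length: stop, don't loop
        options[kind] = opts[i + 2:i + length]
        i += length
    return {"sport": sport, "dport": dport, "flags": flags, "options": options}

def is_syn(p):
    return bool(p["flags"] & SYN) and not (p["flags"] & ACK)

def is_synack(p):
    return bool(p["flags"] & SYN) and bool(p["flags"] & ACK)

def has_timestamp(p):
    return TS_KIND in p["options"]

# --- the two rules -------------------------------------------------------------
def check_outbound_syn(p):
    """Rule 1: a SYN from a Windows client should not carry Timestamps."""
    return is_syn(p) and has_timestamp(p)

def check_reply(syn, synack):
    """Rule 2: a SYN/ACK to a SYN without Timestamps should not carry them."""
    return (is_syn(syn) and is_synack(synack)
            and not has_timestamp(syn) and has_timestamp(synack))

def audit(segments):
    """Apply both rules over a capture, pairing SYN/ACKs with their SYN by port."""
    alerts, pending = [], {}
    for seg in segments:
        p = parse_tcp(seg)
        if is_syn(p):
            if check_outbound_syn(p):
                alerts.append(("timestamped SYN", p["sport"], p["dport"]))
            pending[(p["sport"], p["dport"])] = p
        elif is_synack(p):
            syn = pending.get((p["dport"], p["sport"]))
            if syn is not None and check_reply(syn, p):
                alerts.append(("timestamped SYN/ACK to plain SYN", p["dport"], p["sport"]))
    return alerts

# Constructed capture: a default-looking Windows SYN, a SYN/ACK that answers it
# with Timestamps anyway, and a second SYN that itself carries Timestamps.
WIN_SYN = build_tcp(1025, 80, SYN, MSS + NOP + NOP + SACK_OK)
TS_SYNACK = build_tcp(80, 1025, SYN | ACK, MSS + NOP + NOP + ts_opt(5, 0))
TS_SYN = build_tcp(1026, 80, SYN, MSS + SACK_OK + ts_opt(1, 0) + NOP)

if __name__ == "__main__":
    for alert in audit([WIN_SYN, TS_SYNACK, TS_SYN]):
        print(alert)
```

On a live capture the first rule is the display filter `tcp.flags.syn == 1 && tcp.flags.ack == 0 && tcp.options.timestamp.tsval` in Wireshark or tshark; the second needs the pairing logic above, since it depends on what the matching SYN looked like.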