Video Screencast Help
Security Response
Showing posts in English
Yazan Gable | 22 Aug 2007 07:00:00 GMT | 0 comments

Code Red, Nimda, and Slammer (also known as SQL Slammer) are three of the most well known computer worms in the relatively short history of computers. Well known not because of their creatively selected names, but because of the massive impact they had on a widely used Internet. They weren’t the first worms to threaten the fabric of the Internet, but they hit at a time when the Internet was becoming very popular. It was a time when it was beginning to be widely used not only by governments and educational institutions, but also by people, corporations and non-profit organizations alike for communications and business.

Everyone who commonly used a computer when these malicious worms hit the Internet will remember them. Not only did they take down a number of government, corporate, and educational networks, but some of those not directly affected voluntarily shut down their networks as a precaution. But how were these things so effective and wide-ranging? How...

Hon Lau | 21 Aug 2007 07:00:00 GMT | 0 comments

Ever since the first Trojan.Peacomm, samples literally blew in from nowhere back in January 2007.Since then, the gang responsible have been constantly evolving theirTrojan with new features, new packers, and new techniques for spreadingit.

The thing that can be noted about the Peacomm gang is that they arevery much adept at the art of social engineering. The original Trojanwas propagated widely on the back of a story about a violent storm thatblew across Europe and hence the moniker. Since then the gang behindthe Trojan have explored all different manners of social engineeringavenues and subjects.

In particular they had a knack for latching on to the latestnews-worthy events and capitalizing on the public interest in them...

Vikram Thakur | 21 Aug 2007 07:00:00 GMT | 0 comments

We recently analyzed a sample of Infostealer.Monstres, and our colleague Amado posted an interesting entrywith some details of its actions. As the analysis of this threatcontinued, new details emerged. We've been able to acquire some emailtemplates that the Trojan may use to send targeted spam to individuals,using stolen personal information.

The templates acquired all point to the same position. The job isthat of a 'Transfer Manager' at an investment company. The jobdescription states that the position would entail facilitatingfinancial transactions made by the clients of the investment company.The email looks very realistic and may convince many that it has beensent from Monster.com or Careerbuilder.com.

Here are some of the email...

Liam O Murchu | 20 Aug 2007 07:00:00 GMT | 0 comments

It’s the universal come back. No matter what insult is thrown your way, you can always escape just by saying “your momma” *.So I had to laugh when we received a variant of an MSN worm thatentices would be victims with “lol, your mom just sent me thispicture?” Even funnier was the fact that the bot operator infectedhimself with his own worm.

This variant of the worm has been named W32.Scrimge.E. The worm isn’t restricted to just the one question, either, offering up any one of these goodies:


- Did you take this picture?
- Is that you on the left?
- How drunk was I in this picture?
- Is that your mom in this picture?
- lol, your mom just sent me this picture?


It was “your mom,” however, that...

Shunichi Imano | 18 Aug 2007 07:00:00 GMT | 0 comments

We have in the past repeatedly warned thatfree things on the internet do not always come cost free. And today, wehave to make a kind reminder as we came across a new example.

Security Response received a file with a .tgz file extension, whichexploits a new unknown vulnerability in a free Japanese decompress tool"Lhaz v1.33". The file is detected as Trojan.Lazdropper.

After a successful exploit attempt, Trojan.Lazdropper drops two files, both detected as Backdoor.Trojan,onto the infected computer. As Backdoor.Trojan opens a back door tocommunicate with the author for further actions, it is obvious thatpurpose behind...

Amado Hidalgo | 17 Aug 2007 07:00:00 GMT | 0 comments

Yesterday, we analyzed a sample of a new Trojan, called Infostealer.Monstres,which was attempting to access the online recruitment Web site,Monster.com. It was also uploading data to a remote server. When weaccessed this remote server, we found over 1.6 million entries withpersonal information belonging to several hundred thousand people. Wewere very surprised that this low profile Trojan could have attacked somany people, so we decided to investigate how the data could have beenobtained.

Interestingly, only connections to the hiring.monster.com andrecruiter.monster.com subdomains were being made. These subdomainsbelong to the “Monster for employers” only site, the section used byrecruiters and human resources personnel to search for potentialcandidates, post jobs to Monster, et cetera. This site requires recruiters to log in to view information on...

Peter Ferrie | 17 Aug 2007 07:00:00 GMT | 0 comments

After the success of the W97.Melissa virus in 1999, mass-mailing became the next big thing in viruses. This trend continues even today. Different methods have been tried over the time, but they fall mainly into two categories: exploits and social engineering.

Perhaps the most successful example of social engineering came on May 4, 2000 when VBS.LoveLetter called inboxes everywhere just to say “ILOVEYOU". At that time, curiosity easily outweighed security, especially with such a provocative subject line. Many people opened the email and then clicked on the attachment named "LOVE-LETTER-FOR-YOU.TXT[.vbs]" (the .vbs part being hidden by default on many systems). The resulting mess spread across the world during that same day, and...

Parveen Vashishtha | 16 Aug 2007 07:00:00 GMT | 0 comments

In our previous analysis we discussed ‘What is Mpack and how it works.’ We had reviewed MPackversion 0.84 in our previous blog; this time we will compare it with an updated version, MPack v 0.91.

1. The exploits include the existing ones present in v0.84. The list of exploits is present at the end of this blog.

2. There have been some changes to the management and reporting interface. A new file, admin.php, is introduced and stats.php has been removed.

The developers of the toolkit have provided admin.php for secure control and configuration of the Mpack installation. The Mpack owner can set username and password protection by using settings.php. There have been changes in the user interface, cosmetic changes such as better styles used to view, and a copyright logo: (c) 2007 DreamCoders– Logo.

MPack...

Candid Wueest | 16 Aug 2007 07:00:00 GMT | 0 comments

Well, we all know that playing games can influence your real life,even if it’s just the lack of sleep you get from spending whole nightsplaying online games. But there’s more to it. There are several crucialpoints that have to be considered when running around virtual fieldswith your character. Unfortunately, as in life, some people don't playby the rules.

Sometimes those virtual worlds are not as peaceful as one mightthink or hope. You, or more precisely your avatar, might getblackmailed for protection money or bullied by others. Destruction ofvirtual goods can happen if you don’t pay. The discovery of weapons ofmass destruction in Second Life confirms this point. (Yes, they doexist; search for “Jessie Massacre” if you don’t believe it.)

But, there are other entrapments to watch out for. We already reported on gold farming and the problem with in-game spam in a...

Candid Wueest | 16 Aug 2007 07:00:00 GMT | 0 comments

Have you ever “ego-Googled” yourself? That is, looked yourself up onGoogle? Chances are, if you haven’t, others have. Your employerprobably did it before hiring you, so it can’t be that bad, right? Butare you really aware of all the information that is available onlineabout you?

Nowadays, of course, one of the easiest ways to data-mine somebodyis to look them up on the many social networking sites that have sprungup over the past few years. These sites are hugely popular and you findthem for nearly every user group. You can find old buddies from schoolthat you’ve lost touch with, connect with people that listen to thesame music as you, or post your CV to attract a new employer.

For sure, they can be useful. And I admit that I, too, have usedthem several times. Sometimes it can even be very amusing. For example,I once received an email from a headhunter. Besides offering me aposition, she complained she couldn’t reach me on my listed phonenumber: ++1 234 567 890. What...