Security Response
Chen Yu | 13 Sep 2007 07:00:00 GMT | 0 comments

It has recently been discovered that BaoFeng Storm, a movie player written in Chinese and widely used in Chinese-speaking countries, contains multiple buffer-overflow vulnerabilities, some of which are being actively exploited. The vulnerabilities lie in the ActiveX control shipped with the software: a vulnerable computer simply needs to browse to a Web site hosting exploit code to be compromised. Successful exploitation allows remote execution of arbitrary code in the context of the application hosting the ActiveX control (in this case Internet Explorer), giving the attacker full control of the compromised computer. Failed exploit attempts may lead to denial-of-service conditions, most likely a browser crash.

The vulnerabilities have been confirmed in version 2.7.9.8 and beta version 2.7.9.9, although other versions may also be affected, and at the time of this writing the vulnerabilities remain unpatched. SecurityFocus have also...
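The pattern behind ActiveX buffer overflows of this kind, shown as an added illustration rather than code from BaoFeng Storm or from the original post: a control exposes a string property that any script on a web page can set, and the setter copies the value into a fixed buffer without checking its length. The struct, the property, the callback pointer and the sizes below are hypothetical; the hardened setter shows the bound check that prevents the corruption.

```c
#include <stdio.h>
#include <string.h>

/* Added illustration: a hypothetical ActiveX-style property setter, not code
 * from BaoFeng Storm. The control keeps a fixed-size string property next to
 * a callback pointer; a script on a web page controls the string's length. */
#define PROP_MAX 64

struct control_state {
    char prop[PROP_MAX];
    void (*on_change)(void);   /* sits right after the buffer: an overflow lands here */
};

static void default_on_change(void) { }

/* Vulnerable setter: strcpy trusts the attacker-supplied length, so a value
 * longer than PROP_MAX - 1 bytes runs into on_change and beyond. */
static void set_prop_unsafe(struct control_state *s, const char *value)
{
    strcpy(s->prop, value);
}

/* Hardened setter: look for the terminator within the bound first, reject
 * anything that does not fit, and leave the state untouched on failure.
 * Returns 0 on success, -1 when the value is too long. */
static int set_prop_safe(struct control_state *s, const char *value)
{
    const char *nul = memchr(value, '\0', PROP_MAX);
    if (nul == NULL)            /* no terminator within PROP_MAX bytes: too long */
        return -1;
    size_t n = (size_t)(nul - value);
    memcpy(s->prop, value, n + 1);   /* n + 1 <= PROP_MAX, terminator included */
    return 0;
}

/* Result helpers so the hardened behaviour can be checked without running the overflow. */
int safe_setter_rejects_oversized(void)
{
    struct control_state s = { "ok", default_on_change };
    char big[PROP_MAX * 2];
    memset(big, 'A', sizeof big - 1);
    big[sizeof big - 1] = '\0';
    int rc = set_prop_safe(&s, big);
    /* rejected, previous value kept, neighbouring pointer intact */
    return rc == -1 && strcmp(s.prop, "ok") == 0 && s.on_change == default_on_change;
}

int safe_setter_accepts_maximum(void)
{
    struct control_state s = { "", default_on_change };
    char fit[PROP_MAX];
    memset(fit, 'B', PROP_MAX - 1);
    fit[PROP_MAX - 1] = '\0';          /* exactly PROP_MAX - 1 characters: the largest legal value */
    return set_prop_safe(&s, fit) == 0 && strlen(s.prop) == PROP_MAX - 1;
}

int main(void)
{
    struct control_state s = { "", default_on_change };
    char big[PROP_MAX * 2];
    memset(big, 'A', sizeof big - 1);
    big[sizeof big - 1] = '\0';

    set_prop_unsafe(&s, big);   /* undefined behaviour: on_change is now 0x4141...; a crash or a hijacked call follows */
    printf("on_change after overflow: %p\n", (void *)s.on_change);

    printf("safe setter rejects oversized: %d\n", safe_setter_rejects_oversized());
    printf("safe setter accepts maximum:  %d\n", safe_setter_accepts_maximum());
    return 0;
}
```

The unsafe path is what the blog describes from the outside: a crash when the overwritten pointer is garbage (the denial-of-service case) or code execution when the attacker chooses the bytes. The hardened setter fails closed, which is the only acceptable behaviour for a property that a remote page can set.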

Marvin Fabuli | 13 Sep 2007 07:00:00 GMT | 0 comments

TechNewsWorld recently published an article discussing how epidemiologists are using the outbreak of a virtual disease in a MMOG to study human behavior and hopefully apply the lessons to future outbreaks of disease. The incident in question is the intentional introduction of a plague by Blizzard Entertainment two years ago into its own World of Warcraft, basically to “add a little kick” to the game.

The disease was called Corrupted Blood and, just for fun, the makers made it truly viral so that, once infected, gamers would pass on the virus to others. That said, the pandemic was supposed to be limited to a new area in the game only meant to be accessible to high-level players who, it was presumed, would have the strength and knowledge to deal with the disease.

Of course...

Kevin Savage | 12 Sep 2007 07:00:00 GMT | 0 comments

The world of misleading applications (aka "rogue antispyware") never ceases to amaze with clever social engineering and tricks to con and persuade users into parting with their hard-earned cash. We have recently noticed a sharp increase in the number of these applications. One example we came across recently that is really contributing to the trend is called AVSystemCare.

This misleading application is unique in two ways:


- It uses a clever trick that makes it easy to generate an endless number of clones that, while looking and behaving the same, are named differently.
- It offers localized versions in numerous languages.

AVSystemCare's trick lets all of its clones use identical files yet carry different names. Installing any of these clones involves downloading a small file from the clone Web site. When the user executes this file, it downloads the main application components. All of...

Ben Greenbaum | 11 Sep 2007 07:00:00 GMT | 0 comments

Hello, and welcome to this month's blog on the Microsoft patch releases. September is a light month, with only four releases, each resolving one issue.

Which is the most critical of these vulnerabilities? Well, it depends on who you ask. Microsoft lists the issue in the Agent ActiveX control as the only 'Critical' update this month; however, our calculations have resulted in a higher urgency rating for the MSN / Live Messenger issue. Both vulnerabilities grant a remote attacker the ability to run arbitrary code on the target machine if the target user performs a specific action (clicks on a link or accepts an incoming message). Microsoft may have rated the ActiveX issue higher because a non-vulnerable upgrade to Messenger has been available for some time. However, we rate the issue in MSN Messenger/Live Messenger higher, due to the availability of public proof-of-concept code known to work on at least one platform. From the perspective of an affected user, the knowledge that they could have...

Ken Gonzalez | 11 Sep 2007 07:00:00 GMT | 0 comments

In my last installment, we examined the list of ITIL® v3 processes. Figure 1 (below) is an important tool to begin considering the expansion of the key ITIL process base. The names for the processes are listed on the left side and the relevant ITIL book across the top.

Figure 1 - ITIL v2-v3 Process Coverage and Mapping

I built this map in an attempt to describe which of the core publications are needed when researching or trying to understand a given process area. This was not quick or easy, because:


• Process naming is somewhat inconsistent across the books;
• Content from the ITIL v2 Core is not a clear or direct mapping;
• Content from other...

Jitender Sarda | 10 Sep 2007 07:00:00 GMT | 0 comments

In August we observed a huge spamming outbreak from malware authors. Could this be an early warning signal for a new, deadly virus or Trojan attack? It appears that malware authors are trying to strengthen their botnet base by injecting and infecting as many machines as possible.

Cyber criminals are increasingly making use of different methods to spread their tentacles, and one of the most effective is to globally distribute huge spam campaigns carrying either a malicious attachment or a URL link that downloads some components of the malware code. This is usually a rootkit or a Trojan.

The spam email containing the link for the malware download lures the recipient into willingly downloading software for testing so that they may receive a free license. Many users can easily be trapped by such emails (the lure is getting something for free, and when it's a free license for software, many users will proceed thinking they have found a...

John McDonald | 10 Sep 2007 07:00:00 GMT | 0 comments

A new variant in the family of worms Symantec calls "Pykspa" - W32.Pykspa.D - is targeting Skype Instant Messenger. It spreads by using Skype's chat function, sending a message to contacts containing a link to what appears to be a harmless .jpeg file, but which, if clicked on, actually downloads and runs a copy of the worm on the user's computer. In an attempt to mask this malicious activity the worm displays a legitimate Windows image (if it exists on the victim's machine), the bitmap file Soap Bubbles.bmp, contained by default in the Windows installation directory. So if you saw the below image recently after clicking on a link contained in a Skype message from someone, chances are your machine is infected.

[Image: Soap Bubbles.bmp]

To make matters worse the...
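A check that captures the lure the worm relies on, a download named as an image whose bytes are a Windows executable, added here as an illustration and not Symantec's or the original post's detection logic: it compares the claimed extension against the file's leading bytes rather than trusting the name. The file names, the byte samples and the function names are constructed for the example.

```c
#include <stddef.h>
#include <string.h>
#include <ctype.h>

/* Added illustration, not Symantec's detection logic: flag a file whose name
 * claims an image type but whose first bytes are a DOS/PE header ("MZ"). */

/* Case-insensitive "name ends with ext" */
static int has_ext_ci(const char *name, const char *ext)
{
    size_t n = strlen(name), e = strlen(ext);
    if (n < e)
        return 0;
    const char *tail = name + n - e;
    for (size_t i = 0; i < e; i++)
        if (tolower((unsigned char)tail[i]) != tolower((unsigned char)ext[i]))
            return 0;
    return 1;
}

/* Does the final extension promise an image? */
static int claims_image(const char *name)
{
    static const char *exts[] = { ".jpg", ".jpeg", ".bmp", ".gif", ".png" };
    for (size_t i = 0; i < sizeof exts / sizeof exts[0]; i++)
        if (has_ext_ci(name, exts[i]))
            return 1;
    return 0;
}

/* Every Windows PE executable begins with the DOS stub signature "MZ". */
static int is_pe(const unsigned char *data, size_t len)
{
    return len >= 2 && data[0] == 'M' && data[1] == 'Z';
}

/* 1 when the name says image but the content says executable, else 0 */
int disguised_executable(const char *name, const unsigned char *data, size_t len)
{
    return claims_image(name) && is_pe(data, len);
}

/* Constructed samples: the first 8 bytes of a PE file and the start of a JFIF JPEG */
static const unsigned char sample_pe[]   = { 'M', 'Z', 0x90, 0x00, 0x03, 0x00, 0x00, 0x00 };
static const unsigned char sample_jpeg[] = { 0xFF, 0xD8, 0xFF, 0xE0, 0x00, 0x10, 'J', 'F', 'I', 'F' };

int main(void)
{
    /* 1, 1, 0, 0 */
    return !(disguised_executable("bubbles.jpeg", sample_pe, sizeof sample_pe) == 1 &&
             disguised_executable("Bubbles.JPG", sample_pe, sizeof sample_pe) == 1 &&
             disguised_executable("bubbles.jpeg", sample_jpeg, sizeof sample_jpeg) == 0 &&
             disguised_executable("setup.exe", sample_pe, sizeof sample_pe) == 0);
}
```

The check looks only at the final extension, so a name like "photo.jpeg.exe" is not flagged as disguised (its real extension is already visible); the point is that the content, not the name, decides what a download is.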

Ollie Whitehouse | 07 Sep 2007 07:00:00 GMT | 0 comments

In my last post on the subject of Vista versus the battle of vulnerable and malicious signed drivers, I said there was some conjecture about whether Microsoft was going to use Windows Update to distribute a patch for a vulnerable ATI driver. Elia Florio on our Security Response Operations team in Ireland sent me a link to a notice at ISC which showed this is indeed what they are doing. The link to the AMD notice shows this is indeed meant to resolve the security issue.

It is kind of interesting that Microsoft...

Jeremy Ward | 06 Sep 2007 07:00:00 GMT | 0 comments

At the Open Group meeting in Austin a couple of weeks ago, I attended the workshops on IT risk assessment. Pretty dull, eh? In fact, this topic produced some of the liveliest debate I’ve ever had at a conference.

Unless you specialize in this area, you may think that risk assessment is pretty well sewn-up. You couldn't be more wrong. Get 50 practitioners in a room and you will have 50 different methodologies for assessing IT risk. The trouble is that nearly all of them will be subjective – the outcome of any risk assessment exercise is most likely to be 'high', 'medium' or 'low'. Even when it's an apparently objective number -- 54,821, for example – you don't learn all that much. Try going to your board and telling them that their IT risk is 54,821 and their eyes are likely to glaze over very quickly! Any attempt to calculate 'annual loss expectancy', although valiant, only results in trouble when the degree of variability is larger than the sum itself!

So we urgently...