Video Screencast Help
Security Response
Showing posts in English
Marc Fossi | 27 Sep 2007 07:00:00 GMT | 0 comments

…they just move to new mediums. Waaaay back in 1994, a computervirus hoax known as Good Times was passed around the Internet. Whilenot the first computer virus hoax, it is probably one of the bestknown. Since then there have been many similar hoaxes all promisingcertain destruction of your computer if you open an email originatingfrom a certain address or simply by reading certain words that appearon your monitor. Naturally, when many people receive one of thesehoaxes they decide to forward the message to all their friends andfamily to save them from this fate, thus helping the chain letter tospread (if I tell two friends and they tell two friends…).

In recent years, I noticed that these messages were showing up in myinbox less and less frequently. Did people learn not to believe thesemessages? Well, apparently not. They seem to be making a comeback, butrather than being sent via email they’re now sent through the messagingsystems on various social networking sites, as well...

M.K. Low | 26 Sep 2007 07:00:00 GMT | 0 comments

Recently, I came across a publication by Tews, Weinmann and Pyshkinthat describes an attack, called aircrack-twp, which can recover a104-bit WEP key in less than 60 seconds. WEP (Wired Equivalent Privacy)is a protocol used for securing wireless LANs (WLANs) that use the RC4stream cipher to encrypt transmitted packets under a common key.

The RC4 stream cipher is at the heart of the WEP protocol and is oneof the most widely used stream ciphers in the world due to itssimplicity and compact software implementation. Packets of informationare encrypted using the following method: A 24-bit initializationvector (IV) is chosen for each packet which is concatenated with thesecret 104-bit RC4 common key to form the 128-bit per packet or sessionkey. The per-packet key is encrypted through the RC4 stream cipher toproduce a pseudo-random keystream. Note that, since each packet has...

Joji Hamada | 25 Sep 2007 07:00:00 GMT | 0 comments

Today, a new Prime Minister took over office in Japan. As usual,malware authors are taking full advantage of this big occasion,launching targeted attacks that play upon the event. Symantec SecurityResponse has received an archive file today with the file, which contains an executable called mofa.exe. This file isdetected as Backdoor.Darkmoon.E.

According to a local news source(in Japanese), an email pretending to be from the newly elected PrimeMinister, Yasuo Fukuda, is hitting some individuals' email boxes. Theemail contains content in regards to Japanese diplomacy in Asia, alongwith the address and phone number of the Prime minister's office – anattempt to make the email look more authentic. The name “MOFA” is...

Aaron Adams | 25 Sep 2007 07:00:00 GMT | 0 comments

As little as three years ago, the concept of remote kernelexploitation remained arcane for most people in the security industryand was believed in some circles to be practically impossible, mostlydue to reliability issues. However, things in the security realm changequickly. Reliable exploit techniques come and go, new securitymechanisms are introduced, and arcane exploitation concepts arerevisited. Sometimes an exploitation concept that was once brushed offas too unreliable is reconsidered, bringing it again into focus as auseful and feasible attack vector.

Kernel vulnerabilities themselves are nothing new, of course. Theexploitation of local kernel flaws has been a popular pastime for manyresearchers and hackers over the years, and in many cases these flawswere shown to be exploited just as reliably as a local flaw in userlandsoftware. However, being local to the system has its advantages; thelevel of interactivity with the system and the data that is availablemake for...

Kelly Conley | 24 Sep 2007 07:00:00 GMT | 0 comments

Pump-and-dump stock, or penny stock, spam has been around for a longtime. Most memorably it has the distinction of being the maindeliverable of image spam. Regardless of the morphing or variations itis still pump-and-dump stock and while we're not stock advisors wewould advise against it, unless you like parting from your money.

The most recent morphing we've observed over the past few daysincludes highly obfuscated messages with a few distinctive features.For starters, none of the message headers in the attack contain asubject line. This means that when it lands in your inbox there will beno subject line for the message. Spammers may be utilizing this tacticas a means to entice end users to open the message by banking on thecuriosity of an end user to open the mysterious message. There is asubject line in the body of the message. The spammer is most likelydoing this for obfuscation purposes.

Other features of this pump and dump attack are the inclusion ofrandom,...

Ron Bowes | 21 Sep 2007 07:00:00 GMT | 0 comments

The Future Watch section of the latest Symantec Internet Security Threat Reportdiscusses the changing threat landscape, and presents some issues thatSymantec believes will emerge in the next six to eighteen months. Fourkey points were made this time: malicious activity in virtual worlds,evasion processes used by malicious code, hiding the origin of attacks,and new uses for bots.

Massively multiplayer online games (MMOGs) are becoming increasinglypopular. Originally, these types of games were mainly populated by moreexperienced computer users, but as they grow in popularity, more andmore casual users are beginning to participate. These types of usersare more likely to be exploited by scammers due to their lack ofexperience. As more of these kinds of players participate in MMOGs,scammers may increasingly target them.

Moreover, some online games allow "real money...

Vikram Thakur | 21 Sep 2007 07:00:00 GMT | 0 comments

If you've recently received an email with an attachment or link,asking you to install a patch or an update from Microsoft, pleasebeware as this is in all probability a hoax and could transfer controlof your computer to some unknown entity anywhere in the world.

Recently, we received samples of emails which prompted users toinstall patches for Windows, via fake Security Bulletins. The patcheswere either linked from the email or attached to the mail itself.Symantec products detect the linked file as Trojan.Dropper.

Click image for larger view

In this case, the installer distributed via this...

Ron Bowes | 20 Sep 2007 07:00:00 GMT | 0 comments

Volume XII of Symantec's Internet Security Threat Reportlooks at a variety of trends that were seen in phishing and spam.Although spammers' and phishers' techniques and targets constantlyvary, one thing remains the same: they're trying to make money – andthey're getting better at it.

Phishing attacks targeting financial services remained the mostpopular target than any other sector, making up 79 percent of uniquebrands phished, and 72 percent of all phishing Web sites. The reasonfor this is obvious: phishers want money, and stealing bank account orcredit card information is one of the quickest ways to make it. Andwith credit cards commonly selling for less than ten dollars on theblack market, and bulk rates offered on credit card sales, the phishersneed a lot of them to turn a profit.

In an attempt to get more bang for their buck, phishers have starteddeveloping...

M.K. Low | 20 Sep 2007 07:00:00 GMT | 0 comments

When you think botnet, your first response is to associate them with the usual menu of attacks such as spam generation, denial of service attacks (DoS), worms, Trojans, or phishing. There are many articles that detail typical botnet usage including illegally installing adware or spyware (attackers get paid on a per-install basis), hosting fraudulent banking Websites, and extortion (attackers can either threaten to unleash a DoS on a company’s Website unless a ransom is paid or hold a company’s files hostage and threaten to destroy them).

A botnet is typically a network of hijacked computers used to conduct attacks, usually for personal gain. One of the advantages of a botnet is that it can be used in a distributed computing attack. A large problem can be broken up into smaller, more manageable parts and distributed to many computers where they work on the problem in parallel. Distributing the workload to many computers is a very effective and dangerous way of...

David McKinney | 19 Sep 2007 07:00:00 GMT | 0 comments

Volume XII of the Internet Security Threat Report (ISTR)is now out. In this report, we discuss how attackers have been usingtrusted Web sites as a means of reaching their victims. This trend is,in part, facilitated by something that we call “site-specificvulnerabilities”, which are vulnerabilities that are limited to aparticular Web site or service. These vulnerabilities are typicallypresent in the proprietary Web-based applications that drive theservices provided by the site.

What initially tipped us off to the increasing prevalence ofsite-specific vulnerabilities was actually a drop in the proportion ofWeb application vulnerabilities. In this report, we observed that 61percent of vulnerabilities affected Web applications, which is a dropfrom the 66 percent in the previous report. (Our discussion of Webapplication vulnerabilities includes only those Web applications...