Security Response
Kevin Savage | 12 Sep 2007 07:00:00 GMT | 0 comments

The world of misleading applications (aka "rogue antispyware") never ceases to amaze with clever social engineering and tricks to con and persuade users into parting with their hard-earned cash. We have recently noticed a sharp increase in the number of these applications. One example we came across recently that is really contributing to the trend is called AVSystemCare.

This misleading application is unique in two ways:

- It uses a clever trick that makes it easy to generate an endless number of clones that, while looking and behaving the same, are named differently.
- It offers localized versions in numerous languages.

AVSystemCare uses a clever trick to allow all of its clones to use identical files, but yet have different names. Installing any of these clones involves downloading a small file from the clone Web site. When the user executes this file it will download the main application components. All of...

Ben Greenbaum | 11 Sep 2007 07:00:00 GMT | 0 comments

Hello, and welcome to this month’s blog on the Microsoft patch releases. September is a light month, with only 4 releases, each resolving one issue.

Which is the most critical of these vulnerabilities? Well, it depends on who you ask. Microsoft lists the issue in the Agent ActiveX control as the only ‘Critical’ update this month; however, our calculations have resulted in a higher urgency rating for the MSN / Live Messenger issue. Both vulnerabilities grant a remote attacker the ability to run arbitrary code on the target machine if the target user performs a specific action (clicks on a link or accepts an incoming message). Microsoft may have rated the ActiveX issue higher because a non-vulnerable upgrade to Messenger has been available for some time. However, we rate the issue in MSN Messenger/Live Messenger higher, due to the availability of public proof-of-concept code known to work on at least one platform. From the perspective of an affected user, the knowledge that they could have...

Ken Gonzalez | 11 Sep 2007 07:00:00 GMT | 0 comments

In my last installment, we examined the list of ITIL® v3 processes. Figure 1 (below) is an important tool to begin considering the expansion of the key ITIL process base. The names for the processes are listed on the left side and the relevant ITIL book across the top.

Figure 1 - ITIL v2-v3 Process Coverage and Mapping

I built this map in an attempt to describe which of the core publications are needed when researching or trying to understand a given process area. This was not quick or easy, because:


• Process naming is somewhat inconsistent across the books;
• Content from the ITIL v2 Core is not a clear or direct mapping;
• Content from other...

Jitender Sarda | 10 Sep 2007 07:00:00 GMT | 0 comments

In the month of August we observed a huge spamming outbreak from malware authors. Could this be an early warning signal for a new deadly virus/Trojan attack? It appears that malware authors are trying to strengthen their botnet base by injecting and infecting as many machines as possible.

Cyber criminals are increasingly making use of different methods to spread their tentacles, and one of the best ways is to globally distribute huge spam campaigns with either a malicious attachment or a URL link in the spam email, which actually downloads some components of the malware code. This is usually in the form of either a rootkit or a Trojan.

The spam email containing the link for the malware download lures the recipient to willingly download software for testing so that they may receive a free license. Many users can easily get trapped by such emails (the lure is getting something for free, and when it’s a free license for software, many users will proceed thinking they have found a...

John McDonald | 10 Sep 2007 07:00:00 GMT | 0 comments

A new variant in the family of worms Symantec calls "Pykspa" - W32.Pykspa.D - is targeting Skype Instant Messenger. It spreads by using Skype's chat function, sending a message to contacts containing a link to what appears to be a harmless .jpeg file, but if clicked on actually downloads and runs a copy of the worm on the user's computer. In an attempt to make this activity appear innocuous, the worm displays a legitimate Windows image (if it exists on the victim's machine), the bitmap file Soap Bubbles.bmp, contained by default in the Windows installation directory. So if you saw the below image recently after clicking on a link contained in a Skype message from someone, chances are your machine is infected.

[Image: Soap Bubbles.bmp]

To make matters worse the...

Ollie Whitehouse | 07 Sep 2007 07:00:00 GMT | 0 comments

In my last post on the subject of Vista versus the battle of vulnerable and malicious signed drivers, I said there was some conjecture about whether Microsoft was going to use Windows Update to distribute a patch for a vulnerable ATI driver. Elia Florio on our Security Response Operations team in Ireland sent me a link to a notice at ISC which showed this is indeed what they are doing. The link to the AMD notice shows this is indeed meant to resolve the security issue.

It is kind of interesting that Microsoft...

Jeremy Ward | 06 Sep 2007 07:00:00 GMT | 0 comments

At the Open Group meeting in Austin a couple of weeks ago, I attended the workshops on IT risk assessment. Pretty dull, eh? In fact, this topic produced some of the liveliest debate I’ve ever had at a conference.

Unless you specialize in this area, you may think that risk assessment is pretty well sewn-up. You couldn’t be more wrong. Get 50 practitioners in a room and you will have 50 different methodologies for assessing IT risk. The trouble is that nearly all of them will be subjective – the outcome of any risk assessment exercise is most likely to be ‘high’, ‘medium’ or ‘low’. Even when it’s an apparently objective number – 54,821, for example – you don’t learn all that much. Try going to your board and telling them that their IT risk is 54,821 and their eyes are likely to glaze over very quickly! Any attempt to calculate ‘annual loss expectancy’, although valiant, only results in trouble when the degree of variability is larger than the sum itself!

So we urgently...

Ken Gonzalez | 05 Sep 2007 07:00:00 GMT | 0 comments

As I mentioned in my last blog entry, the version that most today know as ITIL® (often referred to as ITIL v2), is defined within the two Office of Government Commerce (OGC, U.K.) publications – Service Delivery (the “Red book”) and Service Support (the “Blue book”). In these publications, the 10 core ITIL processes and Service Desk functions are described in (more or less) self-contained blocks. In this world, things were relatively simple. I’ll start off our examination of ITIL v3 from the (more familiar) process-centric perspective.

As of now, there is no official count or authoritative list from OGC of which processes should be considered as the ITIL v3 core. Unfortunately, this pushes that responsibility on to the readers’ shoulders, and I assure you that this is not an easy task...

Kelly Conley | 05 Sep 2007 07:00:00 GMT | 0 comments

The September State of Spam Report is out and includes several interesting highlights and trends seen in August. Some highlights in this report include an update on the state of PDF spam, different variations that have been observed in e-card spam tactics, including fake YouTube sites, as well as insight into some new and novel tactics that were observed by Symantec during August.

Where did PDF spam go? Highlighted in a previous post as an emerging trend, PDF and other attachment spam reached a high in early August but closed out the month with record lows. First seen in June of 2007 with PDF files, attachment spam grew to encompass PDF, XLS and RAR files. By early August, this spam type was seen in 20 percent of all...