Video Screencast Help
Protect Your POS Environment Against Retail Data Breaches. Learn More.
Security Response
Showing posts in English
Zulfikar Ramzan | 13 Aug 2007 07:00:00 GMT | 0 comments

Part I on Friday discussed the early days of phishing from relatively harmless spam to targeting the financial sector and then to an increasingly professional operation with serious consequences for both organizations and individuals.

The threat evolves further

In a technical sense, phishing has evolved in a number of ways. Phishers are conscious of the different anti-phishing technologies out there – many of which employ block lists of suspicious Web sites. Block lists work by matching the URL that appears in the address bar of the Web browser with a list of known phishing Web sites. If there is a match, the user is warned. To get around that, in September 2006 many phishers started randomizing the sub-domain portion of the URL. While these URLs lead to the same site, no two are the same, and therefore the technique circumvents basic block lists.

Phishers are also privy to the fact that their pages are being viewed...

Zulfikar Ramzan | 10 Aug 2007 07:00:00 GMT | 0 comments

Symantec is celebrating its 25-year anniversary and, during the course of the company’s history, we’ve seen the threat landscape evolve continuously. Many of the threats we routinely address today were practically unheard of in the early days. While much of the activity back then was centered around viruses and other forms of malicious code designed to wreak havoc on customers' personal computers, today’s landscape now includes new threats that can wreak havoc on customers’ personal lives, stealing their money and also their identity.

One of these emerging threats is phishing. Phishing is a threat whereby attackers use social engineering mechanisms, in a fairly automated way, to trick victims into divulging sensitive data that can later be used to assume a victim’s identity on an online site or in a financial transaction. Throughout 2006, Symantec observed over 300,000 unique phishing emails and blocked these messages in nearly three billion phishing instances. Phishing...

Michael Smith | 09 Aug 2007 07:00:00 GMT | 0 comments

Firewalls, intrusion detection and prevention systems, antivirus – they’re all old tricks of the trade that IT has traditionally deployed to maintain the security of large and complex networks.

But are they enough? Threat volume is rising, propagation speed is increasing, and attacks are becoming more advanced and elusive. Luckily, there are innovative new ways to complement the traditional approach. And security’s bright side may be on the ‘dark’ side.

A growing number of organizations are leveraging darknets to increase their security intelligence and, in turn, enhance their security posture. A darknet is an area of routed IP address space in which no active services reside.

IT is increasingly using this ‘dark’ network as a powerful security tool. Because no legitimate packets should be sent to or from a darknet, the majority are likely sent by malware that scans for vulnerable devices with open ports in order to download, launch, and propagate malicious code...

Ollie Whitehouse | 08 Aug 2007 07:00:00 GMT | 0 comments

The other day, I blogged about the latest happenings in the Atsiv saga. Today I’m providing an update, which I couldn’t have made up even if I tried.

This can only be described as one of those moments that would makeanyone in Microsoft’s situation start to sob. Alex Ionsecu published anentry on his blog (whichsubsequently got pulled) with a supporting tool called Purple Pill.This tool had embedded in it an ATI signed driver that would be droppedto disk and loaded (a similar approach to Atsiv). However it wouldappear that this signed driver contained a design error which allowsyou to use it to load any arbitrary driver even if they are not signed(similar functionality to Atsiv). You can imagine this came about dueto a requirement to extend this core driver with arbitrary...

David McKinney | 08 Aug 2007 07:00:00 GMT | 0 comments

The hacker's place in the pop culture continuum is as anti-hero. This is an image portrayed in movies and novels - the hacker is a wild-card with the power of deus ex machina who can be called upon to cheat technology or exploit a loophole in the system. Since computers don't lie and the system is perfect, the hacker invokes black arts in gross defiance of reality and the law in order to accomplish his (as hackers are overwhelmingly portrayed as male) goals. Yet we often sympathize with the fictional hacker for this exact reason. The system irks us and we often wish we could circumvent it.

The nineties had its own hacker anti-hero: Kevin Mitnick.

Most of Mitnick's story has been told by the media and in a book entitled Takedown...

Peter Ferrie | 07 Aug 2007 07:00:00 GMT | 0 comments

I just got back from Black Hat 2007 Las Vegas, where I wasco-presenting with Nate Lawson and Thomas Ptacek regarding detection ofhypervisors. Previously, we had asked Joanna Rutkowska to prove her"100% undetectable" claim, but she had declined. However, we did manageto prove that our methods work.

Joanna agreed that the TLB timing method that I first described in detailin 2006 works against BluePill. As she understood it, though, shethought that I presented it as a 'foolproof method for "BluePilldetection"'. While I did present it as a foolproof method, I didn'trefer to BluePill at all: I said that it would reliably detect ahypervisor, which it does. That it detects BluePill is a corollary.

At the forum last week, she said that it can be defeated, but hermethod to do so is to single-step the code following the RDTSCinstruction. That assumes, of course, that RDTSC is the...

Kelly Conley | 07 Aug 2007 07:00:00 GMT | 0 comments

The August State of Spam Reporthighlights the continuing decline of image spam, which reached a low inJuly from its peak in January. In addition, we observed the emergenceof a new focus - greeting card spam, PDF and other file attachmentsspam, and the rise in URLs with Chinese top-level domains (TLDs)marketing spam. This month’s spotlight includes regional spam trends inEMEA.

Though still steadily declining, what we’ve come to think of as‘image spam’ has not gone away. The preferred delivery method of thisspam type is now PDF, which emerged in June of 2007 and was discussedin a previous post. Symantec is seeing PDF spam ranging between two toeight percent of all spam. July also saw the emergence of yet moretactics focused on spamming images. These tactics include the use ofXLS and ZIP files. At this time, the volume of these spam types is lowbut Symantec is closely...

Ollie Whitehouse | 06 Aug 2007 07:00:00 GMT | 0 comments

So Friday before last, I blogged about the Atsiv tool.As a quick refresh this was a tool which implemented its own PE loaderwithin a kernel driver. The authors had gone through the process ofobtaining a signing key for both the 32-bit and 64-bit versions ofWindows Vista for their kernel driver. The result was that it could beused to load arbitrary unsigned driver code including rootkits into theVista kernel.

In the same blog, I stated it would be interesting to see how longit would take for Microsoft to get the certificate revoked. Well theclock officially stopped running last Thursdaywhen Microsoft started shipping a signature in Defender (Symantec alsodetects Atsiv as SecurityRisk.Atsiv) while also asking...

Hon Lau | 06 Aug 2007 07:00:00 GMT | 0 comments

Ok, you can substitute whatever agency name you want, but the storyis nearly always the same. A little while ago I blogged about AdvancedTDS, another Mpack-type clone and mentioned how professional some ofthe malware creators are becoming.

At the other end of the spectrum, we still have a large number ofamateurs in the game. The attempts that some of them make in theirsocial engineering trickery is abysmal, to say the least. Take thisexample of a spam email:

Dear Mr./Mrs. D####### P#######

This email was sent to inform you that your complaint case#278250765 filled with the FTC was successfully registered and postedin our Business Sentinel, a business complaint database maintained bythe U. S. Federal Trade Commission. The complaint that you have filledis now accessible to certified government law enforcement andregulatory agencies in ICPEN-member countries. Government agencies mayuse this information to investigate suspect companies and individuals,...

Brian Ewell | 03 Aug 2007 07:00:00 GMT | 0 comments

Symantec has observed active exploitationof a potential 0-day vulnerability in Xunlei Web Thunder. Thisvulnerability has been assigned BID 25192. This vulnerability is closely related to a previously discovered Xunlei vulnerability identified as BID 24552. Exploitation of this new vulnerability may result in arbitrary download of malicious files onto the compromised computer.

Symantec has observed an instance in which a copy of W32.Bratsters was downloaded. In addition to this malware detection, the IPS signature HTTP XunLei WebThunder ActiveX Download also detects the attempted exploitation.