Security Response
Ollie Whitehouse | 24 Aug 2007 07:00:00 GMT | 0 comments

Here is a short update to bring this latest chapter in Vista’s security fairytale finally to a close.

On Monday the 13th of August, ATI patched their Catalyst drivers to resolve the vulnerability that PurplePill exploited. ATI should be commended for the speed and agility with which they responded to the issue, although one has to wonder if Microsoft had a hand in this.

It’s still not clear how they are going to deal with the distribution of this update (there's some conjecture around using Windows Update) and revocation of the old driver. Patching it is one thing, but...

Joshua Talbot | 24 Aug 2007 07:00:00 GMT | 0 comments

With the dawn of networked computing, users were granted on-demand access to their data and computing infrastructure. This connectivity, of course, led to an increased exposure to attacks. Attackers no longer required any physical access to the machines or to the portable media. Establishing a connection to the network (PSTN, Tymnet, DATAPAC or the Internet) and knowing the target’s network address accomplished the same task remotely, thus beginning the information arms race between the attackers and the administrators. While one side was gathering information for gaining access and circumventing restrictions, the other was trying to patch vulnerabilities and protect their assets.

During this time, factions began to...

Nicolas Falliere | 23 Aug 2007 07:00:00 GMT | 0 comments

The latest variants of Peacomm, detected as Trojan.Peacomm.C (or proactively, as the usual Trojan.Packed.13), have introduced some interesting changes in the way they infect a machine.

As was written in a previous blog entry, Peacomm spam entices users to visit a Web page containing a link to a file applet.exe. This Web page also embeds an obfuscated JavaScript routine that tries to exploit a Windows Media Player vulnerability, in case the user decided – very wisely – not to download and run the so-called “Secure Login Applet”. If the vulnerability is exploited successfully, a small file will be downloaded onto the compromised machine, which will in turn download applet.exe. Both files are detected as Trojan.Packed.13.

When...
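As an added example (not code from the original post or from Symantec), here is a small Python triage script for a captured landing page of the shape described above: a visible link to an executable, plus an inline script that decodes an escaped string and feeds it to an execution sink such as eval or document.write. The two sample pages are constructed for this example and are not the real Peacomm page; the classid in the lure is a placeholder, and the scoring thresholds and the "two indicators means suspicious" rule are assumptions, not Symantec's detection logic.

```python
"""Heuristic triage of a captured landing page: flags pages that combine
a visible link to an executable with an inline script that decodes an
escaped/char-coded string into an execution sink.  Illustrative example;
the sample pages below are constructed, not real Peacomm pages."""
import re
from html.parser import HTMLParser

# File extensions we treat as "downloads an executable".
EXEC_EXT = re.compile(r"\.(exe|scr|pif|com|bat|cmd)(\?.*)?$", re.I)

# Sinks that turn a string into running code, and decoders that usually
# feed them in string-built loaders.
_SINKS = re.compile(r"\b(eval|document\.write|setTimeout|Function)\s*\(")
_DECODERS = re.compile(r"\b(unescape|String\.fromCharCode|decodeURIComponent)\s*\(")
_ESCAPED = re.compile(r"(%[0-9a-fA-F]{2}|\\x[0-9a-fA-F]{2}|\\u[0-9a-fA-F]{4})")


class _PageParts(HTMLParser):
    """Collect <a href> targets and the bodies of inline <script> blocks."""

    def __init__(self):
        super().__init__()
        self.hrefs, self.scripts = [], []
        self._in_script, self._buf = False, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.hrefs.extend(v for k, v in attrs if k == "href" and v)
        elif tag == "script":
            self._in_script, self._buf = True, []

    def handle_endtag(self, tag):
        if tag == "script" and self._in_script:
            self.scripts.append("".join(self._buf))
            self._in_script = False

    def handle_data(self, data):
        if self._in_script:
            self._buf.append(data)


def parse_page(html):
    p = _PageParts()
    p.feed(html)
    p.close()
    return p.hrefs, p.scripts


def executable_links(html):
    """All hrefs on the page whose path ends in an executable extension."""
    hrefs, _ = parse_page(html)
    return [h for h in hrefs if EXEC_EXT.search(h.split("#")[0])]


def script_indicators(script):
    """Per-script obfuscation indicators (assumed heuristics, not a standard)."""
    escaped_chars = sum(len(m.group(0)) for m in _ESCAPED.finditer(script))
    return {
        "has_sink": bool(_SINKS.search(script)),
        "has_decoder": bool(_DECODERS.search(script)),
        "escaped_ratio": escaped_chars / max(len(script), 1),
        "longest_line": max((len(l) for l in script.splitlines()), default=0),
    }


def assess(html, escaped_threshold=0.3, long_line=200):
    """Return {'suspicious': bool, 'reasons': [...]} for a page."""
    reasons = []
    exes = executable_links(html)
    if exes:
        reasons.append("links to executable: " + ", ".join(exes))
    _, scripts = parse_page(html)
    for i, s in enumerate(scripts):
        ind = script_indicators(s)
        if ind["has_sink"] and ind["has_decoder"]:
            reasons.append(f"script {i}: decoder output reaches an execution sink")
        if ind["escaped_ratio"] >= escaped_threshold:
            reasons.append(f"script {i}: {ind['escaped_ratio']:.0%} escaped bytes")
        if ind["longest_line"] >= long_line:
            reasons.append(f"script {i}: {ind['longest_line']}-char line")
    # Assumption: two independent indicators are enough to pull the page for review.
    return {"suspicious": len(reasons) >= 2, "reasons": reasons}


# Constructed sample modelled on the structure described in the post:
# a lure link to applet.exe and an obfuscated fallback script.  The
# classid is a placeholder, not any real control's CLSID.
SAMPLE_LURE = """<html><body>
<p>Please download the <a href="http://lure.example/applet.exe">Secure Login Applet</a>.</p>
<script>
var s="%3Cobject%20classid%3D%22clsid%3A00000000-0000-0000-0000-000000000000%22%3E";
var t=String.fromCharCode(60,115,99,114,105,112,116,62);
document.write(unescape(s));eval(t);
</script>
</body></html>"""

# Constructed benign page for contrast.
SAMPLE_BENIGN = """<html><body>
<p>Read our <a href="/privacy.html">privacy policy</a>.</p>
<script>
document.getElementById("year").textContent = new Date().getFullYear();
</script>
</body></html>"""

if __name__ == "__main__":
    for name, page in (("lure", SAMPLE_LURE), ("benign", SAMPLE_BENIGN)):
        print(name, assess(page))
```

The parser deliberately does not execute the script; it only asks whether a decoder's output can reach a sink and how much of the script is escaped bytes, which is cheap enough to run over a spam-URL feed. A real loader can defeat these string heuristics (split strings, computed property names), so treat a hit as a reason to detonate the page in a sandbox, not as a verdict.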

Ken Gonzalez | 23 Aug 2007 07:00:00 GMT | 0 comments

Over the past twenty-some years, ITIL® (IT Infrastructure Library) has gone from just another good idea to the development of a major movement within the IT universe. The version that most people know today as ITIL (often referred to as ITIL v2), is defined within the two Office of Government Commerce (OGC, U.K.) publications – Service Delivery (the “Red book”) and Service Support (the “Blue book”). In these publications the 10 core ITIL processes and Service Desk functions are described in (more or less) self-contained blocks. In this world, things were relatively simple. Process areas roughly mapped on to how many organizations could structure their job roles and thus make parts of the framework operational relatively quickly. As a result, many organizations adopted ITIL as their framework of choice and in a very real...

Nicolas Falliere | 22 Aug 2007 07:00:00 GMT | 0 comments

Trojan.Packed.13, or TP13 as we call it internally, is associated with some of the most widespread malware in 2007. Though its heuristic detection may be obscure, its related threats are now well-known: Trojan.Mespam, Trojan.Galapoper, and more importantly, the infamous Trojan.Peacomm family of P2P malware.

Simply put, it consists of a set of heuristics to detect Trojans protected with an unknown packer. We didn’t have a name, so we gave it the number 13… Bad luck, perhaps, either for us or its authors.

This packer has several features that differentiate it from others. It is widespread, very frequently updated, and uses original anti-emulation tricks to fool anti-virus software detections (such as dummy loops calling obscure Windows APIs). The packer is not publicly available and we analyze it indirectly through threats that use it. Malicious files are usually repacked...

Yazan Gable | 22 Aug 2007 07:00:00 GMT | 0 comments

Code Red, Nimda, and Slammer (also known as SQL Slammer) are three of the most well known computer worms in the relatively short history of computers. Well known not because of their creatively selected names, but because of the massive impact they had on a widely used Internet. They weren’t the first worms to threaten the fabric of the Internet, but they hit at a time when the Internet was becoming very popular. It was a time when it was beginning to be widely used not only by governments and educational institutions, but also by people, corporations and non-profit organizations alike for communications and business.

Everyone who commonly used a computer when these malicious worms hit the Internet will remember them. Not only did they take down a number of government, corporate, and educational networks, but some of those not directly affected voluntarily shut down their networks as a precaution. But how were these things so effective and wide-ranging? How...

Hon Lau | 21 Aug 2007 07:00:00 GMT | 0 comments

The first Trojan.Peacomm samples literally blew in from nowhere back in January 2007. Since then, the gang responsible have been constantly evolving their Trojan with new features, new packers, and new techniques for spreading it.

The thing that can be noted about the Peacomm gang is that they are very much adept at the art of social engineering. The original Trojan was propagated widely on the back of a story about a violent storm that blew across Europe, hence the moniker. Since then the gang behind the Trojan have explored all manner of social engineering avenues and subjects.

In particular they had a knack for latching on to the latest news-worthy events and capitalizing on the public interest in them...

Vikram Thakur | 21 Aug 2007 07:00:00 GMT | 0 comments

We recently analyzed a sample of Infostealer.Monstres, and our colleague Amado posted an interesting entry with some details of its actions. As the analysis of this threat continued, new details emerged. We've been able to acquire some email templates that the Trojan may use to send targeted spam to individuals, using stolen personal information.

The templates acquired all point to the same position. The job is that of a 'Transfer Manager' at an investment company. The job description states that the position would entail facilitating financial transactions made by the clients of the investment company. The email looks very realistic and may convince many that it has been sent from Monster.com or Careerbuilder.com.

Here are some of the email...

Liam O Murchu | 20 Aug 2007 07:00:00 GMT | 0 comments

It’s the universal comeback. No matter what insult is thrown your way, you can always escape just by saying “your momma”*. So I had to laugh when we received a variant of an MSN worm that entices would-be victims with “lol, your mom just sent me this picture?” Even funnier was the fact that the bot operator infected himself with his own worm.

This variant of the worm has been named W32.Scrimge.E. The worm isn’t restricted to just the one question, either, offering up any one of these goodies:


- Did you take this picture?
- Is that you on the left?
- How drunk was I in this picture?
- Is that your mom in this picture?
- lol, your mom just sent me this picture?


It was “your mom,” however, that...

Shunichi Imano | 18 Aug 2007 07:00:00 GMT | 0 comments

We have in the past repeatedly warned that free things on the Internet do not always come cost free. Today we have to issue another such reminder, as we have come across a new example.

Security Response received a file with a .tgz file extension, which exploits a new, previously unknown vulnerability in a free Japanese decompression tool, "Lhaz v1.33". The file is detected as Trojan.Lazdropper.

After a successful exploit attempt, Trojan.Lazdropper drops two files, both detected as Backdoor.Trojan, onto the infected computer. As Backdoor.Trojan opens a back door to communicate with the author for further actions, it is obvious that the purpose behind...