Security Response
Eric Chien | 05 Jul 2007 07:00:00 GMT | 0 comments

The MPack toolkit has received a fair amount of media attention, causing it to become one of the most desired Web browser exploit toolkits in the underground hacker scene. The original author was selling the MPack toolkit for $1000 USD, including a year of free support, and additional exploit modules for around $100 USD.

However, considering the toolkit is written in a script language, it is easy to redistribute and modify. The toolkit is now being sold by others for as low as $150 USD. That is a whopping 85% off. Talk about a clearance sale. The sellers likely didn't even need to buy it themselves, but rather probably found some of the multiple Web sites that did not employ standard Web site protections, allowing them to download the whole kit for free.

With the toolkit available in the underground scene and even available to almost anyone for a mere...

Ollie Whitehouse | 03 Jul 2007 07:00:00 GMT | 0 comments

If you Google for either "Windows CE" or "Windows Mobile" along with "rootkits" [1] [2], you don’t find anything on the subject. Back in the early part of this year I started a little skunk-works project (which resulted in an internal whitepaper) to understand the techniques that could be employed in rootkitting Windows Mobile devices, and how you would detect them if the bad guys got nasty and started doing so.

The results were, in short, not surprising. There are publicly known methods of API hooking on Windows CE. There is a publicly released keyboard logger in the compact .NET framework and there are numerous ways to load/inject DLLs into other processes. And, of course, direct kernel object modification is also possible.

The caveat about some of these methods and techniques is that your process needs to be fully trusted in order to weave its magic. So in a properly configured one-tier device that requires signing, or a two-tier...

Zulfikar Ramzan | 02 Jul 2007 07:00:00 GMT | 0 comments

The Pareto principle, sometimes known as the 80-20 rule, states that roughly 80% of the effects stem from 20% of the causes. It was named after Vilfredo Pareto, an Italian economist, who observed that 20% of Italy’s population received 80% of its income. This principle comes up in numerous other places in the social sciences and in engineering.

What does this have to do with phishing? Well, recently I looked at which legitimate brands tend to get imitated the most in phishing attacks. I went back through data gathered from June through December 2006. All in all, we found 343 brands being spoofed. Some of these were well known banks, credit card companies, online retailers, and the like. Others were smaller players. These included credit unions, local banks, smaller retailers, and the like. Note that phishing attacks target many sectors beyond just the financial and retail sectors. I just chose to include these as an example.

It turns out that there is Pareto-like behavior among the...

Hon Lau | 01 Jul 2007 07:00:00 GMT | 0 comments

Security Response has received reports of a fake email purporting to have come from the US Department of Justice. The email informs the recipient of a complaint received by the IRS against the recipient’s business. The email looks reasonably well crafted and most people would tend to treat emails from the US Department of Justice with at least a bit of urgency.

The details of the email are as follows:

Complaint Case Number: 895285164 (Note the case number may vary)

US Department of Justice []

Email Body:
The email may contain the following text. Please note that the name of the plaintiff, the date and case number may vary. Despite the message that states an attachment is included with the email, there may or may not be any attachments.

Dear citizen ,

A complaint has been filled against your company in regards to the business...

Kaoru Hayashi | 29 Jun 2007 07:00:00 GMT | 0 comments

In the past few weeks, we have observed many Web sites that have been compromised to distribute browser exploits with the MPack kit. We’ve tracked many different MPack sources created with the intent of distributing different types of malicious code. So far we’ve seen the following malware samples installed while surfing sites compromised by MPack:

Trojan.Anserin - a Trojan that steals banking-related information
Trojan.Linkoptimizer.B - a dialer Trojan
Backdoor.IRC.Bot - an IRC bot

Hon Lau | 29 Jun 2007 07:00:00 GMT | 0 comments

Over the years, IRC channels have been a favourite communications method between back doors and their command centers because they are so simple to set up and use. The IRC protocol is easy to use and can also be easily configured to travel over an arbitrary TCP port, so it's not easy to block IRC traffic based on well known port numbers. That said, IRC traffic generally has no place within corporate environments, so that makes it a little easier to spot and control.

A recent proof of concept back door Trojan (Backdoor.Fonamebot) that we have examined here in Symantec has perhaps pointed the way forward for the transmission of data between zombies and the bot herder. What we have seen is a new kind of back door that sends and receives its data through the DNS protocol.

You might ask yourself, "What is the big deal with this development?" Well, as it...

Dave Cole | 29 Jun 2007 07:00:00 GMT | 0 comments

Nothing could be more fitting to recap the colorful history of information security than the wonderfully off-kilter theatre of The Rocky Horror Picture Show. What a ride it’s been! The story of our craft now spans at least four decades (depending on how you count it), each one with its own hallmark events and memorable characters.

In order to commemorate Symantec’s 25th year of business, we thought we’d invite you to do the time warp with us. This is the first of a series of blogs that will go back and review the history of Internet security, stretching back to the 70s and all the way up to the current age of rampant phishing, rootkits, splogs and SPIT.

The 70s
The deepest definition of youth is life as yet untouched by tragedy. ~ Alfred North Whitehead

Indeed, the 70s were a time in information security largely untouched by digital calamity but marked by exploration of emerging telecommunications technology....

Zulfikar Ramzan | 28 Jun 2007 07:00:00 GMT | 0 comments

I recently looked at some data collected from the Norton Confidential server on brands spoofed in phishing attacks from June through December of 2006. In total, we saw phishing attacks on 343 different brands. Looking further into the data, I wanted to get a sense of which types of brands are consistently targeted by phishers.

I found that there were 57 “core” brands that were consistently spoofed in each month from June through December. These core brands were determined by identifying seven lists of brands, one for each month in our data collection (June through December), each listing the brands for which a new Web site spoofing that brand was reported. The core brands, then, made up the intersection of these lists.

There is a distinction between core brands and the most frequently spoofed brands. The former are brands that are consistently spoofed each month. The latter are brands that are the most frequently spoofed overall, measured by the number of Web sites that imitate these brands.

At first...

Kelly Conley | 27 Jun 2007 07:00:00 GMT | 0 comments

Hey, you put your Trojan in my spam!

A Trojan in my spam? True. The most recent version of malicious code that we are seeing being delivered by spam is a Trojan in greeting card spam. Malicious code in spam has been around off and on for some time. We’ve even blogged about it in the past; here (from January 2007) and it appears that at least one more spammer thinks it is a novel tactic.

We’ve observed over 18 million of these spam messages in the past few days and have successfully blocked the ones we have seen. Each of the messages we’ve seen so far has a Hong Kong domain (.hk) in the subject line. Messages containing this Trojan are easy to spot, carrying subject lines such as:

Subject: Mima sent you a .hk! Greeting
Subject: Martha sent you a! Greeting

The body of the message appears to be a greeting...

Symantec Security Response | 26 Jun 2007 07:00:00 GMT | 0 comments

Digital Rights Management (DRM) is a term used to refer to the various content protection schemes used by content providers to restrict the usage of digital media and devices to authorized persons. Popular DRM schemes include Apple’s FairPlay system, which is used by their online iTunes Store, and Microsoft’s Windows Media DRM. These systems use strong cryptography to protect media from being viewed except by hardware or software that have the proper credentials.

For most DRM applications, the trusted media player contains a decryption key that is used to decrypt and play the protected media. This decryption key must be secret and inaccessible to the user. Finding this decryption key would allow someone to decrypt the data and share it without restriction, defeating the DRM protection. This poses a major problem because the trusted media player is often running on an untrusted platform: the user’s home computer. Keeping the encryption keys used by the trusted media player from being...