Security Response
Ollie Whitehouse | 06 Aug 2007 07:00:00 GMT | 0 comments

So Friday before last, I blogged about the Atsiv tool. As a quick refresh, this was a tool which implemented its own PE loader within a kernel driver. The authors had gone through the process of obtaining a signing key for both the 32-bit and 64-bit versions of Windows Vista for their kernel driver. The result was that it could be used to load arbitrary unsigned driver code, including rootkits, into the Vista kernel.

In the same blog, I stated it would be interesting to see how long it would take for Microsoft to get the certificate revoked. Well, the clock officially stopped running last Thursday when Microsoft started shipping a signature in Defender (Symantec also detects Atsiv as SecurityRisk.Atsiv) while also asking...

Hon Lau | 06 Aug 2007 07:00:00 GMT | 0 comments

Ok, you can substitute whatever agency name you want, but the story is nearly always the same. A little while ago I blogged about Advanced TDS, another Mpack-type clone, and mentioned how professional some of the malware creators are becoming.

At the other end of the spectrum, we still have a large number of amateurs in the game. The attempts that some of them make in their social engineering trickery are abysmal, to say the least. Take this example of a spam email:

Dear Mr./Mrs. D####### P#######

This email was sent to inform you that your complaint case #278250765 filled with the FTC was successfully registered and posted in our Business Sentinel, a business complaint database maintained by the U. S. Federal Trade Commission. The complaint that you have filled is now accessible to certified government law enforcement and regulatory agencies in ICPEN-member countries. Government agencies may use this information to investigate suspect companies and individuals,...

Brian Ewell | 03 Aug 2007 07:00:00 GMT | 0 comments

Symantec has observed active exploitation of a potential 0-day vulnerability in Xunlei Web Thunder. This vulnerability has been assigned BID 25192. This vulnerability is closely related to a previously discovered Xunlei vulnerability identified as BID 24552. Exploitation of this new vulnerability may result in arbitrary download of malicious files onto the compromised computer.

Symantec has observed an instance in which a copy of W32.Bratsters was downloaded. In addition to this malware detection, the IPS signature HTTP XunLei WebThunder ActiveX Download also detects the attempted exploitation.

...

Pukhraj Singh | 03 Aug 2007 07:00:00 GMT | 0 comments

Over the last few decades, markets and economies have been revolutionized with the advent of this powerful medium we call the Internet: Access to information and freedom of expression are not limited to any geographical boundaries; the world has shrunk to the size of electrons. I keenly remember the challenges facing the protagonist in Philip K. Dick’s science fiction novel, ‘Do Androids Dream of Electric Sheep?’, while dealing with rogue androids. The Internet, with its decentralization, openness and commercial dependability, has become the haven for a new breed of criminals, where botnets rule the dark, creepy labyrinths. Throughout this time, we at Symantec have been at the forefront in fighting this war of information accessibility and reliability.

Right now, botnets are one of the most concerning problems in information security and are considered to be the source of all evil like spam, click frauds and denial of service attacks. Bots are software and...

Liam O Murchu | 02 Aug 2007 07:00:00 GMT | 0 comments

Brazil is the home of the infamous Infostealer.Bancos family of malware. Recently, however, we have seen a more diverse number of sites - beyond just banking sites - coming into the crosshairs of the Brazilian malware gangs. Is the recent W32.Imcontactspam worm another of their creations?

The worm is Brazilian and spammed the infected users’ MSN contacts with email advising them that they had received an electronic greeting card. We see these types of worms quite often; however, what caught our attention were the similarities between the techniques this worm uses and the techniques used by the Infostealer.Bancos family of trojans.

When executed, the worm does the following:

  1. Minimizes the real MSN Messenger login window;
  2. Displays a fake Portuguese language MSN login screen;
  3. Records the username and password that is typed;
  4. Displays the real MSN Messenger login window (user must re-type password);
  5. Records the email address of all...

Ollie Whitehouse | 02 Aug 2007 07:00:00 GMT | 0 comments

So in a world where data is king, people are obviously going to look for ways to mine the data in more effective ways. I saw a talk in May last year by Ian Cook titled, “Finding Information in the Darkweb,” with a subtitle of “Open Source Intelligence Gathering on a Shoestring.” This was interesting and pretty cool on the whole, but required a number of tools and some time to mine the data and glue all the bits together.

While data is cool, without context it can be a huge burden to mine and discover the relationships. Well, my friends, close your Google Earth as I’ve got something to show you that is so cool it’ll make whizzing round the streets of San Francisco in Google Earth feel like peeling potatoes.

Welcome to Evolution, the brain child of Roelof Temmingh of ex-SensePost fame. It’s a tool that “associates data found in multiple search engines and social-networking Web sites… to find...

Shunichi Imano | 02 Aug 2007 07:00:00 GMT | 0 comments

Symantec Security has received a sample of an Ichitaro document that contains a currently unknown exploit. This is not necessarily surprising as most software has vulnerabilities, but a user who opens the document will surely be hit with a surprise.

Symantec detects the malicious document as Trojan.Tarodrop.D. When it is opened, malware is dropped onto the compromised computer, which Symantec detects as Trojan Horse. The dropped Trojan in turn drops more malware (detected as Hacktool.Keylogger) that logs keystrokes and sends the stolen information to cvnxus.8800.org on TCP port 443.

Additionally, Hacktool.Keylogger...

Nicolas Falliere | 01 Aug 2007 07:00:00 GMT | 0 comments

Proof-of-concept code exploiting newly discovered XSS vulnerabilities for the latest version of Wordpress (2.2.1) was posted today on a security blog.

The researcher unveiled seven vulnerabilities, cross-site scripting (XSS) or SQL injections, whose consequences range from benign to serious, the critical ones potentially leading to blog compromise. In his haste to show his skills, this person also released proof-of-concept (PoC) code exploiting one of these vulnerabilities.

The PoC in itself, as explained, is supposedly not malicious, and is designed to raise awareness and patch vulnerable versions of the WordPress publishing platform. In a few words, here’s how it works:

  • A WordPress administrator browses the “Comments manager” in the administration panel
  • She clicks a link, which redirects to the PoC author’s Web page. This page checks the referrer, to see whether it might originate from a logged-on WordPress administrator (the URL would contain...