Security Response
Marc Fossi | 25 Jun 2007 07:00:00 GMT | 0 comments

Many people have said that the lack of attacks upon Apple’s operating systems and devices can be attributed to a lower market share than Microsoft Windows-based PCs. With the shift towards malicious code being written for financial gain, it makes more economic sense. (I know that there are other arguments to be made, but bear with me.) Why write a Trojan that only runs on about 10% of computers when you can write one that is capable of affecting closer to 90% of them? Far more bang for the buck.

At the same time, there haven’t been many attacks on cellular phones and mobile devices. There have been several proof of concept Trojans, worms, and viruses for Symbian Smart Phones as well as a few for the Windows Mobile platform. Some of these have even resulted in small, localized outbreaks. Again, the lack of attacks on these devices has been attributed to a smaller user base.

On June 29th, however, these two platforms will converge when Apple’s iPhone is released in the...

Ron Bowes | 22 Jun 2007 07:00:00 GMT | 0 comments

I recently stumbled upon a site that advertised an impossible service for Web sites: protecting a site's content from being copied, or "stolen." It's a service that is impossible. I know it's impossible, and every Web developer knows it is impossible. However, for only $37.99, this man offers to do it. At $37.99, it's a deal! And he has all kinds of testimonials, not to mention snazzy clip-art on his site.

Of course, his solution, much like whitewashing over dirt, appears to work. That is, until the paint starts peeling, or, in this case, until a user with any kind of experience realizes how easy it is to bypass these restrictions. I can think of a half-dozen ways immediately, and none of them are difficult. Before long, the whitewash peels off and the site administrator is left in the same situation they started in, only with $37.99 less.

Of course, there are no guarantees. You read the agreement, right? This type of service gives the site administrator a false sense...

Amado Hidalgo | 21 Jun 2007 07:00:00 GMT | 0 comments

In the past few days, much has been written about MPack and the mass hacking of legitimate web sites by inserting hidden iframes. These iframes had the purpose of redirecting web surfers to malicious sites, which served exploits and eventually infected the computers of unsuspecting visitors.

We have created a little movie to help you understand the whole process. So without further ado, Symantec Security Response presents… MPack, The...

Pukhraj Singh | 21 Jun 2007 07:00:00 GMT | 0 comments

Recently, a DeepSight honeypot was compromised by a rogue Web site that served a variety of malicious scripts to users. Of the dozens of Web sites that we investigate every day, what makes this case special is the fact that this is the first detected instance of in-the-wild exploitation of the Microsoft Internet Explorer Speech API 4 COM Object Instantiation Buffer Overflow Vulnerability (BID 24426). This exploit appears to be a derivation of the publicly available exploit released at milw0rm.com. The vulnerability lies in the way two COM objects in the Speech API 4, namely the Windows DirectSpeechSynthesis Module (XVoice.dll, EEE78591-FE22-11D0-8BEF-0060081841DE) and the DirectSpeechRecognition Module (XListen.dll, 4E3D9D1F-0C63-11D1-8BFB-0060081841DE), handle certain user input. A malicious attacker can instantiate these COM objects via Internet Explorer and pass overly long arguments to certain routines....

Symantec Security Response | 21 Jun 2007 07:00:00 GMT | 0 comments

Earlier this year, NIST (the National Institute of Standards and Technology) announced that it will be hosting an open competition to decide on a new secure cryptographic hash standard. Cryptographic hash functions are a fundamental part of cryptography and computer security. A cryptographic hash function takes an input and returns a (practically) unique output, providing applications in authentication, encryption and digital signatures.

The most commonly used hash functions right now have been around since the mid-nineties and are beginning to show some serious cracks. One of the basic requirements of a cryptographic hash function is that it must be very hard to find two inputs that map to the same output. When two such inputs are found it is called a collision, and collisions are a really bad thing for hash functions. The Message Digest 5 (MD5) algorithm was created in 1991 by Ron...

Ollie Whitehouse | 20 Jun 2007 07:00:00 GMT | 0 comments

In the words of the Ghost Busters, “We’ve got one…” We’ve got what? I hear you ask. We now have an example of alleged SMS spam with some real statistics rather than the usual conjecture. We know SMS spam has been growing through the monitoring of such sites as Grumble Text [1]; however, we’ve never had true insight into the scale of a professional SMS spamming operation.

Well, recently that changed. TelecomWeb broke the story [2] that,

“Verizon Wireless filed a lawsuit against Nev.-based I-VEST Global Corporation and various "John Does," alleging they sent unsolicited commercial electronic messages (wireless spam) to its customers.” and that “The lawsuit, filed in U.S. District Court in Trenton, N.J., alleges that, beginning in April, I-VEST attempted to send more than 12 million text messages to Verizon Wireless handsets, offering information about buying stocks or real estate. However, the carrier says spam filtering and network monitoring...

Eric Chien | 19 Jun 2007 07:00:00 GMT | 0 comments

On multiple Windows Live Messenger accounts (formerly MSN Messenger), we received the following messages (don't visit the link!):

     Get surprise at http://www.messengerweb.info/ Unbelievable!

     Hey, http://www.messengerweb.info/ helps u find out who is your friend!

     U have deleted me! Look here http://www.messengerweb.info

Was this a new worm? Or a bot that was sending out IM spam? Turns out it is neither and instead much more like adware. The site being advertised states they can find out who may have removed you from their contact list. All the service requires is for you to "enter your MSN account and password and we will tell you who has...

Peter Ferrie | 19 Jun 2007 07:00:00 GMT | 0 comments

It seems that for every scripting language that is powerful enough to host a virus, a virus will be written for it eventually. It also doesn't seem to matter if the audience for that scripting language is very restricted, or that the scripts might not be shared with anyone else.

This brings us to the first virus for the Autodesk Maya 3D scripting language - "Maya Embedded Language" or "MEL" - which we call MEL.Odorous.

This virus is simply a proof-of-concept. It begins by searching in the current directory for the .MEL file that contains its code. It reads this code into a buffer that will be used for replication. Then it searches again in the current directory for other .MEL files. For any .MEL file that is found to not be already infected, the virus will prepend itself to the file. There is no payload, and it does nothing but replicate.

Such a virus...

Amado Hidalgo | 19 Jun 2007 07:00:00 GMT | 0 comments

You always thought that by staying clear of the dark alleys of the Internet and visiting only “reputable” websites, you would be safe from attacks and dubious content. I am afraid that is not enough. My colleagues Elia Florio and Hon Lau reported recently (here and here) about legitimate sites that had been compromised to include a malicious IFRAME that, without your knowledge, redirects you to a site serving exploits.

As Elia mentioned, thousands of sites (mostly Italian, but with several other nationalities included) were compromised. We were puzzled as to how the MPack gang had managed to hack so many sites in a short period of time, and how they could inject the malicious iframe so quickly.

The MPack gang...