Video Screencast Help
Symantec Appoints Michael A. Brown CEO. Learn more.
Security Response
Showing posts in English
Zulfikar Ramzan | 28 Jun 2007 07:00:00 GMT | 0 comments

I recently looked at some data collected from the NortonConfidential server on brands spoofed in phishing attacks from Junethrough December of 2006. In total, we saw phishing attacks on 343different brands. Looking further into the data, I wanted to get asense of which types of brands are consistently targeted by phishers.

I found that there 57 “core” brands that were consistently spoofedin each month from June through December. These core brands weredetermined by identifying seven lists of brands, one for each month inour data collection (June through December) in which a new Web sitespoofing that brand was reported. The core brands, then, made up theintersection of these lists.

There is a distinction between core brands and the most frequentlyspoofed brands. The former are brands that are consistently spoofedeach month. The latter are brands that are the most frequently spoofedoverall, measured by the number of Web sites that imitate these brands.

At first...

Kelly Conley | 27 Jun 2007 07:00:00 GMT | 0 comments

Hey, you put your Trojan in my spam!

A Trojan in my spam? True. The most recent version of malicious code that we are seeing being delivered by spam is a Trojan in greeting card spam. Malicious code in spam has been around off and on for some time. We’ve even blogged about it in the past; here (from January 2007) and it appears that at least one more spammer thinks it is a novel tactic.

We’ve observed over 18 million of these spam messages in the past few days and have successfully blocked the ones we have seen. Each of the messages we’ve seen so far has a Hong Kong domain (.hk ) in the subject line. Messages containing this Trojan are easy to spot, carrying subject lines such as:

Subject: Mima sent you a .hk! Greeting
Subject: Martha sent you a ..hk! Greeting

The body of the message appears to be a greeting...

Symantec Security Response | 26 Jun 2007 07:00:00 GMT | 0 comments

Digital Rights Management (DRM) is a termused to refer to the various content protection schemes used by contentproviders to restrict the usage of digital media and devices toauthorized persons. Popular DRM schemes include Apple’s FairPlaysystem, which is used by their online iTunes Store, and Microsoft’sWindows Media DRM. These systems use strong cryptography to protectmedia from being viewed except by hardware or software that have theproper credentials.

For most DRM applications, the trusted media player contains adecryption key that is used to decrypt and play the protected media.This decryption key must be secret and inaccessible to the user.Finding this decryption key would allow someone to decrypt the data andshare it without restriction, defeating the DRM protection. This posesa major problem because the trusted media player is often running on anuntrusted platform: the user’s home computer. Keeping the encryptionkeys used by the trusted media player from being...

Nicolas Falliere | 25 Jun 2007 07:00:00 GMT | 0 comments

Though the discovery of Microsoft Officezero-day exploits has dropped dramatically in the last six months, newfile format exploits are still being discovered (and exploited)regularly. After .zip and .rar file exploits, the latest archive formatvulnerability affects the Lhaca archiver and its LZH compressionsupport. While not very well known in the US and Europe, Lhaca appearsto be a popular archive tool in Japan, as is the compression format LZH.

On Friday, June 22nd, one of our Japanese customers submitted an.lzh file. The file in question, after quick analysis, raised immediatesuspicion. It contained several NOP-sleds, shell code-like code blocks,decryptors, and an encoded executable in the archive itself! All theingredients required by file format exploit recipes. The difficulty inthis case is finding the application that could be vulnerable. Cheersto Masaki Suenaga in Security Response, Japan for doing the initialanalysis and finding out that...

Marc Fossi | 25 Jun 2007 07:00:00 GMT | 0 comments

Many people have said that the lack of attacks upon Apple’s operating systems and devices can be attributed to a lower market share than Microsoft Windows-based PCs. With the shift towards malicious code being written for financial gain, it makes more economic sense. (I know that there are other arguments to be made, but bear with me.) Why write a Trojan that only runs on about 10% of computers when you can write one that is capable of affecting closer to 90% of them? Far more bang for the buck.

At the same time, there haven’t been many attacks on cellular phones and mobile devices. There have been several proof of concept Trojans, worms, and viruses for Symbian Smart Phones as well as a few for the Windows Mobile platform. Some of these have even resulted in small, localized outbreaks. Again, the lack of attacks on these devices has been attributed to a smaller user base.

On June 29th, however, these two platforms will converge when Apple’s iPhone is released in the...

Ron Bowes | 22 Jun 2007 07:00:00 GMT | 0 comments

I recently stumbled upon a site that advertised an impossibleservice for Web sites: protecting a site's content from being copied,or "stolen." It's a service that is impossible. I know it's impossible,and that every Web developer knows is impossible. However, for only$37.99, this man offers to do it. At $37.99, it's a deal! And he hasall kinds of testimonials, not to mention snazzy clip-art on his site.

Of course, his solution, much like whitewashing over dirt, appearsto work. That is, until the paint starts peeling, or, in this case,until a user with any kind of experience realizes how easy it is tobypass these restrictions. I can think of a half-dozen waysimmediately, and none of them are difficult. Before long, the whitewashpeels off and the site administrator is left in the same situation theystarted in, only with $37.99 less.

Of course, there are no guarantees. You read the agreement, right?This type of service gives the site administrator a false sense...

Amado Hidalgo | 21 Jun 2007 07:00:00 GMT | 0 comments

In the past few days, much has been written about MPack and the mass hacking of legitimate web sitesby inserting hidden iframes. These iframes had the purpose ofredirecting web surfers to malicious sites, which served exploits andeventually infected the computer of the unsuspected visitors.

We have created a little movie to help you understand the wholeprocess. So without further ado, Symantec Security Response presents… MPack, The...

Pukhraj Singh | 21 Jun 2007 07:00:00 GMT | 0 comments

Recently, a DeepSight honeypot was compromised by a rogue Web site that served a variety of malicious scripts to users. From the dozens of Web sites that we investigate everyday, what makes this case special is the fact that this is the first detected instance of in-the-wild exploitation of Microsoft Internet Explorer Speech API 4 COM Object Instantiation Buffer Overflow Vulnerability (BID 24426).This exploit appears to be a derivation of the publicly available exploit released at milw0rm.com. The vulnerability lies in the way two COM objects in the Speech API 4, namely Windows DirectSpeechSynthesisModule (XVoice.dll, EEE78591-FE22-11D0-8BEF-0060081841DE ) and DirectSpeechRecognition Module (XListen.dll,4E3D9D1F-0C63-11D1-8BFB-0060081841DE), handle certain user input. The malicious attacker can instantiate these COM objects via Internet Explorer, and pass overly long arguments to certain routines....

Pukhraj Singh | 21 Jun 2007 07:00:00 GMT | 0 comments

Recently, a DeepSight honeypot was compromised by a rogue websitethat served a variety of malicious scripts to users. From the dozens ofWeb sites that we investigate everyday, what makes this case special isthe fact that this is the first detected instance of in-the-wildexploitation of Microsoft Internet Explorer Speech API 4 COM ObjectInstantiation Buffer Overflow Vulnerability (BID 24426).This exploit appears to be a derivation of the publicly availableexploit released at milw0rm.com. The vulnerability lies in the way twoCOM objects in the Speech API 4, namely Windows DirectSpeechSynthesisModule (XVoice.dll, EEE78591-FE22-11D0-8BEF-0060081841DE ) andDirectSpeechRecognition Module (XListen.dll,4E3D9D1F-0C63-11D1-8BFB-0060081841DE), handle certain user input. Themalicious attacker can instantiate these COM objects via InternetExplorer, and pass overly long arguments to certain routines. In thiscase...

Symantec Security Response | 21 Jun 2007 07:00:00 GMT | 0 comments

Earlier this year, NIST (National Institute of Standards and Technology),announced that they will be hosting an open competition to decide on anew secure cryptographic hash standard. Cryptographic hash functionsare a fundamental part of cryptography and computer security. Acryptographic hash function takes an input and returns a (practically)unique output, providing applications in authentication, encryption anddigital signatures.

The most commonly used hash functions right now have been aroundsince the mid-nineties and are beginning to show some serious cracks.One of the basic requirements of a cryptographic hash functions is thatit must be very hard to find two inputs that map to the same output.When two such inputs are found it is called a collision, and collisionsare a really bad thing for hash functions. The Message Digest 5 (MD5)algorithm was created in 1991 by Ron...