Security Response
Peter Ferrie | 19 Jul 2007 07:00:00 GMT | 0 comments

It's not often that we get a proof-of-concept (PoC) virus, but to receive four in two weeks is completely unprecedented. The first one, which we call MEL.Odorous, is a virus for the Maya 3D scripting language. It searches in the current directory for uninfected files, and prepends itself to them. After infecting files, it runs the host as usual.

The second virus, which we call WHS.Vred, is a virus for the WinHex scripting language. Like MEL.Odorous, Vred searches in the current directory for uninfected files, and prepends itself to them. Unlike MEL.Odorous, however, Vred does not run the host code after infecting files.

The third and fourth viruses, which we named...

Dave Cole | 18 Jul 2007 07:00:00 GMT | 0 comments

A while back we took a look at how security alerting was being done across the industry and noticed that there was plenty of room for improvement. We started out with our own ThreatCon. It was easy to see that it wasn’t very effective for helping less tech-savvy consumers to protect themselves online. On the humorous side, we did a little survey on customer perception and effectiveness of the ThreatCon and one of the respondents thought it was related to something on Star Trek. Ouch! The feedback we got gave us a clear picture of where to begin our journey to improve our alerting systems.

Old threatcon

We began the overhaul of our security alerting systems early last spring by introducing the Internet Threat Meter (ITM) for consumers. The idea was to make the...

Orlando Padilla | 17 Jul 2007 07:00:00 GMT | 0 comments

Earlier this year, I saw some screenshots of the Zunker bot and its controlling interface. I became curious about the existence of other similar interfaces and began paying a bit more attention to the spam coming into my inbox on a personal account. After a few weeks of wandering through IP blocks referenced by the spam, I ran across an open directory containing a few screen shots of what looked like another interface actively spamming multiple products.

The following screen shot shows a statistics screen for a botnet they are currently using. Similar to the Zunker interface, this interface also has the ability to group by country. It looks like the feature is broken though, as you can only see one bot, which is originating from Poland. Given that, it is tempting to presume the owner is Polish; however, the interface's text is entirely in English and the screen shot was found on a Russian server. It could, however, mean that the person leasing this interface is controlling it from...

Ollie Whitehouse | 16 Jul 2007 07:00:00 GMT | 0 comments

With the advent of Symbian 9 came a new capabilities model that could be seen as akin to mandatory access control, or MAC, which I’ve touched on briefly in the past. If you’re more interested in the Symbian 9 capabilities model, I recommend you go read the Embedded.com article or purchase a copy of Symbian Platform Security Development Architecture from Symbian Press.

FlexiSpy is a spyware program...

Marc Fossi | 13 Jul 2007 07:00:00 GMT | 0 comments

Same thing we do every night – try to take over the world…

Morris and Brain. The average person doesn’t know these names very well in comparison to Melissa, CodeRed, Nimda, Slammer, and Funlove. They all had their day and are burned in the memories of the users who were infected and those who cleaned up after them. Without Morris and Brain, though, the current “superstars” wouldn’t exist.

Brain (also known as...

Symantec Security Response | 12 Jul 2007 07:00:00 GMT | 0 comments

In recent months, Symantec has detected a number of phishing sites that have been hosted on government URLs. In June alone, phishing sites were identified on government sites from the following countries: Thailand (.go.th), Indonesia (.go.id), Hungary (.gov.hu), Bangladesh (.gov.bd), Argentina (.gov.ar), Sri Lanka (.gov.lk), Ukraine (.gov.ua), China (.gov.cn), Brazil (.gov.br), Bosnia and Herzegovina (.gov.ba), Colombia (.gov.co), and Malaysia (.gov.my).

This might come as a surprise to some people, as governments are thought to have very secure computer systems. However, the quantity of phishing sites hosted on government domains around the world seems to suggest otherwise. These fraudulent sites look like legitimate Web sites and are designed to trick users into divulging personal information such as government-issued identity numbers, bank passwords, or credit card numbers. Most phishing sites are placed on government Web servers by hackers who have gained access to the server...

Elia Florio | 11 Jul 2007 07:00:00 GMT | 0 comments

The early years of the 1980s were marked by great technological advancements, particularly the release of the first integrated and powerful personal computers. Apple introduced the “Apple II” microcomputer in 1977, and by the early 80s it was one of the most popular personal computers for business users, families, and schools. In 1981, computing giant IBM purchased the license to distribute the DOS operating system for their PC machines from an obscure company called Microsoft. At that time, computing companies were popping up quickly. The early 80s saw numerous home computers for sale, such as the Commodore 64 (1982) and the Atari ST (1985).

It sounds funny now thinking of those “extraordinary” computers of the 80s while sitting at a desk with a modern hyper-threading CPU, gigabytes of memory, and a wireless connection. Still, the 80s were the years during which personal computers established their foothold in homes and offices. For the first time people start...

Jim Hoagland | 10 Jul 2007 07:00:00 GMT | 0 comments

Symantec Security Advisory SYMSA-2007-005[1] is now available. This covers a Teredo-related vulnerability in the Vista version of Windows Firewall (BID 24779, CVE-2007-3038). (To be clear, this vulnerability is not connected to any of the nine Vista issues I discussed in my last blog[2].)

Last fall, when Ollie Whitehouse[3] was analyzing what TCP ports were open over a Teredo interface in a freshly installed Windows Vista RC2, he discovered that port 5357 was open over Teredo. We thought this odd since there is no functional reason this port, which corresponds to Web Services on Devices (WSD)[4], should be remotely accessible. When the release version of Vista became available, we verified that this port was still open. (Details on...

Ben Greenbaum | 10 Jul 2007 07:00:00 GMT | 0 comments

This month's Microsoft patch release includes six bulletins, addressing 12 vulnerabilities in common client and server software, including four in a popular development environment. Topping the heap in terms of urgency is a remotely exploitable, server-side code execution vulnerability in IIS, and that's where we'll start:

MS07-041; KB939373: Vulnerability in Microsoft Internet Information Services Could Allow Remote Code Execution

This bulletin addresses a previously known issue in IIS 5.1 on Windows XP that was reported in late 2005 as a denial-of-service problem. It is now known to be exploitable to run attacker code. IIS is not running or installed by default on Windows XP.

  • Microsoft Internet Information Server 5.1 DLL Request Remote Code Execution Vulnerability...