Security Response
Dave Cole | 16 May 2007 07:00:00 GMT | 0 comments

For those of us who are not hardcore gamers (yours truly included), but have fond memories of playing Pitfall on the Atari 2600 or Pirates on an old Apple, the world of online gaming has been experiencing a period of explosive growth in recent years. The rapid increases in players and dollars flowing into the gaming industry go well beyond the console-based games such as Sony’s PS3 and Nintendo’s Wii and extend to PC-based games such as the hugely popular World of Warcraft (WoW), which enjoys a thriving online population that recently reached over 6 million users worldwide. WoW is a massively multiplayer online game (MMOG) that allows players from across the globe to interact socially in a persistent world where the player is represented by their in-game avatar, who increases in skills, gains possessions and presumably builds relationships over time. The MMOG market...

Ron Bowes | 15 May 2007 07:00:00 GMT | 0 comments

For those of you who don't know or remember, a "companion virus" is a type of computer virus that took advantage of MS-DOS's filename matching. The companion virus would create a program with the same name as the "infected" file, but with a different extension, such as .com. For example, to infect a program called "innocent.exe," the virus could create one called "innocent.com" that would be, ironically, malicious rather than innocent. Once the virus had infected innocent.exe, typing "innocent" into the command line would invoke the first program found alphabetically, "innocent.com." Typically, the virus would execute the real program in addition to running its payload, so as long as the virus was quick enough, the user wouldn't even know what had happened.

A similar concept is creating a program called "c:\program.exe." If the user executed "c:\program files\innocent\innocent.exe," the program "c:\program.exe" could be run with "files\innocent\innocent.exe" as a parameter. This...

Kaoru Hayashi | 15 May 2007 07:00:00 GMT | 0 comments

Recently we found a new malware called Infostealer.Snifula.C. The main purpose of the malware is to steal confidential information from a compromised computer and send it to a certain web site. The author of the malware can obtain the information from the site and make money with it. To make matters worse, the web site has no access control and anyone can access the information there.


As I'm writing this, more than 300 MB of logs are at the site and we can see a huge collection of confidential information such as names, addresses, phone and credit card numbers, and login information for email, online banking, MySpace, or eBay. And all of this information can be accessed through search engines.

...

Aaron Adams | 14 May 2007 07:00:00 GMT | 0 comments

The DeepSight Threat Analyst Team is constantly monitoring honeypots termed “crawlers”, which are designed to crawl the Internet looking for maliciously-crafted web pages. These crawlers emulate users surfing the Internet with various browsers that may be susceptible to client-side exploits hosted on Web pages. With the crawlers, we capture a lot of the run-of-the-mill malicious code using legacy web vulnerabilities. Malware authors especially like to spread using the Microsoft MDAC RDS.Dataspace ActiveX Control Remote Code Execution Vulnerability (BID 17462).

But among the legacy attacks, we run into much more interesting compromises that ironically still install some of the same old malware variants. One of these interesting compromises was encountered on May 8, 2007. A URL was distributed that was designed to look like it belonged to the Halifax Online financial institute. However, the resulting site...

Symantec Security Response | 14 May 2007 07:00:00 GMT | 0 comments

In my last blog entry, Pre-Phishing Recon for Context Aware Attacks, I talked about how generic phishing messages can be used to collect contextual information for more advanced phishing attacks. In this blog, I will describe two such types of advanced phishing attacks.

First, I must note that a pre-phishing recon attack is not the only way that attackers can get their hands on contextual information about a person. Attackers can also search the internet for public documents containing personally-identifying information. They can buy information about a person on an underground economy server, and they can get the information through a corporate data breach. In any case, if an attacker gets access to some personal information about someone, he or she can attempt what is called a context-aware phishing attack.

A context-aware phishing attack...

Gary Sabala | 11 May 2007 07:00:00 GMT | 0 comments

A quick Google search on the term “virtualization” returns nearly 19 million results. The subject has graced the cover of nearly every major IT trade publication in the past year, probably in the past six months alone. In contrast, search the term “virtual security,” and you’ll be lucky to see a meager 150,000 hits. Mark my words though—that limited attention is about to change. As virtualization technology continues to emerge as a viable option for moving from development to production environments, the focus on the security implications of this new IT frontier will reach a tipping point.

With the security threat landscape in an enterprise changing on a daily basis, IT requires more innovative ways to protect desktop endpoints. Evolutionary security enhancements have just managed to keep pace with threats, but it is clear that more revolutionary security models will be needed to protect the desktop in the future. Virtualization may hold the key.

Virtualization changes how IT thinks...

Takashi Katsuki | 10 May 2007 07:00:00 GMT | 0 comments

In the blog entry MS Needs Your Credit Card Details?, we detailed the behavior of the Kardphisher Trojan, which "attempts to steal credit card numbers by tricking the user into entering their credit card details to activate Windows." This entry explains how to remove the Trojan.

Removal instructions

1. Reboot the infected machine. You can do that by simply clicking the "No" and "Next" buttons, or by doing a good old-fashioned hard reboot.

2. While Windows is starting, press the F8 function key to enter Safe Mode.

3. Click Start > Run.

4. Type regedit

5. Click OK.

6. Navigate to and delete these subkeys:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\
...

Elia Florio | 10 May 2007 07:00:00 GMT | 0 comments

When computer programmers and OS designers introduce new functionalities in their products, they should always consider “Who is going to use this?”. Sometimes solutions created for legitimate purposes may turn into dangerous weapons if used in a bad way. Alternate Data Streams (ADS) and Encrypted File System (EFS) are just two well-known examples of good technologies used by malware such as Backdoor.Rustock and Trojan.Linkoptimizer (more here about this topic).

Today the list of good technologies used for bad purposes has a new entry.

In the past week I’ve been discussing with a friend (Frank Boldewin) a curious technique used to download malicious files on a system. Frank analyzed one of the recent Trojans spammed by e-mail in Germany during the end of March, 2007 and he...

Yazan Gable | 09 May 2007 07:00:00 GMT | 0 comments

In a recent article published at Baseline Security, a number of large corporations were identified to be hosting bot-infected computers. Although this created some waves of surprise, it really shouldn’t have. Sure, bot network owners tend to target home users, but it isn’t because home users are their preferred target; they’re just an easy target. Home users’ computers are limited in their malicious usefulness. They tend to have low bandwidth capabilities that limit their ability to send spam and carry out denial of service attacks. Also, they are often monitored and regulated by their Internet service providers.

Computers in large corporations, on the other hand, have a greater range of possibilities. These computers may be more difficult to compromise, assuming they are behind firewalls, protected by intrusion prevention systems, and...

Liam O Murchu | 08 May 2007 07:00:00 GMT | 0 comments

No, I’m not talking about typing 53704 into your calculator and turning it upside down! I’m referring to the increasing popularity of inserting links to exploits into legitimate HTML pages in an attempt to infect users who visit the affected page, multiplying the effectiveness of the original infection. I’ll outline below the steps used in one such attack that we recently received in our lab.

In this case the malicious links were added by hand after the Web server had been hacked. However, W32.Fujacks and W32.Fubalca use similar techniques to the ones discussed here to automatically infect asp, aspx, htm, html, php and jsp files residing on the infected machine in order to spread themselves further. Infostealer.Lingling was also distributed...