Security Response
Orla Cox | 30 May 2007 07:00:00 GMT | 0 comments

A new Trojan Horse called Backdoor.Robofo has been spammed out today, which uses a variety of social engineering tactics to aid its propagation. First it masquerades as an email from the US Internal Revenue Service (IRS), including the use of the IRS logo in the message body to make it appear more legitimate:

The use of legalese in the message content may intimidate some users into opening the attachment. The attachment is called COMPLAINT.rtf and, when launched, displays the following bogus error message:


...

Ron Bowes | 29 May 2007 07:00:00 GMT | 0 comments

I recently posted a blog that details a potential attack malware can use to bypass Vista's User Access Control (UAC) protection. What the attack really comes down to, however, is that if you run any untrusted code under a user account, that user account can no longer be trusted. Any shortcuts or programs in that account may be infected, waiting for an opportunity to seize control. The problem is, this isn't a mistake on Vista's part; it's an artifact of the entire concept of user-separation. This time, I'm going to detail a similar attack against UNIX and Linux operating systems.

"Sudo" (super user do) is a command that can be used on Unix-based operating systems to allow a user to run certain programs with the highest possible privilege (root). Sudo is similar to UAC in that it allows users to easily run programs with elevated privileges.

If a user runs a malicious program with a regular account, the program cannot install in a system-wide directory. On a typical UNIX-...

Candid Wueest | 28 May 2007 07:00:00 GMT | 0 comments

“Because that's where the money is” was apparently the reason given by Willie Sutton when asked why he kept robbing banks. Even though that statement may be correct, Willie Sutton never said it like this – as he explains in his book “Where the Money Was.” Still, it evolved into one of those urban myths, quoted many times. But there is an even better analogy to be made between the life of this bank robber from the 1940s and today’s online crime.

One of his nicknames was “The Actor,” which he gained after committing robberies in broad daylight, impersonating trusted personnel. He varied his disguise from telegraph messenger to maintenance man to policeman. He had realized that an acetylene torch was not the best way into a safe – it was much easier to abuse people’s trust, as no one really expected such assaults from within their own ranks. It was like an insider job, but without actually belonging to the team in the first place. Those old-school social engineering tricks are comparable...

Hon Lau | 27 May 2007 07:00:00 GMT | 0 comments

A nasty piece of malware was sent our way this weekend that we are detecting as Trojan.Mpkit!html and Downloader. This malware is yet another malware distribution and attack kit in the same vein as other kits, such as WebAttacker. This kit, called MPack, is a professionally written collection of PHP software components designed to be hosted and run from a PHP server with a database backend. It is sold by a Russian gang and comes ready to install on a PHP server, and it also comes complete with a collection of exploit modules to be used out of the box.


How it infects computers

Once the server is installed and running, all the owner has to do is to start generating some web browser traffic to it. They can do this by various...

Amado Hidalgo | 27 May 2007 07:00:00 GMT | 0 comments

We security folks always tell you that if you want to transact online safely, you should type the address of the financial institution in the browser instead of following a link, you should enter your personal information only in trusted sites that use encryption, you need to check that the little padlock in the corner of your browser is locked, you also need to verify the digital certificate is valid and matches the site you want to visit, etc... Well, that’s not enough!

Recently we analysed a Trojan horse program (Infostealer.Banker.D) that uses some cunning creativity. Using an HTML injection technique, it is capable of fooling even those who practice the standard precautionary measures against online fraud.

When the user of an infected computer goes to the login page of certain websites, the Trojan intercepts the HTML page, checks for certain blocks of...

Ron Bowes | 25 May 2007 07:00:00 GMT | 0 comments

The Internet is home to billions of computers, all of which perform the jobs they have been programmed to do. Each of these computers has a hard drive and RAM. It’s a rare case that either is completely full. A billion computers, each with a couple spare megabytes, works out to a few terabytes in a very conservative estimate.

There are several ways that this space can be harnessed to varying degrees, depending on what the ultimate goal of an attacker is. A tiny bit of RAM on a large number of computers can be used to store secret data that an attacker wants to hide, while a lot of information can be stored on some servers at the risk of being found and removed. Harnessing this space is often referred to as "parasitic storage."

One parasitic storage technique, called "juggling," can be used for extremely sensitive or illegal information. The goal for the attacker is to ensure that the complete body of information is never on their computer all at once, but that part of it is...

Stuart Smith | 24 May 2007 07:00:00 GMT | 0 comments

As with my last blog, the topic this time is behavioral detection, and the various trade-offs involved. We already covered some of the issues in the use of virtual environments for the detection of threats, and this time we’ll cover some of the issues involved in classifying behavior and mitigating damage.

Whatever your approach is to generating and tracking behavior, you need the ability to classify it. There are challenges to tracking behavior, but once you have a profile of behavior, determining what is malicious is a harder problem. Some security products solve this by handing off the problem to the user. Most don’t. The real problem in profiling is that the definition of what is malicious has changed over time. Is tracking your activity as you surf a web page malicious? If you say yes, what about the wonderful “suggest” features that use historical data? Is any program that downloads silently with no GUI malicious? What about Windows Update or Live Update? Something...

Stuart Smith | 23 May 2007 07:00:00 GMT | 0 comments

The amount of new malware in the wild is growing quickly. While this is not a new observation, I have seen some claims that behavioral detection may be the answer to this ever-increasing amount of malware. Unlike more traditional types of detection that look at static attributes inherent in a piece of software, such as unique data, code, etc., behavioral detection involves running a possible threat, tracking its behavior with various monitors, and then using the information gathered to determine if it is malicious. As more behavioral detection products emerge, one article asked “Is Desktop Antivirus Dead?” [1]. Hardly, but it is worth a look at why the question even comes up.

Behavioral detection holds out the promise of more zero-day detections, and it reduces the number of updates you need to make to your antivirus software. Note that you cannot safely eliminate updates, since the definition of malicious behavior changes over time. The history of malware, from viruses and...

Ron Bowes | 22 May 2007 07:00:00 GMT | 0 comments

A few months ago, I moved out of my home town in search of greener pastures. In doing so, I called every company I could think of who might have my previous address. And that was a lot of calling - these days, it seems like changing a home address is as difficult as changing an email address!

After I arrived, I bought a lot of stuff online. I purchased everything from books and movies to show tickets from major online retailers. I made every transaction with my credit card, and everything was shipped to my new address. I didn't have any problems - at first - all I needed was my credit card information and everything was shipped where I asked it to be shipped.

Recently, however, I purchased a new hard drive from a local computer store. Since it's on the far side of the city, I opted to have it shipped rather than pick it up. This morning, I received an email saying that they wouldn't accept the order because my shipping address didn't match the address on my credit card. So I...