Security Response
Symantec Security Response | 21 Jun 2007 07:00:00 GMT | 0 comments

Earlier this year, NIST (National Institute of Standards and Technology) announced that they will be hosting an open competition to decide on a new secure cryptographic hash standard. Cryptographic hash functions are a fundamental part of cryptography and computer security. A cryptographic hash function takes an input and returns a (practically) unique output, providing applications in authentication, encryption and digital signatures.

The most commonly used hash functions right now have been around since the mid-nineties and are beginning to show some serious cracks. One of the basic requirements of a cryptographic hash function is that it must be very hard to find two inputs that map to the same output. When two such inputs are found it is called a collision, and collisions are a really bad thing for hash functions. The Message Digest 5 (MD5) algorithm was created in 1991 by Ron...

Ollie Whitehouse | 20 Jun 2007 07:00:00 GMT | 0 comments

In the words of the Ghostbusters, “We’ve got one…” We’ve got what, I hear you ask? We now have an example of alleged SMS spam with some real statistics rather than the usual conjecture. We know SMS spam has been growing through the monitoring of such sites as Grumble Text [1]; however, we’ve never had true insight into the scale of a professional SMS spamming operation.

Well, recently that changed - TelecomWeb broke the story [2] that,

“Verizon Wireless filed a lawsuit against Nev.-based I-VEST Global Corporation and various "John Does," alleging they sent unsolicited commercial electronic messages (wireless spam) to its customers.” and that “The lawsuit, filed in U.S. District Court in Trenton, N.J., alleges that, beginning in April, I-VEST attempted to send more than 12 million text messages to Verizon Wireless handsets, offering information about buying stocks or real estate. However, the carrier says spam filtering and network monitoring...

Eric Chien | 19 Jun 2007 07:00:00 GMT | 0 comments

On multiple Windows Live Messenger accounts (formerly MSN Messenger), we received the following messages (don't visit the link!):

     Get surprise at http://www.messengerweb.info/ Unbelievable!

     Hey, http://www.messengerweb.info/ helps u find out who is your friend!

     U have deleted me! Look here http://www.messengerweb.info

Was this a new worm? Or a bot that was sending out IM spam? Turns out it is neither and instead much more like adware. The site being advertised states they can find out who may have removed you from their contact list. All the service requires is for you to "enter your MSN account and password and we will tell you who has...

Peter Ferrie | 19 Jun 2007 07:00:00 GMT | 0 comments

It seems that for every scripting language that is powerful enough to host a virus, a virus will be written for it eventually. It also doesn't seem to matter if the audience for that scripting language is very restricted, or that the scripts might not be shared with anyone else.

This brings us to the first virus for the Autodesk Maya 3D scripting language - "Maya Embedded Language" or "MEL" - which we call MEL.Odorous.

This virus is simply a proof-of-concept. It begins by searching in the current directory for the .MEL file that contains its code. It reads this code into a buffer that will be used for replication. Then it searches again in the current directory for other .MEL files. For any .MEL file that is found to not be already infected, the virus will prepend itself to the file. There is no payload, and it does nothing but replicate.

Such a virus...

Amado Hidalgo | 19 Jun 2007 07:00:00 GMT | 0 comments

You always thought that by staying clear of the dark alleys of the Internet and visiting only “reputable” websites, you would be safe from attacks and dubious content. I am afraid that is not enough. My colleagues Elia Florio and Hon Lau reported recently (here and here) about legitimate sites that had been compromised to include a malicious IFRAME that, without your knowledge, redirects you to a site serving exploits.

As Elia mentioned, thousands of sites (mostly Italian, but with several other nationalities included) were compromised. We were puzzled as to how the MPack gang had managed to hack so many sites in a short period of time, and how they could inject the malicious iframe so quickly.

The MPack gang...

Elia Florio | 18 Jun 2007 07:00:00 GMT | 0 comments

When SkyLined released, in 2004, one of the first proof-of-concept exploits introducing the “Heap Spraying” technique, he commented on his code in this way [1]:

“The JavaScript creates a large amount of heap-blocks filled with 0x0D byte nopslides followed by the shellcode. This is to make sure [0x0D0D0D0D] == 0x0D0D0D0D. It's not the most efficient thing in the world but it works like a charm for most IE bugs.”

Well, it was not the most efficient thing in the world, but it has been proven to work so well that it actually is the most copied-and-pasted piece of code used to exploit many of the Internet Explorer vulnerabilities discovered since 2004.

So, I was surprised to come across an exploit in the wild that uses a different heap manipulation technique. The malicious code was hosted on a Russian domain (hxxp://crun[REMOVED].info) and was part of one of the typical web attacker toolkits developed by Eastern European gangs. The code exploited...

Eric Chien | 15 Jun 2007 07:00:00 GMT | 0 comments

Just hours after Apple released Safari for Windows and I wrote about the potential for associated exploits, multiple exploits have been released. This currently includes:

Apple Safari for Windows Protocol Handler Command Injection Vulnerability (BID 24434)
Apple Safari for Windows Unspecified Denial of Service Vulnerability (BID 24431)
Apple Safari for Windows Unspecified Remote Code Execution and Denial of Service Vulnerabilities (BID 24433)

Details on the first one have already been released publicly and the other two have been reportedly disclosed to Apple. We have not...

Elia Florio | 15 Jun 2007 07:00:00 GMT | 0 comments

We verified a report of a large-scale web attack ongoing in Italy at the moment. The attack is similar to what we described in our previous blog; it just uses a new final domain which runs the hostile exploits of the Mpack 0.86 kit.

The gang behind the attack had successfully compromised the homepages of hundreds of legitimate Italian websites. We checked many of them and we verified that they now include a malicious IFRAME (detected as Trojan.Mpkit!html) which redirects to the same bad IP address. The list of compromised sites is huge and from Mpack statistics this attack is working efficiently (the...

Ron Bowes | 14 Jun 2007 07:00:00 GMT | 0 comments

In my recent article about Spam in Multiplayer Online Games (smog), I talk about how spammers sell resources such as gold. These resources can be obtained with minimal user interaction, by using an automated program to control characters and play the game. By doing this, gold can be collected and either used or sold for real money.

As a massively multiplayer online game develops, an economy develops. The value of rare items tends to emerge, and people will make fair trades or purchases from each other. People who play the game for a reasonable amount of time are able to purchase the same items as others, by collecting gold (or whatever currency is used). Ideally, the economy will balance and end up at a fair point.

However, automated programs can be used for this collection. A program can run 24/7, doing nothing but harvesting gold. This gold...

Greg Ahmad | 13 Jun 2007 07:00:00 GMT | 0 comments

On April 27, 2007, various Internet resources from the Republic of Estonia came under a series of DDOS or distributed denial of service attacks. According to claims by Estonian government officials and media, the attacks originated in Russia and followed a dispute between the government and ethnic Russians over the relocation of a Soviet war memorial from the Estonian capital of Tallinn. The attacks targeted websites belonging to government ministries, banks, media, political parties and businesses.

Though DDOS attacks against various networks have taken place on numerous occasions in the past, the particularly interesting aspect of these attacks was that they appear to be...