Video Screencast Help
Protect Your POS Environment Against Retail Data Breaches. Learn More.
Security Response
Showing posts in English
Symantec Security Response | 14 May 2007 07:00:00 GMT | 0 comments

In my last blog entry, Pre-Phishing Recon for Context Aware Attacks,I talked about how generic phishing messages can be used to collectcontextual information for more advanced phishing attacks. In thisblog, I will describe two such types of advanced phishing attacks.

First, I must note that a pre-phishing recon attack is not the only waythat attackers can get their hands on contextual information about aperson. Attackers can also search the internet for public documentscontaining personally-identifying information. They can buy informationabout a person on an underground economy server, and they can get theinformation through a corporate data breach. In any case, if anattacker gets access to some personal information about someone, he orshe can attempt what is called a context-aware phishing attack.

A context-aware phishing attack...

Gary Sabala | 11 May 2007 07:00:00 GMT | 0 comments

A quick Google search on the term “virtualization” returns nearly 19million results. The subject has graced the cover of nearly every majorIT trade publication in the past year in probably the past six months.In contrast, search the term “virtual security,” and you’ll be lucky tosee a meager 150,000 hits. Mark my words though—that limited attentionis about to change. As virtualization technology continues to emerge asa viable option for moving from development to production environments,the focus on the security implications of this new IT frontier willreach a tipping point.

With the security threat landscape in an enterprise changing on adaily basis, IT requires more innovative ways to protect desktopendpoints. Evolutionary security enhancements have just managed to keeppace with threats, but it is clear that more revolutionary securitymodels will be needed to protect the desktop in the future.Virtualization may hold the key.

Virtualization changes how IT thinks...

Takashi Katsuki | 10 May 2007 07:00:00 GMT | 0 comments

In the blog entry MS Needs Your Credit Card Details?, we detailed the behavior of the Kardphisher Trojan,which "attempts to steal credit card numbers by tricking the user intoentering their credit card details to activate Windows." This entryexplains how to remove the Trojan.

Removal instructions

1. Reboot the infected machine. You can do that by simply clickingthe "No" and "Next" buttons, or by doing a good-old fashioned hardreboot.

2. While Windows is starting, press the function 8 key (F8 key) to enter Safe Mode.

3. Click Start > Run.

4. Type regedit

5. Click OK.

6. Navigate to and delete these subkeys:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\
...

Elia Florio | 10 May 2007 07:00:00 GMT | 0 comments

When computer programmers and OS designers introduce newfunctionalities in their products, they should always consider “Who isgoing to use this?”. Sometimes solutions created for legitimatepurposes may turn into dangerous weapons if used in a bad way.Alternate Data Streams (ADS) and Encrypted File System (EFS) are justtwo well-known examples of good technologies used by malware such asBackdoor.Rustock and Trojan.Linkoptimizer (more here about this topic).

Today the list of good technologies used for bad purposes has a new entry.

In the past week I’ve been discussing with a friend (Frank Boldewin)a curious technique used to download malicious files on a system. Frankanalyzed one of the recent Trojans spammed by e-mail in Germany duringthe end of March, 2007 and he...

Yazan Gable | 09 May 2007 07:00:00 GMT | 0 comments

In a recent article published at Baseline Security,a number of large corporations were identified to be hostingbot-infected computers. Although this created some waves of surprise,it really shouldn’t have. Sure, bot network owners tend to target homeusers but it isn’t because home users are their preferred target;they’re just an easy target. Home users’ computers are limited in theirmalicious usefulness. They tend to have low bandwidth capabilities thatlimit their ability to send spam and carry out denial of serviceattacks. Also, they are often monitored and regulated by their Internetservice providers.

Computers in large corporations, on the other hand, have a greaterrange of possibilities. These computers may be more difficult tocompromise, assuming they are behind firewalls, protected by intrusionprevention systems, and...

Liam O Murchu | 08 May 2007 07:00:00 GMT | 0 comments

No, I’m not talking about typing 53704 intoyour calculator and turning it upside down! I’m referring to theincreasing popularity of inserting links to exploits into legitimateHTML pages in an attempt to infect users who visit the affected page,multiplying the effectiveness of the original infection. I’ll outlinebelow the steps used in one such attack that we recently received inour lab.

In this case the malicious links were added by hand after the Web server had been hacked. However, W32.Fujacks and W32.Fubalcause similar techniques to the ones discussed here to automaticallyinfect asp, aspx, htm, html, php and jsp files residing on the infectedmachine in order to spread themselves further. Infostealer.Lingling wasalso distributed...

Liam O Murchu | 08 May 2007 07:00:00 GMT | 0 comments

No, I’m not talking about typing 53704 intoyour calculator and turning it upside down! I’m referring to theincreasing popularity of inserting links to exploits into legitimateHTML pages in an attempt to infect users who visit the affected page,multiplying the effectiveness of the original infection. I’ll outlinebelow the steps used in one such attack that we recently received inour lab.

In this case the malicious links were added by hand after the Web server had been hacked. However, W32.Fujacks and W32.Fubalcause similar techniques to the ones discussed here to automaticallyinfect asp, aspx, htm, html, php and jsp files residing on the infectedmachine in order to spread themselves further. Infostealer.Lingling wasalso distributed...

Ben Greenbaum | 08 May 2007 07:00:00 GMT | 0 comments

May proves to be a busy month for Windowsadministrators as we received information on no less than 21vulnerabilities being addressed in this month's 7 patches. If youhappen to be responsible for any DNS servers running on Server 2000,2003 Server or SBS, you will most likely want to skip to the last oneand work your way up. For the rest of us, we'll start with the IEissues and continue from there:

MS07-027; 931768 Cumulative Security Update for Internet Explorer
This is the seemingly monthly cumulative patch for IE issues. Sixdistinct issues are addressed in IE this month, as well as two issuesin third-party ActiveX controls. Note that these two are only mentionedas footnotes in the advisory and therefore do not have their ownUrgency Ratings from Microsoft...

Yazan Gable | 08 May 2007 07:00:00 GMT | 0 comments

Or rather, has your debit or credit card been skimmed? Have you everbeen the victim of debit card or credit card fraud? Have you everwondered how fraudsters got your information in the first place? Youwere sure that you never let your debit card or credit card out of yoursight. You had made sure that the only online shopping you did was atsecure Websites when you used your credit card or bank account topurchase anything online. So how did they get your info?

There are a few ways that your information can leak through thecracks and into the hands of malicious fraudsters. But one of the mostpopular ways is skimming. Skimming is the process of recording the dataon the magnetic strip of a credit or debit card so that it can be usedlater in a fraudulent way. It isn’t the easiest way, but it producesthe most viable data for fraudsters to sell.

So how do they do it? Typically they use a card reader similar tothe ones that the bank or retail outlets use to process your...

Kelly Conley | 07 May 2007 07:00:00 GMT | 0 comments

The May ‘State of Spam’ report is now online. This month’s report highlights several interesting spam trends seen by Symantec, including the reduction in image spam, image uploading hosting solutions used in stock spam, company character assassination spam, and a new twist on the 419 spam technique.

419 spam is named after an article of the Nigerian Criminal Code which deals with fraud, and has primarily been used to defraud individuals with stories about African dictators and the sale of natural African reserves such as oil and gas.

We’ve all seen these scams. Typically they begin with a greeting and then immediately claim to need assistance in the transfer of funds to the U.S. Some try to tug on your heart strings with a story of loss, while others just make a direct play for your purse strings. But the point is, it’s a complete stranger asking for access to...