Security Response
Yazan Gable | 26 Apr 2007 07:00:00 GMT | 0 comments

In the last six months of 2006 we saw a pretty sharp decline in the daily number of denial of service attacks. Although there are likely a number of factors at play here, I think there is one primary factor: denial of service extortion attacks are no longer profitable.

DoS extortion attacks are usually carried out by a bot-network owner. Using their bots, the extortionist has to make a successful DoS attack against a target organization. Following that, they have to issue the extortion request and hope the target organization pays it.

The thing is that DoS attacks are loud and risky. Whenever a bot-network owner carries out a denial of service attack they run the risk of losing some of their bots. This could happen either because an attacking computer is identified and disinfected, or because it is simply blocked by its ISP from accessing the network. Furthermore, if the bot-network owner isn’t careful they could lose their entire bot network if their command and control server is...

Brian Ewell | 25 Apr 2007 07:00:00 GMT | 0 comments

Symantec Security Response has seen an increasing number of submissions of Trojan.Peacomm and related malware arriving in emails containing password-protected RAR archives.

As with the previous Peacomm spam run, the email contains an image (a GIF file) and an attachment. The image contains a message about a patch that can be used to "remove worm files" and the password for the file attached. However, in this case, the attachment is a RAR archive.

The files inside the RAR archive are detected as Trojan.Packed.13. This detection for Trojan.Packed.13 was available in definitions dated March 22, 2007. The Trojan.Packed.13 sample drops another malicious file, which is also already detected by March 22 definitions, this time as W32.Mixor.Q@mm.

These are some of the email Subject lines being used by this wave of spam:
Trojan Alert!
Virus Alert!
Virus Detected!
Virus Alert!
Spyware Alert!
Worm Detected!

Some sample Attachment...

Luis Navarro | 25 Apr 2007 07:00:00 GMT | 0 comments

In a recent blog entry, I talked about creating a strong password. But what are passwords used for? They are, among other things, a mechanism for ensuring that sensitive data is accessed only by authorized persons. Some of that sensitive data may be personal data that can be used to uniquely identify a person, such as their Social Security Number or driver’s license number. If a person obtains sufficient personal data on an individual, they can perform identity theft, impersonating that individual in order to fraudulently open accounts, obtain credit cards, etc. It can take the individual whose identity was stolen a long time to get things straightened out, and during that time their credit history is tarnished.

Personal data is collected during normal business transactions. Even organizations that may not collect personal data from customers will still have personal data for their employees. This data must be protected from unauthorized disclosure. Depending on where you...

Ollie Whitehouse | 24 Apr 2007 07:00:00 GMT | 0 comments

With the advent of Windows Mobile 6 came a file system filter driver for encrypting data on Secure Digital (SD) cards, which are frequently used to store sensitive data. Previously, to gain access to users' data, an attacker could simply steal their SD card. Breaking the device's PIN protection was completely unnecessary.

In order to protect users and enterprises alike, Microsoft implemented on-device encryption for SD cards. The downside, however, is that the master key used for this encryption does not persist across hard resets. There is currently no escrow mechanism, which is clearly stated by Microsoft: [1]

There isn't any key escrow or recovery in this release. We realize this is very important to many enterprise customers. Feel free to add your comments about how important this is to your organization as it helps us prioritize the work for the future. If you don't want key escrow, that would also be good to hear.

Symantec Security Response | 23 Apr 2007 07:00:00 GMT | 0 comments

Identity theft and phishing have become prominent issues in the last few years. In this time, many users have become savvy to phishing schemes and are less likely to fall for traditional phishing attacks. In order to keep the stream of revenue flowing, attackers have had to begin using more advanced techniques. One of the more recent techniques is called "context-aware" phishing. A context-aware phishing attack uses specific personal information about intended victims to gain their trust. With the right information and implementation, this type of attack can be very effective. To get the necessary personal information for this attack, phishers have become more like private investigators.

In this blog, I'll talk about one of the techniques used by attackers to find the information necessary to carry out effective context-aware phishing attacks. This includes identifying targets, finding which brands can be phished for a given target, and researching personal information to supply the...

Peter Ferrie | 20 Apr 2007 07:00:00 GMT | 0 comments

Microsoft's JScript is a very powerful and flexible language. However, great flexibility leads to a great potential for obfuscation. We have seen many examples of JScript obfuscation in the past, such as string concatenation and dynamic decoding, and will likely see more in the future.

The most recent and a potentially problematic example uses one of the simplest obfuscation methods: Unicode escaping. Normally, Unicode escaping is used to send Unicode characters that might not travel well across networks, such as characters that could be transformed according to the system locale. From a security perspective, Unicode escaping is widely used to deliver executable code in Web exploits.

What was previously unknown to us is that Unicode escapes can be applied to function names, variables, and all kinds of other code. This was demonstrated by the recent virus that we detect as ...

Ollie Whitehouse | 19 Apr 2007 07:00:00 GMT | 0 comments

User Interface Spoofing and Its Impact on Security
As you may have seen in James O’Connor’s paper, Attack Surface Analysis of Blackberry Devices, there is a bug/vulnerability in BlackBerry devices that allows an attacker to spoof the interface that shows a .jad file's signing properties. A .jad file is a Java package descriptor format that is frequently used to distribute applications for mobile phones. This spoofing allows an attacker to make a .jad application appear to be signed by a legitimate user or company. The attacker accomplishes this by using a carefully constructed file with the appropriate number of spaces within certain strings.

Because the susceptibility to this class of attacks is not unique to the BlackBerry or to .jad files, I thought it might make an interesting blog entry. I originally found something like this...

James O'Connor | 19 Apr 2007 07:00:00 GMT | 0 comments

Some of you may have read my blog article last year about the BlackBerry mobile device: Hacking the BlackBerry along with the associated whitepaper, Blackberry Security: Ripe for the picking? We decided not to widely distribute that paper for a number of reasons, including the fact that the model reviewed was a tad on the old side (BlackBerry 7290 circa 2004). Well, fast-forward to 2007, when I was supplied with a shiny new BlackBerry Pearl 8100 and a blank sheet of paper.

As I alluded to in my previous blog, the Pearl represents a significant departure for Research In Motion; a departure from the world of purely corporate utility, and an arrival at the world of consumer-oriented features. The device sports a beautifully stylized slimline form-factor, a 1.3 megapixel camera, and a removable media card as standard. Of course, all the...

Ron Bowes | 18 Apr 2007 07:00:00 GMT | 0 comments

The Home and Home Office Security Report (HHOSR), a monthly report released by Symantec, provides a high-level overview of Internet security concerns that may be of interest to home and home office users. March's HHOSR focused largely on Volume XI of Symantec's Internet Security Threat Report.

This HHOSR's hot topic discussed the price of a wide variety of information related to personal identity. The types of information, and the prices at which they were offered, are outlined in Table 1 below.

Table 1: Prices for identity-related information

Item                 Cost in US Dollars
Complete Identity    $14 - $18
US Credit Card       $1 - $6
UK Credit Card       $2 - $12
Elia Florio | 17 Apr 2007 07:00:00 GMT | 0 comments

What we saw in the first Trojan.Peacomm outbreak during January was only the beginning of the “storm-worm” war. The initial outbreak seemed to be an experiment in setting up a peer-to-peer (P2P) bot network, and to test the potential of the Trojan. The bad guys who were behind those criminal activities used the first variant of Peacomm to distribute a set of single-module Trojans that were programmed to send spam, perform DDoS attacks, gather mail addresses, and distribute new versions of the Trojan.