Security Response
Hon Lau | 30 Apr 2007 07:00:00 GMT | 0 comments

Since late yesterday we have seen a marked increase in the activity of a new Sober variant doing the rounds.
A new variant of Sober named W32.Sober.AA@mm is currently being spammed out to many users around the world.
The spam can be either in English or German and uses classic social engineering techniques to trick users into opening and running the attachments.

The emails sent have the following characteristics:

Ihr Passwort wurde geaendert!
Fehlerhafte Mailzustellung
Ihr Account wurde eingerichtet!
Your Updated Password!
Error in your eMail

Ihr Passwort wurde erfolgreich geaendert.
Ihre neuen Account-Daten und Passwort befinden sich gesichert im Anhang!


Diese Nachricht wurde Automatisch generiert.
- Ihre...

Orla Cox | 30 Apr 2007 07:00:00 GMT | 0 comments

Commercial rootkits were first brought to the public's attention with the infamous Sony DRM case. This was followed a few months later by a rootkit component included on some KinoWelt DVDs. This rootkit was part of the Alpha-DVD content-protection software produced by the Korean company Settec. Discussion surrounding commercial rootkits has died down somewhat since then; however, this doesn't mean that they've gone away.

Recently we added detection for a rootkit which is installed by the Korean online shopping site Cashmoa. In order to log onto the site, the user is required to install a software package. This package includes a driver called cmdriver.sys. The driver behaves like a rootkit by hiding processes which use a particular name. The danger is that a...

Nicolas Falliere | 27 Apr 2007 07:00:00 GMT | 0 comments

A few days ago, we received yet another submission containing a strange Animated Cursor file. This vulnerability made quite some noise, and though we thought it was handled by now, this file was definitely not the usual ANI exploit…

An ANI file follows the RIFF standard, with a few exceptions. It is a collection of data chunks, all having the same format of "header | size | data". Therefore, spotting malicious files attempting to exploit the vulnerability should be easy. But is it? For the human eye, it is. For a heuristic detection, in spite of what was said before, it is not. Despite the supposedly easy structure of the Animated Cursor file, Microsoft’s implementation of its parser is quite loose.

First, invalid chunks will get properly parsed. Though not affecting the ANI file itself, such chunks should not be encountered in cursor files, but the ANI parser just allows and skips them. Fair enough, our detections can handle that as well. Attackers, after a few days of ‘...

Yazan Gable | 26 Apr 2007 07:00:00 GMT | 0 comments

In the last six months of 2006 we saw a pretty sharp decline in the daily number of denial of service attacks. Although there are likely a number of factors at play here, I think there is one primary factor: denial of service extortion attacks are no longer profitable.

DoS extortion attacks are usually carried out by a bot-network owner. Using their bots, the extortionist has to make a successful DoS attack against a target organization. Following that, they have to issue the extortion request and hope the target organization pays it.

The thing is that DoS attacks are loud and risky. Whenever a bot-network owner carries out a denial of service attack they run the risk of losing some of their bots. This could happen either because an attacking computer is identified and disinfected, or if it is simply blocked by its ISP from accessing the network. Furthermore, if the bot-network owner isn’t careful they could lose their entire bot network if their command and control server is...

Brian Ewell | 25 Apr 2007 07:00:00 GMT | 0 comments

Symantec Security Response has seen an increasing number of submissions of Trojan.Peacomm and related malware arriving in emails containing password-protected RAR archives.

As with the previous Peacomm spam run, the email contains an image (a GIF file) and an attachment. The image contains a message about a patch that can be used to "remove worm files" and the password for the file attached. However, in this case, the attachment is a RAR archive.

The files inside the RAR archive are detected as Trojan.Packed.13. This detection for Trojan.Packed.13 was available in definitions dated March 22, 2007. The Trojan.Packed.13 sample drops another malicious file, which is also already detected by March 22 definitions, this time as W32.Mixor.Q@mm.

These are some of the email Subject lines being used by this wave of spam:
Trojan Alert!
Virus Alert!
Virus Detected!
Virus Alert!
Spyware Alert!
Worm Detected!

Some sample Attachment...

Luis Navarro | 25 Apr 2007 07:00:00 GMT | 0 comments

In a recent blog entry, I talked about creating a strong password. But what are passwords used for? They are, among other things, a mechanism for ensuring that sensitive data is accessed only by authorized persons. Some of that sensitive data may be personal data that can be used to uniquely identify a person, such as their Social Security Number or driver’s license number. If a person obtains sufficient personal data on an individual, they can perform identity theft, impersonating that individual in order to fraudulently open accounts, obtain credit cards, etc. It can take the individual whose identity was stolen a long time to get things straightened out, and during that time their credit history is tarnished.

Personal data is collected during normal business transactions. Even organizations that may not collect personal data from customers will still have personal data for their employees. This data must be protected from unauthorized disclosure. Depending on where you...

Ollie Whitehouse | 24 Apr 2007 07:00:00 GMT | 0 comments

With the advent of Windows Mobile 6 came a file system filter driver for encrypting data on Secure Digital (SD) cards, which are frequently used to store sensitive data. Previously, to gain access to users' data, an attacker could simply steal their SD card. Breaking the device's PIN protection was completely unnecessary.

In order to protect users and enterprises alike, Microsoft implemented on-device encryption for SD cards. The down side, however, is that the master key used for this encryption is non-persistent between hard resets. There is currently no escrow mechanism, which is clearly stated by Microsoft: [1]

There isn't any key escrow or recovery in this release. We realize this is very important to many enterprise customers. Feel free to add your comments about how important this is to your organization as it helps us prioritize the work for the future. If you don't want key escrow, that would also be good to hear.

Symantec Security Response | 23 Apr 2007 07:00:00 GMT | 0 comments

Identity theft and phishing have become prominent issues in the last few years. In this time, many users have become savvy to phishing schemes and are less likely to fall for traditional phishing attacks. In order to keep the stream of revenue flowing, attackers have had to begin using more advanced techniques. One of the more recent techniques is called "context-aware" phishing. A context-aware phishing attack uses specific personal information about intended victims to gain their trust. With the right information and implementation, this type of attack can be very effective. To get the necessary personal information for this attack, phishers have become more like private investigators.

In this blog, I'll talk about one of the techniques used by attackers to find the information necessary to carry out effective context-aware phishing attacks. This includes identifying targets, finding which brands can be phished for a given target, and researching personal information to supply the...

Peter Ferrie | 20 Apr 2007 07:00:00 GMT | 0 comments

Microsoft's JScript is a very powerful and flexible language. However, great flexibility leads to a great potential for obfuscation. We have seen many examples of JScript obfuscation in the past, such as string concatenation and dynamic decoding, and will likely see more in the future.

The most recent and a potentially problematic example uses one of the simplest obfuscation methods: Unicode escaping. Normally, Unicode escaping is used to send Unicode characters that might not travel well across networks, such as characters that could be transformed according to the system locale. From a security perspective, Unicode escaping is widely used to deliver executable code in Web exploits.

What was previously unknown to us is that Unicode escapes can be applied to function names, variables, and all kinds of other code. This was demonstrated by the recent virus that we detect as ...
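The consequence for detection is that a signature matching on the literal text `eval` never sees `\u0065val`, even though the script engine treats the two identically. The Python below is an added example (not Symantec's scanner and not code from the original post) of the normalisation step a scanner can apply before matching: it decodes `\uXXXX` escapes only inside identifier tokens, leaving string literals and comments untouched so that escaped quotes in strings keep their meaning. The `SUSPICIOUS` name list and the obfuscated sample script are constructed here for illustration; regular-expression literals are not specially tokenised, which is a simplification of this example.

```python
import re

# An identifier, allowing \uXXXX escapes in place of any character (JScript permits this).
IDENT_RE = re.compile(r'(?:[A-Za-z_$]|\\u[0-9A-Fa-f]{4})(?:[A-Za-z0-9_$]|\\u[0-9A-Fa-f]{4})*')
ESC_RE = re.compile(r'\\u([0-9A-Fa-f]{4})')

# Built-in names whose appearance is worth a second look (assumed watch-list).
SUSPICIOUS = {"eval", "unescape", "ActiveXObject", "WScript", "execScript"}


def decode_identifier(tok):
    """Replace every \\uXXXX escape in an identifier token with the character it names."""
    return ESC_RE.sub(lambda m: chr(int(m.group(1), 16)), tok)


def tokenize(src):
    """Split JScript source into (kind, text) pairs: 'string', 'comment', 'ident' or 'other'.
    Strings and comments are copied verbatim so escapes inside them are never rewritten."""
    tokens = []
    i, n = 0, len(src)
    while i < n:
        c = src[i]
        if c in "'\"":
            j = i + 1
            while j < n and src[j] != c:
                j += 2 if src[j] == "\\" else 1   # skip backslash-escaped characters
            tokens.append(("string", src[i:j + 1]))
            i = j + 1
        elif src.startswith("//", i):
            j = src.find("\n", i)
            j = n if j < 0 else j
            tokens.append(("comment", src[i:j]))
            i = j
        elif src.startswith("/*", i):
            j = src.find("*/", i + 2)
            j = n if j < 0 else j + 2
            tokens.append(("comment", src[i:j]))
            i = j
        else:
            m = IDENT_RE.match(src, i)
            if m:
                tokens.append(("ident", m.group(0)))
                i = m.end()
            else:
                tokens.append(("other", c))
                i += 1
    return tokens


def normalize_jscript(src):
    """Return the source with identifier-level Unicode escapes decoded, all else unchanged."""
    return "".join(decode_identifier(t) if k == "ident" else t for k, t in tokenize(src))


def suspicious_names(src):
    """Sorted watch-list names that occur as identifiers once escapes are decoded."""
    seen = {decode_identifier(t) for k, t in tokenize(src) if k == "ident"}
    return sorted(seen & SUSPICIOUS)


# Constructed sample: 'eval' is hidden behind one escaped letter; the string and the
# comment also contain escapes, which must survive normalisation unchanged.
OBFUSCATED = r'var x = \u0065val("\u0041"); // \u0065val stays'

if __name__ == "__main__":
    print(normalize_jscript(OBFUSCATED))
    print(suspicious_names(OBFUSCATED))
```

Run the normaliser before any text-based signature matching; as the sample shows, the raw script contains no literal `eval`, while the decoded identifier list does.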

Ollie Whitehouse | 19 Apr 2007 07:00:00 GMT | 0 comments

User Interface Spoofing and Its Impact on Security
As you may have seen in James O’Connor’s paper, Attack Surface Analysis of Blackberry Devices, there is a bug/vulnerability in Blackberry devices that allows an attacker to spoof the interface that shows a .jad file's signing properties. A .jad file is a Java package format that is frequently used to distribute applications for mobile phones. This spoofing allows an attacker to make a .jad application appear to be signed by a legitimate user or company. The attacker accomplishes this by using a carefully constructed file with the appropriate amount of spaces within certain strings.

Because the susceptibility to this class of attacks is not unique to the BlackBerry or to .jad files, I thought it might make an interesting blog entry. I originally found something like this...