Video Screencast Help
Symantec to Separate Into Two Focused, Industry-Leading Technology Companies. Learn more.
Security Response
Showing posts in English
Liam O Murchu | 07 Mar 2007 08:00:00 GMT | 0 comments

On March 5, we posted a blog about a new threat called Trojan.Bayrob that targets users of the eBay auction site and, more specifically, motor auctions. Following further research, we are able to shed some more light on the mechanics of Trojan.Bayrob. As stated previously, this attack is targeted at users who will be highly likely to buy a car on eBay, (e.g. second-hand car sales companies).

In this attack, victims are sent an email about a car that is being offered for sale. The email contains a legitimate slide show program that shows images of the car on offer; however, the email also contains the Trojan.Bayrob file. Below are two examples of what the slide show looks like. While the victim views the slide show, the Trojan is...

Eric Chien | 07 Mar 2007 08:00:00 GMT | 0 comments

Symantec has recently received a phishing email that makes use of an interesting technique of hiding a phishing site URL. When receiving a suspected phishing message, one of the methods of determining if the embedded URLs are legitimate or not is to simply pass your cursor over the underlined hyperlink and then check the URL in the status bar of your browser. In the status bar, you can see if the link belongs to the appropriate domain or not.

Using Javascript, one can alter the text in the status bar. So, when browsing on the Web in general, this isn't always a reliable technique to verify the underlying URL. However, when receiving an HTML email in an email client (including Webmail), Javascript is generally neutered so it does not execute, preventing the obfuscation of the status bar via Javascript, making this technique more reliable. However, this phishing message we recently received is able to modify what is displayed in the status bar without the use...

Elia Florio | 07 Mar 2007 08:00:00 GMT | 0 comments

Windows Live is “everything you need, all in one place” and it looks like the search engine really does know what exactly it is that Italians need! Today, we came across a story that was reported by Sunbelt about a takeover of the Italian version of the Windows Live search engine. We decided to do a bit more investigating into those rumors.

At the moment, the problem is that when someone searches a combination of specific Italian keywords on the Windows Live portal, that person will always get a set of weird links in the search results. These weird links will most likely be related to the Linkoptimizer gang (aka Gromozon)—so this likely means that the Gromozon gang has managed to take over and manipulate the search results of Windows Live by getting their links to end up on the top of the search result lists.

...

Elia Florio | 07 Mar 2007 08:00:00 GMT | 0 comments

Windows Live is “everything you need, allin one place” and it looks like the search engine really does know whatexactly it is that Italians need! Today, we came across a story thatwas reported by Sunbelt about a takeover of the Italian version of theWindows Live search engine. We decided to do a bit more investigatinginto those rumors.

At the moment, the problem is that when someone searches acombination of specific Italian keywords on the Windows Live portal,that person will always get a set of weird links in the search results.These weird links will most likely be related to the Linkoptimizer gang(aka Gromozon)—so this likely means that the Gromozon gang has managedto take over and manipulate the search results of Windows Live bygetting their links to end up on the top of the search result lists.

...

Liam O Murchu | 07 Mar 2007 08:00:00 GMT | 0 comments

On March 5, we posted a blog about a new threat called Trojan.Bayrob that targets users of the eBay auction site and, more specifically, motor auctions. Following further research, we are able to shed some more light on the mechanics of Trojan.Bayrob. As stated previously, this attack is targeted at users who will be highly likely to buy a car on eBay, (e.g. second-hand car sales companies).

In this attack, victims are sent an email about a car that is being offered for sale. The email contains a legitimate slide show program that shows images of the car on offer; however, the email also contains the Trojan.Bayrob file. Below are two examples of what the slide show looks like. While the victim views the slide show, the Trojan is...

Eric Chien | 07 Mar 2007 08:00:00 GMT | 0 comments

Symantec has recently received a phishing email that makes use of an interesting technique of hiding a phishing site URL. When receiving a suspected phishing message, one of the methods of determining if the embedded URLs are legitimate or not is to simply pass your cursor over the underlined hyperlink and then check the URL in the status bar of your browser. In the status bar, you can see if the link belongs to the appropriate domain or not.

Using Javascript, one can alter the text in the status bar. So, when browsing on the Web in general, this isn't always a reliable technique to verify the underlying URL. However, when receiving an HTML email in an email client (including Webmail), Javascript is generally neutered so it does not execute, preventing the obfuscation of the status bar via Javascript, making this technique more reliable. However, this phishing message we recently received is able to modify what is displayed in the status bar without the use...

Elia Florio | 07 Mar 2007 08:00:00 GMT | 0 comments

Windows Live is “everything you need, all in one place” and it looks like the search engine really does know what exactly it is that Italians need! Today, we came across a story that was reported by Sunbelt about a takeover of the Italian version of the Windows Live search engine. We decided to do a bit more investigating into those rumors.

At the moment, the problem is that when someone searches a combination of specific Italian keywords on the Windows Live portal, that person will always get a set of weird links in the search results. These weird links will most likely be related to the Linkoptimizer gang (aka Gromozon)—so this likely means that the Gromozon gang has managed to take over and manipulate the search results of Windows Live by getting their links to end up on the top of the search result lists.

...

Jim Hoagland | 07 Mar 2007 08:00:00 GMT | 0 comments

Greetings. For the last four months we have been busy taking a lookat the release (RTM) version of Windows Vista in an effort to updateour Windows Vista Network Attack Surface Analysis report fromlast July, which covered beta builds of Vista. To broaden and deepenour research, we have retested the results in the first report andexpanded our investigation of certain topics.

As of today, the new reportis available to you. The paper is 118 pages long, but don't worry, youdon't have to read it all! You can skip to the parts you are mostinterested in, or take a look at the 13 pages that summarize theresults in the paper. In addition, the appendices provide details ofour methodology and results. We hope you find this report useful as aWindows Vista network reference, and we hope you find value in both thedetailed security analysis and in the broad overview.

...
Eric Chien | 06 Mar 2007 08:00:00 GMT | 0 comments

I recently received an email supposedly from the Anti-Scam Department of the British Secret Intelligence Service. They sent me an email because apparently my "email address signaled to our computer database today, with strong indication that you currently MIGHT be in a business transaction where you are a SCAM VICTIM unknowingly." Oh no!

In particular, they asked if I was:
• in a business transaction case that would claim millions of dollars
• told by a lottery company that I have successfully won millions
• told I had overdue contract funds
• promised to receive large sums of money in excess of millions of dollars
• promised to be awarded a contract worth millions or billions of dollars

If so, "there is a 99.99% chance that you are currently a victim of fraud/scam, run by notorious criminals known as con artists, with the sole aim of scamming and ripping you off your very hard earned funds!!" More importantly, I was...

Masaki Suenaga | 05 Mar 2007 08:00:00 GMT | 0 comments

WordPress, a blog-publishing system written in PHP, has had a recent release of its software compromised that may allow remote code execution via a back door. While apparently limited to certain copies of 2.1.1, WordPress has since released an updated and verified version 2.1.2 and are advising people running any flavor of 2.1.1 to upgrade as soon as possible. They have also released a statement about it.

The modified code in the hacked version is contained in the following two .php files:
wp-includes\feed.php
wp-includes\themephp

These files contain instructions that can grab the parameter of the WordPress hosting service URL and pass it to either the PHP script engine or the command program of the operating system, allowing the attacker to execute a remote command on the server running the hacked version of WordPress. This includes downloading and...