Video Screencast Help
Symantec Appoints Michael A. Brown CEO. Learn more.
Security Response
Showing posts in English
Jim Hoagland | 07 Mar 2007 08:00:00 GMT | 0 comments

Greetings. For the last four months we have been busy taking a lookat the release (RTM) version of Windows Vista in an effort to updateour Windows Vista Network Attack Surface Analysis report fromlast July, which covered beta builds of Vista. To broaden and deepenour research, we have retested the results in the first report andexpanded our investigation of certain topics.

As of today, the new reportis available to you. The paper is 118 pages long, but don't worry, youdon't have to read it all! You can skip to the parts you are mostinterested in, or take a look at the 13 pages that summarize theresults in the paper. In addition, the appendices provide details ofour methodology and results. We hope you find this report useful as aWindows Vista network reference, and we hope you find value in both thedetailed security analysis and in the broad overview.

...
Eric Chien | 06 Mar 2007 08:00:00 GMT | 0 comments

I recently received an email supposedly from the Anti-Scam Department of the British Secret Intelligence Service. They sent me an email because apparently my "email address signaled to our computer database today, with strong indication that you currently MIGHT be in a business transaction where you are a SCAM VICTIM unknowingly." Oh no!

In particular, they asked if I was:
• in a business transaction case that would claim millions of dollars
• told by a lottery company that I have successfully won millions
• told I had overdue contract funds
• promised to receive large sums of money in excess of millions of dollars
• promised to be awarded a contract worth millions or billions of dollars

If so, "there is a 99.99% chance that you are currently a victim of fraud/scam, run by notorious criminals known as con artists, with the sole aim of scamming and ripping you off your very hard earned funds!!" More importantly, I was...

Masaki Suenaga | 05 Mar 2007 08:00:00 GMT | 0 comments

WordPress, a blog-publishing system written in PHP, has had a recent release of its software compromised that may allow remote code execution via a back door. While apparently limited to certain copies of 2.1.1, WordPress has since released an updated and verified version 2.1.2 and are advising people running any flavor of 2.1.1 to upgrade as soon as possible. They have also released a statement about it.

The modified code in the hacked version is contained in the following two .php files:
wp-includes\feed.php
wp-includes\themephp

These files contain instructions that can grab the parameter of the WordPress hosting service URL and pass it to either the PHP script engine or the command program of the operating system, allowing the attacker to execute a remote command on the server running the hacked version of WordPress. This includes downloading and...

Liam O Murchu | 05 Mar 2007 08:00:00 GMT | 0 comments

We have recently received a new threat that targets users of the eBay auction site and, more specifically, motor auctions. The threat, named Trojan.Bayrob, is quite advanced and tries to implement a man in the middle style attack. While we have previously seen Infostealers that try to steal your username and password, a threat attempting a man in the middle attack on eBay is very unusual.

Man in the middle attacks are very powerful, but are also difficult to code correctly. Trojan.Bayrob takes the approach of implementing a local proxy server and directing traffic bound for eBay through this local proxy server. The proxy server listens on localhost port 80.

To send traffic through its proxy server, Trojan.Bayrob changes the etc/hosts files to force traffic bound for the following sites through the local proxy server:
My.ebay....

Eric Chien | 05 Mar 2007 08:00:00 GMT | 0 comments

Recently, a new IRCbot known as Rinbot has been making the news. There are multiple variants of Rinbot (over 20 at the time of writing) and more variants are likely. However, to put Rinbot in perspective, the largest family of bots known as Spybot already has over 30,000 variants. In addition, Rinbot does not introduce any new functionality and, in fact, contains far less default functionality than the average Spybot. Based on the spread of previous variants, we don't foresee a large worldwide outbreak of Rinbot at this time. Nevertheless, just one bot infection on your network can pose trouble.

So, people shouldn't overreact to any threat posed by Rinbot itself, but instead use this opportunity to ensure they are taking proactive steps to address possible...

Stuart Smith | 05 Mar 2007 08:00:00 GMT | 0 comments

Larry Wall once said, “Three great virtues of programming arelaziness, impatience, and hubris.” It appears the authors of aW32.Darksnow have taken this saying to heart. It also appears that theywere too impatient to read the other virtues he lists – diligence,patience, and humility. And they’ve mainly focused on the virtue oflaziness, by trying to find a way to make money using other people’scomputers (and electricity and bandwidth). Specifically, they wanted tomake money using other people’s computers to spoof “impressions” ofadvertising links. Without asking the people, of course. That would betoo much work. And they’d probably say no.

Of course, you can’t just set up a computer, and let a program sitthere and pretend to view Web pages. You’d need a lot of computers toreally make money. And the ad networks are smart enough to figure outthat someone probably isn’t sitting on their computer all dayrefreshing a Web page, so the virus writers couldn’t get any money forthis....

Orlando Padilla | 02 Mar 2007 08:00:00 GMT | 0 comments

he media surrounding the effectiveness of Windows Vista's new security features has (in my opinion) just begun. Microsoft's reach is well beyond that of any other software vendor in the world, and with this achievement comes fame, power, and a corporate life under a microscope. To honor this tradition, I previously posted an entry about the effects of malicious code executed under a default Vista environment; if you haven't read it, you are certainly encouraged to. This research has now been completed and this new entry should serve as a compliment to my previous post. A paper detailing the full research has been made available here.

The outcome of the research:

In my previous blog, I mentioned that...

Orlando Padilla | 02 Mar 2007 08:00:00 GMT | 0 comments

The media surrounding the effectiveness of Windows Vista's newsecurity features has (in my opinion) just begun. Microsoft's reach iswell beyond that of any other software vendor in the world, and withthis achievement comes fame, power, and a corporate life under amicroscope. To honor this tradition, I previously posted an entryabout the effects of malicious code executed under a default Vistaenvironment; if you haven't read it, you are certainly encouraged to.This research has now been completed and this new entry should serve asa compliment to my previous post. A paper detailing the full researchhas been made available here.

The outcome of the research:

In my previous blog, I mentioned that about seventy...

Ollie Whitehouse | 01 Mar 2007 08:00:00 GMT | 0 comments

ASLR (Address Space Layout Randomization) is one of the cornerstones of Windows Vista and its enhanced security posture. ASLR workson the basis that it will move an application and its associated memoryaround, either each time it’s executed or when the host is rebooted,depending on the element concerned. The purpose of this is to hinder aclass of vulnerabilities commonly referred to as memory manipulation vulnerabilitiesby making it difficult for an attacker to know where an application isin memory. This would impede successful exploitation, which relies onfixed memory addresses.

Back in December, I decided to take a brief look at theimplementation of ASLR on Vista. I had seen some findings emerge duringits development, but these really didn’t show if the implementation wasgood, bad, or indifferent. Since my work load was winding down, as Ihad December off, and a tool I had written indicated there might besome problems, I decided to look at this in more detail. My...

Ollie Whitehouse | 01 Mar 2007 08:00:00 GMT | 0 comments

When I started this project, I had one goal in mind – to understandwhich binaries in Windows Vista were not /GS compiled. While this mayseem rather simple on the surface, as I started to dig, it became alittle more complex. That said, my goal was achievable and today I’mhappy to present my findings.

The purpose of my paper "Analysis of GS Protection in Windows Vista"was to show which binaries under a default installation of WindowsVista 32bit RTM were not protected by the Visual Studio 2005 /GScompiler flag. This, in turn, was designed to help Symantec and ourclients understand any exposure, either direct or indirect, which mayresult from this lack of protection.

The abstract for my paper is as follows:

Visual Studio 2002 introduced the Buffer Security Check(GS) option to protect stack variables from overflows that resulted inarbitrary code...