Security Response
Amado Hidalgo | 07 Feb 2007 08:00:00 GMT | 0 comments

Last week, Microsoft published Security Advisory 932553 to warn Windows users of a new vulnerability in Microsoft Office. Security Response has analysed a sample of a malicious Microsoft Excel file that appears to be exploiting the vulnerability that is hinted at in that Advisory. Fully patched versions of Office 2000, XP, and 2003 appear to be vulnerable to this exploit.

Upon opening the malicious Microsoft Excel document, which Symantec now detects as Trojan.Mdropper.Y, it drops a Trojan horse program by using the exploit referenced by CVE-2007-0671 (BID 22383). It proceeds to drop a back door Trojan onto the compromised computer. It then attempts to contact...

Zulfikar Ramzan | 06 Feb 2007 08:00:00 GMT | 0 comments

Castlecops, a volunteer-run organization that has made tremendous waves in fighting phishing, announced a sweepstakes to celebrate their five-year anniversary. A number of security vendors, including Symantec, have contributed prizes to the contest. In addition, Castlecops receives a list of verified phishing sites from Symantec through the Phish Report Network.

For those who don’t know, Castlecops runs the Phish Incident Reporting and Termination (PIRT) task force. If you find a legitimate phishing site and report it to them, Castlecops does the leg work to help take the site down before it does additional damage. In addition, they collect information to work with law enforcement. If the phisher has stored stolen credentials (e.g., passwords, credit card numbers, bank account numbers, social security numbers, etc.) directly on the Web server that he or she compromised, then there...

Ollie Whitehouse | 05 Feb 2007 08:00:00 GMT | 0 comments

Recently my boss provided me with a license for some mind-mapping software (if you’re curious, it’s MindManager from MindJet). So, I took it for a spin on a subject close to my heart and if you’re a regular reader I’m betting you’ll be able to guess what it is – yep, mobile device threats.

For mobile device threats, I found that it was actually quite a good way to communicate the threats modern mobile devices face today. You can see the results below (click on the image for a larger version). This rocked for several reasons, not the least because it saved me from having to type out long and rambling descriptions while trying to poorly communicate their relationships. The threats shown below are the most applicable to modern smart devices, yet certain categories also apply to legacy mobile devices running proprietary operating systems.

...

Marc Fossi | 02 Feb 2007 08:00:00 GMT | 0 comments

Being a fan of novels in the “cyberpunk” genre, the concept of virtual online worlds intrigues me. Standard massively multiplayer online games (MMOGs) seem boring in comparison to the flexibility of a world that allows participants to create their own objects within the virtual environment. These creations are really only limited by the user’s imagination and the boundaries of the coding language.

Recently, I read an article about residents of Second Life staging in-world protests against a political party that opened an office in the world (I won’t get into the details here because this space isn’t about politics). What really caught my eye were some of the forms these protests took, including users strafing the offices with virtual machine guns and exploding pigs.

So what does any of this have to do with computer security? Well, a couple of things about Second Life are noteworthy. One is that some miscreants were successful in creating self-replicating code (like a virus) in...

Joseph Blackbird | 01 Feb 2007 08:00:00 GMT | 0 comments

What better time than January to review last year's security issues and discuss predictions for the coming months of 2007. This issue of Symantec's Home and Home Office Security Report looks into this, as well as discussing current potential risks and threats that could impact home and home office users.

On January 20, 2007, a critical security flaw in Apple iChat was reported. Hackers could use the flaw to break into your computer, allowing them to read your email messages and address books, steal your files and software, and use your computer to carry out further hacking attempts. A hacker could also take advantage of the flaw by enticing you to visit a malicious Web site or open a malicious file. When the Web site is loaded or the file is opened, the malicious content will take advantage of the flaw and allow the attacker to gain control of your computer. At the time of this writing, Apple had not yet released solutions for all of these problems, but you can protect yourself...

Elia Florio | 31 Jan 2007 08:00:00 GMT | 0 comments

We've been getting a lot of requests from people asking what it looks like when your computer is compromised by one of these very limited targeted attacks that involves any of the recent MS Word zero-day vulnerabilities. A targeted attack begins with an incoming email that has a .DOC file attached; a very common event that happens to almost everyone every day. The email sender looks legitimate (it's spoofed of course!) and the document name is selected to appeal to the recipient. For example, if the targeted user is an accountant, then the document would look like a tax certificate or an invoice. For members of governments, it could appear to be an important communication from a Minister. For finance brokers, a stocks analysis and so on...

Targeted attacks are not intended for the masses, so we're never going to see the usual "Very exciting greeting postcard.exe" attached to those emails. But the big question is: what happens when someone opens the malicious...

Eric Chien | 30 Jan 2007 08:00:00 GMT | 0 comments

We have received some additional Word documents that exploit an unpatched Microsoft Word vulnerability. These documents are detected as Trojan.Mdropper.X. We believe this is a new vulnerability, making it the fifth currently unpatched Office file format vulnerability. While these documents are being used in a targeted attack consistent with previous cases, we have received different documents that use this same exploit from multiple organizations. The documents have been each designed specifically for the targeted organization in both language and content.

The vulnerability could be a slight variation or may be covered by the existing CVEs and we are awaiting confirmation from Microsoft Security Response Center. Nevertheless, no patches appear to be available, so, as always, be careful opening unsolicited Word documents.

Update - Feb 1st, 2007 11:40 UTC: We have received confirmation from Microsoft that the vulnerability being used in these attacks is in...

Ollie Whitehouse | 30 Jan 2007 08:00:00 GMT | 0 comments

So, it's Tuesday morning in London town and I've been up since 6:00 a.m. staring at a monitor, trying to free myself from PowerPoint hell (it's all rock and roll I tell ya!). Anyway, this morning I stumbled across an InfoWorld article entitled “Hackers to target mobile banking, study says.” This article seems to have been spun out of a press release by the Tower Group entitled “Increases in Mobile Fraud and ID Theft Could Hamper Mobile Payment / Banking Initiatives.” The press release, in turn, references a report entitled “Fraud, Virus and ID Theft: Mobile Malware Stands to Create a New Beginning.” While I've not read the report and may not agree with the notion that security issues hamper payment / banking initiatives (just look at the world that is the Internet—yeah,...

Peter Ferrie | 29 Jan 2007 08:00:00 GMT | 0 comments

The latest news (as of January 23rd) is that the virus writing group 29A is reforming, but with most of the coders missing. Gone are GriYo, Vecna, and Zombie. We knew that Vecna had left, but that GriYo and Zombie have left as well suggests that the "internal issues" are a difference of opinion about who should do what. A coup in a virus writing group? It's all so political.

So that leaves VirusBuster, who has come out of retirement, and presumably Vallez. It is unclear if roy g biv will join them, given that today he placed W32.Stutter on a popular VX website, under the Defjam label.

Ultimately, though, the point is "who cares"? A virus writing group that doesn't write viruses—that’s always a good thing.