Video Screencast Help
Symantec to Separate Into Two Focused, Industry-Leading Technology Companies. Learn more.
Security Response
Showing posts in English
Juniper Security Research | 01 Mar 2007 08:00:00 GMT | 0 comments

This is the first guest blog post from the Juniper Security ResearchLab. We wish to thank our partners at Symantec for allowing us to usethis forum and further show the value in our partnership that was announced last September.

Today marks the first vendor-acknowledged vulnerability that wasfound by a Juniper Security Researcher. The vulnerability was found byKarl Lynn and is a Buffer Overflow in the Citrix Presentation ServerClient for Windows. If successfully exploited, this vulnerability canallow for remote code execution. When exploited, the malicious codewill run in the context of the logged-in user.

We will not be releasing a separate advisory from the vendor releaseand we do strongly recommend that those using this software install thepatch from Citrix. Users of our IDP can rest assure that they areprotected against this vulnerability with our latest...

Ollie Whitehouse | 01 Mar 2007 08:00:00 GMT | 0 comments

When I started this project, I had one goal in mind – to understandwhich binaries in Windows Vista were not /GS compiled. While this mayseem rather simple on the surface, as I started to dig, it became alittle more complex. That said, my goal was achievable and today I’mhappy to present my findings.

The purpose of my paper "Analysis of GS Protection in Windows Vista"was to show which binaries under a default installation of WindowsVista 32bit RTM were not protected by the Visual Studio 2005 /GScompiler flag. This, in turn, was designed to help Symantec and ourclients understand any exposure, either direct or indirect, which mayresult from this lack of protection.

The abstract for my paper is as follows:

Visual Studio 2002 introduced the Buffer Security Check(GS) option to protect stack variables from overflows that resulted inarbitrary code...

Ollie Whitehouse | 01 Mar 2007 08:00:00 GMT | 0 comments

ASLR (Address Space Layout Randomization) is one of the cornerstones of Windows Vista and its enhanced security posture. ASLR workson the basis that it will move an application and its associated memoryaround, either each time it’s executed or when the host is rebooted,depending on the element concerned. The purpose of this is to hinder aclass of vulnerabilities commonly referred to as memory manipulation vulnerabilitiesby making it difficult for an attacker to know where an application isin memory. This would impede successful exploitation, which relies onfixed memory addresses.

Back in December, I decided to take a brief look at theimplementation of ASLR on Vista. I had seen some findings emerge duringits development, but these really didn’t show if the implementation wasgood, bad, or indifferent. Since my work load was winding down, as Ihad December off, and a tool I had written indicated there might besome problems, I decided to look at this in more detail. My...

Eric Chien | 28 Feb 2007 08:00:00 GMT | 0 comments

Soon after information was released about a vulnerability in the in.telnetd daemon in Solaris 10, Symantec's Deepsight monitoring system began to see spikes in port 23 traffic. Most of this traffic was due to people scanning for vulnerable systems. However, yesterday we saw a renewed spike in traffic that has been correlated to a worm known as Wanuk, which uses the vulnerability to spread.

wanuk_fig1.jpg

Once Wanuk is on the system, it drops an executable that creates a /bin/sh back door, which listens on port 32982/TCP. In addition, Wanuk's payload includes sending out system broadcast messages of creatively designed shout-outs to a...

Elia Florio | 28 Feb 2007 08:00:00 GMT | 0 comments

People using Web 2.0 have personal Web spaces, blogs, and online discussions on forums and public boards. Everyone can create Web content from his or her own computer just by using the browser. So what would be the perfect vector for spreading malwares in the Web 2.0 world? The Web itself, of course.

On Monday we posted a blog about a new variant of Trojan.Mespam distributed via StormWorm/Peacomm botnet. We noticed that this new Mespam takes advantage of new Web technologies and spreads by injecting malicious links when users interact with the Web.

What does it mean? When users are going to post something on any Web site running VBulletin or phpBB, the Trojan will sneakily add a malicious link into the outgoing Web packet. The same also happens when users are sending emails using clients such as Gmail, Yahoo, Lycos, Tiscali...

Stephen Doherty | 28 Feb 2007 08:00:00 GMT | 0 comments

From time to time virus writers leave messages in their code. Sometimes these are shout-outs to other virus writers, sometimes it is their own nickname, and other times they send messages to us.

Here is one that speaks for itself:

Dear Symantec: For years I have longed for just one thing, to make malware with just the right sting, you detected my creation and got my domains killed, but I will not stop, I can rebuild. P.S. F@?k you a**^$les, especially Stephen Doherty who is the biggest f@??#t I know of.

Message Edited by SR Blog Moderator on 08-26-2008 12:36 PM
Mat Carter | 28 Feb 2007 08:00:00 GMT | 0 comments

As any regular reader of security industrynews will tell you, over the past few years the quality that is mostprized by malicious coders is stealth. Loud, reputation-enhancingattacks are strictly for the teenage malcontents of a previous century.Today’s malicious coders are professionals who prefer a more commercialmodel, which aims to compromise as many machines as possible, asquietly as possible, with the minimum amount of effort—and they areadopting increasingly diversified tactics to this end.

Older malicious code tended to rely on the static hosting of themalicious payload and this was always susceptible to filtering andtargeted action from law enforcement. Consequently a trend developed totry and keep the payload moving and hard to shut off using fast fluxDNS techniques, or to store it on "bullet proof" hosting from providersthat usually ignore complaints. However, the Security Response team hasrecently noticed a simpler approach that can be utilized by...

Oliver Friedrichs | 28 Feb 2007 08:00:00 GMT | 0 comments

Last July, I discussed how Windows Vista™ was one of the mostimportant technologies that we would see in 2007. Last year, SymantecAdvanced Threat Research released four research papers on the then betaversion of Windows Vista. These papers provided a security analysis ofthe new Windows Vista network stack, user-mode security defenses,kernel-mode security technologies, and the Teredo protocol—a key IPv6over IPv4 transition technology in Vista. Being one of the firstthird-party assessments on the progression of Windows Vista security,these papers were extremely well received in the technology industry.

Fast forward to today, and Windows Vista has now been released tobusinesses and consumers alike. Throughout its release, Symantec hastracked the evolution of Vista very closely and continued to assess itspotential in defeating today’s attackers. We’ve documented our findingsin a series of six research papers that are being released in thecourse of the next week. The goal of this...

Oliver Friedrichs | 28 Feb 2007 08:00:00 GMT | 0 comments

Last July, I discussed how Windows Vista™ was one of the mostimportant technologies that we would see in 2007. Last year, SymantecAdvanced Threat Research released four research papers on the then betaversion of Windows Vista. These papers provided a security analysis ofthe new Windows Vista network stack, user-mode security defenses,kernel-mode security technologies, and the Teredo protocol—a key IPv6over IPv4 transition technology in Vista. Being one of the firstthird-party assessments on the progression of Windows Vista security,these papers were extremely well received in the technology industry.

Fast forward to today, and Windows Vista has now been released tobusinesses and consumers alike. Throughout its release, Symantec hastracked the evolution of Vista very closely and continued to assess itspotential in defeating today’s attackers. We’ve documented our findingsin a series of six research papers that are being released in thecourse of the next week. The goal of this...

Brian Hernacki | 27 Feb 2007 08:00:00 GMT | 0 comments

Today most of the identity oriented transactions on the Internet are done via plain old HTML forms and, if we're lucky, over SSL. And once again, something that seemed sufficient at first, is showing strain as usage grows. HTML/HTTP ends up providing a pretty clumsy and inadequate way to do identity transactions. It offers a poor user experience and wasn't really designed with security in mind. This has contributed to much of the grief over fraud, phishing, etc. Our primary defense mechanism against such threats has historically been the SSL certificate, but we know users don't read those. We also know users don't look too carefully at URLs (even when they are not obsfucated). Some of the...