Video Screencast Help
Security Response
Showing posts in English
Marc Fossi | 02 Feb 2007 08:00:00 GMT | 0 comments

Being a fan of novels in the “cyberpunk” genre, the concept ofvirtual online worlds intrigues me. Standard massively multiplayeronline games (MMOGs) seem boring in comparison to the flexibility of aworld that allows participants to create their own objects within thevirtual environment. These creations are really only limited by theuser’s imagination and the boundaries of the coding language.

Recently, I read an article about residents of Second Life stagingin-world protests against a political party that opened an office inthe world (I won’t get into the details here because this space isn’tabout politics). What really caught my eye were some of the forms theseprotests took, including users strafing the offices with virtualmachine guns and exploding pigs.

So what does any of this have to do with computer security? Well, acouple of things about Second Life are noteworthy. One is that somemiscreants were successful in creating self-replicating code (like avirus) in...

Joseph Blackbird | 01 Feb 2007 08:00:00 GMT | 0 comments

What better time than January to review last year's security issuesand discuss predictions for the coming months of 2007. This issue ofSymantec's Home and Home Office Security Report looks into this, aswell as discussing current potential risks and threats that couldimpact home and home office users.

On January 20, 2007, a critical security flaw in Apple iChat wasreported. Hackers could use the flaw to break into your computer,allowing them to read your email messages and address books, steal yourfiles and software, and use your computer to carry out further hackingattempts. A hacker could also take advantage of the flaw by enticingyou to visit a malicious Web site or open a malicious file. When theWeb site is loaded or the file is opened, the malicious content willtake advantage of the flaw and allow the attacker to gain control ofyour computer. At the time of this writing, Apple had not yet releasedsolutions for all of these problems, but you can protect yourself...

Elia Florio | 31 Jan 2007 08:00:00 GMT | 0 comments

We've been getting a lot of requests from people asking what it looks like when your computer is compromised by one of these very limited targeted attacksthat involves any of the recent MS Word zero-day vulnerabilities. Atargeted attack begins with an incoming email that has a .DOC fileattached; a very common event that happens to almost everyone everyday. The email sender looks legitimate (it's spoofed of course!) andthe document name is selected to appeal to the recipient. For example,if the targeted user is an accountant, then the document would looklike a tax certificate or an invoice. For members of governments, itcould appear to be an important communication from a Minister. Forfinance brokers, a stocks analysis and so on...

Targeted attacks are not intended for the masses, so we're nevergoing to see the usual "Very exciting greeting postcard.exe" attachedto those emails. But the big question is: what happens when someoneopens the malicious...

Eric Chien | 30 Jan 2007 08:00:00 GMT | 0 comments

We have received some additional Worddocuments that exploit an unpatched Microsoft Word vulnerability. Thesedocuments are detected as Trojan.Mdropper.X. We believe this is a newvulnerability, making it the fifth currently unpatched Office fileformat vulnerability. While these documents are being used in atargeted attack consistent with previous cases, we have receiveddifferent documents that use this same exploit from multipleorganizations. The documents have been each designed specifically forthe targeted organization in both language and content.

The vulnerability could be a slight variation or may be covered bythe existing CVEs and we are awaiting confirmation from MicrosoftSecurity Response Center. Nevertheless, no patches appear to beavailable, so, as always, be careful opening unsolicited Word documents.

Update - Feb 1st, 2007 11:40 UTC: We have receivedconfirmation from Microsoft that the vulnerability being used in theseattacks is in...

Ollie Whitehouse | 30 Jan 2007 08:00:00 GMT | 0 comments

So, it's Tuesday morning in London town and I've been up since 6:00 a.m. staring at a monitor, trying to free myself from PowerPoint hell (it's all rock and roll I tell ya!). Anyway, this morning I stumbled across an InfoWorld article entitled “Hackers to target mobile banking, study says.” This article seems to have been spun out of a press release by the Tower Group entitled “Increases in Mobile Fraud and ID Theft Could Hamper Mobile Payment / Banking Initiatives.” The press release, in turn, references a report entitled “Fraud, Virus and ID Theft: Mobile Malware Stands to Create a New Beginning.” While I've not read the report and may not agree with the notion that security issues hamper payment / banking initiatives (just look at the world that is the Internet—yeah,...

Peter Ferrie | 29 Jan 2007 08:00:00 GMT | 0 comments

The latest news (as of January 23rd) is that the virus writing group29A is reforming, but with most of the coders missing. Gone are GriYo,Vecna, and Zombie. We knewthat Vecna had left, but that GriYo and Zombie have left as wellsuggests that the "internal issues" are a difference of opinion aboutwho should do what. A coup in a virus writing group? It's all sopolitical.

So that leaves VirusBuster, who has come out of retirement, andpresumably Vallez. It is unclear if roy g biv will join them, giventhat today he placed W32.Stutter on a popular VX website, under theDefjam label.

Ultimately, though, the point is "who cares"? A virus writing group that doesn't write viruses—that’s always a good thing.

Kelly Conley | 26 Jan 2007 08:00:00 GMT | 0 comments

The Symantec Messaging and Web Security team started off 2007 with the release of a new monthly report geared towards the media. This report, entitled The State of Spam: A Monthly Report was released last week, covers December 2006, and can be found here.

Do you want to know what the top spam type for last month was? Or how about what new techniques spammers are currently using? Did you see some unusual spam in your Inbox? Check out our report and see if it's a new trend. People interested in what’s going on in the ever-changing world of spam will want to get their hands on a copy of this report for the metrics, latest trends, new spam examples, and data points of interest.

Have you noticed more spam? You're not going crazy. Symantec AntiSpam tracking has shown an increase in spam by over 15 percent from the month of October to mid-December. In...

Dave Cole | 25 Jan 2007 08:00:00 GMT | 0 comments

We’re happy to report that so far today, Peacomm and Mixor.Q activity is lighter than the maelstrom of activity we’ve seen in previous days. We’ve noted no new spam runs today, with the malware submissions and activity levels tapering off a bit as well. Phew! Our Security Response team in Pune, India, has pulled together a slick Flash-based run through of the attack, which can be viewed using the following URL:
http://www.symantec.com/content/en/us/home_homeoffice/media/flash/peacomm.html

Just a little more info on this threat you may have not heard before—it is communicating over peer-to-peer using the Overnet protocol and network (of eDonkey fame). After connecting to the network, the threat then searches for some particular hashes (searches are done by hash, not by specific filename) and eventually it receives a reply that includes some 'meta tag' information...

Dave Cole | 25 Jan 2007 08:00:00 GMT | 0 comments

We’re happy to report that so far today, Peacomm and Mixor.Q activity is lighter than the maelstrom of activity we’ve seen in previous days. We’ve noted no new spam runs today, with the malware submissions and activity levels tapering off a bit as well. Phew! Our Security Response team in Pune, India, has pulled together a slick Flash-based run through of the attack, which can be viewed using the following URL:
http://www.symantec.com/content/en/us/home_homeoffice/media/flash/peacomm.html

Just a little more info on this threat you may have not heard before—it is communicating over peer-to-peer using the Overnet protocol and network (of eDonkey fame). After connecting to the network, the threat then searches for some particular hashes (searches are done by hash, not by specific filename) and eventually it receives a reply that includes some 'meta tag' information...

Eric Chien | 25 Jan 2007 08:00:00 GMT | 0 comments

While Trojan.Peacomm (aka Storm Worm) received its alias because of unprecedented storms that battered Europe, the threat deserves the name more because Peacomm itself is the perfect storm. Peacomm is a combination of an open source email worm, a file infecting virus, a polymorphic packer, a spam relay, a rootkit, and a botnet that operates over a peer-to-peer network. In the history of malicious code, we have never seen a malicious threat that contains a handful of these characteristics let alone all of them. Thus, the perfect storm.

We've been tracking Peacomm over the week and wanted to provide a high level summary of how Peacomm spreads and some of the unique and interesting aspects of Peacomm, including how it uses peer-to-peer communication with the ultimate goal of sending out spam.

In late December and early January, the authors of Peacomm...