Video Screencast Help
Security Response
Showing posts in English
Peter Ferrie | 24 Jan 2007 08:00:00 GMT | 0 comments

At AVAR 2006,I presented a paper which discussed ways in which virtual machines arevulnerable to detection and, in some cases, forced hangs or crashes.

The paper briefly discusses the two major types of virtual machines("hardware-bound" and "pure software") and the two hardware-boundsubtypes ("hardware-assisted" and "reduced-privilege guest"). The focusof the paper is the different ways in which various virtual machinescan be detected. There are detections for VMware, VirtualPC, Parallels,Bochs, Hydra (though the published methods have since been fixed),QEMU, Atlantis and Sandbox, along with lots of source code.

The slides from the talk are also available, but without thecommentary, they're not quite as interesting. The paper is availablefrom here. The slides are available from...

Symantec Security Response | 23 Jan 2007 08:00:00 GMT | 0 comments

While we often report on the number of infections we’re seeing for a threat and what our honeynets are catching, we haven’t often shared the numbers on the amount of malicious code we’re seeing via Symantec’s antispam solutions. With Trojan.Peacomm still very much on the prowl and repeatedly blasting spam in short bursts of five to ten minutes, we thought we’d share some of our statistics on the malware we see being spammed around the globe. All of the numbers below are from December 22, 2006 to January 22, 2007.

...

Symantec Security Response | 23 Jan 2007 08:00:00 GMT | 0 comments

While we often report on the number of infections we’re seeing for a threat and what our honeynets are catching, we haven’t often shared the numbers on the amount of malicious code we’re seeing via Symantec’s antispam solutions. With Trojan.Peacomm still very much on the prowl and repeatedly blasting spam in short bursts of five to ten minutes, we thought we’d share some of our statistics on the malware we see being spammed around the globe. All of the numbers below are from December 22, 2006 to January 22, 2007.

...

Symantec Security Response | 23 Jan 2007 08:00:00 GMT | 0 comments

While we often report on the number of infections we’re seeing for a threat and what our honeynets are catching, we haven’t often shared the numbers on the amount of malicious code we’re seeing via Symantec’s antispam solutions. With Trojan.Peacomm still very much on the prowl and repeatedly blasting spam in short bursts of five to ten minutes, we thought we’d share some of our statistics on the malware we see being spammed around the globe. All of the numbers below are from December 22, 2006 to January 22, 2007.

...

Amado Hidalgo | 22 Jan 2007 08:00:00 GMT | 0 comments

Since I posted my blog last Friday, the Trojan.Peacomm threat has (not surprisingly) evolved. The attachments have new filenames, some dropped files have changed, and the subject lines of the spam email are also changing. Please have a look at the full details in our updated write-up here.

The bot machines are now communicating over UDP port 7871, instead of port 4000. Symantec’s Threat Management System confirms this change:

peacomm_port7871-SRC_IPs.jpeg
Figure 1. IPs originating activity - UDP port 7871

More interestingly, the new version of the threat has...

Amado Hidalgo | 22 Jan 2007 08:00:00 GMT | 0 comments

Since I posted my blog last Friday, the Trojan.Peacomm threat has (not surprisingly) evolved. The attachments have new filenames, some dropped files have changed, and the subject lines of the spam email are also changing. Please have a look at the full details in our updated write-up here.

The bot machines are now communicating over UDP port 7871, instead of port 4000. Symantec’s Threat Management System confirms this change:

peacomm_port7871-SRC_IPs.jpeg
Figure 1. IPs originating activity - UDP port 7871

More interestingly, the new version of the threat has...

Matthew Conover | 22 Jan 2007 08:00:00 GMT | 0 comments

Continued from Part 1...

Exploiting double free vulnerabilities: Case 1

The first way that a double free vulnerability can be exploited is when the first free puts the chunk on the Lookaside (which the Windows heap implementation tries to use before the FreeList since it's more efficient). When a chunk is freed to the Lookaside, the Chunk is still marked as busy (that is, Chunk.Flags & BUSY_FLAG is set) to prevent the chunk from being coalesced with the previous/next chunk. That's because entries on the Lookasidelist are meant to be a fast allocate/deallocate (akin to "fast bins" inthe GLIBC and related Unix heap implementations). By contrast, entrieson the FreeList are frequentlycoalesced when a chunk is being freed and the chunk before/after it isalso free (to make larger contiguous chunks of memory available...

Amado Hidalgo | 22 Jan 2007 08:00:00 GMT | 0 comments

Since I posted my blog last Friday, the Trojan.Peacomm threat has (not surprisingly) evolved. The attachments have new filenames, some dropped files have changed, and the subject lines of the spam email are also changing. Please have a look at the full details in our updated write-up here.

The bot machines are now communicating over UDP port 7871, instead of port 4000. Symantec’s Threat Management System confirms this change:

peacomm_port7871-SRC_IPs.jpeg
Figure 1. IPs originating activity - UDP port 7871

More interestingly, the new version of the threat has...

Amado Hidalgo | 19 Jan 2007 08:00:00 GMT | 0 comments

Symantec Security Response has seen some moderate spamming of a new Trojan horse. The threat arrived in an email with an empty body and a variety of subjects such as:

A killer at 11, he's free at 21 and kill again!
U.S. Secretary of State Condoleezza Rice has kicked German Chancellor Angela Merkel
British Muslims Genocide
Naked teens attack home director.
230 dead as storm batters Europe.
Re: Your text

The attachments may have any of the following filenames:
FullVideo.exe
Full Story.exe
Video.exe
Read More.exe
FullClip.exe

The attachment is not a video clip, but a Trojan horse program, which Symantec heuristic technology already detected as...

Amado Hidalgo | 19 Jan 2007 08:00:00 GMT | 0 comments

Symantec Security Response has seen some moderate spamming of a new Trojan horse. The threat arrived in an email with an empty body and a variety of subjects such as:

A killer at 11, he's free at 21 and kill again!
U.S. Secretary of State Condoleezza Rice has kicked German Chancellor Angela Merkel
British Muslims Genocide
Naked teens attack home director.
230 dead as storm batters Europe.
Re: Your text

The attachments may have any of the following filenames:
FullVideo.exe
Full Story.exe
Video.exe
Read More.exe
FullClip.exe

The attachment is not a video clip, but a Trojan horse program, which Symantec heuristic technology already detected as...