Video Screencast Help
Symantec to Separate Into Two Focused, Industry-Leading Technology Companies. Learn more.
Security Response
Showing posts in English
Kelly Conley | 26 Jan 2007 08:00:00 GMT | 0 comments

The Symantec Messaging and Web Security team started off 2007 with the release of a new monthly report geared towards the media. This report, entitled The State of Spam: A Monthly Report was released last week, covers December 2006, and can be found here.

Do you want to know what the top spam type for last month was? Or how about what new techniques spammers are currently using? Did you see some unusual spam in your Inbox? Check out our report and see if it's a new trend. People interested in what’s going on in the ever-changing world of spam will want to get their hands on a copy of this report for the metrics, latest trends, new spam examples, and data points of interest.

Have you noticed more spam? You're not going crazy. Symantec AntiSpam tracking has shown an increase in spam by over 15 percent from the month of October to mid-December. In...

Dave Cole | 25 Jan 2007 08:00:00 GMT | 0 comments

We’re happy to report that so far today, Peacomm and Mixor.Q activity is lighter than the maelstrom of activity we’ve seen in previous days. We’ve noted no new spam runs today, with the malware submissions and activity levels tapering off a bit as well. Phew! Our Security Response team in Pune, India, has pulled together a slick Flash-based run through of the attack, which can be viewed using the following URL:
http://www.symantec.com/content/en/us/home_homeoffice/media/flash/peacomm.html

Just a little more info on this threat you may have not heard before—it is communicating over peer-to-peer using the Overnet protocol and network (of eDonkey fame). After connecting to the network, the threat then searches for some particular hashes (searches are done by hash, not by specific filename) and eventually it receives a reply that includes some 'meta tag' information...

Dave Cole | 25 Jan 2007 08:00:00 GMT | 0 comments

We’re happy to report that so far today, Peacomm and Mixor.Q activity is lighter than the maelstrom of activity we’ve seen in previous days. We’ve noted no new spam runs today, with the malware submissions and activity levels tapering off a bit as well. Phew! Our Security Response team in Pune, India, has pulled together a slick Flash-based run through of the attack, which can be viewed using the following URL:
http://www.symantec.com/content/en/us/home_homeoffice/media/flash/peacomm.html

Just a little more info on this threat you may have not heard before—it is communicating over peer-to-peer using the Overnet protocol and network (of eDonkey fame). After connecting to the network, the threat then searches for some particular hashes (searches are done by hash, not by specific filename) and eventually it receives a reply that includes some 'meta tag' information...

Eric Chien | 25 Jan 2007 08:00:00 GMT | 0 comments

While Trojan.Peacomm (aka Storm Worm) received its alias because of unprecedented storms that battered Europe, the threat deserves the name more because Peacomm itself is the perfect storm. Peacomm is a combination of an open source email worm, a file infecting virus, a polymorphic packer, a spam relay, a rootkit, and a botnet that operates over a peer-to-peer network. In the history of malicious code, we have never seen a malicious threat that contains a handful of these characteristics let alone all of them. Thus, the perfect storm.

We've been tracking Peacomm over the week and wanted to provide a high level summary of how Peacomm spreads and some of the unique and interesting aspects of Peacomm, including how it uses peer-to-peer communication with the ultimate goal of sending out spam.

In late December and early January, the authors of Peacomm...

Hon Lau | 25 Jan 2007 08:00:00 GMT | 0 comments

We’ve seen many threats using vulnerabilities based on MicrosoftOffice documents over the last year, so it’s no surprise that we haverecently observed new samples of a threat that follows the same theme.This threat named Trojan.Mdropper.W is using the new Microsoft Word 2000 Unspecified Code Execution Vulnerability (BID22225)to drop threats onto a compromised computer. When the infected Worddocument is opened, it uses an exploit to drop some files onto thecomputer. These files are back door Trojans that enable an attacker togain remote access to your computer.

This vulnerability comes on the back of three other recent and unpatched Microsoft Word vulnerabilities, which are:

BID21518...

Dave Cole | 25 Jan 2007 08:00:00 GMT | 0 comments

We’re happy to report that so far today, Peacomm and Mixor.Q activity is lighter than the maelstrom of activity we’ve seen in previous days. We’ve noted no new spam runs today, with the malware submissions and activity levels tapering off a bit as well. Phew! Our Security Response team in Pune, India, has pulled together a slick Flash-based run through of the attack, which can be viewed using the following URL:
http://www.symantec.com/content/en/us/home_homeoffice/media/flash/peacomm.html

Just a little more info on this threat you may have not heard before—it is communicating over peer-to-peer using the Overnet protocol and network (of eDonkey fame). After connecting to the network, the threat then searches for some particular hashes (searches are done by hash, not by specific filename) and eventually it receives a reply that includes some 'meta tag' information...

Liam O Murchu | 25 Jan 2007 08:00:00 GMT | 0 comments

Spoke is a community for sales andmarketing professionals (home users would probably not have much usefor the site or software). Spoke makes a sales/marketing tool thathelps find contacts in companies across North America. For example, asales team can search for a company in the Spoke database and find thenames and titles of different employees in the company. This makes itclearer who to contact within that company in order to sell/market aproduct.

The Spoke database cuts down on the amount of time spent searchingonline, cold calling, and searching the phone book to find a useful andcorrect contact in a company. As well as providing information aboutcontacts within a company, Spoke also calculates relationships that youand other users have to each other, so that you can perhaps find acontact of yours who already has a relationship with someone at yourtarget company and who could possibly provide a friendly introduction.Spoke is essentially a data aggregator; the...

Dave Cole | 25 Jan 2007 08:00:00 GMT | 0 comments

We’re happy to report that so far today, Peacomm and Mixor.Qactivity is lighter than the maelstrom of activity we’ve seen inprevious days. We’ve noted no new spam runs today, with the malwaresubmissions and activity levels tapering off a bit as well. Phew! OurSecurity Response team in Pune, India, has pulled together a slickFlash-based run through of the attack, which can be viewed using thefollowing URL:
http://www.symantec.com/content/en/us/home_homeoffice/media/flash/peacomm.html

Just a little more info on this threat you may have not heardbefore—it is communicating over peer-to-peer using the Overnet protocoland network (of eDonkey fame). After connecting to the network, thethreat then searches for some particular hashes (searches are done byhash, not by specific filename) and eventually it receives a reply thatincludes some 'meta tag' information. The meta...

Peter Ferrie | 24 Jan 2007 08:00:00 GMT | 0 comments

At AVAR 2006,I presented a paper which discussed ways in which virtual machines arevulnerable to detection and, in some cases, forced hangs or crashes.

The paper briefly discusses the two major types of virtual machines("hardware-bound" and "pure software") and the two hardware-boundsubtypes ("hardware-assisted" and "reduced-privilege guest"). The focusof the paper is the different ways in which various virtual machinescan be detected. There are detections for VMware, VirtualPC, Parallels,Bochs, Hydra (though the published methods have since been fixed),QEMU, Atlantis and Sandbox, along with lots of source code.

The slides from the talk are also available, but without thecommentary, they're not quite as interesting. The paper is availablefrom here. The slides are available from...

Symantec Security Response | 23 Jan 2007 08:00:00 GMT | 0 comments

While we often report on the number of infections we’re seeing for a threat and what our honeynets are catching, we haven’t often shared the numbers on the amount of malicious code we’re seeing via Symantec’s antispam solutions. With Trojan.Peacomm still very much on the prowl and repeatedly blasting spam in short bursts of five to ten minutes, we thought we’d share some of our statistics on the malware we see being spammed around the globe. All of the numbers below are from December 22, 2006 to January 22, 2007.

...