Security Response
Liam O Murchu | 11 Jan 2007 08:00:00 GMT | 0 comments

We regularly see Brazilian Bancos samples that try to steal the credentials of Brazilian bank users. These are generally delivered via spam or drive-by downloads. However, recently a different form of threat was spotted that specifically targets Brazilian users.

W32.Selfish is a file infector that checks what your default language pack is and only proceeds to execute its payload if you are using the Brazilian Portuguese Language pack. If you are using a different language pack, W32.Selfish will simply execute the infected host file and exit.

When W32.Selfish is executed on a Brazilian machine, it tries to download a file from the internet and execute it. At the time of writing, this file is not accessible, so it is uncertain whether it will download a Brazilian bank password stealer. However, the emergence of this threat does show that Brazil is being specifically targeted by online criminals. Not only does this show that criminals are targeting Brazil, but it...

Ollie Whitehouse | 10 Jan 2007 08:00:00 GMT | 0 comments

UMA (Unlicensed Mobile Access) is a set of specifications now known as “Generic access to the A/Gb interface; Stage 2.” The purpose of these specifications is to allow cellular operators to terminate cellular services over unlicensed mediums that utilize IP. The original specifications catered to Bluetooth and WiFi, so the benefits of such a technology should be obvious. In the home or in metropolitan areas, it allows operators to move away from technologies that are costly, slower, higher-latency, or bandwidth-limited. By doing so, they reduce their own costs and improve user experience.

In March 2006, I wrote an internal Symantec paper entitled “UMA Attack Surface Analysis.” The purpose of this paper was to discuss the increased risks that subscribers or operators may be exposed to as a result of deploying UMA...

Ben Greenbaum | 09 Jan 2007 08:00:00 GMT | 0 comments

Welcome to 2007! Before we get started, I'd like to wish you all a happy, healthy, and safe year from the DeepSight research teams here at Symantec. May all your plans come to fruition, and may all your patches apply smoothly... This month's patch release by Microsoft is a little lighter than previous releases, and lighter even than initially projected by Microsoft themselves. On January 4th, as per their usual policy, they publicly released high-level details of the planned release. The initial advance notification mentioned eight patches. However, the notification was later modified to list only four releases. Included among the delayed releases are fixes for various Word issues. The updates for January that did make the cut cover 10 distinct vulnerabilities, which were primarily file-based, client-side issues in the Office suite.


Hon Lau | 08 Jan 2007 08:00:00 GMT | 0 comments

It hasn't been long since reports surfaced that videos of Saddam Hussein’s execution are available for download on the Internet. It’s no surprise that enterprising malware creators have latched on to this latest news in an attempt to spread their wares.

What we have is an email spam sent to unsuspecting targets with details about where you can download a video.
Of course, this email (like past, present, and future spam) is once again taking advantage of human nature to help it spread. In this case, it is trying to appeal to the dark side of the individuals who are on the receiving end of the email.

The subject line of the email looks like this:

Subject: Video completo da morte de Saddam Hussein

The body of the email looks like this:


Marc Fossi | 08 Jan 2007 08:00:00 GMT | 0 comments

Happy (belated) New Year! It’s safe to say that most people are back into the full swing of things by now. Although the first week of January may have been a short one for some, there are many of us who were kept on our toes in the fledgling days of 2007. We are still witnessing the aftermath of some annoying holiday-themed emails containing a mass-mailing worm, and even more recently we have been dealing with a cross-site scripting (XSS) problem involving Adobe Acrobat files.

Sadly, given these examples, it seems that the more things change from year to year, the more they stay the same (I know it’s a cliché). And in that regard, we have recently published the December 2006 version of the Symantec Home and Home Office Security Report. The report discusses some of the top security news items in December as well as a roundup of noteworthy Internet security trends for 2006. Last month, there was a worm discovered to be propagating because of malicious URLs being sent as links in instant...

Peter Ferrie | 05 Jan 2007 08:00:00 GMT | 0 comments

With the public advisory by Determina about a double-free bug in a CSRSS message function, the immediate question was: does it really affect Vista? The short answer is "yes, but not reliably." Arbitrary code execution is possible, but requires a great deal of luck, though a denial-of-service is definitely possible.

Why the fuss? Simply put, successful exploitation of the bug allows even the most restricted user-mode application to elevate its privileges to the System level. From there, the kernel is accessible even on Vista. Even without entering the kernel, System-level privileges allow almost complete control of the system, so the possibilities are limited only by the imagination.

Of course, that the bug isn't reliable on Vista doesn't mean that everyone can relax. The bug does affect earlier versions of Windows, where arbitrary code execution is far...

Peter Ferrie | 04 Jan 2007 08:00:00 GMT | 0 comments

While we probably haven't heard the last of virus writer SPTH, his announcement about leaving the rRlf (Ready Rangers Liberation Front) is welcome news. Further good news was the "lack of time" cited as his reason for leaving. This suggests that he's busy doing things other than writing viruses, and that is to be encouraged (the "doing things other than" part, not the "writing viruses" part, of course).

Even though his viruses were not on the order of complexity of some others in recent times, there is no question that he had a knack for finding just the right target to interest the media. With media attention comes the associated "coolness" factor that encourages some people to start writing viruses in the first place. And once a virus receives attention from the media, other virus writers will often target the same platform.

In my W64/Bounds article for...

Zulfikar Ramzan | 04 Jan 2007 08:00:00 GMT | 0 comments

Back in July, I wrote a blog entry about examples we had seen of phishing Web sites that worked entirely using Macromedia Flash. What makes these sites scary is that they cannot be analyzed in the same way as traditional HTML- or Javascript-based phishing pages.

When we first mentioned these attacks, the observations didn’t receive much external attention. Perhaps this was due to other, more pressing, issues related to the growth of phishing or, more likely, perhaps folks were in the post-Independence Day doldrums. Now, there has been a resurgence of interest in this topic as seen in some recent articles. With this resurgence, I thought it would make sense to point readers back to my original article on the subject of Flash-based...

Hon Lau | 03 Jan 2007 08:00:00 GMT | 0 comments

We have received reports of a significant problem relating to Adobe Acrobat files and Cross Site Scripting (XSS). A weakness was discovered in the way that the Adobe Reader browser plugin can be made to execute JavaScript code on the client side. This stems from the “Open Parameters” feature in Adobe Reader, which allows for parameters to be sent to the program when opening a .pdf file. Like most things in life, this was a feature designed for benign usage, but unfortunately somebody has discovered that it can also be used for malicious purposes.

This development is significant for a number of reasons:
• The ease in which this weakness can be exploited is breathtaking. Use of this “feature” requires no exploitation of vulnerabilities on the server side.
• Any Web site that hosts a .pdf file can be used to conduct this attack. All the attacker has to do is find out who is hosting a .pdf file on their Web server and then piggy back on it to mount an attack. What this means...

Candid Wueest | 02 Jan 2007 08:00:00 GMT | 0 comments

If I remember my math teacher correctly, then 1 + 1 = 2. Or, 2.0, to be trendy. In terms of the Internet today this could mean: Take one interactive Web solution plus one large user community and that will equal the next generation Web application. In 2006, we have seen many companies employing exactly this formula to create new Web services (some of which are very useful, while others are more for entertainment).

But in arithmetic you have to be sure to understand the variables you calculate with. If, like in this case, you deal with a very large active user group, then the chances of encountering people who don’t play by the rules are high. Therefore, it should be of no surprise that we have seen a rise in Web attacks toward the end of this year, especially considering the number of browser vulnerabilities that were discovered.

Jeremiah Grossman and others compiled a list of the...