Security Response
Chintan Trivedi | 07 Dec 2006 08:00:00 GMT | 0 comments

"A browser" – that’s all we were led to believe the next generation would need to create office applications or engineering applications. Now, the focus on security has begun to divert in that direction. Statistics from the first half of 2006 showed that 69 percent of exploitable vulnerabilities were from Web applications. Web application vulnerabilities usually get mixed up with server vulnerabilities, although the two are distinctly different. Web developers who design Web sites are not usually security gurus. The developers will often leave behind various security holes in the Web application because of bad coding practices and a lack of security reviews.

On one hand, there are many security experts around the world who fuzz Web servers with variations in order to find another zero-day. The end result is that the gap between popular Web servers and exploitable vulnerabilities within them is increasing. It has been a long time since we have seen a completely...

Eric Chien | 06 Dec 2006 08:00:00 GMT | 0 comments

In 2004, I spoke at Virus Bulletin about a new technology that at that time was known as Monad. Monad has since received an official name of Microsoft PowerShell and recently has been released for Windows XP and 2003 Server, with Vista versions following in January, 2007. PowerShell is a new command line shell, like cmd.exe, but much more powerful.

In 2004, PowerShell was still in its early beta stages and was originally rumored to be shipping in default with Vista. I examined the robust features of PowerShell and demonstrated that a variety of malicious code types were possible – including viruses, worms, and Trojans – using PowerShell. More worrying was that this new language (and platform) was a scripting language and it had the possibility to follow in the footsteps of Melissa and LoveLetter. In addition to their clever social engineering, those threats...

Symantec Security Response | 06 Dec 2006 08:00:00 GMT | 0 comments

On December 5, 2006, Microsoft announced they were investigating reports of the exploitation of a zero-day vulnerability in Microsoft Word (described in Microsoft Security Advisory 929433). There is very little information available regarding the technical details of this new vulnerability. Symantec Security Response is monitoring the situation and will respond appropriately once further information is known.

At this time, Security Response has seen various malware binaries which may be related to the limited reports noted by Microsoft. These files are detected as "Downloader" by LiveUpdate virus definitions, version 12/6/2006 rev. 16. At least one known downloaded file is detected as Backdoor.HackDefender, using Rapid Release virus definitions, version 12/6/2006 rev. 25.

The standard best practices apply in this situation and as such, caution should be exercised when...

Zulfikar Ramzan | 05 Dec 2006 08:00:00 GMT | 0 comments

I recently had the opportunity to look at some phishing data generated from the Symantec Brightmail AntiSpam system from April through September 2006, inclusive. The data included both the number of unique phishing messages that Symantec discovered per day, as well as the total number of blocked phishing messages. Note that a given phishing email might be blocked in multiple places, so the number of blocked messages exceeds the number of unique ones. (Also, several unique phishing emails may correspond to the same phishing site.) Our data for this period supports some interesting seasonal- and weekend-type effects in terms of phishing activity.

First, let’s look at the overall numbers. According to the tenth edition of the Symantec Internet Security Threat Report, from January 2006 to June 2006, Symantec blocked 1.3 billion phishing attempts and recognized 157,477 unique phishing emails. Since then, during the July 2006 to September 2006 time period, Symantec blocked...

Marc Fossi | 04 Dec 2006 08:00:00 GMT | 0 comments

‘Tis the season to spend money. As the holiday season approaches, people tend to loosen their purse strings in the desperate search for the perfect gift for that special someone. Unfortunately, scammers and criminals are well aware of this fact and do what they can to take advantage of it. Two common ways of doing this are through “second chance” auction scams and “overpayment” scams.

If someone on your list wants that hot new gaming console that’s sold out in all the stores, you may turn to online auction sites to find one. Because so many people are after these hot items, the auction prices can get quite high. This is where the scammer steps in. Frequently, the winner of an auction may drop out or be unable to make good on their bid for whatever reason. Most online auction sites allow the seller to contact the next-highest bidder and offer the item to them rather than re-listing it. As a result, scammers are checking auctions for these items a day or two after the listing has...

Orlando Padilla | 01 Dec 2006 08:00:00 GMT | 0 comments

The long anticipated Windows Vista operating system is finally out the door and as anyone would agree, it’s celebration time at Microsoft. But, let’s discuss what we are in for with a peek at the default user environment on the 32-bit platform.

Symantec Advanced Threat Research decided to conduct an analysis of Windows Vista’s security enhancements provided by the user account control (UAC) and resulting new security barriers. No formal requirements were defined, although a few guidelines were set to stay organized; gather a sample set of malicious code, execute them under the default UAC environment, and carefully determine their success. The results were then broken down into three categories:
1) Successful execution of malicious code
2) System restart survivability
3) Failed execution of malicious code, and why

There are two important prerequisites in place to establish fair play practices:
1) All malicious code must be executed under the...

Peter Ferrie | 01 Dec 2006 08:00:00 GMT | 0 comments

It's been more than two months since the disbanding of the 29A virus writing group, and in typical 29A fashion, we're still waiting for the official announcement. Of course, that's fine – as long as they're no longer writing viruses we don't care if they tell us or not. Maybe they're waiting for January 1. ;-)

What fun we can have speculating on the “hows” and “whys”, such as that Vecna left the group and nobody noticed, or that roy signs his viruses with a different group name and nobody cares. Zombie's site has been closed for a long time already; now the 29A site, hosted by GriYo, is gone. First it was replaced by GriYo's radio interviews and then it was removed completely. Benny's real name is known and probably Ratter's and Vecna's are, too. They must know that they can't move freely anymore. As for roy, I think he is actually not just one person but several, although that's a topic for another day (although they should all quit).

Anyway, these are all promising signs....

Elia Florio | 30 Nov 2006 08:00:00 GMT | 0 comments

In a letter to the editor of CrossTalk magazine, “Rubey” of SofTech Inc. exhorted developers to “go beyond the condemnation of spaghetti code to the active encouragement of ravioli code.” It was 1992 and the “pasta theory of programming” was officially born. Since we first talked of the “spaghetti code” used by Trojan.LinkOptimizer, at least one blog reader has asked for more details about it, so I decided to post a brief explanation and a visual demonstration of what exactly spaghetti code is.

Programmers talk about spaghetti code when a program has a complex and tangled control structure that uses many jumps (GOTOs) or other unstructured branching constructs. Now, take a second to solve the following visual quiz. Look at the images below, which show three different graphs generated by IDA Professional (a well-known disassembler program). Each graph is the result of the analysis of the function flow of an executable...

Brian Hernacki | 29 Nov 2006 08:00:00 GMT | 0 comments

As municipal Wi-Fi networks begin to roll out, I've begun to notice a trend that isn't surprising, but is still a bit worrisome. Business users are beginning to use the muni Wi-Fi in the office. While the signal doesn't often penetrate too deeply into buildings, conference rooms and window offices seem to get a sufficient signal in many cases. The problem is that I see people using the muni Wi-Fi signal instead of the office IT-supported network. Sometimes they just use it because it's more convenient. The office IT network is "secure" and requires extra work, such as entering keys or using a VPN. Sometimes they do it because they explicitly want to avoid the local IT policy controls (access to restricted sites, use of restricted applications, etc.)

So, why is this a problem? First, it exposes the user’s computer to the Internet without the normal protection of the office IT security safeguards (like a firewall). While it's quite possible to secure the...