Video Screencast Help
Security Response
Showing posts in English
Mimi Hoang | 23 Nov 2006 08:00:00 GMT | 0 comments

We have recently seen an increase in the number of zero-day exploits, which indicates that attackers are being more methodical in their discovery and use of software vulnerabilities. A zero-day exploit occurs when a software flaw is only discovered after it is already being exploited in the wild (and there isn’t a patch available from the vendor).

The “window of exposure” is the time frame during which users of vulnerable software will be at risk. This is calculated as the difference in time between when a vulnerability is exploited and when a patch is made available. The average window of exposure from the first six months of 2006 was 28 days – a dangerously large window in which systems and users are at risk. Average time to develop a patch – Time to develop exploit code = window of exposure (31 – 3 = 28 days).
While vendors continue to make strides and reduce the amount of time it takes to release a patch, attackers seem to be staying one step ahead of...

Patrick Fitzgerald | 22 Nov 2006 08:00:00 GMT | 0 comments

Malware is becoming increasingly complex. Take Rustock.B for example: this threat goes above and beyond to prevent analysis and detection. A blog article is probably too small of a space to describe everything Rustock does technically, but you shouldn’t be surprised, considering its complexity, that Rustock has a clear financial motive. In particular, apart from hiding itself with advanced rootkit techniques, the primary goal of this threat is to send a lot of spam. Because we capture spam such as this, it allows us to update our email security products, such as Brightmail AntiSpam. In addition to pharmaceuticals, mortgages, and imitation product spam, Rustock has also sent stock-based spam. Stock-based spam usually consists of some random text, followed by an image, followed by more random text. Below is an example of one of the stock-based...

Patrick Fitzgerald | 22 Nov 2006 08:00:00 GMT | 0 comments

Malware is becoming increasingly complex. Take Rustock.B for example: this threat goes above and beyond to prevent analysis and detection. A blog article is probably too small of a space to describe everything Rustock does technically, but you shouldn’t be surprised, considering its complexity, that Rustock has a clear financial motive. In particular, apart from hiding itself with advanced rootkit techniques, the primary goal of this threat is to send a lot of spam. Because we capture spam such as this, it allows us to update our email security products, such as Brightmail AntiSpam. In addition to pharmaceuticals, mortgages, and imitation product spam, Rustock has also sent stock-based spam. Stock-based spam usually consists of some random text, followed by an image, followed by more random text. Below is an example of one of the stock-based...

Al Hartmann | 21 Nov 2006 08:00:00 GMT | 0 comments

This Weblog and the blogoshpere in general have been abuzz with controversy over Microsoft PatchGuard and issues dealing with appropriate kernel security instrumentation. This blog entry is the first of a two-part series. It provides an excerpt of a draft posting that proposes an abstract host security metasystem and laws of host security that attempt to raise the level of discourse above specific features and implementations. This blog entry will outline the sensor and effector instrumentation laws and the second blog entry, covering the security and policy component laws, will be published later this week. Symantec posted this draft to openly solicit constructive comments and helpful suggestions for draft refinements. The intent is to reach industry consensus on an architectural framework to guide designers of future host security subsystems and supporting instrumentation.

...

John Canavan | 20 Nov 2006 08:00:00 GMT | 0 comments

VB-Oct06_small.jpg

In the early part of this year, W32.Blackmal.E@mm and OSX.Leap.A received near blanket coverage from the technical media. W32.Blackmal.E@mm was a mass-mailing worm with two particular features that ensured it quickly became a focus of attention. When run, the worm would execute a Web-based php script, which was intended to function as an infection counter. Cue the daily tech-blog updates: "Clock ticking for Nyxem virus" (Slashdot), "Blackworm worm over 1.8 million infestations and climbing" (Sunbelt). Even the fancy animated .gifs of a counter shot up from 398,000 to 440,000 in seconds (F-Secure). Couple this with the fact that the worm was programmed to delete files with a number of common extensions on the third of the next month, and there's a storm a brewin': "Kama Sutra worm seduces PC users" (cnet),...

John Canavan | 20 Nov 2006 08:00:00 GMT | 0 comments

VB-Oct06_small.jpg

In the early part of this year, W32.Blackmal.E@mm and OSX.Leap.Areceived near blanket coverage from the technical media.W32.Blackmal.E@mm was a mass-mailing worm with two particular featuresthat ensured it quickly became a focus of attention. When run, the wormwould execute a Web-based php script, which was intended to function asan infection counter. Cue the daily tech-blog updates: "Clock tickingfor Nyxem virus" (Slashdot), "Blackworm worm over 1.8 millioninfestations and climbing" (Sunbelt). Even the fancy animated .gifs ofa counter shot up from 398,000 to 440,000 in seconds (F-Secure). Couplethis with the fact that the worm was programmed to delete files with anumber of common extensions on the third of the next month, and there'sa storm a brewin': "Kama Sutra worm seduces PC users" (cnet),"Countdown for Windows virus" (BBC), "Urgent...

Symantec Security Response | 17 Nov 2006 08:00:00 GMT | 0 comments

The next time you open and view a video file of the RealMedia variety (for example, an .rm or .rmvb file), be aware that you may unwittingly be allowing a Trojan to execute on your computer. When executed, a nasty threat that Symantec has dubbed Trojan.Realor scans the computer for RealMedia files and inserts a hyperlink into them. When the infected files are opened, the RealMedia player attempts to load an external Web page in the computer's default browser.

The Web site (unavailable at the time of this writing) reportedly attempts to exploit a vulnerability in one of the browser's underlying components – Microsoft Data Access Components, or "MDAC" for short. The user may only notice a seemingly harmless error message, but behind the scenes a hidden IFRAME object is loading the malicious code.

If the exploit is successful, theTrojan then searches for further RealMedia files, into which it will attempt to insert the hyperlink, and so the cycle...

Zulfikar Ramzan | 16 Nov 2006 08:00:00 GMT | 0 comments

A few weeks ago, two well-known online discount brokers, E-trade and TD Ameritrade, revealed that online fraud had cost them a combined $22 million. The amount of money here is clearly substantial and what is probably even scarier is that it only represents what two firms experienced from one set of attacks.

The purported mechanism by which the financial loss took place was a “pump-and-dump” scheme; the details of which are as follows. The perpetrators first managed to steal the passwords for a victim’s online brokerage account. (We’ll get into how they accomplished this step shortly.) The perpetrators then purchased a large number of small-cap low-volume stocks through an already existing brokerage account. Next, they logged into the compromised account, liquidated the account holder’s assets, and used the proceeds to purchase these same stocks—thereby driving up the price. The perpetrators heavily profited by dumping the previously acquired shares.

In addition...

Zulfikar Ramzan | 16 Nov 2006 08:00:00 GMT | 0 comments

A few weeks ago, two well-known online discount brokers, E-trade and TD Ameritrade, revealed that online fraud had cost them a combined $22 million. The amount of money here is clearly substantial and what is probably even scarier is that it only represents what two firms experienced from one set of attacks.

The purported mechanism by which the financial loss took place was a “pump-and-dump” scheme; the details of which are as follows. The perpetrators first managed to steal the passwords for a victim’s online brokerage account. (We’ll get into how they accomplished this step shortly.) The perpetrators then purchased a large number of small-cap low-volume stocks through an already existing brokerage account. Next, they logged into the compromised account, liquidated the account holder’s assets, and used the proceeds to purchase these same stocks—thereby driving up the price. The perpetrators heavily profited by dumping the previously acquired shares.

In addition...

Liam O Murchu | 15 Nov 2006 08:00:00 GMT | 0 comments

While analyzing a sample of W32.Graybird recently, I noticed a request for a picture from a well-known photo hosting site. The picture was of a cute fluffy bird (not gray, though) ;-) holding a bunch of roses (see below). The request seemed unusual and caught my attention.

bird2.jpg

Why was a back door connecting to a photo hosting site and requesting a picture like this? We often see threats connecting out for what appears to be a picture, but what is downloaded is actually an executable. In this case, it really was a picture that was downloaded. In other cases, the downloaded picture may contain executable code hidden within it, but here there was no executable code found inside either.

Upon closer inspection, a URL was found appended to the end of the image. The Graybird sample was downloading the image and parsing it to find this URL, then the...