Video Screencast Help
Security Response
Showing posts in English
John Canavan | 20 Nov 2006 08:00:00 GMT | 0 comments

VB-Oct06_small.jpg

In the early part of this year, W32.Blackmal.E@mm and OSX.Leap.Areceived near blanket coverage from the technical media.W32.Blackmal.E@mm was a mass-mailing worm with two particular featuresthat ensured it quickly became a focus of attention. When run, the wormwould execute a Web-based php script, which was intended to function asan infection counter. Cue the daily tech-blog updates: "Clock tickingfor Nyxem virus" (Slashdot), "Blackworm worm over 1.8 millioninfestations and climbing" (Sunbelt). Even the fancy animated .gifs ofa counter shot up from 398,000 to 440,000 in seconds (F-Secure). Couplethis with the fact that the worm was programmed to delete files with anumber of common extensions on the third of the next month, and there'sa storm a brewin': "Kama Sutra worm seduces PC users" (cnet),"Countdown for Windows virus" (BBC), "Urgent...

Symantec Security Response | 17 Nov 2006 08:00:00 GMT | 0 comments

The next time you open and view a video file of the RealMedia variety (for example, an .rm or .rmvb file), be aware that you may unwittingly be allowing a Trojan to execute on your computer. When executed, a nasty threat that Symantec has dubbed Trojan.Realor scans the computer for RealMedia files and inserts a hyperlink into them. When the infected files are opened, the RealMedia player attempts to load an external Web page in the computer's default browser.

The Web site (unavailable at the time of this writing) reportedly attempts to exploit a vulnerability in one of the browser's underlying components – Microsoft Data Access Components, or "MDAC" for short. The user may only notice a seemingly harmless error message, but behind the scenes a hidden IFRAME object is loading the malicious code.

If the exploit is successful, theTrojan then searches for further RealMedia files, into which it will attempt to insert the hyperlink, and so the cycle...

Zulfikar Ramzan | 16 Nov 2006 08:00:00 GMT | 0 comments

A few weeks ago, two well-known online discount brokers, E-trade and TD Ameritrade, revealed that online fraud had cost them a combined $22 million. The amount of money here is clearly substantial and what is probably even scarier is that it only represents what two firms experienced from one set of attacks.

The purported mechanism by which the financial loss took place was a “pump-and-dump” scheme; the details of which are as follows. The perpetrators first managed to steal the passwords for a victim’s online brokerage account. (We’ll get into how they accomplished this step shortly.) The perpetrators then purchased a large number of small-cap low-volume stocks through an already existing brokerage account. Next, they logged into the compromised account, liquidated the account holder’s assets, and used the proceeds to purchase these same stocks—thereby driving up the price. The perpetrators heavily profited by dumping the previously acquired shares.

In addition...

Zulfikar Ramzan | 16 Nov 2006 08:00:00 GMT | 0 comments

A few weeks ago, two well-known online discount brokers, E-trade and TD Ameritrade, revealed that online fraud had cost them a combined $22 million. The amount of money here is clearly substantial and what is probably even scarier is that it only represents what two firms experienced from one set of attacks.

The purported mechanism by which the financial loss took place was a “pump-and-dump” scheme; the details of which are as follows. The perpetrators first managed to steal the passwords for a victim’s online brokerage account. (We’ll get into how they accomplished this step shortly.) The perpetrators then purchased a large number of small-cap low-volume stocks through an already existing brokerage account. Next, they logged into the compromised account, liquidated the account holder’s assets, and used the proceeds to purchase these same stocks—thereby driving up the price. The perpetrators heavily profited by dumping the previously acquired shares.

In addition...

Liam O Murchu | 15 Nov 2006 08:00:00 GMT | 0 comments

While analyzing a sample of W32.Graybird recently, I noticed a request for a picture from a well-known photo hosting site. The picture was of a cute fluffy bird (not gray, though) ;-) holding a bunch of roses (see below). The request seemed unusual and caught my attention.

bird2.jpg

Why was a back door connecting to a photo hosting site and requesting a picture like this? We often see threats connecting out for what appears to be a picture, but what is downloaded is actually an executable. In this case, it really was a picture that was downloaded. In other cases, the downloaded picture may contain executable code hidden within it, but here there was no executable code found inside either.

Upon closer inspection, a URL was found appended to the end of the image. The Graybird sample was downloading the image and parsing it to find this URL, then the...

Aaron Adams | 15 Nov 2006 08:00:00 GMT | 0 comments

Succinct information regarding the OS Xthreat landscape is hard to come by. Much of the information regardingOS X security and threats is blatantly wrong, overwhelmed by flamewars, and generally hard to digest. This isn’t to say that researchersaren’t releasing accurate and cutting edge information regardingviruses, vulnerabilities, and exploitation vectors affecting theplatform. On the contrary, it seems that many of the defenders or usersof OS X are unaware of their existence, don't understand them, orsimply choose to ignore them.

In light of all of the misinformation and confusion surrounding thetopic, there is a lack of a sufficient summary of what threats haveaffected OS X and what research is being carried out regarding theplatform. So, I decided to document it. The document I set out to writewas not meant to uncover anything new. No new vulnerabilities, exploitvectors, or rootkit techniques. Instead, I wanted to correlate andsummarize the information that was...

Liam O Murchu | 15 Nov 2006 08:00:00 GMT | 0 comments

While analyzing a sample of W32.Graybirdrecently, I noticed a request for a picture from a well-known photohosting site. The picture was of a cute fluffy bird (not gray, though);-) holding a bunch of roses (see below). The request seemed unusualand caught my attention.

bird2.jpg

Why was a back door connecting to a photo hosting site andrequesting a picture like this? We often see threats connecting out forwhat appears to be a picture, but what is downloaded is actually anexecutable. In this case, it really was a picture that was downloaded.In other cases, the downloaded picture may contain executable codehidden within it, but here there was no executable code found insideeither.

Upon closer inspection, a URL was found appended to the end of theimage. The Graybird sample was downloading the image and parsing it tofind this URL, then the sample was...

Liam O Murchu | 15 Nov 2006 08:00:00 GMT | 0 comments

While analyzing a sample of W32.Graybird recently, I noticed a request for a picture from a well-known photo hosting site. The picture was of a cute fluffy bird (not gray, though) ;-) holding a bunch of roses (see below). The request seemed unusual and caught my attention.

bird2.jpg

Why was a back door connecting to a photo hosting site and requesting a picture like this? We often see threats connecting out for what appears to be a picture, but what is downloaded is actually an executable. In this case, it really was a picture that was downloaded. In other cases, the downloaded picture may contain executable code hidden within it, but here there was no executable code found inside either.

Upon closer inspection, a URL was found appended to the end of the image. The Graybird sample was downloading the image and parsing it to find this URL, then the...

Ben Greenbaum | 14 Nov 2006 08:00:00 GMT | 0 comments

Microsoft released six security bulletins this morning, covering atotal of 11 distinct security vulnerabilities. In rough order of mosturgent to least, here we go:

Topping the list in raw urgency is MS06-066 (BID 21023 and BID 20984,CVE-2006-4688 and CVE-2006-4689). This affects everything from Win2KSP0 to XP SP2, provided that the systems have the Client Service forNetware enabled. This obviously reduces the population of vulnerablesystems, but for those systems this is where you want to start. Thisaddresses two vulnerabilities, the more severe of which is theMicrosoft Windows Client Service For Netware Remote Code ExecutionVulnerability. If your computers match that description, you are wideopen to remote attackers, who have the opportunity to run code of theirchoice on your machines – until you apply the...

Mimi Hoang | 14 Nov 2006 08:00:00 GMT | 0 comments

Whether it’s spaghetti or lasagna or any other potential mess, Symantec can clear away whatever Gromozon dishes out. Our team has already written a couple of blogs on just how nasty the Gromozon (LinkOptimizer) threat is. You can read about it in Gromozon.com and Italian Spaghetti, and Gromozon Evolution: From Spaghetti to Lasagna.

Recently, we took 18 different LinkOptimizer samples and did our own testing to see whether or not other vendors could deal with this super aggressive threat. The results are pretty staggering. Symantec provides the most complete protection, whereas the next closest vendor handled only five out of the 18 samples.

...