Security Response
Zulfikar Ramzan | 22 Dec 2006 08:00:00 GMT | 0 comments

This entry continues my blog series on some Symantec phishing data I have recently analyzed. I decided to look at data that relates to how phishing attacks are becoming more targeted. During the periods studied, our data does not support the hypothesis that attackers are going after more and more specialized targets. For the periods studied, our data also indicates that targeted phishing campaigns are outweighed by more scattered ones. Again, it’s important to note that the data is specific to a given period of time, so it’s possible (and perhaps quite likely, given how rapidly the landscape is changing) that outside this time frame the picture could change dramatically.

Let’s consider unique brands first. From June through September, 2006, the Symantec Norton Confidential system recorded 154 distinct brands that were spoofed in a phishing attack. Of these 154 brands, 93 of them were spoofed in a phishing attack that occurred during June; this number jumped...

Zulfikar Ramzan | 22 Dec 2006 08:00:00 GMT | 0 comments

As part of the look at phishing statistics that I’ve blogged about recently, we analyzed the industry segmentation of the brands spoofed in a phishing attack. We divided the spoofed brands into the following categories:
• Financial - sites associated with online banking, brokerage, lending, and similar financial services or sites that directly support such a brand
• Service provider - sites that provide some common Internet-related services, including one or more of the following: Internet access, email accounts, or information portals
• General retail - sites that are associated with the sale of merchandise online
• Computer hardware - sites that are associated almost exclusively with the sale of computer hardware and peripherals
• Government - sites whose common URL ends in the .gov extension
• Social networking - sites whose exclusive purpose is to facilitate connection, collaboration, and communication among members, possibly...

Kelly Conley | 21 Dec 2006 08:00:00 GMT | 0 comments

We've noticed a tricky new spam tactic occurring recently and thought we'd share it with you. It’s always exciting when a new spamming technique comes along and it’s even more exciting when our filtering capabilities are successful against it. Most users running our product will not have seen this. Spam filtering can still protect you from this “new spam technique,” but, even if you have seen it or even opened it, you probably gave it a one-two glance and wondered “Eh? This isn't what I thought it was.”

The headers are legit – coming from a newsletter or ad that you have signed up for. You should be receiving this mail, right? Nope, it's a spam email. Look closer. There at the top of the page. It's an ad for something entirely different than what you thought was going to be in that email.

It's an online pharmacy ad within a legitimate NFL newsletter. That is really sneaky. It looks legitimate from your Inbox. You did sign up for that NFL newsletter. Not...

Zulfikar Ramzan | 21 Dec 2006 08:00:00 GMT | 0 comments

As mentioned in one of my previous blog entries, I’ve been looking at some of the phishing data Symantec collects. As part of this effort, I looked at data associated with a recent Symantec offering called Norton Confidential (this product, which is geared towards providing transaction security, can detect phishing sites, among other things). The Norton Confidential back-end servers collect a tremendous amount of data associated with existing phishing sites.

Within these phishing sites, I decided to look a little more carefully at the distribution of spoofed brands that represent local US banks (for example, credit unions that are local to a specific state). For this purpose I considered a brand to be local if all the branch locations were in a specific state (or in states that directly bordered that state). I specifically...

Robert Keith | 20 Dec 2006 08:00:00 GMT | 0 comments

December 9, 2006, marks the day when long standing contributor to the PHP Security Response Team, Stefan Esser, retired. He has stated a few reasons for this latest move, primarily focusing on (in his opinion) the lack of response from his fellow colleagues and an extended delay in the patching of known vulnerabilities. Possibly another example of how some individuals or groups may choose to view “responsible disclosure.”

Over the years, SecurityFocus has reported on multiple vulnerabilities affecting PHP, such as BIDs 20879 (PHP HTMLEntities HTMLSpecialChars Buffer Overflow Vulnerabilities), 19582 (PHP Multiple Input...

Symantec Security Response | 19 Dec 2006 08:00:00 GMT | 0 comments

A new worm has been discovered that targets Skype, the voice-over-IP (VoIP) telephone application. The worm uses the Skype Control API to send text chat messages containing a malicious link to other Skype users. We highlighted the possibility of the Skype API being used as infection vector for malicious code in a blog article in May of this year: http://www.symantec.com/enterprise/security_response/weblog/2006/05/vulnerabilities_of_the_skype_a.html

However, in this case the security measures implemented by Skype have not been bypassed programmatically. Instead, the worm pleads with the user via a pop-up message box to "Allow this program in skype."

[Image: skype1.jpeg]

On a live system, the user will receive this pop-...

Peter Ferrie | 18 Dec 2006 08:00:00 GMT | 0 comments

SecuriTeam recently ran a Code Cruncher competition. The idea was to create the smallest possible Windows executable file that could download an arbitrary file from the Code Cruncher site.

While the final results are not in yet, one entry at 210 bytes (including the length of the URL) looks set to be the winner. Why? Because it executes entirely from within the PE header. That's right - there is no code outside of the file header, only strings, such as the URL. Even more amazing, those strings are encrypted. The decryptor fits into the PE header, along with the downloader code.

Here's a sanitized version of it (the relevant code and URL have been replaced):

Malware that can travel in one network packet, even smaller than CodeRed...