Video Screencast Help
Security Response
Showing posts in English
Zulfikar Ramzan | 16 Nov 2006 08:00:00 GMT | 0 comments

A few weeks ago, two well-known online discount brokers, E-trade and TD Ameritrade, revealed that online fraud had cost them a combined $22 million. The amount of money here is clearly substantial and what is probably even scarier is that it only represents what two firms experienced from one set of attacks.

The purported mechanism by which the financial loss took place was a “pump-and-dump” scheme; the details of which are as follows. The perpetrators first managed to steal the passwords for a victim’s online brokerage account. (We’ll get into how they accomplished this step shortly.) The perpetrators then purchased a large number of small-cap low-volume stocks through an already existing brokerage account. Next, they logged into the compromised account, liquidated the account holder’s assets, and used the proceeds to purchase these same stocks—thereby driving up the price. The perpetrators heavily profited by dumping the previously acquired shares.

In addition...

Liam O Murchu | 15 Nov 2006 08:00:00 GMT | 0 comments

While analyzing a sample of W32.Graybird recently, I noticed a request for a picture from a well-known photo hosting site. The picture was of a cute fluffy bird (not gray, though) ;-) holding a bunch of roses (see below). The request seemed unusual and caught my attention.

bird2.jpg

Why was a back door connecting to a photo hosting site and requesting a picture like this? We often see threats connecting out for what appears to be a picture, but what is downloaded is actually an executable. In this case, it really was a picture that was downloaded. In other cases, the downloaded picture may contain executable code hidden within it, but here there was no executable code found inside either.

Upon closer inspection, a URL was found appended to the end of the image. The Graybird sample was downloading the image and parsing it to find this URL, then the...

Aaron Adams | 15 Nov 2006 08:00:00 GMT | 0 comments

Succinct information regarding the OS Xthreat landscape is hard to come by. Much of the information regardingOS X security and threats is blatantly wrong, overwhelmed by flamewars, and generally hard to digest. This isn’t to say that researchersaren’t releasing accurate and cutting edge information regardingviruses, vulnerabilities, and exploitation vectors affecting theplatform. On the contrary, it seems that many of the defenders or usersof OS X are unaware of their existence, don't understand them, orsimply choose to ignore them.

In light of all of the misinformation and confusion surrounding thetopic, there is a lack of a sufficient summary of what threats haveaffected OS X and what research is being carried out regarding theplatform. So, I decided to document it. The document I set out to writewas not meant to uncover anything new. No new vulnerabilities, exploitvectors, or rootkit techniques. Instead, I wanted to correlate andsummarize the information that was...

Liam O Murchu | 15 Nov 2006 08:00:00 GMT | 0 comments

While analyzing a sample of W32.Graybirdrecently, I noticed a request for a picture from a well-known photohosting site. The picture was of a cute fluffy bird (not gray, though);-) holding a bunch of roses (see below). The request seemed unusualand caught my attention.

bird2.jpg

Why was a back door connecting to a photo hosting site andrequesting a picture like this? We often see threats connecting out forwhat appears to be a picture, but what is downloaded is actually anexecutable. In this case, it really was a picture that was downloaded.In other cases, the downloaded picture may contain executable codehidden within it, but here there was no executable code found insideeither.

Upon closer inspection, a URL was found appended to the end of theimage. The Graybird sample was downloading the image and parsing it tofind this URL, then the sample was...

Liam O Murchu | 15 Nov 2006 08:00:00 GMT | 0 comments

While analyzing a sample of W32.Graybird recently, I noticed a request for a picture from a well-known photo hosting site. The picture was of a cute fluffy bird (not gray, though) ;-) holding a bunch of roses (see below). The request seemed unusual and caught my attention.

bird2.jpg

Why was a back door connecting to a photo hosting site and requesting a picture like this? We often see threats connecting out for what appears to be a picture, but what is downloaded is actually an executable. In this case, it really was a picture that was downloaded. In other cases, the downloaded picture may contain executable code hidden within it, but here there was no executable code found inside either.

Upon closer inspection, a URL was found appended to the end of the image. The Graybird sample was downloading the image and parsing it to find this URL, then the...

Ben Greenbaum | 14 Nov 2006 08:00:00 GMT | 0 comments

Microsoft released six security bulletins this morning, covering atotal of 11 distinct security vulnerabilities. In rough order of mosturgent to least, here we go:

Topping the list in raw urgency is MS06-066 (BID 21023 and BID 20984,CVE-2006-4688 and CVE-2006-4689). This affects everything from Win2KSP0 to XP SP2, provided that the systems have the Client Service forNetware enabled. This obviously reduces the population of vulnerablesystems, but for those systems this is where you want to start. Thisaddresses two vulnerabilities, the more severe of which is theMicrosoft Windows Client Service For Netware Remote Code ExecutionVulnerability. If your computers match that description, you are wideopen to remote attackers, who have the opportunity to run code of theirchoice on your machines – until you apply the...

Mimi Hoang | 14 Nov 2006 08:00:00 GMT | 0 comments

Whether it’s spaghetti or lasagna or any other potential mess, Symantec can clear away whatever Gromozon dishes out. Our team has already written a couple of blogs on just how nasty the Gromozon (LinkOptimizer) threat is. You can read about it in Gromozon.com and Italian Spaghetti, and Gromozon Evolution: From Spaghetti to Lasagna.

Recently, we took 18 different LinkOptimizer samples and did our own testing to see whether or not other vendors could deal with this super aggressive threat. The results are pretty staggering. Symantec provides the most complete protection, whereas the next closest vendor handled only five out of the 18 samples.

...

Ben Greenbaum | 14 Nov 2006 08:00:00 GMT | 0 comments

Microsoft released six security bulletins this morning, covering a total of 11 distinct security vulnerabilities. In rough order of most urgent to least, here we go:

Topping the list in raw urgency is MS06-066 (BID 21023 and BID 20984, CVE-2006-4688 and CVE-2006-4689). This affects everything from Win2K SP0 to XP SP2, provided that the systems have the Client Service for Netware enabled. This obviously reduces the population of vulnerable systems, but for those systems this is where you want to start. This addresses two vulnerabilities, the more severe of which is the Microsoft Windows Client Service For Netware Remote Code Execution Vulnerability. If your computers match that description, you are wide open to remote attackers, who have the opportunity to run code of their choice on your machines – until you...

Dave Cole | 13 Nov 2006 08:00:00 GMT | 0 comments

This past spring we announced that Phish Report Network (PRN) was officially open for any organization who wanted to have phishing attacks against their brand blocked through the PRN’s community of solution providers, including Yahoo, Netscape, Symantec and others. This was (and still is) completely free of charge to the organization sending the data. We’re now pleased to announce that anyone, from Grandma Jones in Topeka to Uncle Jack in Melbourne, can now submit their fresh phish to the PRN. It’s a piece of cake to do and mostly consists of copying the URL of the fraudulent Web site into a submission form at the following location: https://submit.symantec.com/antifraud/phish.cgi

Once we receive the suspicious URLs, we vet them both programmatically as well as manually to make sure it is indeed a fraudulent...

Dave Cole | 13 Nov 2006 08:00:00 GMT | 0 comments

This past spring we announced that Phish Report Network (PRN) was officially open for any organization who wanted to have phishing attacks against their brand blocked through the PRN’s community of solution providers, including Yahoo, Netscape, Symantec and others. This was (and still is) completely free of charge to the organization sending the data. We’re now pleased to announce that anyone, from Grandma Jones in Topeka to Uncle Jack in Melbourne, can now submit their fresh phish to the PRN. It’s a piece of cake to do and mostly consists of copying the URL of the fraudulent Web site into a submission form at the following location: https://submit.symantec.com/antifraud/phish.cgi

Once we receive the suspicious URLs, we vet them both programmatically as well as manually to make sure it is indeed a fraudulent...