Video Screencast Help
Protect Your POS Environment Against Retail Data Breaches. Learn More.
Security Response
Showing posts in English
Liam O Murchu | 15 Nov 2006 08:00:00 GMT | 0 comments

While analyzing a sample of W32.Graybirdrecently, I noticed a request for a picture from a well-known photohosting site. The picture was of a cute fluffy bird (not gray, though);-) holding a bunch of roses (see below). The request seemed unusualand caught my attention.

bird2.jpg

Why was a back door connecting to a photo hosting site andrequesting a picture like this? We often see threats connecting out forwhat appears to be a picture, but what is downloaded is actually anexecutable. In this case, it really was a picture that was downloaded.In other cases, the downloaded picture may contain executable codehidden within it, but here there was no executable code found insideeither.

Upon closer inspection, a URL was found appended to the end of theimage. The Graybird sample was downloading the image and parsing it tofind this URL, then the sample was...

Liam O Murchu | 15 Nov 2006 08:00:00 GMT | 0 comments

While analyzing a sample of W32.Graybird recently, I noticed a request for a picture from a well-known photo hosting site. The picture was of a cute fluffy bird (not gray, though) ;-) holding a bunch of roses (see below). The request seemed unusual and caught my attention.

bird2.jpg

Why was a back door connecting to a photo hosting site and requesting a picture like this? We often see threats connecting out for what appears to be a picture, but what is downloaded is actually an executable. In this case, it really was a picture that was downloaded. In other cases, the downloaded picture may contain executable code hidden within it, but here there was no executable code found inside either.

Upon closer inspection, a URL was found appended to the end of the image. The Graybird sample was downloading the image and parsing it to find this URL, then the...

Ben Greenbaum | 14 Nov 2006 08:00:00 GMT | 0 comments

Microsoft released six security bulletins this morning, covering atotal of 11 distinct security vulnerabilities. In rough order of mosturgent to least, here we go:

Topping the list in raw urgency is MS06-066 (BID 21023 and BID 20984,CVE-2006-4688 and CVE-2006-4689). This affects everything from Win2KSP0 to XP SP2, provided that the systems have the Client Service forNetware enabled. This obviously reduces the population of vulnerablesystems, but for those systems this is where you want to start. Thisaddresses two vulnerabilities, the more severe of which is theMicrosoft Windows Client Service For Netware Remote Code ExecutionVulnerability. If your computers match that description, you are wideopen to remote attackers, who have the opportunity to run code of theirchoice on your machines – until you apply the...

Mimi Hoang | 14 Nov 2006 08:00:00 GMT | 0 comments

Whether it’s spaghetti or lasagna or any other potential mess, Symantec can clear away whatever Gromozon dishes out. Our team has already written a couple of blogs on just how nasty the Gromozon (LinkOptimizer) threat is. You can read about it in Gromozon.com and Italian Spaghetti, and Gromozon Evolution: From Spaghetti to Lasagna.

Recently, we took 18 different LinkOptimizer samples and did our own testing to see whether or not other vendors could deal with this super aggressive threat. The results are pretty staggering. Symantec provides the most complete protection, whereas the next closest vendor handled only five out of the 18 samples.

...

Ben Greenbaum | 14 Nov 2006 08:00:00 GMT | 0 comments

Microsoft released six security bulletins this morning, covering a total of 11 distinct security vulnerabilities. In rough order of most urgent to least, here we go:

Topping the list in raw urgency is MS06-066 (BID 21023 and BID 20984, CVE-2006-4688 and CVE-2006-4689). This affects everything from Win2K SP0 to XP SP2, provided that the systems have the Client Service for Netware enabled. This obviously reduces the population of vulnerable systems, but for those systems this is where you want to start. This addresses two vulnerabilities, the more severe of which is the Microsoft Windows Client Service For Netware Remote Code Execution Vulnerability. If your computers match that description, you are wide open to remote attackers, who have the opportunity to run code of their choice on your machines – until you...

Dave Cole | 13 Nov 2006 08:00:00 GMT | 0 comments

This past spring we announced that Phish Report Network (PRN) was officially open for any organization who wanted to have phishing attacks against their brand blocked through the PRN’s community of solution providers, including Yahoo, Netscape, Symantec and others. This was (and still is) completely free of charge to the organization sending the data. We’re now pleased to announce that anyone, from Grandma Jones in Topeka to Uncle Jack in Melbourne, can now submit their fresh phish to the PRN. It’s a piece of cake to do and mostly consists of copying the URL of the fraudulent Web site into a submission form at the following location: https://submit.symantec.com/antifraud/phish.cgi

Once we receive the suspicious URLs, we vet them both programmatically as well as manually to make sure it is indeed a fraudulent...

Dave Cole | 13 Nov 2006 08:00:00 GMT | 0 comments

This past spring we announced that Phish Report Network (PRN) was officially open for any organization who wanted to have phishing attacks against their brand blocked through the PRN’s community of solution providers, including Yahoo, Netscape, Symantec and others. This was (and still is) completely free of charge to the organization sending the data. We’re now pleased to announce that anyone, from Grandma Jones in Topeka to Uncle Jack in Melbourne, can now submit their fresh phish to the PRN. It’s a piece of cake to do and mostly consists of copying the URL of the fraudulent Web site into a submission form at the following location: https://submit.symantec.com/antifraud/phish.cgi

Once we receive the suspicious URLs, we vet them both programmatically as well as manually to make sure it is indeed a fraudulent...

Shunichi Imano | 11 Nov 2006 08:00:00 GMT | 0 comments

It has recently been reported thatfunctional exploit code for Broadcom Wireless drivers has been madeavailable to the public. Concerns over the exploit are increasing,because the exploit allows remote code execution, and the susceptibledrivers are shipped with many new computers.

More information can be found at the Month of Kernel Bugs site.

A machine is vulnerable to the exploit if the computer has asusceptible Broadcom Wireless-N network card, and is running thedrivers in question. Unfortunately, due to the nature of wirelessnetworking, all that is required of the attacker is to be within rangeof the vulnerable machine. Because this vulnerability occurs at anextremely low level
within the networking protocol, there may be difficulties in detecting these attacks using standard IDS/IPS methods.

Symantec Security Response recommends that you update...

Ollie Whitehouse | 10 Nov 2006 08:00:00 GMT | 0 comments

Hola again! Well, that’s my Spanish out the way. Oh, wait – dos cervezas por favor ;-). Anyway, I was invited down to Spain by the kind folk of NoConName (thanks to Nico and crew – Majorca is lovely!) to deliver a presentation on some research I had done at the start of the year when I first joined the Advanced Threat Research team (research that I had alluded to in an earlier blog entry on an attack surface analysis of Windows CE 5 and Windows Mobile 5.

This is a rundown of the NoConName version of my presentation:

• Introduction & Context
• Overview of Windows CE
• Windows CE Security Model
• Analysis Findings
• Windows CE and Security Patches

The first three sections are pretty self explanatory and way too long to cover...

Zulfikar Ramzan | 09 Nov 2006 08:00:00 GMT | 0 comments

A fairly imaginative phishing attack was live on the MySpace.com site for a few hours on the morning of Friday, October 27, 2006. The attack was interesting not so much because of its technical prowess, but because the attackers were so creative. The attack was initially reported by Netcraft who discovered it when one of their customers encountered the page.

The attackers were able to create a login page located at http://www.myspace.com/login_home_index_html, which solicited the visiting user’s MySpace username and password. When entered, these values would go to a server operated out of France.

How did the attackers manage to pull this off? They tossed the wealth of complex phishing techniques aside and did something that was remarkably simple and yet clever. Like millions before them, they just went to MySpace.com and registered an...