
Security Response

Eric Chien | 24 Aug 2006 07:00:00 GMT | 0 comments

Over the last few weeks we've been tracking attacks coming from Gromozon.com. These attacks have actually been happening for a few months now, but the number of reports has recently escalated. In particular, a variety of Italian blogs and message boards have been spammed with links to hundreds of different URLs over the last week. These URLs all eventually point to gromozon.com and after an extensive trail of code downloading other code, one ends up infected with LinkOptimizer, which dials a high-cost phone number and then displays advertisements when browsing the Internet.

When you visit one of these malicious links, it eventually loads a page from gromozon.com that determines which browser you are using. If you are using Internet Explorer, it attempts to exploit an Internet Explorer vulnerability. The exploit has changed over time, but is currently...

Eric Chien | 23 Aug 2006 07:00:00 GMT | 0 comments

We've been watching Wargbot for the past week to monitor its activities. As noted in our previous blog entry, Wargbot was being used to send spam. I wanted to provide some statistics and anecdotes on Wargbot's activities.

As part of our standard intelligence gathering, we monitor a variety of botnets. Usually, these botnets don't stay up too long because ISPs respond to our shutdown notices, but servers related to Wargbot have been up for a week already and have been quite active. In particular, Wargbot downloads Backdoor.Ranky, which converts the infected machine into a proxy for spam. Since the spam started coming through, we've seen tens of thousands of spam messages being pumped through our honeypot; we actually take all of these spam messages and redirect them to the Symantec Email Security Group. The Email Security Group then verifies that...

Symantec Security Response | 22 Aug 2006 07:00:00 GMT | 0 comments

Over the last few days there's been a lot of buzz about whether or not there is a new zero-day vulnerability in the Microsoft PowerPoint application being exploited. Some people thought that the exploit was a spin-off from the recently announced PowerPoint vulnerability in MS06-048 (in August). However, what Symantec Security Response has determined is that the exploit is in fact based on Microsoft Office vulnerabilities disclosed in MS06-012, which was announced back in March of this year.

Upon analysis of samples related to this particular exploit in question, we discovered that it is related to Trojan.PPDropper, which we've had detection for since August 17, 2006. This file then drops a downloader that will download Keylogger.Trojan from two separate addresses (we've had detection for the downloader and Keylogger.Trojan since August 12, 2006).

Symantec has also determined that the exploit occurs just as you close a PowerPoint document, which is typical of MS06-012 exploits...

Ollie Whitehouse | 22 Aug 2006 07:00:00 GMT | 0 comments

I spoke in my previous entry about how, when using Symbian's C++ descriptors for variables, traditional buffer overflows can be turned into denial of service (DoS) conditions. Well, I thought it might be important to point out that traditional overflows can still exist in Symbian-developed software to this day. Although not recommended, Symbian does allow the inclusion of 'libc\string.h', among other headers; this allows programmers to utilize all of the unsafe “C” functions we have become accustomed to (such as strcpy, strcat, sprintf, etc.).

The subject of buffer overflows, the danger they pose, and how best to mitigate them is well documented on the Internet; so, for brevity’s sake I won't cover it here yet again. However, what I will say is that some of the research I've done at Symantec has shown that these overflows are no less...

Amado Hidalgo | 21 Aug 2006 07:00:00 GMT | 0 comments

These days it is quite common to receive bogus email alerts purporting to come from security companies, informing you about some apparent infection on your computer and telling you to install software or an update (attached to the email) to clean your computer. We have all seen them and now, most of us simply ignore them. In most cases, helpful spam filtering software makes sure we are not bothered by them.

Less frequently we see Web sites built with the sole purpose of distributing malicious code. In some cases the fraudulent sites imitate the alert pages of a legitimate security company with the hope of tricking unsuspecting users into downloading malicious code. The level of credibility of these Web sites varies, but in most cases they contain logos, colors, and other (copyrighted) branding details ripped off from the legitimate site. This makes them somewhat harder for the casual or misinformed web user to detect, when they are, in fact, phony. In more sophisticated...

Masaki Suenaga | 18 Aug 2006 07:00:00 GMT | 0 comments

Traditional key loggers are used to capture key strokes or parameters of WM_CHAR window messages. A key logger is usually good enough to decipher what is input by the user if the language is English, French, Russian, Arabic, Thai and so on. However, people in China, Japan, and Korea often have to input thousands of different kinds of characters, known as Chinese characters, Hiragana and Katakana, and Hangeul, while the PC has only 100 keys on the keyboard. That is why input method editors (IME) exist for these languages.

In order to input one special character through an IME, we need to type between one and six keys. Basically, we type the reading of the string (or parts of Hangeul in Korean) to obtain the converted strings. But, a reading can end up with multiple versions of the converted strings, which requires the user to ultimately determine the converted string. This final string is called the “result string” of an IME. Another IME-related technique can be found...

Marc Fossi | 18 Aug 2006 07:00:00 GMT | 0 comments

Typosquatting has been around for a while. For those not familiar with the term, it refers to the practice of registering a domain name similar to that of a legitimate Web site (for example, symantc.com instead of symantec.com). The idea is that when you type the name of a site into your Web browser, there’s a chance you’ll make a typo, which results in you being taken to the squatter’s site instead of the legitimate site. The squatter’s site may be a page loaded with ads that generate revenue for them, a page that exploits a browser vulnerability to load malicious code, adware, or spyware onto your computer, or a phishing site designed to look like the site you meant to go to.

To fight typosquatting, many companies have begun registering domain names based on common typos in their actual names. For example, if you type gooogle.com into your browser, you’ll be redirected to google.com. Now, this works for typos within the domain name itself, but what if you leave the ‘o’ out of .com...

Ollie Whitehouse | 17 Aug 2006 07:00:00 GMT | 0 comments

With the advent of the Symbian mobile operating system we have been introduced to several new descriptors for different types of variables. These descriptors are used when writing software with Symbian's C++ API and are not standard C-style strings, but instead “classes” that perform strict type and length checking. These classes are designed to protect against buffer overflows and general memory corruption bugs, among other things.

While this design is helpful because it stops overflows from overwriting the stack and heap, developers could develop a false sense of security. For what traditionally would have been a vulnerability that leads to arbitrary code execution, it is now potentially a vulnerability that causes a denial of service (DoS) condition.

Take the following code snippet as an example:

TBuf<5> Buf; // 5-character stack buffer: its maximum length is fixed at 5
_LIT(Boof,"AAAAAAAAAA"); // 10-character literal descriptor
Buf.Copy(Boof); // Attempt to overflow: Copy() checks the length and panics the thread instead of writing past the buffer

...
John Canavan | 16 Aug 2006 07:00:00 GMT | 0 comments

In recent months, we have seen a number of zero-day Microsoft Office exploits used to drop Trojan horses on affected systems. The release of the exploits had been timed so that when Microsoft released their patches, a zero-day exploit surfaced the next day. The timing of these releases was noted by Symantec Security Response and it was speculated that the people behind these exploits had discovered multiple vulnerabilities in Microsoft Office and were holding back on releasing them, in order to maximize the time-to-patch for each of their finds.

Today, we have seen another targeted attack on a document editing suite; however, this time around it is Justsystem's Ichitaro. Ichitaro is a word processing program widely used in Japan.

The malicious document uses a unicode stack overflow to execute its code on the system, dropping and executing a Trojan horse named Backdoor.Papi. When run, Backdoor.Papi copies itself to the %system% directory, creates a service named CAPAPI...
