Security Response
Elia Florio | 19 Oct 2006 07:00:00 GMT | 0 comments

Since we last talked about Trojan.Linkoptimizer (a.k.a. Gromozon) and the Italian Spaghetti saga, there have been some significant developments. What we had originally dubbed "spaghetti threats" now look much more like multi-layered "lasagna threats". Several new features and improvements were integrated into the latest incarnation of this Trojan by the authors, who are probably getting paid well for all of their efforts.

How do users get infected with Linkoptimizer/Gromozon variants? We noticed that the complicated distribution scheme of Trojan.Linkoptimizer (shown in Figure 1) introduced a few significant changes, compared to the original scheme of the previous blog article. Here are the new things that we...

Candid Wueest | 19 Oct 2006 07:00:00 GMT | 0 comments

Most users that have a computer spend a vast amount of time on the Internet, be it for work-related business, or just out of curiosity. Spending so much time browsing the Web should make it obvious that people will try to optimize and improve the user experience of surfing the Web. For instance, the Mozilla Firefox browser allows the user to extend the browser's feature set with extension add-ons. If you want to control script execution on a more granular basis, then the “No Script” extension might be the right thing for you to have a look at. If you get annoyed by ads while surfing, you can give AdBlock a try. These are only two of the many examples out there. There are hundreds of different extensions freely available on the Internet. Even if your idea has not yet been integrated into an extension, then you can simply make one yourself (in a...

Orla Cox | 18 Oct 2006 07:00:00 GMT | 0 comments

Closely following McDonalds' trouble with infected MP3 players, Apple has now confirmed that a small number of Video iPods were shipped with malware onboard. According to an announcement on the Apple support site, Video iPods purchased after September 12th could potentially contain a copy of W32.Rajump. Like W32.Pasobir, the worm found on the McDonalds MP3 players, it too has the ability to copy itself to removable USB drives. Apple is recommending that users run an antivirus scan of their Video iPod before use.

Apple is quick to point...

Orla Cox | 17 Oct 2006 07:00:00 GMT | 0 comments

McDonalds' customers in Japan recently found themselves exposed to a worm infection when MP3 players, offered as a prize in a drink promotion, were found to contain a worm called W32.Pasobir. This isn't the first time we've seen hardware devices and media accidentally shipped with malware. One of the more famous incidents occurred back in 1998, when the W95.Marburg virus was accidentally shipped on some game CDs, including CDs offered free with gaming magazines. More recently (again, in Japan) hard drive manufacturer I-O Data accidentally shipped a number of hard disks containing a back door Trojan horse. In most circumstances the malware itself is old, in which case any up-to-date antivirus program should prevent infection. This...

Marc Fossi | 16 Oct 2006 07:00:00 GMT | 0 comments

As regular readers of this blog site will be aware, I attended the Virus Bulletin 2006 conference in Montreal, Quebec last week. On my flight home to Calgary (aboard a major Canadian carrier) they had something new for me. On the back of each seat there was a touch-screen display for people to watch movies, television, and so on. Ok, so this may not be anything new (I probably just don’t get out enough) or all that interesting at first glance. However, a couple of things relevant to computer security struck me about these screens.

Almost right after looking at the screen for the first time, my eyes were drawn to a socket just to the left of it—a USB port. There weren’t any keyboards distributed during the flight, but I suspect the ports are there for a future video game option (when I tried selecting this option on the touch screen, I was greeted with a “This feature is currently unavailable” message). Now, there’s also a distinct possibility that the operating system behind these...

Marc Fossi | 13 Oct 2006 07:00:00 GMT | 0 comments

Back in September, I summed up some of the malicious code and phishing trends from the latest edition of the Symantec Internet Security Threat Report. To sum up that summary, I said that we’re seeing a trend toward profit-driven attacks. Malicious code is being created with financial motivation and is used in conjunction with phishing attacks. Well, after two days of presentations at the Virus Bulletin 2006 conference, it seems that others agree with this conclusion.

From the keynote address by Mikko Hypponen of F-Secure, through to the presentation on phishing Trojan creation kits by Dmitri Alperovitch of Secure Computing, there...

Oliver Friedrichs | 12 Oct 2006 07:00:00 GMT | 0 comments

I have to say that it is not surprising to see that Microsoft is countering the claims (that Symantec, McAfee, and others are making) that Windows Vista will hinder innovation, while putting consumers at risk. In fact, I think that it is to be expected. Some of the arguments that are being put forth in their favor are rather uninformed, exceptionally broad, and disingenuous. They have been presented in such a way as to position security vendors as though we have for decades preyed on the weak and stolen from the poor and with the emergence of Windows Vista, freedom from this tyranny is in sight. The reality is, we offer a real service—protection from real threats that will otherwise result in real losses—and this is by no means a protection racket. In any case, it’s not my intent to try and dissuade that part of the population that really thinks this; but, I will try to offer some insight to those who would consider themselves technologists.

It is important to remember that...

Peter Ferrie | 12 Oct 2006 07:00:00 GMT | 0 comments

Some time ago, the author of W32.Gatt had posted a comment on his Web site that said he read my blog entry about this particular virus. From there on in he assumes that we visit his page often. In fact, we have no need for it—customers are doing that for us.

We receive samples almost as soon as they appear on any Web site, anywhere in the world, and we are notified about curious comments like that one. To quote the virus author's entry: "Interpretation without a context of information." Well, exactly. Interestingly, while the author claims that Symantec was wrong about why the source was not released, he does not tell us why the source wasn’t released. It must be quite sensitive, maybe even better than my reason, but until we know, I'll stick with my reason.

Sarah Gordon | 11 Oct 2006 07:00:00 GMT | 0 comments

Monday was a holiday in the United States, but since I’m in Canada I took advantage of that fact in order to not take the day off. My boss should like that. :) Instead, I created some more slides for my upcoming VB presentation; but, I didn’t have a very easy time of it. Some people are naturals at putting together presentations—complete with nice graphics, easy-to-read charts, and a minimum of animation. I’m not one of them. Not only do I fight (and I’m finally winning, I might add) the animation daemon that seems to want to add flying horses and spinning circles of yellow and black to each slide, I am dyslexic and I suffer from more than moderate dyscalculia, making charts more than a small challenge.

I think...

Joji Hamada | 10 Oct 2006 07:00:00 GMT | 0 comments

Recently, we have seen a trend in Trojan horse programs exploiting popular desktop applications. The applications that have been exploited have included Microsoft Word, Excel, PowerPoint, and JustSystem's Ichitaro. Now, we have uncovered a Trojan horse exploiting a vulnerability in WinRAR—software which may not be quite as well known as those examples I have just mentioned.

Symantec Security Response has confirmed that Trojan.Radropper exploits the RARLAB WinRAR LHA Filename Handling Buffer Overflow Vulnerability. This vulnerability was first made public in July of this year and has subsequently been fixed. The current version of WinRAR (version 3.61) does not contain this vulnerability.

The attack was email based and was executed when an email with a RAR archive...