Security Response
Brian Hernacki | 26 Jul 2006 07:00:00 GMT | 0 comments

Lately, there has been a whole bunch of cities announcing plans for the creation of municipal (“muni”) Wi-Fi networks. From San Francisco and Silicon Valley to New York, Philadelphia, Toronto, and even Paris, this seems to be the hot new thing to...

Symantec Security Response | 24 Jul 2006 07:00:00 GMT | 0 comments

Email is a great way to communicate with a wide audience, and the bad guys know it. We have seen yet another case of spam email that contains malicious code as an attachment. The attachment is a ZIP file (WC2905036.zip -> WC2905036.exe) that contains a Trojan horse program that will create a backdoor on a user's system when executed. This threat is detected as Backdoor.Haxdoor.O. Some variants may be detected as Backdoor.Haxdoor.I.

This Trojan attempts several things: downloads and executes files, logs keystrokes, listens on TCP ports, etc. We have only seen a few minor variants thus far, but one thing to be aware of is that the spam email purports to be from an online retailer that is asking the user to review an attached invoice. We have...

Zulfikar Ramzan | 24 Jul 2006 07:00:00 GMT | 0 comments

Making sure your computer has the latest patches installed is probably one of the most important safe computing practices. Unfortunately, many people outside the security community fail to understand why this is so critical. I can’t think of a better illustration of why this practice is so important than the recent use of MySpace to serve up banner ads that exploit the Windows metafile format (WMF) flaw.

Let me explain what happened. Back in December 2005, a vulnerability was discovered in the way Windows operating systems handled WMF images. If an image was maliciously crafted and you simply viewed it in an unpatched version of Windows, attackers could get your computer to execute any instructions they wanted it to. And, you would have no idea. As you can imagine, such a vulnerability has serious repercussions. Anyone...

Zulfikar Ramzan | 21 Jul 2006 07:00:00 GMT | 0 comments

It seems that there is an increased frequency of attacks where bogus links are placed on otherwise legitimate Web sites; these bogus links consequently send users that click on them to malicious pages. These malicious pages are hosted on a different domain and are built to mimic the legitimate site, and they can prompt a user to enter the username and password combination that would have been used on the original site. The username and password details can then be logged with the intention of future fraudulent use. For lack of a better name, I’ve started using the term "site jacking" to refer to this type of attack. This attack has some resemblance to phishing, except that instead of having a malicious link delivered via email, the link is “presented” on a well known (and even reputable) Web site.

There have been reported site jackings on...

Kaoru Hayashi | 20 Jul 2006 07:00:00 GMT | 0 comments

The number of reports of “Downloader” has been increasing in recent years. A Downloader is a small program that downloads other malware or security risks from the Internet. In order to protect your computer from these Downloader programs, we recommend using an updated antivirus product, controlling Internet access for each desktop program, and filtering untrusted domains (by URL or IP address) with a firewall. However, when users or network administrators need to determine which Internet resources are trusted or not, it can become difficult.

In many cases, Downloader will attempt to download other programs from a cheaply run (or even free) Web hosting service. Since domain registration is fairly simple to do and not that expensive, attackers will try to create an attractive Web site using their own domain name in order to gain the trust of visitors to the site....

Ollie Whitehouse | 19 Jul 2006 07:00:00 GMT | 0 comments

I wanted to let you know that contrary to some beliefs, there are still Lotus Notes users out there. During a cursory look at Notes around the end of 2004 (just after @stake was bought by Symantec) I had identified a denial of service (DoS) condition that could be triggered via SMTP (the advisory was released last month). I wanted to take a few moments to discuss some of the details around this vulnerability.

I had originally identified the bug using SMTP as the injection vector. However, during Symantec's patching process (I was fortunate enough to work with our team that focuses on Notes issues) we identified that Notes RPC could also be used as a vector. What is the result? Well, even if you patch the edge (peripheral) Lotus servers, as soon as a suitably malformed message hits a vulnerable server deep...

Eric Chien | 18 Jul 2006 07:00:00 GMT | 0 comments

The recent Yahoo! Mail worm, JS.Yamanner@m, is symptomatic of our increased usage and reliance on Web applications. This past weekend we saw a similar attack, but this time it was on the MySpace social networking site. Web applications are just as vulnerable to certain exploits, and even more so in some cases. In particular, services that allow people to author and post content under the service domain must always neuter any active content such as JavaScript. MySpace fails to do so, allowing an attacker to automatically hijack any user's MySpace page as soon as they visit an infected MySpace page.

The attack works by using an embedded Shockwave Flash file. The MySpace site allows members to post embedded content, such as movies and Shockwave Flash files, via an HTML “embed” tag. Shockwave Flash files can contain scripting that is simply a variant of JavaScript (...

Oliver Friedrichs | 18 Jul 2006 07:00:00 GMT | 0 comments

I think that it goes without saying that Windows Vista is one of the most important technologies that we will see in the next year. With current versions of Windows appearing on well over 90% of desktop systems, Vista will undoubtedly become the dominant operating system within a few years. The appearance of Windows Vista gives Symantec an interesting opportunity to both perform new research, and to publish the findings of that research. First of all, Vista is a beta operating system, meaning that it is changing at an extremely rapid pace; bugs are getting fixed, and in some cases new ones are introduced. Second, there is more freedom to discuss it because it is being made available explicitly for this purpose (to undergo testing and scrutiny).

With that said, I am very happy to present the Symantec Advanced Threat Research team’s first publicly available research paper: Windows...
