Security Response
Elia Florio | 17 Jul 2006 07:00:00 GMT | 0 comments

Just a day after Microsoft released their July security bulletins, a new PowerPoint zero-day vulnerability was discovered as part of a targeted and limited attack. It was Wednesday, July 12th, the day after Microsoft's "patch day": on July 11th, Microsoft had released seven new security bulletins as part of its standard security life cycle. The following bulletins are rated as "critical" and affect the Microsoft Office suite, which is quickly becoming the next most popular platform exploited by attackers:
• MS06-037 - Vulnerabilities in Microsoft Excel Could Allow Remote Code Execution (917285)
• MS06-038 - Vulnerabilities in Microsoft Office Could Allow Remote Code Execution (917284)
• MS06-039 - Vulnerabilities in Microsoft Office Filters Could Allow Remote Code Execution (915384)

In addition, the MS06-037 patch was long awaited because it fixes...

Oliver Friedrichs | 17 Jul 2006 07:00:00 GMT | 0 comments

Since this is my first Symantec blog entry, I’d like to start things off by giving you some insight into our Advanced Threat Research team, which is a part of the Security Response group here at Symantec. We are responsible for generating all of Symantec’s protection content, which includes antivirus definitions, intrusion detection signatures, spam analysis, phishing site analysis, DeepSight early warning, and vulnerability alerts. Any content that is delivered through LiveUpdate or that drives the protection of Symantec products is delivered by Security Response.

The Advanced Threat Research team has the sole responsibility of researching new and emerging technologies and identifying how those technologies can be attacked. Our goal is fairly simple: to identify areas where attackers will strike next. There is no shortage of things to research, but we are interested specifically in those technologies and threats that will make the most impact within the next 12 to 24...

Ollie Whitehouse | 14 Jul 2006 07:00:00 GMT | 0 comments

I've always wondered why SMS/MMS isn't used more often for spam or other malicious activities (CommWarrior being one notable exception). After talking to people in the industry about this (that is, the security industry with a cellular or mobile flavor), it became apparent that we all have numerous hypotheses that try to explain the lack of SMS/MMS spam or phishing attacks. Some of the ideas that I've heard over the years include:
a) It costs money to send SMS/MMS messages, whereas sending e-mail is, for all intents and purposes, free.
b) Any spam originating from a single operator or third-party SMS/MMS originator can easily be shut down.
c) There is no need to complicate things, as people still fall for e-mail phishing.

These opinions are certainly valid, but I think the tide may be turning, albeit on a very small scale. SMS is starting to be used...

Symantec Security Response | 14 Jul 2006 07:00:00 GMT | 0 comments

Well, it seems that things will never get too boring around here in Symantec Security Response. There is a new, in-the-wild threat running around on the Internet that is exploiting a previously undisclosed vulnerability in Microsoft PowerPoint.

In particular, attackers can create specially crafted PowerPoint files to exploit the vulnerability. These files can then be delivered to your computer via your Inbox as an attachment, or perhaps placed on Web pages for downloading (like a wolf in sheep’s clothing). All you have to do is open the file—and WHAMMO!—the vulnerability is triggered, potentially allowing the attacker to run his or her code on your machine.

At this point in time, we have discovered a Trojan attached to the PowerPoint exploits that we’ve seen in the wild, and made antivirus signatures available for it; the Trojan is detected as Trojan.PPDropper.B....

TWoodward | 13 Jul 2006 07:00:00 GMT | 0 comments

Researchers and engineers who are working in the security field must have strong constitutions—especially when it comes to weathering negative backlash and tired conspiracy theories whenever security and Mac OS X are mentioned in the same breath. With that in mind, in an effort to improve the quality of the dialogue, I would like to discuss some important issues regarding Mac OS X and security.

Let’s start with the hot-button issue of Mac OS X viruses. Simply put, at the time of writing this article, there are no file-infecting viruses that can infect Mac OS X. I see some of you raising a hand or two, wanting to ask me some “but, what about…” types of questions. Indeed, in February of this year, when OSX.Leap.A was discovered, the news headlines declared that it was the “First ever virus for Mac OS X!” Long before the digital ink dried on those simplistic and sensational headlines our Security...

Zulfikar Ramzan | 12 Jul 2006 07:00:00 GMT | 0 comments

In many cases we use passwords to authenticate ourselves on Web sites where we make transactions, and passwords represent only one mechanism for authentication. Passwords are “something we know” (and something that, hopefully, no one else knows). However, there are other ways of authenticating ourselves. For example, we can use “something we are”, such as a fingerprint or other biometric, or even “something we have”, such as an access control card. “Two-factor authentication” refers to the concept of combining two different kinds of these factors: “something we know” together with “something we are” or “something we have”, for instance. Two-factor authentication provides much stronger guarantees when compared to using just one of these means of authentication.

One of the most popular forms of two-factor authentication involves the use of a hardware token that displays a sequence of digits that changes at set intervals. To authenticate ourselves on a network using this method, we provide our regular password in conjunction with...

Candid Wueest | 11 Jul 2006 07:00:00 GMT | 0 comments

Phishing attacks evolved from simple email attacks quite a long time ago. These days, we still see many attacks with obfuscated links and spoofed Web sites, but the emerging threat is in phishing malware. Even in the malware domain we have seen further developments, from basic key logging to session modification Trojans. The attacks are becoming more sophisticated in order to circumvent the current prevention methods.

Take, for example, the Trojan.Satiloler family. This threat monitors traffic that is sent and received by a Web browser. It can inject script code into received Web pages before they are passed to the user’s browser. If the Trojan finds a predefined online banking Web site, it replaces all of the Web form submit functions with its own functions. This enables the Trojan to control the information flow on that particular site without the user noticing. If a...
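The submit-function replacement described above, as an added example that is not Satiloler's code or Symantec's: the hook an injected script installs on a matching site, next to the load-time snapshot check a page or browser extension can use to notice it. Node.js has no DOM, so a small stand-in Form class, the "predefined" bank host list and the capture store are constructed here; in a browser the same hook would be placed on HTMLFormElement.prototype.submit.

```javascript
// Added example for this page (not the Trojan's code): a man-in-the-browser
// form-submit hook and the identity check that detects it.

// Constructed stand-in for the browser's form object.
class Form {
  constructor(action, fields) {
    this.action = action;
    this.fields = fields;
    this.submitted = 0;
  }
  submit() {
    this.submitted += 1;
    return { action: this.action, fields: { ...this.fields } };
  }
}

// Constructed "predefined" list of sites the injected script acts on.
const TARGET_HOSTS = new Set(['bank.example']);

// Snapshot taken at page load, before any injected script has run.
const pristineSubmit = Form.prototype.submit;

// What the injected script does on a matching site: replace the submit function,
// copy the form fields aside, then call the original so the page behaves normally
// and the user notices nothing. Returns true when the hook was installed.
const captured = [];
function installHook(FormClass, pageHost) {
  if (!TARGET_HOSTS.has(pageHost)) return false;
  const original = FormClass.prototype.submit;
  FormClass.prototype.submit = function hookedSubmit() {
    captured.push({ host: pageHost, action: this.action, fields: { ...this.fields } });
    return original.call(this); // the genuine request still goes out
  };
  return true;
}

// Defender's tripwire before trusting a submission: has the submit function's
// identity changed since load? It catches the hook above. A Trojan running with
// the user's privileges can in principle defeat any in-page check, so treat this
// as a detection signal, not a guarantee.
function submitIsTampered(FormClass) {
  return FormClass.prototype.submit !== pristineSubmit;
}
```

The point to take from the hook is that the form's own behaviour is preserved: the real submission still happens and the response comes back as usual, so neither the user nor the bank's server sees anything out of the ordinary. That is why detection has to look at the page's integrity rather than at the traffic.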

Eric Chien | 11 Jul 2006 07:00:00 GMT | 0 comments

The Symantec Security Response team has received multiple reports of the hijacking of Yahoo! instant messaging accounts over this past weekend. The hijacking seems to be successful because some users are unwittingly providing their Yahoo! login credentials to a phishing Web page. There are several phishing Web pages involved in the attacks, some of which are listed here:
www.geocities.com/cindy7781115
www.geocities.com/madhatterchick15
www.geocities.com/julianna2504j15

Please use caution when receiving instant messages with links included in the text, especially any links that require you to log in to another Web site. This phishing attack will attempt to use valid and current (compromised) Yahoo! accounts so that messages sent will appear to come from trusted contacts, so you'll need to keep a keen eye out for strange messages. For a detailed explanation of how this attack is carried out, please refer to my previous blog entry that describes the...