Security Response
Liam O Murchu | 26 May 2006 07:00:00 GMT | 0 comments

The commercialization of every aspect of online fraud has been a growing trend over the last few years. [1] This commercialization has now hit the drive-by download market. A new subscription service that automates drive-by downloads is now available and being touted in the underground.

This service provides a point-and-click solution for anyone who wants to set up drive-by downloads on their own Web site. Some features offered by the service include: browser and browser version detection, OS detection, Windows service pack detection, JVM version detection, and antivirus software detection.

These detection processes allow specific exploits to be leveraged in each case. The team behind the service also claims to have the ability to develop exploits based on vendor advisories, which presents the worrying scenario of zero-day exploits being available to their customers. This could lead to a similar situation to the one that occurred when WMF exploits were circulating (in...

Stephen Doherty | 24 May 2006 07:00:00 GMT | 0 comments

It was a quiet Thursday night on May 11, 2006, when I decided to try my hand in a poker tournament on the Ladbrokespoker.com Web site. Ladbrokespoker.com is the busiest poker site in Europe with regular traffic of more than 5,000 players, usually reaching its peak in the evening hours.

Ladbrokespoker.com is powered by the Microgaming Poker Network, and promotes upcoming poker events by periodically sending a simple message box to all of their clients. However, on this particular Thursday night, instead of receiving a message box promoting an upcoming tournament, I received a message box that stated the following:

“Dear Ladbrokes Members : An employee of LADBROKES.COM steals $30,000,000 (Thirty-Million-Dollars) from Ladbrokes players accounts, all the players have the right to know ... http://www.ladbrokes-bbc.net/”

To the untrained eye, the URL in the message box appeared to be for an official BBC Web site; however, it linked to a site that was a spoof,...

Zulfikar Ramzan | 23 May 2006 07:00:00 GMT | 0 comments

Public-key cryptography enables transactions among those parties who haven’t previously agreed upon a symmetric cryptographic key. To make public-key cryptography work, one needs a mechanism for binding a person’s public key to their private identity (or to some set of authorizations or properties) for the purposes of providing security services.

The most common mechanism for doing so is a digital certificate, which is a document that is digitally signed by a certificate authority (CA). The digital certificate contains, among other things, the person’s public key together with the information the person would like to bind to it (such as his or her identity, a domain name, etc.). Ultimately, we are relying on the due diligence the certificate authority conducted prior to issuing the certificate. The proliferation of certificate authorities, many of whom have lax practices, could seriously undermine confidence in certificates and the use of public-key cryptography in...

Liam O Murchu | 22 May 2006 07:00:00 GMT | 0 comments

It is so great to now have the opportunity to choose how to receive your adware. In the past, drive-by downloads were targeted exclusively towards Internet Explorer (IE) users and indeed, many people changed to Firefox or Safari browsers specifically because of this fact. But now you can choose which browser you want to use to be hit with your least favourite adware!

When people contemplated moving from IE to Firefox, it didn’t matter if Firefox was measurably safer than IE or not, the simple fact that the bad guys weren’t targeting it made it far more secure in practice. Those heydays have long since disappeared. In the Symantec labs we still see a greater number of drive-by downloads solely targeting IE; however, we often see sites that will detect which browser you are using and then serve you your specific poison. Moreover, there have been several vulnerabilities discovered that can affect applications that are common across all Internet browsers (such as those...

Symantec Security Response | 19 May 2006 07:00:00 GMT | 0 comments

Within the last 24 hours, Security Response has discovered a new attack which exploits a previously undocumented vulnerability in Microsoft Word. The malicious Microsoft Word document is emailed to the victim as an attachment, and upon being opened, it installs an embedded Trojan horse program we are calling Trojan.Mdropper.H.

The dropper Trojan then installs a backdoor, Backdoor.Ginwui, which binds a command shell for allowing remote access to the victim machine by the attacker and contacts a remote web server via HTTP. Both the source and the target of the attack were based in Asia. The Web site that Backdoor.Ginwui was contacting every minute via HTTP POST commands has been taken down, though the IP addresses were being juggled by the attacker.

Security Response has seen a number of attacks like this of late and it really serves to underscore the new threat landscape we’re dealing with today. Here are a few of the signs of the times illustrated by this latest attack.

...

Zulfikar Ramzan | 18 May 2006 07:00:00 GMT | 0 comments

Phishing is an attempt by a third party to solicit confidential information from an individual, group, or organization, often for financial gain. The phishers may then use the information to conduct criminal activities for profit. A typical phishing email may ask the recipient to click on a URL that appears to belong to a well known Web site, but the link actually directs the user to a malicious site with the fraudulent intent to steal information.

In a recent twist, phishers have replaced malicious URLs with malicious “1-800” phone numbers. The brand name targeted in one particular instance was Chase Bank. The Chase Bank scam was initiated when users were enticed to dial a rogue 1-800 number listed in a phishing email. When they connected to the number, they were greeted by a warm voice asking for their account number, expiration date, and last four digits of their social security number [1]. The message ended by acknowledging that the account details had been...

Eric Chien | 17 May 2006 07:00:00 GMT | 0 comments

When we talk to customers about the future malware landscape, many often wonder when mobile device threats are going to arrive. They are surprised to learn that threats for mobile devices already exist, aren't just proofs of concept, and are actively spreading. Commwarrior, for example, infects Symbian Series 60 devices (for example, many Nokia smartphones) and has been reported worldwide. According to news reports, telephony companies have stated that Commwarrior has accounted for more than ten percent of all of their MMS traffic. Other telephony companies that Symantec has spoken to have specifically implemented filters to block Commwarrior at their gateways due to the amount of traffic it was generating.

While threats exist and are actively spreading, we are probably still years away from the situation we have with the Microsoft Windows operating system. We hope we can take a lesson from history and prevent such a situation, but some lessons seem to be hard to learn...

Ollie Whitehouse | 16 May 2006 07:00:00 GMT | 0 comments

So, it's started. We are starting to see the arrival of Linux in the cellular device/handset market (to be honest, it's been a year or two since they first emerged, but they are now starting to become more prevalent) and along with them the attendant security issues.

While I wish to avoid a war in regards to different operating systems and security (I don't want to antagonize the Slashdot crowd again), the following is true: the vendors who are gaining direct benefits from the adoption of open source software (OSS) within their devices and products (such as low cost and quicker product development) are not addressing the security with the same aggression. If Symantec were a non-OSS company, people (myself for one) would be quick to point this out and remind them of their obligations to end-user security.

Let me explain what I mean. Currently we expect big OS vendors like Microsoft, Apple, and Sun to typically provide an easy way to implement upgrades that...

Eric Chien | 15 May 2006 07:00:00 GMT | 0 comments

Being in this business, we are often called upon to help clean up the computers of families and friends. In the past I have had many friends who thought they had a virus, but usually it was just some other system anomaly. Times have changed though, and now I tend to see a lot of adware and spyware as well as infections from worms and IRC bots. Usually it is just a matter of running a few tools, deleting a few registry keys and files and everything is better.

So, when a friend of mine recently sent me an odd instant message (IM) on Yahoo IM, I wasn’t that surprised. I immediately recognized it as suspicious, since my friend would have no reason to be using a free Brazilian homepage Web site, and I don’t think he had ever written a smiley face in the manner displayed on the IM. (See figure 1)

[Figure 1: IMphishing_1.JPG]

I...

Ollie Whitehouse | 12 May 2006 07:00:00 GMT | 0 comments

I’ve had my head in Windows CE and Windows Mobile for what feels like months, looking at the security architecture and the types of threats that will affect these types of devices now and in the future (plug: paper coming soon). As I was drawing to a close on finalizing some last minute edits, I noticed that Microsoft had launched a small sub-section on their Windows Embedded site dedicated to security [1]. Digging a little further, I noticed that in order to access details of the patches available for vulnerabilities in Windows Mobile you needed an OEM agreement in place with Microsoft [2].

This got me really interested. I originally wanted to see if some of the issues Symantec had identified were patchable already. With a little more digging I found that you could access the QFE Updates (like Service Packs to the development environment) for Windows CE Platform Builder without needing an OEM agreement [3] (this I presume is due to the fact that anyone can get...