Video Screencast Help
Symantec to Separate Into Two Focused, Industry-Leading Technology Companies. Learn more.
Security Response
Showing posts in English
Eric Chien | 07 Aug 2006 07:00:00 GMT | 0 comments

While most of the threats we see today are average infostealers or IRC bots, we still regularly receive malware that sits on the fringes of the malware landscape. The fringes don’t only involve threats that run on uncommon platforms; they also include threats that use old school techniques (such as simple file infectors), or threats that are well before their time.

Recently, a virus magazine (it, in itself, an endangered species) was released that had a collection of more than 30 pieces of malware. These different types of malware fell all along the spectrum, but most of them definitely leaned towards the fringes. Some examples of the malware included were:
- a worm that spreads by modifying all the links on a Wiki to point to itself
- a MatLab scripting virus
- a 64bit infector
- a CHM (Compiled HTML) file infector
- a virus for FreeBSD
- more than one threat written in C#
- a virus that infects Microsoft InfoPath files
- an IDA...

Dave Cole | 04 Aug 2006 07:00:00 GMT | 0 comments

As we stand here in the middle of 2006, it’s already become a little tired to mention the shift in the threat landscape from the digital graffiti of the past to the outright criminal pursuits that dominate the industry today. The dramatic impact of this shift has left a dense fog in its wake—hanging over the industry—obscuring other important changes that have taken place during the same timeframe. Some of the more interesting trends have been specifically related to the concept of “Web 2.0”: the new genre of Web technologies and models that have emerged, like a phoenix, from the ashes of the dotcom meltdown. Let’s take a look at a few Web 2.0 trends and see what impact they have on security.

User-created content
Blogs are first to leap to mind here, but there are certainly other notable areas where the content creation responsibilities have shifted from the traditional publisher into the hands of the people. Check out the spate of new online video...

Jesse Gough | 03 Aug 2006 07:00:00 GMT | 0 comments


The continued development of insecure code was a topic at Black Hat 2006 that was explored by speaker Paul Böhm. Paul questioned why we see these same types of manifest coding issues year after year, despite over ten years of widely documented research into the matter. This pattern is not necessarily attributed to ignorance, as these mistakes are made by novice and veteran coders alike. In fact, it is not unheard of for individuals or organizations that specialize explicitly in security to eventually make a coding mistake that compromises the security of their software. One notable example of this was a vulnerability found in the grsecurity patch for the Linux kernel, which caused a product designed to harden the operating system to actually introduce a hole that would allow a full compromise.

Paul stated that...

Peter Ferrie | 02 Aug 2006 07:00:00 GMT | 0 comments

On July 2nd, 2006 a virus author released the first virus that infects IDC files (W32.Gatt), claiming that it would be very hard for antivirus researchers to detect and that the source code would be made public at the end of the month. Media reports at the time speculated that the virus release was intended to embarrass virus researchers because it targeted some software tools that we use to analyze malicious code. However, on July 3rd we released antivirus detection for the virus. On July 4th, the virus author withdrew the claim that the source code would be released. Coincidence? I don't think so.

Symantec’s Security Response team is just that: a response team. We responded quickly when this virus appeared and we were able to provide antivirus detections in short order. It was more than likely that the virus author had originally intended to post the source code for...

Marc Fossi | 02 Aug 2006 07:00:00 GMT | 0 comments


One server controlling thousands of client computers. Sound familiar? This statement is often used to describe a botnet. But, as Tom Ptacek and Dave Goldsmith of Matasano Security pointed out in their Black Hat presentation titled “Do Enterprise Management Applications Dream of Electric Sheep?”, the same statement can be used to describe enterprise management applications. These applications are developed to help network and system administrators with the tasks of configuring and managing hundreds or even thousands of client computers from a single server. This is also known as distributed systems management. Unfortunately, many of these enterprise management applications contain common vulnerabilities and weaknesses that were fixed in most other applications long ago.

Due to the fact that these applications...

Oliver Friedrichs | 01 Aug 2006 07:00:00 GMT | 0 comments

Following closely on the heels of the release of our first publicly available research paper, I am very pleased to present our second paper: Windows Vista Security Model Analysis. In this paper, we have taken a detailed look at the new user account protection (UAP) and user interface privilege isolation (UIPI) capabilities that form the basis of Vista’s new security model.

From our research paper's abstract:

This paper provides an in-depth technical assessment of the security improvements implemented in Windows Vista, focusing primarily on User Account Protection and User Interface Privilege Isolation. This paper discusses these features and touches on several of their shortcomings. It then demonstrates how it is possible to combine...

Zulfikar Ramzan | 31 Jul 2006 07:00:00 GMT | 0 comments

URLs often consist of a query string that appears right after the location of the particular file to be accessed. These query strings are used to pass various data parameters to the file. For example, the URL would send the parameter “query-string” to the program located at While query strings in URLs are usually meant for passing data values, enterprising attackers sometimes try to craft special query strings that include actual instructions (i.e., code); if the program processing these strings does not exercise the right precautions, it will fail to make the distinction between data and instructions, and actually end up executing the attacker's code.


Ollie Whitehouse | 28 Jul 2006 07:00:00 GMT | 0 comments

I thought I'd write a blog entry around this, as it seems that it is a question that comes up a lot when speaking to press, operators, enterprises, and users alike. The common question is usually along the lines of: "Why not build security into the network to protect mobile devices?" In this case the “network” could be cellular, WiFi, WiMax, or a hybrid of technologies; “mobile devices” can be cell phones, SmartPhones, PDAs or laptops, among others.

Well, there are two reasons why a network can’t mitigate all the risks involving mobile devices. First, mobile devices today are not always connected via a network that is controlled by just one entity. For example, it is feasible (although in my experience, rare) within GPRS (2.5G) or UMTS (3G) to ensure that a roaming user's traffic never touches the home operator’s Gateway GPRS Support Node (GGSN) when the user is, say, accessing the Internet using a mobile device (this is dependent on the policies of the...

Ben Greenbaum | 27 Jul 2006 07:00:00 GMT | 0 comments

Many years ago, almost all vulnerabilitieswere a “zero-day” style in some respect. Vendors did not, for the mostpart, talk about security defects in their products and in fact,several chose not to address them at all. Information about ways tobreak into systems remained primarily in the hands of the attackers.Things began to change in the mid-90s, when the discussion of securitybugs became more widespread. Vendors started to participate moreactively in the dissemination of protective information with the goalof enabling their customers to defend their digital assets. Variouscommunities sprouted up to facilitate this discussion, vendors set upsecurity-alert mailing lists and Web sites, and the general awarenesslevel of computer security was raised substantially. During this timethere were, of course, those who still chose to keep vulnerabilityinformation to themselves for their own purposes, but the overalldiscussion of these issues was open and frank. Flaws were discovered,...

Candid Wueest | 26 Jul 2006 07:00:00 GMT | 0 comments

Mozilla’s Firefox browser is quite popular and it is often recommended when it comes to the question: What is a safe browser alternative? Unfortunately, this does not necessarily mean that you are not susceptible to browser attacks.

Microsoft Internet Explorer is often hijacked by malware that drops browser helper objects (BHO), which will then be loaded every time the user starts Microsoft Internet Explorer. The BHOs can then manipulate data that is sent to the Internet and (for example) steal passwords or monitor user habits. With the Cross Platform Component Object Model (XPCOM), something similar to a BHO exists on the Mozilla side. It is a framework for developers to create modules that access features of the Gecko engine. For example, Firefox extensions are written with XPCOM and can therefore integrate seamlessly into Firefox.

Of course, it shouldn’t be a big surprise that this technique can also be used with malicious intent. Unwanted extensions that we...