Security Response
Ollie Whitehouse | 06 Jul 2006 07:00:00 GMT | 0 comments

HD Moore and the Metasploit project have gone to town with their toolbox of fuzzers and insight. They have unleashed a raft of security vulnerabilities on the world, in major browsers across many different platforms, one a day for an entire month (it is now day five of the Month of Browser Bugs as I write this).

While I think it's awesome that HD and the project team have made such a concerted effort to investigate most of the major sub-systems used in today's browsers (I don't want to detract from their initiative, motivation, or skill), it should be noted that they were not the first to take a look at them and to think that, aside from ActiveX (for a change), they could be fuzzed with high-yield results. Similar methods were used by the illustrious group at Oulu University in 2001...

Zulfikar Ramzan | 05 Jul 2006 07:00:00 GMT | 0 comments

With any emerging threat there is an ongoing arms race between those who perpetrate the threats and those who work on eradicating them. We’ve seen this happen with spam, where spammers would try to develop new techniques to get their email to pass through spam filters, and, in turn, anti-spam offerings would take these techniques into account in an effort to better recognize (and eliminate) spam.

Phishing is no different. For example, we recently came across an entire phishing Web site that was built using Macromedia Flash. Macromedia Flash (or, just “Flash”) is a very popular technology used to add animations and interactivity to Web pages (though the technology is not necessarily limited to use within Web pages). If you have ever seen a glitzy Web page with nice animation, chances are that the animation was developed using Flash.

An entire Web page that was built using only Flash could more or less achieve the same functionality as a page developed using more...

David McKinney | 04 Jul 2006 07:00:00 GMT | 0 comments

Cross-site scripting (XSS) is hardly the scourge of the Internet, but at the same time, should it really be trivialized when it affects a widely used service or application? Cross-site scripting (and the broader category of content injection vulnerabilities) is incredibly prevalent across a wide range of software, from guestbook programs churned out by weekend warriors, to household names with revenue statements that eclipse the gross national products of some small countries.

These vulnerabilities are so common that most people just wish they would go away. So, if we want something to go away and we're not willing to expend the time and energy to develop a real solution, then what alternative do we have? Do we just pretend that they don't exist? The suggestion is often made that they aren’t real—nothing to see here—move along.

Some people contend that XSS isn’t a real vulnerability because it can’t affect security with hosts or end users on its own, or when used in a product...

Dave Cole | 03 Jul 2006 07:00:00 GMT | 0 comments

Since the early days of e-commerce, businesses have recognized the potential for the Internet to streamline how they interact with their customers. Oftentimes this meant diminishing or eliminating the role of the businesses that were sitting in the middle, brokering the brick and mortar transaction. Going straight to the customer with a snazzy online store or auction Web site cut these middle players (and their costs) out of the mix. This allowed the business to take back profit margin, offer lower costs, and increase transaction volume.

The benefits of getting closer to the customer haven’t been lost on those who peddle misleading applications. Misleading applications are programs that intentionally misrepresent the security status of a computer by working to convince the user that he or she must remove risks (usually nonexistent or fake) from the computer. The application will hold the user hostage by refusing to allow him or her to remove or fix the phantom problems until the “...

Peter Ferrie | 30 Jun 2006 07:00:00 GMT | 0 comments

Things have been pretty interesting here lately. The first virus for Sun Microsystems’ StarOffice appeared, although it wasn't a real virus because it didn't actually work. We also received reports of the first parasitic virus for the .chm (compiled HTML help file) file format, and reports of the first virus that is an IDA plug-in. I say "reports" because we have been told these two viruses exist but we have not received any samples to prove it.

The StarOffice virus just goes to show that virus writers don't test their code. Despite four attempts (represented by the samples that we received; who knows how many others we didn't receive) the virus author still couldn’t seem to work out why his code wasn’t infecting anything. However, hot on the heels of these initial samples was the...

Symantec Security Response | 30 Jun 2006 07:00:00 GMT | 0 comments

We are seeing signs of worm activity over instant messaging (IM) and wanted to warn you not to let your curiosity get the better of you. You’ve heard the saying about curiosity killing the cat, right?

In a nutshell, IM users are receiving messages that say "check out these pics of us!", with a link provided in the IM window to either "p1392.pic-myspace .info" or "p1377. pic-myspace .info". When unsuspecting victims click on the link, thinking that they are going to the MySpace Web site, they are instead transported to another Web site at which point a malicious downloader gets installed on the victim's machine. From what we can tell, this particular downloader tries to install a bunch of applications, presumably with the intent to earn the site's owner some commission. While this is probably more of an annoyance than anything else, if you ask me, the good news is that Symantec customers have been protected from this type of attack since December 2005.

At the end of the day, if...

Elia Florio | 29 Jun 2006 07:00:00 GMT | 0 comments

The never-ending game of hide-and-seek between the antivirus industry and rootkits has begun a new chapter. Recently our lab discovered a new rootkit sample in the wild that is unique given the techniques it uses. It was named Backdoor.Rustock.A, and because of its special characteristics it can be considered the first born of the next generation of rootkits. Rustock.A consists of a mix of old techniques and new ideas that, when combined, make a malware that is stealthy enough to remain undetected by many commonly used rootkit detectors (such as RootkitRevealer, BlackLight and IceSword). We consider it to be an advanced example of "stealth by design" malicious code. [1]

So, why is Rustock.A so special? Many rootkit detectors use a cross-view based detection algorithm. This means that they detect hidden objects by finding the discrepancies between a high-level view and a low-level view. For example, a simple rootkit detector can enumerate the list of...

Ollie Whitehouse | 28 Jun 2006 07:00:00 GMT | 0 comments

These days, I spend a lot of my time looking at mobile devices and wireless technologies from a security perspective. I am particularly interested in the convergence of technology, and something that recently made me sit up and say “Here we go again!” is Wireless USB.

A development group has written a specification document for Wireless USB. The collaborative group (made up of representatives from Agere, Hewlett-Packard, Intel, Microsoft, NEC, Philips, and Samsung) is confident in the development of Wireless USB because they believe that it is a logical evolution of the ubiquitous technology of wired USB. The specification document states that Wireless USB can utilize the existing USB infrastructure and the USB model of smart host and simple device, but I am more interested in the security...

Yazan Gable | 27 Jun 2006 07:00:00 GMT | 0 comments

It has been said that the biggest security problem for computers and networks is the user. Every black hat worth their salt knows that the best way to get information from a target computer or network is to manipulate its user or users. The user sets the password, knows what’s on the computer, and often knows how to connect to it from outside of the organization. A little social engineering by an attacker and then blammo!—the user and their organization are compromised.

Simple social engineering can go a long way, but the existence of certain vulnerabilities can make the lives of these social-engineering black hats a whole lot easier. Enter the Microsoft HLINK.DLL Link Memory Corruption Vulnerability, which is a critical flaw in the Microsoft Office Excel application. Using this vulnerability, an attacker could take control of a computer by simply downloading the publicly available exploit and...

Ollie Whitehouse | 23 Jun 2006 07:00:00 GMT | 0 comments

When I look back on it now, Microsoft Office is a veritable Petri dish of threat evolution. From attackers learning how to use intended functionality for malicious purposes, through to exploiting vulnerabilities in the applications themselves, an increased understanding and familiarity with the technology can be seen.

Let me explain. Once upon a time there were macro viruses in Microsoft Office documents that caused havoc. These viruses were easy to mitigate because Microsoft simply updated Office to prompt the user for further action when opening a document with unsigned macros. Alternatively, if Office was configured correctly by the user, only signed macros in trusted locations could be executed.

Fast forward four years or so, and we see that Microsoft Office is being used as a semi-trusted vehicle to exploit buffer overflows in the entire Office suite. Most businesses rely on the transfer of Word, Excel, PowerPoint, Access, Project, or Visio files to exchange information....