Evolution of Security

Marian Merritt | November 20th, 2009
I had the honor recently of moderating a virtual roundtable discussion on the top Internet security trends from 2009 and what we expect to see in the security threat landscape in 2010. Funny thing about security predictions—you hope they won’t come true, but expect them to anyway. The roundtable featured expert panelists Paul Wood (Senior Analyst, MessageLabs Intelligence, Symantec) and Zulfikar Ramzan (Technical Director, Symantec Security Response). They each have unique insights into the world of cybercrime, spam, phishing attacks, and other cyberthreats that plague us all. We want to give a big thanks to everyone who joined in to listen to our experts, and we hope you found it interesting. For those of you who couldn’t make it, please take a few minutes to listen to the podcast of the actual roundtable. You can read more about Symantec’s top trends from 2009 and our predictions for 2010 by clicking on the following links: Breadth of Security...
0 comments
Paul Wood | November 19th, 2009
This post is made on behalf of my colleague Mat Nisbet, Malware Analyst for Symantec Hosted Services. As of November 18, we have noticed a huge jump in the number of spam e-mails that contain a link to Twitter. Normally there is a tiny fraction of a percent, but on November 18 it jumped to 4 percent of all spam. This new surge is entirely from the DonBot botnet. The apparent aim of these e-mails is to get people to fall for “get rich by working at home” schemes where the victim is encouraged to pay an initial fee for a trial and then sit back and watch the cash come in. Though easily stopped by us, this new run of spam uses a number of techniques to attempt to get past basic filters. Firstly, the body of the e-mail is simply an image (of a fake newspaper article), to try and get past text-based signatures. Second, the image itself is a link to a Twitter account, an attempt to get past link signatures as Twitter is a legitimate site that couldn’t be stopped...
0 comments
Gina Sheibley | November 18th, 2009
Symantec Partner Engage 2009, our annual North American partner conference, took place in early November in Orlando, Florida. The theme of this year’s event was Unstoppable and more than 380 partners and ten media from North America joined us to hear Symantec’s leadership team discuss our focus—both from a corporate and channel perspective—and to learn about Symantec’s channel programs and opportunities for 2010. Throughout the event, Symantec discussed the Four Rs of the channel: Revenue, Readiness, Reputation and Relevance. Partners were excited to hear about new readiness tools, like SymDemo, and new programs, including the Enterprise Security Specialization and enhanced Renewals Program, designed to help them drive revenue and maintain relevance with their customers. Finally, we announced a new partner community to help foster collaboration and communication between Symantec and our partners. All of our new...
1 comment
Eric Chien | November 18th, 2009
Zeus is a botnet package that allows for the easy creation and command and control of a botnet.  We've discussed Zeus previously in Zeus, King of the Underground Crimeware Toolkits. The main purpose of Zeus is to steal online credentials such as online banking passwords, but it can be configured to steal passwords from any online site.  Today, the BBC is reporting that police in the UK have arrested two suspects in relation to Zeus. While the details are preliminary, the two likely appear to be users of the Zeus botnet package rather than the actual creators, and thus the prevalence and usage of Zeus is likely to continue. We've created a research paper providing more in-depth information on Zeus, including how the bot is created, what functionality it has, and additional screenshots on the Zeus command and control server.  You can find the paper here: Zeus: King of Bots
0 comments
Naor Penso | November 18th, 2009
Hi, one of our clients asked me, and I'm not aware of the existence of a LiveCD containing Anti-Virus. The client (who has a point, by the way) says: McAfee has one, Kaspersky has one, why can't I get one from Symantec? If there is no LiveCD then it should be an idea. Thanks. Naor Penso
2 comments
Paul Wood | November 18th, 2009
This week I had the pleasure of sitting on a panel with some of the best and the brightest among my Symantec colleagues to reflect on 2009’s threat landscape and what we anticipate for the year ahead. We concurred that what we’ve seen this year was ugly. Botnets prevailed and took over as a primary means of spamming and spreading malware and social engineering attacks became more sophisticated. But what we also know is that this year pales in comparison to what 2010 is expected to bring: fast flux botnets will dominate, IM spam will rear its head, rogue security software vendors will up their game, fraud targeted at social networking apps will grow, new CAPTCHA bypass techniques will emerge... to name a few. That’s the bad news. The good news is that with a bit of preparation and the right security solutions in place, we can continue to outsmart the bad guys. So without further ado, I present to you Symantec’s 2010 Security Predictions. 2010 Security...
1 comment
Kevin Haley | November 17th, 2009
Yes, it’s a cheap trick and not even close to original. But the lesson here is that even obvious social engineering tricks can get people to click on a link. We can’t help ourselves. We love to click. Clicking on links and attachments that are accompanied by just the slightest bit of social engineering appears to be a basic human need. I expect it to show up in a revision of Maslow’s Hierarchy of Human Needs any day now—behind love, but certainly ahead of safety. I do have a point to all this. Two actually. As we compiled the Security Trends to Watch in 2010, what occurred to me is that the people who most needed to read this information never will. At least not without some social engineering on my part. And since social engineering plays such a prominent role in future trends, it seemed appropriate. So I’ve decided to use this little trick to get people to read the list of trends below. So… Don’t read this if you think antivirus technology...
0 comments
Kevin Haley | November 17th, 2009
The Security Response team has compiled the top security trends of 2009. We pulled data from the Global Intelligence Network and the experiences of the thousands of analysts and security experts at Symantec to come up with the top trends for the year. While none of these trends will be a surprise to anyone even casually following the threat landscape, when compiled and summarized, it is clear that the breadth of security problems in the past year was pretty stunning. For example:
• Toolkits and threat recycling have made malware easier to create than ever
• Polymorphic technology is being applied to make threats harder to catch
• Botnets, large and small, are used as the foundation of attacks making most attacks complex
• All major news events are used for social engineering
• Major brands are being appropriated by cybercriminals to lure online victims
But, it’s the...
0 comments
Adrian Pisarczyk | November 16th, 2009
On November 4, 2009, Marsh Ray published detailed information about a vulnerability that affects the TLS/SSL protocols and allows for limited man-in-the-middle (MITM) attacks. We say “limited” because the attack exploiting this issue would be different from traditionally viewed MITM attacks, which would involve an attacker placing themselves in the middle of the SSL session between a client and a server and being able to intercept, view, and modify any requests or responses exchanged by the two communicating parties. In an attack using this recent TLS vulnerability, due to the way SSL-enabled applications handle the session-renegotiation process, an attacker may inject arbitrary plaintext into the beginning of the application protocol stream. This can affect multiple protocols that can communicate over an SSL session, such as HTTPS, IMAP, POPS, SIP, etc. Note that in this attack, the attacker would have no ability (at least without additionally exploiting other...
0 comments
Hon Lau | November 16th, 2009
When trawling the Web today we came across a website that has been compromised and rigged so that it is returned in search engine results for many different search terms. The site in question belongs to a UK-based company that specializes in hiring out holiday homes and is a legitimate business. However, the site has been compromised and is being used in a major ongoing SEO-based misleading applications attack, and has been for some time now. As you can see in the sample search results below, you may wonder what college football, a Ukraine vs. Greece soccer match, Penn State basketball, and Robin Williams have to do with renting a holiday home—and with good reason, too. The key to identifying malicious pages in the search results is looking for the string “okps.php” in the URL. If you see that string anywhere in the URL, avoid it like the plague. Your computer and sanity will thank you for that. The interesting thing, according to the search, is that there are over...
0 comments
shp | November 12th, 2009
I would like to add an idea about the online status of users in Symantec Connect. It would be good to see a status icon (small bubble) beside the user's virtual face (avatar), like green for online, orange for inactive, etc. It will be easy for us to know the person's availability and send a PM.
2 comments
Robert Keith | November 10th, 2009
Hello and welcome to this month’s blog on the Microsoft patch releases. This is a moderate month—the vendor is releasing six bulletins covering a total of 15 vulnerabilities. Three of the issues are rated “Critical” and affect Web Services on Devices API, License Logging Server, and the Windows kernel. An attacker could exploit these issues remotely to gain complete control of a vulnerable computer. The remaining issues, rated “Important”, affect Excel, the Windows kernel, Office, and Active Directory. Although these are only rated “Important” by Microsoft, we consider the Office and Excel issues quite serious and advise customers to apply updates as soon as possible. As always, customers are advised to follow these security best practices:
- Install vendor patches as soon as they are available.
- Run all software with the least privileges required while still maintaining functionality.
- Avoid handling files from unknown or questionable sources.
- Never visit sites of...
0 comments
Nicolas Falliere | November 10th, 2009
Trojan.Clampi is an interesting threat, which we described in many blog entries over the past month. We’ve now compiled these entries, along with some new material, into a research paper—Inside the Jaws of Trojan.Clampi. In a nutshell, Clampi is an Infostealer threat. Its executable can be seen as a host for separate modules, containing the real payloads of the threat. These modules are heavily protected from reverse-engineering as well. The functionalities range from banking-site password stealing, to local credential gathering, to a SOCKS proxy. The communication with Clampi’s command & control servers, the “Gates”, uses HTTP and is encrypted. Clampi spawns and uses an Internet Explorer instance as an API proxy to achieve network communication, bypassing firewalls along the way. One thing we mentioned in passing in the blog entries is that the main executable and the modules are protected from reverse-engineering by VMProtect, a commercial packer...
0 comments
Kevin Haley | November 9th, 2009
One thing I see again and again in this job is that people usually don’t think about security until after they are hit with an incident. Companies create disaster recovery plans after the disaster. They come up with incident response teams after the incident. And consumers get antivirus software after they’ve had a virus infect their system. People, here is a chance to turn that all around. We’ve seen several incidents of mobile phones being hacked. So far it’s been by old school hackers, those that are doing it just to prove that it can be done. But history shows us that the cyber criminals follow closely behind the old school hackers, and they will not be doing it for kicks—they’ll be doing it to rip you off. Security professionals approach any situation like this by a risk assessment; in other words, they try to figure out what bad things could happen. Then they can hope for the best, but prepare for the worst. If anyone with a smart...
0 comments
Bijay.Swain | November 4th, 2009
Proactive Threat Protection needs more improvements, as it is doing almost nothing. It should detect based on the behaviour of a file. Currently Symantec is only depending upon signatures. Now virus writers are easily corrupting SEP and it can't even save itself. SEP is failing to save itself also. A small program enters and easily destroys SEP in a system. Symantec should include some technology to protect all its files which are created during installation.
0 comments
Ben Nahorney | November 3rd, 2009
Threats targeting the Macintosh platform are much less common than those targeting Windows. The same can be said about video games, where Windows is the dominate platform of the two. Combining games and malware has happened before, but a Mac game performing malicious activities? That’s something relatively new. Takashi Katsuki, one of our Tokyo engineers, came across just that today. The game looks to be a throw-back to the classic Space Invaders/Galaga style of games from the early 1980s. However, what brings this game into the realm of malicious code is that for every alien ship you destroy, the game deletes a file from your home directory. What’s interesting is that the author of this “game” flat-out says what it does on his Web site. Reading through the author’s description, it seems that he has created this game/threat as some sort of artistic project. The aliens are your files and there are consequences for “killing” them. However...
0 comments
mgrajendra.mgr | October 30th, 2009
We have SEPM MR4 MP1 in our office. This console has not been updating since 14 Oct 2009. When I tried to update it, it gave the error "replication issues  Symantec Connect"
2 comments
David Krauss | October 26th, 2009
Sometimes it takes multiple views to really bring a subject into focus. For financial institutions looking to improve their data protection operations, the findings of the latest Symantec Internet Security Threat Report, Managed Security in the Enterprise Report, and State of the Data Center Report shed light on an increasingly important trend: the decision to outsource IT security. This article shows how the growth in cyber attacks, mounting losses, the difficulty of providing security, and staffing issues are creating the impetus for IT to adopt managed security services.
Unprecedented attacks
By any measure, 2008 was a banner year for cyber-criminals. In fact, if the latest Internet Security Threat Report is any indication, cyber-criminals have never been busier. According to Volume XIV of the report, issued in April, attackers released Trojan horses, viruses, and worms at a record pace in 2008, primarily targeting computer users’...
5 comments
Nicolas Falliere | October 26th, 2009
Clampi goes to unusual measures to bypass the local firewall on the compromised computer, such as the Windows Firewall. Usually, such firewalls allow only specific programs to communicate using specific ports and protocols. For instance, your browser would be allowed to use outbound TCP port 80. As we’ve previously discussed, Clampi needs to communicate with a “Gate” gateway server in order to get its orders and send information. Any firewall would block the program if it tried to connect to the outside world. Bypassing this can be done in many ways, the most common one in the malware world being to add an entry in the Windows registry, adding the program to the trusted file list. The Clampi gang decided to inject their networking code into Internet Explorer, which is granted Web access by any standard firewall configuration out there. Fair enough—that’s another approach, but not a new one. Yet you’ve seen these guys don’t do things the way...
0 comments
Scott K. | October 22nd, 2009
We have seen one Vista computer have hundreds of false positives this morning associated with this update from yesterday. The specific event description is:
[SID: 20628] MSRPC Mutiple Headers detected. Traffic has been allowed from this application: C:\WINDOWS\system32\ntoskrnl.exe
The remote host is Windows Server 2003 R2 x64, which is a print server for us. Our other Vista (~10) computers don't have this problem and neither do our Windows XP SP3 (~300) computers. I would rather not create a firewall exception for the MSRPC Multiple Headers threat (http://www.symantec.com/business/security_response...), which would leave our clients vulnerable to this type of attack, as has been suggested in a different post (http://www.symantec.com/connect/forums/sid-20628-m...). I would like to see Symantec fix the problem with their recent update.
9 comments
Gaurav Dixit | October 22nd, 2009
Misleading applications, also known as rogue applications, have always tried to lure users into their traps by using various techniques such as fake security scans, misleading task bar notifications, popup windows, etc. To take this to a new level, developers of these applications are now frequently changing the product name and its associated website name in order to mislead users and antivirus vendors. Clones of the same product—with different names—continue to appear almost every day. Earlier this week Symantec published its Report on Rogue Security Software, which discusses misleading apps in greater detail. A couple of examples of rogue security software are given below. We identify one such family of rogue or misleading applications as WiniGuard: Those who are spreading this particular rogue app hold onto some of the associated domains for up to 24 to 48 hours. Once this domain goes down, another new domain becomes active, which will look almost the same as the...
0 comments
M.K. Low | October 21st, 2009
Rogue security software programs, also known as misleading applications or scareware, are programs that pretend to be legitimate security software, such as an antivirus scanner or registry cleaner, but which actually provide the user with little or no protection whatsoever. Well known examples of rogue security software include AntiVirus 2009, Malware Defender 2009, and System Guard 2009. The recently published Symantec Report on Rogue Security Software includes a discussion on a number of servers that Symantec observed hosting these misleading applications from July to August 2009. The United States was the location for a majority of the servers hosting rogue security software, accounting for 53 percent of the total (figure 1). This result isn't surprising since the United States has a well-established broadband structure that can support these scams, and most of the rogue security software scams observed by Symantec are marketed in English. When the distribution of the servers...
0 comments
Nicolas Falliere | October 20th, 2009
This chapter in our Clampi saga brings us back to the malware’s logging facility. As we saw before, one of Clampi’s modules, codenamed LOGGER, is responsible for logging outgoing information going to a determined list of URLs – stored in a data file as CRCs. One problem arises with banking sites that preprocess the user’s personal information before sending it over HTTPS—it’s done using client-side JavaScript. For instance, a hash of the input PIN number could be sent instead of the PIN number itself. This mechanism adds an extra layer of security, preventing malware from sniffing network traffic at one end of the SSL tunnel. But still, it’s only covering one end. It’s more secure than no encryption, but still not great. At least two methods exist to get around this:
- Setting up a keylogger using either software (driver/user-mode hooks) or hardware (wire-tapping). This is the generic approach.
- Grabbing the user information before...
0 comments
David McKinney | October 20th, 2009
The Symantec Report on Rogue Security Software includes an in-depth analysis of the methods scammers use to distribute rogue security applications. This blog presents some of the highlights of the research into the distribution of these scams. In the report, the following distribution and advertising trends were observed:
• Ninety-three percent of the top 50 most prevalent rogue security applications were distributed as intentional downloads. This means that victims are tricked into believing they are downloading legitimate security software and subsequently installing the rogue application.
• Seventy-six percent of the top 50 most prevalent rogue security applications were classified as unintentional downloads. This means that the software may be installed unintentionally through drive-by downloads or other means such as false advertising (such as misrepresenting the software as a video codec). This overlaps with intentional downloads...
0 comments
Ben Nahorney | October 20th, 2009
Rogue security software scams are everywhere these days. The numbers are quite staggering—over 250 distinct programs racking up 43 million installation attempts, according to our new Report on Rogue Security Software. Still, when it comes down to functionality and code base, it’s more akin to a few people with really large wardrobes. There might be dozens of variations of the same underlying program, each receiving minor updates and a new software skin. They even use the same fake threat names when attempting to scam you—stuff like “Spyware.Monster” or “Spyware.IEmonster”. Ultimately what we’re looking at is variety in graphic design rather than functional design. We’ve put together a video to show just that. Our report calls these threats Antivirus200X—a “family” of rogue security programs large enough that two iterations have the dubious honor of ranking second and third in the list of most common rogue...
0 comments