A new front opens up in Georgia: Cyberspace
It would appear that the conflict between Georgia and Russia is not confined to the ‘real’ world. There are reports that another front has opened up: Cyberspace.
Reports describe a significant distributed denial-of-service (DDoS) attack against Georgian government sites and other Georgian internet servers. The sites of the Ministry of Foreign Affairs, the Ministry of Defense and the country’s president, Mikhail Saakashvili, have either been knocked offline completely or have had traffic to and from their servers redirected to servers actually located in Russia and Turkey.
Speculation is that the infamous Russian Business Network (RBN) is behind these attacks. The RBN is a notorious malware and criminal hosting network, although its actual involvement has yet to be proven.
There is a trend here. Going back to April 2007, we witnessed a DDoS on Estonia that took out parts of the country’s internet infrastructure for some days. Those attacks coincided with a dispute between Estonia and Russian nationalists about the relocation of a WWII-era monument.
I am sure that any country’s preparations for war now include plans for how to protect and defend its internet infrastructure.
Be alert to the ‘CNN Alert’!
Many of you may have received a spam email with the subject line “CNN Alerts: My Custom Alert”. This turned up in my personal email folder. It was a very authentic-looking email. I thought it clever because, whilst I do not use the CNN site on a regular basis, I have used it now and again. The interesting thing about this spam was that it did have a link to a legitimate CNN story about the discovery of the world’s smallest snake. Clicking on that link would work, and its presence gives the email a feel of credibility. The malicious link is the separate ‘FULL STORY’ link: you must click that one to reach the payload.
The ‘FULL STORY’ link leads to one of a set of compromised machines (a botnet) hosting a page that prompts the user to download an updated version of a ‘Video ActiveX Object’. If the user agrees, the file downloaded is ‘adobe_flash.exe’, which we here at Symantec detect as ‘Downloader’.
On your marks!
The Beijing Olympics start tomorrow. Billed as the world’s biggest sporting event of all time, I am sure that it will not disappoint.
In its bid for the Games, Beijing outlined how it would harness the power of IT, and innovate around it, to bring the Games to new audiences. We will see a convergence of IT and media on a scale not seen before. Many of the big media companies and franchises have extensive plans to bring the Games to the ‘net in a big way. I know that many network administrators are bracing themselves for the impact of streaming video of the Games, if they allow it on the corporate network at all. It will also be interesting (or maybe not) to see the strain on your ISP.
Where you have a mass audience connected to the ‘net, the ‘bad guys’ will be lurking in the shadows. In the Symantec State of Spam report for August we are already seeing spammers peddling their wares on the back of the Olympics. Symantec Security Response has already written up a blog on an attempted phishing attack purporting to sell tickets for the Games. The creators of the site went to great lengths to make it convincing, even serving it over an SSL connection, believe it or not. Worth remembering: the padlock only tells you the connection is encrypted to whoever holds the certificate, not that the site behind it is legitimate.
So, get on your marks, get set, and it is ‘Go’ for no doubt many Olympic-related spams, phishing attempts, and links to web sites showing funny or curious videos of events at the Games. So, I say “Citius, Altius, Fortius” to all of my colleagues in the IT security industry: keep everyone safe, and enjoy the Games.
Farewell Neosploit?
The past couple of years have seen a dramatic rise in the sheer number of pieces of malware out there on the internet, and hence in associated attacks. One of the contributing factors to this increase in attack volume has been the arrival of ‘do-it-yourself’ infection kits. One of the most infamous of these is Neosploit, but there are many others, such as Mpack, IcePack, Cyber Bot and Zunker.
Neosploit allowed a budding ‘hacker’ to launch their own exploits and amass a sizeable botnet. There were regular updates and even a user forum. However, the other day a posting appeared on a Russian web site announcing that the authors of Neosploit were retiring the product. The translation, in effect, read:
“Unfortunately, supporting our product is no longer possible. We apologize for any inconvenience, but business is business since the amount of time spent on this project does not justify itself.
We tried hard to satisfy our clients’ needs during the last few months, but the support had to end at some point. We were 1.5 years with you and hope that this was a good time for your business.”
So, it seems that the authors of Neosploit just couldn’t make it work in a commercial sense. That got me thinking: why? Is it because coming up with new exploits is becoming more difficult, and hence more costly? I do not see any particular evidence of this: there are other toolkits out there and many new exploits being developed on an ongoing basis.
Could it be that they are being ‘boxed in’ by better security? To be fair, we are finding many more exploits, so this seems unlikely. Is it that the market dynamics of the ‘underground economy’ ultimately worked against them? Like every efficient market, it has seen new entrants and competitors to Neosploit who could compete on product and price. Therein may well lie the answer.
So, farewell Neosploit. But there are other exploit toolkits out there, and no doubt new ones will make it onto the ‘market’.
You do not want this package
This month has seen a new twist on an old scam: mass spam mailings with fake invoices. One version informs you that a package from one of the well-known next-day delivery companies could not be delivered and was returned. A zip file is attached; you are asked to download it, print it out and then collect your parcel from your local office.
When you unzip and run the attached file, the malware is copied onto the system, replacing a Windows file that manages Explorer, the user interface and some other important processes. Additionally, it connects to a domain that has on some occasions been used by banker Trojans. That domain redirects the request to another domain in order to download a rootkit and a rogue antivirus.
So, you get a ‘package’ but not one you want nor expect!
Storms in July – who would have thought it?
So, even now, 17 months down the line, the ‘Storm Worm’ is still morphing and reinventing itself to stay alive and ‘out there’. The chronology of Storm is interesting because it shows how the intersection of social engineering and news events allows the bad guys to keep reusing and repurposing this attack. More on this in a future blog.
This time round, the tactic is to hide the Storm malware behind fake news stories about the FBI and Facebook. As usual, you are directed to a fake web site, hosted on an infected Storm web proxy. If you follow the lure and click the link you end up with an executable named “fbi_facebook.exe”: this is the malware. The site not only hosts the download, it also launches a set of browser exploits at the visitor, so merely visiting the page is a risk even if you never run the file.
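The ‘CNN Alert’ spam, the zipped ‘invoice’ and the Storm lure above share two mechanical tells that a mail gateway can check before anyone clicks: a link whose real target fetches an executable (or whose visible text names a different host than its href), and a zip attachment that carries an executable inside. The Python below is an added example, not Symantec’s or the page’s own code. The message it builds is a constructed stand-in for the spam described above; the hosts (203.0.113.x, 198.51.100.x, *.example, *.invalid) are reserved documentation names, not real infrastructure.

```python
# Added example: gateway-side triage of the e-mail lures described on this page.
# The sample message is constructed; every address and host is a placeholder.
import io
import re
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage
from html.parser import HTMLParser
from urllib.parse import urlparse

# Extensions Windows will execute directly; a link or zip member ending in one
# of these is the delivery step every lure on this page relies on.
EXECUTABLE_EXTS = (".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".vbs", ".js")
# A host-name-looking token in link text, e.g. "www.news.example/story.html".
DOMAIN_RE = re.compile(r"(?:[a-z0-9-]+\.)+[a-z]{2,}")


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def suspicious_links(html):
    """Flag links that fetch an executable, and links whose visible text shows
    one host while the href really points somewhere else."""
    parser = LinkCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        target = urlparse(href)
        if target.path.lower().endswith(EXECUTABLE_EXTS):
            findings.append(f"executable download: {href}")
        shown = DOMAIN_RE.search(text.lower())
        if shown and shown.group(0) != target.netloc.lower():
            findings.append(f"link text shows {shown.group(0)} "
                            f"but target host is {target.netloc}")
    return findings


def suspicious_attachments(msg):
    """Report executable attachments and executables hidden inside zip
    attachments (the 'print this invoice' lure), inspected in memory only."""
    findings = []
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        data = part.get_payload(decode=True) or b""
        if name.endswith(EXECUTABLE_EXTS):
            findings.append(f"executable attachment: {name}")
        elif name.endswith(".zip") or data[:2] == b"PK":  # zip magic, even if renamed
            try:
                with zipfile.ZipFile(io.BytesIO(data)) as zf:
                    for member in zf.namelist():
                        if member.lower().endswith(EXECUTABLE_EXTS):
                            findings.append(f"executable inside {name}: {member}")
            except zipfile.BadZipFile:
                findings.append(f"unreadable zip attachment: {name}")
    return findings


def triage(raw):
    """Run both checks over a raw RFC 5322 message and return the findings."""
    msg = message_from_bytes(raw, policy=policy.default)
    findings = []
    body = msg.get_body(preferencelist=("html",))
    if body is not None:
        findings.extend(suspicious_links(body.get_content()))
    findings.extend(suspicious_attachments(msg))
    return findings


def build_sample():
    """Constructed message combining the lures above: one genuine-looking link
    for credibility, a 'FULL STORY' link to an .exe, a fake-news link whose
    text and target disagree, and a zipped 'invoice' holding an .exe."""
    msg = EmailMessage()
    msg["Subject"] = "CNN Alerts: My Custom Alert"
    msg["From"] = "alerts@example.invalid"
    msg["To"] = "reader@example.invalid"
    msg.set_content("Plain-text alternative.")
    msg.add_alternative(
        "<p>World's smallest snake discovered: "
        '<a href="http://www.news.example/snake.html">www.news.example/snake.html</a></p>\n'
        '<p><a href="http://203.0.113.7/news/adobe_flash.exe">FULL STORY</a></p>\n'
        '<p><a href="http://198.51.100.23/video/fbi_facebook.exe">'
        "www.news.example/fbi-facebook</a></p>\n",
        subtype="html",
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("invoice.doc.exe", b"MZ placeholder, not a real program")
    msg.add_attachment(buf.getvalue(), maintype="application",
                       subtype="zip", filename="invoice.zip")
    return msg.as_bytes()


if __name__ == "__main__":
    for finding in triage(build_sample()):
        print(finding)
```

Run against the constructed message this reports four findings: the two executable downloads, the link whose text says www.news.example while the href goes to 198.51.100.23, and the executable inside invoice.zip. The genuine-looking snake link produces nothing, which is the point: the check fires on the payload path, not on the bait.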
No ‘Summer of Love’ in San Francisco
San Francisco city officials are currently wrestling with a difficult issue: they cannot administer their FiberWAN network after a disgruntled system administrator wiped the other administrators’ passwords. Every administrator is locked out except Terry Childs, the unhappy and now ex-employee, who is refusing to divulge his access codes.
He now faces criminal charges and is due in court tomorrow. However, the stand-off continues, with Childs not prepared to disclose his passwords. Engineers from Cisco have been brought in to try to regain access. The Mayor of San Francisco has been at pains to reassure people that the network is working fine; the only problem would be if it crashes, since there is currently no way to get in and fix it.
All very unsatisfactory and embarrassing for the City of San Francisco. It brings into focus the need to be careful about who has admin rights to your network, and about the background of the people you give that access to. It turns out that Terry Childs has an earlier conviction for aggravated burglary. The more basic lesson is that no single administrator should ever hold the only working credentials for a critical network: emergency access should be held in escrow, under dual control, and tested before it is needed.
There is a lesson in all of this for our own home networks, too. Our research shows that most of us keep the default names and passwords that come with our home routers. The bad guys know all of these defaults. So, if you do not want your own version of what is happening in San Francisco, change your router’s network name and wireless password to something unique to you, and be sure to change the default password on the router’s configuration/setup page as well.
NAV and NIS 2009 Public BETA
We have released public beta versions of Norton AntiVirus and Norton Internet Security 2009. If you follow this link it will take you to the download page. We would really like people to download it and let us know what they think.
We plan some very bold things with our 2009 releases. We are aware that customers want security products that do not overwhelm their system resources. Our 2009 products provide strong protection whilst being light on system resources: we have implemented a new architecture for the 2009 products to reduce boot time, scan times, memory usage and install time.
There is a lot of new stuff, so go ahead and download it!
D’oh! Homer falls in with the malware crowd
The malware guys have now roped Homer Simpson into spreading malware. Going back in time, there was an episode of ‘The Simpsons’ in which Homer’s e-mail address was given as “chunkylover53”. Prior to the episode’s airing, the address was registered by the production company, which then used it to answer hundreds of e-mails from Simpsons fans.
In the past few days the ‘chunkylover53’ name has resurfaced, and it is now being used to distribute a Trojan disguised as a Simpsons movie file. If you get an email from Homer at his ‘chunkylover53’ address, you are invited to follow a link to a special exclusive episode of the show available for download. The link in the message leads to an executable file.
Upon launching the Trojan, the user is presented with a fake error message, which is followed by several real error messages and, finally, a blank screen. After a restart, the system runs noticeably slower and is prone to crashes.
The other nasty part of this attack is that once the malware is on the PC, its remote-control component enrols the machine in a botnet. That botnet could easily be called on to launch further attacks.
What is still unclear, and a matter for conjecture, is just how the bad guys got hold of the ‘chunkylover53’ email address.
A very ‘Patchy’ Patch-Tuesday
Most of us have become accustomed to Microsoft ‘Patch Tuesday’. On the second Tuesday of each month, Microsoft coordinates the release of security patches for the security ‘holes’ it has been made aware of and has found a fix for. Many people look at Patch Tuesday with a mixture of frustration and reassurance: frustration born of the very public exposition of ‘not another list of security issues’, and then having to wait for their PCs to download and install the patches; reassurance in the form of solutions having been found and the bad guys having been put back in their box. This month was a bit different.
When a vulnerability is being exploited before a patch or other fix is available for it, we describe this as a ‘zero-day’. On Monday, as Microsoft was preparing everyone for this month’s Patch Tuesday, it had to warn that attackers were exploiting a flaw in the Snapshot Viewer ActiveX control bundled with all versions of Access, Office’s database program, except the newest edition, Access 2007. As with most of these ActiveX attacks, the exploits are being served by ordinary web sites that have themselves fallen victim to automated injection of malicious content into some of their pages. In the past we have seen government, commercial and hobby sites fall victim to this and subsequently begin serving exploits to each of their visitors. An attacker would have to lure a victim, via a link in an e-mail or IM for instance, to a specially crafted web page that exploits the hole to achieve remote code execution.
That gives the attacker as much access to and rights on the computer as the logged-on user has, which is one more reason not to browse the web from an administrator account. Until a patch is created and deployed, we recommend that all Internet Explorer users, including those who do not have the Access Snapshot Viewer installed, update their Norton AntiVirus / Internet Security definitions.
But things didn’t stop there. As we rolled into Patch Tuesday, and therefore only hours after fixing nine vulnerabilities in several of its programs, Microsoft confirmed that attackers are exploiting an unpatched bug in Word 2002. In lieu of a patch, the Microsoft advisory recommended that users open and view Word files with the Word 2003 Viewer instead. Microsoft said that a patch may be forthcoming, but did not specify a timetable.
All in all, a very messy Patch Tuesday.
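The sites being abused here are not the attacker’s own: they are legitimate pages with a few injected tags. Site owners can catch that at the source by scanning their own published HTML for the injection pattern the paragraph describes, namely an off-size iframe, a script pulled from a host that is not theirs, or an object tag that instantiates an ActiveX control by CLSID. The Python below is an added example, not Symantec’s, Microsoft’s or the page’s own code. The CLSID it blocks is a placeholder (all zeros), standing in for whatever control a site owner decides should never appear in their pages, and the sample page is constructed.

```python
# Added example: scan a site's own HTML for the injected-exploit pattern described
# above. The CLSID below is a placeholder, not the Snapshot Viewer's real identifier.
from html.parser import HTMLParser
from urllib.parse import urlparse

PLACEHOLDER_CLSID = "00000000-0000-0000-0000-000000000000"  # stand-in, assumed


def _tiny(value):
    """True for the 0/1-pixel dimensions injected iframes typically use."""
    return value.strip().lower().rstrip("px") in ("0", "1")


class InjectionScanner(HTMLParser):
    """Flag hidden iframes, scripts loaded from foreign hosts, and <object>
    tags that instantiate a blocked ActiveX control."""

    def __init__(self, own_host, blocked_clsids):
        super().__init__()
        self.own_host = own_host.lower()
        self.blocked = {c.lower().strip("{}") for c in blocked_clsids}
        self.findings = []

    def handle_starttag(self, tag, attrs):
        a = {k.lower(): (v or "") for k, v in attrs}
        if tag == "iframe":
            style = a.get("style", "").replace(" ", "").lower()
            hidden = (_tiny(a.get("width", "x")) or _tiny(a.get("height", "x"))
                      or "display:none" in style or "visibility:hidden" in style)
            if hidden:
                self.findings.append(f"hidden iframe to {a.get('src', '')}")
        elif tag == "script" and a.get("src"):
            host = urlparse(a["src"]).netloc.lower()
            if host and host != self.own_host:
                self.findings.append(f"script loaded from foreign host {host}")
        elif tag == "object":
            clsid = a.get("classid", "").lower().replace("clsid:", "").strip("{}")
            if clsid in self.blocked:
                self.findings.append(f"object instantiates blocked control {clsid}")


def scan_page(html, own_host, blocked_clsids=(PLACEHOLDER_CLSID,)):
    """Return the list of injection findings for one page of a site."""
    scanner = InjectionScanner(own_host, blocked_clsids)
    scanner.feed(html)
    return scanner.findings


# Constructed page: a hobby site whose footer has been injected with a hidden
# iframe, a foreign script and an <object> for the placeholder control.
SAMPLE_PAGE = """<html><body>
<h1>Model railway club newsletter</h1>
<script src="/js/menu.js"></script>
<p>Next meeting is on Thursday.</p>
<iframe src="http://203.0.113.9/in.php" width="0" height="0" frameborder="0"></iframe>
<object classid="clsid:00000000-0000-0000-0000-000000000000" id="snap"></object>
<script src="http://198.51.100.40/x.js"></script>
</body></html>"""


if __name__ == "__main__":
    for finding in scan_page(SAMPLE_PAGE, "www.example.org"):
        print(finding)
```

On the constructed page this reports the zero-size iframe, the object for the placeholder CLSID and the script fetched from 198.51.100.40; the site’s own /js/menu.js is not flagged because it has no foreign host. Running this over a site’s pages after every deployment, and diffing the findings, catches the kind of automated injection the paragraph describes before visitors do.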