Symantec Blog Roundup
A Symantec Security Response podcast featuring two high-profile zero day vulnerabilities affecting Microsoft and the Broadcom Wireless device driver set. This podcast features a technical discussion of the vulnerabilities and offers listeners insight on likely attack scenarios and mitigating strategies. A Symantec Security Response podcast featuring a roundup of the top weblog postings from Symantec Security Response engineers in November. This podcast features a summary of weblogs from Zulfikar Ramzan, Patrick Fitzgerald, Dave Cole and Orlando Padilla.
More information at:
Host: Editor – PodTech
You’re listening to a Symantec Podcast powered by PodTech.
Editor – PodTech
Hello and welcome to this Security Response Podcast brought to you by Symantec, the world leader in providing solutions to help individuals, small businesses, and enterprises assure the security, availability, and integrity of their information. This Podcast will present a roundup of the Symantec Security Response weblogs posted in November, 2006. Blogs posted by Symantec Security Response engineers this month include a number of interesting topics. Zulfikar Ramzan discussed the cost of online fraud for two online brokerage houses. Patrick Fitzgerald wrote about online fraud that uses spam containing misleading investment tips. Dave Cole provided an update on the Symantec Phish Report Network. Shunichi Imano reported on a security concern affecting Broadcom wireless drivers; and finally Orlando Padilla recounted the results of Symantec’s research into the new Microsoft Vista operating system and its resistance to malicious code. In his blog entitled “A Dollar Figure on Online Fraud,” Zulfikar Ramzan discussed the cost of online fraud for two online brokerage houses. ETrade and TD AMERITRADE estimated that online fraud had cost them a combined $22 million.
These losses were incurred through a scheme known as Pump-n-Dump, in which fraudsters use stolen password and account information to manipulate stock prices. This confidential information was stolen using keystroke logging software and screen scraping software. Both of these tools allow attackers to gather all information entered into a compromised computer. Zulfikar goes on to describe some steps that the brokerage houses can take to detect suspicious activity. He also explains that there are steps you should take to ensure that your online transactions are protected. These include the use of antivirus and anti-spyware software, using different passwords for different online accounts, and not opening any attachments that do not come from known, trusted sources.
Finally, Zulfikar recommends that you not conduct confidential transactions on unknown computers. Computers in public places such as internet cafes are often infected with malicious programs such as spyware. It’s crucial that you’re sure that the computer you’re working on is secure and free of spyware before conducting any confidential transactions. The best way to do this is to restrict such activities to your personal computer. In a related topic, it now appears that attackers may be using spam messages to manipulate stock prices in so-called Pump-n-Dump schemes. Patrick Fitzgerald explained that the virus Rustock.B has been detected sending spam that contains stock information and false projections on future prices for the stock.
The stock in question was selling for $0.65, but was projected to be selling for $10 within 5 days. This promise of quick earning potential would encourage speculators to buy the stock, thereby driving up the price artificially. As Patrick explains, the stock rose from $0.65 up to $2 per share over a five-day period. The scammers then sell their holdings of the stock, which they bought at a very low price, at the higher price caused by the speculator buying. After a few days, the stock returned to its natural price and those who had bought it based on the false information in the spam message would have lost their money. This type of spam activity may become more common as attackers realize its potential for easy earnings. As Patrick reminds us, investing in stocks advertised by stock-based spam is definitely not a good idea.
The Phish Report Network is an extensive anti-fraud community in which members contribute and receive fraudulent web site addresses for alerting and blocking attacks across a broad range of solutions. The network is a community initiative led by a group of vendors including Yahoo!, Netscape, Symantec, and others, and it’s open to any organization that wants to have phishing activity targeting their brand blocked through the network’s community of solution providers. In his blog, Dave Cole announced that any and all computer users can now submit their fresh phishing information to the network.
They can do this by visiting the following web site: https://submit.symantec.com/antifraud/phish.cgi. They can then cut and paste the URL of the fraudulent web site into the form provided. Once the web site has been submitted, Symantec will vet the web site to determine if it’s indeed fraudulent. If so, it will be added to a block list, which will then be incorporated into the security products of participating vendors, allowing them to protect their users against phishing attacks using the fraudulent web site. The intelligence will also be forwarded to numerous financial institutions, which can then use the information to help law enforcement agencies track down potential fraudsters. With the rapid adoption of wireless technologies, security of these devices is becoming a more urgent issue. In his blog entitled “Wireless Monkey on the Loose,” Shunichi Imano reports that functional exploit code for Broadcom wireless drivers has been made available to the public. A wireless device may be vulnerable to this exploit if the computer has a susceptible Broadcom wireless network card and is running the drivers in question.
Unfortunately, due to the nature of wireless networking, all that is required is for the attacker to be within range of the vulnerable machine. Because this vulnerability occurs at an extremely low level within the networking protocol, there may be difficulties in detecting these attacks using standard IDS or IPS methods. Shunichi recommends that you update the wireless drivers as soon as possible if your computer is running a vulnerable version of the Broadcom wireless driver; otherwise, you should avoid using your wireless card to connect to networks in insecure areas, and also be aware of the risk involved when connecting to wireless networks. Microsoft has finally released its much anticipated Vista operating system. Vista is expected to address many of the security issues that have plagued past versions of Windows. Orlando Padilla’s blog entitled “Hit or Miss? Vista and Current Threat Survivability” assessed Vista’s ability to protect against known malicious code samples.
In order to test Vista, Symantec researchers gathered approximately 2000 unique instances of malicious code. Malicious code was selected randomly and included rootkits, Trojans, spyware, mass mailers, and so on. The researchers executed the code using Vista’s default User Account Control settings to determine the malicious code’s ability to execute on the target system and compromise it. On average, about 70% of the malicious code tested loaded on Vista successfully and executed without a crash or runtime error. However, successful execution does not necessarily mean the malcode has fully compromised the victim host.
Out of this 70% of samples that were able to execute, only about 6% were able to fully compromise the targeted computer, and an even smaller number, 4%, survived the system reboot. The rest did not execute properly, either due to incompatibility, unhandled exceptions, or security restrictions. Orlando states that it’s easy to see why malicious code fails to successfully infect Vista. Malicious code authors regularly assume that users are running with administrator privileges. They usually attempt to modify system settings and/or global user environments such as registry keys and shared documents. They also attempt to bind a port with little interference. In Vista, these common tactics are now restricted or virtualized. Despite this, the majority of file infectors executed were able to modify other executables in the user’s directory. This is dangerous if the accounts are shared or if the user decides to share one of the directories that contains infected files.
Orlando concludes that while the results of Symantec’s research initially bode well for Vista, it is reasonable to conclude that malicious code authors will adapt to the new operating system. They will likely no longer target the system as a whole; instead they will target the user’s environment. A large portion of Symantec’s samples had failed because of unhandled conditions with no alternative code paths, or because they were not able to execute within Vista’s new security environment. With relatively minor changes, malcode authors can resolve these obstacles, and when that happens, Vista will likely be more susceptible to successful compromise by malicious code. That concludes our Security Response Podcast for today.
For the complete text of this month’s blog postings, point your browser to www.symantec.com/enterprise/security_response/weblog. Thank you for downloading and listening to the Security Response Podcast brought to you by Symantec, the global leader in information integrity, providing software, appliances, and services to help individuals and enterprises secure and manage their most important asset, their information. For more information about this subject, related products, or additional Podcasts, make sure to visit www.symantec.com.