Latest Posts | Page 136

When The Pwnie Awards, aka the Oscars of security research, unveiled this year’s nominees on July 22, 2010, we were excited to discover that Fortinet researchers Guillaume Lovet and Haifei Li were nominated in the category of “Most Innovative Research” for their paper “Adobe Reader's Custom Memory Management: A Heap of Trouble.” “Most Innovative Research” is awarded to the person(s) who published “the most interesting and innovative research in the form of a paper, presentation, tool or even a mailing list post”. Guillaume and... [Read More]
by Rick Popko | Jul 23, 2010 | Filed in: Security Research
Since the Belarus vendor VirusBlokAda pulled the alarm last week on a new malware deemed “Stuxnet”, a whole lot of information has been released here and there on different portions of the threat. As a matter of fact, the Stuxnet case presents a certain level of multiplicity, as it consists in an “exploit” part, a “rootkit” part, involves specific infection vectors, targets a specific class of victims, and has unusual characteristics (for instance regarding software certificates). The subsequent fragmentation of information across the... [Read More]
by Guillaume Lovet | Jul 21, 2010 | Filed in: Security Research
The more I analyze the SymbOS/Album malware, the more it scares me. The main malicious executable, Album.exe, is actually capable of processing incoming commands included in SMS messages sent by the value-added service provider number 106650xxx. Typical commands are: download and install software, get phone information or update software. Now, that starts to look like a botnet, even though it isn't (yet?) a very scalable way to communicate with bots because the bot master must send an SMS to each bot it manages. More in details, the Album... [Read More]
by Axelle Apvrille | Jul 15, 2010 | Filed in: Security Research
This month, Derek Manky, project manager, cyber security & threat research at Fortinet, recorded an informative audio with PowerPoint presentation titled: “Threat Prevention: 2010 and Beyond.” This extremely enlightening discussion examines four real-world vulnerabilities (Dalai Lama, JBIG2 Zero-Day PDF, Operation Aurora and IE Zero Day), their timelines, what happened with these vulnerabilities, how the attacks occurred and what the payload was. Derek then concludes with examples of how you can best protect your network from becoming... [Read More]
by Rick Popko | Jul 14, 2010 | Filed in: Security Research
Lately, I have been analyzing a sample of SymbOS/Album.A!tr, another advanced malware targeting mobile phones running Symbian OS 9 and greater. First of all, once more, like SymbOS/Yxes, this malware was "legitimately" signed by Symbian's Express Signed program. The certificate is now revoked:
    Serial Number: c8:8e:00:01:00:23:db:45:38:bc:e7:2a:d3:03
    Signature Algorithm: sha1WithRSAEncryption
    Issuer: C=GB, O=Symbian Limited, CN=Symbian CA I
    Validity
        Not Before: Nov 20 05:00:02 2009 GMT
        Not After : Nov 21 05:00:02 2019 GMT
    Subject: C=CN,... [Read More]
by Axelle Apvrille | Jul 08, 2010 | Filed in: Security Research
While there were plenty of new variations of malware that entered our top ten listing this report, many of them belonged to the Sasfis botnet. Sasfis, which has been battling in terms of volume with the Pushdo botnet recently, was very active this month. We observed Sasfis loading a spambot component which was heavily used to send out binary copies of itself in an aggressive seeding campaign. Sasfis' socially engineered emails lay in two distinct themes, one with fake UPS Invoice attachments (filename: "UPS_Invoice_{date}.zip"), and the other disguised... [Read More]
by Derek Manky | Jun 28, 2010 | Filed in: Security Research
In January 2010, Fortinet’s FortiGuard Labs threat researchers issued a report outlining their predictions for The Top 10 Security Trends for 2010. Now that we’re midway through the year, we thought it would be interesting to see how right (or wrong) we were and if anything completely unexpected has come up along the way. The following report spells out the trends the team predicted at the beginning of the year and concludes with comments on where each threat exists today. 1) Security, Virtually Speaking **January 2010:** “Preventing... [Read More]
by Derek Manky | Jun 23, 2010 | Filed in: Security Research
When analyzing a new botnet, I tend to focus heavily on the network messages. After all, they are the glue that holds the botnet together. So one of the first things I did, when working on our new analysis of the Ozdok/Mega-D botnet, was to look at the messages and discover that they were encrypted. Of course this is not unusual, and after deciding the encryption was not something simple, I went to the bot code to see what was being used. It soon developed that the encryption used was DES (Data Encryption Standard), in ECB mode. The cryptographic... [Read More]
by Doug Macdonald | Jun 15, 2010 | Filed in: Security Research
High profile events such as the 2010 FIFA World Cup always lead to higher Internet search traffic. Maybe you’re looking for tickets, the latest scores or video highlights from the day’s games. If you find yourself doing a FIFA search anytime during the World Cup, we urge you to be mindful of the search results links, because concentrated search traffic around one particular subject tends to bring out search engine optimization (SEO)-based attacks. The FIFA World Cup is no exception. SEO attacks work by getting popular search engines to rank... [Read More]
by Derek Manky | Jun 10, 2010 | Filed in: Security Research
Starting from the beginning of this week, we have been getting several reports about sites being injected by a malicious script... Seems a new mass SQL injection campaign started, targeting web applications running over Microsoft IIS and ASP.Net, for a change (<- sarcasm). As of this writing, over 100,000 sites have already been tampered with to include some links to a malicious server (e.g. hxxp://, which hosts a web exploit toolkit; the toolkit is of course aiming at compromising all visitors' systems via browser flaws. Analysts... [Read More]
by David Maciejak | Jun 10, 2010 | Filed in: Security Research