Latest Posts | Page 150

I've been asked to provide a little more information on what else we can provide in the web filtering space, particularly when it comes to service providers and how they can solve one of the main problems when considering a residential web filtering service. We have provided a way of dynamically provisioning the web filtering profile on a per-endpoint basis, and an endpoint can of course be many things. Flexibility in this endpoint definition is key, so it can relate to an authenticated username, a service, a location, or in the case of mobile... [Read More]
by Michael Xie  |  Feb 24, 2010  |  Filed in: Security Research
You have likely heard of the Kneber attacks chronicled by the mass media as of late. Kneber is a botnet, and a very familiar one at that: Zeus. Zeus is a crimeware kit, a do-it-yourself setup which allows any aspiring botnet herder to configure and create their own botnet (referred to as ZBot). The builder configures the ZBot binary for the client with its own botnet ID/password, thus creating a new variant of ZBot. In fact, there are many active botnets that are spawned by this widely distributed kit. It has become so popular, and accessible,... [Read More]
by Derek Manky  |  Feb 22, 2010  |  Filed in: Security Research
While web filtering provides a company with the ability to limit where users visit on the Internet, what if some users (managers, guests or whole departments) need access to these categories or subsets of those categories? What if you still want to give your users or employees some level of freedom? After all, a happy worker is a productive worker. You need the flexibility to accommodate a multitude of configurations and situations; one size does not necessarily fit all. Happily, FortiOS comes in many sizes. There are options available to meet... [Read More]
by Michael Xie  |  Feb 17, 2010  |  Filed in: Security Research
At Fortinet, we have created an innovative approach to web filtering that combines the advantages of cloud-based services with a layered response caching option: our FortiGuard web filtering services. FortiGuard data centers around the world contain a massive URL categorization database. These data centers receive rating requests from FortiGate units, typically triggered by browser-based URL requests. In combination with local profile configurations and the appropriate action (allow, deny, or monitor), the FortiGate unit determines how... [Read More]
by Michael Xie  |  Feb 16, 2010  |  Filed in: Security Research
It's been two months since we revealed the 3rd generation Pushdo/Cutwail/Webwail botnet communication protocol and encryption. Recently, while researching a new bot (GoolBot), we found another Pushdo-like malware spreading with its help. After reversing, it became clear that it was a brand new evolution of the infamous multi-malware loader, for two essential reasons: while it used the 2nd generation Pushdo communication protocol (with minor variations), it encrypted its communications and routed them through the SSL port (443); while this encryption... [Read More]
by Kyle Yang  |  Feb 04, 2010  |  Filed in: Security Research
We have written much on Pushdo and its associated spamming component Cutwail over the years; for in-depth information on these botnets, check out our analysis. Cutwail has been observed with many spam campaigns over the past year, and today is no exception. As of writing, we observed 6 separate e-mail campaigns being sent from different Cutwail binaries, all within the last 24 hours. The images below show these emails, each with a description. Since the campaigns range from malware to links and scams with different affiliate identifiers, it is likely... [Read More]
by Derek Manky  |  Jan 29, 2010  |  Filed in: Security Research
I don't know if my recent analysis of Java/GameSat set me on divination, but today I feel like predicting a few things for 2010. And as we're already at the end of January, I should probably hurry. SymbOS/Yxes will be back and stronger this year. Its authors have probably had time to debug it, and I would be surprised if they do not release a few versions in the wild. The AppStore will be abused, unintentionally offering one (or more) malware to the iPhone community. My crystal ball tells me this malware is likely to be spyware, i.e. a malware... [Read More]
by Axelle Apvrille  |  Jan 28, 2010  |  Filed in: Security Research
There was no shortage of threat news this month, most notably with the highly publicized attacks, codenamed "Aurora", on select corporations, including Google. The official CVE identifier for this attack was CVE-2010-0249, with Fortinet's detection being "MS.IE.Event.Invalid.Pointer.Memory.Corruption". For more information, please see our advisory and blog post. Details on these attacks through a zero-day Internet Explorer flaw came out in mid-to-late January: in just a couple of days, this detection rocketed into fourth place in our top ten attack... [Read More]
by Derek Manky  |  Jan 27, 2010  |  Filed in: Security Research
It had been a while since we'd last seen malware transferring credits to pre-paid phone cards. Our last encounter dated back to SymbOS/Flocker!tr.python in early January 2009. It is happening again, with Java/GameSat.A!tr, a Java ME midlet which is currently in the wild. Indosat, an Indonesian telecom operator, offers IM3 (Indosat Multimedia 3) customers the ability to transfer (small) funds between two accounts. This is known as 'pulse transfer' or 'M3-Transfer' and it works by ... SMS, without PIN or registration! The money is transferred from... [Read More]
by Axelle Apvrille  |  Jan 26, 2010  |  Filed in: Security Research
The much-anticipated out-of-band release was rolled out today by Microsoft in the form of MS10-002. Included is CVE-2010-0249 (see our advisory here), addressed by Microsoft through a security advisory (979352) late last week. We released the signature "MS.IE.Event.Invalid.Pointer.Memory.Corruption" to address this particular issue. The Microsoft advisory was, of course, the subject of many headlines due to an Internet Explorer zero-day exploit with reports of targeted attacks, probably the most since Conficker made waves in 2009. Activity on... [Read More]
by Derek Manky  |  Jan 21, 2010  |  Filed in: Security Research