Security Research | Page 57

So you have your firewall in place and all is working great. You are collecting logs on everything that you need to keep an eye on. But then the problems start. You know something unexpected is happening in the network, but what is it? You can look through all that data trying to find the problem, but this quickly becomes tedious, like looking for the proverbial needle in a haystack. This is where a picture can greatly help; a chart, to be specific. A chart can help with continuous monitoring and alert you to abnormal data patterns... [Read More]
by Jeff Crawford  |  Apr 15, 2010  |  Filed in: Security Research
On Symbian phones, most malware is implemented either natively in C++ (over the Symbian API) or in Java (midlets). SymbOS/Enoriv.A!tr.dial uses another language called m. Usually, m scripts (.m extension) are run within the m environment (mShell), using the various features offered by m library modules (messaging, obex, video, zip...). This is comparable to Java midlets, which run over a Java environment and use various Java API packages. The m scripts can also be compiled to be included in a stand-alone Symbian application. In that case, the... [Read More]
by Axelle Apvrille  |  Apr 13, 2010  |  Filed in: Security Research
PCI mandates have forced retailers to take a hard look at their network security. As a retailer, how do you securely protect store data from malware and other Internet-based attacks? How do you secure a retail location with many different network security functionalities while also being cautious of space limitations? Is a wireless infrastructure feasible both from a security standpoint and from a budgetary perspective? Find out the answers to these questions by attending the Fortinet webinar "Cashing in on Network Security: PCI with ROI in a Retail... [Read More]
by Maeve Naughton  |  Apr 08, 2010  |  Filed in: Security Research
When it comes to antivirus, how much coverage do you need? Everyone has different concerns when it comes to antivirus coverage. Some people want to circle the wagons and let very little into their networks, while others need some basic protection but prefer speed, speed and more speed. In this article I'll discuss the new antivirus features in FortiOS 4.0 MR2 for the FortiGate family and how your device can be configured for your preferred balance of coverage versus performance. Malware Lifecycles: All malware has a life cycle. Some are like... [Read More]
by Jeff Crawford  |  Apr 05, 2010  |  Filed in: Security Research
Just posted is our March 2010 Threat Landscape Report, in which ransomware threats dominated our Top 10 malware list. Every single detection in our list, with the exception of HTML/Iframe.DN, resulted in either scareware or ransomware infesting the victim's PC. The "Total Security" ransomware threat observed to be spread by the Cutwail botnet last period was prevalent once again, while another ransomware threat, W32/DigiPog.EP, surfaced as well this month. DigiPog is a Russian-language SMS blocker, locking out a system and aggressively... [Read More]
by Derek Manky  |  Mar 26, 2010  |  Filed in: Security Research
If you haven't yet installed the latest patch apsb10-07 for your Adobe Reader and Acrobat, you should hurry. The exploit is in the wild! In this post I will dissect a PDF document (MD5: 48e0cc8629d492a64a2767949d2ed9bc), indeed found in the wild, that leverages CVE-2010-0188 in order to install a backdoor in your Microsoft Windows system. Fortinet detected this sample as PDF/Adbtiff.A!exploit.CVE20100188. The test environment is Adobe Reader 9.3.0 in Microsoft Windows XP SP3. The key for cybercriminals to exploit CVE-2010-0188 here is to... [Read More]
by Bin Liu  |  Mar 24, 2010  |  Filed in: Security Research
Recently I've been working on an analysis of Sasfis botnet communications. During the tests I noticed that when the bot installs itself, it adds a registry key named "idid", with some random looking data in it. The data was added under the name "url0", so it seemed like it must be an encrypted URL. Here is an example from one of the bot variants:
Key Name: HKEY_CLASSES_ROOT\idid
Name: url0
00000000 1e 9b 6d d8 89 e6 c4 50 7f fd 13 6b fa e2 f4 17
00000010 1a 80 78 cc d6 bb c4 55 73 b5 07 77 a4 81 3a 71
00000020... [Read More]
by Doug Macdonald  |  Mar 10, 2010  |  Filed in: Security Research
There were many flavors of threats observed during this period, though most were overshadowed by a campaign that accounted for more than half of our total malware detections (detected as HTML/Goldun.AXT) in just two days. Over these two days the daily detected volume for these malicious emails was very close to record levels. This spam campaign delivered a malware binary using the filename "" which, when executed, would download rogue antivirus software. In fact, this malware downloaded the ransomware "Security Tool", an upgraded version... [Read More]
by Derek Manky  |  Mar 08, 2010  |  Filed in: Security Research
With all of the features available in the FortiGate operating system, such as our antivirus, web filtering, IPS and antispam, together with newer additions such as SSL VPN, DLP, WAN Optimization, etc., it is easy to overlook some of the lesser known features our solution provides. I wanted to mention our load balancing capability as another one of those surprising free Fortinet features. Of course, in the current economic climate, consolidation, something Fortinet has pioneered for the past decade, is always being sought, and the more features... [Read More]
by Carl Windsor  |  Mar 04, 2010  |  Filed in: Security Research
A few days ago we encountered a new variant of the Symbian worm Yxes, which we named SymbOS/Yxes.H!worm. This worm contacts malicious remote servers, which host Java Server Pages, and propagates by sending 'attractive' SMS messages. For instance, this new variant sends an SMS with a URL promising private information concerning a Chinese actress. Overall, the logic (and much of the code) is the same as in previous variants. Yet there are a few updates, one of the main ones being the use of new remote malicious Java Server Pages. I guess every... [Read More]
by Axelle Apvrille  |  Mar 04, 2010  |  Filed in: Security Research