Security Research | Page 61

A few days ago we encountered a new variant of the Symbian worm, Yxes, that we named SymbOS/Yxes.H!worm. This worm contacts malicious remote servers, which host Java Server Pages, and propagates by sending 'attractive' SMS messages. For instance, this new variant sends an SMS with a URL promising private information concerning a Chinese actress. Globally, the logic (and much of the code) is the same as in previous variants. Yet, there are a few updates, one of the main ones being the use of new remote malicious Java Server Pages. I guess every...
by Axelle Apvrille  |  Mar 04, 2010  |  Filed in: Security Research
Let's admit, whilst IPSec VPN has traditionally been the standard for secure remote access, it has never been the easiest to configure. The client software installation, pre-shared key distribution and the inevitable debugging due to the myriad of options and overly aggressive port filtering by your access provider have caused many an administrator, if not sleepless nights, then certainly a period of frustration. Whilst improving the experience of the IPSec VPN configuration, easing the client install and giving more widely useful default options...
by Carl Windsor  |  Mar 02, 2010  |  Filed in: Security Research
In-depth analysis of malware shows different methods of obfuscating their code. They employ different tactics to hide themselves and to make analysis harder. They also dynamically load functions that they will be using. Those functions, more often called APIs (Application Programming Interfaces), are commonly loaded when we run an application. Malware authors also use dynamic function loading to enable their malware to adapt to different operating systems. They use it to enable their program to run on Windows XP, Vista, Windows 7 or other platforms. Common practice...
by Raul Alvarez  |  Mar 01, 2010  |  Filed in: Security Research
Two of Fortinet's FortiGuard Labs researchers will be on hand at next week's RSA Conference to present their research in the Fortinet booth theater (#2225). The presentations focus on ransomware and industrial spying, two hot topic areas that are on the minds of security professionals at enterprises today. Here is a bit of information: All Your Data Are Belong To Us Ransomware comes in many shapes and forms, with the most recent variation using malware masquerading as antivirus protection. The goal of an attacker is simple: cripple, lock down and...
by Rick Popko  |  Feb 26, 2010  |  Filed in: Security Research
I’ve been asked to provide a little more information on what else we can provide in the web filtering space, particularly when it comes to service providers and how they can solve one of the main problems when considering a residential web filtering service. We have provided a way of dynamically provisioning the web filtering profile on a per end point basis, and an end point can of course be many things. Flexibility in this end point definition is key, so it can relate to an authenticated username, a service, location, or in the case of mobile...
by Michael Xie  |  Feb 24, 2010  |  Filed in: Security Research
You have likely heard of the Kneber attacks chronicled by the mass media as of late. Kneber is a botnet, and a very familiar one at that - Zeus. Zeus is a crimeware kit, a do-it-yourself setup which allows any aspiring botnet herder to configure and create their own botnet (referred to as ZBot). The builder will configure the ZBot binary for the client, with its own botnetID/password: thus creating a new variant of ZBot. In fact, there are many active botnets that are spawned by this widely distributed kit. It has become so popular, and accessible,...
by Derek Manky  |  Feb 22, 2010  |  Filed in: Security Research
While web filtering provides a company with the ability to limit where users visit on the Internet, what if some users - managers, guests or whole departments - needed access to these categories or subsets of those categories? What if you still want to give your users or employees some level of freedom? After all, a happy worker is a productive worker. The flexibility to accommodate a multitude of configurations and situations. One size does not necessarily fit all. Happily, FortiOS comes in many sizes. There are options available to meet...
by Michael Xie  |  Feb 17, 2010  |  Filed in: Security Research
At Fortinet, we have created an innovative approach to web filtering that combines the advantages of cloud-based services with a layered response caching option - our FortiGuard web filtering services. FortiGuard data centers around the world contain a massive URL categorization database. These data centers receive rating requests from FortiGate units, typically triggered by browser-based URL requests. In combination with local profile configurations and the appropriate action - allow, deny or monitor - the FortiGate unit determines how...
by Michael Xie  |  Feb 16, 2010  |  Filed in: Security Research
It's been two months since we revealed the 3rd Generation Pushdo/Cutwail/Webwail Botnet communication protocol and encryption. Recently, while researching a new bot (GoolBot), we found another Pushdo-like malware spreading with its help. After reversing, it became clear that it was a brand new evolution of the infamous multi-malware loader, for two essential reasons: While it used the 2nd generation Pushdo communication protocol (with minor variations), it encrypted its communications and routed them through the SSL port (443); while this encryption...
by Kyle Yang  |  Feb 04, 2010  |  Filed in: Security Research
We have written much on Pushdo and its associated spamming component Cutwail over the years: for in-depth information on these botnets, check out our analysis. Cutwail has been observed with many spam campaigns over the past year, and today is no exception. As of writing, we observed 6 separate e-mail campaigns being sent from different Cutwail binaries -- all within the last 24 hours. The images below show the said emails, with a description. Since the campaigns range from malware to links and scams with different affiliate identifiers, it is likely...
by Derek Manky  |  Jan 29, 2010  |  Filed in: Security Research