Security Research | Page 62

I don't know if my recent analysis of Java/GameSat put me in a divining mood, but today I feel like predicting a few things for 2010. And as we're already at the end of January, I should probably hurry. SymbOS/Yxes will be back and stronger this year. Its authors have probably had time to debug it, and I would be surprised if they did not release a few versions in the wild. The AppStore will be abused, unintentionally offering one (or more) malware to the iPhone community. My crystal ball tells me this malware is likely to be spyware, i.e. a malware... [Read More]
by Axelle Apvrille  |  Jan 28, 2010  |  Filed in: Security Research
There was no shortage of threat news this month, most notably the highly publicized attacks - codenamed "Aurora" - on select corporations, including Google. The Internet Explorer vulnerability used in these attacks was assigned CVE-2010-0249; Fortinet detects exploitation of it as "MS.IE.Event.Invalid.Pointer.Memory.Corruption". For more information, please see our advisory and blog post. Details of these attacks through a zero-day Internet Explorer flaw came out in mid-to-late January: in just a couple of days, this detection rocketed into fourth place in our top ten attack... [Read More]
by Derek Manky  |  Jan 27, 2010  |  Filed in: Security Research
It had been a while since we'd last seen malware transferring credits to pre-paid phone cards. Our last encounter dated back to SymbOS/Flocker!tr.python, in early January 2009. It is happening again with Java/GameSat.A!tr, a Java ME midlet which is currently in the wild. Indosat, an Indonesian telecom operator, lets IM3 (Indosat Multimedia 3) customers transfer (small) amounts of credit between two accounts. This is known as 'pulse transfer' or 'M3-Transfer', and it works by ... SMS, without a PIN or registration! The money is transferred from... [Read More]
by Axelle Apvrille  |  Jan 26, 2010  |  Filed in: Security Research
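A first triage step for a midlet like the one described above, given here as an added example that is not from the post and not Fortinet's analysis code: read the JAD (or the JAR manifest, which uses the same attribute syntax) to see whether the application declares the MIDP 2.0 permissions that allow sending SMS, and scan its class files for hard-coded sms:// destinations. The JAD, the class-file fragment and the destination number 000 are constructed placeholders; the real M3-Transfer number is not on the page. The permission names are the genuine MIDP 2.0 ones.

```python
"""Added triage helper for a Java ME (MIDP 2.0) package: does the application
declare SMS-sending permissions, and which sms:// destinations are baked into
its class files? Constructed inputs; not Fortinet's analysis code."""
from __future__ import annotations
import re

# Real MIDP 2.0 permission names that let a MIDlet open an SMS connection and send.
SMS_SEND_PERMISSIONS = {
    "javax.microedition.io.Connector.sms",
    "javax.wireless.messaging.sms.send",
}

# Constructed JAD (application descriptor); names and sizes are placeholders.
# The permissions line is wrapped with a leading-space continuation, as JAR
# manifests do at 72 bytes, to exercise that code path.
SAMPLE_JAD = """\
MIDlet-1: Game, /icon.png, GameMIDlet
MIDlet-Name: Game
MIDlet-Vendor: unknown
MIDlet-Version: 1.0
MIDlet-Jar-URL: game.jar
MIDlet-Jar-Size: 12345
MicroEdition-Configuration: CLDC-1.1
MicroEdition-Profile: MIDP-2.0
MIDlet-Permissions: javax.microedition.io.Connector.sms,
 javax.wireless.messaging.sms.send
"""

# Constructed fragment of a .class constant pool: a CONSTANT_Utf8 entry is tag
# 0x01, a 2-byte length, then the raw bytes, so string literals are visible as-is.
# "000" is a placeholder destination, not the operator's real short code.
SAMPLE_CLASS = b"\x01\x00\x09sms://000\x01\x00\x05hello\x01\x00\x04java"


def parse_jad(text: str) -> dict[str, str]:
    """Parse 'Key: value' attributes; a line starting with a space continues
    the previous value (manifest-style line wrapping)."""
    attrs: dict[str, str] = {}
    last_key = None
    for line in text.splitlines():
        if line.startswith(" ") and last_key is not None:
            attrs[last_key] += line[1:]
            continue
        if ":" not in line:
            continue
        key, value = line.split(":", 1)
        last_key = key.strip()
        attrs[last_key] = value.strip()
    return attrs


def requested_sms_permissions(attrs: dict[str, str]) -> set[str]:
    """SMS-send permissions from the required and optional permission lists."""
    found = set()
    for key in ("MIDlet-Permissions", "MIDlet-Permissions-Opt"):
        for perm in attrs.get(key, "").split(","):
            if perm.strip() in SMS_SEND_PERMISSIONS:
                found.add(perm.strip())
    return found


# sms://<number>[:port], number possibly prefixed with '+'
SMS_URL_RE = re.compile(rb"sms://\+?[0-9]{3,20}(?::[0-9]{1,5})?")


def find_sms_destinations(class_bytes: bytes) -> list[str]:
    """Scan raw class bytes for sms:// URLs; no constant-pool parsing needed."""
    return sorted({m.group(0).decode("ascii") for m in SMS_URL_RE.finditer(class_bytes)})


def triage(jad_text: str, class_bytes: bytes) -> dict:
    """Combine both checks. The byte scan is evaluated independently because a
    MIDlet may omit the permission declaration and rely on the runtime prompt."""
    attrs = parse_jad(jad_text)
    perms = requested_sms_permissions(attrs)
    dests = find_sms_destinations(class_bytes)
    return {
        "name": attrs.get("MIDlet-Name", "?"),
        "sms_permissions": sorted(perms),
        "sms_destinations": dests,
        "suspicious": bool(perms) or bool(dests),
    }


if __name__ == "__main__":
    print(triage(SAMPLE_JAD, SAMPLE_CLASS))
```

A "game" that can send SMS to a fixed number deserves a closer look, but this is only a heuristic: the destination may be assembled at run time rather than stored as a literal, and a legitimate application may genuinely need SMS. The check narrows down what to disassemble, it does not replace looking at the code.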
The much anticipated out-of-band release was rolled out today by Microsoft as MS10-002. Included is CVE-2010-0249 (see our advisory here), which Microsoft had covered in security advisory 979352 late last week. We released the signature "MS.IE.Event.Invalid.Pointer.Memory.Corruption" to address this particular issue. The Microsoft advisory was, of course, the subject of many headlines, as an Internet Explorer zero-day exploit with reports of targeted attacks -- probably the most since Conficker made waves in 2009. Activity on... [Read More]
by Derek Manky  |  Jan 21, 2010  |  Filed in: Security Research
Appearing in the first quarter of 2009, Gumblar spread rapidly and has become one of the biggest threats today[1]. Gumblar infects PCs by exploiting vulnerabilities in web browsers and browser plugins, such as Adobe Acrobat Reader and Flash Player. There is some good information available regarding Gumblar, addressing its JavaScript obfuscation, the affected domains and its C&C communication[2][3][4]. However, scarce detail is available about the actual vulnerabilities and exploits leveraged by Gumblar, and the question "How are the malicious PDF... [Read More]
by Bin Liu  |  Jan 19, 2010  |  Filed in: Security Research
Bredolab should be a name familiar to most of our readers by now - it has been our most dominant threat overall for the second half of 2009, continuing into 2010. It has been discussed several times in our monthly Threat Landscape reports, and has also been connected to Gumblar attacks. For those unfamiliar, Bredolab is a simplified botnet - a loader which simply connects to a remote server to report in and receive files to download and execute. Apart from rogue antivirus software ("scareware"), Bredolab's other favorite download is Pushdo. Pushdo, another prominent... [Read More]
by Derek Manky  |  Jan 15, 2010  |  Filed in: Security Research
Information security is a top priority for many organizations today due to the significant security breaches that made headlines in 2009. Security threats are changing and becoming more targeted, making organizations more vulnerable to new attacks. Because of this, planning for 2010 is more important than ever. Next week, Anthony James of Fortinet will participate in a Webinar hosted by Fidelity National Information Services and will discuss the top information security issues of 2009, emerging threats and trends to look for in 2010 and a solution... [Read More]
by Rick Popko  |  Jan 13, 2010  |  Filed in: Security Research
Microsoft released bulletin MS09-067 on Nov 10, 2009. As in 2008, this last Microsoft Office Excel bulletin of 2009 brings the year's total to 17 vulnerabilities for this popular product. As the biggest contributor, Fortinet is credited with seven of these 2009 vulnerabilities. Our topic today is the vulnerability referred to as CVE-2009-3127, one of the eight vulnerabilities fixed in bulletin MS09-067. I found this vulnerability by fuzzing (automatically generating crafted files) in April, and when I analyzed it I found it is different... [Read More]
by Bin Liu  |  Jan 06, 2010  |  Filed in: Security Research
Overall malware volume returned to pre-October levels this period, after two months of record activity driven by ZBot, Bredolab and Pushdo/Cutwail. Nonetheless, the Bredolab loader returned to the top spot with a vengeance this period, accounting for a whopping 66.5% of total detected malware activity. As we have seen time and time again, these attack campaigns typically do not last longer than a couple of days, but can return quickly in mass volume. The seeding engines (largely the Cutwail spamming trojan) behind Bredolab certainly have a lot... [Read More]
by Derek Manky  |  Dec 28, 2009  |  Filed in: Security Research
While looking at some Pushdo botnet messages recently, I noticed a repeating pattern in the data. Here is an example, taken from an area where the pattern is most obvious:

    0340 13 63 cc 69 13 63 cc 69 13 63 cc 69 53 63 cc 2b .c.i.c.i.c.iSc.+
    0350 13 63 cc 69 13 63 cc 69 13 63 cc 69 13 63 cc 69 .c.i.c.i.c.i.c.i
    0360 13 63 cc 69 13 63 cc 69 13 63 cc 69 13 63 cc 69 .c.i.c.i.c.i.c.i

This looked to me like a flaw in the encryption that could potentially be used for detection purposes. It might even be possible to break the encryption automatically. It... [Read More]
by Doug Macdonald  |  Dec 15, 2009  |  Filed in: Security Research
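A 4-byte block repeating across ciphertext is what a repeating-key XOR (or any cipher that maps equal input blocks to equal output blocks) produces over a run of identical plaintext bytes. The following added example, which is not from the post and not Fortinet's code, does the two things the excerpt hints at: it measures the period of a message and extracts the dominant block as a detection signature, and, under the stated assumption that the repeated plaintext is zero padding (the post does not say what the plaintext is), recovers a candidate XOR key and checks it by decrypting the one odd block. The sample bytes are constructed from the three dump lines quoted above.

```python
"""Added example: period detection on a captured message and key recovery
under an assumed repeating-key XOR. Constructed sample; not the post's code."""
from __future__ import annotations
from collections import Counter

# Constructed from the three dump lines quoted above (offsets 0x340-0x36f).
# Offset 0x340 is a multiple of 4, so these blocks are phase-aligned with a
# 4-byte key; for an arbitrary slice you would try each of the p phase offsets.
SAMPLE = bytes.fromhex(
    "1363cc69 1363cc69 1363cc69 5363cc2b"
    "1363cc69 1363cc69 1363cc69 1363cc69"
    "1363cc69 1363cc69 1363cc69 1363cc69"
)


def best_period(data: bytes, max_period: int = 16) -> tuple[int, float]:
    """Find the block size whose period-aligned blocks are most uniform.
    Score = share of blocks equal to the most common block. A strict '>' keeps
    the smallest period on ties, so a 4-byte key is not reported as 8 or 16."""
    best = (0, 0.0)
    for p in range(1, max_period + 1):
        blocks = [data[i:i + p] for i in range(0, len(data) - p + 1, p)]
        if len(blocks) < 2:
            break
        _, n = Counter(blocks).most_common(1)[0]
        score = n / len(blocks)
        if score > best[1]:
            best = (p, score)
    return best


def dominant_block(data: bytes, period: int) -> tuple[bytes, int]:
    """Most frequent period-aligned block and how many times it occurs."""
    blocks = [data[i:i + period] for i in range(0, len(data) - period + 1, period)]
    return Counter(blocks).most_common(1)[0]


def flag_message(data: bytes, min_repeats: int = 8) -> bool:
    """Detection heuristic: a short block repeated many times in what should be
    encrypted traffic is itself a usable signature (here 11 x '13 63 cc 69')."""
    period, _ = best_period(data)
    _, n = dominant_block(data, period)
    return n >= min_repeats


def xor_decrypt(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR; encryption and decryption are the same operation."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def recover_key(data: bytes, assumed_plain_byte: int = 0x00) -> bytes:
    """ASSUMPTION (not from the post): the repeated block is a run of one
    plaintext byte, e.g. zero padding, XORed with a repeating key. Then
    key = block XOR that byte. Sanity check: decrypting the odd block
    '53 63 cc 2b' should leave only two non-padding bytes."""
    period, _ = best_period(data)
    block, _ = dominant_block(data, period)
    return bytes(b ^ assumed_plain_byte for b in block)


def main() -> None:
    key = recover_key(SAMPLE)
    print("period/score  :", best_period(SAMPLE))
    print("flagged       :", flag_message(SAMPLE))
    print("candidate key :", key.hex())
    print("decrypted     :", xor_decrypt(SAMPLE, key).hex(" ", 4))


if __name__ == "__main__":
    main()
```

The signature part stands on its own: whatever the cipher, a block that repeats this often is worth alerting on. The key-recovery part only holds if the plaintext assumption does; if decrypting with the candidate key exposes structure (ASCII, length fields, a header), the assumption is confirmed, and if it exposes nothing, the repeats may just be identical plaintext blocks under an ECB-style cipher, where the signature still works but no key falls out.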