New variant of the QQ password-stealing trojan Trojan.PWS.QQPass

QQ is an instant-messaging tool with a very large user base, so many viruses have appeared that target it. Symantec Security Response recently detected yet another new variant of the QQ password-stealing trojan Trojan.PWS.QQPass.

When run, it first checks whether the QQ chat client is installed. If it is, the trojan drops a dynamic-link library named qqc.dll into the QQ installation directory, picks a .dll file that QQ.exe loads and infects it so that the infected .dll imports qqc.dll. As a result, qqc.dll is loaded whenever the user starts QQ. qqc.dll creates a thread that continuously searches for the QQ login window; as soon as it finds one, it hides the real login window and displays a very convincing fake login window titled "QQ用户登录" (QQ User Login). Figure 1 and Figure 2 show the fake login window and the real QQ login window respectively:

Figure 1: the fake login window

Figure 2: the real QQ login window

Clearly, a user who does not look carefully will find it hard to tell the two apart. Unlike the real QQ login window, however, the fake window does not respond at all when the user clicks its "查杀木马" (Scan for Trojans) or "设置" (Settings) buttons. Figure 3 and Figure 4 show the component information of the fake and the real window respectively:

Figure 3: component information of the fake login window

Figure 4: component information of the real QQ login window

Once the user types a QQ number and password into the fake login window and clicks its login button, that information is sent to a designated address. The trojan is very cunning: to avoid having its malicious behaviour discovered, it simultaneously forwards the login information the user entered to the real login window so that QQ logs in normally, leaving the victim to believe that everything is fine.

This virus usually reaches the victim's computer through drive-by downloads from compromised web pages (网页挂马). We therefore advise users to avoid visiting suspicious websites, so as not to become infected.
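The write-up gives two host-side indicators an administrator can check for: a file named qqc.dll dropped into the QQ installation directory, and a legitimate QQ module patched so that its import table names qqc.dll. The triage script below is an added example, not Symantec's code or a detection from the original post. It assumes a QQ install directory path (the `Tencent\QQ` layout is an assumption) and uses a byte-string heuristic for the import check, since an import-name table stores the referenced DLL name as plain ASCII; a production tool would parse the PE import directory properly. The sample directory it scans is constructed in a temporary folder and contains no real binaries.

```python
"""Triage helper for the Trojan.PWS.QQPass indicators described above.

Added example, not Symantec's code. Checks only the two indicators the
write-up gives: a dropped qqc.dll in the QQ install directory, and a
legitimate QQ DLL patched so that its import names reference qqc.dll.
The import check is a byte-string heuristic, not a full PE import parse.
"""
import re
import tempfile
from pathlib import Path

DROPPED_DLL = "qqc.dll"   # file name reported in the write-up
MZ_MAGIC = b"MZ"          # DOS header magic at offset 0 of every PE image


def is_pe_file(data: bytes) -> bool:
    """Cheap check that a file starts like a PE image (DOS 'MZ' magic)."""
    return data[:2] == MZ_MAGIC


def references_dll(data: bytes, dll_name: str = DROPPED_DLL) -> bool:
    """True if the DLL name occurs as an ASCII string in the file.

    A module that imports qqc.dll must carry that name in its import-name
    table, so a QQ module naming it is the indicator the write-up describes.
    Case-insensitive because the Windows loader ignores case.
    """
    pattern = re.compile(re.escape(dll_name).encode("ascii"), re.IGNORECASE)
    return pattern.search(data) is not None


def scan_install_dir(install_dir, dll_name: str = DROPPED_DLL) -> dict:
    """Scan a QQ installation directory for the two indicators.

    Returns a dict with:
      dropped_dll_present  - whether <install_dir>/<dll_name> exists
      referencing_modules  - PE files (other than the dropped one) naming it
    """
    install_dir = Path(install_dir)
    findings = {"dropped_dll_present": False, "referencing_modules": []}
    for path in sorted(install_dir.iterdir()):
        if not path.is_file():
            continue
        if path.name.lower() == dll_name.lower():
            findings["dropped_dll_present"] = True
            continue
        data = path.read_bytes()
        # Only PE images can import a DLL; skip text and data files.
        if is_pe_file(data) and references_dll(data, dll_name):
            findings["referencing_modules"].append(path.name)
    return findings


def build_constructed_sample(root: Path) -> Path:
    """Create a CONSTRUCTED fake install directory for offline testing.

    The files are not real PE images: each is an 'MZ' prefix followed by
    strings shaped like an import-name table, which is enough to exercise
    the heuristic without shipping binaries. The Tencent\\QQ path is assumed.
    """
    qq_dir = root / "Tencent" / "QQ"
    qq_dir.mkdir(parents=True)
    # Clean module: imports only system DLLs.
    (qq_dir / "clean.dll").write_bytes(
        b"MZ" + b"\x00" * 60 + b"KERNEL32.dll\x00USER32.dll\x00")
    # Patched module: its import names also list the dropped DLL.
    (qq_dir / "patched.dll").write_bytes(
        b"MZ" + b"\x00" * 60 + b"KERNEL32.dll\x00QQC.DLL\x00")
    # The dropped payload itself.
    (qq_dir / "qqc.dll").write_bytes(
        b"MZ" + b"\x00" * 60 + b"USER32.dll\x00")
    # A data file that mentions the name but is not a PE image: must be ignored.
    (qq_dir / "readme.txt").write_bytes(b"notes mentioning qqc.dll, not code")
    return qq_dir


def demo() -> dict:
    """Run the scan against the constructed sample and return the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        qq_dir = build_constructed_sample(Path(tmp))
        return scan_install_dir(qq_dir)


if __name__ == "__main__":
    print(demo())
```

Pointing `scan_install_dir` at a real QQ directory turns it into a quick first-pass check; a hit on either indicator is a reason to pull the files for proper analysis, and the fake window's unresponsive "查杀木马" and "设置" buttons noted above remain the user-visible tell.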

Microsoft Security Advisory (981169): Vulnerability in VBScript Could Allow Remote Code Execution

Revision Note: V2.0 (April 13, 2010): Advisory updated to reflect publication of security bulletin.
Summary: Microsoft has completed the investigation into a public report of this vulnerability. We have issued MS10-022 to addre…

Microsoft Security Advisory (977544): Vulnerability in SMB Could Allow Denial of Service – Version: 2.0

Revision Note: V2.0 (April 13, 2010): Advisory updated to reflect publication of security bulletin.
Summary: Microsoft has completed the investigation into a public report of this vulnerability. We have issued MS10-020 to addre…

Microsoft Security Advisory (981374): Vulnerability in Internet Explorer Could Allow Remote Code Execution – Version: 2.0

Revision Note: V2.0 (March 30, 2010): Advisory updated to reflect publication of security bulletin.
Summary: Microsoft has completed the investigation into a public report of this vulnerability. We have issued MS10-018 to addre…

Introducing our Technical Advisory Webcasts


I’ve mentioned before that I’m a really keen advocate of bringing our customer base closer to our product development process.
2 years ago, I started running Customer Advisory Boards for our customers in EMEA.  These annual or bi-annual events were a chance for customers to come together and help us prioritise future development work by discussing their experience and insight into messaging security.
In general, these were really successful and the fruits of those sessions are just coming to light now with last year's Brightmail Gateway 8.0 release and the very-soon-to-be-released Brightmail Gateway 9.0.

But, what about our customers that don’t have the budget to travel to another city and participate?
This is more and more common in this economic climate.  Travel budget is often the first belt to be tightened.

Well, this month I’m delighted to kick off the first Messaging & Web Security Technical Advisory Webcast.

Sounds interesting, what are they?

The Technical Advisory Webcasts are regular events, initially covering Symantec Brightmail Gateway and Symantec Web Gateway.
Presented via Webcast and tele-conference, you can expect to hear the following kind of information:

  • General product updates
  • Insight into future roadmap planning
  • Technical Deep Dives
  • Best Practices
  • Ask Us Anything Q & A

I’m keen to make sure we provide information that is interesting and useful to you, our customers.  So, if you have any specific topics you would like to see covered and discussed, please do let me know.

As I mentioned above, we are very close to shipping Symantec Brightmail Gateway 9.0 and this first webcast will introduce this major release.

How do I sign up?

Head over to the Security “Groups” page (https://www-secure.symantec.com/connect/security/g…) and sign up to the “Symantec Customer Advisory Program – Enterprise Security” group.
Be sure to fill in your profile as completely as possible and add a comment that you want to register for the Technical Advisory Webcasts.
If you have any problems, feel free to contact me either here on Connect or at ian_mcshane@symantec.com

Cheers!

//ian

Microsoft Security Advisory (979682): Vulnerability in Windows Kernel Could Allow Elevation of Privilege – Version: 2.0

Revision Note: V2.0 (February 9, 2010): Advisory updated to reflect publication of security bulletin.
Summary: Microsoft has completed the investigation into a public report of this vulnerability. We have issued MS10-015 to add…

Microsoft Security Advisory (979352): Vulnerability in Internet Explorer Could Allow Remote Code Execution – Version: 2.0

Revision Note: V2.0 (January 21, 2010): Advisory updated to reflect publication of security bulletin.
Summary: Microsoft has completed the investigation into the public reports of this vulnerability. We have issued MS10-002 to addres…

Microsoft Security Advisory (979267): Vulnerabilities in Adobe Flash Player 6 Provided in Windows XP Could Allow Remote Code Execution

Revision Note: V1.0 (January 12, 2010): Advisory published.
Summary: Security Advisory

Microsoft Security Advisory (977981): Vulnerability in Internet Explorer Could Allow Remote Code Execution – Version: 2.0

Revision Note: V2.0 (December 8, 2009): Advisory updated to reflect publication of security bulletin.
Summary: Microsoft has completed investigating public reports of this vulnerability. We have issued Microsoft Security Bullet…

Microsoft Security Advisory (974926): Credential Relaying Attacks on Integrated Windows Authentication – Version: 1.0

Revision Note: V1.0 (December 8, 2009): Advisory published.
Summary: This advisory addresses the potential for attacks that affect the handling of credentials using Integrated Windows Authentication (IWA), and the mechanisms Mi…