Trojan.Heloag?“????”???????

      No Comments on Trojan.Heloag?“????”???????

        Trojan.Heloag是一个木马程序,它会在被感染的计算机中开启后门,并下载及执行其它恶意程序。运行时,Trojan.Heloag会添加注册表以实现开机自动运行,并在Windows目录下释放一个恶意文件。值得注意的是,Trojan.Heloag非常善于隐藏自身:它将被释放的恶意文件的属性设置为系统保护文件,并且在受害计算机的注册表中设置隐藏所有系统保护文件。下图是感染该木马后隐藏系统保护文件的设置状态:

        同时,该木马不允许用户修改计算机的该状态设置。
 
        因此,用户如果直接使用浏览器打开Windows目录则无法查看到包括该恶意文件在内的属性为系统保护文件的所有文件,只有使用专门的工具(如IceSword)才能查看到这些被隐藏的系统保护文件。下图是分别使用普通浏览器和IceSword工具查看到的Windows文件目录:

        Trojan.Heloag释放的恶意文件被命名为ThunderUpdate.exe。用户即使查看到该文件,也可能很容易被该名字所欺骗,误以为这是P2P软件“Thunder(迅雷)”的自动更新程序从而放松警惕。
 
        Trojan.Heloag还会尝试访问一些站点以试图下载更多的恶意程序到用户计算机中。Trojan.Heloag还将试图连接到另一恶意站点的8090端口。如果连接成功,该木马会在受感染计算机中开启后门,从而接受攻击者的远程命令。
 
        建议用户保持更新安全软件病毒库以抵御该病毒威胁。不要轻易访问可疑网站。一旦发现无法查看系统保护文件并且无法更改关于隐藏系统保护文件的设置状态,请立即使用诺顿安全软件对您的电脑进行全盘扫描。

??“??”????QQ???????

      No Comments on ??“??”????QQ???????

        近日,一则虚假的免费加话费的信息— “上72ub.com,有惊喜”— 通过手机QQ用户在其好友群里疯狂散布。用户点击该网址后,并不会直接登陆到72ub.com,而会被重定向至病毒制造者在新浪或163创建的博客。这些博客内容一致,均以图片形式推销假冒移动进行的查姓名送200元话费活动:

       
        如果用户出于好奇拨打该号码,企图获得免费的话费,那么“恭喜”你,您得到的不是免费话费,而将被扣费。通过我们的查询,该号码其实是一个声讯台号码,每分钟用户需付费2.2元人民币。这笔不法所得,则是病毒制造者的终极目的。
 
        赛门铁克已发布相关病毒定义,并将继续跟踪该木马的发展。

??QQ????Trojan.PWS.QQPass“?????”

      No Comments on ??QQ????Trojan.PWS.QQPass“?????”

        QQ是一个拥有广大客户群的即时聊天工具,因此也出现了许多针对QQ的病毒攻击。赛门铁克安全响应中心近期检测到QQ盗号木马Trojan.PWS.QQPass的又一新变种。
 
        运行时,它会首先检查用户是否安装了QQ聊天工具。如果检测到有,它就会在QQ安装目录下释放一个名为qqc.dll的动态链接库文件并且选择一个会被QQ.exe加载的.dll文件进行感染,然后将感染后的该.dll文件导入qqc.dll。这样,当用户运行QQ时,qqc.dll将会被加载。qqc.dll会创建一个线程不断搜索QQ用户登录窗口,一旦找到,它会立即将真实的登录窗口隐藏起来,并抛出一个非常逼真的名为“QQ用户登录”的假冒登录窗口。图一、图二分别是假冒登录窗口与真实的QQ登录窗口:

                                   图一:假冒登录窗口

                            图二:真实的QQ登录窗口

        可见,用户如果不仔细辨别则很难区分真伪。但是,与真实的QQ登录窗口不同的是,如果用户点击假冒窗口中的“查杀木马”或“设置”按钮,该窗口不会作出任何响应。图三、图四分别是这两个真假窗口的组件信息:

                      图三:假冒登录窗口的组件信息

                     图四:真实的QQ登录窗口的组件信息

        一旦用户在假冒的登录窗口中输入QQ号码及密码并点击其上的登录按钮,这些信息就会被发送到指定的地址。该木马非常狡猾,为了避免自己的恶意行为被发现,它会把用户输入的登录信息同时转送至真实的登录窗口以便QQ正常登录,使受害用户误以为一切正常。
 
        该病毒通常通过网页挂马的方式来到受害用户计算机。因此,我们建议用户尽量不要访问可以网站,以免感染该病毒。

Microsoft Security Advisory (981169): Vulnerability in VBScript Could Allow Remote Code Execution

Revision Note: V2.0 (April 13, 2010): Advisory updated to reflect publication of security bulletin.
Summary: Microsoft has completed the investigation into a public report of this vulnerability. We have issued MS10-022 to addre…

Microsoft Security Advisory (977544): Vulnerability in SMB Could Allow Denial of Service – Version: 2.0

Revision Note: V2.0 (April 13, 2010): Advisory updated to reflect publication of security bulletin.
Summary: Microsoft has completed the investigation into a public report of this vulnerability. We have issued MS10-020 to addre…

Microsoft Security Advisory (981374): Vulnerability in Internet Explorer Could Allow Remote Code Execution – Version: 2.0

Revision Note: V2.0 (March 30, 2010): Advisory updated to reflect publication of security bulletin.
Summary: Microsoft has completed the investigation into a public report of this vulnerability. We have issued MS10-018 to addre…

Introducing our Technical Advisory Webcasts

      No Comments on Introducing our Technical Advisory Webcasts

I’ve mentioned before that I’m a really keen advocate of bringing our customer base closer to our product development process.
2 years ago, I started running Customer Advisory Boards for our customers in EMEA.  These annual or bi-annual events were a chance for customers to come together and help us prioritise future development work by discussing their experience and insight into messaging security.
In general, these were really successful and the fruits of those sessions are just coming to light now with last years Brightmail Gateway 8.0 release and the very-soon-to-be-release Brightmail Gateway 9.0.

But, what about our customers that don’t have the budget to travel to another city and participate?
This is more and more common in this economic climate.  Travel budget is often the first belt to be tightened.

Well, this month I’m delighted to kick off the first Messaging & Web Security Technical Advisory Webcast.

Sounds interesting, what are they?

The Technical Advisory Webcasts are regular events, initially covering Symantec Brightmail Gateway and Symantec Web Gateway.
Presented via Webcast and tele-conference, you can expect to hear the following kind of information:

  • General product updates
  • Insight into future roadmap planning
  • Technical Deep Dives
  • Best Practices
  • Ask Us Anything Q & A

I’m keen to make sure we provide information that is interesting and useful to you, our customers.  So, if you have any specific topics you would like to see covered and discussed, please do let me know.

As I mentioned above, we are very close to shipping Symantec Brightmail Gateway 9.0 and this first webcast will introduce this major release.

How do I sign up?

Head over to the Security “Groups” page (https://www-secure.symantec.com/connect/security/g…) and sign up to the “Symantec Customer Advisory Program – Enterprise Security” group.
Be sure to complete your profile as complete as possible and add a comment that you want to register for the Technical Advisory Webcasts.
If you have any problems, feel free to contact me either here on Connect or at ian_mcshane@symantec.com

Cheers!

//ian

Microsoft Security Advisory (979682): Vulnerability in Windows Kernel Could Allow Elevation of Privilege – Version: 2.0

Revision Note: V2.0 (February 9, 2010): Advisory updated to reflect publication of security bulletin.
Summary: Microsoft has completed the investigation into a public report of this vulnerability. We have issued MS10-015 to add…

Microsoft Security Advisory (979352): Vulnerability in Internet Explorer Could Allow Remote Code Execution – Version: 2.0

Revision Note: V2.0 (January 21, 2010): Advisory updated to reflect publication of security bulletin
Summary: Microsoft has completed the investigation the public reports of this vulnerability. We have issued MS10-002 to addres…

Microsoft Security Advisory (979267): Vulnerabilities in Adobe Flash Player 6 Provided in Windows XP Could Allow Remote Code Execution

Revision Note: V1.0 (January 12, 2010): Advisory published.
Summary: Security Advisory