Tag Archives: security

??QQ????Trojan.PWS.QQPass“?????”

      No Comments on ??QQ????Trojan.PWS.QQPass“?????”

        QQ是一个拥有广大客户群的即时聊天工具,因此也出现了许多针对QQ的病毒攻击。赛门铁克安全响应中心近期检测到QQ盗号木马Trojan.PWS.QQPass的又一新变种。
 
        运行时,它会首先检查用户是否安装了QQ聊天工具。如果检测到有,它就会在QQ安装目录下释放一个名为qqc.dll的动态链接库文件并且选择一个会被QQ.exe加载的.dll文件进行感染,然后将感染后的该.dll文件导入qqc.dll。这样,当用户运行QQ时,qqc.dll将会被加载。qqc.dll会创建一个线程不断搜索QQ用户登录窗口,一旦找到,它会立即将真实的登录窗口隐藏起来,并抛出一个非常逼真的名为“QQ用户登录”的假冒登录窗口。图一、图二分别是假冒登录窗口与真实的QQ登录窗口:

                                   图一:假冒登录窗口

                            图二:真实的QQ登录窗口

        可见,用户如果不仔细辨别则很难区分真伪。但是,与真实的QQ登录窗口不同的是,如果用户点击假冒窗口中的“查杀木马”或“设置”按钮,该窗口不会作出任何响应。图三、图四分别是这两个真假窗口的组件信息:

                      图三:假冒登录窗口的组件信息

                     图四:真实的QQ登录窗口的组件信息

        一旦用户在假冒的登录窗口中输入QQ号码及密码并点击其上的登录按钮,这些信息就会被发送到指定的地址。该木马非常狡猾,为了避免自己的恶意行为被发现,它会把用户输入的登录信息同时转送至真实的登录窗口以便QQ正常登录,使受害用户误以为一切正常。
 
        该病毒通常通过网页挂马的方式来到受害用户计算机。因此,我们建议用户尽量不要访问可以网站,以免感染该病毒。

Introducing our Technical Advisory Webcasts

      No Comments on Introducing our Technical Advisory Webcasts

I’ve mentioned before that I’m a really keen advocate of bringing our customer base closer to our product development process.
2 years ago, I started running Customer Advisory Boards for our customers in EMEA.  These annual or bi-annual events were a chance for customers to come together and help us prioritise future development work by discussing their experience and insight into messaging security.
In general, these were really successful and the fruits of those sessions are just coming to light now with last years Brightmail Gateway 8.0 release and the very-soon-to-be-release Brightmail Gateway 9.0.

But, what about our customers that don’t have the budget to travel to another city and participate?
This is more and more common in this economic climate.  Travel budget is often the first belt to be tightened.

Well, this month I’m delighted to kick off the first Messaging & Web Security Technical Advisory Webcast.

Sounds interesting, what are they?

The Technical Advisory Webcasts are regular events, initially covering Symantec Brightmail Gateway and Symantec Web Gateway.
Presented via Webcast and tele-conference, you can expect to hear the following kind of information:

  • General product updates
  • Insight into future roadmap planning
  • Technical Deep Dives
  • Best Practices
  • Ask Us Anything Q & A

I’m keen to make sure we provide information that is interesting and useful to you, our customers.  So, if you have any specific topics you would like to see covered and discussed, please do let me know.

As I mentioned above, we are very close to shipping Symantec Brightmail Gateway 9.0 and this first webcast will introduce this major release.

How do I sign up?

Head over to the Security “Groups” page (https://www-secure.symantec.com/connect/security/g…) and sign up to the “Symantec Customer Advisory Program – Enterprise Security” group.
Be sure to complete your profile as complete as possible and add a comment that you want to register for the Technical Advisory Webcasts.
If you have any problems, feel free to contact me either here on Connect or at ian_mcshane@symantec.com

Cheers!

//ian

Now, here’s an idea….

      No Comments on Now, here’s an idea….

Over the last couple of years, as a Product team working on Brightmail, we have really increased our efforts to gather as much information from customers as possible.
Talking to customers about what they need do today and how they do it, how they envisage doing it in the future, as well as how they deal with different security threats whether it’s around inbound email malware or Data Loss Prevention.

Last week I met with the top IT guys for one of our Enterprise Security customers, to talk about future projects they are running and how Symantec Enterprise Security products fit into their internal roadmap. I first visited them last summer on a whirlwind tour of customers in Europe.
Besides being a great week long roadtrip and building relationships with the guys in the field that I don’t often get to meet face to face, we had some really interesting discussions with customers about their requirements and futures.
Now, one of the thing I like to do when meeting customers, is to talk a little bit about what improvements our Engineering team have put into the product over the last release. It’s a pretty good way to break the ice, if it’s the first time i’ve met them.
It’s even better when I get to go back to a customer and outline improvements based on the feedback we took away from our last meeting with them. Of course, it doesn’t always go that way and some times it’s a little painful explaining why we haven’t put someone’s “must have” feature into the product yet. 🙂

Symantec have always been interested in customer feedback and i’m really pleased to see us adding more transparency to our product planning.
The Ideas section on Symantec Connect (https://www-secure.symantec.com/connect/ideas) was launched last month. It’s based on the idea of community voting and gives our customers a way to voice their opinions on and request new functionality requests.  You can find the Brightmail Gateway Ideas section under the Security heading.

One of the most difficult things to do around enhancements is to really understand just how popular a new feature would be across our entire customer base.
Sure, we can talk to as many customers as possible and ask for their opinions but using the Ideas portal to reach a wider audience is going to be invaluable.
It’s still in the infancy right now but as we start moving forwards through project release cycles, you’ll see others on my team and engineering folk joining in the conversations to make sure we are looking at the right solutions.

(Note: I try to steer clear from annoying corporate terms as much as possible so it pains me to type the next sentence.)

My “Call To Action” (grrr) for Brightmail Gateway customers is to get involved in the Ideas portal.
Have a look through the suggestions that have been put forward already.
Vote for the ones that interest you and add your own Ideas in.
You disagree with something that someone suggests? Add a comment to their suggestion explaining why you disagree.

I’m always happy to talk to customers so if you have a question about anything mail or web security related, leave a comment below or feel free to email me at ian_mcshane@symantec.com.

//Ian

Important information for users of Brightmail Gateway Virtual Edition

      No Comments on Important information for users of Brightmail Gateway Virtual Edition

Here’s some information you should be aware of before upgrading to the forthcoming Symantec Brightmail Gateway 8.0.2 release.

//Ian

<go>
Notification type: New version will be available – Important information to read prior to updating on VMware environments
Product: Symantec Brightmail Gateway
Version: 8.0.1
Patch: 8.0.2
Other Hardware/Software/Environment: VMware ESX Server 3.0.2 or prior with virtual LSI SCSI controller

Overview:
Action required for customers using Virtual Edition of Symantec Brightmail Gateway and VMware ESX Server 3.0.2 or prior with virtual LSI SCSI controller. Prior to updating to 8.0.2., Symantec is strongly recommending that customers assure themselves that they are current with VMware 3.5 or later prior to upgrading to Brightmail Gateway 8.0.2 to prevent loss of functionality.  An alternative workaround is provided if VMware 3.5 is not available.

Recommendation:
Symantec encourages all customers to update Brightmail Gateway to 8.0.2. The update is available via the Control Center or through the Command Line Interface (SSH).
For more information about all changes in this update, please copy and paste the URL below in a browser:
http://service1.symantec.com/SUPPORT/ent-gate.nsf/…

If you have deployed Brightmail Gateway as a virtual appliance and are using a VMware ESX Server environment with a release prior to 3.5update4, you must upgrade the virtual environment to 3.5update 4 or later prior to performing the software update. Failure to do so will result in complete loss of functionality for your Brightmail installation.

This notice is applicable to the following customer configuration;

– VMware Server Version 3.0.2 or prior
AND
– Using the virtual LSI SCSI controller

If you have the above combination and do not take one of the actions specified below, Symantec Brightmail Gateway will not function after updating to version 8.0.2. A kernel panic will occur after rebooting the virtual appliance after the update. The following options are available to prevent this issue:

* The Primary recommended method is to upgrade to VMware ESX Server Version 3.5.

Upgrading typically requires down time and a reboot for the virtual machine in which Symantec Brightmail Gateway runs. These steps may also be necessary for other virtual machines on the same physical computer. Before upgrading, perform the following tasks on Symantec Brightmail Gateway Virtual Edition:

1. Back up your existing data.
2. Check for a running LDAP synchronization cycle.
3. Check for a running Scanner replication cycle.
4. Halt incoming messages to drain all message queues.

These steps are similar to preparing for a software update. See “Running software update” in this document for more information about these steps.
For more information about upgrading, copy and paste the URL below into a Web browser:
https://www.vmware.com/pdf/vi3_35/esx_3/r35/vi3_35_25_upgrade_guide.pdf  

* If you are unable to upgrade to the latest version of VMware ESX Server, you can alternately change your virtual machine to use the BusLogic SCSI controller. For more information about changing the SCSI controller configuration, copy and paste the URL below into a Web browser:
http://www.vmware.com/support/vc14/doc/c14chgscsicontrol11.html

* For the most current information about this issue, copy and paste the URL below into a Web browser:
http://service1.symantec.com/SUPPORT/ent-gate.nsf/docid/2009051416195754

Symantec Brightmail Gateway 8.0.1-7 released

      No Comments on Symantec Brightmail Gateway 8.0.1-7 released

I’m delighted to announce the release of our first update to the Brightmail Gateway 8.0 release.
Version 8.0.1-7 should be available for direct upgrade via your Brightmail Gateway UI or CLI right away and customers can upgrade from any previous production build directly to this release. 
Note:  If you participated in any of our previous beta programs, you CANNOT upgrade from a beta release of Brightmail Gateway.

What does this release include?

  1. Language Packs:
    This release includes translated help and documentation in: Simplified Chinese, Traditional Chinese, Japanese and Korean.  The Getting Started guide is also translated into Arabic, Brazilian Portuguese, Czech, European Portuguese, French, German, Greek, Hebrew, Italian, Polish, Romanian, Russian, Slovak, Slovenian and Spanish.
  2. New SMTP setting “Do not advertise 8BITMIME”:
    We’ve seen a few problems in the wild where, whilst Brightmail Gateway is able to handle messages containing 8-bit MIME data, if it tries to delier these messages  to an MTA that cannot handle 8-bit MIME, the contents became somewhat garbled.  This mostly affected hiascii character sets.  Enabling this new setting forces Brightmail Gateway to accept only 7-bit MIME, which inturn makes the sending MTA pass only 7-bit MIME data to us.
  3. Accepted inbound mail connections limit removed:
    With the 8.0.0 release, Brightmail Gateway did not use any entries after the first 100 in the “Accept inbound mail connections only from the following IP addresses and domains” list.  This has now been corrected.
  4. HTTP Access to control centre:
    Prior to upgrading to 8.0.0, some customers used plain HTTP to access the control centre.  After upgrading, this HTTP access was disabled automatically.  Additionally, the http CLI command did not function.  With the 8.0.1 release the functionality has been restored.  If you wish to access the control centre over HTTP, run the http on command from the CLI and restart the Control Centre.
  5. Messages remaining in delivery queue with SMTP error codes 421, 450, or 451:
    Under some circumstances, it was possible for the Brightmail Gateway connection timeout limit to be reached before all of a recipient domains MX records had been attempted.  For 8.0.1, this has been resolved.
  6. Large increase in messages reported by the control centre statistics:
    Under very unlikely circumnstances, it was possible for a short lived mail loop to exist between two of the Brightmail Gateway interfaces.  This would have manifested itself by way of showing an inflated number of messages sent and recieved under the control centre statistics.  Further redundancy has been added to Brightmail Gateway to avoid this problem.
  7. Virus definitions configured for download on weekends:
    If you perform a new installation of Brightmail Gateway, automatics virus definition updates are enabled every 10 minutes.  Previously, LiveUpdate was not set to run on Saturday and Sundays.  After upgrading to 8.0.1, you are stronly advised to verify your LiveUpdate settings as an upgrade will NOT change any schedules to remedy this.
  8. Ethernet interfaces on the same subnet:
    Previously, if you had two NICs on the same subnet, the MAC address for one NIC may have been cached by DNS and used for both addresses.  This may have resuled in mail delivery issues if one of the NICs was not working.  This issue has been addressed for NEW installations of Brightmail Gateway.  If you have this set up (2 NICs on one subnet) in an existing version of Brightmail Gateway, upgrading alone will not address this issue and you are advised to contact Technical Support for assistance.

Any questions?  Let me know!

//ian

NEW: Symantec Brightmail IQ Services

      No Comments on NEW: Symantec Brightmail IQ Services

If you point your web browser to http://www.brightmail.com/IQServices you’ll see our new online portal providing email security data to Brightmail administrators, email administrators and the general public.
The Global Intelligence Network is a co…