Messaging & Web Security at Symantec Vision 2010 in Barcelona

I can’t quite believe it’s September already, this year is flying by at a crazy pace.
This means that the Symantec Vision conference in EMEA has come around quickly too.

This year, we are at the CCIB in Barcelona, Spain, during the first week of October – Tuesday 5th through Thursday 7th.

Amongst the many, many sessions over the 3 day conference, there are a number of Mail & Web security sessions that you shouldn’t miss (not least because I’m co-presenting them smiley ), so in no particular order.

  1. Best Practices for Email Security.
  2. Anatomy of a Web Attack.
  3. Hands On Lab – Best Practices for installing and Configuring Symantec Brightmail Gateway.
  4. Hands On Lab – Best Practices for installing and Configuring Symantec Web Gateway.
  5. Deploying Symantec Protection Suite: Architecture and Best Practices.

Other interesting sessions in the messaging and web security realm:

  • The State of Spam
  • Cost of Email Security – Calculating your risks
  • Protecting against Botnets
  • Best Practices for installing and configuring Symantec Mail Security for Exchange
  • Running Security Operations with Symantec Protection Center

If you are joining us at EMEA Vision this year, what are you looking forward to most?

Be sure to let me know if you are coming along, there are going to be plenty of opportunities to talk to our product specialists, engineers, decision makers and of course to network with your peers.

//ian

Microsoft Security Advisory (2264072): Elevation of Privilege Using Windows Service Isolation Bypass – Version: 1.0

Revision Note: V1.0 (August 10, 2010): Advisory published.
Summary: Microsoft is aware of the potential for attacks that leverage the Windows Service Isolation feature to gain elevation of privilege. This advisory discusses pot…

Microsoft Security Advisory (977377): Vulnerability in TLS/SSL Could Allow Spoofing – Version: 2.0

Revision Note: V2.0 (August 10, 2010): Advisory updated to reflect publication of security bulletin.
Summary: Microsoft has completed the investigation into a public report of this vulnerability. We have issued MS10-049 to addr…

Microsoft Security Advisory (2286198): Vulnerability in Windows Shell Could Allow Remote Code Execution – Version: 2.0

Revision Note: V2.0 (August 2, 2010): Advisory updated to reflect publication of security bulletin.
Summary: Microsoft has completed the investigation into a public report of this vulnerability.

By: Willy

      No Comments on By: Willy

Your main problem overseas is that you only rely on this SSN and that nobody can verify that it matches you, because you always refused to have ID cards. Here in good old Europe, ID cards establish the relation between the photo, name and some numbers. We don\’t rely on a random number that anybody could forge and that nobody could check. This is a major step you will have to pass at one point.

Microsoft Security Advisory (2219475): Vulnerability in Windows Help and Support Center Could Allow Remote Code Execution – Version: 2.0

Revision Note: V2.0 (July 13, 2010): Advisory updated to reflect publication of security bulletin.
Summary: Microsoft has completed the investigation into a public report of this vulnerability. We have issued MS10-042 to addres…

Microsoft Security Advisory (2028859): Vulnerability in Canonical Display Driver Could Allow Remote Code Execution – Version: 2.0

Revision Note: V2.0 (July 13, 2010): Advisory updated to reflect publication of security bulletin.
Summary: Microsoft has completed the investigation into a public report of this vulnerability. We have issued MS10-043 to addres…

Trojan.Dysflink“????” ???????????

        Trojan.Dysflink是一种盗取QQ用户信息的木马。该木马会监控系统特定文件夹(STARTMENU, COMMON_STARTMENU, DESKTOP, COMMON_DESKTOPDIRECTORY, PROGRAM_FILES, PERSONAL)中后缀名为.lnk的文件,也就是我们常说的快捷方式,并替换这些.lnk文件。

        .lnk文件被替换前后的截图:

        被替换的快捷方式使木马在系统重启后仍然可以有机会被运行。同时,木马运行后依然会将原始的目标程序打开,令用户不容易察觉到中毒。

        病毒运行后,会在系统中添加如下文件:
ROOT:Program Filesqcat
ROOT:Program Filesqcatqcat.ini
ROOT:Program Filesqcatqsetup.exe
ROOT:Program Filesqcattmpdata
ROOT:Program Filesqcattmpdata*.lnk

        同时,该木马会在qcat.ini中记录被替换修改的.lnk文件的信息。tmpdata中存放的则是原始的被替换的.lnk文件,如下图所示:

        木马会寻找QQ程序进程,并将窃取的QQ用户机密信息发送到http://7[REMOVED]m.com:81/dd/dd/qq.asp

        目前,赛门铁克已发布针对Trojan.Dysflink的病毒定义,可有效协助用户抵御此类病毒的攻击。

        Thanks to Jerry Jing for the technical analysis.

??PDF?????????“????”??

      No Comments on ??PDF?????????“????”??

        上周,Adobe发布了安全更新(APSB10-15),可防范之前利用PDF进行的社会工程学攻击(CVE-2010-1240)。不过,随着补丁的发布,攻击者再次聚焦这类攻击,并研究补丁的破解方式。因此,我们担心类似攻击有可能再次发生。
 
        大家知道我们常用的PDF文档阅读软件Adobe Reader包含了很多强大的功能,其中之一便是令PDF可以执行或者打开一个目标文件,包括可执行文件(.exe)。但为了防止恶意程序乘虚而入,文件只有在用户许可的情况下才能打开或运行。如图一:
 

                                                           (图一)
 
        然而,这样一个防范功能竟也被攻击者所利用。开头提到的基于社会工程学的攻击便是其中一种。攻击者会构造一份特别的PDF文件,其内容可能包括用户感兴趣的话题。当PDF文件被打开时,会跳出一个窗口,提示这是一个加密的文档,需要点击窗口中的“打开(open)”才能阅读(如图二所示)。若用户一旦点击打开,内嵌在PDF中的恶意代码便会被激发并运行。

                                                            (图二)
 
        Symantec 数月前已发布针对此类攻击的病毒定义Bloodhound.PDF.24,可有效防止此类攻击的发生。同时,用户也应尽快根据官方指示将Adobe Reader更新至9.3.3 以上版本。

????????????????

      No Comments on ????????????????

        上网搜索信息使我们日常生活中经常使用的功能。互联网快捷的速度、全面的知识,令我们在弹指间便能找到需要的答案。而针对搜索的木马也应运而生,Trojan.Bamital就是赛门铁克安全响应中心近期检测到的此类木马病毒。用户如果使用被其感染的计算机对网络内容进行搜索,该木马会篡改搜索引擎的返回结果。
 
        运行后,Trojan.Bamital首先会释放一个DLL文件%UserProfile%Local SettingsApplication DataWindows Server<random 6 letters>.dll,并且创建注册表键值HKEY_CURRENT_USERSoftware<random 10 letters>”<random 10 letters>” = “[BINARY DATA]”。被释放的DLL文件从该注册表键值读取有害的代码来运行。同时,它还会关闭计算机的系统还原功能,并且将有害代码注入到多个进程,这些进程包括:cmdagent.exe,fssm32.exe,fsorsp.exe,avp.exe,iexplore.exe,firefox.exe,opera.exe
explorer.exe等。被注入的恶意代码会挂钩系统函数,监视浏览器向搜索引擎发送的数据包,修改搜索引擎的返回结果,并将一些广告链接添加到搜索结果中。
 
        该木马通过偷渡式下载进行传播。因此,建议用户不要轻易访问可疑网站;浏览网页前,可以使用“诺顿网页安全”(http://safeweb.norton.com/)分析将要访问网页的安全性。赛门铁克安全响应中心已发布针对该病毒的病毒库定义,请用户及时更新您的安全软件病毒定义库以抵御该病毒威胁。