Category: RootKit


Symantec says hackers stole source code in 2006

Filed under: Applications, Computers, Cybersecurity, Internet, PC, RootKit, Security, Software, Trojan, Virus by Ryan Boese — 1 Comment
January 18, 2012

Symantec Corp said a 2006 breach led to the theft of the source code to its flagship Norton security software, reversing its previous position that it had not been hacked.

The world’s biggest maker of security software had previously said that hackers stole the code from a third party, but corrected that statement on Tuesday after an investigation found that Symantec’s own networks had been infiltrated.

The unknown hackers obtained the source code, or blueprint for its software, to Norton Antivirus Corporate Edition, Norton Internet Security, Norton Utilities, Norton GoBack and pcAnywhere, Symantec spokesman Cris Paden said.

Last week, the hackers released the code to a 2006 version of Norton Utilities and have said they planned to release code to its antivirus software on Tuesday. It was not clear why the source code was being released six years after the theft.

Source code includes instructions written in computer programming languages as well as comments that engineers share to explain the design of their software. For example, a file released last week from the source code of a 2006 version of Norton Utilities included a comment that said “Make all changes in local entry, so we don’t screw up the real entry if we back up early.”

Companies typically heavily guard their source code, which is considered the crown jewels of most software makers. At some companies access is granted on an as-needed basis, with programmers allowed to view code only if it is related to the tasks they are assigned.

The reason for all the secrecy is that companies fear rivals could use the code to figure out the “secret sauce” behind their technology and that hackers could use it to plan attacks.

Paden said that the 2006 attack presented no threat to customers using the most recent versions of Symantec’s software.

“They are protected against any type of cyber attack that might materialize as a result of this code,” he said.

Yet Laura DiDio, an analyst with ITIC who helps companies evaluate security software, said that Symantec’s customers should be concerned about the potential for hackers to use the stolen source code to figure out how to defeat some of the protections in Symantec’s software.

“What we are seeing from Symantec is ‘Let’s put the best public face on this,’” she said. “Unless Symantec wrote all new code from scratch, there are going to be elements of source code in there that are still relevant today.”

Symantec said earlier this month that its own network had not been breached when the source code was taken. But Paden said on Tuesday that an investigation into the matter had revealed that the company’s networks had indeed been compromised.

“We really had to dig way back to find out that this was actually part of a source code theft,” he said. “We are still investigating exactly how it was stolen.”

Paden also said that customers of pcAnywhere, a program that facilitates remote access of PCs, may face “a slightly increased security risk” as a result of the exposure.

“Symantec is currently in the process of reaching out to our pcAnywhere customers to make them aware of the situation and to provide remediation steps to maintain the protection of their devices and information.”

Ryan: This is one of the reasons I had been telling people for years not to use Symantec programs. I knew they had been hacked because Viruses had been disabling out Norton on machines I had been fixing and I was seeing a big trend with this.

Source: Reuters / Yahoo! News

Tags: , , , , , , , , , , , , ,
Comment

Adobe Abandons Mobile Flash Development

Filed under: Adobe, Android, Computers, Cybersecurity, Exploit, Flash, Hackers, Malware, RootKit, Security by Ryan Boese — 3 Comments
November 9, 2011

Latest Update: Adobe confirmed it will cease Flash development on mobile devices in a press release published Wednesday morning.

In an abrupt about-face in its mobile software strategy, Adobe will soon cease developing its Flash Player plug-in for mobile browsers, according to an e-mail sent to Adobe partners on Tuesday evening.

And with that e-mail flash, Adobe has signaled that it knows, as Steve Jobs predicted, the end of the Flash era on the web is coming soon.

The e-mail, obtained and first reported on by ZDNet, says that Adobe will no longer continue to “adapt Flash Player for mobile devices to new browser, OS version or device configurations,” instead focusing on alternative application packaging programs and the HTML5 protocol.

“Our future work with Flash on mobile devices will be focused on enabling Flash developers to package native apps with Adobe AIR for all the major app stores,” the quoted e-mail says.

In the past, Adobe has released software tools for mobile developers that create a single platform programmers can use to make applications that work across three major mobile platforms: Android, iOS and the BlackBerry OS. While it’s seemingly easier than learning all of the native languages for each operating system, some developers have claimed a loss in app performance when coding in a non-native language that then gets translated into other languages.

The move indicates a massive backpedaling on Adobe’s part, a company who championed its Flash platform in the face of years of naysaying about its use on mobile devices. Despite Flash’s near ubiquity across desktop PCs, many in the greater computing industry, including, famously, Apple Computer, have denounced the platform as fundamentally unstable on mobile browsers, and an intense battery drain. In effect, Flash’s drawbacks outweigh the benefits on mobile devices.

Flash became a dominant desktop platform by allowing developers to code interactive games, create animated advertisements and deliver video to any browser that had the plugin installed, without having to take into account the particulars of any given browser. However, with the development of Javascript, CSS, and HTML5, which has native support for video, many web developers are turning away from Flash, which can be a resource hog even on the most advanced browsers.

Apple made its biggest waves in the case against Flash in April of last year, when Steve Jobs penned a 1,500-word screed against the controversial platform, describing it as a technology of the past. Jobs and Apple disliked the platform so intensely, it has since been barred from use on all iOS devices.

Despite attempts to breathe life into Flash on other mobile devices — namely, Android and BlackBerry OS — Adobe has failed to deliver a consistently stable version of the platform on a smartphone or tablet. In WIRED’s testing of the BlackBerry PlayBook in April, Flash use caused the browser to crash on a consistent basis. And when Flash was supposed to come to tablets with Motorola’s Xoom, Adobe was only able to provide an highly unstable Beta version of Flash to ship with the flagship Android device.

“Adobe has lost so much credibility with the community that I’m hoping they are bought by someone else that can bring some stability and eventually some credibility back to the Flash Platform,” wrote software developer Dan Florio in a blog post on Wednesday morning.

The drastic reversal in Adobe’s mobile plans comes in the wake of the company cutting 750 jobs on Tuesday, a move prompted by what Adobe labeled “corporate restructuring.”

An Adobe representative did not immediately respond to a request for comment.

Source: Wired

Tags: , , , , , , ,
Comment

Where Have All the Spambots Gone?

Filed under: Computers, Cybersecurity, Exploit, Hackers, Internet, RootKit, Security, Technology, Trojan by Ryan Boese — Leave a comment
July 3, 2011

First, the good news:  The past year has witnessed the decimation of spam volume, the arrests of several key hackers, and the high-profile takedowns of some of the Web’s most notorious botnets. The bad news? The crooks behind these huge crime machines are fighting back — devising new approaches designed to resist even the most energetic takedown efforts.

The volume of junk email flooding inboxes each day is way down from a year ago, as much as a 90 percent decrease according to some estimates. Symantec reports that spam volumes hit their high mark in July 2010, when junk email purveyors were blasting in excess of 225 billion spam messages per day. The company says daily spam volumes now hover between 25 and 50 billion missives daily. Anti-spam experts from Cisco Systems are tracking a similarly precipitous decline, from 300 billion per day in June 2010 to just 40 billion in June 2011.

There may be many reasons for the drop in junk email volumes, but it would be a mistake to downplay efforts by law enforcement officials and security experts.  In the past year, authorities have taken down some of the biggest botnets and apprehended several top botmasters. Most recently, the FBI worked with dozens of ISPs to kneecap the Coreflood botnet. In April, Microsoft launched an apparently successful sneak attack against Rustock, a botnet once responsible for sending 40 percent of all junk email.

In December 2010, the FBI arrested a Russian accused of running the Mega-D botnet. In October 2010, authorities in the Netherlands arrested the alleged creator of the Bredolab botnet and dismantled huge chunks of the botnet. A month earlier, Spamit.com, one of the biggest spammer affiliate programs ever created, was shut down when its creator, Igor Gusev, was named the world’s number one spammer and went into hiding. In August 2010, researchers clobbered the Pushdo botnet, causing spam from that botnet to slow to a trickle.

But botmasters are not idly standing by while their industry is dismantled. Analysts from Kaspersky Lab this week published research on a new version of the TDSS malware (a.k.a. TDL), a sophisticated malicious code family that includes a powerful rootkit component that compromises PCs below the operating system level, making it extremely challenging to detect and remove. The latest version of TDSS — dubbed TDL-4 has already infected 4.5 million PCs; it uses a custom encryption scheme that makes it difficult for security experts to analyze traffic between hijacked PCs and botnet controllers. TDL-4 control networks also send out instructions to infected PCs using a peer-to-peer network that includes multiple failsafe mechanisms.

Getting infected with TDL-4 may not be such a raw deal if your computer is already heavily infected with other malware: According to Kaspersky, the bot will remove threats like the ZeuS Trojan and 20 other malicious bot programs from host PCs.  “TDSS scans the registry, searches for specific file names, blacklists the addresses of the command and control centers of other botnets and prevents victim machines from contacting them,” wrote Kaspersky analysts Sergey Golovanov and Igor Soumenkov.

The evolution of the TLd-4 bot is part of the cat-and-mouse game played by miscreants and those who seek to thwart their efforts. But law enforcement agencies and security experts also are evolving by sharing more information and working in concert, said Alex Lanstein, a senior security researcher at FireEye, a company that has played a key role in several coordinated botnet takedowns in the past two years.

“Takedowns can have an effect of temporarily providing relief from general badness, be it click fraud, spam, or credential theft, but lasting takedowns can only be achieved by putting criminals in silver bracelets,” Lanstein said. “The Mega-D takedown, for example, was accomplished through trust relationships with registrars, but the lasting takedown was accomplished by arresting the alleged author, who is awaiting trial. In the interim, security companies are getting better and better about working with law enforcement, which is what happened with Rustock.”

Attacking the botnet infrastructure and pursuing botmasters are crucial components of any anti-cybercrime strategy: TDSS, for example, is believed to be tied to affiliate programs that pay hackers to distribute malware.

Unfortunately, not many security experts or law enforcement agencies say they are focusing attention on another major weapon in battling e-crime: Targeting the financial instruments used by these criminal organizations.

Some of the best research on the financial side of the cybercrime underworld is coming from academia, and there are signs that researchers are beginning to share information about individuals and financial institutions that are facilitating the frauds. Recent studies of the pay-per-install, rogue anti-virus and online pharmacy industries reveal a broad overlap of banks and processors that have staked a claim in the market for handling these high-risk transactions. Earlier this week I published data suggesting that the market for rogue pharmaceuticals could be squashed if banks and credit card companies paid closer attention to transactions destined for a handful of credit and debit card processors. Next week, I will publish the first in a series of blog posts that look at the connections between the financial instruments used by rogue Internet pharmacies and those of the affiliate networks that push rogue anti-virus or “scareware.”

Source: Krebs on Security

Tags: , , , , , , , , ,
Comment

Web attack knows where you live

Filed under: Exploit, Hackers, Malware, RootKit, Security, Technology by Ryan Boese — Leave a comment
August 3, 2010

The attack, thought up by hacker Samy Kamkar, exploits shortcomings in many routers to find out a key identification number.

It uses this number and widely available net tools to find out where a router is located.

Demonstrating the attack, Mr Kamkar located one router to within nine metres of its real world position.

Many people go online via a router and typically only the computer directly connected to the device can interrogate it for ID information.

However, Mr Kamkar found a way to booby-trap a webpage via a browser so the request for the ID information looks like it is coming from the PC on which that page is being viewed.

He then coupled the ID information, known as a MAC address, with a geo-location feature of the Firefox web browser. This interrogates a Google database created when its cars were carrying out surveys for its Street View service.

This database links Mac addresses of routers with GPS co-ordinates to help locate them. During the demonstration, Mr Kamkar showed how straightforward it was to use the attack to identify someone’s location to within a few metres.

“This is geo-location gone terrible,” said Mr Kamkar during his presentation. “Privacy is dead, people. I’m sorry.”

Mikko Hypponen, senior researcher at security firm F Secure, attended the presentation and said it was “very interesting research”.

“The thought that someone, somewhere on the net can find where you are is pretty creepy,” he said.

“Scenarios where an attack like this would be used would be stalking or targeted attacks against an individual,” he added.

“The fact that databases like Google Streetview’s Mac-to-Location database or the Skyhook database can be used in these attacks just underlines how much responsibility companies that collect such data have to safeguard it correctly,” said Mr Hypponen.

Mr Kamkar detailed the attack during a presentation at the Black Hat hacker conference. In 2005, Mr Kamkar created a worm that exploited security failings in web browsers to garner more than one million “friends” on the MySpace social network in one day.

Prosecuted for the hack, Mr Kamkar was given three years’ probation, did 90 days of community service and paid damages. He was also banned from using the net for personal purposes for an undisclosed amount of time.

Tags: , , ,
Comment

JailbreakMe Exploits Serious iPhone Security Flaw

Filed under: Apple, Exploit, Hackers, Mobile, RootKit, Telecom, Unlocking, Wireless by Ryan Boese — Leave a comment
August 3, 2010

JailbreakMe makes the process of jailbreaking the Apple iPhone much simpler and less intimidating. Just visit a Web site on the iPhone, and voila! Jailbroken iPhone. Think about that for a minute, though. The simple act of visiting a Web site is able to fundamentally alter the core functionality of iOS.

jailbreaking the iPhone is technically legal–at least from a copyright and DMCA (Digital Millennium Copyright Act) perspective–having a tool that can accomplish it simply by visiting a Web site is awesome for less technically savvy iPhone owners.

However, if JailbreakMe is capable of unlocking the iPhone operating system by taking advantage of a flaw in the way the iPhone renders Adobe PDF files, then other applications can also exploit that same flaw for less-benevolent goals. What JailbreakMe illustrates is that the iPhone has a serious security issue that Apple needs to address.

For companies that allow the iPhone to connect with network resources, or that have embraced the iPhone as the business smartphone of choice, both the JailbreakMe tool itself, as well as any other malicious attacks that might circumvent iOS controls using the same method represent a security concern.

IT admins can use a tool like MAD (Mobile Active Defense) for the iPhone to monitor and enforce security policy on iPhones. Winn Schwartau, chairman of M.A.D. Partners, LLC–developers of Mobile Active Defense–explains that, with jailbreaking, “iPhone users can now download apps from anywhere they choose, not just the iTunes store. This signifies a far greater risk to companies who are trying to leverage the unique capabilities of the Apple platform. But, Mobile Active Defense provides a strong, workable and automatic solution that solves the jailbreaking problem on corporate networks.”

Companies have compliance mandates such as HIPAA (Health Insurance Portability and Accountability Act), GLBA (Gramm-Leach-Bliley Act), and PCI-DSS (Payment Card Industry Data Security Standard) to follow, and the requirements dictate that IT admins must have control over the devices that connect to the network or process company data and communications. A jailbroken iPhone can interfere with the ability to do that.

Schwartau says that the MAD Mobile Enterprise Compliance and Security (MECS) server “can detect jailbreaking within one minute. That’s pretty cool. Once this clear violation of security policy is discovered, the MECS managed firewall issues immediate remediation options to the administrator.”

Detecting jailbreaking could mean intentional jailbreaking from a user trying to implement the JailbreakMe tool on an iPhone, or unintentional jailbreaking from a malicious attack exploiting similar means to take control of the iPhone. Either way–legal or not–IT admins need tools in place that help to monitor and enforce security policy on the iPhone and prevent users from jailbreaking the device.

Source: Yahoo!

Tags: , , , , , , , , ,
Comment

Software released for attacking Android phones

Filed under: Android, Droid, Exploit, Google, Hackers, HTC, RootKit, Security, Technology, Telecom, Wireless by Ryan Boese — 1 Comment
July 30, 2010

Two security experts said on Friday they released a tool for attacking smartphones that use Google Inc’s Android operating system to persuade manufacturers to fix a bug that lets hackers read a victim’s email and text messages.

“It wasn’t difficult to build,” said Nicholas Percoco, head of Spider Labs, who along with a colleague, released the tool at the Defcon hacker’s conference in Las Vegas on Friday.

Percoco said it took about two weeks to build the malicious software that could allow criminals to steal precious information from Android smartphones.

“There are people who are much more motivated to do these things than we are,” he added.

The tool is a so-called root kit that, once installed, allows its developer to gain total control of Android devices, which are being activated by consumers at a rate of about 160,000 units per day, according to Google.

“We could be doing what we want to do and there is no clue that we are there,” Percoco said.

The test attacks were conducted on HTC Corp’s Android-based Legend and Desire phones, but he believed it could be conducted on other Android phones.

The tool was released on a DVD given to conference attendees. Percoco was scheduled to discuss it during a talk on Saturday.

Google and HTC did not immediately return calls for comment.

Some 10,000 hackers and security experts are attending the Defcon conference, the world’s largest gathering of its type, where computer geeks mix with federal security officials.

Attendees pay $140 in cash to attend and are not required to provide their names to attend the conference. Law enforcement posts undercover agents in the audience to spot criminals and government officials recruit workers to fight computer crimes and for the Department of Defense.

Organizers of the conference say presenters release tools such as Percoco’s root kit to pressure manufacturers to fix bugs.

Source: Yahoo! /Reuters

Tags: , , , , , , ,
Comment