15 posts categorized "exploit"

About This Blog

The Content Security Research Team's Mission: Deliver security research and intelligence that educates, supports and strengthens the security community, and drives innovation in our eSafe solutions.


eSafe Version 8.6 Has Been Released

Discover eSafe Content Security v8.6

When it comes to content security, it is essential to stay ahead of the times by incorporating new features and functions for a more secure email and web gateway. We are glad to announce the release of eSafe Content Security v8.6, with managed availability from June 28, 2011.

New Functionalities & Enhancements

The highlights of this release of eSafe include:

  • Additional Data Loss / Leak Prevention (DLP) functionality with an advanced dictionary creator tool
    - Allows creating unique, custom DLP dictionaries per the organization's needs, with full Unicode support
  • New Transparent SSL Mode
    - Interception and scanning of SSL-encrypted HTTP traffic is now a built-in part of the eSafe bridge/router installation mode
  • Web Quota Control enhancements
    - New competitive feature allowing monitoring and enforcement of company policy for users/groups that have exceeded their daily web quota
  • Mail IP Reputation features
    - New Anti-Spam engine that rejects spam email based on the sender's IP reputation at connection time
    - Rejects and eliminates 80% of spam email before the sender even establishes an SMTP connection
  • New dynamic URL Filtering Engine
    - 80 URL categories, over 100m categorized URLs - more than 90% URL category classification
    - No more huge local DB, only a local dynamic cache of common URLs
  • New Web 2.0 Script analysis engine
    - New, faster and better script analysis engine to handle the latest malware and web exploits
  • Central Management functionality enhancements

For more information about the new eSafe v8.6 version and the evaluation process, please contact your local SafeNet sales representative.


Microsoft Security Bulletin - March 2011

Microsoft has released the patches for the March vulnerabilities:


Microsoft March Bulletin


Weekly Security News – December 20, 2010

1. NSA considers its networks compromised
2. Top Five Vishing Techniques
3. New Google service identifies hacked sites
4. Your Apps Are Watching You
5. FarmVille players lured with fake "farm cash" offer from Zynga
6. Another Massive Data Breach in University of Wisconsin
7. Staying Secure Through the Holidays
8. The 10 Most Destructive Hacker Attacks In The Past 25 Years
9. Nigerian Scam Victim Sues Bank, Loses in California Appellate Court in Riverside
10. Performance concerns make 25% of users turn off AV


Weekly Security News – November 18, 2010

1. McAfee CEO: Get ready for tidal wave of mobile attacks
2. Drive-By Downloads Still Running Wild
3. Malware pushers lure victims with leaked Harry Potter movie screener
4. Scareware SEO attack exploits engagement of Prince William and Kate Middleton
5. Well crafted PayPal phishing e-mail doing rounds
6. Debt collectors utilize Facebook to embarrass those who owe
7. Chinese ISP hijacked US military, gov web traffic
8. Rogue e-mail makes Swiss bank lose millions?
9. LinkedIn attack comprised over 31% of all spam
10. 10 security tips for retailers
11. One Hundred Naked Citizens: One Hundred Leaked Body Scans
12. The 12 most dangerous online scams
13. 10 holiday ID theft prevention tips
14. Joshua Simon Ashby gets 4 months in jail for posting naked photo of ex-girlfriend on Facebook
15. Web users deceived into downloading malicious anti-virus software
16. Top 10 Security Threats for 2011
17. Holiday spam e-mail runs start off
18. 40% of all rogueware was created in 2010
19. Palin hacker sentenced to one year in custody
20. Half of SMBs block employee access to Facebook


Weekly Security News – November 11, 2010

1. Facebook, Twitter fail latest security assessment
2. Hackers break into OECD computer system
3. ZeuS attackers set up honeypot for researchers
4. Two alleged Zeus mules arrested in Wisconsin
5. GoDaddy-hosted websites injected with malicious code
6. Man Pleads Guilty to $4.8 Million ATM Fraud
7. Man loses millions in computer virus-related scam
8. Breaches cost health care industry $6 billion annually
9. Burglar cuffed after crime scene MySpace blunder
10. Student who hacked Bill O'Reilly gets 30 months
11. Barracuda first security vendor to pay for bug finds
12. 2 Charged With Fraud of Millions From Pianist
13. Latest IE 0-day exploit finds its way into Eleonore toolkit
14. Malicious URLs Pose Mobile Hijacking Risk
15. Hacker accesses Louisiana EMT licensing database
16. Employees will take bigger risks during this holiday season
17. Nasty IE 0day exploit hosted on Amnesty International site
18. Virus Leads to $20 Million Scam


The Evolution of eCrime

It took almost 40 years from the first computer bug in 1947 to the first PC virus in 1986, which marked the beginning of eCrime. But even then it took more than 10 years for criminals to realize that they can make more money infecting computers than selling drugs. The advent of the Internet, with its easy reach to millions of computers around the world, created endless opportunities for criminals to make money with almost zero risk. They took things seriously, and the sophistication and professionalism of the eCrime we see today would have looked like science fiction just 10 years ago.

Threats Evolution
As the Internet has evolved into the dynamic, collaborative and wide-open Web 2.0, the business of eCrime has evolved along with it. eCrime is now a highly profitable and targeted business model that capitalizes on the weaknesses of an open Web and on human naïveté. Carefully crafted, socially engineered spam messages lie in wait for naïve and unsuspecting Internet users, guiding them to infected websites.

The Motive - It’s all about money…
The money making process is structured and thorough:

  • Finding the opportunities
  • Researching security vulnerabilities in the most commonly used applications, such as PDF readers, Internet Explorer, etc.
  • Choosing the tools and methods of operation, usually writing code that exploits security vulnerabilities and injects malware into users' computers
  • Operating and feeding the food chain (through money laundering) by selling exploits and malware to operators that control networks of infected computers (botnets)
  • Making money by sending spam and phishing email via the infected computers that are part of the controlled botnet

The Food Chain

  • Cybercriminals pay researchers, who sometimes work as a group, to scrutinize commonly used Internet-enabled applications and find vulnerabilities
  • They then pay code writers to write malware that exploits the vulnerabilities found
  • They distribute the malware by paying people for each infected computer that joins their botnet
  • All this is fueled by selling spam advertising for questionable or bootlegged products
  • This spam is sent out through the botnet of infected computers around the world

Cybercriminals are developing malware that has been purpose-built to find its way around traditional security measures. The race will always be between security solutions and eCrime professionals and amateurs: security companies develop new technologies to stop them, and cybercriminals develop new technologies to bypass security.


Weekly Security News – November 4, 2010

1. Police To Get Facebook Lessons
2. Facebook discovers and "punishes" UID-selling developers
3. Guarding Your Business Against Social Networking Hacks
4. Spying app kicked out of Android Market
5. Russian-Armenian botnet suspect raked in $140,000 a month
6. Adobe Accelerates Patch Schedule for Critical Flash Bug
7. Turkey reinstates YouTube ban
8. Perverted Facebook hacker targeted women
9. Five LinkedIn privacy settings you need to know about
10. Police leak risks security catastrophe
11. Where did all the Viagra spam go?
12. Internet Explorer users warned of new zero-day attacks
13. DDOS Attack on Myanmar Takes the Country Offline


100% protection promises by Shimon Gruper, CISSP

Recently I talked to a customer who said that he chose a certain vendor for his email security gateway product because the vendor promised him 100% blocking of all viruses. After looking closer at this vendor's SLA (service level agreement), I found out that the promise was to block 100% of "email-based" viruses.

This statement made me realize how good the marketing department of this vendor is and how easy it is to provide empty promises to customers who are not experts in security.

A short history: email-based viruses were prevalent about 10 years ago, when the famous LoveBug was spreading all over the world, cluttering mail servers and mailboxes.

Fortunately, we learned a lot from it. Since then Microsoft has built many security safeguards into Exchange and Outlook (for example, executable attachments cannot be opened by default), and every organization has an email security gateway or a service that cleans viruses before they arrive in your inbox. Even for individual users, email anti-virus is a standard thing: Gmail provides it for free, as do many ISPs and web-mail providers. The anti-spam measures we use today also block viruses very effectively, since mass-mailed viruses share the distribution pattern of spam.

Unfortunately, hackers and other malicious people learned a lot as well. They understood that creating email viruses is no longer worthwhile, because the number of computers they would be able to infect is very small and there is no ROI there. So they moved on to a less protected medium: the World Wide Web.

Today, the majority of infections happen from the web by unknowingly downloading malicious programs or even by simply visiting malicious websites that will try to exploit security vulnerabilities in your browser, or in one of its plug-ins.

Have you noticed the dramatic increase in the number of patches and updates Adobe is releasing for its PDF reader? The PDF format has been one of the main targets of hackers. They were able to find bugs in the way the PDF reader parses the PDF file format and exploit those bugs to inject malicious code and eventually infect computers.

It is not uncommon to receive an email, sometimes with a nice socially engineered message, that will ask you to click on a link, open your browser and… be infected by an exploit embedded in the visited web page.

In a simplified scenario, you receive an email with a PDF attachment that can even come from somebody you know. You open the attachment that contains a small exploit code, which in turn downloads the real virus from the web. 

Now back to the promise of 100% email-based virus protection: is this PDF an email-based virus? No. Technically there is no virus in the PDF; it is just a malformed file that exploits a bug. The real virus comes from the web, which is obviously not covered by this bogus promise of 100% email-based virus blocking.

Again and again, our decisions are affected by nice marketing messages that hide the real issue: having the best email anti-virus in the world provides you almost no protection. Today it is also necessary to include a Web Security Gateway, which will make sure that those email exploits are not able to download their malicious payload from the web.
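As an added illustration (not code from the post or from eSafe), here is the kind of static triage check a mail gateway can run on a PDF attachment before it ever reaches the web-download stage described above: it looks for the features that make a PDF act rather than merely render (JavaScript, open-time actions, launches, URLs), decodes the #xx name escapes and Flate streams that are commonly used to hide those names, and flags structurally malformed files. The keyword list is a common triage heuristic and the sample PDF is constructed for the example, not a real exploit.

```python
import re
import zlib

# Names that make a PDF do something when opened rather than just render. Assumption
# (not from the post): this keyword list is a common static-triage heuristic, not eSafe's.
RISKY_NAMES = {
    b"/JavaScript": "embedded JavaScript",
    b"/JS": "JavaScript action",
    b"/OpenAction": "action runs automatically on open",
    b"/AA": "additional automatic actions",
    b"/Launch": "launches an external program",
    b"/URI": "reaches out to a remote URL",
    b"/EmbeddedFile": "carries an embedded file",
}

_NAME_ESCAPE = re.compile(rb"#([0-9A-Fa-f]{2})")
_STREAM = re.compile(rb"(?<!end)stream\r?\n(.*?)\r?\nendstream", re.DOTALL)


def _inflate_streams(data: bytes) -> bytes:
    """Append the contents of every zlib (FlateDecode) stream so keywords hidden in
    compressed objects are visible to the keyword scan. Non-zlib streams are skipped."""
    extra = b""
    for m in _STREAM.finditer(data):
        try:  # decompressobj tolerates a truncated tail, which a regex split can cause
            extra += b"\n" + zlib.decompressobj().decompress(m.group(1))
        except zlib.error:
            pass
    return data + extra


def triage_pdf(data: bytes) -> dict:
    """Static triage of one attachment: inflate streams, decode #xx name escapes
    (so /Java#53cript is seen as /JavaScript), then report risky features and
    whether the file is malformed (no %PDF- header or no %%EOF trailer)."""
    body = _NAME_ESCAPE.sub(lambda m: bytes([int(m.group(1), 16)]), _inflate_streams(data))
    findings = sorted(desc for name, desc in RISKY_NAMES.items()
                      if re.search(re.escape(name) + rb"(?![A-Za-z0-9])", body))
    malformed = not data.startswith(b"%PDF-") or b"%%EOF" not in data
    return {"findings": findings, "malformed": malformed,
            "verdict": "block" if findings or malformed else "allow"}


# Constructed sample (not a real exploit): a catalog whose OpenAction points at a
# Flate-compressed JavaScript action with an escaped name, as in the scenario above.
SAMPLE_ACTION = zlib.compress(b"<< /S /Java#53cript /JS (app.alert(1)) >>")
SAMPLE_PDF = (b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog /OpenAction 2 0 R >>\nendobj\n"
              b"2 0 obj\n<< /Filter /FlateDecode /Length " + str(len(SAMPLE_ACTION)).encode()
              + b" >>\nstream\n" + SAMPLE_ACTION + b"\nendstream\nendobj\n%%EOF\n")
CLEAN_PDF = b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog >>\nendobj\n%%EOF\n"

if __name__ == "__main__":
    for label, pdf in (("sample", SAMPLE_PDF), ("clean", CLEAN_PDF)):
        print(label, triage_pdf(pdf))
```

A "block" verdict here is a reason to quarantine and inspect, not proof of an exploit; benign forms and interactive PDFs also use these features.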


About the Author: Shimon Gruper, CISSP
Strategic Consultant - eSafe Content Security
Shimon is a noted worldwide expert in the fields of Anti-Virus, Security, and Anti-Vandal software. As one of the first to discover malicious code contained in ActiveX, Java, etc., he is often sought out by professional journals for advice and comments on Internet security issues.
Shimon is responsible for all eSafe development and technologies and is the "creator" of the generic process to trap and nullify malicious code and vandals.


Stuxnet demonstration at the Virus Bulletin 2010

Symantec gave a presentation yesterday (30 Sept, 2010) at the VB2010 – Vancouver conference. This time it was not just a presentation of slides describing the virus' work; we actually had a live demonstration.

Symantec did an absolutely great job analyzing the virus. All the information can be found here:
Symantec's Stuxnet analysis paper

Symantec's team brought a PLC machine, which is what the virus targets, and connected a blower with a balloon at the end to it. The PLC machine in its clean state was programmed to pump the balloon for 2 seconds and then stop.

Then the PLC machine was infected with the POC of the virus and the blower started to work, and... it got into an endless loop and never stopped, and the balloon eventually burst.

The demonstration was photographed by the Sophos team.

Following that, the Symantec team explained that the virus was mostly found in Iran, that it has a flag that "tells" the virus to turn on or off, and that the key name is 05091979, which is 05/09/1979. On this date a Jewish businessman by the name of Habib Elghanian was executed in Iran.

They also said that it was a very meaningful date in Jewish history, and about that I am sorry to say: not really. If you ask Israelis about the Habib Elghanian case, it is most likely that they will not know what you are talking about.

To conclude, nobody really knows what exactly the virus was intended to do, except for the fact that it looks for specific SCADA system configurations and gives the ability to change those configurations.

Was it written by the Israelis? Maybe, and maybe not. One thing is certain: this was not written by a script kiddie; it was written by a funded organization and by several engineers.

Oren Medini, at VB2010 – Vancouver.


Will Cyber Crime Affect Our Lives Outside the Cyber Space?

Up to a few weeks ago, computer viruses were an issue for every person who uses a computer. People knew that they exist and people were getting infected by them daily. Yet for the regular John Doe, who is not an IT guy, it looked like just another problem that can be solved by using anti-virus software or, in the worst case, by formatting the machine and re-installing the OS.

And if you had been keeping a proper backup, you had fewer worries. The bottom line is that computer viruses, in the eyes of the regular user, have their own domain, which is the Internet.

Last June we started hearing about a new virus, Stuxnet, a Trojan/Worm that is able to affect specific Siemens control systems. This virus was not written to use a person's email or computing power, or to steal passwords. This virus was able to monitor, track, update and change the operating parameters of real systems that we use in our daily life (not our cyber life). It could affect train traffic, power plants and even nuclear plants.

There is no doubt that this specific Trojan was written for a specific use and in order to target specific systems in specific countries. The question it raises is, what will be next?

Will a crime organization be able to take control of our train systems? Maybe it will be able to shut down a whole city's power supply?

The Stuxnet Trojan/Worm only marks the beginning of a new era in cyber crime: a new generation of viruses that will affect our lives offline, outside cyber space.