Quarterly Report: Symantec Intelligence Quarterly
Symantec Intelligence Quarterly April - June 2010

Contents
Introduction
Highlights
Metrics
Overview: The Microsoft Help and Support Center Zero-day Vulnerability
Overview: The Adobe Flash Zero-day Vulnerability
Overview: The Month of PHP Security
Credits

Introduction

Symantec has established some of the most comprehensive sources of Internet threat data in the world with the Symantec™ Global Intelligence Network. More than 240,000 sensors in over 200 countries and territories monitor attack activity through a combination of Symantec products and services such as Symantec DeepSight™ Threat Management System, Symantec™ Managed Security Services, Norton™ consumer products, and third-party data sources.
Symantec also gathers malicious code intelligence from more than 133 million client, server, and gateway systems that have deployed its antivirus products. Additionally, the Symantec distributed honeypot network collects data from around the globe, capturing previously unseen threats and attacks and providing valuable insight into attack methods.

Spam and phishing data is captured through a variety of sources including: the Symantec probe network, a system of more than 5 million decoy accounts; MessageLabs™ Intelligence, a respected source of data and analysis for messaging security issues, trends and statistics; and, other Symantec technologies. Over 8 billion email messages (as well as over 1 billion Web requests) are processed each day across 16 data centers. Symantec also gathers phishing information through an extensive antifraud community of enterprises, security vendors, and over 50 million consumers.

These resources give Symantec security analysts unparalleled sources of data with which to identify, analyze, and provide informed commentary on emerging trends in attacks, malicious code activity, phishing, and spam. This report will discuss notable aspects of malicious activity that Symantec has observed in the second quarter of 2010 (April to June).

An important note about these statistics

The Symantec Global Intelligence Network uses automated systems to map the IP addresses of the attacking systems to identify the country in which they are located. However, because attackers frequently use compromised systems situated around the world to launch attacks remotely, the location of the attacking systems may differ from the location of the attacker.

Highlights

• The United States was the top country for malicious activity in this quarter, accounting for 21 percent of the total;
• The top Web-based attack for the quarter was related to malicious PDF activity, which accounted for 36 percent of the total;
• Credit card information was the most commonly advertised item for sale on underground economy servers known to Symantec in this quarter, accounting for 28 percent of all goods and services;
• Symantec created 457,641 new malicious code signatures during this quarter;
• The most common malicious code sample by potential infections during this quarter was the Sality.AE virus;
• Symantec observed 12.7 trillion spam messages during this quarter, accounting for approximately 89 percent of all email messages observed;
• The majority of brands used in phishing attacks this quarter were in the financial sector, which accounted for 73 percent of the total.

Metrics

Malicious activity by country/region

This metric will assess the countries and regions in which the highest amount of malicious activity took place or originated. Rankings are determined by calculating the average of the proportion of malicious activity that originated in each country or region. The United States was the top ranked country for malicious activity this quarter, accounting for 21 percent of the total (table 1). Within specific category measurements, the United States ranked first in all categories except spam zombies.

Table 1. Malicious activity by country/region

India had the second highest amount of overall worldwide malicious activity this quarter, accounting for six percent. Within specific category measurements, India ranked first in spam zombies by a significantly large margin.

Top Web-based attacks

This metric will assess the top distinct Web-based attacks that originate either from compromised legitimate sites or malicious sites that have been created to intentionally target Web users. In this quarter, the top Web-based attack was related to malicious PDF activity, which accounted for 36 percent of Web-based attacks (table 2). Attempts to download suspicious PDF documents were specifically observed. This may indicate attempts by attackers to distribute malicious PDF content to victims via the Web. The attack is not directly related to a specific vulnerability, although the contents of the malicious file would be designed to exploit an arbitrary vulnerability in an application that processes it. This attack may be popular due to the common use and distribution of PDF documents on the Web, and to the practice of configuring browsers to automatically render PDF documents by default.

Table 2. Top Web-based attacks

The second most common Web-based attack this quarter was associated with the Microsoft Internet Explorer® ADODB.Stream Object File Installation Weakness,[1] which accounted for 33 percent of the total globally. The weakness allows attackers to install malicious files on vulnerable computers when users visit websites hosting an exploit. To carry out this attack, an attacker must exploit another vulnerability that bypasses Internet Explorer® security settings, allowing the attacker to execute malicious files installed by the initial security weakness. This issue was published on August 23, 2003, and fixes have been available since July 2, 2004. The continued popularity of this Web-based attack may indicate that many computers running Internet Explorer® have not been patched or updated and are running with this exposed weakness.

Underground economy servers—goods and services available for sale

This section discusses the most frequently advertised items for sale observed on underground economy servers, which are online black market forums for the promotion and trade of stolen information and services. In this quarter, the most frequently advertised item observed on underground economy servers was credit card information, accounting for 28 percent of all goods (table 3). Prices for credit card information ranged from $1 to $30 depending on the type of card, the country of origin, and the amount of bundled personal information used for card holder verification.[2] Symantec observed bulk purchase offers of 1000 credit cards for $1,500.

[1] http://www.securityfocus.com/bid/10514
[2] All currency in U.S. dollars

Table 3. Goods and services available for sale on underground economy servers

The second most commonly advertised item for sale on underground economy servers during this quarter was bank accounts, accounting for 24 percent of all advertised goods. The advertised price for bank accounts ranged from $10 to $125 and bank balances ranged from $373 to $1.5 million.

Top malicious code samples

The most common malicious code sample by potential infections during this quarter was the Sality.AE virus (table 4).[3] This virus infects executable files on compromised computers and removes security applications and services. Once the virus is installed, it also attempts to download and install additional threats onto infected computers.

Table 4. Top malicious code samples

The second ranked malicious code sample causing potential infections during this quarter was Mabezat.B.[4] This worm propagates by copying itself to any mapped or remote drives, and is also programmed to copy itself to network shares by attempting to connect with weak passwords.
It also attempts to propagate through email, to modify the built-in Microsoft Windows® CD burning feature to include the worm in burned CDs, and to encrypt numerous different file types.

[3] http://www.symantec.com/security_response/writeup.jsp?docid=2008-042106-1847-99
[4] http://www.symantec.com/security_response/writeup.jsp?docid=2007-120113-2635-99

Top phishing sectors

The majority of brands used in phishing attacks this quarter were in the financial services sector (table 5). These attacks accounted for 73 percent of the total reported phishing attacks. The financial sector is commonly the largest sector targeted in phishing attacks because the various associated services are the most likely to yield data that could be directly used for financial gain. Many phishing attacks that spoof financial services brands will prompt users to enter credit card information or banking credentials into fraudulent sites. If these tactics are successful, the phishers can then capture and sell such information in the underground economy.

Table 5. Top phishing sectors

The second largest percentage of brands used in phishing attacks was in the ISP sector, accounting for 10 percent of the total number of phishing attacks reported this quarter. ISP accounts can be valuable to phishers because they may contain email accounts, Web-hosting space, and authentication credentials.

Overview: The Microsoft Help and Support Center Zero-day Vulnerability

On June 9, 2010, a third-party researcher reported a zero-day vulnerability affecting the Help and Support Center application in Windows® Server 2003 and Windows® XP. Help and Support Center is the default application used for handling access to online Microsoft Windows® documentation. Documentation can be accessed directly through other applications such as Web browsers by using Help and Support Center protocol (HCP) URIs.
When the application receives an HCP request, the requested file is verified using a whitelist to restrict untrusted sites from accessing unauthorized data. The reported vulnerability occurs because of a flaw in the way that the application handles errors while checking the whitelist. By adding specially crafted data to an HCP URI, the flaw can be manipulated to bypass restrictions that are defined by the whitelist. This can result in unauthorized access to restricted help documents. The report included a proof-of-concept URI to demonstrate exploitation of the vulnerability. Limited, targeted attacks using the proof-of-concept code were confirmed in the wild by June 15.

An attacker can exploit this issue by enticing a victim to follow a malicious URI. A successful attack would grant the attacker unauthorized access to restricted help documents on the victim’s computer. The attack could be combined with exploits of other vulnerabilities—such as the Microsoft Help and Support Center “sysinfo/sysinformation.htm” cross-site scripting weakness—to execute malicious code on the target computer. An attacker who successfully exploits this issue can gain control of target computers and carry out additional malicious activities, such as stealing confidential information or using the victimized computers to send spam email.

On June 10, Microsoft released a security advisory to acknowledge its awareness of the report and that it was investigating the issue. Microsoft is currently developing a security update to address the vulnerability; in the interim, an automated workaround solution is available immediately to mitigate the vulnerability by unregistering HCP.
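
The failure class described above, an allowlist check that fails open when an error occurs while the request is being validated, shown beside its fail-closed form. This is an added illustration, not Help and Support Center code or the reported proof of concept; the allowlist entries, function names and sample requests are constructed.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed allowlist: documents an untrusted page may request. */
static const char *const ALLOWED_DOCS[] = {
    "topics/welcome.htm",
    "topics/faq.htm",
};

enum check_result { CHECK_ALLOWED, CHECK_DENIED, CHECK_ERROR };

/* Value of one hex digit, or -1 if c is not a hex digit. */
static int hex_val(char c)
{
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    return -1;
}

/* Percent-decode src into dst. Returns 0 on success, -1 on a malformed
 * escape, an encoded NUL byte, or a result that does not fit in cap. */
static int percent_decode(const char *src, char *dst, size_t cap)
{
    size_t n = 0;

    if (cap == 0)
        return -1;
    while (*src != '\0') {
        int ch = (unsigned char)*src;
        if (ch == '%') {
            int hi = hex_val(src[1]);
            int lo = (hi < 0) ? -1 : hex_val(src[2]);
            if (lo < 0)
                return -1;          /* malformed escape such as "%zz" */
            ch = hi * 16 + lo;
            if (ch == 0)
                return -1;          /* "%00" would truncate the path */
            src += 3;
        } else {
            src += 1;
        }
        if (n + 1 >= cap)
            return -1;
        dst[n++] = (char)ch;
    }
    dst[n] = '\0';
    return 0;
}

/* Decode the requested path, then compare it with the allowlist. */
static enum check_result check_allowlist(const char *raw_path)
{
    char decoded[256];
    size_t i;

    if (percent_decode(raw_path, decoded, sizeof decoded) != 0)
        return CHECK_ERROR;
    for (i = 0; i < sizeof ALLOWED_DOCS / sizeof ALLOWED_DOCS[0]; i++)
        if (strcmp(decoded, ALLOWED_DOCS[i]) == 0)
            return CHECK_ALLOWED;
    return CHECK_DENIED;
}

/* Flawed caller: only an explicit DENIED blocks the request, so a
 * decoding error falls through and the document is served (fail open).
 * Returns 1 if the request would be served, 0 if it is blocked. */
int serve_fail_open(const char *raw_path)
{
    if (check_allowlist(raw_path) == CHECK_DENIED)
        return 0;
    return 1;
}

/* Hardened caller: anything other than ALLOWED is blocked (fail closed). */
int serve_fail_closed(const char *raw_path)
{
    return check_allowlist(raw_path) == CHECK_ALLOWED;
}

int main(void)
{
    /* Constructed requests; the last one ends in a malformed escape. */
    static const char *const requests[] = {
        "topics/welcome.htm",
        "topics%2Ffaq.htm",
        "system/restricted.htm",
        "system/restricted.htm%zz",
    };
    size_t i;

    for (i = 0; i < sizeof requests / sizeof requests[0]; i++)
        printf("%-26s fail-open=%d fail-closed=%d\n", requests[i],
               serve_fail_open(requests[i]), serve_fail_closed(requests[i]));
    return 0;
}
```

The two callers disagree only on the malformed request, which is the case an error-handling flaw in an allowlist check exposes.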

Overview: The Adobe Flash Zero-day Vulnerability

On June 4, 2010, Adobe issued a security bulletin indicating that it had received reports of the exploitation of an unpatched, previously unknown zero-day vulnerability affecting its Flash Player application.[5] As security researchers scrambled to identify the problem, knowledge of the bug spread to more attackers, slowly exacerbating the situation. With limited mitigations available, security vendors were under pressure to release detections and mitigation procedures, and the vendor was under pressure to create, test, and distribute an out-of-band patch.

Timeline

• June 4, 2010 – Adobe receives information that an unknown, unpatched issue exists in Flash Player;[6]
• June 4, 2010 – Symantec issues BID 40586;[7]
• June 4, 2010 – Adobe issues security advisory APSA10-01;[8]
• June 7, 2010 – Adobe indicates that its quarterly security update regularly scheduled for July 13 would be pushed up, to June 29 for Adobe Reader® and to July 10 for Flash Player;[9]
• June 10, 2010 – The Metasploit Project publishes a reliable public exploit;[10]
• June 10, 2010 – Adobe provides an update for Flash Player; Reader is still vulnerable;[11]
• June 14, 2010 – Symantec analysts identify link between this vulnerability and IEPeers targeted attacks, and possibly other targeted attacks, from as far back as 2008;[12]
• June 29, 2010 – Adobe issues an update for Reader.[13]

Vulnerability

The bug belongs to a class of vulnerability referred to as an invalid or dangling pointer.[14] Discovering these bugs using binary static analysis is difficult, but not impossible.[15] The Flash file used in this attack came from a public source and it is highly unlikely that the file was originally intended to be malicious.[16] However, a specific, single-byte modification to the file results in an easily exploitable condition.
There is a high possibility that this bug was found using a fuzzer tool.[17]

[5] http://www.adobe.com/support/security/advisories/apsa10-01.html
[6] http://www.adobe.com/support/security/advisories/apsa10-01.html
[7] http://www.securityfocus.com/bid/40586
[8] http://www.adobe.com/support/security/advisories/apsa10-01.html
[9] http://www.adobe.com/support/security/advisories/apsa10-01.html
[10] http://www.metasploit.com/redmine/projects/framework/repository/revisions/9473
[11] http://www.adobe.com/support/security/advisories/apsa10-01.html
[12] http://www.symantec.com/connect/blogs/zero-day-connection
[13] http://www.adobe.com/support/security/bulletins/apsb10-15.html
[14] http://www.memorymanagement.org/glossary/d.html; the exploitation details of which can be found on the Symantec Security Response blog at http://www.symantec.com/connect/blogs/analysis-zero-day-exploitadobe-flash-and-reader
[15] Static analysis is a technique for software verification that relies on analyzing the application without executing it.
[16] http://blog.zynamics.com/2010/06/09/analyzing-the-currently-exploited-0-day-for-adobe-reader-and-adobe-flash
[17] Fuzzers test an application for buffer overflows, format string vulnerabilities, and other errors that can subsequently be exploited; see http://www.cgisecurity.com/questions/securityfuzzer.shtml

Vulnerabilities in Flash are valuable to attackers. Flash is prolific and there are versions for virtually every browser on all major operating systems. The wide distribution of Flash, combined with the number of affected operating systems, makes it an appealing target for attackers. The return on investment for this vulnerability is very high, especially if it was discovered using a fuzzer, because this often requires less time investment on the attacker’s part.
An exploitable weakness in Reader is also highly attractive to attackers because Reader is widely used for rendering PDF files and PDFs can contain embedded content. For example, Reader can render an embedded Flash file inside a PDF. Unlike JavaScript, there is currently no easy way to disable Flash from the user interface in Reader, which means the process of mitigating a Flash vulnerability in Reader is difficult for less technical users.

Attacks

Upon initial disclosure of the vulnerability, Symantec identified two cases in the wild that exploited Web and PDF documents, respectively. While these attacks exploited the same vulnerability, they did so in different products, with each having a separate, specific goal. Both attacks appeared to use the same malicious Flash file, with only a slight variation (the Flash file had to be tweaked slightly to be used either in a PDF or in a Web browser). Although they appeared to use the same Flash file, each attack delivered a unique piece of malicious code using distinctly different pieces of shellcode.[18]

PDF-based attack

While a good file format exploit[19] will replace a malicious document with a benign one, post-exploitation, this particular PDF attack made no such attempt. This could be a sign that the attacker was either not very sophisticated or was not concerned about the vulnerability being discovered and fixed.

An unpatched vulnerability is a commodity for an attacker. There is a correlation between the number of people that know about an unpatched vulnerability and the value that it has. For example, an unpatched vulnerability that is exploitable and known by only a select few people has high value, while conversely, a vulnerability that is known by many and readily patched has low value. Often, once a bug is publicly known and more attackers gain access to it, there will be a surge of attacks that attempt to exploit any remaining unpatched systems.
These attacks often lack the finesse of the original, with less regard for protecting the vulnerability because it is already well known (at least to more knowledgeable users).

The shellcode in this attack made use of return oriented programming (ROP) techniques to disable Data Execution Prevention (DEP) on Windows® XP systems, indicating some technical prowess. The malicious PDF was delivered to victims as an email attachment, while the email message was crafted to lure the victim into opening the attached malicious PDF.

The malicious code installed by the PDF attack was unremarkable. It provided a rudimentary backdoor to attackers, but did not include direct functionality to harvest credentials or obtain sensitive information in an automated fashion.

Web-based attack

The Web-based attack was tailored toward users of Microsoft Internet Explorer®. While the bug could be used against any browser that supports Flash, due to the nature of the vulnerability, making it work on different browsers required additional modifications.

The way the Web-based attack was written implied a greater desire to protect the vulnerability. Whoever developed the shellcode implemented a number of checks to ensure that the application terminated quickly and without generating a crash report to leave few traces about the nature of the bug. Interestingly, high-quality exploits are usually those that attempt to continue execution of the application uninterrupted. An application that terminates immediately after loading a new file usually indicates that there is something amiss. Additionally, unlike the PDF-based attack, the shellcode did not attempt to disable DEP.

[18] A shellcode is an assembly language program that executes a shell; shellcode can be used as an exploit payload
[19] A file format exploit is a software exploit that makes use of a maliciously crafted file format used by the affected application

The IEPeers-targeted attack link

The shellcode used in the Web-based attack is eerily similar to that used in the targeted attacks against the Microsoft Internet Explorer® “iepeers.dll” Remote Code Execution Vulnerability,[20] which occurred in March 2010, and in the targeted attacks against the Microsoft Internet Explorer® XML Handling Remote Code Execution Vulnerability.[21] The only major differences in this shellcode appeared to be reliability enhancements.

Attackers sharing and reusing shellcode is common and often not a definitive sign of the same exploit author; however, there are some convincing similarities in the malicious code used in the two attacks. For example, once a computer is compromised, the malicious code injects a DLL file named “wshipm.dll” into applications such as Internet Explorer®, Firefox®, and Outlook®. Comparing this file at the binary level with the DLL that is used in the IEPeers targeted attack shows a number of distinct similarities in the source code. This lends credibility to the possibility that the malicious code in this attack is a derivative of the same malicious code used in the IEPeers targeted attacks. Whoever wrote the code for this attack definitely had access to the source code for portions of the malicious code used in the IEPeers targeted attack. As with the IEPeers attack, sensitive information can be harvested from the exploited applications and sent to the attacker in a remote location.

Conclusion

While these attacks exploited the same vulnerability, they did so in different ways with different agendas. The Web-based attack appears to be more tailored to obtaining sensitive information, while the PDF-based attack simply provided limited backdoor functionality, possibly for building a bot network or for the later distribution of additional malicious code.
The Web-based attack appears to have been much more targeted and is far more sophisticated in both its attempts to hide the vulnerability and its post-exploitation activity.

Overview: The Month of PHP Security

The disclosure of security vulnerabilities in software has historically been a contentious topic between security researchers and software vendors. Vendors often do not want to publicly discuss security problems in their products on the chance that doing so will harm sales, make customers unhappy, and give hackers a vector to target with an exploit. Security researchers, even those who practice responsible disclosure, often feel frustration that vendors reveal few of the details about vulnerabilities or hold the perception that some vendors do not take security seriously.

In 2006, the first Month of Bugs project was launched as a way to increase awareness of security vulnerabilities in Web browsers.[22] The Month of Browser Bugs was a series of exploits published every day for a month against Internet Explorer®, Mozilla Firefox®, Apple Safari®, and Opera®. This project helped bring some publicity to browser security and may have impelled vendors to fix the issues faster than they normally would have. Other researchers have since used this strategy to help improve the security of various technologies; this includes the Month of Kernel Bugs, the Month of Apple Bugs, and the Month of PHP Bugs. The latest installment, in May 2010, was the Month of PHP Security (MoPS).

[20] http://www.securityfocus.com/bid/38615
[21] http://www.securityfocus.com/bid/32721
[22] http://www.hardened-php.net/

The purpose of MoPS was to improve the security of PHP and the PHP ecosystem by disclosing vulnerabilities in PHP and PHP applications. The result was the disclosure of 60 security issues and the publication of a number of additional articles about PHP application security or tools specific to PHP security.
Notably, the majority of the disclosed issues are not considered exploitable vulnerabilities, because a developer essentially must "attack themselves." Most of the issues involved interrupting internal functions by using a deprecated feature known as call-time pass-by-reference. These bugs require that the "allow_call_time_pass_reference" configuration option is enabled, that an attacker has local access to his or her Web server, and that the server is configured to permit the execution of custom code.

Of the remaining issues, 10 apply to applications that use PHP:

• Campsite[23] is prone to an SQL-injection vulnerability affecting the 'article_id' parameter;[24]
• ClanSphere[25] is prone to SQL-injection vulnerabilities that affect the CAPTCHA generator and the MySQL driver;[26]
• Clantiger[27] is prone to an SQL-injection vulnerability affecting the 's_email' parameter;[28]
• DeluxeBB[29] is prone to an SQL-injection vulnerability affecting the 'memberid' cookie parameter;[30]
• eFront[31] is prone to an SQL-injection vulnerability affecting the 'chatrooms_ID' parameter;[32]
• Xinha[33] and Serendipity[34] are prone to a vulnerability that permits attackers to upload arbitrary files;[35]
• Cacti[36] is prone to an SQL-injection vulnerability affecting the 'rra_id' parameter;[37]
• CMSQlite[38] is prone to an SQL-injection vulnerability and a local file-include vulnerability;[39]
• e107[40] is prone to an SQL-injection vulnerability and a vulnerability that allows attackers to execute arbitrary PHP code.[41]

The most serious of these issues is the arbitrary PHP code-execution vulnerability against e107, a popular content manager. Proofs-of-concept are available and the issue has not yet been patched by the vendor. Administrators of e107-based sites should disable bbcode functionality until a vendor patch is available. At the very least, restrict access to trusted networks, deploy network intrusion detection, and be sure only to run the application as a non-privileged user.

In PHP itself, four vulnerabilities were reported:

• An integer-overflow vulnerability affects the 'php_dechunk()' function.[42] This function is used to decode remote HTTP chunked encoding streams. To exploit the issue, a PHP script must interact with a malicious Web server.
• Multiple vulnerabilities that allow code-execution affect the PHP ‘sqlite’ module.[43] The vulnerabilities reside in the 'sqlite_single_query()' and 'sql_array_query()' functions, and can be triggered if the 'rres' resource is not properly initialized before it is used.
• Multiple format-string vulnerabilities affect the PHP 'phar' extension.[44] The phar extension gives developers a way to place entire PHP applications into a single file—i.e., a PHP archive. The vulnerabilities affect several functions within the extension that supply unsafe data to the core 'php_stream_wrapper_log_error()' function. PHP has addressed these issues with patches applied to the project's SVN repository.
• Multiple vulnerabilities affect the PHP 'Mysqlnd' extension.[45] This native driver extension is a replacement for the MySQL client library libmysql. The four reported vulnerabilities consist of three buffer-overflow vulnerabilities and an information-disclosure issue that lets attackers harvest the contents of heap-based memory.

Only the issues affecting the 'phar' extension have been addressed by PHP so far.

PHP administrators should implement the following mitigations:

• Run PHP with the least privileges possible;
• Deploy NIDS to monitor network traffic for signs of malicious activity;
• Implement nonexecutable and randomly mapped memory segments if possible;
• Restrict access to PHP-based sites to trusted networks and computers only.
• PHP servers can be made more secure in general by disabling global variables, using a chroot jail, and restricting file uploads.

[23] http://www.campware.org
[24] http://www.securityfocus.com/bid/39862
[25] http://www.clansphere.net/
[26] http://www.securityfocus.com/bid/39896
[27] http://www.clantiger.com/
[28] http://www.securityfocus.com/bid/39917
[29] http://www.deluxebb.com
[30] http://www.securityfocus.com/bid/39962
[31] http://www.efrontlearning.net/
[32] http://www.securityfocus.com/bid/40032
[33] http://trac.xinha.org/
[34] http://www.s9y.org/
[35] http://www.securityfocus.com/bid/40033
[36] http://cacti.net/
[37] http://www.securityfocus.com/bid/40149
[38] http://www.cmsqlite.net
[39] http://www.securityfocus.com/bid/40195
[40] http://e107.org/news.php
[41] http://www.securityfocus.com/bid/40202 and http://www.securityfocus.com/bid/40252
[42] http://www.php.net
[43] http://www.securityfocus.com/bid/39877
[44] http://www.securityfocus.com/bid/40013
[45] http://www.securityfocus.com/bid/40173

Credits

Marc Fossi, Executive Editor; Manager, Development; Security Technology and Response
Dean Turner, Director, Global Intelligence Network; Security Technology and Response
Amanda Andrews, Editor; Security Technology and Response
Eric Johnson, Editor; Security Technology and Response
Trevor Mack, Editor; Security Technology and Response
Téo Adams, Threat Analysis Engineer; Security Technology and Response
Joseph Blackbird, Threat Analyst; Security Technology and Response
Brent Graveland, Threat Analyst; Security Technology and Response
Darren Kemp, Threat Analyst; Security Technology and Response
Debbie Mazurek, Threat Analyst; Security Technology and Response

About Symantec

Symantec is a global leader in providing security, storage and systems management solutions to help consumers and organizations secure and manage their information-driven world. Our software and services protect against more risks at more points, more completely and efficiently, enabling confidence wherever information is used or stored.

For specific country offices and contact numbers, please visit our website.

Symantec World Headquarters
350 Ellis St.
Mountain View, CA 94043 USA
+1 (650) 527 8000
1 (800) 721 3934
www.symantec.com

Symantec helps organizations secure and manage their information-driven world with security management, endpoint security, messaging security and application security solutions.

Copyright © 2010 Symantec Corporation. All rights reserved. Symantec and the Symantec Logo are trademarks or registered trademarks of Symantec Corporation or its affiliates in the U.S. and other countries. Other names may be trademarks of their respective owners. NO WARRANTY. The information in this document is being delivered to you AS-IS and Symantec Corporation makes no warranty as to its accuracy or use. Any use of the information contained herein is at the risk of the user. This document may include technical or other inaccuracies or typographical errors. Symantec reserves the right to make changes without prior notice. 7/2010 21072009