Video Screencast Help
Search Video Help Close Back
to help

Security Response

Showing posts in English
How Attackers Steal Private Keys from Digital Certificates
Hiroshi Shinotsuka | 22 Feb 2013 11:10:22 GMT | 0 comments

Regular readers of the Symantec blog may sometimes read blogs that mention a fraudulent file that is signed with a valid digital certificate or that an attacker signed their malware with a stolen digital certificate.

You may recall that the creators of Stuxnet, arguably the most notorious malware in history, signed it using the private keys of valid digital certificates of well-known companies.

Digital certificates are significant because a file with a digital certificate can be checked to see who authored it and to make sure it was not altered. Moreover, some versions of Windows display a dialog box when a file that has no digital signature is opened. If an attacker signs malware with the stolen private key from a digital certificate, Windows will execute the file in many cases, except if the file is downloaded from the Internet using a Web browser.

How does an...

Read more
Malicious Mandiant Report in Circulation
Joji Hamada | 21 Feb 2013 16:57:15 GMT | 0 comments

The report, APT1: Exposing One of China's Cyber Espionage Units, published by Mandiant earlier this week has drawn worldwide attention by both the security world and the general public. This interest is due to the conclusion the report has drawn regarding the origin of targeted attacks, using advanced persistent threats (APT), performed by a certain group of attackers dubbed the Comment Crew. You can read Symantec’s response to the report here.

Today, Symantec has discovered someone performing targeted attacks is using the report as bait in an attempt to infect those who might be interested in reading it. The email we have come across is in Japanese, but this does not mean there are no emails in other languages spreading in the wild. The email purports to be from someone...

Read more
APT1: Q&A on Attacks by the Comment Crew
Symantec Security Response | 19 Feb 2013 22:28:02 GMT | 0 comments

Today Mandiant released a detailed report dubbed "APT1" which focuses on a prolific cyber espionage campaign by the Comment Crew going back to at least 2006 and targeting a broad range of industries. The report cites the earliest known public reference about APT1 infrastructure as originating from Symantec. We have detected this threat as Backdoor.Wualess since 2006 and have been actively tracking the group behind these attacks. The following Q&A briefly outlines some of the relevant Symantec information around this group:

Q: Do Symantec and Norton products protect against threats used by this group?

Yes. Symantec confirms protection for attacks associated with the Comment Crew through our antivirus and IPS signatures, as well as STAR malware...

Read more
New Adobe PDF Zero-day Unleashes Trojan.Swaylib
Symantec Security Response | 14 Feb 2013 22:16:55 GMT | 0 comments

In a previous blog, Symantec reported on a new Adobe zero-day vulnerability (CVE-2013-0640, CVE-2013-0641) affecting Adobe Reader and Acrobat XI (11.0.1) and earlier versions, that was being actively exploited in the wild. Adobe has yet to release a patch for this zero-day, but in an advisory they have provided a means of mitigation against the attack. 

The initial report on this zero-day being actively used in the wild came from FireEye. They reported that several files were being...

Read more
Trojan.Ransomgerpo Criminal Arrested
Symantec Security Response | 14 Feb 2013 12:05:43 GMT | 0 comments

Spanish police have reported the arrest of an individual involved with a particular strain of police Ransomware known as Ransom.EY, detected by Symantec as Trojan.Ransomgerpo.

This variant is one of the earliest active police Ransomware families, which Symantec has been tracking since at least July, 2011. The Trojan was distributed using drive by download techniques, in conjunction with the Black Hole exploit kit. Early versions of the locking screen were quite primitive but quickly evolved as the author obviously stole design ideas from other Ransomware gangs as shown in Figure 1.

...

Read more
New Adobe Vulnerabilities Being Exploited in the Wild
Symantec Security Response | 14 Feb 2013 08:59:53 GMT | 0 comments

Adobe posted a vulnerability report warning that vulnerabilities in Adobe Reader and Acrobat XI (11.0.1) and earlier versions are being exploited in the wild. Adobe is currently investigating this issue.

 

According to the FireEye blog posted earlier today, the malicious file arrives as a PDF file. Upon successful exploitation of the vulnerabilities, two malicious DLL files are dropped.

Symantec detects the malicious PDF file as Trojan.Pidief and the two dropped DLL files as...

Read more
Man Arrested in Relation to the “Remote Control Virus”
Joji Hamada | 13 Feb 2013 21:35:07 GMT | 0 comments

Back in October 2012, we published a couple of blogs about Backdoor.Rabasheeta, a back door Trojan that was used to make numerous death threats from compromised computers, resulting in four wrongful arrests. The saga may have come to an end for the malware author who had been taunting the Japanese authorities for months. On February 10, the Tokyo Metropolitan Police arrested Yusuke Katayama, a 30-year-old Tokyo resident who works for an IT company, on suspicion of forcible obstruction of business by posting anonymous online threats, although the accused has denied any wrongdoing. Katayama was also arrested and convicted in 2006 for making similar online threats to a record company...

Read more
Microsoft Patch Tuesday – February 2013
Candid Wueest | 12 Feb 2013 18:26:39 GMT | 0 comments

Hello, welcome to this month's blog on the Microsoft patch release. This month the vendor is releasing 12 bulletins covering a total of 57 vulnerabilities. Eighteen of this month's issues are rated ’Critical’.

As always, customers are advised to follow these security best practices:

  • Install vendor patches as soon as they are available.
  • Run all software with the least privileges required while still maintaining functionality.
  • Avoid handling files from unknown or questionable sources.
  • Never visit sites of unknown or questionable integrity.
  • Block external access at the network perimeter to all key systems unless specific access is required.

Microsoft's summary of the February releases can be found here:
http://technet.microsoft.com/en-us/security/bulletin/ms13-Feb

The following is a breakdown of the...

Read more
Zeus Now Setting its Sights on Japanese Online Banking Customers
Symantec Security Response | 12 Feb 2013 06:05:44 GMT | 0 comments

As we have blogged in the past, Zeus (Trojan.Zbot) and other banking Trojans have been a headache to online banking customers all over the world for years. Certain countries such as Japan have in the past escaped attacks from banking Trojans, perhaps due to the language barrier or some other unknown reason. As the National Police Agency of Japan has reported several times, Japanese online banking customers have now started to fall victim to this type of attack.

Symantec recently came across a new Zeus file targeting five major banks in Japan. Figure 1 shows part of the decrypted configuration file. The...

Read more
Cross-Platform Frutas RAT Builder and Back Door
Joseph Bingham | 11 Feb 2013 22:49:07 GMT | 0 comments

Contributor: Val S.

We recently came across a sample of a back door remote access tool (RAT) written entirely in Java. The RAT is freely distributed on underground forums, free for any registered forum user to download. It is named Frutas, which means “fruit” in Spanish.
 

Figure 1. Frutas logo
 

The Frutas RAT allows attackers to create a connect-back client JAR file to run on a compromised computer. When executed, it parses an embedded configuration file for a server IP and port to connect to. The back door builder provides some minor obfuscation, which allows the attacker to use a custom encryption key for some of the embedded back door functionalities.
 

...

Read more