Video Screencast Help
Search Video Help Close Back
to help

Security Response

Showing posts in English
Phishers Target Myanmar with Wut Hmone Shwe Yee
Mathew Maniyara | 02 May 2013 19:58:54 GMT | 0 comments

Contributor: Avdhoot Patil

Phishers have already made their mark in Southeast Asia by targeting Indonesians. For the past couple of years, celebrities have been their key interest in the region. Aura Kasih and Ahmad Dhani are good examples. In March 2013, phishers turned their attention toward Myanmar by incorporating model and actress Wut Hmone Shwe Yee in a phishing site.

The phishing site spoofed a popular social networking site in order to ask for user login credentials. The phishing page was in Burmese. The background image contained a photograph of Yee from her recent modeling photo shoot. The phishing site stated that users can learn more about the model after logging into the social networking site. Phishers even...

Read more
Latest Java Zero-Day Shares Connections with Bit9 Security Incident
Symantec Security Response | 02 May 2013 19:58:55 GMT | 0 comments

Symantec recently received information on a new Java zero-day, Oracle Java Runtime Environment CVE-2013-1493 Remote Code Execution Vulnerability (CVE-2013-1493).  The final payload in the attack consisted of a DLL file, detected by Symantec as Trojan.Naid, which connects to a command-and-control (C&C) server at 110.173.55.187. 

Interestingly, a Trojan.Naid sample was also signed by the compromised Bit9 certificate discussed in the Bit9 security incident update and used in an attack on another party.  This sample also used the backchannel communication server IP address 110.173.55.187.   

The Trojan.Naid attackers have been extremely persistent and have shown their sophistication in multiple attacks.   Their...

Read more
Fake Antivirus Renewal Email Rises from the Dead
Symantec Security Response | 02 May 2013 19:58:56 GMT | 0 comments

Over the last few years, many reports, white papers, and blogs have been released detailing targeted attacks. For example, some attacks employ sophisticated infection methods, such as watering hole attacks, and some rely on exploit code hidden in document files mixed with social engineering schemes. Some time ago, when the malware world was still dominated by mass-mailing worms that used fake emails as the infection method, one of the schemes was a fraudulent license renewal notification from well-known antivirus vendors.

Some may think that this scheme had become extinct but we saw evidence recently that it is still alive and kicking when an email was sent to an electric power company and a major industrial company in Japan.

Figure 1. Fake antivirus...

Read more
Fake Adobe Flash Update Installs Ransomware, Performs Click Fraud
Val S | 02 May 2013 19:58:59 GMT | 0 comments

Adobe Flash is one of the most widely distributed products on the Internet. Because of its popularity and global install base, it is often a target of cybercriminals. Cybercriminals are using social engineering methods to distribute their malware through fake Flash update sites, often compelling unsuspecting users, who may be in need of a software update, to unknowingly install malware.

Recently, we came across the following site masquerading itself as an Adobe Flash Player update page:

http://16.a[REMOVED]rks.com/adobe/
 

Figure 1. Fake Adobe Flash update page
 

The attacker has created what appears to be a rather convincing landing page; however, there are a few inconsistencies. Most of the links resolve back to the attacking domain and all of the links within...

Read more
As Russians Ready for Fatherland Day, Spammers Take Advantage
Evan liu | 02 May 2013 19:59:00 GMT | 0 comments

Major events and holidays have always been a time for celebrations. Unfortunately, it also attracts unscrupulous spammers searching to make a quick offer. Symantec observes that spam email usually spikes in conjunction with these holidays.

One such occasion is Defender of the Fatherland Day observed on February 23, which is a Russian holiday in countries of the former Soviet Union, such as Belarus and Tajikistan. Aside from parades and processions in honor of veterans, it is also customary for women to give small presents to men in their lives, such as fathers, husbands, and co-workers. Consequently, the holiday is often referred to as Men's Day.

As such, most spam emails revolve around souvenirs, small gifts, and even men’s medicine such as Viagra. Below is an example of some of these emails:

Subject: Волшебные подарки на 23 февраля
Translation: Magical gifts for February 23

...

Read more
Stuxnet 0.5: The Missing Link
Symantec Security Response | 02 May 2013 19:59:01 GMT | 0 comments

In July 2010, Stuxnet, one of the most sophisticated pieces of malware ever written, was discovered in the wild. This complex malware took many months to analyze and the eventual payload significantly raised the bar in terms of cyber threat capability. Stuxnet proved that malicious programs executing in the cyber world could successfully impact critical national infrastructure. The earliest known variant of Stuxnet was version 1.001 created in 2009. That is, until now.

Symantec Security Response has recently analyzed a sample of Stuxnet that predates version 1.001. Analysis of this code reveals the latest discovery to be version 0.5 and that it was in operation between 2007 and 2009 with indications that it, or even earlier variants of it, were in operation as early as 2005.

Key discoveries found while analyzing Stuxnet 0.5:

  • Oldest variant of Stuxnet ever found...
Read more
Stuxnet 0.5: Disrupting Uranium Processing at Natanz
Symantec Security Response | 02 May 2013 19:59:03 GMT | 0 comments

When Symantec first disclosed details about how Stuxnet affected the programmable logic controllers (PLCs) used for uranium enrichment in Natanz, Iran, we documented two attack strategies. We also noted that the one targeting 417 PLC devices was disabled. We have now obtained an earlier version of Stuxnet that contains the fully operational 417 PLC device attack code.

After painstaking analysis, we can now confirm that the 417 PLC device attack code modifies the state of the valves used to feed UF6 (uranium hexafluoride gas) into the uranium enrichment centrifuges. The attack essentially closes the valves causing disruption to the flow and possibly destruction of the centrifuges and related systems. In addition, the code will take snapshots of the normal running state of the system, and then replay normal operating values...

Read more
Stuxnet 0.5: How It Evolved
Symantec Security Response | 02 May 2013 19:59:06 GMT | 0 comments

Introduction

Stuxnet stores a version number within its code. Analysis of this code reveals the latest discovery to be version 0.5. Based on website domain registration details, Stuxnet 0.5 may have been in operation as early as 2005. The exact date this version began circulating in the wild is unclear. What is known is that the date this early variant stopped compromising computers was July 4, 2009—just 12 days after version 1 was created.
 

Table 1. Known Stuxnet variants, based on main module PE timestamps
 

This blog focuses on the Stuxnet timeline, how Stuxnet 0.5 fits into the attack timeline, and its evolution to Stuxnet version 1.
 

Evolution

Stuxnet 0.5 is...

Read more
Stuxnet 0.5: Command-and-Control Capabilities
Symantec Security Response | 02 May 2013 19:59:07 GMT | 0 comments

Similar to Stuxnet 1.x versions, Stuxnet 0.5 has limited command-and-control (C&C) ability. In particular, Stuxnet 0.5 does not provide fine-grained control to its authors. Instead, Stuxnet 0.5 can only download new code and update itself. Stuxnet needs to spread on isolated networks and therefore has been designed to be autonomous, reducing the need to have robust and fine-grained C&C ability. Stuxnet 0.5 also uses a secondary peer-to-peer mechanism in order to propagate code updates to peers on networks inaccessible to the broader Internet.

Stuxnet 0.5 has four C&C servers, all of which are now either unavailable or have since been registered by an unrelated party.

Interestingly, Stuxnet 0.5 is programmed to stop contacting the C&C server after January 11, 2009, even though the threat is programmed to stop spreading several months later after July 4, 2009.

The C&C server domains were created in 2005 and all displayed the same front page...

Read more
Ichitaro Vulnerability: Another Zero-Day Exploit in the Wild
Joji Hamada | 02 May 2013 19:59:08 GMT | 0 comments

Contributor: Masaki Suenaga

We have already seen a handful of zero-day vulnerabilities being exploited in the wild this year. These vulnerabilities have affected users globally leaving both individuals and organizations scrambling to protect their computers. While this does become tiring, this is not the time to rest or become complacent, especially for those using the Japanese word processor software, Ichitaro.

JustSystems has just announced a vulnerability that is currently being exploited in the wild. Symantec has seen the exploitation in the wild since mid-January, but it has been limited to users in Japan. The attacks using the exploit typically involve archive files containing the following files:

  • A clean Ichitaro document (.jtd file)
  • A modified JSMISC32.DLL file with a hidden attribute
  • A malicious DLL file with a hidden attribute and a .jtd file...
Read more