Symantec Blogs: Security Response

Samir Patil | December 18th, 2009
0 comments

Spammers are recycling their old spamming methods after more than two years. Symantec reported an .mp3 version of pump-and-dump stock spam back in October 2007.

In this recent spam attack, a small .mp3 file promoting a meds domain is attached to the email messages. These email messages contain no subject line or message body. The .mp3 file is a five-second message recorded in a female voice that promotes a particular meds domain. The file is approximately 11 KB in size and recorded at a 16 kbps bit rate. The voice is heavily distorted with background noise. The domain name spoken in the file is a recently registered domain in China.

Some of the random filenames used are as follows:

milksoppy.mp3
enwomb.mp3
realiser.mp3
escort.mp3
recarboniser.mp3
unlights.mp3
scathing.mp3
byproduct.mp3
lewes.mp3
micrometers.mp3
...

Hon Lau | December 18th, 2009
0 comments

Those looking to see the latest 3D blockbuster movie, The Avatar, on the cheap will have to take great care in what they search for. We have become aware of at least one site that has been rigged to redirect users to a page that presents the now-familiar "play video/need codec" screen. In an unusual twist, this time it is offering a new ActiveX update rather than the usual codec or Flash player updates.

[Image: FreeAvatarMovie_2.png]

[Image: avatar2_2.png]

Clicking on the play button or icon will send a request to update-activex.com, which will then eventually offer you a file named along the lines of Activex_Setup[1].45158.exe from the standardmultimedia.com domain. This is now detected as Trojan.FakeAV.

In addition to this malware page...

Mircea Ciubotariu | December 17th, 2009
0 comments

We have recently learned of yet another zero-day exploit in Adobe Acrobat. This time it's an overflow in a special type parameter of a function provided by the multimedia.api plugin, which can be triggered from JavaScript in the following manner:

media.newPlayer(null)

Somewhere deep in newPlayer, deinit_obj is set as the handler for deleting the object when it's no longer needed:

[Image: code1.png]

And eventually deinit_obj calls the destroy function from the object's v_table:

[Image: code2.png]

So far...

Livian Ge | December 16th, 2009
0 comments

Right at the year-end holiday season, Adobe and Adobe Reader have once again been found to have a new zero-day vulnerability (CVE-2009-4324).

The Adobe Reader and Acrobat 'newplayer()' JavaScript vulnerability lies in the multimedia plugin Multimedia.api. Current attacks against this vulnerability mainly use PDF files containing specially crafted JavaScript. Such crafted PDF files may reach a user's computer as email attachments and lure the user into clicking to open the file. Symantec has released the definition Trojan.Pidief.H for this threat.

When a user opens such a PDF file, the attacker exploits the vulnerability in the newplayer() function. The vulnerability occurs while newplayer() creates the player object: with null passed as the object-creation parameter, Adobe Reader is forced to throw an exception during the parameter check for creating the player object, and the exception handler then accesses an object pointer that has not been fully initialized, causing a system exception, as shown in Figure 1.

...

Vivian Ho | December 16th, 2009
0 comments

We’ve monitored a great deal of Christmas sales spam (in English) for the upcoming holiday. Compared to English holiday spam, Chinese spammers seem to be less active around Christmas, most likely because it is not a major holiday in the Chinese calendar. The Christmas holiday is popular among younger Chinese generations, however, and shopping for gifts is still expected. We have observed a couple of notable Chinese samples covering the topic of Christmas shopping. In the first sample, a spammer has sent a random Christmas sales ad, and we found that the spammer purposely set the promotion text background color to gray (<FONT style="BACKGROUND-COLOR: gray" color=gray>); you have to highlight the gray line in order to see the promotion text. In the header we observed a forged and randomized “From” alias. They used a shortened URL service in the body image, which led to an actual business website.

Sample Header:
...

Vivian Ho | December 16th, 2009
0 comments

Didn’t shop enough on Black Friday? Still looking for Christmas Gifts? Need to send holiday greetings? Spammers will send them all at your convenience! We started seeing Christmas-related spam just after the Thanksgiving holiday—spammers are just as busy as the rest of us are this holiday season.

We have recently observed many different types of Christmas-related spam, such as medical/replica/gift shopping offers, loan offers, lotto scams, fraud, and viruses. Many of them have Christmas-themed keywords in the header to lure users into opening the emails. We saw some last year and have already observed the familiar “festive” headers.

The following are some sample headers:

From: "Shop Smart this Christmas" <Details Removed>
From: "X-mas Loan Offer" <Details Removed>
From: "Christmas Gift Ideas" <Details Removed>
From: "Christmas" <Details Removed>  ...

Joji Hamada | December 14th, 2009
0 comments

Earlier today, we received a tip from a source that there is a possible Adobe Reader and Acrobat 0-day vulnerability in the wild. We have indeed confirmed the existence of a 0-day vulnerability in these products. The PDF files we discovered arrive as email attachments. The attack attempts to lure email recipients into opening the attachment. When the file is opened, a malicious file is dropped and run on a fully patched system with either Adobe Reader or Acrobat installed. Symantec products detect the file as Trojan.Pidief.H.

We have reported our findings to Adobe, who have acknowledged the vulnerability in this blog.

The analysis is still ongoing, so more details will follow. In the meantime, I recommend that everyone be extra vigilant during this holiday season, especially when...

Dermot Harnett | December 14th, 2009
0 comments

Notable highlights this month include the continuing shift of the region of message origin to APJ and South America, and changes in the average size of spam messages.
•    The EMEA region has been firmly displaced as the primary region of origin for spam—the APJ region has taken that mantle. The APJ region currently accounts for 26 percent of all spam, which is a nine percentage point increase since June 2009.
•    With respect to the average size of spam messages, 71.08 percent of messages now have an average message size between 2 KB and 5 KB, while 19.53 percent have an average message size between 5 KB and 10 KB.
•    With respect to spam categories, Internet spam decreased by four percent and now accounts for 35 percent of all spam messages, with leisure and fraud increasing by three and two percent, respectively.

Click...

Masaki Suenaga | December 13th, 2009
0 comments

The AVAR 2009 Conference was held in the historical city of Kyoto, Japan from November 5. As this year's trends are cloud computing, fake antivirus software, and massive PDF file attacks, the cloud and PDF topics were covered at the conference.

We had several Japan-specific sessions. Some delegates from the Japanese ministries and governmental agencies spoke about their tasks and statistics on cyber crimes. As with other nations, Japan has its own particularities in computer usage and malware, such as the widespread usage of the peer-to-peer software called Winny, the related malware W32.Antinny, and the destructive Trojan horse Trojan.Haradong that was discovered on the Winny network (the creator was eventually arrested). Another trend in Japan is the so-...

Mathew Maniyara | December 11th, 2009
0 comments

The popularity of applications on social networking websites has increased a great deal this year. This has led to a new wave of phishing attacks targeting the users of these applications. Symantec has examined phishing websites exploiting three major social networking brands. The fake websites display attractive offers on the social networking applications to lure end users. Some of the applications that the phishing sites were based on are:

1.    Social networking on mobile – Due to the rise in the number of users accessing the Internet through smart phones, social networking websites have expanded their services on smart phones, including messaging, chatting, photo viewing, etc. This increase in users has opened more doors to attackers because there are now more potential victims. Hence, attackers have created phishing websites on social networking brands claiming to provide these services on smart phones.
2.    ...

Samir Patil | December 11th, 2009
0 comments

In a new wave of phishing attacks, Symantec has observed that attackers are targeting the FTP credentials of websites. The messages appear to come from various trusted Web hosting providers. So far we have observed that users of over 100 Web hosting providers are being targeted by this attack.

The attackers ask users to click on the link provided in the spam message, which leads them to an “FTP access confirmation” page where the recipients' FTP credentials are stolen. Attackers use a phishing cPanel page to do this (cPanel is a Web hosting administration tool).

Some of the various subject lines observed are as follows:

Subject: for [hosting domain name] webhosting user
Subject: [hosting domain name] web hosting update
Subject: [hosting domain name] webhosting update
Subject: for [hosting domain name] web hosting user

...

Thomas Parsons | December 10th, 2009
0 comments

In quality assurance circles at Symantec it is often stated that clean data (e.g. files from clean software) are to false positives as malicious data are to true positives. In simpler terms: just as we can’t write antivirus signatures or antivirus technology without malicious data, we can’t prevent false positives without clean data.

At Symantec we go to serious lengths to generate, and also source, clean data to assist with our false-positive prevention efforts. With this in mind, over the past 12 months we piloted a “software white-listing program” that gives software developers and Independent Software Vendors (ISVs) the opportunity to proactively white-list their software with Symantec. The good news is that, due to the success of the pilot program, we are ready to offer this program on a...

Henry Bell | December 9th, 2009
0 comments

Ahoy there ye landlubbers! The high seas of wireless security appear to have gone commercial with the introduction of a paid service, which means it just got a whole lot easier for a casual attacker to break into your wireless network. Before going on to talk about how this attack vector can be used, though, we'll quickly cover some terminology; Wi-Fi standards can be an acronym minefield.

Many moons ago—more than ten years ago, in fact—a move was made to devise a method of securing wireless networks that would provide a level of confidentiality equivalent to that of traditional wired networks. The system was given the name Wired Equivalent Privacy (WEP). Unfortunately, flaws emerged and it turned out to be trivial to circumvent. WEP is still built into most Wi-Fi products on the market, but security-wise it was blown out of the water long ago, and as such its use is now heavily deprecated. Roll out the successors!

Wi-Fi Protected Access (WPA) was...

Andrea Lelli | December 9th, 2009
0 comments

A spike in new infections of Trojan.Mebroot has been found in the wild, and after some investigation the data shows that there is a new wave of Mebroot Trojans being distributed through a popular exploit pack. The binary executables are using a newer packer to avoid detection by antivirus products.

Mebroot has been around for some time; apart from updating their packer, the most interesting thing about this infection is how Mebroot gets itself onto your machine in the first place. I had a glance at the network capture and the intrusion seems to be coming from Java:

[Image: one.jpg]

...

[Image: two.jpg]

Images 1 and 2: The network activity shows a series of HTTP GET requests that end up downloading an executable onto the machine.

This data stream shows some requests being...

Robert Keith | December 8th, 2009
0 comments

Hello and welcome to this month’s blog on the Microsoft patch releases. This month we also have a "Patch Tuesday" from Adobe.

Microsoft's patches

Microsoft released six security bulletins to address 12 vulnerabilities; seven are rated "critical." The critical issues affect Internet Explorer, Project, and Internet Authentication Service (IAS). Attackers could exploit the IAS issue remotely, without any interaction from victims. For the other issues, a user must visit a malicious Web page or open a malicious file.

The remaining issues, rated “Important” and “Moderate,” affect IAS, WordPad, Word, Active Directory Federated Services, and Windows LSASS.

Adobe's patches

Adobe is scheduled to release security updates for Flash Player and AIR (Adobe Integrated Runtime). Although both of the updates scheduled for release today are classified as "critical," all customers should apply the Flash Player update immediately because...