Symantec Security Response Blog

Phishing Site Uses Katrina Kaif as Bait
Mathew Maniyara | July 29, 2010

In the past couple of months, pornography has been used as bait in several phishing websites. In particular, phishers used fake images of the Indian film star Katrina Kaif on a phishing site that spoofed a social networking brand. The images were modified to increase their pornographic appeal.

Katrina Kaif is one of the most popular actresses in Indian cinema today. Recently, the actress has been in the news because of the circulation of a fake adult video on the Internet. The video, claimed to be of the actress, actually features a look-alike. The title of the phishing site read “Katrina Kaif’s XXX Tape,” giving the impression that the video in question was available for viewing.

Evidently, phishers have chosen the actress to create the phishing page because of her huge fan following and also because of the recent news about the XXX video clip. As with most cases of...

Tags: Endpoint Protection (AntiVirus), Katrina Kaif, Online Fraud, phishing, Security, Security Response, Spam
W32.Stuxnet Variants
Liam O Murchu | July 29, 2010

As we mentioned in a previous blog post, W32.Stuxnet contains a complex nested structure of files and components. We wanted to know whether the different samples seen in the wild are distinct variants or merely modifications to the wrapper around the same embedded components. To settle this, we unravelled each sample and determined what its payload consisted of. Here we present the results of that analysis.

From the samples we have reviewed (a subset of the total samples seen to date), we observed four distinct file sizes for the installer component, as shown below. Although there are four different installer sizes, the first three are actually the same binary with junk or null bytes appended. However,...

Tags: Endpoint Protection (AntiVirus), Security, Security Response, W32.Stuxnet
Tracking Cookies
Ben Nahorney | July 28, 2010

Given the millions of threats that Symantec products block every day, you might find it interesting to know which detection consistently holds the top spot. No, it’s not a worm such as W32.Stuxnet, a virus like W32.Virut, or even one of our long-term generic detections, such as Backdoor.Trojan. The detection most frequently encountered by Symantec antivirus users is Tracking Cookie.

Luckily this isn’t the sign of an underreported, massive outbreak in the threat landscape....

Tags: Endpoint Protection (AntiVirus), Security, Security Response, Tracking Cookie
After Football, Scammers Pursue the Cricket World Cup
Mathew Maniyara | July 28, 2010

The ICC 2011 Cricket World Cup begins on February 17, 2011, and phishing sites promoting the tournament have already been observed:

One of the phishing sites spoofs a popular social networking site and has a logo of the brand containing some artwork. It is interesting to note that the artwork has a sketch of the Arc de Triomphe in Paris. The fraudster probably intended to represent the Gateway of India in Mumbai, since the cricket finals will be held there. When the logo is clicked, information related to the event is displayed. Below the logo are icons for the sponsors and sports channels in India that will broadcast the tournament. The schedule of the matches has been finalized and tickets have been available for sale since June 1, 2010. The phishing site claims that users can get tickets to the matches by entering their login credentials. If the fraudsters are successful with the lure, users...

Tags: Endpoint Protection (AntiVirus), Cricket World Cup 2011, Online Fraud, phishing, Security, Security Response, Spam
Fraudsters Offering Free Mobile Phone Airtime
Mathew Maniyara | July 28, 2010

In July 2010, several phishing sites were observed to be spoofing social networking brands. This in itself is nothing new, but this time the sites were posting fake offers for free online mobile phone airtime top-ups. The phishing pages displayed the icons for a number of popular cellular service providers in India. Upon entering login credentials on the phishing site, the page displayed certain steps for the user to follow to obtain the fake offer:

First, the customer is asked to select the amount of the airtime recharge in rupees, which must not exceed Rs 500 per day. Once the amount is selected, the phishing site generates a block of code it calls “Java code” and prompts the user to use it whenever he or she wants a free recharge. The page states that the code has to be entered in the browser’s address bar after... (Note that a browser executes a javascript: URL typed into its address bar as script running inside the page currently open, so the “code” is JavaScript, and the step has nothing to do with airtime.)

Tags: Endpoint Protection (AntiVirus), Mobile & Wireless, Online Fraud, phishing, Security, Security Response, Spam
W32.Changeup: Visual Basic Polymorphic Code Uncovered
Takayoshi Nakayama | July 28, 2010

W32.Changeup is a polymorphic worm written in Visual Basic (VB). As we stated in the previous W32.Changeup blog post, our analysis focuses on the polymorphic behaviour the threat employs. There are many polymorphic worms, but polymorphic worms written in VB are very rare. Analysis of malware written in Visual Basic can be tricky; I have spent some time analysing this threat, and in this post I’ll take a closer look at the polymorphic aspects of the worm.

When the worm executes, it accesses the LinkTopic property in its own form. The strings for the form and module names that Changeup uses are recorded in the LinkTopic property. Every time it infects a computer, the strings are randomly modified.

Once loaded it searches for the string marked with an “x” added...

Tags: Endpoint Protection (AntiVirus), Security, Security Response, W32.Changeup
Security Trends to Watch in 2010: A Mid-Year Status Check
Vincent Weafer | July 27, 2010

As 2009 came to a close, we at Symantec looked into our crystal ball and made a few predictions regarding what online security trends we expected to see in 2010. Now that we’re halfway through the year, we’re taking a look back and evaluating ourselves based on how our forecasts are panning out thus far.

Here’s a brief recap of how we think our trend predictions are faring. We’ve rated each of them as either “on track,” “mostly on track,” “still possible,” or “more likely next year.”

An interactive version of the graphic provides more detail: each prediction can be clicked to read its corresponding mid-year status.

...
Tags: Endpoint Protection (AntiVirus), Emerging Threats, Evolution of Security, IT Risk Management, Security, Security Response, Security Trends 2010
W32.Changeup Threat Profile
Symantec Security Response | July 27, 2010

Introduction
It has been all about W32.Stuxnet for the past two weeks, due to its connection to SCADA systems as well as its use of an unpatched vulnerability to propagate. But since about a month ago we have observed a significant increase in infection numbers of W32.Changeup worldwide, especially in enterprise environments.

Figure 1. Distribution of W32.Changeup

Figure 2. Distribution of W32.Changeup.B
...

Tags: Endpoint Protection (AntiVirus), Security, Security Response, W32.Changeup
W32.Stuxnet – Network Operations
Liam O Murchu | July 25, 2010

Previously in our series of blog posts about Stuxnet we wrote about the installation details and the numerous files associated with the threat. In this installment I will discuss the network communication and command-and-control functionality of W32.Stuxnet. Although some of the tasks the threat performs are automated, others are performed only after the threat has connected to the command-and-control server and received specific instructions. It is this aspect of the threat that will be discussed here.

After the threat has installed itself, dropped its files, and gathered some information about the system it contacts the C&C server on port 80 and sends some basic information...

Tags: Endpoint Protection (AntiVirus), Malicious Code, Security, Security Response, W32.Stuxnet
W32.Stuxnet — Network Information
Vikram Thakur | July 22, 2010

We’ve been analyzing W32.Stuxnet, which is a threat that uses a legitimate digital certificate from a major third party and takes advantage of a previously unknown bug in Windows; ultimately, it searches for SCADA systems and design documents. The findings of our analysis are being documented in a series of blog articles.

Stuxnet contacts two remote servers for command and control, and until last week those domains were pointing to a server hosted in Malaysia. Once we identified those domains, we redirected traffic away from the C&C servers thereby preventing them from controlling the infected machines and retrieving stolen information.

Within the past 72 hours we've seen close to 14,000...
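As an added example (not Symantec’s code) of what the sinkhole data described above looks like in practice: once the C&C domains point at a server you control, its web access log becomes the census of infected machines. The script below parses that log, keeps requests whose virtual host is one of the redirected C&C domains, counts distinct client addresses within a 72-hour window, and lists those inside your own address space. The domain names, client addresses, beacon path and log lines are constructed placeholders; the post does not name the real C&C domains, and nothing here reproduces Stuxnet’s actual beacon format.

```python
import ipaddress
import re
from datetime import datetime, timedelta, timezone

# Assumption: placeholder names standing in for the redirected C&C domains.
SINKHOLED = {"c2-one.example", "c2-two.example"}

# Combined Log Format with a leading virtual-host field:
#   vhost client - - [time] "request" status bytes
LINE_RE = re.compile(
    r'^(?P<host>\S+) (?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<req>[^"]*)" (?P<status>\d{3}) \S+'
)

# Constructed sample log: three infected clients (one beaconing twice), one
# hit on an unrelated vhost, and one entry older than the reporting window.
SAMPLE_LOG = """\
c2-one.example 203.0.113.5 - - [20/Jul/2010:10:01:12 +0000] "GET /check HTTP/1.1" 200 0
c2-one.example 203.0.113.5 - - [20/Jul/2010:10:31:40 +0000] "GET /check HTTP/1.1" 200 0
c2-two.example 198.51.100.77 - - [20/Jul/2010:11:15:03 +0000] "GET /check HTTP/1.1" 200 0
c2-one.example 192.0.2.10 - - [21/Jul/2010:09:00:00 +0000] "GET /check HTTP/1.1" 200 0
www.example.org 192.0.2.99 - - [21/Jul/2010:09:00:01 +0000] "GET / HTTP/1.1" 200 512
c2-two.example 198.51.100.77 - - [15/Jul/2010:08:00:00 +0000] "GET /check HTTP/1.1" 200 0
"""

# Constructed reporting time; the window is measured backwards from it.
REPORT_TIME = datetime(2010, 7, 22, 12, 0, tzinfo=timezone.utc)


def parse_line(line):
    """Return (vhost, ip_address, timezone-aware datetime), or None if unparsable."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["time"], "%d/%b/%Y:%H:%M:%S %z")
    return m["host"], ipaddress.ip_address(m["ip"]), ts


def infected_hosts(log_text, since=REPORT_TIME, window=timedelta(hours=72)):
    """{sinkholed domain: set of distinct client IPs} seen in [since - window, since]."""
    start = since - window
    seen = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        host, ip, ts = rec
        if host in SINKHOLED and start <= ts <= since:
            seen.setdefault(host, set()).add(ip)
    return seen


def total_unique(seen):
    """Distinct infected clients across all sinkholed domains."""
    return len(set().union(*seen.values())) if seen else 0


def in_my_ranges(seen, cidrs):
    """Infected clients that fall inside the given CIDR ranges, as sorted strings."""
    nets = [ipaddress.ip_network(c) for c in cidrs]
    hits = set().union(*seen.values()) if seen else set()
    return sorted(str(ip) for ip in hits if any(ip in n for n in nets))


if __name__ == "__main__":
    seen = infected_hosts(SAMPLE_LOG)
    for host, ips in sorted(seen.items()):
        print(f"{host}: {len(ips)} distinct clients")
    print("total distinct clients:", total_unique(seen))
    print("inside 192.0.2.0/24:", in_my_ranges(seen, ["192.0.2.0/24"]))
```

Counting distinct client addresses rather than requests is what makes the number comparable across domains and days; the same infected host beacons repeatedly, and NAT means one address can also hide several hosts, so treat the count as a lower bound.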

Tags: Endpoint Protection (AntiVirus), Security, Security Response, W32.Stuxnet
Insights into Shutting Down the Virut Botnet
Nicolas Falliere | July 22, 2010

Virut is a Windows file infector that propagates by infecting executable and Web-related files (such as .html, .php or .asp files). Its payload runs as a remote thread inside winlogon.exe, a well-known, critical Windows process.

The payload does two things:

  • It infects other files.
  • It connects to a command and control (C&C) server.

The C&C channel is established over IRC. The IRC host names and ports are hard-coded inside the virus body and may be updated during propagation. The protocol details vary between variants. For instance, Virut may connect to a high TCP port and use encryption (a custom symmetric algorithm). Beneath the encrypted layer are standard IRC commands. It’s worth noting that the key is never directly exchanged between the client and its server. This means the server has to brute-force it, using a known-plaintext attack on the initial IRC nickname (NICK) request.
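The key-recovery step described in the paragraph above, as an added example that is neither Virut’s code nor Symantec’s: a toy stream cipher with a constructed 16-bit keystream generator stands in for the custom algorithm (which the post does not specify), the client encrypts its NICK line under a key it never transmits, and the server recovers that key by trying every key until the first five bytes decrypt to “NICK ” and the rest of the line is printable ASCII. The key size, the keystream mixing constants and the nickname are all assumptions made for the demonstration.

```python
import os

KNOWN_PREFIX = b"NICK "   # an IRC registration always begins with the NICK command
KEY_BITS = 16             # assumption: a toy key space small enough to enumerate


def keystream(key: int, n: int) -> bytes:
    """Constructed 16-bit LCG keystream; a stand-in, not the real algorithm."""
    state = (key * 0x9E37 + 0x7F4A) & 0xFFFF
    out = bytearray()
    for _ in range(n):
        state = (state * 0x5D27 + 0x1337) & 0xFFFF
        out.append((state >> 8) ^ (state & 0xFF))
    return bytes(out)


def xor_crypt(key: int, data: bytes) -> bytes:
    """Stream cipher: encryption and decryption are the same XOR."""
    return bytes(a ^ b for a, b in zip(data, keystream(key, len(data))))


def client_hello(key: int, nick: bytes) -> bytes:
    """Infected host: encrypt the NICK line under its key and send only the ciphertext."""
    return xor_crypt(key, KNOWN_PREFIX + nick + b"\r\n")


def recover_key(ciphertext: bytes, known_prefix: bytes = KNOWN_PREFIX):
    """Server side: known-plaintext brute force.

    The keystream must equal ciphertext XOR known_prefix over the first bytes;
    every key is tried, and a candidate is accepted only if the whole line then
    decrypts to a printable IRC line, which rules out a chance 5-byte match."""
    if len(ciphertext) < len(known_prefix):
        return None
    target = bytes(c ^ p for c, p in zip(ciphertext, known_prefix))
    for key in range(1 << KEY_BITS):
        if keystream(key, len(target)) == target:
            line = xor_crypt(key, ciphertext)
            if line.endswith(b"\r\n") and all(0x20 <= b < 0x7F for b in line[:-2]):
                return key
    return None


def server_accept(ciphertext: bytes):
    """Recover the session key from the first message and return (key, plaintext)."""
    key = recover_key(ciphertext)
    if key is None:
        return None
    return key, xor_crypt(key, ciphertext)


if __name__ == "__main__":
    session_key = int.from_bytes(os.urandom(2), "big")      # client picks a key
    first_packet = client_hello(session_key, b"bot1234")     # key never leaves the host
    print("client key:", hex(session_key))
    print("server recovered:", server_accept(first_packet))
```

The point for a defender is the one the paragraph makes implicitly: the server’s brute force only works because the key space is small, and anyone holding the same first packet (a capture of the encrypted NICK request) can run the identical search and read the channel. The scheme hides the key from a casual observer, not from an analyst.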

Other versions do...

Tags: Endpoint Protection (AntiVirus), Security, Security Response, W32.Virut
Distilling the W32.Stuxnet Components
Liam O Murchu | July 22, 2010

Previously, I blogged about the installation control flow used by W32.Stuxnet. In this blog I would like to discuss the complexity of the threat a little further and particularly focus on the amount of different files used by the threat and the purpose of each of those files, along with which files are signed and which are not.

The main payload of the threat is a UPX-packed .dll file, stored in encoded form inside one of the files that reside on an infected removable drive. When this UPX .dll is decoded and unpacked, it can be seen to contain many other files within itself, as outlined below.

The packed UPX .dll file contains 13 different resources; these resources consist of various different...
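As an added example (not Symantec’s tooling), the two observations above, wrapper-only variants that differ by appended junk or nulls, and a UPX-packed .dll payload, can be turned into a triage script: parse the PE section table, hash only the bytes the headers account for so that trailing padding does not change the hash, group samples by that hash, and report UPX section names. The PE parsing follows the documented header layout; the sample files are synthetic PEs built by build_synthetic_pe() with constructed section names, payload bytes and overlay, so it runs offline. It does not unpack UPX or extract the embedded resources.

```python
import hashlib
import struct

FILE_ALIGN = 0x200


def _align(n: int, a: int) -> int:
    return (n + a - 1) // a * a


def parse_sections(data: bytes):
    """Return [(name, virtual_address, size_of_raw_data, pointer_to_raw_data), ...]."""
    if data[:2] != b"MZ":
        raise ValueError("not a PE file: missing MZ signature")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file: missing PE signature")
    (nsections,) = struct.unpack_from("<H", data, e_lfanew + 6)   # COFF NumberOfSections
    (opt_size,) = struct.unpack_from("<H", data, e_lfanew + 20)   # SizeOfOptionalHeader
    table = e_lfanew + 24 + opt_size                              # section table start
    sections = []
    for i in range(nsections):
        off = table + 40 * i
        name = data[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        _vsize, vaddr, rawsize, rawptr = struct.unpack_from("<IIII", data, off + 8)
        sections.append((name, vaddr, rawsize, rawptr))
    return sections


def image_end(data: bytes) -> int:
    """Offset just past the last section's raw data; anything beyond is overlay."""
    return max((ptr + size for _, _, size, ptr in parse_sections(data)), default=len(data))


def overlay_size(data: bytes) -> int:
    return len(data) - image_end(data)


def core_hash(data: bytes) -> str:
    """SHA-256 of the header-described image only, so appended junk/nulls do not matter."""
    return hashlib.sha256(data[:image_end(data)]).hexdigest()


def looks_upx_packed(data: bytes) -> bool:
    """UPX names its sections UPX0/UPX1 by default (trivially renamed, so a hint only)."""
    return any(name.startswith("UPX") for name, *_ in parse_sections(data))


def cluster_samples(samples: dict) -> dict:
    """Group {label: bytes} by core hash; one group is one distinct payload build."""
    groups = {}
    for label, data in samples.items():
        groups.setdefault(core_hash(data), []).append(label)
    return groups


def build_synthetic_pe(sections, overlay: bytes = b"") -> bytes:
    """Minimal PE32 DLL skeleton for testing (constructed input, not loadable)."""
    e_lfanew, opt_size = 0x40, 0xE0
    headers_end = e_lfanew + 24 + opt_size + 40 * len(sections)
    raw_ptr = _align(headers_end, FILE_ALIGN)
    dos = bytearray(e_lfanew)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, opt_size, 0x2102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x10B)                        # PE32 magic
    table, body, vaddr = b"", b"", 0x1000
    for name, payload in sections:
        rawsize = _align(len(payload), FILE_ALIGN)
        table += struct.pack("<8sIIIIIIHHI", name.ljust(8, b"\0"), len(payload),
                             vaddr, rawsize, raw_ptr, 0, 0, 0, 0, 0x60000020)
        body += payload.ljust(rawsize, b"\0")
        raw_ptr += rawsize
        vaddr += _align(max(len(payload), 1), 0x1000)
    image = bytes(dos) + b"PE\0\0" + coff + bytes(opt) + table
    return image.ljust(_align(headers_end, FILE_ALIGN), b"\0") + body + overlay


if __name__ == "__main__":
    core = build_synthetic_pe([(b"UPX0", b"\xcc" * 300), (b"UPX1", b"payload" * 40)])
    samples = {"a.bin": core, "b.bin": core + b"\0" * 4096, "c.bin": core + b"JUNK" * 512}
    for label, data in samples.items():
        print(label, len(data), "overlay", overlay_size(data), "upx", looks_upx_packed(data))
    print(cluster_samples(samples))
```

The core hash neutralises only trailing junk; a wrapper that changes bytes inside a section, or that re-packs the payload, produces a different hash and must be unpacked before the embedded components can be compared, which is the analysis the post goes on to describe.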

Tags: Endpoint Protection (AntiVirus), Security, Security Response, W32.Stuxnet
Phishers Want Broadband Internet Service
Mathew Maniyara | July 21, 2010

Phishers have been targeting many sectors to steal confidential information for various reasons. Most of the time, the motive is financial gain. Here is an example of a phishing attack that was primarily targeting information for reasons other than financial gain. In July, Symantec observed a phishing website that spoofed an Internet Service Provider (ISP). The brand offers internet services using cable, ADSL, dialup, etc, and is a popular brand in Australia.

The link to the phishing website was sent to customers in spam email. The spam messages stated that the ISP was unable to verify the customer’s account due to a recent change in his or her contact details. The mail requested that the customer verify the account by providing certain information and supplied a link to the phishing website. The phishing website asked for login details and then led to a page that asked for personal...

Tags: Endpoint Protection (AntiVirus), phishing, Security, Security Response, Spam
The Hackers Behind Stuxnet
Patrick Fitzgerald | July 21, 2010

W32.Stuxnet has received a lot of media attention over the last few days. This incident provides almost a complete case study of how these attacks succeed and how they will probably be used in the future. A successful attack allowed the attacker to steal confidential SCADA design and usage documents.

Let’s start by saying we don’t know who is behind the attack, and historically discovering this is very rare. However, if someone proposed this type of attack a month ago, while we would have agreed it was theoretically possible, most would have dismissed such an attack as a movie-plot scenario. Furthermore, attacks of this nature are rarely disclosed publicly.

We know that the people behind this attack aren’t amateurs, but their final motive is unclear.

The principal facts in this case are:

  • The attackers discovered and used a zero-day...
Tags: Endpoint Protection (AntiVirus), Security, Security Response, W32.Stuxnet
Zlob.P – DNS Poisoning at Home
Fred Gutierrez | July 21, 2010

We have seen several threats that alter DNS settings in the past; however, this Zlob variant does more than change DNS settings. It takes advantage of popular search engines and makes money for its operators through ads and affiliate schemes. In this reincarnation, Zlob has three distinct states. In the first state the Trojan infects the computer and installs itself, partly by computing a cyclic redundancy check (CRC) over the Windows installation date. In the second state it discovers the network topology and reconfigures settings; if the router is reachable, it even attempts to log in to it. The third state deals with browser traffic: the Trojan performs a man-in-the-middle attack and alters what the user sees and does accordingly. We will take a look under the hood and analyse each of these states more closely.

State I: Installation

In order to ensure that...

Tags: Endpoint Protection (AntiVirus), DNS poisoning, Malicious Code, Security, Security Response, Trojan.Zlob, Trojan.Zlob.P

About Security Response Blog

Our security research centers around the world provide unparalleled analysis of and protection from malware, security risks, vulnerabilities, and spam.
© 2010 Symantec Corporation