Symantec Blogs: Security Response

Dermot Harnett | December 14th, 2009

Notable highlights this month include the continuing shift of the region of message origin to APJ and South America, and changes in the average size of spam messages.
 
• The EMEA region has been firmly displaced as the primary region of origin for spam; the APJ region has taken that mantle. The APJ region currently accounts for 26 percent of all spam, a nine percentage point increase since June 2009.
• With respect to the average size of spam messages, 71.08 percent of messages now fall between 2 KB and 5 KB in size, while 19.53 percent fall between 5 KB and 10 KB.
• With respect to spam categories, Internet spam decreased by four percent and now accounts for 35 percent of all spam messages, with leisure and fraud increasing by three and two percent, respectively.


Masaki Suenaga | December 13th, 2009

The AVAR 2009 Conference was held in the historic city of Kyoto, Japan from November 5. As this year's trends are cloud computing, fake antivirus software, and massive PDF file attacks, the cloud and PDF topics were covered at the conference.

We had several Japan-specific sessions. Some delegates from the Japanese ministries and governmental agencies spoke about their tasks and statistics on cyber crimes. As with other nations, Japan has its own specialties in computer usage and malware, such as the widespread usage of the peer-to-peer software called Winny, the related malware W32.Antinny, and a destructive Trojan horse, Trojan.Haradong, that was discovered on the Winny network (the creator was eventually arrested). Another trend in Japan is the so-...

Mathew Maniyara | December 11th, 2009

The popularity of applications on social networking websites has increased a great deal this year. This has led to a new wave of phishing attacks targeting the users of these applications. Symantec has examined phishing websites exploiting three major social networking brands. The fake websites display attractive offers on the social networking applications to lure end users. Some of the applications that the phishing sites were based on are:

1. Social networking on mobile – Due to the rise in the number of users accessing the Internet through smartphones, social networking websites have expanded their services to smartphones, including messaging, chatting, photo viewing, etc. This increase in users has opened more doors to attackers because there are now more potential victims. Hence, attackers have created phishing websites on social networking brands claiming to provide these services on smartphones.
2.    ...

Samir Patil | December 11th, 2009

In a new wave of phishing attacks, Symantec has observed that attackers are targeting the FTP credentials of websites. The messages appear to come from various trusted Web hosting providers. So far we have observed that users of over 100 Web hosting providers are being targeted by this attack.

The attackers ask users to click on the link provided in the spam message, which leads users to an “FTP access confirmation” page where the recipients' FTP credentials are stolen. Attackers use a phishing cPanel page to do this (cPanel is a Web hosting administration tool).

Some of the various subject lines observed are as follows:

Subject: for [hosting domain name] webhosting user
Subject: [hosting domain name] web hosting update
Subject: [hosting domain name] webhosting update
Subject: for [hosting domain name] web hosting user

...

Thomas Parsons | December 10th, 2009

In quality assurance circles at Symantec it is often stated that clean data (e.g., files from clean software) are to false positives as malicious data are to true positives. In simple terms, this means that clean data helps us prevent false positives, just as we could not write antivirus signatures or antivirus technology without malicious data.

At Symantec we go to serious lengths to generate, and also source, clean data to assist with our false-positive prevention efforts. With this in mind, over the past 12 months we piloted a “software white-listing program” that gives software developers and Independent Software Vendors (ISVs) the opportunity to proactively white-list their software with Symantec. The good news is that, due to the success of the pilot program, we are ready to offer this program on a...

Henry Bell | December 9th, 2009

Ahoy there ye landlubbers! The high seas of wireless security appear to have gone commercial with the introduction of a paid service, which means it just got a whole lot easier for a casual attacker to break into your wireless network. Before going on to talk about how this attack vector can be used, though, we'll quickly cover some terminology; Wi-Fi standards can be an acronym minefield.

Many moons ago (more than ten years ago, in fact) a move was made to devise a method of securing wireless networks that would provide a level of confidentiality equivalent to that of traditional wired networks. The name Wired Equivalent Privacy (WEP) was given to the system. Unfortunately, flaws emerged and it turned out to be trivial to circumvent. WEP is still built into most Wi-Fi products on the market, but security-wise it was blown out of the water long ago, and as such its use is now heavily deprecated. Roll out the successors!

Wi-Fi Protected Access (WPA) was...

Andrea Lelli | December 9th, 2009

A spike in new infections of Trojan.Mebroot has been found in the wild, and after some investigation the data shows that there is a new wave of Mebroot Trojans being distributed through a popular exploit pack. The binary executables are using a newer packer to avoid detection by antivirus products.

Mebroot has been around for some time; apart from updating their packer, the most interesting thing about this infection is how Mebroot gets itself onto your machine in the first place. I had a glance at the network capture and the intrusion seems to be coming from Java:


...


Images 1 and 2: The network activity shows a series of HTTP GET requests that end up downloading an executable onto the machine.

This data stream shows some requests being...

Robert Keith | December 8th, 2009

Hello and welcome to this month’s blog on the Microsoft patch releases. This month we also have a "Patch Tuesday" from Adobe.

Microsoft's patches

Microsoft released six security bulletins to address 12 vulnerabilities; seven are rated "critical." The critical issues affect Internet Explorer, Project, and Internet Authentication Service (IAS). Attackers could exploit the IAS issues remotely, without any interaction from victims. For the other issues, a user must visit a malicious Web page or open a malicious file.

The remaining issues, rated “Important” and “Moderate,” affect IAS, WordPad, Word, Active Directory Federated Services, and Windows LSASS.

Adobe's patches

Adobe is scheduled to release security updates for Flash Player and AIR (Adobe Integrated Runtime). Although both of the updates scheduled for release today are classified as "critical," all customers should apply the Flash Player update immediately because...

Dermot Harnett | December 7th, 2009

According to the 2002 Census of the Population, 42% of the population of Ireland has the ability to speak Irish. Irish has also had official and working language status at the EU level since January 1, 2007. Recently, some examples of spam messages in Irish—the official language of the Republic of Ireland—have been observed.


While the Irish translation is generally pretty good in this example, there are some anomalies in how certain phrases have been constructed. For example:

“le do thoil bain na scriosaidh nuair a thugann tú cuairt ar ár láithreán gréasáin.”

When translated by a fluent Irish speaker into English, it translates as "Please remove destroyers when you come on a visit to our website." “Greasain” can also mean coverage—as in...

Jarrad Shearer | December 7th, 2009

It has come to our attention recently that a website is giving out instructions on how to use a low-tech social engineering trick to view private Facebook profiles. To view the instructions, a third-party application must first be downloaded and installed. While this application is not malware, it may impact computer performance. The instructions then describe how to view private Facebook profiles, with the result being that a Facebook user may receive a friend request from a person who is already on their friend list.

The social engineering trick lies in the fact that the friend request is not from the “friend” that it purports to be from. The friend request may also come with a personal message; the instructions also suggest a message, “Hey, I can’t login to the previous account. add [sic] me back in.” Since the friend request received both via email and Facebook looks legitimate (because it is legitimate; that is, the...

Candid Wueest | December 3rd, 2009

The Mozilla Firefox browser is constantly gaining in popularity. A recent market share survey by Net Applications gives Firefox 24% of users worldwide. One of the key philosophies of Firefox is that its functionality can easily be extended using plug-ins or extensions. According to the Mozilla Foundation there are more than 12,000 extensions available, and they have recorded more than 1 billion extension downloads so far. Quite an irresistible target for a malware author, don’t you think?

This is by no means a new phenomenon, nor a Firefox-centric one. Browser helper objects (BHOs) in Microsoft’s Internet Explorer have been misused by attackers for years, and we saw malicious Firefox extensions appear more than three years ago. But, we have recently observed an increase in malware that drops malicious BHOs, Firefox extensions, and even Opera user scripts—all this in order to maximize their impact on a user’s machine....

Hon Lau | December 1st, 2009

Piggybacking (pun intended) on the swine flu pandemic is the Zeus bot crew, whose latest offering comes in the guise of an email purporting to come from the CDC (Center for Disease Control). The email contains a link to a bogus Web page that is made to look like an official CDC page.

The content of the page asks you to create a profile that will then enable you to get the H1N1 flu vaccine.

The subject lines used in the emails are quite variable; for example, the following have been seen:

• Instructions on creation of your personal Vaccination Profile
• Governmental registration...

Hon Lau | November 30th, 2009

The Koobface gang has been keeping themselves busy of late. Like Santa's little elves, they’re beavering away, creating and checking their fake Facebook and YouTube video sites and packin' it (the worm, that is) twice. The latest campaign involves posting messages on Facebook profiles, which link either to fake video pages or to a fake Facebook page. Either way you will be offered a file named setup.exe, which may be presented as a Flash Player upgrade or some kind of free antivirus to protect you from Koobface.

The lure is put forth in compromised or bogus Facebook postings. The text is largely the same, though the messages appear with duplicate letters in various parts of the posts. For example:

•    I caan't ffall asleepp affter viewwing thiss videeo. I haven'tt seenn aanything liike this
•    I can''t falll aslleep aftter viiewing thhis vvideo. I havven't seeen aanything likee thhis
• ...

Hon Lau | November 28th, 2009

The car accident involving Tiger Woods last night outside his home in Windermere, Florida has been generating a lot of heat as far as Web traffic and searches go. Since the news broke, the top Web searches on Google have been related to this story. Even hours after the story broke, six out of the top ten search items are still related to this event. Tiger Woods is obviously a huge celebrity from a sport that has a huge worldwide following. The circumstances surrounding this accident are as yet unclear.

Search rankings for results relating to Tiger Woods

From an IT security point of view this unfortunate incident is just another fruit ripe for the picking as far as malware writers are concerned. So it comes as no surprise that the creators of rogue antivirus or misleading application software have already jumped on the...

Symantec Security Response | November 27th, 2009

Security Response has discovered a threat that is being talked about among some members of certain discussion groups in Japan. The threat, named Infostealer.Kenzero, teaches yet another lesson to those using file-sharing networks not to download illegal games. Infostealer.Kenzero primarily arrives in the guise of setup.exe, which in this case is a fake installation file for Japanese pornographic games that are circulating around the file-sharing network “Share.” Several pornographic games have been reported to include this malicious setup.exe file.

Once the setup.exe file is executed it attempts to download image files (.bmp) from a predetermined website. Using these images, the threat brings up a form that asks the user to enter personal information, including his or her full name, password for the game, email address, postal...