Video Screencast Help
Symantec to Separate Into Two Focused, Industry-Leading Technology Companies. Learn more.
Security Response
Showing posts in English
Bhaskar Krishna | 20 Oct 2014 16:45:39 GMT

Contributor: Joseph Graziano

PDF invoices sent over email have become increasingly common in today’s business world. However, that doesn’t mean that there are no complications with the file format. Addressing these invoices without requiring verification from the recipient can lead to a compromised computer with the user’s confidential data in jeopardy.

Over the past week, Symantec has observed a spam campaign involving suspicious emails that masquerade as unpaid invoices. However, these suspicious emails come with a nasty surprise attached in the form of a malicious .pdf file.

Figure 1. Malicious .pdf file attached to suspicious email

While these invoices may appear to be legitimate because the sender’s email address may be associated with a major company, the emails contain spelling errors in the subject line and the body of the email...

Nick Johnston | 17 Oct 2014 20:01:12 GMT

In March 2014, we blogged about how Google Docs and Google Drive users were being targeted by a sophisticated phishing scam. In this scam, messages included links to a fake Google Docs login page hosted on Google itself.

We continue to see millions of phishing messages every day, and recently we saw a similar scam targeting Dropbox users. The scam uses an email (with the subject "important") claiming that the recipient has been sent a document that is too big to be sent by email, or cannot be sent by email for security reasons. Instead, the email claims, the document can be viewed by clicking on the link included in the message. However, the link opens a fake Dropbox login page, hosted on Dropbox itself.

Dropbox 1.png

Figure 1. Fake Dropbox login page

Symantec Security Response | 16 Oct 2014 19:41:59 GMT

Poodle vulnerability.png

A newly discovered vulnerability in an old version of the SSL protocol represents a threat to a high number of Web servers because they contain legacy support for the outdated technology. The SSL Man In The Middle Information Disclosure Vulnerability (CVE-2014-3566) affects version 3.0 of SSL, which was introduced in 1996, and has since been superseded by several newer versions of its successor protocol, TLS. However, the vulnerability may still be exploited because SSL 3.0 continues to be supported by nearly every Web browser and a large number of Web servers.

SSL and TLS are both secure protocols for Internet communication and work by encrypting traffic between two computers. Most TLS clients will downgrade the protocol they use to SSL 3.0 if they have to work with legacy servers. The...

PraveenSingh | 14 Oct 2014 20:37:12 GMT

ms-tuesday-patch-key-concept-white-light 2.png

Hello, welcome to this month's blog on the Microsoft patch release. This month, the vendor is releasing eight bulletins covering a total of 24 vulnerabilities. Thirteen of this month's issues are rated ’Critical’.

As always, customers are advised to follow these security best practices:

  • Install vendor patches as soon as they are available.
  • Run all software with the least privileges required while still maintaining functionality.
  • Avoid handling files from unknown or questionable sources.
  • Never visit sites of unknown or questionable integrity.
  • Block external access at the network perimeter to all key systems unless specific access is required....
Symantec Security Response | 14 Oct 2014 19:50:38 GMT

Symantec is investigating reports that a zero-day vulnerability affecting Microsoft Windows TrueType Font (TTF) parsing is being exploited in a limited number of attacks. The Microsoft Windows 'Win32k.sys' TrueType Font Handling Remote Code Execution Vulnerability (CVE 2014-4148) is reportedly being exploited to gain remote access into an international organization.

The attack consisted of a document with a malicious TTF, which when viewed on a vulnerable computer would result in the execution of additional malware. The payload was a somewhat sophisticated remote access Trojan (RAT) that would run from memory. Symantec regards this vulnerability as critical since it affects all supported versions of the Windows OS and allows an attacker to execute code remotely on the compromised computer.

On October 14, 2014, Microsoft issued a security bulletin which provides a patch for the vulnerability. We recommend...

Symantec Security Response | 14 Oct 2014 16:00:10 GMT

A coordinated operation involving Symantec and a number of other security companies has delivered a blow against Backdoor.Hikit and a number of other malware tools used by the Chinese-based cyberespionage group Hidden Lynx. Dubbed Operation SMN, this cross-industry collaboration has seen major security vendors share intelligence and resources, resulting in the creation of comprehensive, multi-vendor protection which may significantly blunt the effectiveness of this malware. The organizations involved in this operation include Cisco, FireEye, F-Secure, iSIGHT Partners, Microsoft, Symantec, ThreatConnect, Tenable, ThreatTrack Security, Novetta, and Volexity.

The Hikit back door has been used in cyberespionage attacks against a range of targets in the US, Japan, Taiwan,...

Symantec Security Response | 14 Oct 2014 15:38:06 GMT


A critical new vulnerability in the Windows operating system is reportedly being exploited in a limited number of attacks against targets in the US and Europe. The Microsoft Windows OLE Package Manager Remote Code Execution Vulnerability (CVE-2014-4114) allows attackers to embed Object Linking and Embedding (OLE) files from external locations. The vulnerability can be exploited to download and install malware on to the target’s computer. The vulnerability appears to have been used by a cyberespionage group known as Sandworm to deliver Backdoor.Lancafdo.A (also known as the Black Energy back door) to targeted organizations.

The vulnerability affects all versions of Windows...

Satnam Narang | 02 Oct 2014 22:08:55 GMT

In May, Snapchat released an update to the popular photo-messaging application that put the “chat” into Snapchat by allowing users to send messages within the app.  We previously warned that criminals would inevitably leverage this feature in future spam campaigns. Sure enough, a number of Snapchat users have recently reported receiving chat messages and photos from their friends promoting diet pill spam.

Fruit spam on Snapchat
This is not the first campaign of this type we have seen. In February 2014, a number of Snapchat accounts were compromised and used to send images of fruit drinks, promoting websites called FrootSnap and SnapFroot....

Symantec Security Response | 26 Sep 2014 20:13:14 GMT

Australian Cryptomalware 1.png

Australia is a land that is blessed by natural beauty and plentiful resources. Its isolation in the Indian and Pacific Oceans has helped protect it from many global afflictions that have hit other lands closer to world population centers. While Australia’s geography has long shielded it from storms, what worked in the past does not always work in the present.

This is particularly true of digital threats. Since the middle of 2014, Symantec has observed a major global surge in the occurrence of many different cryptomalware families such as Cryptolocker, Cryptodefense, and...

Symantec Security Response | 25 Sep 2014 13:40:06 GMT


A new vulnerability has been found that potentially affects most versions of the Linux and Unix operating systems, in addition to Mac OS X (which is based around Unix). Known as the “Bash Bug” or “ShellShock,” the GNU Bash Remote Code Execution Vulnerability (CVE-2014-6271) could allow an attacker to gain control over a targeted computer if exploited successfully.

The vulnerability affects Bash, a common component known as a shell that appears in many versions of Linux and Unix. Bash acts as a command language interpreter. In other words, it allows the user to type commands into a simple text-based window, which the operating system will then run.

Bash can also be used to run commands passed to it by applications and it is this feature...