Security Response: Showing posts tagged with Endpoint Protection (AntiVirus)

If you are a resident of the United States and haven’t already filed your tax returns, maybe you should consider reading the following blog post. The countdown to “tax day” (April 15 in the United States) is currently in full swing, with the IRS offering daily tips for filing.

The run-up to tax day in the United States has traditionally become a time when phishing directed towards the IRS becomes more prevalent. As reported in previous Symantec State of Spam reports, spammers continue to attempt to disguise themselves as the IRS, dangling tax refund offers in front of unsuspecting users.

These “offers” are aimed towards recipients who may be unaware that the IRS “does not initiate communication with taxpayers through email.” The purpose of these attacks is...

During hard economic times, people look for ways to save money. Spending money on necessities such as tax preparation is no exception. Recently, spammers have been offering ways to save money on tax preparation as a means to enter a user’s inbox.
 
Below are some examples of subject lines spammers are using to lure users into opening messages:

File Your Returns Now!
TaxAct Online Home of the Totally Free federal tax return.
Prepare Free Print Free IRS e-file FREE
Click the link below to start your tax return

These messages are not just limited to taxpayers in the United States. Since spammers are part of  international underground corporations, other countries fall victim to spammers’ tactics as well. Our technicians have monitored emails directed to the people of France using the same principle. Here is an example:

Madame,...

If you’re one of those people with a passing knowledge of Linux, you might see it as something used exclusively by network admins, developers, and hobbyists. What you may not realize is that these admins, devs, and hobbyists have taken this versatile OS and ported it to all sorts of devices over the years. While some of these ports were for fun (epitomizing the “because I could” attitude of many hardware enthusiasts), Linux slowly began to appear on everyday devices. Today you can find the operating system on anything from phones to cameras to PVRs. Even if you’re not a gadget geek, you may have Linux-embedded device yourself without even knowing it.

While this swell in usage is great news for open-source advocates, it also brings with it unwanted attention. As we’ve seen time and again—as software gains in popularity it becomes more of a target for malicious code. Over the last few months,...

    当你看见一个“电影场记板”图样  的文件出现在邮件里，会不会好奇地想要点击一下这个文件，看看它到底会如何运行？如果答案是“肯定”的话，Backdoor.Tidserv木马病毒很可能就会通过这个渠道进入你的电脑。

     Backdoor.Tidserv是一个非常“狡猾”的病毒，其传播渠道和隐藏技术都十分多变。从传播渠道来讲，Backdoor.Tidserv可以将自己伪装为令人好奇的图标，作为垃圾邮件的附件进入用户计算机，驱使用户点击而触发病毒的执行；它还可能通过偷渡式下载的方式，在用户浏览某些不安全网页时自动载入用户计算机中。从隐藏技术来讲，Backdoor.Tidserv通常会被加壳，如Packed.Generic.200等。而且这个“壳”变种迅速，增加了防病毒软件查杀该病毒的难度。

    Backdoor.Tidserv首先检查互斥量 \TdlStartMutex以确保每次在计算机中只有一个实例在运行。 紧接着，Backdoor.Tidserv会在受感染的计算机中生成并运行以UAC开头的病毒文件。同时，病毒还会释放一个DLL文件，并通过修改msvcrt.dll入口以通过启动系统服务MSISERVER来加载这个DLL文件。该DLL文件运行后，会释放出一个驱动程序，当该驱动程序运行时，将隐藏系统中所有以UAC开头的文件—这不仅包括以UAC开头的病毒文件，还包括其他与该病毒无关却以UAC开头的干净文件。如此以来，所有和病毒命名相似的文件都将被隐藏，增加了防病毒软件对该病毒的检测难度。

    以下是我们根据病毒“自我隐藏”的特性所做的演示： 

    图一显示病毒运行前，文件夹的病毒文件Tidserv.exe，及其他以UAC开头的干净文件：

...

Easter is around the corner and as expected, attackers have already started to poison search engine queries to redirect users to websites that deliver misleading applications. Various search keywords related to Easter have been poisoned in Internet search results so that links to rogue websites are returned in the search listings. Some of the examples of poisoned keywords are:

Easter verse
Popular Easter Bible verse scriptures
Easter greeting card verses
Easter Bible verses
Easter verses poems
Bible Easter verse
Easter-Bible
Easter Bible quotes

Attackers are using various tricks, such as referrer checking, in order to evade security researchers. If the bogus domains returned in the search listing are visited directly, we will see a page with many Easter-related keywords and links used to bolster the page’s search ranking. However, if the bogus links are clicked on from the search engine results, users will be redirected to...

With Downadup/Conficker rising to celebrity status in the computer worm world, Symantec (along with other companies in the security industry) is hard at work, keeping our customers protected. But guess who else is hard at work at the moment? Yes, the authors of misleading applications. It isn’t the first time that they have latched onto popular news to fuel their malicious intent using search engine optimization (SEO).

Let's say you are curious about Conficker, or you think your computer might be infected with Conficker. By simply searching for "Conficker C," page one of the results includes a link to an infected site being used to spread a fake antivirus program:

Following the malicious link eventually leads you to a rogue...

As the Internet community continues to pay more attention to the reputation of websites and email senders, spammers are doing their best to hide behind well-established and reputable brands. Social networking sites have for some time now been used by spammers in the spam war. As more and more people become connected through social networking sites, it is not unusual to receive notifications of status update or sharing information from your friends. Symantec has recently observed a number of spam attacks claiming to be messages from various social networking sites.

One recent sample attempted to attract the attention of the recipient by using the following tactics:
1.    Claiming to be from a social networking site
2.    Indicating in the Subject line that message was from a social networking site
3.    The message indicated that the recipient had a personal message.

 ...