It's only been a couple of short weeks since the iPhone background-changing incident that took the world by storm (well, parts of Australia at least), but already a Dutch ISP has reported what would be the first malicious iPhone worm to be seen in the wild.
Unfortunate news to be sure, but not exactly surprising. Our two recent blogs relating to iPhone threats warned (and I quote) that 'the publicly released code could easily be altered so that consequences were not so benign'. In case you missed them, the first blog was about the Ikee rickroller, which wasn't really considered malicious in that it only changed the iPhone background to a picture of 80's pop singer Rick Astley and was really more of a warning from the creator that jailbroken iPhones in a certain state could be compromised. That incident...
A new exploit targeting Internet Explorer was published to the BugTraq mailing list yesterday. Symantec has conducted further tests and confirmed that it affects Internet Explorer versions 6 and 7 as well. The exploit currently exhibits signs of poor reliability, but we expect that a fully-functional reliable exploit will be available in the near future. When this happens, attackers will have the ability to insert the exploit into Web sites, infecting potential visitors. For an attacker to launch a successful attack, they must lure victims to their malicious Web page or a Web site they have compromised. In both cases, the attack requires JavaScript to exploit Internet Explorer.
The exploit targets a vulnerability in the way Internet Explorer uses cascading style sheet (CSS) information. CSS is used in many Web pages to define...
I had the honor recently of moderating a virtual roundtable discussion on the top Internet security trends from 2009 and what we expect to see in the security threat landscape in 2010. Funny thing about security predictions—you hope they won’t come true, but expect them to anyway. The roundtable featured expert panelists Paul Wood (Senior Analyst, MessageLabs Intelligence, Symantec) and Zulfikar Ramzan (Technical Director, Symantec Security Response). They each have unique insights into the world of cybercrime, spam, phishing attacks, and other cyberthreats that plague us all.
We want to give a big thanks to everyone who joined in to listen to our experts, and we hope you found it interesting. For those of you who couldn’t make it, please take a few minutes to listen to the podcast of the actual roundtable.
We are monitoring new malicious attacks that look similar to the fake "Microsoft Outlook reconfigure" spam campaign messages we have been observing for the last couple of months. That malicious campaign was followed by attacks on social networking sites, transforming from malicious code attacks into URL-based phishing attacks. These new attacks have similar traits, such as the spoofed “From” headers, which aggressively target and baffle enterprise users, and a subject line that is intended to cause panic (for obvious reasons—have a look at the example image below).
As seen in the message above, the mail attachment is a zipped file named “utility.zip” that extracts an executable detected as Trojan.Dropper by Symantec antivirus. Using...
Zeus is a botnet package that allows for the easy creation and command and control of a botnet. We've discussed Zeus previously in Zeus, King of the Underground Crimeware Toolkits. The main purpose of Zeus is to steal online credentials such as online banking passwords, but it can be configured to steal passwords from any online site.
Today, the BBC is reporting that police in the UK have arrested two suspects in relation to Zeus. While the details are preliminary, the two likely appear to be users of the Zeus botnet package rather than the actual creators, and thus the prevalence and usage of Zeus is likely to continue.
We've created a research paper providing more in-depth information on Zeus, including how the bot is created, what functionality it has, and additional screenshots on...
Yes, it’s a cheap trick and not even close to original. But the lesson here is that even obvious social engineering tricks can get people to click on a link. We can’t help ourselves. We love to click. Clicking on links and attachments that are accompanied by just the slightest bit of social engineering appears to be a basic human need. I expect it to show up in a revision of Maslow’s Hierarchy of Human Needs any day now—behind love, but certainly ahead of safety.
I do have a point to all this. Two actually. As we compiled the Security Trends to Watch in 2010, what occurred to me is that the people who most needed to read this information never will. At least not without some social engineering on my part. And since social engineering plays such a prominent role in future trends, it seemed appropriate. So I’ve decided to use this little trick to get people to...
The Security Response team has compiled the top security trends of 2009. We pulled data from the Global Intelligence Network and the experiences of the thousands of analysts and security experts at Symantec to come up with the top trends for the year. While none of these trends will be a surprise to anyone even casually following the threat landscape, when compiled and summarized, it is clear that the breadth of security problems in the past year was pretty stunning.
For example:
• Toolkits and threat recycling have made malware easier to create than ever
• Polymorphic technology is being applied to make threats harder to catch
• Botnets, large and small, are used as the foundation of attacks making most attacks complex
• All major news events are used for social engineering
• Major brands are being appropriated by cybercriminals...
Finally, some help with explaining Internet security to my non-geek friends! The Guide to Scary Internet Stuff video series will hopefully make my life a little easier. Explaining the intricacies of Internet security is a challenging task. I often have difficulty explaining to my non-technical friends and relatives why they need to know about risks on the Internet. On top of that, I sometimes discover that my advice has fallen on deaf ears as I inevitably fix their computers after a click on a spam or phishing link, or after they have not run Windows Update or updated their antivirus software in a while.
Although this is not the normal technical type of material that we post here on the Security Response blog, when Dominic Cook from our UK PR team showed me these, I immediately thought they were worth a post. The animations are fun, but most of all I think my friends will understand them, remember some of the advice,...
When trawling the Web today we came across a website that has been compromised and rigged so that it is returned in search engine results for many different search terms. The site in question belongs to a UK-based company that specializes in hiring out holiday homes and is a legitimate business. However, the site has been compromised and is being used in a major ongoing SEO-based misleading applications attack, and has been for some time now. As you can see in the sample search results below, you may wonder what college football, a Ukraine vs. Greece soccer match, Penn State basketball, and Robin Williams have to do with renting a holiday home—and with good reason, too.
The key to identifying malicious pages in the search results is...
In a nutshell, Clampi is an Infostealer threat. Its executable can be seen as a host for separate modules, containing the real payloads of the threat. These modules are heavily protected from reverse-engineering as well. The functionalities range from banking-site password stealing, to local credential gathering, to a SOCKS proxy. The communication with Clampi’s command & control servers, the “Gates”, uses HTTP and is encrypted. Clampi...
Recently, I've been seeing phishing attacks using Web forms attached to emails making the rounds again. This type of phishing isn't so common but is used on occasion, so I want to take this opportunity to remind everyone not to fall for this trick.
Common phishing attacks include emails purporting to be from legitimate entities like financial instituions, auction sites, and SNS sites which include links to Web sites set up by the attacker to steal user information.
In this case, however, the phishing site arrives as an email attachment rather than a link to the site included in the body of the email.
Threats targeting the Macintosh platform are much less common than those targeting Windows. The same can be said about video games, where Windows is the dominate platform of the two. Combining games and malware has happened before, but a Mac game performing malicious activities? That’s something relatively new.
Takashi Katsuki, one of our Tokyo engineers, came across just that today. The game looks to be a throw-back to the classic Space Invaders/Galaga style of games from the early 1980s. However, what brings this game into the realm of malicious code is that for every alien ship you destroy, the game deletes a file from your home directory.
Symantec Security Response has become aware of a Trojan Horse we detect as Trojan.Ramvicrype. The Trojan uses the RC4 algorithm to encrypt files on compromised computers, rendering them unusable. Presence of files with a .vicrypt extension is a sure-fire sign of infection.
Trojan.Ramvicrype is a little different from most other Ransomware programs we’ve seen in the past. Typically these kinds of threats display a message prompting users to visit a certain Web page or email a specific address. Users will end up paying the online criminals in exchange for keys that can be used to unlock the computer or decrypt the encrypted files.
Previously posted blogs on the subject of Ransomware can be found at:
This chapter in our Clampi saga brings us back to the malware’s logging facility. As we saw before, one of Clampi’s modules, codenamed LOGGER, is responsible for logging outgoing information going to a determined list of URLs – stored in a data file as CRCs.
One problem arises with banking sites that preprocess the user’s personal information before sending it over HTTPS—it’s done using client-side JavaScript. For instance, a hash of the input PIN number could be sent instead of the PIN number itself. This mechanism adds an extra layer of security, preventing malware from sniffing network traffic at one end of the SSL tunnel. But still, it’s only covering one end. It’s more secure than no encryption, but still not great. At least two methods exist to get around this:
