Security Response
Ankit Singh | 04 Nov 2014 11:02:49 GMT

On October 27, while tracking exploit kits (EKs) and infected domains, Symantec discovered that the popular music news and reviews website spin.com was redirecting visitors to the Rig exploit kit. This exploit kit was discovered earlier this year and is known to be the successor of another once popular EK, Redkit. The Rig EK takes advantage of vulnerabilities in Internet Explorer, Java, Adobe Flash, and Silverlight and was also one of the EKs associated with the askmen.com compromise back in June.

At the time of writing, the spin.com website was no longer compromised....

Symantec Security Response | 01 Nov 2014 00:11:56 GMT

Symantec Security Response has seen an increase in the number of reports related to a threat known as Trojan.Poweliks. Poweliks is unique when compared to traditional malware because it does not exist on a compromised computer as a file. Instead, it is located in a registry subkey that is found within the computer’s registry.

Figure. Trojan.Poweliks registry subkey

While Trojan.Poweliks is unique in how it resides on a computer, it can arrive on a computer through more common methods, such as malicious spam emails and exploit kits. Once on the compromised computer, Trojan.Poweliks can then receive commands from the remote attacker.

Poweliks has reportedly been delivered through malicious spam emails that claim...

Sean Butler | 29 Oct 2014 06:04:06 GMT

Symantec has recently seen a spam campaign involving fake wire transfer request emails. While this technique is not new, and has had some coverage in the press this year, we have seen an increase in this type of spam recently.

The purpose of this type of email is very simple—to get the recipient to process a payment for non-existent goods or services by way of a wire or credit transfer. The scammers send an email to a target recipient, usually pretending to be from the CEO or a senior executive of an organization. The scammers will usually send the fake wire transfer emails to employees working in the finance department of a company, as those employees will have the ability to action payment requests.

Another tactic the scammers use...

Symantec Security Response | 22 Oct 2014 17:15:56 GMT

At least two groups of attackers are continuing to take advantage of the recently discovered Sandworm vulnerability in Windows by using an exploit that bypasses the patch. The vulnerability came to light following its exploitation by a group known as Sandworm, but there is now some evidence to suggest that at least one of these other groups was aware of its existence before its disclosure on October 14.

As with Sandworm, these attacks once again used infected PowerPoint documents, sent as email attachments, as the means of infection. These malicious attachments are detected by Symantec as Trojan.Mdropper. The attacks are being used to deliver at least two different payloads to victims, Trojan.Taidoor and ...

Candid Wueest | 21 Oct 2014 12:07:09 GMT

Download a copy of our whitepaper: The continued rise of DDoS attacks.

Distributed denial-of-service (DDoS) attacks are not a new concept, but they have proven to be effective. In the last few years they have grown in intensity as well as in number, whereas the duration of an attack is often down to just a few hours. Such attacks are simple to conduct for the attackers, but they can be devastating for the targeted companies. Amplification attacks especially are very popular at the moment as they allow relatively small botnets to take out large targets. For such an attack, spoofed traffic is sent to a third-...

Bhaskar Krishna | 20 Oct 2014 16:45:39 GMT

Contributor: Joseph Graziano

PDF invoices sent over email have become increasingly common in today’s business world. However, that doesn’t mean that the file format is free of complications. Processing these invoices without verification from the recipient can lead to a compromised computer, with the user’s confidential data in jeopardy.

Over the past week, Symantec has observed a spam campaign involving suspicious emails that masquerade as unpaid invoices. However, these suspicious emails come with a nasty surprise attached in the form of a malicious .pdf file.

Figure 1. Malicious .pdf file attached to suspicious email

While these invoices may appear to be legitimate because the sender’s email address may be associated with a major company, the emails contain spelling errors in the subject line and the body of the email...

Nick Johnston | 17 Oct 2014 20:01:12 GMT

In March 2014, we blogged about how Google Docs and Google Drive users were being targeted by a sophisticated phishing scam. In this scam, messages included links to a fake Google Docs login page hosted on Google itself.

We continue to see millions of phishing messages every day, and recently we saw a similar scam targeting Dropbox users. The scam uses an email (with the subject "important") claiming that the recipient has been sent a document that is too big to be sent by email, or cannot be sent by email for security reasons. Instead, the email claims, the document can be viewed by clicking on the link included in the message. However, the link opens a fake Dropbox login page, hosted on Dropbox itself.

Figure 1. Fake Dropbox login page
...

Symantec Security Response | 16 Oct 2014 19:41:59 GMT

A newly discovered vulnerability in an old version of the SSL protocol represents a threat to a high number of Web servers because they contain legacy support for the outdated technology. The SSL Man In The Middle Information Disclosure Vulnerability (CVE-2014-3566) affects version 3.0 of SSL, which was introduced in 1996, and has since been superseded by several newer versions of its successor protocol, TLS. However, the vulnerability may still be exploited because SSL 3.0 continues to be supported by nearly every Web browser and a large number of Web servers.

SSL and TLS are both secure protocols for Internet communication and work by encrypting traffic between two computers. Most TLS clients will downgrade the protocol they use to SSL 3.0 if they have to work with legacy servers. The...

PraveenSingh | 14 Oct 2014 20:37:12 GMT

Hello, welcome to this month's blog on the Microsoft patch release. This month, the vendor is releasing eight bulletins covering a total of 24 vulnerabilities. Thirteen of this month's issues are rated 'Critical'.

As always, customers are advised to follow these security best practices:

  • Install vendor patches as soon as they are available.
  • Run all software with the least privileges required while still maintaining functionality.
  • Avoid handling files from unknown or questionable sources.
  • Never visit sites of unknown or questionable integrity.
  • Block external access at the network perimeter to all key systems unless specific access is required....

Symantec Security Response | 14 Oct 2014 19:50:38 GMT

Symantec is investigating reports that a zero-day vulnerability affecting Microsoft Windows TrueType Font (TTF) parsing is being exploited in a limited number of attacks. The Microsoft Windows 'Win32k.sys' TrueType Font Handling Remote Code Execution Vulnerability (CVE-2014-4148) is reportedly being exploited to gain remote access into an international organization.

The attack consisted of a document with a malicious TTF, which when viewed on a vulnerable computer would result in the execution of additional malware. The payload was a somewhat sophisticated remote access Trojan (RAT) that would run from memory. Symantec regards this vulnerability as critical since it affects all supported versions of the Windows OS and allows an attacker to execute code remotely on the compromised computer.

On October 14, 2014, Microsoft issued a security bulletin which provides a patch for the vulnerability. We recommend...