Security Response

Showing posts tagged with Endpoint Protection (AntiVirus)
Symantec Security Response | 08 Feb 2013 20:03:18 GMT | 0 comments

Yesterday, Adobe released an out-of-cycle patch that fixed two zero-day vulnerabilities (CVE-2013-0633, CVE-2013-0634) in Adobe Flash Player 11.5.502.146 and earlier versions for both Windows and Macintosh. The patch was released because the zero-days were being actively exploited in attacks in the wild. Symantec recommends applying the patch immediately.

Reports of the attack seen in the wild using CVE-2013-0634 have been dubbed “LadyBoyle” following FireEye’s initial analysis of the attack. In the analysis they identified a class file, with the name LadyBoyle, that contained the exploit code. Symantec can confirm that...

Joji Hamada | 07 Feb 2013 23:32:52 GMT | 0 comments

Last week, Twitter announced that the details of around 250,000 of its users may have been compromised before it discovered and stopped an attack on its network. There is not much you can do when attackers go straight to the service provider to try to steal your data; however, it is also common for attackers to approach the end user in order to obtain account details. Phishing is a popular tactic used to steal account details this way. When thinking of phishing attacks, people usually think of bank account or credit card details as the type of information that is stolen, but social network account details are also a popular commodity for attackers.

Attackers see phishing on social network sites as an easy way to trick users into giving their credentials away. So let me take this opportunity to go over one particular attack that has been taking place on Twitter over the last few months and show you...

Symantec Security Response | 06 Feb 2013 19:09:10 GMT | 0 comments

Today we are pleased to announce the successful takedown of the Bamital botnet. Symantec has been tracking this botnet since late 2009 and recently partnered with Microsoft to identify and shut down all known components vital to the botnet's operation.

Bamital is a malware family whose primary purpose is to hijack search engine results, redirecting clicks on these results to an attacker-controlled command-and-control (C&C) server. The C&C server redirects these search results to websites of the attackers' choosing. Bamital also has the ability to click on advertisements without user interaction. This results in a poor user experience when using search engines, along with an increased risk of further malware infections.

Bamital’s origin can be traced back to late 2009, and it has evolved through multiple variations over the past couple of years. Bamital has...

Satnam Narang | 30 Jan 2013 23:01:00 GMT | 0 comments

Contributor: Joseph Bingham

A few weeks ago, we observed a spear phishing campaign targeting groups in the aerospace and defense industry. We identified at least 12 different organizations targeted in this attack. These organizations include aviation, air traffic control, and government and defense contractors.

Figure 1. Spear phishing email targeting aerospace and defense industry

In choosing their targets, the attackers identified individuals in important roles, including directors and vice presidents. The content of all the emails was identical. The attackers used a report published in 2012 regarding the outlook of the aerospace and defense industries as the lure. The intention of the attackers was to make...

Shunichi Imano | 29 Jan 2013 22:10:05 GMT | 0 comments

Symantec Security Response is aware that fake FedEx emails have been circulating recently. The emails claim the user must print out a receipt by clicking on a link and then physically go to the nearest FedEx office to receive their parcel. Obviously the parcel does not exist, and those who click on the link will be greeted by a PostalReceipt.zip file containing a malicious PostalReceipt.exe executable. Instead of receiving a parcel, which the user did not order in the first place, Trojan.Smoaler is delivered to the computer.

All the fake FedEx emails delivering this malware are almost identical except for the order numbers and the website the zip file is hosted on. One sign of laziness, or perhaps an oversight on the part of the malware author, is a consistent order date. The author does change the domain where Trojan.Smoaler is hosted daily. The following emails were spammed out...

Symantec Security Response | 28 Jan 2013 04:44:17 GMT | 0 comments

As we predicted toward the end of last year, we are once again seeing an upswing in ransomware activity in 2013. The ransomware extortion scam has been in existence now for a number of years but its popularity among cybercriminals has grown over the last two years and it continues to indiscriminately plague computer users in greater numbers. Symantec has tracked this growing menace in various blogs, a whitepaper, and a video.

In the last week Symantec has observed a new spike in ransomware activity being seen worldwide. While several variants of the ransomware threat are responsible for the overall spike, the main ransomware variant being observed is...

Takashi Katsuki | 25 Jan 2013 21:20:27 GMT | 0 comments

It is important for malware authors to keep a solid network connection between their malware on compromised computers and their own servers so that the malware can receive commands and be updated. However, communication between the malware and the malware servers may be filtered by a gateway or local firewall, or blocked by an intrusion prevention system (IPS). Consequently, malware authors try to find more secure methods of providing communication between the malware and the servers. For example, I wrote a blog last November detailing how Backdoor.Makadocs uses the Google docs viewer function as a proxy to maintain a solid connection between the malware and its servers. More recently, I discovered a Trojan horse that uses Sender...

Flora Liu | 24 Jan 2013 03:05:39 GMT | 0 comments

In February 2012, we blogged about Android.Bmaster (a.k.a. Rootstrap), which infected hundreds of thousands of devices. At that time, it was the largest mobile botnet documented to date. Recently, the Bmaster botnet has been overtaken by the newly uncovered MDK botnet. Kingsoft, which dubbed the threat Android.Troj.mdk, believes it is hidden in more than 7,000 apps and has infected up to one million devices.

Symantec’s analysis suggests the MDK Trojan is a new variant of Android.Backscript. Our detection for this threat family has been in place since September 2012. The code of MDK is very similar to Android.Backscript and they use the same certificate to...

Santiago Cortes | 24 Jan 2013 00:42:20 GMT | 0 comments

Contributor: Lionel Payet

Last week we saw how W32.Waledac was getting cozy with W32.Virut, but let us not forget about other spam botnets, like Trojan.Pandex (a.k.a. Cutwail), as they also persist in their propagation affairs.

The people behind W32.Cridex have used many attack vectors to spread the malware, including taking advantage of exploit kits like Blackhole, or attempting to deceive users with crafted PDF documents. This month they have managed to compose a more elaborate attack.

The attackers have...

Val S | 22 Jan 2013 20:18:13 GMT | 0 comments

At the time of this blog post, and for the past five days, we have noticed an increase in spam containing malware that targets Australians. The attackers behind this malicious spam campaign appear to have no specific target in mind other than compromising a large base in Australia for reasons still unknown. Symantec Security Response has observed two separate versions of this campaign purporting to be from Australian organizations and targeting Australian users.

In the following example, an email pretends to be from the "Australian Taxation Office" with the subject line "Tax Agent Report – Delayed Tax Returns" and contains a 'Tax Report.zip' attachment. Inside the zip file is a malicious TaxReport.xls.exe executable.

...