
Security Response

Symantec Security Response | 14 Feb 2013 08:59:53 GMT

Adobe posted a vulnerability report warning that vulnerabilities in Adobe Reader and Acrobat XI (11.0.1) and earlier versions are being exploited in the wild. Adobe is currently investigating this issue.

According to the FireEye blog posted earlier today, the malicious file arrives as a PDF file. Upon successful exploitation of the vulnerabilities, two malicious DLL files are dropped.

Symantec detects the malicious PDF file as Trojan.Pidief and the two dropped DLL files as...

Joji Hamada | 13 Feb 2013 21:35:07 GMT

Back in October 2012, we published a couple of blogs about Backdoor.Rabasheeta, a back door Trojan that was used to make numerous death threats from compromised computers, resulting in four wrongful arrests. The saga may have come to an end for the malware author who had been taunting the Japanese authorities for months. On February 10, the Tokyo Metropolitan Police arrested Yusuke Katayama, a 30-year-old Tokyo resident who works for an IT company, on suspicion of forcible obstruction of business by posting anonymous online threats, although the accused has denied any wrongdoing. Katayama was also arrested and convicted in 2006 for making similar online threats to a record company...

Candid Wueest | 12 Feb 2013 18:26:39 GMT

Hello, welcome to this month's blog on the Microsoft patch release. This month the vendor is releasing 12 bulletins covering a total of 57 vulnerabilities. Eighteen of this month's issues are rated 'Critical'.

As always, customers are advised to follow these security best practices:

  • Install vendor patches as soon as they are available.
  • Run all software with the least privileges required while still maintaining functionality.
  • Avoid handling files from unknown or questionable sources.
  • Never visit sites of unknown or questionable integrity.
  • Block external access at the network perimeter to all key systems unless specific access is required.

Microsoft's summary of the February releases can be found here:
http://technet.microsoft.com/en-us/security/bulletin/ms13-Feb

The following is a breakdown of the...

Symantec Security Response | 12 Feb 2013 06:05:44 GMT

As we have blogged in the past, Zeus (Trojan.Zbot) and other banking Trojans have been a headache to online banking customers all over the world for years. Certain countries such as Japan have in the past escaped attacks from banking Trojans, perhaps due to the language barrier or some other unknown reason. As the National Police Agency of Japan has reported several times, Japanese online banking customers have now started to fall victim to this type of attack.

Symantec recently came across a new Zeus file targeting five major banks in Japan. Figure 1 shows part of the decrypted configuration file. The...

Joseph Bingham | 11 Feb 2013 22:49:07 GMT

Contributor: Val S.

We recently came across a sample of a back door remote access tool (RAT) written entirely in Java. The RAT is freely distributed on underground forums, free for any registered forum user to download. It is named Frutas, which means "fruit" in Spanish.

Figure 1. Frutas logo

The Frutas RAT allows attackers to create a connect-back client JAR file to run on a compromised computer. When executed, it parses an embedded configuration file for a server IP and port to connect to. The back door builder provides some minor obfuscation, which allows the attacker to use a custom encryption key for some of the embedded back door functionalities.
...

abhinav_singh | 09 Feb 2013 00:00:58 GMT

Contributor: John Harrison

Symantec has been tracking a large malvertising campaign for over 5 months now. The campaign is still active and uses Dynamic Domain Name System (DDNS) to prevent itself from being tracked.

The campaign spread rapidly and compromised popular domains and adult websites. High-profile domains with an Alexa ranking of 5,000 or under have also been compromised. Some compromised websites were cleaned after Symantec products alerted users when the sites were visited. However, many of the domains remain compromised.

The interesting thing about infections delivered through malvertising is that they do not require any user action (such as clicking) to compromise the system, and they do not exploit any vulnerabilities on the website or the server it is hosted on. Infections delivered through malvertising silently travel through Web page advertisements served by...

Symantec Security Response | 08 Feb 2013 20:03:18 GMT

Yesterday, Adobe released an out-of-cycle patch that fixed two zero-day vulnerabilities (CVE-2013-0633, CVE-2013-0634) in Adobe Flash Player 11.5.502.146 and earlier versions for both Windows and Macintosh. The patch was released because the zero-days were being actively exploited in attacks in the wild. Symantec recommends applying the patch immediately.

The attack seen in the wild using CVE-2013-0634 has been dubbed "LadyBoyle" following FireEye's initial analysis of the attack. In the analysis they identified a class file, named LadyBoyle, that contained the exploit code. Symantec can confirm that...

Joji Hamada | 07 Feb 2013 23:32:52 GMT

Last week, Twitter announced that the details of around 250,000 of its users may have been compromised before it discovered and stopped an attack on its network. There is not much you can do when attackers go straight to the service provider to try to steal your data; however, it is also common for attackers to approach the end user in order to obtain account details. Phishing is a popular tactic used to steal account details this way. When thinking of phishing attacks, people usually think of bank account or credit card details as the type of information that is stolen, but social network account details are also a popular commodity for attackers.

Attackers see phishing on social network sites as an easy way to trick users into giving their credentials away. So let me take this opportunity to go over one particular attack that has been taking place on Twitter over the last few months and show you...

Symantec Security Response | 06 Feb 2013 19:09:10 GMT

Today we are pleased to announce the successful takedown of the Bamital botnet. Symantec has been tracking this botnet since late 2009 and recently partnered with Microsoft to identify and shut down all known components vital to the botnet's operation.

Bamital is a malware family whose primary purpose is to hijack search engine results, redirecting clicks on those results to an attacker-controlled command-and-control (C&C) server. The C&C server then redirects the user to websites of the attackers' choosing. Bamital also has the ability to click on advertisements without user interaction. This results in a poor user experience when using search engines, along with an increased risk of further malware infections.

Bamital's origin can be traced back to late 2009, and the malware has evolved through multiple variations over the past couple of years. Bamital has...

Satnam Narang | 30 Jan 2013 23:01:00 GMT

Contributor: Joseph Bingham

A few weeks ago, we observed a spear phishing campaign targeting groups in the aerospace and defense industry. We identified at least 12 different organizations targeted in this attack. These organizations include aviation, air traffic control, and government and defense contractors.

Figure 1. Spear phishing email targeting the aerospace and defense industry

In choosing their targets, the attackers identified individuals in important roles, including directors and vice presidents. The content of all the emails was identical. The attackers used a report published in 2012 regarding the outlook of the aerospace and defense industries as the lure. The intention of the attackers was to make...