Video Screencast Help
Search Video Help Close Back
to help
New in the Rewards Catalog: Vouchers for "Symantec Technical Specialist" and "Symantec Certified Specialist" exams.

Security Response

Showing posts tagged with Endpoint Protection (AntiVirus) remove filter
Showing posts in English remove filter
Revamped Fake Android Market for SMS Fraud
Joji Hamada | 10 Feb 2012 | 0 comments

We have continued monitoring the massive campaign involving SMS Fraud on the mobile platform for a while now as new activities are constantly taking place. New domains are created practically every day and new variants are being released consistently. Most activities are not really noteworthy. However, we did discuss a recent development of interest regarding the APK malware using server-side polymorphism. And earlier this week, we came across a new type of site that is not technically interesting, but is worthy of a mention in order to warn people about the new activity.

A little while back, a fake Android Market was developed that hosted various Apps that were ultimately malware. As you can see below, the page looks slightly different from the official Android Market.

...
Read more
Is Waledac Spam Dirtying the Russian 2012 Elections?
Symantec Security Response | 10 Feb 2012 | 0 comments

Recently there have been several reports about the re-emergence of a botnet variant (Kelihos), which Symantec detects as W32.Waledac.C. The Waledac family is a threat that has been monitored by Symantec for many years and was featured in numerous blogs as well as a white paper. In the past, Waledac gained its infamy as a spamming botnet that utilized compromised systems to send out spam.  The purpose of these spamming campaigns had usually...

Read more
New Targeted Attack Using Office Exploit Found In The Wild
Joji Hamada | 09 Feb 2012 | 0 comments

Contribution: Takayoshi Nakayama

I was going through some files we acquired related to targeted attacks the other day and an unusual set of files caught my eyes. We did some analysis on the files and it turns out a pair of files in the set exploits a vulnerability we have not seen in the wild before. Microsoft is aware of the issue and notes users who have applied MS11-073 are fully protected.

The files stand out from the common targeted attacks because a Microsoft Word document file is paired with a .dll file. Usually, targeted attacks involve one file which drops malware. The pair would most likely arrive to the target wrapped in an archive file attached to an email. It is common to see document files sent by email inside an archive, but typically, you would not see .dll files ever sent by email.

The exploit makes use of an ActiveX control embedded in a Word document file....

Read more
Infostealer.Offsupload: 20,000+ Archives Containing Stolen Data Uploaded to Third Party File-Sharing Site
Stephen Doherty | 08 Feb 2012 | 0 comments

Upwards of 20,000 stolen archives have been uploaded to a third party file-sharing site from hosts infected with a new threat called Infostealer.Offsupload. The following heatmap indicates the U.S. is the primary target of infection, however, only a few countries worldwide have managed to avoid the affect of this threat.

Infostealer.Offsupload is being used as part of a blended threat. The initial stage of the attack is an email purporting to come from FedEx with a malicious attachment: “FedEx_Invoice.exe”.

Once executed, this Trojan (detected as Trojan.Gen.2) contacts a command-and-control (C&C) server in order to download...

Read more
Android.Bmaster: A Million-Dollar Mobile Botnet
Cathal Mullaney | 08 Feb 2012 | 0 comments

Thanks to Eric Chien for his assistance with this research.

Introduction

We recently came across a new piece of Android malware, first highlighted by NC State’s Xuxian Jiang, and began investigating the command-and-control (C&C) servers associated with the threat. The malware was discovered on a third party marketplace (not the Android Market) and is bundled with a legitimate application for configuring phone settings. Trojanized applications are a well known infection vector for Android malware, as they allow malware to be distributed while retaining the appearance of a legitimate application.

Analysis of these servers indicate the total number of infected devices connected to the botnet over its entire life span numbered in the hundreds of thousands. The number of infected devices able to generate revenue on any...

Read more
Server-side Polymorphic Android Applications
Symantec Security Response | 01 Feb 2012 | 0 comments

For quite some time, we have observed the technique of server-side polymorphism being used to infect Windows computers around the world. What this means is that every time a file is downloaded, a unique version of the file is created in order to evade traditional signature-based detection. We are now seeing this same technique being used for malicious Android applications hosted on Russian websites. We detect all of these variants as Android.Opfake. The sites hosting Opfake include either links or buttons that can be used to download the malicious packages that are purporting to be free versions of popular Android software.

The applications morph themselves automatically in a few ways every time the threat is downloaded. In addition, manual modifications are also made every few days indicating that the malware authors are actively maintaining this malware family.

Opfake...

Read more
An Update on Android.Counterclank
Symantec Security Response | 30 Jan 2012 | 0 comments

Last week, we posted a blog informing Android users of the discovery of new versions of Android.Tonclank, which we have named Android.Counterclank. The blog generated a bit of discussion over whether these new versions should be a concern to Android users. When classifying applications, our focus is on whether users want to be informed of the application's behavior, allowing them to make a more informed choice regarding whether to install it.

The situation we find ourselves in is similar to when Adware, Spyware, and Potentially Unwanted Applications first made appearances on Windows. Many security vendors did not initially detect these applications, but eventually, and with the universal approval of computer users, security companies chose to notify users of these types of applications...

Read more
MIDI exploit in the wild
Shunichi Imano | 27 Jan 2012 | 0 comments

Symantec Security Response is aware of in-the-wild malware exploiting the Microsoft Windows Media Player 'winmm.dll' MIDI File Parsing Remote Buffer Overflow Vulnerability (BID 51292). Microsoft has already issued a patch against this vulnerability in the monthly patch release this January. Applying the patch is strongly recommended.

There are several components involved in this live attack:

  • a.exe
  • baby.mid
  • i.js
  • mp.html

Symantec products detect mp.html and i.js as Trojan.Malscript. The vulnerable baby.mid file is detected as Trojan Horse and the end-result file, a.exe, is flagged as Downloader.Darkmegi....

Read more
Android.Counterclank Found in Official Android Market
Irfan Asrar | 27 Jan 2012 | 0 comments

Symantec has identified multiple publisher IDs on the Android Market that are being used to push out Android.Counterclank. This is a minor modification of Android.Tonclank, a bot-like threat that can receive commands to carry out certain actions, as well as steal information from the device.

For each of these malicious applications, the malicious code has been grafted on to the main application in a package called “apperhand”. When the package is executed, a service with the same name may be seen running on a compromised device. Another sign of an infection is the presence of the Search icon above on the home screen.

The combined download figures of all the malicious apps indicate that Android....

Read more
Insight into Sykipot Operations
Symantec Security Response | 26 Jan 2012 | 0 comments

The Sykipot campaign has been persistent in the past few months targeting various industries, the majority of which belong to the defense industry. Each campaign is marked with a unique identifier comprised of a few letters followed by a date hard-coded within the Sykipot Trojan itself. In some cases the keyword preceding the numbers is the sub-domain's folder name on the Web server being used. Here are some examples of the campaigns we have seen so far:

  • alt20111215
  • auto20110413
  • auto20110420
  • be20111010
  • chk20111219
  • chksrv20111122
  • easy20110720w
  • easy20110926n
  • good20110627
  • help20110908
  • help20110926
  • info20111025
  • info20111028
  • info20111031G
  • insight20111122
  • pretty20111101
  • pretty20111122
  • pub2011124x
  • server20111212
  • webmail20111122
  • ...
Read more

Technical Support

Symantec.com

Store

Community Stats

Total Content Items
Members
258,850