
Security Response

Orla Cox | 22 Jun 2010 | 0 comments

We've posted many articles discussing misleading applications and the tricks and techniques that are used to get them onto a user’s computer. Typical techniques employed include repeated, often aggressive, warnings about serious computer problems such as malware infections and system errors. Typically these warnings are fake and are used to scare the user into parting with their money in order to correct the "problems".

In recent weeks we started hearing chatter about what sounded like a new misleading application. The usual scare tactics were employed. However, instead of using applications to convince users that their computer was in trouble, this particular group was phoning users directly to tell them that they had a virus on their computer—but thankfully help was at hand. The company in question, Online PC Doctors, offers to remotely connect to your computer to clean up the...

Orla Cox | 10 Jul 2009 | 0 comments

We've been spending most of the past week pulling apart Trojan.Dozer in order to get a full understanding of what its purpose is. Its most publicized feature is the DDoS attacks it performs against a number of sites. But after some further research we've found some other sinister features in the form of an old-school time bomb.

First of all, the trojan checks whether the system time is after July 10th 2009 00:00:00. If it is, the threat begins its real mischief. It first searches for files with the following extensions:

.accdb
.alz
.asp
.aspx
.c
.cpp
.db
.dbf
.doc
.docm
.docx
.eml
.gho
.gul
.hna
.hwp
.java
.jsp
.kwp
.mdb
.pas
.pdf
.php
.ppt
.pptx
.pst
.rar
.rtf
.txt
.wpd...

Orla Cox | 07 Jan 2008 | 0 comments

In these “Stormy” times, here at Symantec we regularly warn users to be wary of following links in unsolicited email. Could it be considered a coincidence then that I received the following gem directly to my work email:

Was this a clever use of reverse psychology by phishers or malware authors? Or, had I really received an unsolicited (and unsigned) email from the author of a couple of recent whitepapers on "footprinting" and social engineering, asking me to click on a link?

It turns out it was the latter. Thankfully the link wasn’t malicious (the lack of misspellings in the mail was one of few clues!), but some people need to start practicing what they’re...

Orla Cox | 07 Jan 2008 | 0 comments

Reports started appearing on Saturday regarding the existence of malicious packages for the Apple iPhone. A package called "iPhone firmware 1.1.3 prep", which was described as “An important system update. Install this before updating to the new 1.1.3 firmware.” was reportedly causing problems for iPhone users once uninstalled.

According to various reports, installing the package doesn't have much effect on the iPhone. However, uninstalling it may cause problems, as the malicious package overwrites some other applications during the install. Some of the applications it overwrites are "Erica's Utilities" (a collection of command-line utilities for the iPhone) and OpenSSH. If the user chooses to uninstall the bogus package, these applications will also be removed. Affected users will need to reinstall these applications.

This is technically the first Trojan horse seen for the iPhone, however it does appear to be more of a prank than...

Orla Cox | 09 Oct 2007 | 0 comments

Today we had an interesting sample shared with us. It was a Microsoft Word document which, when opened, was simply crashing Word. We tried using various combinations of Word versions, patches and languages, and in each case (with the exception of Office 2007) opening the document would cause Word to crash. After taking a closer look, we could see that the document contained shell code and three other pieces of malware. What was interesting about the document was that it wasn't in OLE format, meaning that it wasn't a standard Microsoft Office document.

After some investigation we determined that the document had actually been created using Word for Macintosh. Here you can see the difference between the header in an OLE (Windows) format document compared to that of a Mac format document:

...

Orla Cox | 29 May 2007 | 0 comments

A new Trojan horse called Backdoor.Robofo has been spammed out today, which uses a variety of social engineering tactics to aid its propagation. First it masquerades as an email from the US Internal Revenue Service (IRS), including the use of the IRS logo in the message body to make it appear more legitimate:



The use of legalese in the message content may intimidate some users into opening the attachment. The attachment is called COMPLAINT.rtf and, when launched, displays the following bogus error message:


...

Orla Cox | 29 Apr 2007 | 0 comments

Commercial rootkits were first brought to the public's attention with the infamous Sony DRM case. This was followed a few months later by a rootkit component included on some KinoWelt DVDs. This rootkit was part of Alpha-DVD content-protection software, produced by Korean company Settec. Discussion surrounding commercial rootkits has died down somewhat since then; however, this doesn't mean that they've gone away.

Recently we added detection for a rootkit which is installed by Korean online shopping site, Cashmoa. In order to log onto the site, the user is required to install a software package. This package includes a driver called cmdriver.sys. The driver behaves like a rootkit by hiding processes which use a particular name. The...

Orla Cox | 28 Mar 2007 | 0 comments

Technologies come and go, but social engineering remains the most popular technique used to propagate malware. This tried and trusted method has been around since the Loveletter days, and malware authors don't seem to be giving up on it just yet. This year we've seen Trojan.Peacomm in a number of guises – from videos of current news stories to postcards from loved ones. However, the one "disguise" that we see most consistently is in the form of the humble invoice.

Recently, we've seen a spate of malware circulating (in Germany in particular), masquerading as various invoices. The year started with a spam run of Trojan.Schoeberl.E purporting to be a bill from German ISP 1&1. Since then, we've seen malware disguised as bills from a variety of firms...

Orla Cox | 08 Feb 2007 | 0 comments

Today has seen another large-scale spamming of Trojan.Peacomm, aka the "Storm Trojan". With Valentine's Day approaching, this time around the authors are attempting to tug on the heartstrings of unsuspecting users with romantic subject lines such as "My Heart belongs to you" and "Together You and I". The mail body is empty and the attachments have the usual names of "Greeting Card.exe", "Postcard.exe", and "Greeting Postcard.exe".

The Trojan is much the same as we've seen before, the only difference being that the authors have used a modified packer in an (unsuccessful) effort to evade detection by antivirus vendors. These latest samples are proactively detected as Bloodhound.Packed.13 with Rapid Release definitions dated 02/07/2007 (revision 54). Definitions dated 02/08/2007 (revision 25) and later will...

Orla Cox | 17 Oct 2006 | 0 comments

Closely following McDonald's trouble with infected MP3 players, Apple has now confirmed that a small number of Video iPods were shipped with malware onboard. According to an announcement on the Apple support site, Video iPods purchased after September 12th could potentially contain a copy of W32.Rajump. Like W32.Pasobir, the worm found on the McDonald's MP3 players, it too has the ability to copy itself to removable USB drives. Apple is recommending that users run an antivirus scan of their Video iPod before use.

Apple is quick to point...