
Security Response

Vikram Thakur | 08 Dec 2011 | 0 comments

Thanks to Stephen Doherty, Andrea Lelli, Nicolas Falliere, Paul Mangan, Asuka Yamamoto, and Sean Kiernan for their technical contributions.

Recently, we posted two blogs about attacks leveraging the latest Adobe vulnerability. These attacks are part of a long-running series of attacks using the Sykipot family of malware. Sykipot has been used in targeted attacks for at least the past couple of years, and unconfirmed traces date back to as early as 2006. The latest wave spiked on December 1, 2011 with a huge uptick of targeted entities being sent a PDF containing a zero-day exploit against Adobe Reader and Acrobat (CVE-2011-2462).

Symantec classifies the set of Trojans used by these attackers as ‘Sykipot’ and includes detection names such as...

Vikram Thakur | 22 Jul 2010 | 0 comments

We’ve been analyzing W32.Stuxnet, which is a threat that uses a legitimate digital certificate from a major third party and takes advantage of a previously unknown bug in Windows; ultimately, it searches for SCADA systems and design documents. The findings of our analysis are being documented in a series of blog articles.

Stuxnet contacts two remote servers for command and control, and until last week those domains were pointing to a server hosted in Malaysia. Once we identified those domains, we redirected traffic away from the C&C servers thereby preventing them from controlling the infected machines and retrieving stolen information.

Within the past 72 hours we've seen close to 14,000...

Vikram Thakur | 18 Jun 2008 | 0 comments

Some advice for the day: don't click on every link in your email. It looks like the Peacomm (Storm) authors have decided to use past and future events in China as lures for their latest creation. A new spam run is in progress with links to a file called "beijing.exe," which is currently detected by Symantec as Trojan.Peacomm.D.

Some of the subject lines we've seen so far are:

The most powerful quake hits China
Countless victims of earthquake in China
Death toll in China is growing
Recent earthquake in china took a heavy toll
Recent china earthquake kills million
China is paralyzed by new earthquake
Death toll in China exceeds 1000000
A new powerful disaster in China
A new deadly catastrophe in China
2008 Olympic Games are under the threat

...

Vikram Thakur | 05 May 2008 | 0 comments

No sooner had various agencies commented on the reduction of the size of the Storm network than we started seeing signs of another wave of malware in the offing. We are currently tracking some fast-flux domains related to Trojan.Peacomm (a.k.a. Storm). These domains were registered just a few days ago. Simply visiting the sites presents the user with a blank page; however, modifying the URLs to access a specific file runs a script which attempts to exploit several different vulnerabilities. Some of the vulnerabilities targeted are Bugtraq IDs 20047, 28157, 23224, 27533 and...

Vikram Thakur | 24 Mar 2008 | 0 comments

A couple of weekends ago, I was doing exactly what most computer users do in their free time. I was sitting in front of the computer, visiting sites that I have no business with. One site led to another and I eventually started looking for some old friends I had lost contact with over the years. One such search led me to Spoke.com, a business networking site. Using the Spoke search box soon had me believing that my computer might be infected and I would soon need to scan it for malicious programs. OK, I didn't really believe it because I was laughing a bit too much, trying to understand what the "warning" was trying to tell me:

...

Vikram Thakur | 27 Dec 2007 | 0 comments

It’s been less than 24 hours since the former Prime Minister of Pakistan was assassinated. As expected, the malware authors and distributors have already begun exploiting the morbid curiosity about Benazir Bhutto's death as a lure to spread their malice.

A simple search with terms such as "pakistan prime minister assassination" yields results that include pages like the one shown below:

[Image: bhutto_youtube.gif]

As some would expect, clicking on some of these links will mean that the old (technique-wise) ActiveX message box will appear:

[Image: bhutto_activex.gif]

The problem with many of these links is that the ActiveX Object is malicious. For example, following the link in the...

Vikram Thakur | 30 Nov 2007 | 0 comments

A few days ago we posted a blog entry about how some pharmaceutical sites were using link farms and spamming in their marketing campaign. The hackers were injecting links into compromised sites, which raised the marketed sites in search engine results. We followed up with some of the owners and administrators of sites that were being used in this spam campaign and found most administrators cleaning up the infections and closing holes in their Web applications promptly.

Ironically, after we posted the previous article the spammers began to use text from our blog to redirect traffic to their sites. This shotgun seeding technique allows the link farmers to rapidly manipulate the metadata and skew search results. Here is a screenshot of what we got by searching for one specific line from our previous blog entry.

...

Vikram Thakur | 27 Nov 2007 | 0 comments

Earlier today there was a report about Al Gore's site, climatecrisis.net, being hacked. The site contained links that weren't visible to the visitors, which pointed to various pharmaceutical products. The links could be viewed by looking into the source code of the page being displayed. The fact that Al Gore's site got hacked or compromised, while definitely of significance, uncovers a much bigger technique now being used by spammers. Here is a snapshot of the links from the hacked climatecrisis.net site:


As you can see, there are loads of links to a university's server. None of the links work. However, the hackers were able to get to the top of search results by creating...
