Security Response
khaley | 19 Oct 2009 12:11:08 GMT

In the 80’s I lived in NYC. At the time, enterprising hustlers had re-introduced the old Three Card Monte con game to NYC streets. Like wide ties and frozen yogurt shops, Three Card Monte always seemed to come back into fashion. Before you knew it, the streets were full of grifters running games. Whole blocks would be lined with these low-rent con men, standing behind cardboard boxes, tossing cards and asking the suckers to put their money on the red queen.
How could there be that many bad guys running Three Card Monte scams at one time? Well, there was plenty of money to be made, and it drew the criminal element like flies to honey. Grifters were making a lot of money at the con and every two-bit chiseler wanted their own piece of the action. Plus, there was very little needed to get in on the scam. The barrier to entry was low. You only need three playing cards, a couple of...

Hon Lau | 30 Sep 2009 12:07:33 GMT

An unfortunate side effect of any newsworthy disaster of the modern day is that a wave of malware will often follow in the virtual world after the initial event in the physical world. The large earthquake (8.3 on the Richter scale) recorded last night off the coast of Western Samoa and the subsequent tsunami caused much destruction and loss of life on the islands near the epicentre of the quake. As with any large-scale disaster that quickly becomes a major news event, people want to know what happened and to know that loved ones are safe. The Web, being a major source of information for many people around the world, is one of the first places to see such information-seeking activity. For many people, search engines are the gateway to the masses of information available, and because of this they are also one of the first places to be targeted by malware creators. They waste no time in getting their malicious software and web sites set up and poisoning the Web...

Ben Nahorney | 24 Sep 2009 20:48:07 GMT

A lot can be said with 140 characters. It’s just enough to convey a point, but constricting enough to make things concise. No wonder microblogging sites such as Twitter have become so popular.

Unfortunately one of the limitations here is sharing Web pages with long URLs. In order to address this issue, URL-shortening utilities have grown in popularity on the site. Using such tools allows you to include a link well within the 140-character limit, which will redirect anyone who clicks it to the longer URL and thus the site you wanted to share.

There’s one downside here, from a security point of view—you’ll often have no idea where the link leads until you click it. Clicking any link like this is entirely a security leap of faith. Unfortunately malware authors have caught on to this and are currently distributing misleading applications using these shortened URLs. Using enticing tweets and commonly used twitter search terms, their goal is to get...

Hon Lau | 14 Sep 2009 14:41:55 GMT

Tennis is a huge sport worldwide, and yesterday was the women's semifinal of the US Open in which Serena Williams lost out to her rival due to a foot fault. To cut to the chase, Ms Williams went on to deliver a verbal volley against the line judge, something about shoving tennis balls … somewhere. The exchange was caught on live video footage and many copies are currently doing the rounds on the Internet. The interest that this incident has stirred provided the spark needed to ignite yet another SEO campaign to spread malware. In the case of this incident, the malware is encountered when you search for terms such as "Serena Williams Outburst".

Search results

One of the sites returned from the search goes to a domain named This looks like another case of hacked web site used to host fake AV scanners leading to new variants of misleading...

Joji Hamada | 01 Sep 2009 21:17:43 GMT

Does the following screenshot look familiar to you? It sure does to us here at Symantec because it looks nearly identical to our Norton 2009 product. However, it is actually a misleading application we detect as Trojan.Fakeavalert.


The website that is used by the security risk to corral users to purchase rogue software looks suspiciously like our Norton site as well:


Besides using our brand name and Nortel's, there is another interesting trick that I thought would be worth a mention so no one gets fooled by this scam. Once infected with the security risk, the computer may suddenly explain that the user has a spyware infection and the following blue screen may appear:
...

Gilou Tenebro | 24 Aug 2009 09:28:21 GMT

In my previous post, I covered Waledac’s bootstrap mechanisms, armoring methods, and some parts of its communication protocol. Today, I will continue to discuss its communication protocol and how it implements its main functionalities through command-and-control (C&C) messages. I will describe its various tasks and commands, how it downloads components or updates, how it constructs its spam, and lastly how it acts as an infostealer.

Types of task messages

As I mentioned last time, W32.Waledac currently uses nine types of task messages. These messages are mainly used by the malware to distribute spam templates or word lists for its spam campaigns, to send...

Sumit Pagey | 19 Aug 2009 17:08:07 GMT

Misleading applications use various techniques such as fake security scans or exaggerated “malware found” reports to scare users into purchasing their so-called solutions. To take this to the next step, one such example of a misleading app—called “System Security”—is forcing users to purchase it because it can render a system nearly unusable. Once System Security is installed on a machine it terminates most of the active user processes such as Firefox, antivirus programs, Acrobat Reader, and others. Internet Explorer is spared from this list.


If the user tries to run Task Manager, antivirus software, or any other executable binary except Internet Explorer, this misleading application reports that the respective binary is infected and blocks access...

Gilou Tenebro | 04 Jul 2009 02:32:02 GMT

W32.Waledac has launched a new spam campaign using a 4th of July theme. Below are some screenshots of sample spam emails with the new theme.


If the unsuspecting user clicks the link in the email, they will be directed to a Web page similar to the following:


The page claims to contain a video of a fireworks show for this year’s 4th of July celebration. However, clicking on the "video" actually leads to a W32.Waledac executable. Watch out for spam containing any of the following strings in the subject and body of the email:

  • Fourth of July Fireworks Shows...

Parveen Vashishtha | 11 Jun 2009 10:02:32 GMT | 0 comments

Attackers often use search engines to deliver malware. Earlier we reported that Yahoo-sponsored search results were used to promote misleading applications. Also, attackers reportedly abused Google advertisement services in order to push out misleading applications.

Instead of using techniques like search engine optimization (SEO) poisoning to get the optimum listing in the search engine results, attackers have recently been using Google’s sponsored links. In this situation the attackers’ advertisements would have been displayed on all websites that use Google’s sponsored links. For example, when a user searches for Adobe Flash player 9, Google-sponsored links might display one particular download link as (Please...

Sumit Pagey | 27 Apr 2009 15:46:11 GMT | 0 comments

Misleading applications, also known as rogue antispyware applications, use various techniques such as misleading task bar notifications, popup windows, and fake security scans to attempt to scare users into believing they will need to purchase the “protection” offered by the misleading apps. We have observed a new technique being used by misleading applications, one that involves asking users to pay for software from popular vendors.

As is typical with misleading applications, when executed, a fake security warning is initially displayed:

Then, a fake system scan is conducted and non-existent threats are reported on the system:

However, instead of the misleading application...