Security Response
Showing posts tagged with Security Risks
khaley | 10 Apr 2009 18:53:25 GMT | 0 comments

It’s nice to pretend, but I’m under no illusions—I am not famous. Not even on the D-list. There are no paparazzi camped outside my house. If you asked my neighbor two doors down who I was, he probably wouldn’t know. And I have never, ever been hired as a celebrity endorser.
I woke up in the morning on the day after April Fool’s Day (seemingly unscathed), got my cup of coffee, and sat down to read the Symantec Security Response Blog. To my horror I was featured in the first blog post. Now, I didn’t write the article and I wasn’t named for my contribution to the research. I was part of the scam it discussed.

I’ve seen George Clooney’s name used to sell things in spam email (you’ll have to guess...

Téo Adams | 01 Apr 2009 17:55:35 GMT | 0 comments

I had a great time at CanSecWest 2009. There were some great speakers, the food was excellent, and the venue was pretty classy. One of the talks that stood out for me discussed using the BIOS as a means to persistently maintain control of a computer.

To my knowledge, this wasn’t the first time that the BIOS has been used by malicious code, but it is the first time that using the BIOS to fully contain and store said malicious code has been presented. By modifying the BIOS to store malicious code and install it on a local drive or device, an attacker can continually maintain control of a computer regardless of operating system reinstallations, physical change to hard drives, or other seemingly “sure fire” methods of system sanitization. This means that regardless of changes to devices or hardware, the computer remains at risk as long as the BIOS is not flashed with a “clean”...
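The only remediation the post names is reflashing with a known-clean image, which presupposes a way to tell a clean image from a tampered one. The block below is an added example (not code from the talk or from Symantec) of the check a responder would run after dumping the SPI flash with a hardware programmer: compare the dump against the vendor's reference image sector by sector and report exactly which sectors deviate, rather than just "hashes differ". The 64 KiB images, the 4 KiB sector size and the two patched regions are constructed for the example; real flash parts have vendor-specific layouts, and regions such as NVRAM/settings legitimately differ from the reference and must be masked before this comparison is meaningful.

```python
import hashlib
from typing import Dict, List, Tuple

# Compare at 4 KiB granularity. Assumption: this matches the erase-sector size
# of the SPI flash on the board in question; adjust for the target part.
BLOCK_SIZE = 4096


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def diff_firmware(reference: bytes, dumped: bytes,
                  block_size: int = BLOCK_SIZE) -> List[Tuple[int, int]]:
    """Return (offset, length) of every block whose contents differ between the
    vendor reference image and the image dumped from the board."""
    if len(reference) != len(dumped):
        raise ValueError(
            f"image size mismatch: {len(reference)} vs {len(dumped)} bytes")
    differing: List[Tuple[int, int]] = []
    for offset in range(0, len(reference), block_size):
        ref_block = reference[offset:offset + block_size]
        dump_block = dumped[offset:offset + block_size]
        if ref_block != dump_block:
            differing.append((offset, len(ref_block)))
    return differing


def verify_image(reference: bytes, dumped: bytes,
                 block_size: int = BLOCK_SIZE) -> Dict[str, object]:
    """Whole-image digests (to compare against a vendor-published hash) plus a
    block map showing where the dump deviates, so the tampered region can be
    pulled out for analysis before the chip is reflashed."""
    differing = diff_firmware(reference, dumped, block_size)
    return {
        "reference_sha256": sha256_hex(reference),
        "dumped_sha256": sha256_hex(dumped),
        "clean": not differing,
        "modified_blocks": differing,
        "modified_bytes_upper_bound": sum(length for _, length in differing),
    }


def build_sample_images() -> Tuple[bytes, bytes]:
    """Constructed 64 KiB stand-in for a flash image: a repeating byte ramp as
    the 'vendor' image, and a copy with two patched regions as the 'dump'."""
    reference = bytes(range(256)) * 256            # 65536 bytes
    tampered = bytearray(reference)
    # 32-byte patch straddling the 0x0000/0x1000 sector boundary
    tampered[0x0FF0:0x1010] = b"\xEB" * 0x20
    # 200-byte patch inside the 0x9000 sector (stand-in for an injected hook)
    tampered[0x9000:0x9000 + 200] = b"\x90" * 200
    return reference, bytes(tampered)


if __name__ == "__main__":
    ref, dump = build_sample_images()
    report = verify_image(ref, dump)
    print("clean:", report["clean"])
    for offset, length in report["modified_blocks"]:
        print(f"  modified block at 0x{offset:06X} ({length} bytes)")
```

A dump taken through the running operating system is not trustworthy for this purpose: code that owns the BIOS can also lie to the software reading it back, which is why the comparison should be done on a dump taken with an external programmer.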

Parveen Vashishtha | 26 Mar 2009 17:14:09 GMT | 0 comments

Easter is around the corner and as expected, attackers have already started to poison search engine queries to redirect users to websites that deliver misleading applications. Various search keywords related to Easter have been poisoned in Internet search results so that links to rogue websites are returned in the search listings. Some of the examples of poisoned keywords are:

Easter verse
Popular Easter Bible verse scriptures
Easter greeting card verses
Easter Bible verses
Easter verses poems
Bible Easter verse
Easter Bible quotes

Attackers are using various tricks, such as referrer checking, in order to evade security researchers. If the bogus domains returned in the search listing are visited directly, we will see a page with many Easter-related keywords and links used to bolster the page’s search ranking. However, if the bogus links are clicked on from the search engine results, users will be redirected to...
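The referrer check described above is a cloaking technique: the same URL answers differently depending on where the visitor appears to have come from. The block below is an added example (not Symantec's code) of how to model that server-side logic and how to probe a suspect page for it: fetch the URL directly, again with a search-engine Referer, and again with a crawler User-Agent, then compare the answers. The doorway page, the rogue-scanner hostname, the search query and both server models are constructed for the example; to run it against a live page, replace `cloaked_server` with a function that performs the real HTTP request without following redirects.

```python
from typing import Callable, Dict
from urllib.parse import urlparse

Request = Dict[str, str]
Response = Dict[str, str]

BROWSER_UA = "Mozilla/5.0 (Windows; U; Windows NT 5.1) Firefox/3.0.7"
CRAWLER_UA = "Googlebot/2.1 (+http://www.google.com/bot.html)"
SEARCH_REFERER = "http://www.google.com/search?q=Easter+Bible+verses"

# Hostname fragments the modelled attacker treats as "arrived from a search".
SEARCH_ENGINE_HOSTS = ("google.", "search.yahoo.", "bing.", "search.live.")


def cloaked_server(request: Request) -> Response:
    """Constructed model of the poisoned page: a visitor who arrives from a
    search result is bounced to the rogue-scanner site; anyone else, including
    a researcher typing the URL in directly, gets the keyword-stuffed page."""
    referer_host = urlparse(request.get("Referer", "")).netloc.lower()
    if any(fragment in referer_host for fragment in SEARCH_ENGINE_HOSTS):
        return {"status": "302",
                "Location": "http://rogue-scanner.example/scan.php"}
    return {"status": "200",
            "body": "<html>Easter verse Easter Bible verses Easter greeting "
                    "card verses Easter Bible quotes</html>"}


def honest_server(request: Request) -> Response:
    """Control: the same page for every visitor."""
    return {"status": "200", "body": "<html>Easter Bible verses</html>"}


def probe_for_cloaking(fetch: Callable[[Request], Response],
                       url: str) -> Dict[str, object]:
    """Request the URL three ways and report which variant gets a different
    answer. `fetch` must NOT follow redirects: the 302 is the evidence."""
    direct = fetch({"url": url, "User-Agent": BROWSER_UA})
    via_search = fetch({"url": url, "User-Agent": BROWSER_UA,
                        "Referer": SEARCH_REFERER})
    as_crawler = fetch({"url": url, "User-Agent": CRAWLER_UA})
    return {
        "referer_cloaking": via_search != direct,
        "crawler_cloaking": as_crawler != direct,
        "redirect_target": (via_search.get("Location")
                            or as_crawler.get("Location")),
    }


if __name__ == "__main__":
    result = probe_for_cloaking(cloaked_server,
                                "http://easter-verse-doorway.example/")
    print(result)
```

The crawler probe is included because the same page may instead (or also) key on User-Agent to show the search engine its keyword page while sending browsers elsewhere; a probe that only varies one header can miss the other condition.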

khaley | 20 Mar 2009 16:19:22 GMT | 0 comments

Melissa was an exotic dancer and David L. Smith was obsessed with her and also with writing viruses. The virus he named after Melissa and released to the world on March 26th, 1999, kicked off a period of high-profile threats that rocked the Internet between 1999 and 2005. I like to think of it as the “Virus & Worm World Tour.”
1999       Melissa
2000       LoveLetter
2001       Code Red
2003       SQL Slammer

Parveen Vashishtha | 11 Mar 2009 01:25:18 GMT | 0 comments

Search engines are often used by attackers as platforms from which to deliver malicious code. A while ago it was reported that Google was serving up advertisements that led to misleading applications (also known as rogue antispyware products).

This time, the malicious code authors are using “Yahoo! Sponsored Search” listings as a means to promote a misleading product called “Antivirus & Security.” The sponsored listings present it as the latest version of AVG antivirus; however, the website itself actually claims that it is better than AVG and is an alternative to AVG antivirus. The sponsored search result leads to a site where users are asked to make a payment to buy a membership in order to obtain the product.

Instead of using techniques like...

khaley | 27 Feb 2009 19:27:29 GMT | 0 comments


It must have seemed like a good idea at the time. Automatically launch a program from whatever media the computer discovers. You don’t have to waste a bunch of mouse clicks to get your music CD or movie DVD to play. Well, the bad guys think AutoPlay is a good idea, too. Actually they think it’s a great idea and they take advantage of it a lot more than you and I do. Sality, Silly, and even Downadup are all examples of threats that leverage the AutoPlay feature, specifically the autorun.inf file that Windows reads from a newly inserted volume to decide what to run. Ben Nahorney has written about this in the past.

Of course, it’s not the CDs or DVDs that are carrying the threats. It’s USB drives. Banning USB drives seems like a solution, but it’s not practical. I’m not going to stop using mine and I suspect you won’t give up yours, either. So it’s kind of hypocritical to expect your...
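Since the threats named above ride on the autorun.inf file of a USB drive, the practical check is to read that file before Windows does. The block below is an added example (not Symantec's code) of a small autorun.inf parser with the heuristics an analyst applies by hand: does the file launch a program at all, does that program live in a location a legitimate drive would never launch from (such as a RECYCLER directory), does it hijack the default double-click verb, does it copy the wording of Windows' own AutoPlay dialog, and does it borrow the standard drive icon from shell32.dll to look like an ordinary drive. Both sample files and the executable path in the malicious one are constructed for the example and are not taken from any specific threat.

```python
from typing import Dict, List, Tuple

Finding = Tuple[str, str]

# Directories legitimate removable media have no reason to launch from.
SUSPICIOUS_DIRS = ("recycler", "recycled", "$recycle.bin",
                   "system volume information")
# Text that copies the wording of Windows' own AutoPlay choices.
MIMICKED_ACTIONS = ("open folder to view files",)


def parse_autorun(text: str) -> Dict[str, str]:
    """Minimal INI reader for autorun.inf. Keys are case-insensitive and may
    contain backslashes (shell\\open\\command), so configparser is avoided.
    Returns the [autorun] section only, keys lowercased."""
    section = None
    values: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith((";", "#")):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section != "autorun" or "=" not in line:
            continue
        key, _, value = line.partition("=")
        values[key.strip().lower()] = value.strip()
    return values


def referenced_programs(values: Dict[str, str]) -> List[Tuple[str, str]]:
    """Every key that names something to execute: open=, shellexecute=, and
    any shell\\<verb>\\command= entry."""
    return [(key, value) for key, value in values.items()
            if key in ("open", "shellexecute")
            or (key.startswith("shell\\") and key.endswith("\\command"))]


def assess_autorun(text: str) -> List[Finding]:
    values = parse_autorun(text)
    findings: List[Finding] = []
    for key, target in referenced_programs(values):
        findings.append(("launches_program", f"{key}={target}"))
        if any(d in target.lower() for d in SUSPICIOUS_DIRS):
            findings.append(("hidden_location", target))
    verb = values.get("shell", "").lower()
    if verb and f"shell\\{verb}\\command" in values:
        findings.append(("default_verb_hijacked", verb))
    if values.get("action", "").lower() in MIMICKED_ACTIONS:
        findings.append(("mimics_autoplay_dialog", values["action"]))
    if "shell32.dll" in values.get("icon", "").lower():
        findings.append(("drive_icon_disguise", values["icon"]))
    return findings


# Constructed sample in the style of a worm-dropped autorun.inf (not copied
# from any real threat); the SID-named directory and update.exe are made up.
SAMPLE_MALICIOUS = r"""
[AutoRun]
open=RECYCLER\S-1-5-21-0000000000-0000000000-000000000-1000\update.exe
icon=%SystemRoot%\system32\shell32.dll,4
action=Open folder to view files
shell\open\command=RECYCLER\S-1-5-21-0000000000-0000000000-000000000-1000\update.exe
shell\open=Open
shell=open
"""

# Constructed sample of a harmless vendor disc: icon and label only.
SAMPLE_VENDOR = """
[autorun]
icon=product.ico
label=Product CD
"""

if __name__ == "__main__":
    for code, detail in assess_autorun(SAMPLE_MALICIOUS):
        print(f"{code:24s} {detail}")
    print("vendor disc findings:", assess_autorun(SAMPLE_VENDOR))
```

The heuristics are deliberately strict about `open=` and `shellexecute=`: a vendor disc that uses them is not malicious, but it is still a program that runs on insertion, which is exactly the behaviour the post is warning about.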

Nishant Doshi | 27 Jan 2009 22:12:29 GMT | 0 comments

Welcome back to this blog series on misleading applications. This is the concluding article, so if you need a refresher on what we’ve covered to get to this point, have a look at the first two parts (part 1 and part 2). Essentially, today I’m going to conclude how malicious users gain access to Trojans, fake codecs, and fake scanner URLs in order to distribute misleading applications. It may also be of some interest to discuss why those with malicious intent would do this (easy money, perhaps?), so I’ll break some reasons down for you. Finally, I’ll provide some tips to protect your computer from these threats and to keep your eye out for telltale signs of misleading apps.

Pay-per-install: The Source...

Nishant Doshi | 21 Jan 2009 23:26:04 GMT | 0 comments

The first article of this blog series provided an introduction to rogue applications that parade as fake antivirus scanners and/or fake “system cleaners.” Once installed, these misleading applications attempt to scare the user into believing that his or her computer is infected with dozens or more threats. This is done using constant pop-ups, task bar notification icons, etc. These apps usually start off with a fake scan of the system and then proceed to report non-existent threats on the system. The goal here is to try to lure the user into buying the fake product, which promises to clean up all of those made-up threats.

Today, I’m going to continue discussing the ways in which malicious applications make it onto a victim’s system. In this article I will show you the distribution vectors for fake scanner Web pages.


Nishant Doshi | 19 Jan 2009 22:14:01 GMT | 0 comments

Lately there has been a huge influx of misleading applications (a.k.a. rogue or fake antivirus applications) plaguing users. By traditional definition, these programs are rogue applications that parade as fake antivirus scanners and/or fake “system cleaners.” For a good briefing on this type of “scareware,” take a look at the description provided here.


Once installed, these applications attempt to scare the user into believing that his or her computer is infected with dozens or more threats. This is done using constant pop-ups, task bar notification icons, etc. These apps usually start off with a fake scan of the...

Nishant Doshi | 16 Jan 2009 17:21:22 GMT | 0 comments

Authors of misleading applications have always been coming up with new techniques in order to entice or scare users into buying their fake products. Once installed on the system, a misleading application uses various social engineering techniques, some of which involve displaying fake scans, fake threats, and fake error messages. These techniques attempt to scare users into buying or activating the product in order to erase the made-up threats and remain protected. The registration usually costs $20 to $50 USD, but this is simply a huge social engineering scam.

Recently we came across a misleading application, Antivirus 2009, using a new social engineering technique. Once the latest version of Antivirus 2009 is installed on a system it registers a Browser Helper Object (BHO) called “winsystems.dll”. BHOs are plug-in extensions for Internet Explorer; they are loaded into every browser window and can read and rewrite the pages it displays, which is why they are often used by malicious applications.

Now, whenever a user visits any Google pages, the BHO modifies...
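Because a BHO has to be registered in two places to load (its CLSID listed under the Browser Helper Objects key, and that CLSID's InprocServer32 entry pointing at the DLL), a responder can enumerate every BHO on a box from a registry export and see at once which DLLs load into the browser and from where. The block below is an added example (not Symantec's code) that parses a `.reg` export, resolves each registered BHO's CLSID to its DLL path, and flags any DLL that does not live under Program Files or System32. The registry text, both CLSIDs, the vendor helper DLL and the temp-directory path for winsystems.dll are constructed for the example; the post gives only the DLL name, not its location.

```python
import re
from typing import Dict, List

BHO_KEY = ("hkey_local_machine\\software\\microsoft\\windows\\currentversion"
           "\\explorer\\browser helper objects\\")
INPROC_RE = re.compile(r"\\clsid\\(\{[0-9a-f-]+\})\\inprocserver32$")
KEY_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$')

# Heuristic only: a BHO loading from outside these trees deserves a look.
TRUSTED_PREFIXES = ("c:\\program files\\", "c:\\program files (x86)\\",
                    "c:\\windows\\system32\\")


def unescape_reg_string(raw: str) -> str:
    return raw.replace('\\"', '"').replace("\\\\", "\\")


def parse_reg_export(text: str) -> Dict[str, Dict[str, str]]:
    """Parse a .reg file into {key: {value_name: data}}. REG_SZ data is
    unescaped; other types (dword:, hex:) are kept raw. Key names and value
    names are lowercased because the registry is case-insensitive."""
    keys: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        m = KEY_RE.match(line)
        if m:
            current = m.group(1).lower()
            keys.setdefault(current, {})
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            name = "@" if m.group(1) == "@" else unescape_reg_string(m.group(1)[1:-1]).lower()
            data = m.group(2)
            if len(data) >= 2 and data.startswith('"') and data.endswith('"'):
                data = unescape_reg_string(data[1:-1])
            keys[current][name] = data
    return keys


def list_bhos(text: str) -> List[Dict[str, object]]:
    """Every CLSID registered as a BHO, resolved to the DLL that will be
    loaded into Internet Explorer, with a flag for unexpected locations."""
    keys = parse_reg_export(text)
    inproc: Dict[str, str] = {}
    for key, values in keys.items():
        m = INPROC_RE.search(key)
        if m:
            inproc[m.group(1)] = values.get("@", "")
    results = []
    for key in keys:
        if not key.startswith(BHO_KEY):
            continue
        clsid = key[len(BHO_KEY):]
        if "\\" in clsid:          # a subkey beneath a BHO entry, not a BHO
            continue
        dll = inproc.get(clsid, "")
        if not dll:
            reason = "no InprocServer32 registration found"
        elif not dll.lower().startswith(TRUSTED_PREFIXES):
            reason = "DLL outside Program Files / System32"
        else:
            reason = ""
        results.append({"clsid": clsid, "dll": dll,
                        "suspicious": bool(reason), "reason": reason})
    return results


# Constructed export: one vendor BHO and one loading from a temp directory.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AAAAAAAA-0000-4000-8000-000000000001}]
"NoExplorer"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{BBBBBBBB-0000-4000-8000-000000000002}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{AAAAAAAA-0000-4000-8000-000000000001}\InprocServer32]
@="C:\\Program Files\\Common Files\\Vendor\\IEHelper.dll"
"ThreadingModel"="Apartment"

[HKEY_CLASSES_ROOT\CLSID\{BBBBBBBB-0000-4000-8000-000000000002}\InprocServer32]
@="C:\\Documents and Settings\\user\\Local Settings\\Temp\\winsystems.dll"
"ThreadingModel"="Apartment"
"""

if __name__ == "__main__":
    for bho in list_bhos(SAMPLE_REG):
        flag = "SUSPICIOUS" if bho["suspicious"] else "ok"
        print(f"{flag:10s} {bho['clsid']}  {bho['dll']}  {bho['reason']}")
```

On a live machine the input comes from `reg export` of the Browser Helper Objects key and of HKCR\CLSID; on 64-bit Windows the 32-bit browser's BHOs sit under the Wow6432Node copies of both keys, so export those as well. The location heuristic is a triage aid, not a verdict: a DLL under Program Files still needs its publisher and signature checked.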