Video Screencast Help
Symantec to Separate Into Two Focused, Industry-Leading Technology Companies. Learn more.
Security Response
Showing posts tagged with Emerging Threats
Showing posts in English
Symantec Security Response | 01 Sep 2009 15:55:02 GMT

A new zero-day exploit that affects Microsoft Internet Information Services (IIS) was posted on Milw0rm yesterday. According to the posting the exploit works on both IIS 5.0 and 6.0, on the FTP module.

We performed some analysis and testing in our lab with the proof-of-concept code that was provided, and we successfully executed arbitrary code remotely on IIS 5.0. Yet, our results with IIS 6.0 were less than conclusive. What this essentially means is that malicious code can be run on the exploited server; however, there are certain conditions that need to be met for remote execution to happen. First of all, only IIS 5.0 and 6.0 are affected, which consequently means that only Windows 2000 and Windows Server 2003 are affected. Second, write access to the FTP server is needed. This can be either through an anonymous account or a valid user account. The proof of concept targets an anonymous account with write permissions; however, we have validated that any account with...

Mathew Maniyara | 28 Aug 2009 15:34:28 GMT

Symantec has observed a sudden rise in phishing on Indian brands recently. The number of phishing URLs  on Indian brands in the first two weeks of August was nearly 2% of all phishing attacks. In the past, the usual average was typically 0.5%. This means that the rise has grown four fold in just two weeks.

The geo-location of each phishing site was examined and it was observed that none were in India. But, it is likely that at least some of the phishers involved are in India since the confidential data stolen can be used for specific Indian needs. For instance, there are several websites dedicated to the purchasing of Indian goods and articles, which accept net banking payments only from a given list of Indian bank accounts. Hence, the attackers may be employing every means of masking their location by creating their website elsewhere and not on Indian servers.

There were five brands targeted that were all in the banking sector for the given time period. Among...

Shunichi Imano | 26 Aug 2009 00:16:31 GMT

Symantec Security Response has found a new threat that spreads through, which is a very popular Social Networking Site in China ala Facebook. The threat comes in a form of a Flash video, which pretends to be a famous Pink Floyd promotional video clip "Wish you were here."

Viewing the Flash video results in concealed JavaScript being executed while the video is playing.

imagebrowser image

The video is hosted on a legitimate site. The threat exploits an authentication cookie of a currently logged-in user in order to send out the same link (for the Flash file) to users on the Friends list.

imagebrowser image

We detect this malicious XSS threat as Js.Frienren.

Robert Vivas | 24 Aug 2009 22:32:14 GMT

Spammers continue to take advantage of the Internet tools and applications Google provides for free. In the past we have encountered spammers abusing Google Group Pages, Google Maps, Google Search, and Google Docs to host spam content. Recently spammers have started using Google Translate. Google Translate is an excellent tool that enables users to translate any text, Web page, or document, and convert the native text to the specified language requested.

With recent medication spam offer attacks, spammers have discovered a way to exploit the use of Google Translate. Here is one example:

  1. Hijacked URL directory space from a legit domain. In this example they used with the directory path to use as a redirect to host the intended spam domain...
Deepak Patil | 20 Aug 2009 22:54:06 GMT

We have recently observed that attackers are actively exploiting new movie releases to distribute malware. The general practice is to host a blog on a (relatively) reputable site, which in actual fact redirects users to a malicious website hosting malware.

The movie “Obsessed” was released in April 2009 and in order to watch it online for free, users might search for a phrase that includes keywords such as movie, free, video, online, watch, etc.—along with the movie’s name, of course. So, a search phrase such as “obsessed movie online free full video” would yield results similar to the following:

imagebrowser image

The first search result we received was from The page that was listed is flooded with the keywords related to movie:

imagebrowser image


Patrick Fitzgerald | 17 Aug 2009 09:38:10 GMT

A few days ago we wrote about how Downloader.Sninfs is using Twitter as part of its command and control infrastructure. How the threat uses this is quite interesting. Here’s an example of a Twitter account used by this threat:

imagebrowser image

This is a pretty standard Twitter page, but the message is unusual. It turns out that this message is a base64-encoded string that contains two URLs. These URLs are:

These URLs are using the URL-shortening service. These URLs redirect to:


Symantec Security Response | 16 Aug 2009 11:39:09 GMT

We posted a blog "Twittering Botnets" a few days ago that gave details of malware that receives obfuscated URLs from Twitter messages. This malware is detected as Downloader.Sninfs. This blog also made a prophecy that alternative sites could be used in the same fashion, and unfortunately this one has come true.

A new variant of this threat has emerged that uses not only Twitter, but also another social networking and micro-blogging site Symantec detects this Trojan as Downloader.Sninfs.B.

Like the previous variant, Downloader.Sninfs.B also attempts to get URLs from obfuscated Twitter status messages. However, if that attempt fails, the Trojan will use the...

Peter Coogan | 14 Aug 2009 15:57:46 GMT is once again in the media spotlight. This time security researchers at Arbor Networks have found what is thought to be a botnet using Twitter for its command-and-control operations. Obfuscated Twitter status messages (like the ones in the image below) are being used to send out new download links to malware that Symantec calls Downloader.Sninfs.

imagebrowser image

Although has been used in this instance, there are plenty of alternative sites on the Internet that could also be used as a similar medium of communication. has already taken the appropriate action against accounts being used in this way, including suspending the account used in the example above. Our investigation and analysis of Downloader.Sninfs is ongoing but has so far shown that it reads a...

Fred Gutierrez | 25 Jul 2009 04:15:04 GMT

We have already written about threats that can encrypt files or lock victims out of their computers in order to extract a ransom. Today I want to talk about yet another similar threat. It uses scare or nuisance tactics—similar to rogue antivirus programs—in an attempt to demand ransom from its victims.

Once infected with Trojan.Ransompage, a victim’s browser will display a persistent inline ad on every page that the victim visits. The ad will cover part of the original Web page, as shown below.

imagebrowser image

The ad will stay on the screen even if the page is scrolled:

imagebrowser image

This ad is written in Russian and states that in order to remove the ad (and to...

Patrick Fitzgerald | 22 Jul 2009 18:04:10 GMT

Recently we came into possession of an Adobe Acrobat PDF file that upon opening drops and executes a malicious binary. It was quite clear that this PDF was exploiting some vulnerability in order to drop its payload. And, during the analysis it soon became apparent that this vulnerability was not one we had seen in the wild before. What was even more surprising was that this vulnerability affects Adobe Flash—not Adobe Reader as we initially suspected.

An issue in Adobe Flash is more serious. Most vulnerabilities are confined to one technology; for example, a vulnerability may affect a particular browser or a particular operating system, but it is rare for a vulnerability to span multiple platforms and products. This is not the case with Flash. Flash exists in all popular browsers and is also available in PDF documents. It is also largely operating system independent; therefore, the threat posed by this issue is not to be taken lightly. Flash has become an integral part...