Video Screencast Help
Symantec to Separate Into Two Focused, Industry-Leading Technology Companies. Learn more.
Security Response
Showing posts tagged with Emerging Threats
Showing posts in English
Hon Lau | 18 Dec 2009 17:01:03 GMT

Those looking to see the latest 3D blockbuster movie, The Avatar, on the cheap will have to take great care in what they search for. We have become aware of at least one site that has been rigged to redirect users to a page that presents the now-familiar "play video/need codec" screen. In an unusual twist, this time it is offering a new ActiveX update rather than the usual codec or Flash player updates.



Clicking on the play button or icon will send a request to, which will then eventually offer you a file named along the lines of Activex_Setup[1].45158.exe from the domain. This is now detected as Trojan.FakeAV.

In addition to this malware page there are literally hundreds of other scam sites and pages trying to cash in on the...

Mircea Ciubotariu | 17 Dec 2009 11:32:37 GMT

We have recently learned of yet another zero-day exploit in Adobe Acrobat. This time it's an overflow for a special type parameter in a function provided by the multimedia.api plugin that can be manipulated from JavaScript in the following manner:


Somewhere deep in newPlayer, deinit_obj is set as the handler for deleting the object when it's no longer needed:


And eventually deinit_obj calls the destroy function from the object's v_table:


So far, so good, except the...

Jarrad Shearer | 07 Dec 2009 09:06:25 GMT

It has come to our attention recently that a website is giving out instructions on how to use a low tech social engineering trick to view private Facebook profiles. To view the instructions, a third-party application must be first downloaded and installed. While this application is not malware, it may impact computer performance. The instructions then describe how to view private Facebook profiles, with the result being that a Facebook user may receive a friend request from a person that is already on their friend list.

The social engineering trick lies in the fact that the friend request is not from the “friend” that it purports to be from. The friend request may also come with a personal message; the instructions also suggest a message, “Hey, I can’t login to the previous account. add [sic] me back in.” Since the friend request received both via email and Facebook looks legitimate (because it is legitimate; that is, the...

Candid Wueest | 03 Dec 2009 21:58:29 GMT
The Mozilla Firefox browser is constantly gaining in popularity. A recent market share survey by Net Applications awards Firefox with 24% of users worldwide. One of the key philosophies of Firefox is that its functionality can easily be extended using plug-ins or extensions. According to the Mozilla foundation there are more than 12,000 extensions available and they have recorded more than 1 billion extension downloads so far. Quite an irresistible target for a malware author, don’t you think?
This is by no means a new phenomenon, nor a Firefox-centric one. Browser helper objects (BHOs) in Microsoft’s Internet Explorer have been misused by attackers for years, and we saw malicious Firefox extensions appear more than three years ago. But, we have recently observed an increase in malware that drops malicious BHOs, Firefox extensions, and even Opera user scripts—all this in order to maximize their impact on a user’s machine....
Suyog Sainkar | 23 Nov 2009 20:13:40 GMT

Phishers are constantly targeting newer brands from diverse industries, with the sole motive of fraudulently acquiring a large amount of users’ confidential information for financial gains. Symantec has observed and followed up with some recent trends in phishing attacks targeting some of the popular online gaming websites. Since the beginning of this year there has been a steady rise in phishing attacks on gaming websites.

Why and How?

The primary motive of fraudsters is to seek out users’ confidential information, such as the login details for online gaming websites. The sample shown below is of a typical phishing Web page created by the fraudsters, which mimics a popular online gaming website. To trick users into trusting the phishing website, the phishers add a widget (to monitor online visitors) that will display some random number of purported online users visiting the site at a given time.  

Patrick Fitzgerald | 23 Nov 2009 16:27:01 GMT

Once again Zeus is up to its old tricks with a new twist.  The latest spam run informs users that their latest Social Security statement is available but it may contain errors.  The subject of the mail will be something like “Review annual Social Security statement“ and the body warns of a potential identity theft risk and asks you to review your annual statement at the link they provide.

Figure 1. An example of the Spam

If you follow this link you will arrive at the following page:
Figure 2. This fake page asks for your social...

Security Intel Analysis Team | 21 Nov 2009 13:05:59 GMT

A new exploit targeting Internet Explorer was published to the BugTraq mailing list yesterday. Symantec has conducted further tests and confirmed that it affects Internet Explorer versions 6 and 7 as well. The exploit currently exhibits signs of poor reliability, but we expect that a fully-functional reliable exploit will be available in the near future.  When this happens, attackers will have the ability to insert the exploit into Web sites, infecting potential visitors.  For an attacker to launch a successful attack, they must lure victims to their malicious Web page or a Web site they have compromised. In both cases, the attack requires JavaScript to exploit Internet Explorer.

The exploit targets a vulnerability in the way Internet Explorer uses cascading style sheet (CSS) information. CSS is...

Marian Merritt | 20 Nov 2009 14:45:48 GMT

I had the honor recently of moderating a virtual roundtable discussion on the top Internet security trends from 2009 and what we expect to see in the security threat landscape in 2010. Funny thing about security predictions—you hope they won’t come true, but expect them to anyway. The roundtable featured expert panelists Paul Wood (Senior Analyst, MessageLabs Intelligence, Symantec) and Zulfikar Ramzan (Technical Director, Symantec Security Response). They each have unique insights into the world of cybercrime, spam, phishing attacks, and other cyberthreats that plague us all.
We want to give a big thanks to everyone who joined in to listen to our experts, and we hope you found it interesting. For those of you who couldn’t make it, please take a few minutes to listen to the podcast of the actual roundtable.

You can read more about...

Eric Chien | 18 Nov 2009 19:54:37 GMT

Zeus is a botnet package that allows for the easy creation and command and control of a botnet.  We've discussed Zeus previously in Zeus, King of the Underground Crimeware Toolkits. The main purpose of Zeus is to steal online credentials such as online banking passwords, but it can be configured to steal passwords from any online site. 

Today, the BBC is reporting that police in the UK have arrested two suspects in relation to Zeus. While the details are preliminary, the two likely appear to be users of the Zeus botnet package rather than the actual creators, and thus the prevalence and usage of Zeus is likely to continue.

We've created a research paper providing more in-depth information on Zeus, including how the bot is created, what functionality it has, and additional...

Hon Lau | 16 Nov 2009 15:00:47 GMT

When trawling the Web today we came across a website that has been compromised and rigged so that it is returned in search engine results for many different search terms. The site in question belongs to a UK-based company that specializes in hiring out holiday homes and is a legitimate business. However, the site has been compromised and is being used in a major ongoing SEO-based misleading applications attack, and has been for some time now. As you can see in the sample search results below, you may wonder what college football, a Ukraine vs. Greece soccer match, Penn State basketball, and Robin Williams have to do with renting a holiday home—and with good reason, too.


The key to identifying malicious pages in the search results is looking for the string...