Security Response
Orla Cox | 11 Jul 2009 01:15:20 GMT

We've been spending most of the past week pulling apart Trojan.Dozer in order to get a full understanding of what its purpose is. Its most publicized feature is the DDoS attacks it performs against a number of sites. But after some further research we've found some other sinister features in the form of an old-school time bomb.

First of all, the trojan checks whether the system time is after July 10th 2009 00:00:00. If it is after this time, the threat begins its real mischief. It first searches for files with the following extensions:

.accdb
.alz
.asp
.aspx
.c
.cpp
.cpp
.db
.dbf
.doc
.docm
.docx
.eml
.gho
.gul
.hna
.hwp
.java
.jsp
.kwp
.mdb
.pas
.pdf
.php
.ppt
.pptx
.pst
.rar
.rtf
.txt
.wpd...

Symantec Security Response | 09 Jul 2009 21:04:44 GMT

Fireworks weren't the only thing going off on the 4th of July. Several U.S. and South Korean government, financial, and media websites were attacked and, at different times, were offline. There's been a lot of speculation about the source of the attacks, but here is what we know so far.

We've observed a number of malware components that are responsible for the attacks. W32.Dozer, Trojan.Dozer, W32.Mydoom.A@mm, and W32.Mytob!gen work in tandem to both spread and attack. W32.Dozer, a dropper that contains all the other components within it, is sent by W32.Mytob!gen to email addresses it...

Eric Park | 08 Jul 2009 22:46:20 GMT

With the soaring popularity of social networking sites, it is no surprise that spammers try to take advantage of them. In the past, spammers would register their own accounts and then send unsolicited messages through the social networking site. By default, the site generated automated email to let the user know that there is a new message. While such notifications are technically legitimate, the user would have most likely considered the messages as spam, due to the unsolicited content. For spammers, this technique had a shortcoming—the message sent to the user was from an unknown person/entity.

Recently, Symantec has observed a rise in a newer technique of social networking site abuse. The example below is a legitimate notification from Facebook that informs the user of a new private message:


As noted above, the message itself is not spam because there really is a...

Zahid Raza | 08 Jul 2009 14:30:00 GMT

Now that more people are paying attention to the risks and have taken the proper steps needed for increased security, fraudulent sites are easy to spot when they do not use SSL. However, a recent attack spotted by Symantec was using a legitimate SSL certificate to masquerade as a legitimate site. Fraudsters continue to use these kinds of techniques to perpetuate identity theft, and these particular attacks aren’t as noticeable.

Over the last thirty days, Symantec has observed the highest number of URLs abusing SSL certificates seen in the past year. A single compromised Web server with an SSL certificate can be used to host a broad range of phishing sites, and these have a higher success rate because visitors erroneously believe that they have a secure connection with their intended site.

Fraudsters have targeted the users of major brands by compromising Web servers with SSL certificates so that the fraudulent pages display the familiar lock icon...

Security Intel Analysis Team | 06 Jul 2009 17:00:19 GMT

As mentioned in a recent blog, Symantec is aware of the exploitation of a previously unknown and unpatched vulnerability affecting the Microsoft Video Streaming ActiveX control. Initially, there were limited in-the-wild attacks; however, new developments indicate that the flaw is now being exploited extensively in China and other parts of Asia. Reports indicate that thousands of websites have been compromised and are now hosting the exploit for this issue.

Our tests show that Microsoft Windows XP systems are affected, while Windows Vista systems do not seem to be affected by the attack. The flaw lies in the “msvidctl.dll” library and can be exploited by providing a crafted file as input to the “data” parameter of the “BDATuner.MPEG2TuneRequest.1” ActiveX object. The object is associated with...

Gilou Tenebro | 04 Jul 2009 02:32:02 GMT

W32.Waledac has launched a new spam campaign using a 4th of July theme. Below are some screenshots of sample spam emails with the new theme.


If the unsuspecting user clicks the link in the email, they will be directed to a Web page similar to the following:


The page claims to contain a video of a fireworks show for this year’s 4th of July celebration. However, clicking on the "video" actually leads to a W32.Waledac executable. Watch out for spam containing any of the following strings in the subject and body of the email:

  • Fourth of July Fireworks Shows...

Joe Pasqua | 22 Apr 2009 17:46:15 GMT

Yesterday at the RSA conference a group of Symantec executives and technologists met with industry influencers to discuss a broad collection of topics, ranging from innovation to reputation to virtualization. It was a pretty interesting discussion and I'd like to focus on one particular aspect that is near and dear to me—the importance of maintaining innovation momentum in a down economy. There are plenty of historical examples that show that companies that innovate through tough times emerge with a strong and sustainable advantage over those that don't. An interesting point, but I think there is more compelling evidence that sustained innovation is the smart thing to be doing right now.

Someone once said that there are two kinds of products in the world: those that cost a dollar but help you earn five dollars, and those that cost a dollar but help you save five dollars. Both are valid value propositions, but in this economy it's not too surprising that people are...

Greg Ahmad | 26 Mar 2009 12:52:47 GMT

System Management Mode (SMM) is an operating mode available in Intel x86 and x86_64 architectures. SMM is the most privileged CPU operating mode on Intel architectures and facilitates power-management features and other operating-system-independent functions. Its code and data reside in a protected region of memory called System Management RAM (SMRAM)—access to which is typically limited to the BIOS. A system management interrupt (SMI) is used to enter SMM.

Over the last few years, research reports discussing attacks that target SMM have started to surface. In 2006, Loïc Duflot reported various security issues in SMM and presented an attack that bypassed the Securelevel mechanism in the OpenBSD kernel. In 2008,...

Brian Hernacki | 02 Mar 2009 21:42:33 GMT

So this week is pretty exciting. For the third year in a row, we're going to be showing off a prototype at the DEMO conference. Two years ago we launched Identity Defender (I was part of that one), which went on to become Norton Identity Safe—a technology available today in our award-winning Norton Internet Security and Norton 360 products. Last year our Symantec Research Labs Advanced Concepts group unveiled Project Watchdog, which today is known as Norton Online Family...

Elia Florio | 05 Dec 2008 01:25:16 GMT

Following Dan Kaminsky’s research on DNS insecurities, we saw attackers racing with their DNS servers to hijack network connections. It was only a matter of time before the bad guys decided that racing against DNS was not enough.

DHCP is a widely used network protocol that has been around for a while—it’s used to automatically assign IP addresses on a local network. When you connect your laptop to the wireless router at your home or to your office network, it is most likely that a DHCP server assigns an IP address to your machine and provides all of the important parameters, such as a gateway IP and DNS servers. The DHCP protocol is simple, transparent, and efficient for end users, but it is also insecure. There’s nothing new or sensational in that statement, because it’s well known and really comes down to a lack of authentication. Wikipedia has a pretty good...