Security Response
Showing posts tagged with Malicious Code
Hardik Shah | 07 Apr 2011 08:45:19 GMT

Recently, we came across an application that displays the message “Tornado Randomly Appears During Soccer Game” on Facebook:

Clicking on the message forces the download of a script from http://<IP Removed>/fb2.js, which displays a Facebook login message. If the user is logged in to Facebook, the malicious app will log the user out and ask him/her to log in again:

When the user clicks on the “Login” button, it will show the login form:

When the user enters login details and clicks on the Login button, the fake application sends two POST requests: one to, and the other to the malicious server. The request sent to the malicious server has the...

M.K. Low | 07 Apr 2011 03:47:54 GMT

Taking the Shortcut to Malicious Attacks 

Shortened URLs have become popular in recent years as a means of conserving space in character-limited text fields, such as those used for micro-blogging. Some URLs consist of a substantial number of characters that can eat up character limits, break the flow of text, or cause distortions in how Web pages are rendered for users. URL shortening services allow people to submit a URL and receive a second, specially coded shortened URL that redirects to the original URL. When a user clicks on the shortened URL, the service will redirect the person to the submitted Web page.

Attackers are taking advantage of this type of service because it helps to hide the actual destination URL. Attackers use the shortened links, which may or may not be legitimate, to lead unwitting users to malicious websites that are designed to attack any system using a vulnerable browser. 

Social networks are a security concern for...

Poul Jensen | 06 Apr 2011 11:44:21 GMT

Internet advertising has the potential to be a very worthwhile method for generating income. However, Internet advertising typically pays out more when the ads themselves are clicked. Therefore, scammers have a strong incentive to devise ways to ensure that the ads hosted on sites under their control are clicked – be it through malware, automated scripts, email spam links, or any other method. After all, potential profit drives innovation – for legitimate and illegitimate business alike.

However, advertisement networks are capable of identifying illegitimate activity on their networks, which increases the need for scammers to hide illegitimate activity for as long as possible, thereby allowing them to reap the largest possible profit. In the past, we have observed various Trojans that connect to websites and click on the ads. Recently, however, we have discovered a more elaborate scam that establishes a network of fake dating/...

Téo Adams | 05 Apr 2011 03:56:08 GMT

We are pleased to announce that Volume 17 of the Symantec Internet Security Threat Report (ISTR) is now available. There are some significant changes to the report this year, including several new metrics, a revamping of existing metrics, and a revised format. Aspects of the new format were first seen in the Report on Attack Kits and Malicious Websites, which was released earlier this year.

One point of interest in this most recent report is the continued prevalence of malicious code propagation through the sharing of malicious executables on removable media. This propagation mechanism has been ranked at the top for quite some time now, with no signs of coming down. However, in February 2011, right in the midst of writing the report, we read an...

khaley | 05 Apr 2011 03:55:29 GMT

2011 Internet Security Threat Report Identifies Increased Risks for SMBs
Kevin Haley, Director, Symantec Security Technology and Response

Small businesses have flexibility that can provide them with a competitive edge in today’s Internet-based market. And, with ever more business being conducted online, keeping your sensitive information safe is more critical than ever.

Hackers do not care what the size of your business is. They only care whether they can get past your defenses and relieve you of your valuables. What hackers do like about a small business is that it tends to have more money in the bank than an end user and fewer cyber defenses than a larger company. And these hackers are no longer limited to highly skilled computer geeks. Using easily available attack toolkits, even a relative novice can infect your computers and extract all the information they...

Mario Ballano | 10 Mar 2011 22:48:25 GMT

Following our initial post on the discovery of Android.Bgserv, Symantec has found additional Trojanized samples in the wild. After analysis of these new samples, it appears that the applications contain multiple bugs. In the case of the Trojanized version of Google’s Security Tool, we have confirmed after testing (unsurprisingly) that it does not have the ability to clean a system infected with Android.Rootcager.

The Trojanized applications also contain code to change an infected device’s APN settings. The screenshot below belongs to the threat code responsible for changing them. However, in our...

Hardik Suri | 04 Mar 2011 17:53:20 GMT

A mass injection campaign has been started by attackers who are using the BlackHole exploit kit, in which a number of high-traffic websites are hacked and injected with an iframe that redirects users to a BlackHole server. The number of websites infected gives a fair idea of the popularity of this toolkit in the crimeware industry. Among the websites hacked there is a popular news website in Africa, a popular website among techies, and an official website for colleges overseas. The image below shows the common iframe injected across all affected websites:

The script is decoded using the “getSeconds();” value retrieved from the JavaScript Date class. The image below shows the decoded iframe:


Hardik Suri | 18 Feb 2011 11:26:09 GMT

Symantec has been monitoring the BlackHole toolkit, which has a powerful set of exploits and is spreading like wildfire. At present, it is the most prevalent exploit toolkit in the wild and can easily be compared with the likes of Neosploit and Phoenix in terms of the number of affected users.

In recent times, BlackHole has clearly emerged as the most used toolkit among hackers. The following IPS graph bears this out, since more than 100,000 malicious hits are reported each day:


End-to-end Analysis of the BlackHole Exploit Kit

•    When a victim visits a...

khaley | 11 Feb 2011 12:52:25 GMT

For those of you who arrived on this page after clicking on our link, we caught you clicking! Not that we blame you, though. After all, everyone loves clicking on links!

However, this just goes to show why social engineering is as effective in spreading malware today as it was exactly ten years ago, when the Anna Kournikova virus sped across the Internet almost as fast as the tennis star’s serve.

The virus was so successful because, well, let’s face it, everyone wanted to check out the athletic beauty’s latest picture. In the end, though, all they got was a malware infection and a hard life lesson: "curiosity killed the cat."

The fact of the matter is that not much has changed in this regard. Today, just about anyone or anything making headlines seems to be fair game for malware authors and phishers to exploit. The popularity of shortened URLs...

Brent Graveland | 20 Jan 2011 14:40:04 GMT

Antivirus companies and malicious software makers are in a continual battle. Antivirus developers attempt to identify and block malicious software, while malicious software developers want to evade detection so that their products succeed and earn them money.

The recently released Symantec Report on Attack Toolkits and Malicious Websites discusses how malicious software is increasingly being bundled into attack kits and how those kits are being sold in the underground economy and used in a majority of online attacks. One aspect of the report discusses the various forms of obfuscation methods built into these kits to avoid detection by antivirus sensors and researchers.

A major part of this obfuscation arms race is called a “FUD cryptor.” FUD in this case does not stand for “fear, uncertainty, and doubt,” but rather for “fully undetectable” or...