Video Screencast Help
Security Response
Showing posts tagged with Security
Showing posts in English
Kaoru Hayashi | 19 Mar 2014 12:58:54 GMT

DarllozConcept.png

Last November, we found an Internet of Things (IoT) worm named Linux.Darlloz. The worm targets computers running Intel x86 architectures. Not only that, but the worm also focuses on devices running the ARM, MIPS and PowerPC architectures, which are usually found on routers and set-top boxes. Since the initial discovery of Linux.Darlloz, we have found a new variant of the worm in mid-January. According to our analysis, the author of the worm continuously updates the code and adds new features, particularly focusing on making money with the worm.

By scanning the entire Internet IP address space in February, we found that there were more than 31,000 devices infected with Linux.Darlloz.

Coin mining
In addition, we have discovered the current...

Symantec Security Response | 18 Mar 2014 22:56:52 GMT

Security researchers have released a paper documenting a large and complex operation, code named “Operation Windigo”. Since the campaign began in 2011, more than 25,000 Linux and Unix servers were compromised to steal Secure Shell (SSH) credentials, to redirect Web visitors to malicious content, and to send spam. Well-known organizations such as cPanel and Linux Foundation were confirmed victims. Targeted operating systems include OS X, OpenBSD, FreeBSD, Microsoft Windows, and various Linux distributions. The paper claims Windigo is responsible for sending an average of 35 million spam messages on a daily basis. This spam activity is in addition to more than 700 Web servers currently redirecting approximately 500,000 visitors per day to malicious content.

The paper lists three main malicious components (ESET detection names):

  • Linux/Ebury – an OpenSSH backdoor used...
Nick Johnston | 13 Mar 2014 18:14:34 GMT

We see millions of phishing messages every day, but recently, one stood out: a sophisticated scam targeting Google Docs and Google Drive users.

The scam uses a simple subject of "Documents" and urges the recipient to view an important document on Google Docs by clicking on the included link.

Of course, the link doesn't go to Google Docs, but it does go to Google, where a very convincing fake Google Docs login page is shown:

phish_site_image.png

Figure. Google Docs phishing login page

The fake page is actually hosted on Google's servers and is served over SSL, making the page even more convincing. The scammers have simply created a folder inside a Google Drive account, marked it as public, uploaded a file there, and then used Google Drive's preview feature to get a publicly-accessible URL to include in...

Symantec Security Response | 12 Mar 2014 11:16:35 GMT
On Tuesday, Microsoft released its security updates for Microsoft Patch Tuesday, which included the much needed update to address a zero-day vulnerability affecting Internet Explorer 9 and 10. The exploit for the Microsoft Internet Explorer Use-After-Free Remote Code Execution Vulnerability (CVE-2014-0322) was originally used in targeted attacks, but it caught on among average cybercriminals. As a result, the exploit currently affects Internet users in general.
 
In this month’s Patch Tuesday, Microsoft covered another Internet Explorer zero-day vulnerability, which is being exploited in the wild. This flaw is known as the...
PraveenSingh | 11 Mar 2014 18:52:34 GMT

Hello, welcome to this month's blog on the Microsoft patch release. This month the vendor is releasing five bulletins covering a total of 23 vulnerabilities. Nineteen of this month's issues are rated ’Critical’.

As always, customers are advised to follow these security best practices:

  • Install vendor patches as soon as they are available.
  • Run all software with the least privileges required while still maintaining functionality.
  • Avoid handling files from unknown or questionable sources.
  • Never visit sites of unknown or questionable integrity.
  • Block external access at the network perimeter to all key systems unless specific access is required.

Microsoft's summary of the March releases can be found here:
http://technet.microsoft.com/en-us/security/bulletin/ms14-mar

The following is a breakdown of the issues being addressed this...

Joji Hamada | 11 Mar 2014 15:22:59 GMT
A new spam campaign with an information-stealing malware attachment has been circulating since March 7, 2014. While spam emails are typically sent to many people, in this campaign, the spammer has limited their targets to administrators of online Japanese shopping sites.
 
The attacker may have targeted these recipients for various reasons. As most online stores provide contact details on their Web page, they become easy targets since their email addresses can be easily harvested by crawling sites. The attacker could also have targeted the recipients to get the companies’ account details in order to steal data maintained by the stores. The attacker may have also wanted to compromise the shopping sites in order to carry out further attacks against the store’s visitors.
 
The malware, detected as Infostealer.Ayufos, is a basic...
Dick O'Brien | 07 Mar 2014 19:24:20 GMT

Bitcoin Woes 1.png

Virtual currency Bitcoin has experienced some turbulent times in recent weeks as attackers focused their attention on a newly publicized weakness in Bitcoin’s software in an attempt to siphon off huge sums. The instability has already claimed the scalp of Mt Gox, which was once the world’s largest Bitcoin exchange and thousands of investors have lost their deposits.  The thefts caused the currency’s value to plunge but it has since recovered significantly, indicating that investors still have an appetite despite the risks. Nevertheless, this spate of incidents perfectly illustrates how attackers can swarm around a particular area once a weakness is found and attempt to pick it clean.

The first sign of trouble came on February 7, when Mt...

Kevin Savage | 05 Mar 2014 15:49:07 GMT

Ransomcrypt authors are not known to have a conscience, and until now have always left their victims with no way out, other than paying the extortion demand to decrypt their files. This seems to have changed somewhat with the arrival of Trojan.Ransomcrypt.G. While the authors of this malware are still total scammers, they seem to have some principles and offer to decrypt the victim’s files for free after a one month period, even  if the ransom has not been paid. While this behavior does not exonerate the actions of the malware authors, it does leave some light at the end of the tunnel for any unfortunate victims of this scam.   

OMG_Fig1.jpg

Figure 1. “how to get data.txt” snippet from ransom file left behind by Trojan.Ransomcrypt.G

Trojan....

Peter Coogan | 05 Mar 2014 14:24:53 GMT

Darwinism is partly based on the ability for change that increases an individual’s ability to compete and survive. Malware authors are not much different and need to adapt to survive in changing technological landscapes and marketplaces. In a previous blog, we highlighted a free Android remote administration tool (RAT) known as AndroRAT (Android.Dandro) and what was believed to be the first ever malware APK binder. Since then, we have seen imitations and evolutions of such threats in the threat landscape. One such threat that is making waves in underground forums is called Dendroid (Android.Dendoroid), which is also a word meaning something is tree-like or has a branching structure.

...

Symantec Security Response | 28 Feb 2014 07:29:50 GMT

While the Sochi Winter Olympics may now be over without incident, considering all of the media attention and fears surrounding a potential terrorist attack at the event, it should come as no surprise that cyberattackers were preying on these uncertainties to target potential victims of interest.

During the games, Symantec saw multiple targeted email campaigns that used Sochi Olympics themes to bait potential victims. These observed email campaigns were blocked by our Symantec.Cloud service. In one such campaign, we saw that targets were being sent the following email.

figure1_0.jpg

Figure 1. Email purporting to relate to a terrorist threat at the Sochi Olympics

In this campaign...