Video Screencast Help
Symantec to Separate Into Two Focused, Industry-Leading Technology Companies. Learn more.
Security Response
Showing posts for June of 2008
Showing posts in English
Kelly Conley | 25 Jun 2008 21:33:11 GMT | 0 comments

John Doe, sitting in his office, was scrolling through email in his inbox when he noticed an email with this subject line:

Mail delivery failed: returning message to sender

John thought to himself, “Message delivery failed? Did my message to Jane get blocked?” He then proceeded to open the message and found that it was an online pharmacy spam message he had allegedly sent. John is initially puzzled because he never sent that message himself. Soon, he realizes that the message is NDR spam.

Symantec has observed a wave of non-delivery receipt (NDR) attacks over the past month. While this technique is certainly not new, a spike in volume was significant enough for us to take a deeper look. A lot of people are confused about these messages. Where do they come from? What is the purpose?

This spam type utilizes a...

M.K. Low | 23 Jun 2008 19:06:05 GMT | 0 comments

Recently, during her vacation to visit me, my sister forgot her cell phone and had to use her credit card in a pay phone to call me. Later that day, she tried to use the same credit card to check into her hotel and it was declined. After calling the credit card company, the man on the phone informed her that criminals often test stolen credit cards in pay phones to verify if it is still valid. Credit card companies know this and instantly put a hold on the card when this occurs.

Of course, this doesn't bode well for the criminal. They have checked if the card works and by doing so, it has been flagged and possibly deactivated. What is a criminal to do? What other methods can they use to verify the validity of the card but yet, still be able to buy that limited edition R2D2 DVD projector after the process? In a previous...

Hon Lau | 19 Jun 2008 16:57:35 GMT | 0 comments

Most people are well aware of the potential problem posed by software vulnerabilities that are publicly announced, but many of these vulnerabilities can remain unpatched by the relevant vendors. Dealing effectively with security problems posed by software vulnerabilities is a two-way street. You count on your software vendors to quickly bring out reliable patches and once they are available, your end of the bargain is to apply them as quickly as possible. Many software vendors are attempting to address their share of the issues in relation to patch development and distribution. The problem is, many users are still slow to apply new software patches, for various reasons. It is this gap between the availability of patches and their application that is creating a window of opportunity for would-be attackers.

To add fuel to the fire, an interesting research report was...

Vikram Thakur | 18 Jun 2008 21:06:49 GMT | 0 comments

Some advice for the day: don't click on every link in your email. It looks like the Peacomm (Storm) authors have decided to use past and future events in China as lures for their latest creation. A new spam run is in progress with links to a file called "beijing.exe," which is currently detected by Symantec as Trojan.Peacomm.D.

Some of the subject lines we've seen so far are:

The most powerful quake hits China
Countless victims of earthquake in China
Death toll in China is growing
Recent earthquake in china took a heavy toll
Recent china earthquake kills million
China is paralyzed by new earthquake
Death toll in China exceeds 1000000
A new powerful disaster in China
A new deadly catastrophe in China
2008 Olympic Games are under the threat


Eoin Ward | 13 Jun 2008 18:19:22 GMT | 0 comments

Trojan.Gpcoder is a particularly nasty threat that uses public key cryptography to encrypt files on a person’s computer and subsequently requests payment from the user in order to recover the files. It has had many variants over the years. While analyzing a recent version, I observed that it uses a short key. Would this make it possible to decrypt the infected files?

Public key cryptography uses two keys—a public key and a private key. In Trojan.Gpcoder the public key is encoded into the virus and is used to encrypt files. The author of Trojan.Gpcoder holds the private key which is used to decrypt files.

Last year we detected Trojan.Gpcoder.E. This version of Trojan.Gpcoder claimed to use a public key algorithm called RSA-4096 to encrypt files (in fact, it used a weaker algorithm). More recently we detected a new variant, ...

Robert Keith | 10 Jun 2008 23:58:54 GMT | 0 comments

Hello and welcome to this month’s blog on the Microsoft patch releases. The vendor is releasing seven bulletins that cover a total of 10 vulnerabilities. Of those, four are rated “Critical”, four are rated “Important”, and two are rated “Moderate.” While most of the critical vulnerabilities are the ever popular client-side issues (DirectX and Internet Explorer), the remaining issue in Bluetooth could allow an attacker within physical range of an affected computer to exploit the issue and take complete control of that computer. The remaining issues affect WINS, Active Directory, Speech API, and PGM.

As always, customers are advised to follow security best practices, specifically:


-         Disable any unnecessary services.

-         Avoid sites of unknown or questionable integrity.


Microsoft’s summary of the June releases can be found here:


Kelly Conley | 03 Jun 2008 20:08:06 GMT | 0 comments

The June State of Spam Report demonstrates that spammers are utilizing current events to their advantage. The economic slowdown has been at the forefront of current event topics for some time, and is indisputably a hot item for spammers. In May, Symantec observed the continued offers by spammers to avoid home foreclosure. Many of these attempts are directed towards harvesting personal information and not towards helping anyone out of a loan crisis.

Other current events being used by spammers to take advantage of the public include rising gas prices, the economic stimulus package, and recent natural disasters. In the wake of rising gas prices, spammers are offering gas from unusual sources, like your water faucet. Free gas cards and other products aimed at creating gas out of  other unusual sources are...

Symantec Security Response | 03 Jun 2008 16:41:48 GMT | 0 comments

From the moment the recent earthquake struck in China on May 12th, mass grief poured out from within the Chinese population at the loss of their loved ones. Many thousands of people have donated their time and money, while some have prayed and expressed their grief using the Web. Unfortunately, as is so often the case in such tragic circumstances, miscreants are all too ready to try and create mayhem and profit from the misfortune of others.

In the weeks following the earthquake, the Symantec Security Response team based in Chengdu discovered that a legitimate Web site [http://][REMOVED]), which is used for the expression of grief and condolences, had been compromised. The attackers had embedded a malicious IFRAME into the page.

The malicious code pointed to another URL, which in turn caused yet another page to be opened. The latter page contains JavaScript that will attempt to exploit a number of...