Security Response
Showing posts for November of 2008
Amanda Grady | 28 Nov 2008 18:17:57 GMT | 0 comments

In recent weeks, Symantec has observed an increase in messages promoting online casinos, typically offering a cash bonus or VIP treatment. Leisure spam (defined as email attacks offering or advertising prizes, awards, or discounted leisure activities) has accounted for up to 10% of spam globally during early November. 


As we reported in the March 2007 State of Spam report, these attacks are often translated into many different European languages in order to maximize the reach of the attack. The URLs are quickly changed from message to message, with a simple directory change for each European language (a French example is shown below). Spammers change the URLs frequently in order to try and stay ahead of URL-based anti-spam filters. Symantec uses more than 20 different filtering technologies in order to ensure comprehensive blocking of...

David McKinney | 27 Nov 2008 13:16:30 GMT | 0 comments

The newly released Symantec Report on the Underground Economy discusses a number of topics, including the supply and demand of goods and services that were advertised for sale in the underground economy. This information was gathered by monitoring various IRC channels devoted to the commerce of these goods and services. In particular, I’d like to highlight some of the things we observed in analyzing the trade in malicious tools.

One of the things we observed is that the underground economy is self-sufficient. What this means is that the tools necessary to produce goods and services are also available for sale in the underground economy. This indicates that the market has matured enough that productivity gains can occur through the division of labor; i.e., the economy makes it viable for individuals to increasingly specialize in the tasks they excel at. This is where...

Mayur Kulkarni | 26 Nov 2008 21:15:22 GMT | 0 comments

You may have come across multilingual translations of your favorite book or a popular movie. It’s a surefire way to extend one’s work to a wider audience. The desire for an extra buck has driven spammers to adopt similar tactics for their campaigns. Recent messages observed offered a job that included relaying payments between banks. In return, the “recipient” is allowed to retain some percentage of the amount transferred. This is a type of scam which involves the illegal activity of money laundering.


Initial English language spam attacks were followed by an Italian version within a space of ten days. The nature of the spam source (source IPs from different geographical locations) indicated that this attack was carried out through spamming bots.

Sample headers in English:

Subject: Vacancy! –cB
Subject: New Proposal! –aAzs

Sample headers in Italian:


Alfredo Pesoli | 26 Nov 2008 20:45:05 GMT | 0 comments

Let me introduce you to the new "Trojan kit," which is a member of the "…no, I don't require root privileges…" malicious code targeted toward Mac OS X. A while ago we received a sample of a new Trojan affecting the Apple operating system. OSX.Lamzev.A is the first sample we’ve seen from this threat family. It’s an easily customizable Trojan kit that could be the first of a long list of malicious code clones.
So, what do we mean by Trojan kit and what makes it stand out from the crowd? The only noteworthy feature is the way in which it infects clean applications—what this Trojan does is hijack a common feature that Mac OS X applications use to launch themselves—a smart but simple hack!

Initially, when the Trojan is run, a command prompt will appear, in which the attacker can configure the application that he or she wants to “Trojanize” (figure 1). The Trojan needs to be...

Marika Pauls Laucht | 26 Nov 2008 10:22:03 GMT | 0 comments

The online underground economy has evolved into a full-fledged marketplace where participants advertise and traffic stolen information, provide services to aid in the use of this information, and perform other illegal activities. Like any market-based economy, it is governed by the laws of supply and demand and, given enough supply, the goods available for purchase are virtually limitless.

As stated in the Symantec Report on the Underground Economy, credit card information was the most popular category of goods and services available for sale, accounting for almost one-third of the total observed. This category included credit card numbers, CVV2 numbers, expiry dates, and credit card dumps. (The CVV2 number is a three- or four-digit number on the credit card and is used for card-not-present transactions, such as Internet or phone purchases. This number helps to verify that...

Téo Adams | 25 Nov 2008 12:24:21 GMT | 0 comments

One topic of discussion in the recently released Symantec Report on the Underground Economy is software piracy. Software piracy occurs primarily in two basic forms: physical counterfeiting and file sharing. Counterfeiters create unauthorized physical copies of software intended for sale as legitimate products (though often the attempt to create a realistic valid copy is minimal). The motivation of counterfeiters is typically financial gain, and customers who know that the software is counterfeit are likely trying to save money. In contrast, piracy by means of file sharing—whether by copying a disc for a friend, uploading files using a peer-to-peer (P2P) application, or some other means—is not typically profitable for the people who share the files. The advent of rapid P2P file-sharing protocols has provided a readily available means for people to distribute and obtain...

Thomas Parsons | 25 Nov 2008 10:44:34 GMT | 0 comments

As part of our continuous false-positive prevention efforts for antivirus signatures at Symantec, we research different areas that may help us in our quest. One area of particular interest is the utilization of clean data to prevent the manifestation of antivirus signatures that cause false positive conditions. As a result of this work, earlier this year Bartek, Julie, Catherine, and I co-authored a paper entitled “Clean Data Profiling.” The paper was subsequently published at the Virus Bulletin 2008 Conference in Ottawa in October and is made available here courtesy of the same organization.

Dylan Morss | 24 Nov 2008 23:45:04 GMT | 0 comments

Although spam levels remain at a relatively low volume following the takedown of the spam host McColo last week, there is some evidence that spammers are starting to prepare for a rally. Late last week we observed the spam volume spike as much as 150% in an hour-to-hour comparison, which is about a seven percent increase since McColo was shut down.

In addition to overall spam volumes, the percentage of spam messages containing the text/HTML content type mime part jumped to 55% of all spam, indicating a change in the overall makeup of spam. Prior to the McColo takedown, the overall percentage of spam messages containing the text/HTML content type mime part was over 55%, but after the takedown the average has been around 34%. This change indicates that a return to normal spam activity could be in the works.

When we took a closer look at the spam contained in the spikes, it was revealed that there was an increased use of HTML. The spam messages were typical “...

M.K. Low | 24 Nov 2008 14:42:14 GMT | 0 comments

Underground economy servers are black market forums used to advertise and traffic stolen information. The information can include government-issued identification numbers such as Social Security numbers, credit card information, bank accounts credentials, personal identification numbers, email address lists, and email accounts. They can also provide services to facilitate these illegal activities and can include cashiers who withdraw funds from the stolen accounts, scam page hosting, and job advertisements for roles such as scam developers or phishing partners.

Symantec's Report on the Underground Economy shows that there are a wide variety of goods and services being advertised on underground economy servers, and many of these goods and services form a self-sustaining marketplace. Participants in this fraud can obtain goods by a variety of means; credit card and banking...

Security Intel Analysis Team | 22 Nov 2008 18:13:04 GMT | 0 comments

Microsoft Security bulletin MS08-067 was an out-of-band security update that was released on October 23, 2008, to address a critical remotely exploitable vulnerability that was being exploited in the wild. The Microsoft Windows Server Service RPC Handling Remote Code Execution Vulnerability that was addressed by the patch affects Windows 2000, XP, Server 2003, Vista, and Server 2008 to varying degrees. Ultimately the issue can be exploited by a remote attacker to install malicious applications on a target computer without the victim’s knowledge.

Microsoft released a detailed matrix describing the risk that this vulnerability presents to different versions of Microsoft Windows. When reading this matrix it becomes clear that this issue is exploitable by an unauthenticated...