Video Screencast Help
Symantec to Separate Into Two Focused, Industry-Leading Technology Companies. Learn more.
Security Response
Showing posts for February of 2009
Showing posts in English
Andy Cianciotto | 28 Feb 2009 00:38:23 GMT | 0 comments

Over the past two days, Security Response has observed an increase in detections of W32.Ackantta.B@mm and subsequently, Trojan.Vundo.





W32.Ackantta.B@mm is a mass-mailing worm that gathers email addresses from a compromised computer and spreads by copying itself to removable drives and shared folders. Trojan.Vundo is...

khaley | 27 Feb 2009 19:27:29 GMT | 0 comments



It must have seemed like a good idea at the time. Automatically launch a program that’s been discovered by the computer. You don’t have to waste a bunch of mouse clicks to get your music CD or movie DVD to play. Well, the bad guys think AutoPlay is a good idea, too. Actually they think it’s a great idea and they take advantage of it a lot more than you and I do. Sality, Silly, and even Downadup are all examples of threats that leverage the AutoPlay feature. Ben Nahorney has written about this in the past.


Of course, it’s not the CDs or DVDs that are carrying the threats. It’s USB drives. Banning USB drives seems like a solution, but it’s not practical. I’m not going to stop using mine and I suspect you won’t give up yours, either. So it’s kind of...

Patrick Fitzgerald | 25 Feb 2009 23:27:18 GMT | 0 comments

Recently we have had a resurgence of people complaining that their online email accounts have been compromised and are being used to send spam. The reports all say the same thing: a message has been sent to every recipient in the Webmail address book, but the user had nothing to do with sending it.

In these types of situations, it usually turns out that a user’s Webmail login credentials are stolen during a phishing attack. The attacker will then use the stolen credentials to change the user’s account settings in order to allow the Webmail account to automatically send out spam email. Also, the attacker will modify or add an email signature so that every future email sent by the user includes additional spam text that the user will be unaware of. In addition, auto-responding vacation notifications are often turned on so that an automatic reply—including spam—is sent to any new incoming email.

The added spam signature text usually contains an...

Patrick Fitzgerald | 24 Feb 2009 17:58:10 GMT | 0 comments

Yesterday, our engineers in Japan noticed the arrival of some unusual submissions from a small number of our customers. All of these submissions contained suspicious Microsoft Office Excel 2007 spreadsheets. Further analysis showed that these files were exploiting a vulnerability in Excel that allowed them to drop and execute a binary onto the file system.

We see this kind of behavior all the time, but as the analysis of the vulnerability progressed it became clear that this vulnerability is one that we had not seen before. It turns out that this vulnerability exists in the old Excel binary .xls format and not the new .xlsx format. Opening the malicious spreadsheet triggers the vulnerability. This causes the shellcode to execute and then drops two files on the system—the malicious binary mentioned earlier and another valid Excel document. The shellcode then executes the dropped file and opens the valid Excel document to mask the fact that Excel has just crashed. This...

Elia Florio | 23 Feb 2009 22:02:43 GMT | 0 comments

Editor’s Note: This is the concluding article in Symantec’s multi-part series covering specific and interesting aspects of W32.Downadup.

The conclusion of my previous blog posed an interesting question to readers: “...seeing as the list of the future domains was publicly disclosed on the Web, why hadn’t any other cyber criminals taken advantage of the predictions?” Antivirus companies and many independent security researchers were able to crack the domain prediction algorithm used by the worm, so it is reasonable to believe that other people were able to achieve the same result, but with different intentions. In fact, predicting what the next domain will be creates the perception that someone can take control over the botnet, and, for example, start pushing a bank Trojan to these millions of...

Patrick Fitzgerald | 23 Feb 2009 17:28:00 GMT | 0 comments

Over the last few days many reports have emerged concerning a new variant of Downadup (a.k.a. Conficker), which has been dubbed Downadup.B++ or Conficker.C. While one could categorize Downadup into three variants (or even more), Symantec products will detect all known variants of Downadup as either Downadup.A or Downadup.B.


Unfortunately, in addition to differences in names, variant differentiation also exists between vendors. Some vendors have a different detection for every single Downadup binary—with a differing MD5 hash—resulting in more than 30 different Downadup “variants.” Some others don’t differentiate at all and just have a single name with no variant differentiation.


However, the important point regarding Downadup is not whether this is another variant, but rather is it a new variant; i.e., if it has been released recently. Fortunately, Downadup.B++ / Conficker.C is not a...

Patrick Fitzgerald | 20 Feb 2009 14:37:02 GMT | 0 comments

Symantec Security Response has received several PDF files that actively exploit a vulnerability in Adobe Reader. We are continuing to remain in contact with Adobe on this vulnerability in order to ensure the security of our mutual customers.


This exploit is currently detected heuristically as Bloodhound.PDF.6 by our products. We have noticed an increase in submissions of similar PDFs using this exploit. So far, these attacks appear to be targeted and not widespread. Symantec is continuing to monitor the vulnerability’s use in the wild.


While examining the JavaScript code used for “heap-spraying” in these PDFs, we can see the same comments that show that these separate exploit attempts come from the same source! It seems likely that the people behind this threat are using targeted attacks against...

Elia Florio | 19 Feb 2009 11:06:34 GMT | 0 comments

Back in 2008, the infamous MBR rootkit (a.k.a. Mebroot or Sinowal) proved to be one of the most complicated pieces of malicious code ever seen. Clearly written by professional developers, the Mebroot rootkit has pushed stealth technologies to an extreme level in order to support a bigger criminal project.

In fact, Mebroot can be considered as a real e-crime platform that binds itself to the core of the operating system in order to provide support to the higher layer of modules, designed to steal sensitive information for access to bank accounts. This speculation became a fact in November 2008, when law enforcement and a group of researchers were able to gain access to a remote server used by the Mebroot gang, where it was soon discovered that the servers contained around 500,000 stolen credit card and bank account numbers.

We have posted some...

Eric Chien | 18 Feb 2009 19:22:49 GMT | 0 comments

Editor’s Note: This is the seventh installment of a multi-part series on specific and interesting aspects of W32.Downadup.

While Downadup’s RPC exploit method of spreading has been highlighted in several recently posted blog articles, the worm spreads via other methods as well. One of the potentially more noticeable methods is through network shares, especially in enterprise environments.

Downadup attempts to copy itself to other machines using the administrative network share (ADMIN$) that exists by default on Microsoft Windows machines. However, copying itself to the share requires authentication. This requirement leads to some...

Shravan Shashikant | 17 Feb 2009 21:37:22 GMT | 0 comments

As discussed in the Symantec State of Spam Report for February, URLs with the “.cn” country code top level domain (ccTLD) have become a popular ingredient in spam messages. A top-level domain (TLD) is the part of a domain name that follows the final dot of any domain name. A ccTLD is a top-level domain generally reserved or used by a country or a dependent territory. According to the February report, URLs with .cn ccTLDs accounted for approximately 32% of all URLs seen during that period. However, we saw a noticeable decrease in this particular technique starting around the end of January with levels dropping down to 7%. On February 12, we once again observed a revival approaching similar levels as was seen in January—these levels are currently sitting around 29%. The URLs are applied to various kinds of spam attacks, but one of the more popular versions uses legitimate...