Security Response
Showing posts for April of 2009
Dermot Harnett | 29 Apr 2009 19:22:04 GMT | 0 comments

According to recent political opinion polls, U.S. President Obama’s approval rating currently stands at 65%. It is clear that when his first 100 days in office are analyzed, spammers also view him favorably. In the last few weeks there has been a noticeable boost in the number of spam messages that use his name and popularity to promote certain spam products and services.

President Obama first became a target for spammers in 2008, when Obama and his then-challenger Senator John McCain had their names linked with "portable dewrinkle machine" spam, medical product spam, and get-rich-quick spam messages. When President Obama took his campaign to Europe in July 2008, spammers duly followed up with a spam campaign that contained links to malware. Ever since President Obama was inaugurated on January 20, 2009, spam attacks with...

khaley | 29 Apr 2009 16:54:59 GMT | 0 comments

Computer viruses got their name because they spread just like biological viruses. There are other parallels as well; for instance, best practices. In the medical world they are called preventative measures, but really they are best practices. For instance, you should wash your hands in soap and water often. In the computer world, the equivalent is keeping your security software up to date and keeping your patches current. For computer users, if you follow this one best practice, your computer will stay healthy.
We wrote earlier about how the spammers are taking advantage of public concern about the swine flu. Now the malware writers have entered the game, too. Potential victims are going to get an email with a PDF attachment that promises to answer all questions about the much talked about swine flu. The attachment is named “Swine influenza frequently asked questions.pdf.” It is a real PDF file, and when opened it will show something like this:...

Mayur Kulkarni | 28 Apr 2009 10:21:17 GMT | 0 comments

The swine flu outbreak in Mexico and the United States is making news headlines all over the world, with updates coming out in real time from the Centers for Disease Control and Prevention. The scare has spawned a spamming frenzy, like sharks smelling blood in the water. Symantec has been monitoring the spam and is continuing to analyze the underlying intentions of the associated messages. In the past, such current event spam campaigns included sending malicious messages, in which the email user is lured into clicking malicious links that pretend to be a harmless link or a related video. However, this time around it is an email address that the spammers are more interested in collecting—perhaps as part of a harvest for their future campaigns.

One of the samples (shown below) simply informs recipients of the disaster, using linked news headlines from reputable news agencies. Users are asked whether they...

Mayur Kulkarni | 27 Apr 2009 20:18:26 GMT | 0 comments

In an effort to track the prevalence of Mother’s Day spam, we’ve started monitoring recent spam samples and have found that the spammers seem less enthusiastic about Mother’s Day than other events around the world, such as the resurgence of interest in the swine flu. Most of the Mother’s Day-related spam we analyzed consisted of Internet offers providing personalized gifts such as photo frames or jewelry. Others included gift cards, kitchen related products, and the ever-present weight-loss solutions.

Some of the common subject lines are listed below:

Personalized Mothers Day Gifts
Mother's Day Gifts
This is about Mother's Day next month
Microwavable pasta cooker. Mother's Day is near!
Your Mothers Day Gifts are Here!

Sumit Pagey | 27 Apr 2009 15:46:11 GMT | 0 comments

Misleading applications, also known as rogue antispyware applications, use various techniques such as misleading task bar notifications, popup windows, and fake security scans to attempt to scare users into believing they will need to purchase the “protection” offered by the misleading apps. We have observed a new technique being used by misleading applications, one that involves asking users to pay for software from popular vendors.

As is typical with misleading applications, when executed, a fake security warning is initially displayed:

Then, a fake system scan is conducted and non-existent threats are reported on the system:

However, instead of the misleading application...

Mayur Kulkarni | 24 Apr 2009 22:52:16 GMT | 0 comments

We have recently come across a different type of phishing attack that involves JavaScript being used to attempt to trick users into submitting sensitive banking-related information. This type of attack usually carries an HTML file attachment. The HTML file will locally open a look-alike bank submission form with the capability to pass critical user information to the phisher’s server.

Case 1

In the past, we monitored attacks with a similar type of file attachment, but they contained straightforward redirection code. There are different ways to redirect users to the desired location. One of the simpler HTML codes for redirection is shown below:

Sample image of the message:


Karthik Selvaraj | 24 Apr 2009 20:49:59 GMT | 0 comments

Once again, the Indian election looms and while it is an exciting time to vote, malware authors are looking to exploit voters’ hope and enthusiasm for their country’s political future. Any popular websites with a large user base will inevitably become a target that attackers will use to host or push their threats onto unsuspecting users’ computers. This time, the voting website Jaago re! is the attacker’s choice.

Jaago re! is an Indian online non-profit portal that provides several voter services, including voter registration, voter list searching, election information, and assembly constituency searching. It’s easy to see why this site has a large enough user base to make it a target for attackers. 

Unfortunately, Jaago re! has not only become a target for attackers, but has also become a victim. We discovered that this site was compromised and its pages were...

Joe Pasqua | 22 Apr 2009 17:46:15 GMT | 0 comments

Yesterday at the RSA conference a group of Symantec executives and technologists met with industry influencers to discuss a broad collection of topics, ranging from innovation to reputation to virtualization. It was a pretty interesting discussion and I'd like to focus on one particular aspect that is near and dear to me—the importance of maintaining innovation momentum in a down economy. There are plenty of historical examples that show that companies that innovate through tough times emerge with a strong and sustainable advantage over those that don't. An interesting point, but I think there is more compelling evidence that sustained innovation is the smart thing to be doing right now.

Someone once said that there are two kinds of products in the world: those that cost a dollar but help you earn five dollars, and those that cost a dollar but help you save five dollars. Both are valid value propositions, but in this economy it's not too surprising that people are...

Security Intel Analysis Team | 22 Apr 2009 15:59:31 GMT | 0 comments

Symantec’s Security Intelligence Analysis Team has collaborated with Nmap contributor Ron Bowes to aid in the development of an Nmap script that is able to detect hosts infected with W32.Downadup.C by enumerating the peer-to-peer (P2P) protocol used by the worm. The script has been made available to the public via The script has also been bundled in with the latest Nmap beta, nmap-4.85BETA8. If you are using an older version of Nmap that does not contain the Nmap scripting engine, you may want to download this updated version.

If you are new to using Nmap scripts I suggest that you check out Ron’s blog, which has lots of details on how to use the script with Nmap. Once you have located infected...

Ben Nahorney | 21 Apr 2009 16:34:30 GMT

For the last couple weeks, all’s been pretty quiet on the Downadup/Conficker front. While we’re still performing our ‘daily patrols’ here in Security Response, watching for signs of something new, quiet moments like this give us a chance to reflect on what has come to pass so far.

What we’ve discovered looking back is that there has been some confusion about the different Downadup variants—what each one does and how they interrelate. It’s not surprising, given that a feature present in one version is often absent in another. Some largely stand on their own, some install other risks, and others largely seem to exist in order to update their siblings. Try describing how each works and you’re likely to find yourself reminded of an Abbott and Costello routine.
In order to connect the dots between Downadup variants, we’ve developed a...