Security Response
Showing posts for August of 2009
Mayur Kulkarni | 31 Aug 2009 20:41:15 GMT

Last month we wrote about a spam campaign for mobile spying software (possible malware) that snoops on the phone calls and SMS messages of a person of interest. The most advertised service was spying on your loved one to see if they are having an affair. Of course, spying is not going to help a troubled relationship, so spammers are now providing another solution for distressed lovers. They claim to bring excellent results for solving troubles with loved ones—all without even needing to meet the spammer.

This is another ploy to entice recipients to contact the spammer, reminiscent of the examples in one of our May 2009 blog postings. In the current scenario, a clever message has been drafted to lure troubled lovers into a 419-like trap in order to extract personal information. Also, spammers may use personal...

Mathew Maniyara | 28 Aug 2009 15:34:28 GMT

Symantec has observed a sudden rise in phishing against Indian brands recently. Phishing URLs targeting Indian brands made up nearly 2% of all phishing attacks in the first two weeks of August, against a usual average of about 0.5%. That is a fourfold increase in just two weeks.

The geo-location of each phishing site was examined and none were hosted in India. It is still likely that at least some of the phishers involved are in India, since the stolen credentials are most useful for specifically Indian purposes. For instance, several websites dedicated to purchasing Indian goods accept net banking payments only from a given list of Indian bank accounts. The attackers may therefore be masking their location by hosting their phishing pages outside India rather than on Indian servers.

There were five brands targeted that were all in the banking sector for the given time period. Among...

Symantec Security Response | 28 Aug 2009 01:36:42 GMT

In the last few years, voice over IP (VoIP) has gained a significant foothold in the realm of voice communication. In some arenas the technology has supplanted traditional telecommunication devices, becoming a technology many of us can no longer imagine going without.

As is often the case, when a software or networking technology gains a foothold, it becomes a target of malicious code writers. This week we have seen the release of a Trojan horse called Trojan.Peskyspy that records VoIP communications, specifically targeting Skype, one of today's most popular VoIP applications. What we are looking at is something that could be considered the first "wiretap Trojan".

Now before going into the details of this threat, we’d like to point out that its existence isn’t due to any problems with Skype itself. In this case, Skype has simply become a victim of its own popularity, most likely being targeted simply...

Nishant Doshi | 27 Aug 2009 14:59:54 GMT

Did I just say that? Usually security researchers hate obfuscation. But I say, let them obfuscate more!

Obfuscation is a loosely defined term, but it basically refers to a method of concealing your exploit code to avoid detection. Attackers employ various techniques and methodologies to achieve obfuscation. Some techniques are very clever and take even the most seasoned security researcher by surprise. In most cases, attackers try to obfuscate their exploit by stretching the limits of the language or protocol they are using. Some take advantage of the detection engine limitations as well.

Today many detection engines parse files and network streams to detect vulnerabilities and odd behavior by using pattern-matching algorithms. However, in many cases the detection logic used has some limitations and assumptions built in. Some limitations stem from the architecture of the detection engine, and some stem from the risk of a false positive. In this cat and mouse game,...
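The point about detection-engine limitations is easiest to see with a small example. The following script is added here and is not code from the original post: it runs a signature that looks for a literal marker string against the same script written plainly and in three obfuscated forms (string concatenation, hex escapes and String.fromCharCode), first with a naive byte-for-byte matcher and then after a normalization pass that undoes those three tricks. The marker "evil.example" and the sample scripts are constructed placeholders. The normalizer deliberately handles only double-quoted literals and constant-argument fromCharCode calls, which is the kind of built-in assumption the post describes; the obfuscation count at the end is the signal that heavy obfuscation is itself worth alerting on.

```python
import re

# Constructed samples (not from the original post): the same script written plainly
# and in three obfuscated forms. "evil.example" is a placeholder marker, not a real domain.
MARKER = "evil.example"
SAMPLES = {
    "plain":      'var u="http://evil.example/x";',
    "concat":     'var u="http://ev"+"il.exa"+"mple/x";',
    "hex_escape": 'var u="http://\\x65vil.\\x65xample/x";',
    "charcode":   'var u="http://"+String.fromCharCode(101,118,105,108)+".example/x";',
}


def naive_match(script: str) -> bool:
    """A signature engine that only looks for the literal marker bytes."""
    return MARKER in script


_CHARCODE = re.compile(r"String\.fromCharCode\(\s*([0-9\s,]+)\)")
_HEX = re.compile(r"\\x([0-9a-fA-F]{2})")
_UNI = re.compile(r"\\u([0-9a-fA-F]{4})")
_CONCAT = re.compile(r'"([^"\\]*)"\s*\+\s*"([^"\\]*)"')


def normalize(script: str) -> str:
    """Undo the three obfuscations above before matching.

    Limitation (deliberate, to mirror the post): only constant-argument
    fromCharCode calls and double-quoted literals are handled. An attacker
    probing this engine would move to single quotes or computed arguments next.
    """
    # 1. Fold String.fromCharCode(101,118,...) with constant arguments into a literal.
    script = _CHARCODE.sub(
        lambda m: '"' + "".join(chr(int(n)) for n in m.group(1).split(",")) + '"',
        script)
    # 2. Decode \xHH and \uHHHH escapes inside literals.
    script = _HEX.sub(lambda m: chr(int(m.group(1), 16)), script)
    script = _UNI.sub(lambda m: chr(int(m.group(1), 16)), script)
    # 3. Join "a"+"b" chains; repeat until no further join is possible.
    while True:
        joined = _CONCAT.sub(lambda m: '"' + m.group(1) + m.group(2) + '"', script)
        if joined == script:
            return script
        script = joined


def normalized_match(script: str) -> bool:
    return MARKER in normalize(script)


def obfuscation_score(script: str) -> int:
    """Count obfuscation constructs; heavy use is itself a signal worth alerting on."""
    return (len(_CHARCODE.findall(script)) + len(_HEX.findall(script))
            + len(_UNI.findall(script)) + len(_CONCAT.findall(script)))


def scan(samples=SAMPLES):
    """Return {name: (naive hit, normalized hit, obfuscation score)} for each sample."""
    return {name: (naive_match(s), normalized_match(s), obfuscation_score(s))
            for name, s in samples.items()}


if __name__ == "__main__":
    for name, (naive, norm, score) in scan().items():
        print(f"{name:10s} naive={naive!s:5s} normalized={norm!s:5s} score={score}")
```

The naive matcher catches only the plain sample; the normalizing matcher catches all four. Each obfuscated sample also has a non-zero obfuscation score, which is the cheaper signal: an engine that cannot afford to normalize every stream can still flag a script that leans on escapes, fromCharCode and literal concatenation far more than ordinary page code does.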

Mayur Kulkarni | 26 Aug 2009 20:08:00 GMT

In our earlier blog posting on obfuscated URL attacks we reported on the transition of image spam attacks to URL-obfuscation attacks, and we also mentioned how resources such as domains and subject lines were being recycled. In this blog post we will be discussing another aspect of the image spam attack, that of message size. We have observed a sudden growth in message sizes during the month of August. Similar jumps in message size were reported on the Symantec Security Response Blogs in November 2008.

After monitoring the messages during the month of August (so far), we came to the following conclusions:

• 9.3% of image spam had a message size greater than 100 KB.
• 14.43% of image spam had an average size of...

Takako Yoshida | 26 Aug 2009 19:44:39 GMT

In the past, we have seen spammers use election content in their spam campaigns. So, it comes as no surprise to see spam messages with a catchy subject relating to an upcoming political event. We have observed spammers sending out messages instructing recipients on how to “make money fast” with a subject line referring to the upcoming Lower House election in Japan, which will be held on Aug 30, 2009.

The message guides users to a website that claims to offer free information on how to make money fast from summer horse racing. After a recipient enters their email address to register, they do not receive the promised information; instead they receive a message containing a link to a further registration page that asks for personal information. It is unknown whether recipients receive anything at all after providing their personal data.

Although there is no correlation between an election and summer horse racing, spammers lure people to...

Vivian Ho | 26 Aug 2009 00:48:13 GMT

Happy Valentine's Day! Yes, Chinese lovebirds get to celebrate twice a year with their loved ones. Chinese Valentine's Day falls on the seventh day of the seventh month of the lunar calendar, which this year is August 26 on the Western calendar.

Chinese spammers have been using eventful holidays in the same way that English and European spammers have in order to spread their wares. We have observed spammers sending dating service advertisements and gift service site promotions for the upcoming Chinese holiday. Below you will find some examples of recent Chinese Valentine spam messages.

Sample 1:

Chinese singles often go to the matchmaker temple and pray for luck in love or marriage. People call this matchmaker god “Yue Lao.” We see spammers using this name in email aliases to promote their dating service for this legendary holiday. The advertisement is simply an inserted dating service link for users to click on in the body.


Shunichi Imano | 26 Aug 2009 00:16:31 GMT

Symantec Security Response has found a new threat that spreads through a very popular social networking site in China, similar to Facebook. The threat comes in the form of a Flash video that pretends to be the well-known Pink Floyd promotional video clip "Wish You Were Here."

Viewing the Flash video results in concealed JavaScript being executed while the video is playing.


The video is hosted on a legitimate site. Because the concealed script runs in the context of the social networking site, it can make requests using the currently logged-in user's session (their authentication cookie), and it uses that session to send the same link to the Flash file to everyone on the user's friends list, which is how it propagates.


We detect this malicious XSS threat as Js.Frienren.

Peter Coogan | 25 Aug 2009 19:43:45 GMT

The Zeus crimeware toolkit has been around now for some time and is well established in the underground economy as being an easy-to-use and powerful tool for stealing personal data from remote systems. Initially linked to a group of criminals known as the “Rock Phish” group and targeting worldwide financial institutions, the toolkit has since become widely available both for sale and for free on underground forums.

The following video provides an insight into the Zeus crimeware toolkit, the underground economy, and distribution methods for the Trojan:


Robert Vivas | 24 Aug 2009 22:32:14 GMT

Spammers continue to take advantage of the Internet tools and applications Google provides for free. In the past we have encountered spammers abusing Google Group Pages, Google Maps, Google Search, and Google Docs to host spam content. Recently spammers have started using Google Translate, an excellent tool that translates any text, Web page, or document into a language of the user's choosing.

In recent medication spam attacks, spammers have found a way to abuse Google Translate as a redirector. Here is one example:

  1. Hijacked URL directory space on a legitimate domain. In this example the directory path on that domain was used as a redirect to the intended spam domain...
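A mail filter that judges only the visible host would see translate.google.com and let the message through. The check below is added here and is not code from the original post or from Google: it assumes the proxy form current at the time, translate.google.com/translate?...&u=<target>, peels that wrapper off (including nested wrapping) and makes the filtering decision on the destination host instead. "spam-pharma.example" and "news.example" are constructed placeholders; any other Google Translate URL forms would need to be added to TRANSLATE_HOSTS and the path check.

```python
from urllib.parse import urlsplit, parse_qs, quote

# Assumption: the proxy form of the day, http://translate.google.com/translate?...&u=<target URL>.
TRANSLATE_HOSTS = {"translate.google.com"}


def unwrap_translate(url: str, max_depth: int = 5) -> str:
    """Strip Google Translate proxy layers and return the real destination URL.

    Wrapping can be nested (a translate link whose target is another translate
    link), so peel at most max_depth layers rather than looping forever.
    """
    for _ in range(max_depth):
        parts = urlsplit(url)
        host = (parts.hostname or "").lower()
        if host in TRANSLATE_HOSTS and parts.path == "/translate":
            target = parse_qs(parts.query).get("u")
            if not target:
                break                 # a translate URL with no target: leave it as-is
            url = target[0]           # parse_qs already percent-decodes the value
            continue
        break
    return url


def effective_host(url: str) -> str:
    """The host a filter should actually evaluate, after unwrapping."""
    return (urlsplit(unwrap_translate(url)).hostname or "").lower()


def is_suspicious(url: str, blocked_hosts) -> bool:
    """Filter decision: judge the destination host, not the translate.google.com wrapper."""
    return effective_host(url) in blocked_hosts


# Constructed sample links, as a spam filter would see them in message bodies.
SPAM_HOST = "spam-pharma.example"   # placeholder, not a real domain
DIRECT = f"http://{SPAM_HOST}/buy?item=1"
WRAPPED = "http://translate.google.com/translate?hl=en&sl=fr&u=" + quote(DIRECT, safe="")
DOUBLE_WRAPPED = "http://translate.google.com/translate?hl=en&sl=de&u=" + quote(WRAPPED, safe="")
BENIGN = ("http://translate.google.com/translate?hl=en&sl=de&u="
          + quote("http://news.example/story", safe=""))

if __name__ == "__main__":
    for label, link in [("direct", DIRECT), ("wrapped", WRAPPED),
                        ("double", DOUBLE_WRAPPED), ("benign", BENIGN)]:
        print(f"{label:8s} -> {effective_host(link):22s} suspicious={is_suspicious(link, {SPAM_HOST})}")
```

The same unwrapping belongs in front of any URL reputation lookup, not just a static blocklist; otherwise every reputation hit is charged to translate.google.com and the spam domain behind it stays clean. The hijacked directory on a legitimate domain that the post describes is the next layer and has to be resolved by following the HTTP redirect, which this offline check does not do.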