Video Screencast Help
Security Response
Showing posts for September of 2009
Showing posts in English
Piotr Krysiuk | 30 Sep 2009 20:42:22 GMT

It is not very common for a file infector to do more than simply introduce trivial modifications to the files it infects. Virus authors usually avoid complex modifications to the files because of the possibility of corruption. W32.Xpaj.B is one of exceptions.

W32.Xpaj.B is an entry-point obscuring, polymorphic file infector. The virus is not completely new and shares some of its characteristics with its predecessor, W32.Xpaj, first seen in June 2008. What sets this creature apart is the amount of effort its authors have invested into hiding their malicious code in the files it infects.

W32.XPaj.B is more sophisticated than your average file infector. To make finding its malicious code difficult, the virus avoids putting any obvious signs in the infected files. Unlike most simple viruses, it doesn’t attempt to execute the virus code by hijacking control when the infected file is started. Instead, the virus overwrites some subroutines from the infected files with...

Mayur Kulkarni | 30 Sep 2009 19:43:08 GMT

The Diwali “Festival of Lights” happens in October and is celebrated across India. During this time a large portion of the Indian population will be out shopping and looking for holiday deals. We have started noticing spam messages that offer discounts related to Diwali. Interestingly, spammers are sending the same Internet offers, but in the form of Diwali discounts.

For example, in the spam message selling a database CD of contacts (names, email addresses, ages, phone numbers), “Diwali” is inserted to make it enticing for recipients. As shown in the below sample message, recipients are offered a database CD of 57,000 Indian companies (SMEs).


We also monitored unsolicited offers that we think may ultimately lead to a compilation of opted-out email addresses for the spammers. Most of these spam messages draw email users with cash prizes or discounts...

Hon Lau | 30 Sep 2009 12:07:33 GMT

An unfortunate side effect of any news-worthy disasters of the modern day is that a wave of malware will often follow in the virtual world after the initial event in the physical world. The large earthquake (8.3 on the Richter scale) last night recorded off the coast of Western Samoa and the subsequent tsunami that followed caused much destruction and loss of life to the islands near the epicentre of the quake. As with any large scale disasters that quickly become major news events, people want to know what happened and to know that loved ones are safe. The Web, being a major source of information to many people around the world, is one of the first places to see such information-seeking activity. For many people, search engines are the gateway to the masses of information available and because of this, it is also one of the first places to be targeted by malware creators. They waste no time in getting their malicious software and web sites set up and poisoning the Web...

Mathew Maniyara | 25 Sep 2009 21:17:15 GMT

Symantec has observed that most phishing URLs associated with Chinese brands attempt to trick users by stating that they are winners of a great prize. The fake websites declare that the visitors are winners for reasons such as:

1.    Customers of the brand were chosen for a lucky draw and that the customer won the draw.
2.    The brand wishes to thank the customer for their long time commitment by gifting them prizes.
3.    The customer has triumphed in a gaming site of the brand, attaining the highest score.

The phishing site goes on to state that the customer needs to submit confidential information to receive the prize, either to prove his or her identity or for the transfer of the prize money to the customer’s bank account. The following image is an example of a Chinese phishing page for a gaming website. The page says that the customer needs to enter details to prove his or her identity so as to...

Patrick Fitzgerald | 25 Sep 2009 16:45:01 GMT

It’s well known that malware is growing more sophisticated, but few threats have had us scratching our heads like Trojan.Clampi. In order to remove the mystery around this threat, Security Response will be publishing a series of blogs talking about various aspects of Clampi. As an introduction, we’d like to present a brief overview of the threat.

Trojan.Clampi has been around for a number of years now. During this time it has gone through many iterations, changing its code with a view to avoid detection and also to make it difficult for researchers to analyze.

From our analysis it seems that Clampi has mainly affected machines in the US. Clampi infection rates seem to be skewed towards countries where English is the primary language.  This may indicate the first infections were as a result of malicious drive-by attacks on...

Ben Nahorney | 24 Sep 2009 20:48:07 GMT

A lot can be said with 140 characters. It’s just enough to convey a point, but constricting enough to make things concise. No wonder microblogging sites such as Twitter have become so popular.

Unfortunately one of the limitations here is sharing Web pages with long URLs. In order to address this issue, URL-shortening utilities have grown in popularity on the site. Using such tools allows you to include a link well within the 140-character limit, which will redirect anyone who clicks it to the longer URL and thus the site you wanted to share.

There’s one downside here, from a security point of view—you’ll often have no idea where the link leads until you click it. Clicking any link like this is entirely a security leap of faith. Unfortunately malware authors have caught on to this and are currently distributing misleading applications using these shortened URLs. Using enticing tweets and commonly used twitter search terms, their goal is to get...

Gerry Egan | 22 Sep 2009 19:04:27 GMT

Have you ever noticed how movies tend to come in waves? A few years ago it seemed like every action movie had a space theme; then the following year the big new movies featured some kind of natural disaster. This past summer it seemed like every other movie was in 3-D. Technology, as we all know, has waves too, and the security industry is no different. For example, recently there has been a lot of talk about reputation-based security and suddenly it seems like every vendor is claiming to have some type of reputation technology. But, not all technologies are created equal, so I thought I’d take a few minutes to look at what makes Symantec’s reputation-based technology so very different.

Why is a new approach needed?

Two fairly recent trends have had a negative impact on the effectiveness of traditional approaches to security. First, many of today’s threats are highly polymorphic—they are able to easily hide because nearly every instance of...

Vivian Ho | 18 Sep 2009 15:34:11 GMT

The Chinese Mid-Autumn Festival, also know as the Moon Festival, is one of the major holidays celebrated in Chinese society. It happens on August 15 in the Chinese lunar calendar, which is October 3 on the western calendar this year. Most families will get together to admire the bright full moon and eat mooncakes on this holiday. It is a cultural tradition for friends and family members to send mooncakes and reunite for the holiday.

As we expected, Chinese spammers are capitalizing on this holiday and we have monitored spammers sending out mooncake and gift promotions to mark the day in the past couple of weeks. In the examples below, we observed randomized From lines with a mid-autumn festival related subject line. We anticipate more to come before the holiday.

Sample 1:

From: Randomized email alias
Subject: 中秋礼品解决方案


Subject: Moon Festival Gift Solution

Body Translation...

Greg Ahmad | 15 Sep 2009 21:46:13 GMT

Recently we became aware of a new security vulnerability that affects various versions of Microsoft Windows operating systems. This vulnerability allows remote attackers to carry out denial-of-service and local privilege escalation attacks against affected computers and though not confirmed, it may also facilitate remote code-execution with kernel-level privileges.

The issue was publicly released on September 7, 2009, by a researcher named Laurent Gaffié. The researcher published proof-of-concept code and some technical details on the Full Disclosure mailing list. He indicated that the code targets the Microsoft Server Message Block version 2 (SMB v2) protocol implementation in Microsoft Windows Vista and Windows 7 and it could be used to...

Hon Lau | 15 Sep 2009 21:02:39 GMT

Yes folks, the Bredolab crew is at it once again. Today we saw a moderate wave of spam email, numbering a few thousand per hour. Not to be drawn to the depth of exploiting the death of Patrick Swayze to deliver their malware, the Bredolab gang is still adapting old reliable—spam email messages with promises of undelivered parcels and cash for collection. Depending on whether the delivery is for cash or for a parcel you will get a slightly different message, although the attachment names are much the same as one another, following a distinct pattern.

For parcel deliveries you might see something like the following example:

Dear customer!
Unfortunately we were not able to deliver the postal package sent on the 24th of June in time
because the recipients address is inexact.
Please print...