Video Screencast Help
Scheduled Maintenance: Symantec Connect is scheduled to be down Saturday, April 19 from 10am to 2pm Pacific Standard Time (GMT: 5pm to 9pm) for server migration and upgrade.
Please accept our apologies in advance for any inconvenience this might cause.

Security Response

Showing posts for October of 2009
Showing posts in English
Andrea Lelli | 31 Oct 2009 13:13:44 GMT

Sure we have heard a lot about bots and botnets. One key component of a botnet is the command-and-control (C&C) server, which as we know can come in several flavours (IRC, Web pages, newsgroups, custom servers, etc.). Yet, here comes Trojan.Whitewell, which, being tired of old C&C channels, decides to pick up Facebook as a coordinator for the C&C server. I use the word “coordinator” because the Trojan only receives some configuration data from its Facebook account—the actual command execution and data reporting is done through a third party Web server.

The Trojan was sent through a popular malware distribution channel that is also related to other prevalent threats such as Trojan.Bredolab. The distribution technique is pretty simple: they send documents (PDF, or MS Office formats) containing exploits for known vulnerabilities. These documents usually...

Shunichi Imano | 30 Oct 2009 05:23:54 GMT

Symantec Security Response has become aware of a Trojan Horse we detect as Trojan.Ramvicrype. The Trojan uses the RC4 algorithm to encrypt files on compromised computers, rendering them unusable. Presence of files with a .vicrypt extension is a sure-fire sign of infection.

Trojan.Ramvicrype is a little different from most other Ransomware programs we’ve seen in the past. Typically these kinds of threats display a message prompting users to visit a certain Web page or email a specific address. Users will end up paying the online criminals in exchange for keys that can be used to unlock the computer or decrypt the encrypted files.

Previously posted blogs on the subject of Ransomware can be found at:

Patrick Fitzgerald | 29 Oct 2009 17:51:49 GMT

While looking through some recent customer submissions a particular filename caught my attention. It was called “googlewaveinvitegenerator.exe”. Google Wave is a new communication application being developed by Google. Many people who missed the initial sign up for this application are now seeking invites to the service. Certain bad guys have latched onto this and are attempting to take advantage of the situation to push malware. In this case the malware in question is Backdoor.Tidserv. It’s also worth pointing out Google Wave was only selected because of its current popularity. Using a trusted brand like this also increases the chance of success for the attacker. This technique is something we see all of the time.

This particular campaign tries to trick people who want to get into the Google Wave community by promising not only an application that generates Google Wave invites, but also untold riches by selling these invites to other people who want to...

Eric Chien | 28 Oct 2009 21:17:13 GMT

A Blackberry application called PhoneSnoop was released recently, which resulted in an advisory from US-CERT. The application allows remote users to listen in on a Blackberry user’s surroundings.   
 
snoop1.png

The application as seen when installed on a Blackberry

The application is actually quite straightforward and uses standard Blackberry APIs that allow the interception of incoming phone calls. When a call is received from a preconfigured phone number, the call is automatically answered and the speakerphone is engaged. Someone who has had this application installed may not notice the incoming phone call and not realize someone can now listen in on the immediate surroundings.

We’d consider this application just a proof of concept for a variety of reasons, including the author himself designing it as such:...

Mayur Kulkarni | 27 Oct 2009 20:31:17 GMT

Instant degree spam attacks have become one of the most regular attacks monitored in recent months. In an earlier blog post we listed the top five degrees offered by spammers. The messages guided users to online degree sites where recipients needed to actually earn their degree. On the other hand, with instant degrees there is no effort required—just call the number provided in the message and you can obtain a degree certificate in no time. These plain text messages arrived with a variety of subjects, which are listed below this sample message:

degreespam.png

We have listed subject lines in descending order of number of appearances:

Get Your Bachelor's Degree Online
Earn a Bachelor's or Master's Degree Online
Enhance Your Career Tomorrow
Earn a Bachelor's or Master's Degree Online...

Vivian Ho | 27 Oct 2009 20:20:04 GMT

Chinese spammers are very adaptive to new Internet social mediums that might attract recipients’ interests in order to get Web hits. Spammers have done their research on popular social networking activities and living habits, thus setting up spam traps for possible hits. Recipients often fall for the spammers’ tricks because they may not be aware of updated spam news or phishing alerts.

Recently we observed Chinese spammers sending out moneymaking scams using a popular free micro blogging service. This type of free social networking allows users to send live updates through short text messages or links. In this sample we found that a spammer registered a legitimate user account and then sent out a friend invitation request. All links lead to the same money making promo ads:

Sample 1:

From: Popular social networking <Details removed>
Subject: 兼職工作,全職收入-每月增加2到 5萬 邀請您到 <Details removed> 註冊帳號

Translation:...

Shunichi Imano | 27 Oct 2009 11:19:47 GMT
Security Response is aware of a new round of spam replacing old DHL and UPS themes in an attempt to spread Trojan.Bredolab.

Taking a Closer Look at Trojan.Bredolab
Bredolab Delivers More Parcels and Cash
 

This time the email is masquerading as a notification from Facebook that the recipient’s password has been reset.

Facebook.PNG
 
The message comes with a .zip file containing a malicious .exe file. Symantec detects the .exe files as Trojan.Bredolab.

This variant...
Nicolas Falliere | 27 Oct 2009 04:06:33 GMT

Clampi goes to unusual measures to bypass the local firewall on the compromised computer, such as the Windows Firewall. Usually, such firewalls allow only specific programs to communicate using specific ports and protocols. For instance, your browser would be allowed to use outbound TCP port 80.

As we’ve previously discussed, Clampi needs to communicate with a “Gate” gateway server in order to get its orders and send information. Any firewall would block the program if it tried to connect to the outside world. Bypassing this can be done in many ways, the most common one in the malware world being to add an entry in the Windows registry, added the program to the trusted file list.

The Clampi gang decided to inject their networking code into Internet Explorer, which is granted Web access by any standard firewall configuration out there. Fair enough—that’s another approach, but not a new one. Yet you’ve seen these guys don’t do...

Mayur Kulkarni | 26 Oct 2009 23:22:09 GMT

This has been a season of malicious attacks, starting last month when we informed users about an increase in spam containing malware. Coincidentally, we are seeing different methods of luring or scaring recipients to download malicious programs. In the past few weeks we reported spam attacks with malicious links that included MJ’s leaked song spam attack and the hunting the airplane game. In this recently monitored attack, we observed a typical phishing email that encourages users to click and download executable files.

Sample image of the message:

FDIC1.jpg

As shown in the above image, a fake FDIC alert warns users of a bank failure. This...

Jarrad Shearer | 26 Oct 2009 21:54:33 GMT

Misleading application, rogue software, fake AV: call it what you will, it’s everywhere. The authors of these applications are pumping them out by the hundreds, fooling many Internet surfers, and in the process they’re making big bucks out of it. In fact, as many of our readers will be well aware by now, it is the focus of a white paper Symantec has just released entitled Symantec Report on Rogue Security Software.

So if there are so many of these things, why should one called Windows Enterprise Defender be any different from the rest? Firstly, it tries to pass itself off as Windows Defender, which is a legitimate security product released by Microsoft. Obviously the name is similar but so is the GUI:

shot1.JPG

Notice the castle wall on the top-right hand side of the...