Security Response
Showing posts for March of 2010
Patrick Fitzgerald | 31 Mar 2010 19:13:24 GMT

On Monday, March 29, 2010, a blog post was published describing malware that masqueraded as the Adobe Reader update program. This tactic is an attempt to run a malicious payload while avoiding detection. As we looked into this sample (detected as Trojan.Dosvine) in more detail, it became clear that this threat is involved in a distributed denial of service (DDoS) attack on the Vietnamese online community. In a related article, Google reported that “compromised keyboard language software and possibly other legitimate software” is being used to infect Vietnamese Windows computers.

Initial reports on this attack have compared this to the Trojan.Hydraq/Aurora incident from earlier this year. For those not familiar with the Hydraq incident, everything you need to know can be...

Security Intel Analysis Team | 30 Mar 2010 19:25:41 GMT

At the recent Pwn2Own contest held during the CanSecWest 2010 security conference, the Web browser targets were the latest versions of Microsoft Internet Explorer, Mozilla Firefox, Google Chrome, and Apple Safari. All of the targeted browsers were fully patched and shipped with the latest anti-exploitation technologies. In spite of this, Peter Vreugdenhil succeeded in chaining two vulnerabilities in Internet Explorer 8 on 64-bit Windows 7 to reliably execute arbitrary code, bypassing Microsoft’s latest security defenses. Internet Explorer 8 was not the only browser to fall: Charlie Miller exploited Safari on Mac OS X, and Nils exploited Mozilla Firefox on Windows 7.

So, why do Web browsers make such good targets for exploit developers? First, the Web browser handles untrusted, and therefore unpredictable, data, and that data often crosses several security boundaries before processing is complete. The Web...

Samir_Patil | 30 Mar 2010 18:52:38 GMT

Keeping personal information private on the Internet is always a concern for computer users. In a new spam tactic, spammers seem keen to bring disrepute to social networking sites and Webmail services by introducing fear, uncertainty, and doubt regarding the security of private online data.

In this spam attack, spammers allege that social networking and Webmail service providers are spying on users and reading every email they send, which (they claim) seriously affects usability, privacy, and safety. The spammers are targeting human emotions, such as concern for children’s safety and personal online security. The spam message states that a privacy protection service will keep users’ social networking and email accounts from being spied on.

Sample email:

The so-called “privacy protectors” claim to give subscribers audio updates about the privacy invaders. To protect the...

Henry Bell | 30 Mar 2010 10:15:31 GMT

We’ve been seeing Fake AV programs getting more convincing for a while now. Some of the tricks employed by the guys behind these rogue programs include Windows-7-style fake scanners, in-browser “scanners”, and program features that ape other aspects of the operating system.

Yesterday, though, we came across a misleading application called AntiVirusDemoFraud that is—how to say?—possibly a little less sophisticated than some in terms of user interface design.


Security Response China | 30 Mar 2010 08:50:42 GMT

Symantec Security Response has become aware of multiple reports from mainland China and Hong Kong of an SMS worm targeting the Symbian S60 platform. The worm is detected as SymbOS.Merogo. Two main factors helped the threat gain ground. First, China has a strong user base on the S60 platform. Second, the majority of those handset users have not turned on certificate revocation checking, which would have prevented the threat from installing.

Essentially, the threat spreads through social engineering, using lures like “Your friend has sent a picture to you, please click the following link to get it.” Once a user clicks the link, the threat installs itself on the phone using an installer signed with a certificate that has since been revoked.

The installer...

Vincent Weafer | 29 Mar 2010 10:03:39 GMT

As we approach April Fool’s Day 2010, we recognize the one-year anniversary of the Downadup/Conficker threat’s April 1, 2009, “trigger” date. A year ago, the security industry monitored Downadup/Conficker activity so that it would be fortified against the next move of the criminal or criminals behind the threat. Fortunately, Conficker did not turn into a widespread threat or cause the significant damage it had the potential to cause.

Earlier in 2009, the Downadup/Conficker threat roamed the “streets” of the Internet looking for “unlocked doors” (unpatched systems) and computers not protected by “alarm systems” (security software). These computers, which numbered in the millions, were prime targets for the threat. It took advantage of a security vulnerability in the Windows operating system that Microsoft had actually patched a month before the spread of Downadup/Conficker ever began. Once on a machine, the threat...

Mathew Maniyara | 28 Mar 2010 19:00:50 GMT

Despite the global economic slowdown, India saw a high number of new jobs created during the first quarter of 2010. With the job market looking positive, job sites seem to have benefited from more users visiting their websites.

Below is a screenshot of a phishing website that takes advantage of the brand of a popular Indian job site:

The increased number of candidates seeking jobs in India has led to phishing attacks on Indian job sites. The phishing page in the above example asks for potential employers’ login credentials: a username and password for the job site, as well as the employer’s email ID and password. The phishing website was hosted on servers located in the Netherlands. After stealing these credentials, fraudsters send targeted spam messages to the employers. The spam message states that the employer is required to pay an...

Karthik Selvaraj | 27 Mar 2010 17:52:53 GMT

Malware authors use numerous unconventional techniques in their attempts to create malicious code that antivirus software does not detect. As malicious code analysts, it is our job to analyze their creations, so we have to be constantly vigilant for the latest tricks that malware authors employ.

While looking at some PDFs yesterday, something suspicious caught my eye. The PDF file format supports compression and encoding of embedded data, and it also allows multiple cascading filters to be specified for one stream, so that multi-level compression and encoding of that data is possible. The PDF stream filters usually look something like this:

However, in the particular file being analyzed I spotted the use of no fewer than nine compression and encoding filters applied to a single JavaScript stream, which is an unusually large number:
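The following is an added example, not code from the original post: a small Python scanner that walks the stream objects of a PDF, reads each stream's /Filter entry, counts how many filters are cascaded, decodes the chain in the order the format prescribes (first filter in the array first), and flags any chain deeper than a configurable threshold. The sample document, the threshold value of three, the `app.alert` placeholder payload and the nine-filter chain are all constructed for this example; the scanner also assumes a direct numeric /Length in each stream dictionary and implements only the FlateDecode, ASCIIHexDecode and ASCII85Decode filters.

```python
import re
import zlib
import base64
import binascii

# Constructed threshold: any /Filter chain longer than this is flagged. Legitimate
# producers rarely cascade more than two or three filters on one stream.
MAX_FILTER_DEPTH = 3

OBJ_RE = re.compile(rb"(\d+)\s+(\d+)\s+obj(.*?)endobj", re.DOTALL)
STREAM_START_RE = re.compile(rb"\bstream\r?\n")
LENGTH_RE = re.compile(rb"/Length\s+(\d+)")   # direct /Length only (assumption)
FILTER_RE = re.compile(rb"/Filter\s*(\[[^\]]*\]|/[A-Za-z0-9]+)")
NAME_RE = re.compile(rb"/([A-Za-z0-9]+)")


def filter_chain(header):
    """Filter names declared in a stream dictionary, in decode order
    (the spec applies the first filter in the array first)."""
    m = FILTER_RE.search(header)
    return [n.decode() for n in NAME_RE.findall(m.group(1))] if m else []


def decode_one(name, data):
    """Apply one standard PDF filter. Only the three filters used by the sample
    are implemented; anything else raises so the caller can still report it."""
    if name == "FlateDecode":
        return zlib.decompress(data)
    if name == "ASCIIHexDecode":
        hexdata = re.sub(rb"\s+", b"", data.split(b">", 1)[0])
        if len(hexdata) % 2:            # spec: a trailing odd digit is padded with 0
            hexdata += b"0"
        return binascii.unhexlify(hexdata)
    if name == "ASCII85Decode":
        return base64.a85decode(data, adobe=True)   # accepts data with or without <~
    raise ValueError("unsupported filter " + name)


def decode_stream(chain, raw):
    """Undo a cascaded filter chain in array order."""
    for name in chain:
        raw = decode_one(name, raw)
    return raw


def scan_pdf(pdf_bytes, max_depth=MAX_FILTER_DEPTH):
    """Record each stream object's filter chain, decode it, and flag chains
    deeper than max_depth as suspicious."""
    findings = []
    for m in OBJ_RE.finditer(pdf_bytes):
        num, body = int(m.group(1)), m.group(3)
        sm = STREAM_START_RE.search(body)
        if not sm:
            continue                    # dictionary-only object, no stream
        header = body[:sm.start()]
        lm = LENGTH_RE.search(header)
        raw = body[sm.end():sm.end() + int(lm.group(1))] if lm else body[sm.end():]
        chain = filter_chain(header)
        try:
            decoded = decode_stream(chain, raw)
        except Exception:               # unknown filter or corrupt data: still report it
            decoded = None
        findings.append({"obj": num, "chain": chain, "depth": len(chain),
                         "suspicious": len(chain) > max_depth, "decoded": decoded})
    return findings


# --- constructed sample document (not a real malicious file) -------------------

def encode_stream(chain, plain):
    """Inverse of decode_stream, used only to build the sample: encode with the
    last filter first so that decoding in array order recovers the plaintext."""
    encoders = {
        "FlateDecode": zlib.compress,
        "ASCIIHexDecode": lambda d: binascii.hexlify(d) + b">",
        "ASCII85Decode": lambda d: base64.a85encode(d, adobe=True),
    }
    for name in reversed(chain):
        plain = encoders[name](plain)
    return plain


def stream_obj(num, chain, payload):
    raw = encode_stream(chain, payload)
    filt = b"[" + b" ".join(b"/" + c.encode() for c in chain) + b"]"
    return (b"%d 0 obj\n<< /Length %d /Filter %s >>\nstream\n" % (num, len(raw), filt)
            + raw + b"\nendstream\nendobj\n")


PAGE_CONTENT = b"BT /F1 12 Tf (hello) Tj ET"
JS_PAYLOAD = b'app.alert("constructed sample payload");'   # benign placeholder
DEEP_CHAIN = ["ASCIIHexDecode", "FlateDecode", "ASCII85Decode", "FlateDecode",
              "ASCIIHexDecode", "FlateDecode", "ASCII85Decode", "FlateDecode",
              "ASCIIHexDecode"]                              # nine cascaded filters

SAMPLE_PDF = (b"%PDF-1.4\n"
              + b"1 0 obj\n<< /Type /Catalog /OpenAction 3 0 R >>\nendobj\n"
              + stream_obj(2, ["FlateDecode"], PAGE_CONTENT)
              + b"3 0 obj\n<< /S /JavaScript /JS 4 0 R >>\nendobj\n"
              + stream_obj(4, DEEP_CHAIN, JS_PAYLOAD)
              + b"%%EOF\n")

if __name__ == "__main__":
    for f in scan_pdf(SAMPLE_PDF):
        flag = "SUSPICIOUS" if f["suspicious"] else "ok"
        print(f"obj {f['obj']}: {f['depth']} filter(s) {f['chain']} -> {flag}")
        if f["decoded"] is not None:
            print("   decoded:", f["decoded"][:60])
```

Running the script reports object 2 (one FlateDecode filter) as ordinary and object 4 (nine filters) as suspicious, and prints the recovered JavaScript for both the triage analyst and any downstream signature logic. In a real triage tool the depth threshold is only a first heuristic; the decoded payload is what the detection should ultimately be written against.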


Symantec Security Response | 26 Mar 2010 16:25:47 GMT

The website for If I Can Dream, a popular American reality TV show, was hacked today and the calendar section defaced with messages from a hacker. If I Can Dream is the latest in a string of reality TV talent competition ventures dreamt up by Simon Fuller, who was also behind the hugely successful American Idol shows. The calendar section is used for listing upcoming and recent events that have happened in the lives of the contestants who are participating in the competition.

In this screenshot, the second widget at the bottom left displays one of the messages left by the hacker.

Clicking through to the calendar page reveals that the normal entries have been replaced with a prank message by the person behind this attack.



khaley | 26 Mar 2010 13:29:33 GMT

I am convinced that the readers of the Symantec Security Response blog are the smartest around! The results from our Password Survey prove it. Actually, the number of responses itself proves it to me. At best, I thought 20 or so of you would take the time to fill out the survey—and that would include most of my close relatives. Instead, we got more than 400 responses in a few short days (not even including my relatives). So, thank you to all who took the time to complete the survey.

I want to comment on some of the results. It may be a stretch to draw too many definitive conclusions from the data, but it will be fun nonetheless. If anyone wants to comment, correct, or vehemently disagree with any of my conclusions, I’ve set up a place to do all that here.

Let’s get started!

My answer to question 1...