Security Response
Showing posts for April of 2010
Security Response China | 30 Apr 2010 16:46:57 GMT

Trojan.Mebratix infects the Master Boot Record (MBR) of a compromised computer. It is very harmful, advanced, and rare in the threat landscape. First appearing in March 2010, this version, also known as “Ghost Shadow” in China, copies the original MBR to the next sector and then replaces the original MBR with malicious code. As a result, Trojan.Mebratix will be loaded and then executed before the operating system, and it can’t be removed thoroughly by a normal reboot.

Symantec Security Response has recently discovered a new variant: Trojan.Mebratix.B. This variant enhances itself to hide more effectively on the compromised computer, so that it is more difficult for security software to detect. Trojan.Mebratix.B won’t place its malicious code in the MBR directly after it infects it. Rather, it places the malicious code in other sectors, shown in the picture below:


Greg Ahmad | 30 Apr 2010 12:49:13 GMT

Web browsers are an integral part of home and business computing environments and one of the most popular and ubiquitous applications on computer systems. Due to their popularity, the exploitation of security vulnerabilities in browsers is a common method for attackers to compromise computers. Vulnerabilities in browsers and browser plug-ins facilitate the propagation of malware, as well as aid in other attacks such as fraud and the theft of sensitive information. Not only are these issues used to compromise computers in targeted attacks, but vulnerabilities affecting browser applications are also exploited en masse by malware, bot networks, and exploit toolkits. Nowadays, attacks that take advantage of vulnerabilities in browsers and other associated applications such as browser plug-ins are very common. According to the recent Symantec Global...

Mayur Kulkarni | 29 Apr 2010 20:56:35 GMT

Surprising? Not the least bit. Spammers have always shown their liking for big names and brands. And very often these brands are abused to spread malware or gain access to users’ accounts. However, they are also sometimes used only to entice users to open emails. These emails may contain links to pornographic or pharmacy sites.

During recent times we have monitored spam attacks that have used the email templates of famous Internet brands such as Amazon, Apple, and now, Twitter. Using the email templates of well-known newsletters and notifications is a commonly known trick to make recipients believe the authenticity of spam email. Recipients may treat these emails as legitimate and may open them without any suspicion. Though this attack uses an old trick, we feel it is important that users are reminded about this type of spam campaign, which has been observed for over a month or so. We have seen...

Mathew Maniyara | 27 Apr 2010 21:40:06 GMT

During the past month, scammers have been targeting students by phishing a brand that belongs to the UK government. The legitimate brand provides information and services for government organizations to UK citizens. Students who are seeking financial services for their higher education can apply on this brand’s website. The website requires customers to open an account to access any of the services. An account helps to keep track of all payment transactions.

The phishing website that targeted students was asking for verification to process the credit/loan application submitted by the student. This fake verification request sought sensitive information, such as customer reference number, password, and bank account details. The reference number represents the customer’s account, which fraudsters take advantage of by viewing their account history. Upon entering credentials, the page redirects to the legitimate website.


Suyog Sainkar | 27 Apr 2010 21:11:56 GMT

We first reported a similar 419 scam email back in the July 2008 State of Spam report. Let’s first understand what a 419 scam is. 419 spam is named after the section of the Nigerian Criminal Code dealing with fraud, and refers to spam email that typically alerts end users that they are entitled to a sum of money, by way of lottery or a new job or by being nominated as beneficiaries to the fortune of a retired government official or a wealthy person. This is also sometimes referred to as an advance fee fraud.

Symantec recently observed another 419-type spam attack where the spammer obtained a user’s credentials and sent out email to the contacts in the victim’s address book, seeking help in the form of money—obviously with a cooked-up story. Here is a spam message sample:

From: "Xxx Xxxx" <...

Adrian Pisarczyk | 27 Apr 2010 12:57:12 GMT

Far gone are the times when truly remote server-side vulnerabilities were the most popular vectors for compromising machines and attacking organizations. More than 93 percent of vulnerabilities exploited in recent years have been client-side security flaws, as discussed in the Symantec Global Internet Security Threat Report. They are used in both targeted attacks and massively widespread drive-by attacks to create botnets. One such class of vulnerabilities is browser and browser-related issues. In many cases they merely require a victim to follow a single link to become compromised. There is a continuous race between browser developers, vulnerability researchers, and exploit writers. In this year’s Pwn2Own contest at the CanSecWest Applied Security Conference, all of the most popular browsers except Google Chrome were successfully exploited on the first day. The list included Apple...

Ashwin Athalye | 27 Apr 2010 00:29:21 GMT

Google is presenting a paper tomorrow (Tuesday, April 27) regarding websites that offer fake antivirus software. Part of Google’s research shows that search engine results can lead to such pages. The presentation demonstrates that Google is working hard at preventing these search poisoning attempts.

Our data likewise shows that poisoning search engine results with links to fake antivirus software is an effective way for attackers to infect users’ machines. As such, we constantly track search results for malicious links. In previous blogs we’ve discussed how attackers are able to poison results; we continue to see search engine result poisoning as a primary vector of infection, especially for fake security products.

We watch search results constantly via an...

Peter Coogan | 26 Apr 2010 10:50:59 GMT

In an earlier blog entry we mentioned SpyEye as a new, up-and-coming crimeware toolkit to look out for. In that blog we highlighted the Kill Zeus feature, which had just been added to the SpyEye Trojan builder at that time. We can now substantiate that this Kill Zeus feature does actually work. Well, some of the time. In my opinion the Zeus toolkit creators don’t need to lose any of their precious sleep just yet.

Our analysis has shown that the Kill Zeus feature seems to work on a limited number of Zeus samples. In March 2010, Symantec alone counted 9,779 new unique samples of what we call Trojan.Zbot. We estimate that only a small percentage of these samples can be successfully removed by SpyEye’s Kill Zeus feature. The samples we observed it working successfully on are most likely created...

Brent Graveland | 23 Apr 2010 10:06:32 GMT

In 2009, the Induc virus was the top new malicious code sample observed by Symantec worldwide. Notably, Induc does not actually do anything strictly malicious; all it does is propagate. No keystroke logging, no spam sending abilities, no ad clicking, and no destruction of data.

So what makes this virus interesting? All Induc does is propagate, but only on developers’ computers. Specifically, it does not do anything unless it detects an installation of versions 4 through 7 of the Delphi® development environment. Delphi is a variant of the Pascal programming language originally developed by Borland and is meant to facilitate the development of applications for the Microsoft Windows platform. The targeted versions of Delphi were released between 1998 and 2002, but are still in wide use throughout the...

Mathew Maniyara | 22 Apr 2010 20:33:06 GMT

In the past couple of months, Symantec observed phishing attacks against a major fast food brand. The attacks were carried out through spam emails requesting customers’ answers to a bogus satisfaction survey. The fast food brand is one of the most popular worldwide, so fraudsters sent the spam globally. The spam email states that the brand is planning major changes to their chain of restaurants to improve their quality of service. The mail further states that to implement these changes, customer opinion is required by means of a survey (which is of course fake). Fraudsters try to trick customers by claiming a reward for those who participate in this survey. The spam email contains a link that leads to the phishing website containing the fake survey:

In the above example, the phishing website claims to provide an $80 reward for the customer taking part in a quick, 8-question survey. Upon...