Security Response
Showing posts for June of 2010
Mathew Maniyara | 30 Jun 2010 10:37:34 GMT

In the past month, several phishing websites were observed spoofing online gaming brands. The popularity of the FIFA World Cup has encouraged users to visit legitimate gaming sites to play online football. The phishing sites were created in the hope of luring users into giving up their credentials if they fell for fake offers celebrating the FIFA World Cup 2010. Primarily two brands of gaming websites were spoofed in these phishing attacks, and the phishing sites were hosted on free web hosting services.

The legitimate website for the first brand offers users free and paid versions of online games. The phishing website of this brand claimed that the customer could get the retail version of one of the games from a given list for free as a “FIFA World Cup 2010” special offer. In addition to the game, other features were also included in the fake offer, such as organizing groups, joining chats, and so on. The fraudulent site further stated that in order to...

Dermot Harnett | 24 Jun 2010 12:25:43 GMT

June 25, 2009 is a day that is etched in the memory of Michael Jackson fans worldwide. Jackson's death took a lot of people by surprise—the spammers included. However, it took spammers just a few hours to take advantage of this tragedy. Within hours, Symantec had discovered a mass-mailing worm and concert-ticket-offer spam messages using the news of Michael Jackson's death as bait. The worm was designed to send out spam emails with the subject “Remembering Michael Jackson” and an attachment named “Michael songs and”. The concert ticket offer spam messages were used to request recipients’ information in exchange for (bogus offers of) reimbursement for a ticket for the Michael Jackson concerts that were due to start July 13, 2009. In the weeks that followed, spam related to Michael Jackson easily exceeded President Obama-related spam and accounted for approximately two percent of all spam messages sent during this time. Michael...

Hon Lau | 24 Jun 2010 11:58:09 GMT

We have recently seen some instances of spam email hitting our spam traps with a story about the Brazilian soccer coach Dunga, who was given a black eye by an angry fan last Sunday. The spam email has the following characteristics:

Subject: Tecnico Dunga e agredido por Torcedor.

Email body (translated):

Dunga trading punches with fans, and ends with black eye. The coach of Brazilian national team, Dunga, was hit on Sunday morning by a fan who was angry about not having called Ronaldinho Gaucho and Paul Henry Goose. It happened around 10:00 am yesterday in CT training in Johannesburg in South Africa, Dunga filed a complaint with the police but the accused managed to escape.
>> Watch the video released


The link redirects to:

Mathew Maniyara | 23 Jun 2010 17:17:31 GMT

There are several special occasions throughout the year that help to deliver a sense of solidarity and unity among people. Social networking sites have gained popularity by linking people together from different geographic locations; hence, social networking sites promote special occasions because they encourage users to greet one another. In the last couple of months, Symantec has observed phishing websites spoofing Google’s social networking site Orkut. The phishing websites are trying to take advantage of the celebration of special occasions. Keep in mind that these phishing sites do not represent any security issues or failings in the legitimate Google or Orkut sites; phishing sites are created with the purpose of tricking users into giving up personal, secure information.

Legitimate social networking websites promote festivals or special occasions by changing their logo appropriately to reflect the prevailing trend. For example, Google celebrated Earth Day by...

Orla Cox | 22 Jun 2010 11:43:48 GMT

We've posted many articles discussing misleading applications and the tricks and techniques that are used to get them onto a user’s computer. Typical techniques employed include repeated, often aggressive, warnings about serious computer problems such as malware infections and system errors. Typically these warnings are fake and are used to scare the user into parting with their money in order to correct the "problems".

In recent weeks we started hearing chatter about what sounded like a new misleading application. The usual scare tactics were employed. However, instead of using applications to convince users that their computer was in trouble, this particular group was phoning users directly to tell them that they had a virus on their computer—but thankfully help was at hand. The company in question, Online PC Doctors, offers to remotely connect to your computer to clean up the infection. All for a fee...

Henry Bell | 17 Jun 2010 11:16:08 GMT

Recently there’s been a fair bit of coverage of the ‘likejacking’ phenomenon. Just today, in fact, one of my friends fell victim to this mischievous trick and some rather embarrassing content was posted on his social networking site profile without his knowledge or approval. So what exactly is it?

The term ‘likejacking’ is a play on the word ‘clickjacking’, itself a portmanteau of ‘click hijacking’. Clickjacking is not a new technique, but has been hitting headlines as more and more websites now make use of cross-site content. Text, images, or other content generated by one website may be displayed, and interacted with, as part of another.

A specially crafted Web page can contain hidden content that is activated when a user clicks on something that appears to be innocuous: a fake video, an enticing picture, a message to ‘click here to continue’, or the promise of a free gift, for instance. To illustrate...

Vivian Ho | 16 Jun 2010 21:44:23 GMT

As 52 countries across the world gear up to celebrate Father’s Day on Sunday, June 20, Symantec is monitoring the increase in Father’s Day spam volume since the end of May. Sadly, spammers don’t forget to send out their holiday spam, although a couple of ongoing global events such as the FIFA World Cup and the Shanghai World Expo might also draw their attention. The Father’s Day spam messages are similar to Mother’s Day spam, including hit-and-run spam, product promotions, and ecard services. We have observed that, in hit-and-run spam, spammers registered many domains with various From aliases and Subject lines in order to bypass spam filters. These types of spam messages, with Father’s Day headers, can attract readers’ attention.

Symantec is expecting to see more attacks in the coming days and advises users to ignore these messages. Here...

Vivian Ho | 15 Jun 2010 21:37:42 GMT

Spammers are known to be crowd chasers. And so it goes that social networking forums, sports events, and major news-generating events always seem to catch the spammers’ attention. In line with this trait, spammers are now targeting global expos. With around 70 to 100 million visitors expected to turn up at the Shanghai World Expo 2010 this year, spammers couldn’t have asked for a better time to make their presence felt.

Spammers are using the Shanghai expo in their subject lines and email messages to deliver fake promotions, sell products, and offer various services. Symantec has been monitoring several different variations of spam types in the campaign.

Sample 1:
Spammers include an expo event subject line to attract hits. In the body, there is a meds promotion URL right in the center and a bogus MSN subscription note at the bottom.

From: <Details Removed>
Subject: 200,000 flood Shanghai Expo...

John McDonald | 15 Jun 2010 20:18:10 GMT

If you missed Parts I and II of this blog series, you can find them here and here. I finished Part II promising to reveal the organization behind this sorry saga.

Following the trail

The trail really wasn’t very hard to follow. When we looked up some of the IP addresses from the Active Connections listing (in Part II), we found some interesting results:

This one appeared in both lists (along with several other addresses in the same subnet): the list from Derek’s computer and the one from our virus lab machine. It was also the top generator of traffic on our virus lab machine (we didn’t take such stats from Derek’s PC). Doing a...

Security Intel Analysis Team | 14 Jun 2010 22:37:57 GMT

While investigating the malware and shellcode that were associated with the recent Adobe Flash Player, Adobe Reader, and Acrobat 'authplay.dll' Remote Code Execution Vulnerability (BID 40586), we came across some interesting similarities to the malware and shellcode that were used in the Microsoft Internet Explorer 'iepeers.dll' Remote Code Execution Vulnerability (BID 38615) targeted attacks from March 2010.

The first similarity is in the shellcode

The image below is the function-hooking shellcode that was used in the targeted attacks against the Microsoft Internet Explorer 'iepeers.dll' Remote Code Execution Vulnerability in March 2010:

Below is the function-hooking shellcode that was used in the targeted attacks...