Video Screencast Help
Scheduled Maintenance: Symantec Connect is scheduled to be down Saturday, April 19 from 10am to 2pm Pacific Standard Time (GMT: 5pm to 9pm) for server migration and upgrades.
Please accept our apologies in advance for any inconvenience this might cause.

Security Response

Showing posts for July of 2010
Showing posts in English
Andrea Lelli | 29 Jul 2010 22:33:26 GMT

The Ackantta mass-mailing worm made its first appearance about a year and a half ago. Since then, it has continued to evolve and update its malicious features. We have recently observed one of the latest samples, from the variant W32.Ackantta.B@mm, which demonstrates very interesting tricks and strategies that greatly improve the worm’s stealthiness and its spreading capabilities.

Main purpose:  advertise

Ackantta does not limit itself to spreading to new computers. The purpose of the worm is to drop and run a copy of Trojan.Mozipowp, a Trojan that specializes in advertising. Mozipowp will hijack major Web browsers (Firefox, Opera, Chrome, Internet Explorer) in order to display targeted advertisements on the compromised computer.

...

Mathew Maniyara | 29 Jul 2010 19:00:28 GMT

In the past couple of months, pornography has been used as bait in several phishing websites. In particular, phishers used fake images of the Indian film star Katrina Kaif on a phishing site that spoofed a social networking brand. The images were modified to increase their pornographic appeal.

Katrina Kaif is one of the most popular actresses in Indian cinema today. Recently, the actress has been in the news because of the circulation of a fake adult video on the Internet. The video, claiming to be of the actress, actually features a look-a-like. The title of the phishing site displayed “Katrina Kaif’s XXX Tape,” giving the impression that the video in question was available for viewing. The scam attempts to dupe users into thinking that they can view or download the (bogus) video if they enter their login details for the legitimate social networking site. Of course, once a user enters login details, the phishers will have succeeded in harvesting them for...

Liam O Murchu | 29 Jul 2010 07:40:57 GMT

As we have mentioned in a previous blog W32.Stuxnet contains a complex nested structure of files and components inside.  We were interested to discover if the different samples we have seen in the wild were different variants or just modifications to the wrapper with the same components embedded. To determine if there are different variants of W32.Stuxnet we unraveled each sample in order to determine what the payload of each sample consisted of. Here we present the results of that analysis.

From the samples we have we reviewed (we have only reviewed a subset of the total samples to date) we observed 4 distinct file sizes for the installer component as shown below. As you can see although there are 4 different types of installers, the first 3 types are actually the same just with added...

Ben Nahorney | 28 Jul 2010 15:00:02 GMT

Given the millions of threats that Symantec products block every day, you might find it interesting to know which detection consistently holds the top spot. No, it’s not a worm such as W32.Stuxnet, a virus like W32.Virut, or even one of our long-tem generic detections, such as Backdoor.Trojan. The detection most frequently encountered by Symantec antivirus users is Tracking Cookie.

Luckily this isn’t the sign of an underreported, massive outbreak in the threat landscape....

Mathew Maniyara | 28 Jul 2010 09:45:19 GMT

The ICC 2011 Cricket World Cup begins on February 17, 2011, and phishing sites promoting the tournament have already been observed:

One of the phishing sites spoofs a popular social networking site and has a logo of the brand containing some artwork. It is interesting to note that the artwork has a sketch of the Arc de Triomphe in Paris. The fraudster probably intended to represent the Gateway of India in Mumbai, since the cricket finals will be held there. When the logo is clicked, information related to the event is displayed. Below the logo are icons for the sponsors and sports channels in India that will broadcast the tournament. The schedule of the matches has been finalized and tickets have been available for sale since June 1, 2010. The phishing site claims that users can get tickets to the matches by entering their login credentials. If the fraudsters are successful with the lure, users...

Mathew Maniyara | 28 Jul 2010 09:27:50 GMT

In July 2010, several phishing sites were observed to be spoofing social networking brands. This in itself is nothing new, but this time the sites were posting fake offers for free online mobile phone airtime top-ups. The phishing pages displayed the icons for a number of popular cellular service providers in India. Upon entering login credentials on the phishing site, the page displayed certain steps for the user to follow to obtain the fake offer:

First, the customer is asked to select the amount of airtime recharge in rupees, which should not exceed Rs 500 per day. Then, after selecting the amount, the phishing site generates a Java code. The user is then prompted to use the Java code whenever he or she requires a free mobile recharge. The page states that the Java code has to be entered on the address bar after...

Takayoshi Nakayama | 28 Jul 2010 08:18:07 GMT

W32.Changeup is a type of polymorphic worm written in Visual Basic (VB) and as we stated in the previous W32.Changeup blog, our analysis is focusing on the polymorphic behavior that the threat employs. There are many polymorphic worms but polymorphic worms written in VB are very rare. Analysis of malware written in Visual Basic can be tricky but I have spent some time analyzing this threat and in this blog I'll take a closer look at the polymorphic aspects of this worm.

When the worm executes, it accesses the LinkTopic property in its own form. The strings for the form and module names that Changeup uses are recorded in the LinkTopic property. Every time it infects a computer, the strings are randomly modified.

Once loaded it searches for the string marked with an “x” added...

Vincent Weafer | 27 Jul 2010 13:18:56 GMT

As 2009 came to a close, we at Symantec looked into our crystal ball and made a few predictions regarding what online security trends we expected to see in 2010. Now that we’re halfway through the year, we’re taking a look back and evaluating ourselves based on how our forecasts are panning out thus far.

Here’s a brief recap of how we think our trend predictions are fairing. We’ve rated each of them as either “on track,” “mostly on track,” “still possible,” or “more likely next year.”

To view an interactive version of this graphic that provides more detail, please click here. Once you do, you can click on each of our predictions and the corresponding mid-year statuses to read more.

...

Symantec Security Response | 27 Jul 2010 09:42:40 GMT

Introduction
It has been all about W32.Stuxnet for the past two weeks due to its connection to SCADA systems as well as the use of an unpatched vulnerability to propagate. But from about a month ago, we observed a significant increase in infection numbers of W32.Changeup worldwide, especially in the Enterprise environment.



Figure 1. Distribution of W32.Changeup



Figure 2. Distribution of W32.Changeup.B 

...

Liam O Murchu | 26 Jul 2010 05:16:58 GMT

Previously in our series of blogs about Stuxnet we wrote about the installation details and the numerous files that are associated with the threat. In this installment I will discuss the network communication and command and control functionality of W32.Stuxnet. Although some of the tasks that the threat performs are automated, other tasks are performed only after the threat has connected to the command and control server and received specific instructions. It is this aspect of the threat that will be discuss here.

After the threat has installed itself, dropped its files, and gathered some information about the system it contacts the C&C server on port 80 and sends some basic information...