Video Screencast Help

Security Response

Showing posts for August of 2010
Showing posts in English
Gavin O Gorman | 30 Aug 2010 13:17:16 GMT

Symantec often utilizes honeypots to acquire new samples and observe attacks in the wild. Many threats encountered on honeypots are related to botnets. However, on a rare occasion a honeypot may encounter a targeted attack. In these cases the attacker is after a specific entity, be it a person, corporation, government, or any other such body. When a computer is compromised by such a threat, the behavior can be similar to a bot, connecting to a command and control (C&C) server and awaiting commands. However, the commands received are usually not generic. They are interactive, with the attacker seeking some specific information in real-time.

 We recently encountered one of many such targeted threats on a basic honeypot and logged the activity. The attack was quite straightforward and did not utilize any new techniques. Nonetheless it is a good example of the processes such attackers use. This particular threat was targeting a corporate entity, using a tailored PDF...

Piotr Krysiuk | 27 Aug 2010 20:58:11 GMT

In this blog we continue our analysis of the recently discovered Tidserv variant that is capable of infecting 64-bit Windows operating systems. While we gave a quick overview of the threat yesterday, today we’re going to talk more about how Tidserv installs itself on 32- and 64-bit operating systems.

While Backdoor.Tidserv.L arrives as a 32-bit Windows executable, it checks if it's running under a 32- or 64-bit version of Windows and chooses an architecture-specific method of installing itself. If it finds that it’s running on a 32-bit system, it uses the same method as older Tidserv variants to gain necessary privileges—by executing itself in the Print Spooler service. Next, it drops a 32-bit version of the malicious kernel driver and loads it into the Windows kernel. Once the driver is loaded, it infects the Master Boot Record (MBR) with a malicious version.

It then...

Samir_Patil | 27 Aug 2010 20:40:47 GMT

Symantec has observed a new spam tactic being used in which fake surveys are seeking users' opinions or views on features provided by their social networking site. The sample shown below is one such spam email targeting Facebook:

Various “Subject” lines of this spam are as follows:

Subject: Take our online survey and receive a new gaming unit!
Subject: Take our social networking survey and get a gift card!
Subject: Give your opinion on social networks and choose your prize!
Subject: Receive a hot new MP#3 player for your opinions!

Upon clicking the link provided in the message, the user is redirected to a fake survey page where the user has to answer questions related to features provided by social networking site. Upon completion of survey, the users are promised exciting gifts.

Spammers are trying to demonstrate the legitimacy of...

Symantec Security Response | 26 Aug 2010 17:29:18 GMT

Backdoor.Tidserv first came to light in back in 2008 as a Trojan that uses an advanced rootkit to hide itself. Since then, Symantec has seen many changes to Tidserv and we have documented a number of the changes in our blog postings. Yesterday, Symantec came across a new sample of Tidserv that we have broken out detection for as Backdoor.Tidserv.L and Boot.Tidserv.

This new variant of Tidserv is of interest for two main reasons. First, we are now seeing Tidserv inject user-mode code into Windows 64-bit driver processes found in the likes of 64-bit Windows versions. Previously, Tidserv targeted only 32-bit operating systems. Although this is not the first virus to inject code into 64-bit processes, it is still a relatively new venture for virus writers. It also demonstrates how the creators of Tidserv are...

Vivian Ho | 24 Aug 2010 19:59:45 GMT

Language spammers are quick to adapt all English spam tricks. We often see them apply various spam methods, such as the insertion of randomized characters, digits, or symbols into header and body text or the sending of spam messages as document or image attachments in order to bypass spam filters on a daily basis. In fact, they have learned so well (and quickly) that they are becoming spam trick innovators, with their language as an added advantage. Now you can read (or rather, “speak”) different language messages utilizing this new spam trend—there is a new trick that you won’t find in English spam. In this new trick, language spammers are taking advantage of playing around with pronunciation, spelling, and different written characters in their languages.

We recently observed Russian and Chinese spammers applying these tricks in their spam ads. The following two samples are from the same online marketing spammer. In the first example, the spammer...

Mayur Kulkarni | 24 Aug 2010 08:45:13 GMT

Strange stories of celebrities' deaths resulting from plane crashes or car accidents have suddenly erupted in the spam ring. The intention of distributing such false news is to spread viruses using HTML or zipped attachments. This is one more in a series of recent virus attacks seen in the last few weeks. We had written about one of the attacks in a recent Security Response Blog post. This is an old trick of using celebrity names to lure recipients into opening malicious URLs or attachments.

In one of the campaigns seen, spammers are using subject lines showing that a celebrity has died. Examples include:

  • Beyonce Knowles died
  • Bon Jovi died
  • Brad Pitt died
  • Cameron Diaz died
  • David Beckham died
  • Gwen Stefani died
  • Jay-Z died
  • Jennifer Aniston died
  • Jennifer Lopez died
  • Johnny Depp died...
Mathew Maniyara | 19 Aug 2010 13:58:22 GMT

In the past couple of months, Symantec has observed phishing attacks on legitimate automotive sales brands that are based in the UK and the USA. These brands help customers to sell new and used vehicles such as cars, motorbikes, etc. The legitimate websites also provide customers with the facility to advertise the vehicles they wish to sell.

There were several phishing sites created to harvest customers’ confidential information. The phishing sites were hosted on free Web hosting domains. In one of the phishing sites the page stated that the brand was offering customers the opportunity to advertise for free. The customer was required to complete an identity verification (that was fake) so as to avail of the free offer. The verification process prompted for the customer’s email address, the ad’s ID, and a security question with its answer. In this attack the fraudsters attempted to convince customers that the phishing page was authentic by providing the...

Anand A | 18 Aug 2010 22:34:48 GMT

It's fairly well known that different types of malware can "kill" security products in various ways. These kinds of malware are known as retroviruses. In order to step things up a notch, some risks are utilizing legitimate software uninstallers to trick users into uninstalling legitimate security products. A new variant of the Trojan.FakeAV threat has been using this technique to install a newly released clone of the CoreGuard Antivirus security risk, called "AnVi Antivirus". In this case, the Trojan is utilizing this social engineering technique to trick users into uninstalling many well-known security products, including solutions by...

Mathew Maniyara | 16 Aug 2010 18:34:36 GMT

Symantec has recently observed phishing websites spoofing courier service brands. There were primarily three brands targeted and fraudsters were attempting to steal customers’ login credentials.

So what’s in the login credentials of courier service brands that fraudsters can take advantage of? Couriers provide their customer with several online features upon registering with the brand’s legitimate website. The features help customers to track their shipments, make online payments for their orders, specify the address for delivery, and so on. If login credentials are stolen, fraudsters can benefit from these features because it may enable them to reroute valuable packages to any address they provide.

In one of the phishing sites, the page prompted the customer to update user details, purportedly because "the account had not been updated for a considerable time."...

Symantec Security Response | 16 Aug 2010 18:14:25 GMT

A few days ago we came across an interesting application in the Android Market, which we’ve decided to detect as AndroidOS.Tapsnake. Why are we detecting this? A cursory read through the description doesn’t tell us much, other than it’s a spin on the classic “snake” video game, which dates back to the 1970s:

"Yet another modification of the Google Android Snake game. This one listens to the taps for its turn directions." 

Sure enough, after downloading and registering the game it plays as you might expect it to:

However, the Android “satellite” icon appeared in the top menu bar while the game was running, indicating that GPS data was being...