Security Response
Showing posts for September of 2010
Eric Chien | 01 Oct 2010 06:50:21 GMT

We’re pleased to announce that we’ve compiled the results of many weeks of fast-paced analysis of Stuxnet into a white paper entitled the W32.Stuxnet Dossier. In addition to the findings described in the ongoing Stuxnet summer blog series, you will find full technical details of the threat’s components and data structures, as well as high-level information, including:

  • Attack scenario and timeline
  • Infection statistics
  • Malware architecture
  • Description of all the exported routines
  • Injection techniques and anti-AV
  • The RPC component
  • Propagation methods
  • Command and control feature
  • The PLC infector

The paper is scheduled to be delivered at the Virus Bulletin 2010 conference and can be downloaded...

Mathew Maniyara | 29 Sep 2010 17:30:24 GMT

Adding to the spate of phishing attacks on Indian banks, Symantec recently observed phishing sites spoofing one of India’s leading public sector banks. The phishing sites were created with the motive of stealing credit or debit card details of the bank’s customers.

The phishing sites attempted to lure customers into entering their confidential information by means of a fake customer satisfaction survey. The survey stated that customers would receive 500 INR in their bank account for participating in a quick, five-question survey. According to the participation terms, only one survey was allowed per card, so users with multiple cards could take additional surveys. This was used as bait to trick customers into believing that they could gain more money by participating in more surveys. With this strategy, fraudsters were attempting to steal as many card details as...

Mathew Maniyara | 28 Sep 2010 20:36:59 GMT

Recently, phishers attempted to spread malware by means of a phishing site that spoofed a popular bank based in the USA. The bank serves customers who are government employees as well as veterans and their families.

After credentials were entered into the phishing site, which spoofed the bank’s login page, the phishing page stated that the bank was implementing a new login system. The page claimed that this system offered new features and would increase the security of the user’s account. The phishing page also stated that the new system would make the online experience safer and more enjoyable for customers. To implement the changes, customers were prompted to download and run an update tool. However, the file behind the link, shown as “updatetool.exe”, contained a threat detected as Trojan.Webkit!html by Symantec Antivirus.

Candid Wueest | 28 Sep 2010 12:08:42 GMT

Facebook now has over 500 million registered users, which makes this social network (like many other social networks) a very attractive “fishing pool” for attackers. There are so many potential victims that could easily fall for any of the scattered bait. So, it does not come as a surprise that we see another scam campaign launched nearly every week.

Currently, one of the ongoing scams refers to a guy who apparently took revenge on his ex-girlfriend. The enticing message that has appeared on many profile pages is similar to the following:

“OMG This GUY Went A Little To Far WITH His Revenge On His EX Girlfriend”

Even though it might appear that one of your friends has shared this link, he or she most likely did not do it knowingly. This is because whenever someone follows one of these malicious links, he or she...

Shunichi Imano | 28 Sep 2010 09:19:19 GMT

Over the past weekend, it was reported that a new worm was spreading among the Orkut user community. As a result, some Scrapbooks in Orkut had a hidden iframe inserted that points to a malicious JavaScript file. This JavaScript does several things, including sending a message “Bom Sabado”, meaning Good Saturday in Portuguese, with a hidden iframe to everyone on the infected user’s list of friends. The infected Orkut user is also made to join fake communities. These actions will surely turn “Bom Sabado” into “Mau Sabado” (bad Saturday in Portuguese). Symantec Security Response detects this malicious JavaScript file as JS.Woorkut.

At the end of the day, this worm doesn’t do much harm. If the attacker behind this mischief were maliciously motivated, however, the worm could potentially cause serious damage. We...

Samir_Patil | 27 Sep 2010 20:47:50 GMT

As expected, we at the Symantec Probe Network have started observing an influx of spam messages related to the upcoming events of Halloween and Christmas. As the festive season is around the corner, it’s not surprising that spammers are exploiting these events with their malicious attacks.

Recently we have observed spam messages promoting replica watches, health products, free gift cards, and other fake product offers.

The following email subject lines demonstrate the use of seasonal offers in the email spam:

Subject: Grab em before Christmas

Subject: Get yours Free trial today

Subject: Just in time for Christmas - cheap watches

Subject: Hi xxxx, get 70% off Christmas

Subject: Ys, such as Christmas, are not celebrated at the

Subject: Follow the style 24/7. Our accessories will do it for you. Your money should be in safe place, buy Armani wallet today.

Most of these spam messages encourage users to get these...

Mathew Maniyara | 27 Sep 2010 19:17:21 GMT

In September 2010, Symantec observed a phishing Web site that spoofed the Apple brand by mimicking the “My Apple” Web site of the Apple Store. The legitimate Apple Store Web site provides customers with the latest Apple news, software updates, and information on Apple products and services.

The phishing site prompted customers to update their profile information, purportedly so that they could continue to receive updates and news from Apple. The heading of the page stated “Complete the fields below, then click the Continue button to save”. The sensitive information requested was the Apple ID, password, customer’s name, credit card CVV number, and contact details. After the required information was entered and the “Continue” button was clicked, the phishing site returned an error message stating “Your session has timed out after a period of inactivity. Please return to the Store Menu to continue shopping”. The phishing site...

Nicolas Falliere | 27 Sep 2010 02:16:56 GMT

Previous blog entries have covered several different Stuxnet propagation vectors, from autorun.inf tricks to zero-day vulnerabilities. Our research has also uncovered another method of propagation that targets Step7 project folders: a user who opens an infected project folder, which may have originated from a third party, unknowingly becomes infected.

The structure of a Step7 project folder is as follows:

Stuxnet monitors Step7 projects (.S7P files) being worked on by hooking...

Liam O Murchu | 24 Sep 2010 08:42:33 GMT

Code to exploit the zero-day .lnk file vulnerability (BID 43073) used by Stuxnet was added to the threat around March 2010; we know this because the samples we observed before this date did not contain code to exploit that vulnerability. This leads us to the following question: how did previous Stuxnet variants spread through removable devices?

The answer is that older versions did not use a vulnerability but instead an AutoRun trick to spread. The worm’s trick was to create an autorun.inf file in the root of removable drives that served two different purposes: the specially crafted file could be interpreted either as an executable file or as a correctly formatted autorun.inf file. When Windows parses autorun.inf files, the parsing is quite forgiving. Specifically, any characters that...

Mathew Maniyara | 23 Sep 2010 15:28:08 GMT

Since the last week of August 2010, Symantec has been observing a massive phishing attack on a popular Indian bank. To date, we have recorded over one thousand phishing URLs that have spoofed the bank’s website. This has increased the total count of phishing attacks on Indian brands from the previous month by a whopping 192 per cent.

In this case, users who clicked the phishing URLs were prompted to verify their accounts in order to continue accessing online services. Fraudsters typically use this strategy in an attempt to con users into giving away their confidential information. The fake verification asks for the user’s ID and password, transaction password, ATM/debit card number, and mobile number.

After the sensitive information is entered and the “Verify” button clicked, the user is automatically redirected to the page shown below. Here, the user is asked to enter their...