Security Response
Showing posts for November of 2010
Hon Lau | 30 Nov 2010 20:19:39 GMT

We have observed a change of tack by the creators of fake antivirus software (like Trojan.FakeAV). Since the latter parts of October, we have seen a move into the creation of fake hard disk scanners and defragmentation tools. What started as a trickle has now become a steady outpouring, with new clones being released almost daily.

So far we have seen the following names being used by the clones (all detected by Symantec as Trojan.FakeAV, UltraDefragger, or Trojan.FakeAV!gen28):

  • Ultra Defragger
  • Smart Defragmenter
  • ...

Candid Wueest | 30 Nov 2010 07:16:20 GMT

One of the most appreciated features of Twitter is that information can be spread very fast. Many people are using the service to get up-to-date information about breaking news topics. We often even see online newspapers referring to sources on Twitter. One of the obvious challenges for users is to determine if the source is trustworthy or not.

Unfortunately, these circumstances are being abused by attackers. They simply check the Twitter home page for trendy topics, which reveals messages that have been reposted several times already. The attacker selects one of these tweets containing a shortened URL, which is replaced with a different shortened URL, pointing to a malicious website. Since the text in the messages is identical, the user cannot tell that the new shortened URL leads to a malicious website, rather than the original story. Therefore some people will inevitably follow it wherever it may lead....

Vivian Ho | 26 Nov 2010 19:15:44 GMT

When one thinks of Christmas, an aura of emotion arises. We are reminded of our family reunions, Christmas carols, that aroma of turkey being roasted, the cakes and pastries - don’t forget the Christmas gifts! But before we can wish you a merry Christmas we would like to caution you as you prepare your Christmas shopping list.

Please be careful, especially when you do your Christmas shopping online. Spammers are offering a plethora of fake offers, replicas, medication, and loans at unbelievably low interest rates, as is customary, during this season. Don’t get carried away by their cheap offers because no haute couture brand offers their products at such throw-away prices. We again would like to remind you not to get lured into giving your email credentials without first finding out that the Web site you are shopping on is legitimate and real.

We would like to highlight a few more tricks that spammers have pulled out of their hats this Christmas...

Eoin Ward | 25 Nov 2010 20:09:07 GMT

Over the last year, Symantec has blogged on the rise and fall of the Mariposa botnet. (What we detect as W32.Pilleuz.) Today, we’re going to talk about an interesting aspect of this threat—the ability to perform “cookie stuffing”. 

As delicious as it sounds, cookie stuffing is one of the subtler money spinning techniques used by malware writers. In order to explain the technique, let’s first look at the marketing model upon which it relies—affiliate marketing.

Let’s say I enjoy triathlons and that I’m a member of a “Symantec Triathlon Club” with the Web site This club is sponsored by fictional bike store that runs If I see a link to while on, click on it, and then make a...

Candid Wueest | 25 Nov 2010 04:54:13 GMT

We all know spam can be really annoying, and this does not only apply to email messages. Although, with more than 90% of all email being spam, it sure is the biggest piece of cake.

Unfortunately, we have seen that spammers are adapting to all kinds of different platforms, as long as they offer a way of sending messages. Of course, social networks have not been left out by the spammers, since this adds millions of potential spam victims.

There are a lot of different ways that people can interact on social networks and therefore there are also a variety of spam attacks seen. One specific kind of spam that we see is event spam. This method has been around for a few years, but it is still actively used by spammers.

One example is Facebook, which allows its users to create and promote individual events. For this, they can create entries with text, images, and links and send invitations to all of their friends. Well, actually to even more people, because you can also...

Samir_Patil | 23 Nov 2010 13:55:55 GMT

Thanksgiving is a great occasion to thank dear friends and family for their kindness and also a good time to start readying Christmas holiday decorations. Symantec recently observed spam samples targeting Thanksgiving Day. The volume of Thanksgiving spam messages is less than what we anticipated; perhaps this is due to the crackdown on the Russian spam kingpin, Igor Gusev.

Many of the spam samples observed are encouraging users to take advantage of early bird specials to enjoy savings, which are available for a limited period only. Clicking the URL will automatically redirect the user to a fake offer website. The sample shown below is one such spam email that expresses Thanksgiving offers:

The following are some of the subject lines used in the spam samples:


Suyog Sainkar | 17 Nov 2010 21:30:05 GMT

In the past month, Symantec has observed a significant increase in spam messages, particularly in languages other than English, promoting online casinos and luxury product replicas. These spam messages are comprised of URL links using either URL-shortening or free Web-hosting services. The URL shorteners and free Web-hosting services used in these spam attacks have not been very commonly used in spam attacks, and they were seen in a large spam attack for the first time.

Leisure-themed spam attacks promoting online casinos were mostly observed in Italian and German and offered a welcome bonus of €1200.

The English translation of the subject and body of the above message in Italian is:

(Using Google translation)

Subject: Playing without investing money, 1200 bonus

Message body: It could not be easier, simply register, deposit and receive a fantastic welcome bonus,...

khaley | 17 Nov 2010 13:50:44 GMT

My prediction is that we are all going to become nostalgic for the days of fame-seeking mass mailers and network worms. Think of LoveLetter, SQL Slammer, and Melissa all crashing millions of systems within hours of being released into the wild. Those threats seem quite quaint these days as we enter the third significant shift in the threat landscape.

We moved from fame to fortune (which we have dubbed “crimeware”) in the last ten years. Mass mailers were replaced by malware that steals credit card information and sells phony antivirus products. Malware has become a successful criminal business model with billions of dollars in play. The goal became stealth and financial gain at the expense of unsuspecting computer users. And Trojans and toolkits, like Zeus, are the modern tools of the trade.

We have now entered a third stage—one of cyber-espionage and cyber-sabotage. Cyber-espionage did not begin with Stuxnet, and crimeware does not end with it. In...

Eric Chien | 12 Nov 2010 23:36:05 GMT

Thanks to some tips from a Dutch Profibus expert who responded to our call for help, we’ve connected a critical piece of the puzzle.

Since our discovery that Stuxnet actually modifies code on PLCs in a potential act of sabotage, we have been unable to determine what the exact purpose of Stuxnet is and what its target was.

However, we can now confirm that Stuxnet requires the industrial control system to have frequency converter drives from at least one of two specific vendors, one headquartered in Finland and the other in Tehran, Iran. This is in addition to the previous requirements we discussed of an S7-300 CPU and a CP-342-5 Profibus communications module.

The target system would potentially look something like the diagram below:


Eric Park | 10 Nov 2010 19:46:36 GMT

Overall, spam made up 86.61 percent of all messages in October, compared with 89.40 percent in September.

The spam volume continues to drop. Last month’s report highlighted a sharp decrease in global spam volume, and the decline continued in October as global spam volume fell 22.5 percent month-over-month. Compared to August, volume was down over 47 percent.

Click here (PDF) to download the November 2010 State of Spam & Phishing Report, which highlights the following trends:

  • Phishing social media
  • Spam volume continues to drop
  • The holidays arrive early!
  • Eight-part Russian image spam
  • Phishing a bank with an offer of mobile phone airtime
  • Filing deadline extension triggers more fake offers of tax refunds
  • October...