
Security Response

Showing posts for February of 2011
Mario Ballano | 28 Feb 2011 14:34:56 GMT

As seen in recent blog postings, Android malware is on the rise. Android.Pjapps is another example of a Trojan with back door capabilities that targets Android devices. As seen with previous Android threats, it is spreading through compromised versions of legitimate applications, available on unregulated third-party Android marketplaces.

We have detected a few applications carrying Android.Pjapps code. One of these applications is Steamy Window. Similar to other compromised Android applications, it is difficult to differentiate the legitimate version from the malicious one once it is installed. However, during installation it is possible to identify the malicious version by the excessive...

Mathew Maniyara | 25 Feb 2011 16:17:36 GMT

In February, Symantec observed a mass phishing attack on a popular credit card services brand. There were a large number of phishing URLs in the attack, which were all secured using Secure Socket Layer (SSL).

So what makes this phishing attack stand out from the rest?
Phishing websites that use SSL are uncommon and are typically seen in very small numbers. To create a phishing site that uses SSL, the phisher would either have to create a fake SSL certificate or attack a legitimate certificate to obtain encryption for the site. In both cases, Symantec has observed that phishing sites using SSL are less frequent. In this particular attack, there were over a hundred phishing URLs that used a fake SSL certificate. This was achieved by hosting the phishing site on a single IP address to which several domain names resolved. That is, although there were abundant URLs in the attack, they all resolved to a single IP address and served the same webpage. The SSL...

Symantec Security Response | 24 Feb 2011 17:09:25 GMT

In some recent blog postings by Irfan Asrar, we discussed how a number of legitimate Android applications have been “Trojanized” in order to include “backdoor” functionality and are then published on unregulated Android marketplaces. In the past, we have seen a number of English and Chinese language Android applications being Trojanized and placed on unregulated Android marketplaces. Up until now, however, we have not seen any Japanese language Android applications being manipulated in this manner. This is no longer the case, since we have found a Trojanized Japanese language Android application on an unregulated Android marketplace. Symantec detects this malicious Android application as Android.Geinimi. The following image is the start picture of the application:

...

khaley | 24 Feb 2011 16:04:29 GMT

“I am not in London, I have not been mugged.”
A scam we first started seeing on social networks at the beginning of 2009 is still going strong. Today, the criminals behind these threats are using stolen (or phished) social networking accounts, email accounts, and instant messaging and other forms of chat to fool people into parting with their money.

The scam basically works like this. A “friend” contacts the intended victim and tells them they are in London and have been mugged. They are okay but have lost all their money and have no way to get home. They are trapped in a foreign country unless the friend can help them out. All the victim has to do is wire them money for plane fare and their friend can fly home.

This basic scam has been around for a long time, but there are variations. And the twist on this one is your reward is in...

Samir_Patil | 23 Feb 2011 13:51:47 GMT

The Tunisian wave has captured the minds of people across the Middle East region. What is surprising to note is the creative use of the Internet in discussing such sensitive issues. The unrest in Tunisia has "tsunamied" into a mass movement straight at the heart of the Arab world. Egypt, with the ousting of President Hosni Mubarak, has become ground zero of this wave. But, as this movement gains momentum and spreads, there are many waiting to misuse this space—as demonstrated in the sample discussed below.

In this typical 419 scam message, the scammer masquerades as the erstwhile President Hosni Mubarak. A handsome proposal, considering the (bogus) bonanza of a 30% handling fee to be given to the one who cooperates in siphoning his booty out of Egypt. Further, because of the urgency of the situation, one is required to give "full contact information" as well...

Amanda Grady | 22 Feb 2011 19:38:38 GMT

With just over two months to go before the wedding of Prince William and Kate Middleton, it’s no surprise to find this significant event is being used to promote products. Emails advertising a replica of Princess Diana’s engagement ring were observed in the past few days, sent by well established spammers.

Although infected botnet machines are responsible for the vast majority of spam sent globally (77% at the end of 2010), these attacks do not fall in that category, and in fact the IP which is sending the spam is the same as the one hosting the domain which is linked to in the email. This domain has also been used in other spam campaigns, such as the long running Who’s Who social networking spam messages (see our May 2008 State of Spam report for similar attacks)....

Samir_Patil | 18 Feb 2011 14:47:28 GMT

In the United States, Presidents' Day is celebrated on the third Monday of February to honor two of America’s greatest presidents, Abraham Lincoln and George Washington. This year, Presidents' Day will be celebrated on February 21. Recently, Symantec has observed spam attacks leveraging Presidents' Day and has seen attempts to exploit the "groups" function of a social networking site.

The samples shown below are screenshots of one such group from a social networking website. The group is quite obviously trying to exploit the Presidents' Day event:


The group description “MEGA SPAM!... Spam YOUR A TOOL! on your messages” [sic] is an attempt to inspire group members...

Hardik Suri | 18 Feb 2011 11:26:09 GMT

Symantec has been monitoring the BlackHole toolkit, which has a powerful set of exploits and is spreading like wildfire. At present, it is the most prevalent exploit toolkit in the wild and can easily be compared with the likes of Neosploit and Phoenix in terms of the number of affected users.

In recent times, BlackHole has clearly emerged as the most used toolkit among hackers. The following IPS graph proves this fact, since more than 100,000 malicious hits are reported each day:



End-to-end Analysis of the BlackHole Exploit Kit


• When a victim...

Takashi Katsuki | 18 Feb 2011 11:04:47 GMT

With the recent discovery of Android.Adrd, I thought it was really interesting that a few security companies decided to bundle this threat with the same detection name as Android.Geinimi, even though Android.Adrd is unique in its own right. This is the first Trojan horse for Android whose purpose is search engine manipulation. In today’s blog, I will compare these two threats.

Propagation
Both of the threats use pirated software to infect user devices. The threat author has selected popular apps to “Trojanize” and deliver malicious content on top of clean content.

Initialization
Both threats register themselves to run at boot time. Android.Adrd also registers itself when a phone call is made or network connectivity settings are changed.

Functionality
Android.Geinimi opens a back door on a device. It has over twenty functions, such as making calls, sending SMS messages,...

Nicolas Falliere | 16 Feb 2011 06:56:52 GMT

Back in the spring of 2010, I blogged about W32.Sality and the decentralized P2P botnet made up of hosts infected by Sality. The botnet is used to propagate URLs pointing to more malware. Recently, the gang behind Sality has distributed a tool to brute force Voice over IP (VoIP) account credentials on systems that use the Session Initiation Protocol (SIP). SIP is a protocol widely used to initiate and control voice and video calls made over the Internet.

Let’s rewind back to November 2010. At that time, a few SIP-related blogs and mailing lists...