Security Response
Showing posts for March of 2011
Irfan Asrar | 30 Mar 2011 22:55:17 GMT

Android.Walkinwat is the first mobile phone threat discovered in the wild that attempts to discipline users that download files illegally from unauthorized sites.

Figure 1 – Messages displayed by the Trojan

Presented as a non-existent version (V 1.3.7) of Walk and Text, an application that is available on the Android Market, Android.Walkinwat can be found on several well-known file sharing websites throughout North America and Asia. One could make the case that the creators of the threat intentionally spread this app in these regions in order to maximize its download prevalence and convey their message to as large an audience as possible; however, one could also make the case that the creator of Android.Walkinwat is attempting to undermine the publisher of Walk and Text....

Vivian Ho | 30 Mar 2011 12:46:48 GMT

In the past couple of days, Symantec has observed a spike of email attacks that are designed to distribute malicious threats. All of the observed samples are spoofed to appear as if they are legitimate delivery warnings or notifications from UPS or Post Express. The message text asks recipients to open the zipped executable file for further details or actions necessary to take delivery of the item.

Below are the sample headers observed in this spam attack:

From: "United Parcel Service" <info***3@ups.com>
From: "UPS® Customer Services" <***@secureserver.net>
From: "United Parcel Service" <***@dhl.com>
From: "Neil Molina" United Parcel Service  <[Details Removed]@ [Details Removed]>
From: "Kimberley Miner" United Parcel Service  <[Details Removed]@ [Details Removed]>...

Candid Wueest | 29 Mar 2011 15:23:35 GMT

Currently a new and unpatched cross-site scripting (XSS) vulnerability in Facebook is being widely used to automatically post messages to other users’ walls. The vulnerability had been used for some time in a few smaller cases; however, it is now being used widely for the first time by many different groups—especially in Indonesia, where we are seeing thousands of infected messages being posted by unknowing users.

The vulnerability exists in the mobile API version of Facebook due to insufficient JavaScript filtering. It allows any website to include, for example, a maliciously prepared iframe element that contains JavaScript or use the http-equiv attribute’s “refresh” value to redirect the browser to the prepared URL containing the JavaScript. Any user who is logged into Facebook and visits a site that contains such an element will automatically post an arbitrary message to his or her wall. There is no other user interaction required, and there are...

Vikram Thakur | 23 Mar 2011 22:59:12 GMT

Earlier today news was made public regarding nine fraudulent digital certificates which were issued by a company named Comodo. The certificates were issued through a breached registration authority (RA), causing the applicant to be improperly verified. Mozilla, Google, and Microsoft (major browser vendors) have updated their applications, or put out patches, in order to block the certificates from being used. The certificates have already been revoked as of last week.

To provide a little background, browsers include a list of certificates which are 'blacklisted'. These certificates are ones which have been compromised through some method and no longer validate the authenticity of the person using it. Since they were reported as 'compromised', the browser vendors ship a patch, or updated version of the browser itself, which recognizes these certificates and blocks them from being used.

Users who don't use updated browsers or patched machines may be...

Stephen Doherty | 23 Mar 2011 22:42:48 GMT

Recently at Symantec Security Response, we came across a seemingly innocuous program which was being hosted at a number of different URLs. What flagged the file as unusual was the fact that many different customers were submitting the same file for analysis.

The basic behaviour of the program is to run you through a job suitability questionnaire before redirecting you to one of the following URLs:

hxxp://groupinc-upland.biz/registration/1
hxxp://artby-group.biz/registration/1
hxxp://artby-gorup.net/registration/1
hxxp://callisto-ltdco.net/registration/1
hxxp://kresko-group.biz/registration/1
hxxp://kresko-group.net/registration/1
hxxp://targetmarket-groupllc.net/registration/1
hxxp://neoline-llc.net/registration/1
hxxp://neoline-groupco.cc/registration/1

You cannot simply browse to these pages without first downloading and completing the suitability test.

...

Candid Wueest | 21 Mar 2011 21:41:51 GMT

Facebook is not the only one adding new and interesting features to its toolbox; spammers and scammers on Facebook are, too. Currently there is a scam making the rounds using a classic “who is viewing your profile” themed bait.

So far - nothing new. After the user grants the application the requested privileges, which of course will send out the above-mentioned spam posts to all his or her friends, the user gets redirected to a download instruction site. There he or she is asked to download the Firefox browser and then install a popular Firefox extension which is allegedly downloaded over 27,000 times per week. This simple tweak is supposed to generate a new menu entry in Facebook which would then show user statistics.

Of course this “Facebook Connect” Firefox extension is not found on the official Mozilla...

Eric Park | 21 Mar 2011 17:39:49 GMT

When Brian Krebs posted a report about the Rustock botnet takedown, Symantec observed a decline in overall spam traffic. Symantec.cloud posted a blog about this, and the Wall Street Journal is now reporting that Microsoft led this takedown.

On March 16, Symantec saw global spam drop 24.7% compared to March 15. On March 17, global spam volume dropped another 11.9% compared to March 16. Compared to a week prior, the volume on March 17 was down 40.4%.

As we typically see with a drop in global spam volume, the overall spam percentage saw a similar decline when spam volume...

Mathew Maniyara | 18 Mar 2011 20:13:20 GMT

Recently, phishers have used several types of bait on phishing sites where they impersonated universities, asked for fake donations, targeted celebrities, etc. Now, they are trying their luck on end users who play the lottery with a brand based in the UK. The bait used in the phishing site was a lottery prize of 1356 pounds. The phishing site prompted users to enter their confidential information to have the lottery prize credited to their debit card account.

A lottery is a game where there may be only one winner among the participants. So what are the odds of a phisher harvesting the confidential information of lottery winners?

The bigger the lottery prize, the fewer the winners. Hence, the motive of the phishers was to target a large number of users, because they perceive that by duping more users they increase their chances of phishing confidential information. Financial gain is a common motive for phishers, but this time they were seeking a larger sum from...

Dylan Morss | 18 Mar 2011 18:14:08 GMT

The earthquake and aftershocks which have struck New Zealand in the last few months are still being exploited by spammers and phishers in an attempt to feed upon the fears of Internet users. Symantec has recently observed continued phishing attacks against these users.

In this case, the phishers are asking users to check in with the bank and provide some additional information. The information will then most likely be used to access users’ banking accounts and personal information with the intent of stealing money and probably identities as well.

By the time Symantec went to analyze the data, this site had already been taken down. Although the volume of New Zealand specific attacks continues to dwindle as the events in Japan take center stage, we will continue to see such scams.

Internet users are advised to follow best practices to avoid phishing attacks:

•...

Samir_Patil | 17 Mar 2011 17:11:32 GMT

Symantec observed a spike of malicious spam activity in the early morning of March 16. These spam samples use subject lines related to the recent natural disaster in Japan and political unrest in the Middle East. This blog discusses the end-to-end analysis of the attack.

As shown in the samples below, the spam mail uses subject lines related to the nuclear disaster caused by a series of explosions at Japanese nuclear plants, the effects of the earthquake and tsunami on the global economy, and unrest in the Middle East.

Below are some of the subjects used in the attack.

Subject: Japanese Stocks May Defy Earthquake, Gain as Global Demand Drives Exports - Bloomberg

Subject: Quake-prone California questions nuclear safety - Reuters

Subject: Yen slips as risk aversion flows subside - Reuters

Subject: Japan Adds to Global Economy Woes

Subject: Apple delays Ipad 2 launch in Japan - Inquirer

Subject: European hospitals may aid Japan

Subject:...