Security Response
Showing posts for May of 2011
Gavin O Gorman | 31 May 2011 22:16:19 GMT

There has been some recent online discussion about games from the Chrome Web Store requesting excessive permissions. These games are extensions for Google Chrome. To access various aspects of Chrome, certain permissions are required; for example, to allow access to the Bookmark manager to update bookmarks. The “Super Mario 2” app is offered by the developer “chromitude”, which is associated with Slice Factory, a company that develops services and browser extensions to remix Web data. The extension requests permissions which seem excessive for simply playing a game. These permissions are:

  • Access to bookmarks
  • Notification of new tabs being created
  • Access to all URLs

To determine why these permissions are required for the game and what the extension...

Hon Lau | 31 May 2011 17:05:53 GMT

It seems there is no let up in the recent spate of Mac malware. A few days ago, another group of domains were registered and are being used to support a fake antivirus campaign that not only targets Mac, but also Windows users.

A series of sites were all registered by a Lee Juango who gives an address in "Pekin". However, the Web sites are hosted in Romania. The interesting thing is that these sites look almost exactly the same, with slight text changes depending on if the target is a Mac or a PC.

On the Mac domains, you will get a file called "" (MacProtector). On the page for Windows, you get a file named “install.exe” (detected as Trojan.Gen/Trojan.FakeAV!gen39). This is actually a copy of...

Samir_Patil | 26 May 2011 15:21:56 GMT

There has been yet another spam attack on the widely followed game of cricket. Earlier this year, Symantec reported about a spam attack that targeted the Cricket World Cup. It is now time for the Indian Premier League (IPL). With the playoffs in progress and the grand finale just two matches away, it is not surprising to see spammers trying to make the best of it.

We have observed an IPL scam in the wild promoting an IPL lottery. Were the IPL honchos promoting a sweepstake of this sort? We did our research and the answer is no. So, where did this offer come from? We investigated further and found that it was from a compromised machine from the suburbs of Mumbai, India.

Below is the spam sample:

So what is this scam all about? Our analysis found out that it comes...

Nithya Raman | 25 May 2011 17:27:03 GMT

There is no doubt that athletes all around the world are training hard to compete at the London Olympics in 2012, but cyber criminals seem to be gearing up for the event as well. Even with over 400 days still to go until the Olympics, we have already started seeing search terms related to this event returning a large number of poisoned links. As we have observed with search engine optimization (SEO) poisoning in the past, these poisoned links redirect to rogue antivirus sites.

The following are the top 10 poisoned search terms:

We have also found dozens of other poisoned search terms related to Olympics tickets, mascots, offers, and so on. Below is a screenshot of the search results for the term “london 2012 stadium diagram”; Norton Safe Web indicates that all of the first 10 links are malicious:


Irfan Asrar | 23 May 2011 23:28:07 GMT

Symantec has discovered a Trojanized version of a legitimate application that is part threat, part doomsayer. The threat was embedded in a pirated version of an app called ‘Holy ***king Bible’, which itself has stirred controversy on multiple forums in which the app is in circulation.

Once the threat is installed, it waits for the device to reboot. After the reboot, it starts a service called 'theword'. At regular intervals, it attempts to contact a host service, passing along the device’s phone number and operator code. It then attempts to retrieve a command from a remote location. These same actions are carried out in a loop, in intervals of 33 minutes. In addition to having abilities to respond to commands through the Internet and SMS, the threat also has activities that are designed to trigger on the 21 and 22 of May 2011, respectively.


khaley | 20 May 2011 20:25:20 GMT

At first, I was just plain annoyed. Someone forwarded a hoax email to me twice in the same week. I am often asked about hoax email: “Kevin, you work at Symantec, is this true?” That’s fine; that’s not what annoyed me. What set me off was that both emails had been forwarded to warn me. The forwarder wasn’t even questioning the content of the email. They had accepted clearly bogus warnings about the “world’s worst virus” as fact.

Then I started thinking about the Twitter discussion I recently had about education. Some security professionals are turned off by education because they don’t believe it works. The rest feel it’s important, but never done right. (I fall into the latter category.) And, I decided that my previous approach to educating people about these hoaxes was not working. Just giving people a link to a Web page...

Symantec Security Response | 20 May 2011 06:45:54 GMT

W32.Qakbot is a worm that's been around since at least 2009. The worm initially infects users by exploiting vulnerabilities when certain Web pages are visited. It subsequently spreads through network shares and removable drives. It downloads additional files, steals information, and opens a backdoor on the compromised computer. During the past few months, we've seen high levels of active development from the malware author's side, the intent of which is to circumvent detection techniques used by various security software.

The Symantec Security Response team has been monitoring this worm for the past couple of years. Activity around Qakbot appears every couple of months when external entities claim to see an outbreak. The last major wave we saw started in early April. We took that opportunity to spend additional time to analyze and document the working of this threat in a...

Mathew Maniyara | 19 May 2011 15:42:29 GMT

The Income Tax Department of India recently announced that the last date for sending income tax returns for AY 2010-2011 has been extended to July 31, 2011. During 2010, phishers had plotted their phishing scams based on the tax return deadline. As the deadline for tax returns of the current financial year approaches, phishers have returned with their stream of phishing sites.

This time, phishers have spoofed the Reserve Bank of India’s Web site as a ploy for a tax refund scam. The phishing site attempts to lure users by stating that the bank would take full responsibility for depositing the tax refund to the user’s personal bank account. The user is prompted to select the name of the bank and enter their customer ID and password. There is a list of eight banks to...

Eric Park | 18 May 2011 15:41:10 GMT

The unexpected raid and resulting death of Osama Bin Laden shocked the world. As always, spammers were quick to jump on this headline and send a variety of spam messages leveraging the event. The “Fallout from the Death of Osama Bin Laden” section includes samples of some of the spam monitored in different languages.

The effect of the Rustock shutdown from the previous month continued this month. After falling 27.43 percent in March, the average daily spam volume fell another 5.35 percent in April. Compared to a year ago, it is down 65.42 percent. Overall, spam made up 74.81 percent of all messages in April, compared with 74.68 percent in March. Going back a year, the percentage of spam was 89.22 in April 2010.

To find out more, click here to download the May 2011 State of Spam & Phishing Report, which highlights the...

Stephen Doherty | 16 May 2011 20:42:02 GMT

There is currently a new spam campaign spreading across Facebook. The spam has an appearance similar to the following:

It is worth mentioning that the app_id in the requests is “6628568379”, which may cause the post to look as though it was sent from an iPhone when this is not the case. This is done to give an appearance of further credibility to the scam.

The message may vary slightly as it is randomly generated by using a combination of the following three options:

Part one:

  • hey
  • HEY
  • OMG
  • omg
  • omg!
  • OMG!!
  • WTF
  • wtf
  • wtf!!
  • WTF!!
  • YO
  • yo
  • YO!

Part two:

  • I can't believe you're
  • i cant believe youre tagged
  • what are you doing
  • why are you
  • why are you tagged
  • you...