Security Response
Showing posts for June of 2011
Suyog Sainkar | 30 Jun 2011 17:31:45 GMT

As most of us will know, the United States’ Independence Day is on the fourth of July, which is only a few days away. Independence Day is commonly associated with fireworks, parades, barbecues, fairs, ceremonies, get-togethers, and various other public and private events celebrating the national holiday. Many people also utilize this time for vacation trips, especially if it’s a long July 4th weekend. However, not everyone goes out of town or participates in special events. Some people actually take advantage of the nice holiday weekend to stay at home and catch up on other activities, which may include shopping. Since sales levels are usually lower during holiday weekends, stores and online shopping sites offer lots of exciting deals. In any case, today’s technology makes it possible to shop online from anywhere—even while on a beach vacation, say!

The spammers, as always, have exploited this likelihood and are distributing spam messages...

Livian Ge | 30 Jun 2011 15:55:16 GMT

The Sina microblog is the biggest microblogging platform in China and is very similar to Twitter. It has more than 140 million users, which is almost 10% of the population of China. On June 28 this year, it was attacked by a cross-site scripting (XSS) worm and more than 30,000 users were affected. The worm aggressively sends out messages containing enticing hot topics and a shortened link to the member's follower list. This is not the first time that threats have used shortened links, and on this occasion it was used as a very simple but powerful tool by the attackers to hide the actual malicious URL.

The following is a screenshot of some of the spam messages sent out by the threat:

Once the link is clicked, the user's computer is infected...

Sammy Chu | 29 Jun 2011 20:36:34 GMT

With our globalized economy, non-English email between international organizations has become the norm for business communication. However, at the same time, non-English spam is also becoming more and more of a problem for national and international enterprises.

For the past several months, Symantec has noticed an increase in Chinese-language spam, as shown in the graphic below:

What’s interesting about this increase is the resurfacing of a body-obfuscation technique that is being used by Chinese spammers—the technique is called “invisible text.” What is “invisible text,” exactly? Invisible text is the body text that’s the same color as the background; therefore, it is invisible to the human eye.

Below are some samples that Symantec has observed. The first sample is a typical Chinese seminar (training course) promotion spam...

Samir_Patil | 29 Jun 2011 20:03:55 GMT

Yes, of course! This is what the email is all about! Or, is it?

The 2011 Wimbledon Championship has begun in full gusto and like any other major sporting event, we have been observing spam flowing in the wild that targets Wimbledon 2011. Spammers are exploiting the event by sending online betting, casino, and even online pharmacy spam through email.
The Italian spam sample given below mimics a legitimate betting website (the name of the betting site is deliberately omitted). The email headers are spoofed in an effort to bolster the legitimacy of the email; but the Sender domain has been registered only recently and shows hit-and-run spam characteristics. The spammer says, “Bet risk free! Even if you lose the bet, 20 Euros will be reimbursed.”

The spam sample given below explains the steps that users would supposedly need to take to acquire the “bonus”:

1. Sign up and make a deposit into your account.
2. Place your first...

Mario Ballano | 29 Jun 2011 19:35:24 GMT

We have been taking a close look at Android threats since they first appeared, looking for ways to analyze and classify them, as well as looking at possible attack vectors they may use in the near future. Some of our research has uncovered how Android applications could potentially exploit other installed applications to steal their private information or execute malicious code. In particular, we came across something that resembles Windows DLL Hijacking. Bear in mind that we are not talking about Android vulnerabilities per se, but application-specific issues. We found a few applications in the Google Android Marketplace that were susceptible to this attack and have notified the application developers accordingly.

Android provides APIs that allow an application to dynamically load code to be executed. For example, an application may support plug-ins that are downloaded and then loaded at a later time...

Samir_Patil | 29 Jun 2011 19:17:08 GMT

Exploiting the popularity of social networks for the purposes of distributing spam, malware, and phishing attacks is quite a common technique these days. Spam attacks via social networks grew dramatically between April and June 2011. Over this period, we monitored and analyzed social network spam attacks that used three popular social networking sites—Facebook, Twitter, and YouTube.

The Trend

The graph below demonstrates the volume spikes for social network spam from April 1 to June 15:

One of the obvious patterns seen in the graph above is the rise in the number of attacks on one social networking site, then an abrupt fall, and then a shift to the next social site, as if following a cyclical pattern. We observed a sudden surge in the number of attacks on Facebook, then a peak, and then a drastic decline. While the attacks on Facebook declined, we...

John McDonald | 29 Jun 2011 11:21:58 GMT

A colleague of mine recently wrote about one of the June “Microsoft Tuesday” vulnerabilities being exploited in the wild. Because we're a bit like that, we decided to allow the exploit to compromise one of our honeypot computers so we could observe what happened.

The exploit first came to our attention by way of email messages that were initially sent to a customer and then passed on to us for investigation. These messages were sent from an account hosted on a popular webmail service, contained very bad grammar, and were purportedly sent by a Chinese university student. The emails either asked for advice on a particular topic, or thanked the recipient for a recent presentation and included a question related to that presentation. The emails included a link to a Chinese restaurant and the destination Web page contained the exploit for an Internet Explorer 8 vulnerability:...

John McDonald | 29 Jun 2011 09:03:03 GMT

Our friends at Microsoft recently blogged about a new variant of a bootkit Trojan from the family they call Popureb. The variant, Win32/Popureb.E, introduced a driver component to prevent a malicious master boot record (MBR) and other malicious components from being cleaned.

At least one tech writer was quick to pick up on the implications of the following sentence from the Microsoft blog:

"If your system is infected with Trojan:Win32/Popureb.E, we advise fixing the MBR using the Windows Recovery Console to return the MBR to a clean state."

Mark Hachman wrote an article for entitled "Microsoft's Answer to Vicious Malware? Reinstall Windows." In the article, Mark refers to a blog post on the Symantec Connect site that...

Carey Nachenberg | 27 Jun 2011 21:08:09 GMT

The mass adoption of both consumer and managed mobile devices in the enterprise has increased employee productivity, but has also exposed the enterprise to new security risks. Our latest research is a deep dive into the current state of mobile device security. You can read the whitepaper in its entirety here.

More than anything else, the analysis shows that while the most popular mobile platforms in use today were designed with security in mind—and certainly raise the bar compared to traditional PC-based computing platforms—they may still be insufficient for protecting the enterprise assets that regularly find their way onto these devices.

Today’s mobile devices also connect to an entire ecosystem of supporting cloud and desktop-based services. The typical smartphone synchronizes with at least one public cloud-based service that is outside enterprise control. At the same time, many users also...

Mayur Kulkarni | 23 Jun 2011 16:37:16 GMT

When scammers try to gain sympathy from email readers or to entice them with huge amounts of money, they will usually mention a tragedy or any event that attracted huge public attention. They may also want the users to read additional information, so a URL from a well-known news site is also provided. This addition of a link may assure a reader that the email is genuine and that some action needs to be taken in response to the email. Toward the end of the email scam, an appeal to help the victims is made if it is a tragic event. This message will also provide contact information in the form of email addresses, phone or fax numbers.

Anti-spam filters will find it easier to block the news URLs in the scam message because, although they are legitimate, these are old news items and should ideally not be in circulation for any reason.

For the sake of curiosity, we went through our active filters to check such news URLs and surprisingly found some of the filters...